ArticlePDF Available

Tainted Digital Evidence and Privacy Protection in Blockchain-Based Systems

  • HES-SO Genève
DFRWS 2020 EU eProceedings of the Seventh Annual DFRWS Europe
Tainted Digital Evidence and Privacy Protection in Blockchain-Based Systems
David Billard. HES-SO, University of Applied Sciences in Geneva, Switzerland
E-mail address:
Extended abstract
This paper focuses on an often-forgotten aspect of digital evidence
handling, when a court dismisses an evidence from a trial. Multiple rea-
sons can lead to dismiss an evidence: it can be challenged by a party during
an investigation or in front of the court, or simply dropped by the
Of course, different countries apply different laws, but let's take a simple
example, that is quite universal. Bob is suspected to hold illegal child
pornography material. A warrant is issued and a police search is conducted
at Bob's house. During the search, a hard drive is seized and following the
police procedure, the hard drive is registered and a chain of custody is
initiated. Since this police body is a modern one, the hard drive is also
registered into the blockchain-based evidence inventory software.
Digital forensics experts examine the drive and nd connections with
Alice, who seems deeply involved in child pornography. A police search is
therefore triggered on Alice and a USB stick with a lot of inculpatory evi-
dence is found at Alice's home. As required by the procedure, the USB stick
is registered into the same blockchain-based software.
Much later in the investigation, a defense lawyer raises the legality of the
rst police search on serious grounds. The court follows the motion and
the rst police search is dismissed. Since the second police search is a
direct offspring of the rst, it is also dismissed from the case.
Now let's examine the same case, when a blockchain is used to implement
a chain of custody [1], [2]. The digital evidence found at Alice's and Bob's
are stored in the ledger, but there is no mechanism to delete a digital
evidence from the ledger, since it is precisely built to forbid any alteration,
deletion or cancellation.
In the absence of such mechanism, having this unique blockchain structure
available, there are at least two possible options in order to dismiss
The rst one is to delete the whole blockchain and to issue a new block-
chain, without the dismissed evidence. In practice, it means to start from
the root block and re-issue all the subsequent transactions (excepted the
transactions linked to the dismissed evidence of course). Although it is
theoretically doable, it means a huge effort of transaction and block vali-
dation, involving voting algorithms, and keeping track of all the blockchain
intra references. The reader can already notice that the computational
complexity is quite signicant.
The second option is to issue undo-transactions whose purpose is to
indicate that the referenced transaction is void and cannot be used
anymore. It means that the blockchain contains two categories of trans-
actions: (1) the transactions for registering evidence and (2) the undo-
transactions for dismissing evidence.
This technique of using undo-transactions is widely used, since a long
time, in DataBase Management Systems (DBMS) for recovery or rollback
purposes[3]. Unfortunately, while it is well suited for DBMS, it brings some
issues in blockchain-based systems.
The major issue concerns the verication of the transaction validation. In
order for a user to check if a transaction is valid, the user will have to verify
if the chain of hashes and signatures has not be en broken since a particular
point in time (usually the begin of the blockchain). This check means that
the transaction has been correctly entered into the system and has been
validated following the rules.
But this check does not prove that the transaction is valid from a legal point
of view: the evidence linked to the transaction may have been dismissed
later. Therefore, the check process must continue until either: (1) it nds
the undo-transaction, then the transaction is not legally valid or (2) it
reaches the end of the blockchain, then the transaction is legally valid. The
reader will notice that the computational complexity of this check is
signicantly higher than the single transaction verication protocol usu-
ally observed in blockchain.
Both solutions are unsatisfactory and we devised a solution where an
additional layer of software, AccessTX, provides access to the blockchain.
Let's name the chain of custody blockchain InventoryTX. The additional
layer, controlling access to InventoryTX, will rst check if a transaction is
either legally dismissed or valid, before granting access. After the check is
done, the transaction will be validated through the normal processing of
the blockchain InventoryTX.
In order to check the legal validity of a transaction, the access control will
also use a blockchain, named InvalidatedTX. The payload of every trans-
action in InvalidatedTX contains the transaction ID related to a tainted
evidence. It is desirable that each transaction in InvalidatedTX is signed by
the jurisdiction issuing the removal of the tainted evidence.
The validation of each invalidating transaction is processed as in a normal
blockchain, since the root of InvalidatedTX. Only the nature of the inva-
lidating transaction differentiates it from a traditional blockchain.
An example might be the best way to illustrate the different components of
the proposed solution. We suppose the police searches Ms Marple's home.
This woman is suspected to host a suspected man running from the police.
Three evidence items are found at her home:
Agent Poirot found a USB key with the searched man identity doc-
uments and 1000 bitcoins;
Agent Ness found a notebook with pornographic contents and a
hyperlink to a web server;
Agent Loch found a love letter from the suspected man to Ms
Later, the web site is investigated by agent Chris and it contains drug
recipes. The InventoryTX blockchain is built and has the look of Fig. 1.
The reader will notice that it is a generic representation of a blockchain
and that different authors in the literature may have additional fea-
Contents lists available at ScienceDirect
Forensic Science International: Digital Investigation
journal homepage:
Forensic Science International: Digital Investigation 32 (2020) 300911
We suppose that, in our ctious example, the defense argues that porno-
graphic materials and drug recipes are not the subject of the search and
should be dismissed. The court follows this request and judges Roy and
Prince update the InvalidatedTX blockchain which is depicted in Fig. 2.
When parties will access the evidence stored into the InventoryTX, the
system will rst look up in the InvalidatedTX to verify if the transaction
concerning the evidence is legally sound. Three scenarii are then possible:
If the transaction hash is absent from InvalidatedTX, and present in
InventoryTX then the system will serve the transaction payload,
which is usually a reference to a safe storage entity holding the
evidence content, or description.
If the transaction hash is absent from InvalidatedTX, and also absent
from InventoryTX then the system will raise a Transaction not
If the transaction hash is present in InvalidatedTX then the system
will raise a Transaction invalidated by court order #xxx
This system possesses the advantage of being very lightweight. In the
absence of dismissed evidence, the cost for the lookup is in O(1), since
InvalidatedTX is empty. In the presence of dismissed evidence, the cost for
the lookup is in O(m) were mis the total number of dismissed evidence
Our solution for dismissing tainted evidence do not erase the fact that the
evidence was once part of the procedure, but it will prevent the use of this
evidence by the parties. We believe that this algorithm will help in the
adoption of blockchain solutions by providing more exibility in the evi-
dence management. Besides, this solution works with a majority of
blockchain implementation because it does not modify the blockchain
Furthermore, evidence data is separated from the blockchain transaction's
payload, that holds only metadata.
[1] A. H. Lone and R. N. Mir, Forensic-chain: Blockchain based digital fo-
rensics chain of custody with PoC in Hyperledger Composer,Digital
Investigation, vol. 28, pp. 44e55, Mar. 2019,
[2] H. Al-Khateeb, G. Epiphaniou, and H. Daly, Blockchain for Modern
Digital Forensics: The Chain-of-Custody as a Distributed Ledger,in
Blockchain and Clinical Trial: Securing Patient Data, H. Jahankhani, S.
Kendzierskyj, A. Jamal, G. Epiphaniou, and H. Al-Khateeb, Eds. Cham:
Springer International Publishing, 2019, pp. 149e168.
[3] J. Gray and A. Reuter, Transaction Processing: Concepts and Techniques.
Morgan Kaufmann Publishers Inc., 1992.
Fig. 1. InventoryTX for the Marple case.Ă
Fig. 2. InvalidatedTX for the Marple case.Ă
Forensic Science International: Digital Investigation 32 (2020) 300911S2
... In contrast, participants of the network should fuel the system. Furthermore, recent experience has shown [5] that authenticity alone is not enough for managing behavioral evidence, and enforceable authorization rules are needed to devise an effective access control layer. Distributed Ledger Technology (DLT) is a natural candidate for addressing these requirements. ...
... Sudden Behavior Change Simulation (On/Off Attack)5 This corresponds to the average gas price in gwei on 7/5/2021 ...
Blockchain technology can be incorporated into new systems to facilitate modern Digital Forensics and Incident Response (DFIR). For example, it is widely acknowledged that the Internet-of-Things (IoT) has introduced complexity to the cyberspace, however, incident responders should also realise the advantages presented by these new “Digital Witnesses” (DW) to support their investigation. Logs generated by IoT devices can help in the process of event reconstruction, but their integrity -and therefore admissibility- can be achieved only if a Chain-of-Custody (CoC) is maintained within the wider context of an on-going digital investigation. Likewise, the transition to electronic documentation improves data availability, legibility, the utility of notes, and therefore enhances the communication between stakeholders. However, without a proof of validity, these data could be falsified. For example, in an application area such as eHealth, there is a requirement to maintain various existing (and new) rules and regulations concerning authorship, auditing, and the integrity of medical records. Lacking data control could lead to system abuse, fraud and severe compromise of service quality. These concerns can be resolved by implementing an online CoC. In this paper, we discuss the value and means of utilising Blockchain in modern systems to support DFIR. we demonstrate the value of Blockchain to improve the implementation of Digital Forensic Models and discuss why law enforcement and incident responders need to understand Blockchain technology. Furthermore, the admissibility of a Digital Evidence to a Court of Law requires chronological documentation. Hence, we discuss how the CoC can be sustained based on a distributed ledger. Finally, we provide a practical scenario related to eHealth to demonstrate the value of this approach to introduce forensic readiness to computer systems and enable better Police interventions.
Advancements in Information Technology landscape over the past two decades have made the collection, preservation, and analysis of digital evidence an extremely important tool for solving cybercrimes and preparing court cases. Digital evidence plays an important role in cybercrime investigation, as it is used to link individuals with criminal activities. Thus it is of utmost importance to guarantee integrity, authenticity, and auditability of digital evidence as it moves along different levels of hierarchy in the chain of custody during cybercrime investigation. Modern day technology is more advanced in terms of portability and power. A huge amount of information is generated by billions of devices connected to the internet that needs to be stored and accessed, thus posing great challenges in maintaining the integrity and authenticity of digital evidence for its admissibility in the court of law. Handling digital evidences poses unique challenges because of the fact they are latent, volatile, fragile, can cross jurisdictional borders quickly and easily and in many cases can be time/machine dependent too. Thus guaranteeing the authenticity and legality of processes and procedures used to gather and transfer the evidence in a digital society is a real challenge. Blockchain technology's capability of enabling comprehensive view of transactions (events/actions) back to origination provides enormous promise for the forensic community. In this research we proposed Forensic-Chain: A Blockchain based Digital Forensics Chain of Custody, bringing integrity and tamper resistance to digital forensics chain of custody. We also provided Proof of Concept in Hyperledger Composer and evaluated its performance.