
A Framework to (Im)Prove “Chain of Custody” in Digital Investigation Process?
Central European Conference on Information
and Intelligent Systems – CECIIS 2010
[ September 22nd – 24th, 2010 - Varaždin, Croatia ]
Jasmin Ćosić* and Miroslav Bača**
*IT Section of Police Administration
Ministry of Interior of Una-sana canton, Bihać, B&H
jascosic[at]bih[dot]net[dot]ba
**Faculty of Organization and Informatics
University of Zagreb, Zagreb, Croatia
miroslav[dot]baca[at]foi[dot]hr
Contents
• Introduction
• Chain of Custody (“Chain of Evidence”)
• Digital integrity (integrity of digital evidence)
• Proposed DEMF - “Digital Evidence Management Framework”
• Conclusion and Further Research
09/23/10 2
Introduction
• Digital Forensics and Digital Evidence?
• Digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings. [Pollit and Whiteledge]
• Digital evidence is any constitution or relevant digital data sufficient to prove a crime in computer and network storage media, one kind of physical evidence, including patterns with text, picture, voice and image. [Casey E.]
• In all phases of a forensic investigation, digital evidence is susceptible to external influences and comes into contact with many factors.

Introduction
• “Chain of Custody” or “Chain of Evidence”?
• In order for the evidence to be accepted by the court as valid, the “chain of custody” for digital evidence must be kept.
• Some authors use the term “chain of evidence” instead of “chain of custody”.
• The purpose of testimony concerning the “chain of custody” is to prove that the evidence has not been altered or changed through all phases; it must include documentation of how the evidence was gathered, transported, analyzed and presented.
• Access to the evidence must be controlled and audited.
Introduction
• “Chain of Custody” or “Chain of Evidence”?
• Today most law enforcement agencies have some type of evidence handling system that is unchanged since the 1950s.
• The system is a single room or rooms!!!
• In some countries agencies use bar codes or RFID to track evidence, but in most cases a paper chain of custody is primary.
Introduction
• To prove the chain of custody, we must know all the details of how the evidence was handled at every step of the way. The old formula used by police, journalists and researchers - Who, What, When, Where, Why, and How - the "Five Ws" (and one H) [11] can be applied to help in a digital forensic investigation:
– WHAT? What is the evidence?
– HOW? How did investigators get the evidence?
– WHEN? When was it collected and used?
– WHO? Who handled it?
– WHY? Why did that person handle it?
– WHERE? Where did it travel, and where was it stored?
Digital integrity
• Digital integrity is “the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source”. [8]
• Adopted methods for digitally signing evidence in order to (im)prove its integrity:
– CRC (Cyclic Redundancy Check)
– Hash function
– Digital signature
– Timestamp
– Encryption
– Watermarking
• Every method has its advantages and disadvantages [9]
Concept of proposed DEMF
• DEMF = f {fingerprint_of_file, //what
             biometrics_characteristic, //who
             time_stamp, //when
             gps_location} ; //where [5]
• WHAT – use a SHA-2 hash function
• WHO – use biometric characteristics
• WHEN – use a digital timestamp
• WHERE – use GPS

[Figure: DEMF construction, step by step. WHAT: digital evidence (101101...11) -> calculating a hash (SHA-2) -> hash data. WHO: authentication with biometric characteristics (fingerprint or iris) -> hash data + biometric characteristic. WHEN: adding a timestamp (12.12.2009 19:00) -> hash data + biometric characteristic + timestamp. WHERE: adding a GPS location -> hash data + biometric characteristic + timestamp + location. The final record is bound to the handler through PKI (private key / public key).]
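As an added illustration (not code from the paper), the layered DEMF record from the diagram and its verification, in Python: SHA-256 stands in for SHA-2, a template id from the handler database stands in for the biometric characteristic, and an HMAC over the final digest stands in for the PKI signature; each handling step links to the previous one so the records form the custody chain. All sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample inputs; none of these values come from the paper.
EVIDENCE = b"constructed disk image bytes 0123456789"
SIGNING_KEY = b"stand-in-for-pki-private-key"  # a real DEMF uses the PKI private key
FIRST_RESPONDER = "biometric-template-0042"   # id of a template in the handler database
INVESTIGATOR = "biometric-template-0107"


def sha2(data: bytes) -> str:
    """WHAT: SHA-2 (SHA-256) fingerprint of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def build_demf_record(evidence, handler_id, timestamp, gps, signing_key, prev_digest=""):
    """Layer the four DEMF components in the order of the diagram:
    hash -> + biometric characteristic -> + timestamp -> + GPS location.
    prev_digest links this handling step to the previous one (the custody chain)."""
    what = sha2(evidence)
    who = sha2(f"{prev_digest}|{what}|{handler_id}".encode())
    when = sha2(f"{who}|{timestamp}".encode())
    where = sha2(f"{when}|{gps[0]:.6f},{gps[1]:.6f}".encode())
    # Assumption: an HMAC over the final digest stands in for the PKI signature.
    signature = hmac.new(signing_key, where.encode(), hashlib.sha256).hexdigest()
    return {"what": what, "who": handler_id, "when": timestamp, "where": gps,
            "prev": prev_digest, "digest": where, "signature": signature}


def verify_chain(records, evidence, signing_key) -> bool:
    """Recompute every record from the evidence and the recorded custody fields.
    Any change to the evidence, to a field, or to the order of records fails."""
    prev = ""
    for rec in records:
        if rec["prev"] != prev:
            return False
        rebuilt = build_demf_record(evidence, rec["who"], rec["when"], rec["where"],
                                    signing_key, prev)
        if rebuilt["digest"] != rec["digest"] or not hmac.compare_digest(
                rebuilt["signature"], rec["signature"]):
            return False
        prev = rec["digest"]
    return True


def sample_chain(evidence=EVIDENCE):
    """Two handling steps: seizure by a first responder, then hand-over to an investigator."""
    r1 = build_demf_record(evidence, FIRST_RESPONDER, "2009-12-12T19:00:00Z",
                           (44.812500, 15.870800), SIGNING_KEY)
    r2 = build_demf_record(evidence, INVESTIGATOR, "2009-12-13T08:30:00Z",
                           (45.814400, 15.978000), SIGNING_KEY, r1["digest"])
    return [r1, r2]
```

Verifying the chain against the seized bytes succeeds; altering one byte of the evidence, one timestamp, or the order of the records makes verification fail.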
Prerequisite for implementation
• Template database with biometric characteristics of:
– First responders,
– Forensic investigators,
– Court expert witnesses,
– Law enforcement personnel,
– Police officers (crime inspectors),
– Others who handle digital evidence
• Time stamp authority (TSA) system
• GPS system
• PKI system
Prerequisite for implementation
• Today most countries have a database with some biometric characteristics of citizens (finger, iris, face…)
• A TSA system can be implemented in the intranet or can be used from outside.
• All countries around the world have a PKI and some firms that can digitally sign a document (FINA).
Prerequisite for implementation
• Implementation in a real environment -> next step!
Conclusion and further research
• In this research the authors have dealt with a conceptual framework for digital evidence management and chain of custody in the forensic investigation process.
• A conceptual DEMF (“Digital Evidence Management Framework”) is presented from a high-level view. With this framework a secure, reliable and useful system can be implemented which will enable a secure chain of custody of digital evidence.
• Future work will be based on implementing this framework in a real environment and testing its functionality.
References
• [1] Sammes A, Jenkinson B: Forensic Computing: A Practitioner's Guide. Springer-Verlag, New York; 2000
• [2] Pollit M, Whiteledge A: Exploring Big Haystacks. Data Mining and Knowledge Management. Advances in Digital Forensics II. IFIP; 2006
• [3] Ćosić J, Bača M: Computer forensics - broad aspects of its application, INFOTEH-JAHORINA, B&H, Vol. 9, Ref. E-VI-9, pp. 857-860, March 2010.
• [4] Casey E: Handbook of Computer Crime Investigation: Forensic Science, Computers and the Internet. Academic Press; 2000
• [5] Ćosić J, Bača M: Do we have a full control over integrity in digital evidence life cycle, Proceedings of ITI 2010, 32nd International Conference on Information Technology Interfaces, Dubrovnik/Cavtat, pp. 429-434, 2010
• [6] Yaeger R: Criminal Computer Forensic Management. InfoSec Conference, USA; 2006
• [7] Media Awareness Network. http://www.media-awareness.ca/english/resources/special_initiatives/wa_resources/wa_shared/tipsheets/5Ws_of_cyberspace.cfm [12/20 2009]
• [8] Vanstone S, Van Oorschot P, Menezes A: Handbook of Applied Cryptography, CRC Press, 1997
• [9] Ćosić J, Bača M: (Im)proving chain of custody and digital evidence integrity with timestamp, MIPRO, 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, pp. 171-175, 2010
• [10] Hosmer C: Proving the Integrity of Digital Evidence with Time, International Journal of Digital Evidence, Spring 2002, Vol. 1, Issue 1
• [11] Willassen S: Hypothesis based investigation of Digital Time stamp, IFIP, Advances in Digital Forensics IV, pp. 75-86, 2008
• [12] Strawn C: Expanding the Potential for GPS Evidence Acquisition, Small Scale Digital Evidence Forensic Journal, Vol. 3, No. 1, 2009

Any Questions?
• Thank You for Your attention

sudskivjestak-ikt.com
czb.foi.hr