cta vol.3, no.2,2012.pdf cosic
Publication Information: Computer Technology and Application is published monthly in hard copy (ISSN 1934-7332) and online (ISSN 1934-7340) by David Publishing Company, 9460 Telstar Ave Suite 5, El Monte, CA 91731, USA.
Computer Technology and Application 3 (2012) 126-129
Chain of Custody and Life Cycle of Digital Evidence
Jasmin Cosic (1) and Zoran Cosic (2)
1. Ministry of Interior of Una-sana canton, Bihac, Bosnia and Herzegovina
2. Statheros, Kastel Stari, Split, Croatia
Received: December 22, 2011 / Accepted: January 04, 2012 / Published: February 25, 2012.
Abstract: The life cycle and chain of custody of digital evidence are very important parts of the digital investigation process. It is very difficult to maintain and prove the chain of custody. Investigators and expert witnesses must know all the details of how the evidence was handled every step of the way. At each stage in the life cycle of digital evidence, there are more impacts (human, technical and natural) that can violate the digital evidence. This paper presents a basic concept of the chain of custody of digital evidence and the life cycle of digital evidence. It addresses the phases of the life cycle in digital archiving. The authors also warn of certain shortcomings in terms of answering specific questions, and give some basic definitions.
Key words: Digital evidence, digital forensics, chain of custody, digital evidence integrity, life cycle of digital evidence.
Zoran Cosic, M.Sc., Ph.D. candidate, research fields: information science, computer science.
Corresponding author: Jasmin Cosic, dipl.ing.IT, Ph.D. candidate, research fields: information science, computer science, digital forensics. E-mail: [email protected].
1. Introduction
There are many definitions of digital forensics and digital evidence. On the question "What is Digital Forensics?", Pollitt highlighted in Ref. [1] that digital forensics is not an elephant; it is a process, and not just one process but a group of tasks and processes in an investigation. In fact, many digital forensics investigation processes and tasks were defined on technical implementation details. Investigation procedures developed by traditional forensic scientists focused on the procedures for handling the evidence, while those developed by technologists focused on the technical details of capturing evidence [2]. One of many definitions is that digital forensics can be defined as the application of science and engineering to the legal problem of digital evidence [3]. According to Pollitt and Whitledge [4], digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings.
The notion of digital evidence means any relevant digital data sufficient to prove a crime; stored on computer and network storage media, it is one kind of physical evidence, including patterns of text, pictures, voice and images. Because of its properties (undifferentiated copies, original authors that are hard to authenticate, and data verification), it can also be called computer evidence or digital evidence, which is stored on computer and network storage media by electromagnetic means. In other words, computer storage media or electromagnetic storage on a network can be used as crime evidence [5-6].
In all phases of a forensic investigation, digital evidence is susceptible to external influences and comes into contact with many factors.
In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept; that is, it must be known exactly who came into contact with the evidence, and when and where, in each stage of the investigation. The phrase chain of custody refers to the accurate auditing control of original evidence material that could potentially be used for legal purposes [7-10]. The purpose of testimony concerning chain of custody is to prove that the evidence has not been altered or changed through all phases, and it must include documentation on how the evidence was gathered, how it was transported, analyzed and presented. Knowing the current location of the original evidence is not enough for the court; there must be accurate logs tracking the evidence material at all times. Access to the evidence must be controlled and audited [7-12].
To prove the chain of custody, we must know all the details of how the evidence was handled every step of the way. The old formula used by police, journalists and researchers, "Who, What, When, Where, Why, and How" (Five Ws and one H) [13-14], can be applied to help in a digital forensic investigation. The function for the Chain of Custody of Digital Evidence [15] can be presented as in (1):
CoCoDE = f{fingerprint_of_file,         // what
           biometrics_characteristics,  // who
           time_stamp,                  // when      (1)
           gps_location,                // where
           reason,                      // why
           set_of_procedures};          // how
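As an added example (not code from the paper or its authors), the six CoCoDE inputs of (1) can be recorded as a hash-linked custody log, so that a later edit of any who/when/where/why/how field, or of the evidence bytes themselves, is detected when the chain is re-verified; all sample values (biometric identifiers, timestamps, GPS position, reasons) are constructed.

```python
# Added example (not from the paper): a chain-of-custody log built from the six
# CoCoDE inputs of Eq. (1). Each entry is hash-linked to the previous one, so a
# later edit of any who/when/where/why/how field, or of the evidence itself,
# is detected when the chain is re-verified. All sample values are constructed.
import hashlib
import json
from typing import List

FIELDS = ("fingerprint_of_file", "biometrics_characteristics", "time_stamp",
          "gps_location", "reason", "set_of_procedures")  # what/who/when/where/why/how

def fingerprint_of_file(data: bytes) -> str:
    """'what': SHA-256 over the evidence bytes."""
    return hashlib.sha256(data).hexdigest()

def _digest(fields: dict) -> str:
    # Canonical JSON so that the same fields always hash the same way.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def add_entry(chain: List[dict], evidence: bytes, who: str, when: str,
              where: str, why: str, how: str) -> dict:
    """Append one CoCoDE entry; its hash covers all six fields plus prev_hash."""
    entry = dict(zip(FIELDS, (fingerprint_of_file(evidence), who, when, where, why, how)))
    entry["prev_hash"] = chain[-1]["entry_hash"] if chain else None
    entry["entry_hash"] = _digest(entry)
    chain.append(entry)
    return entry

def verify_chain(chain: List[dict], evidence: bytes) -> bool:
    """Recompute every link and check each 'what' still matches the evidence."""
    expected_fp, prev = fingerprint_of_file(evidence), None
    for e in chain:
        fields = {k: v for k, v in e.items() if k != "entry_hash"}
        if fields["prev_hash"] != prev or fields["fingerprint_of_file"] != expected_fp:
            return False
        if _digest(fields) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo() -> bool:
    """Constructed hand-offs: seizure by a first responder, then examination."""
    evidence = b"constructed sample of seized file contents"
    chain: List[dict] = []
    add_entry(chain, evidence, "first-responder-biometric-id-01", "2011-12-22T09:00:00Z",
              "44.81N 15.87E", "court order (constructed)", "IOCE collection procedure")
    add_entry(chain, evidence, "investigator-biometric-id-07", "2011-12-22T13:30:00Z",
              "44.81N 15.87E", "examination", "write-blocked imaging")
    intact = verify_chain(chain, evidence)
    chain[0]["reason"] = "routine check"   # after-the-fact edit of 'why'
    return intact and not verify_chain(chain, evidence)
```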
2. Life Cycle of Digital Evidence
The process of collecting digital evidence must begin in a lawful way. In other words, if there is a forensic investigation, the competent prosecution or court must issue the order to initiate an investigation, or if there is a corporate internal investigation, the management or supervisory board must agree to the investigation. In both cases, approval must be in a written document.
The situation differs from country to country with respect to who first comes into contact with digital evidence. In some countries there are specialized units (first response forces) trained in how to handle this type of evidence, while in others this job is done by law enforcement personnel (police officers) who are not trained to do it.
According to the International Organization on Computer Evidence (IOCE) [16-17], when it is necessary for a person to access original digital evidence, that person should be trained for the purpose. In many cases this is not possible, because forensics is a very complex science and requires a high level of expertise to work with the evidence.
List of personnel who can act on the digital evidence:
First responders;
Forensic investigators;
Court expert witnesses;
Law enforcement personnel;
Police officers (crime inspectors);
Victim;
Suspect;
Passerby.
Each of the above-mentioned persons can affect the evidence in a particular situation, and therefore it is very important to know the answer to the question "Who is coming into contact with the evidence?".
Fig. 1 illustrates the impact of the human factor in all investigation stages and the life cycle of digital evidence [18]. It also emphasizes the most critical things in the first phase of a digital forensic investigation.
As we can see in the figure, the life cycle of digital evidence is very complex, and at each stage there are more impacts that can violate the chain of custody.
If the digital evidence is used in an international investigation, this life cycle is more complex and it is more difficult to maintain the chain of custody.
There is no explicit definition of the life cycle of digital evidence, but a definition from digital files and digital archiving can be used. According to Hodge [19], in "Best Practices for Digital Archiving: An Information Life Cycle Approach", there are a few phases in the information life cycle:
Creation;
Acquisition and collection;
Identification and cataloguing;
Storage;
Preservation;
Access.
Fig. 1 Life cycle of digital evidence modeled with Petri nets [18].
There are some similarities in the life cycle of digital evidence. The first phase in the digital evidence life cycle is not creation, because in the digital investigation process we already have a digital file that was previously created. That file will become digital evidence in the future.
The first phase in the digital evidence life cycle is Identification and Collection. In this phase, digital forensic investigators must search a vast amount of material to find something of interest (the iceberg principle). This phase is very complex, and there are more impacts that can violate the chain of custody.
The next stage of the life cycle is Examination. In this stage, contact with digital evidence can happen through the forensic investigators and expert witnesses. The examination phase implies the identification of potential digital evidence and its separation from the other large amount of digital files.
Storage and transport are phases that always occur in this cycle. At all times the chain of custody of digital evidence must be kept. The next phase in the digital evidence life cycle is Report/Publishing. This is not the final phase. In this phase, digital evidence is presented by the defense/prosecution side, and at this stage contact with digital evidence can happen through the forensic investigators, expert witnesses, defense and prosecution. The result of the forensic investigation will be presented. At the end, there is a closing case phase in which digital evidence can be stored and archived.
When we consider all these aspects and facts, it can be said that the life cycle of digital evidence begins with identification and collection, continues with examination, report and publishing, and ends with storing and archiving.
Fig. 2 [10] illustrates a forensic model based on the phases in the life cycle of digital evidence.
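As an added example (not code from the paper or its authors), the life cycle described in this section can be encoded as an explicit state machine and used to check a custody log for a phase reached before its predecessor, for contact by a role the text does not place in that phase, and for any contact by the victim, suspect or a passerby; the phase and role identifiers are my labels for the paper's terms, and the sample log is constructed.

```python
# Added example (not from the paper): the life cycle of Section 2 as an explicit
# state machine. A custody log of (phase, role) hand-offs is checked for a phase
# reached before its predecessor, for contact by a role the text does not place
# in that phase, and for any contact by the victim, suspect or a passerby. Phase
# and role identifiers are my labels for the paper's terms; the log is constructed.
from typing import List, Tuple

# "begins with identification and collection, continues with examination,
#  report and publishing, and ends with storing and archiving"
ORDER = ["identification_collection", "examination", "report_publishing",
         "closing_archiving"]
# Storage and transport "always occur in this cycle": allowed between any phases.
ANYTIME = {"storage", "transport"}
# Roles the text explicitly places in a phase (other phases are not restricted).
ALLOWED = {
    "examination": {"forensic_investigator", "expert_witness"},
    "report_publishing": {"forensic_investigator", "expert_witness",
                          "defense", "prosecution"},
}
# Listed by the paper as able to affect evidence, but never as legitimate custodians.
UNTRUSTED = {"victim", "suspect", "passerby"}

def check_log(log: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per violation; an empty list means the log is consistent."""
    findings, reached = [], -1          # reached: index of the furthest phase seen
    for i, (phase, role) in enumerate(log):
        if phase in ORDER:
            idx = ORDER.index(phase)
            if idx > reached + 1:       # a predecessor phase never appeared
                findings.append(f"#{i}: {phase} reached before {ORDER[reached + 1]}")
            reached = max(reached, idx)
        elif phase not in ANYTIME:
            findings.append(f"#{i}: unknown phase {phase!r}")
            continue
        if role in UNTRUSTED:
            findings.append(f"#{i}: contact by {role} during {phase}")
        elif phase in ALLOWED and role not in ALLOWED[phase]:
            findings.append(f"#{i}: {role} is not placed in {phase} by the model")
    return findings

def demo() -> List[str]:
    """Constructed log with three violations."""
    log = [("identification_collection", "first_responder"),
           ("transport", "law_enforcement"),
           ("examination", "forensic_investigator"),
           ("examination", "police_officer"),               # not placed in examination
           ("storage", "suspect"),                          # untrusted contact
           ("closing_archiving", "forensic_investigator")]  # skips report_publishing
    return check_log(log)
```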
3. Conclusions
In all phases of a forensic investigation, different profiles of personnel come into contact with digital evidence.
Through the entire life cycle of digital evidence, there are threats that can affect its integrity and thus, in the end, the court's decision. The goal of this document is to show the weaknesses that are a consequence of this and to define a life cycle of digital evidence.
Further research will focus on the problem of how to implement a framework to securely maintain digital evidence and the chain of custody of digital evidence, which will help investigators to safely handle evidence.
Fig. 2 Chain of Digital Evidence based model of digital forensic investigation process [10].
References
[1] M. Pollitt, Six blind men from Indostan: digital forensic research workshop, in: DFRWS - Digital Forensic Research Workshop, 2004.
[2] R. Ieong, FORZA - digital forensics investigation framework that incorporate legal issues, Digital Investigation 3 (2006) 29-36.
[3] A. Sammes, B. Jenkinson, Forensic Computing: A Practitioner's Guide (Practitioner Series), Springer-Verlag, New York, 2000.
[4] M. Pollitt, A. Whitledge, Exploring big haystack, data mining and knowledge management, in: Advances in Digital Forensics II, IFIP, 2006.
[5] C. Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2004, p. 690.
[6] E. Casey, Digital Evidence and Computer Crime, 3rd ed., Academic Press, 2011, p. 807.
[7] C.G. Keith, Chain of custody, 2006.
[8] M. Nagaraja, Investigator's chain of custody in digital evidence recovery, Indian Police Service, pp. 1-7.
[9] B.J. Patzakis, Maintaining the digital chain of custody, in: IFOSEC, 2003.
[10] J. Cosic, Z. Cosic, M. Baca, Chain of digital evidence based model of digital forensic investigation process, International Journal of Computer Science and Information Security 9 (8) (2011) 18-24.
[11] N. Bartlow, Establishing the digital chain of evidence in biometric systems, Doctoral Dissertation, Virginia University, USA, 2009.
[12] N. Kuntze, R. Carsten, Secure digital chain of evidence, in: 6th International Workshop on Systematic Approaches to Digital Forensic Engineering, 2011.
[13] J. Cosic, M. Baca, Do we have full control over integrity in digital evidence life cycle?, in: 32nd International Conference on Information Technology Interfaces (ITI), 2010, pp. 429-434.
[14] J. Cosic, M. Baca, A framework to (im)prove chain of custody in digital investigation process, in: Proceedings of the 21st Central European Conference on Information and Intelligent Systems, 2010.
[15] J. Cosic, Z. Cosic, M. Baca, An ontological approach to study and manage digital chain of custody of digital evidence, Journal of Information and Organizational Sciences 35 (1) (2011) 1-13.
[16] IOCE Principles and definition, IOCE Conference, 1999, available online at: http://www.ioce.org/core.php?ID=5.
[17] IOCE, Guidelines for best practice in the forensic examination of digital technology, 2002.
[18] J. Cosic, Z. Cosic, M. Baca, Modeling digital evidence management and dynamics using Petri nets, Computer Technology and Application 2 (2011) 545-549.
[19] H.M. Gail, Best Practices for Digital Archiving: An Information Life Cycle Approach, 2000, available online at: http://www.dlib.org/dlib/january00/01hodge.html, accessed: October 01, 2011.