cta vol.3, no.2,2012.pdf cosic

Upload: jasmincosic

Post on 06-Apr-2018


  • 8/2/2019 Cta Vol.3, No.2,2012.PDF Cosic


    Publication Information:

    Computer Technology and Application is published monthly in hard copy (ISSN1934-7332) and online

    (ISSN1934-7340) by David Publishing Company located at 9460 Telstar Ave Suite 5, EL Monte, CA 91731, USA.

    Aims and Scope:

    Computer Technology and Application, a monthly professional academic journal, particularly emphasizes practical

    application of up-to-date technology in realm of computer and other relevant fields. And articles interpreting

    successful policies, programs or cases are also welcome.

    Editorial Board Members:

    Vyacheslav Tuzlukov (South Korea)
    William R. Simpson (United States)
    Christian Gontrand (France)
    Yixun Shi (United States)
    Yuri Pavlov Pavlov (Bulgaria)

    Manuscripts and correspondence are invited for publication. You can submit your papers via web submission, or

    E-mail to [email protected]. Submission guidelines and the web submission system are available at http://www.davidpublishing.org.

    Editorial Office:

    9460 Telstar Ave Suite 5, EL Monte, CA 91731, USA

    Tel: 1-323-984-7526

    Fax: 1-323-984-7374

    E-mail: [email protected]

    Copyright 2012 by David Publishing Company and individual contributors. All rights reserved. David Publishing

    Company holds the exclusive copyright of all the contents of this journal. In accordance with the international

    convention, no part of this journal may be reproduced or transmitted by any media or publishing organs (including

    various websites) without the written permission of the copyright holder. Otherwise, any conduct would be

    considered as the violation of the copyright. The contents of this journal are available for any citation. However, all

    the citations should be clearly indicated with the title of this journal, serial number and the name of the author.

    Abstracted / Indexed in:

    Database of EBSCO, Massachusetts, USA
    Chinese Database of CEPS, Airiti Inc. & OCLC
    CSA Technology Research Database
    Ulrich's Periodicals Directory
    Summon Serials Solutions

    Norwegian Social Science Data Services (NSD), Norway

    Chinese Scientific Journals Database, VIP Corporation, Chongqing, China

    Subscription Information:

    Price (per year):

    Print $520; Online $360; Print and Online $680

    David Publishing Company

    9460 Telstar Ave Suite 5, EL Monte, CA 91731, USA

    Tel: 1-323-984-7526 Fax: 1-323-984-7374

    E-mail: [email protected]

    David Publishing Company

    www.davidpublishing.org


    Computer Technology and Application 3 (2012) 126-129

    Chain of Custody and Life Cycle of Digital Evidence

    Jasmin Cosic (1) and Zoran Cosic (2)

    1. Ministry of Interior of Una-sana canton, Bihac, Bosnia and Herzegovina

    2. Statheros, Kastel Stari, Split, Croatia

    Received: December 22, 2011 / Accepted: January 04, 2012 / Published: February 25, 2012.

    Abstract: The life cycle and chain of custody of digital evidence are very important parts of the digital investigation process. It is very difficult to maintain and prove the chain of custody. Investigators and expert witnesses must know all the details of how the evidence was handled at every step of the way. At each stage in the life cycle of digital evidence there are many influences (human, technical and natural) that can compromise the digital evidence. This paper presents the basic concept of the chain of custody of digital evidence and the life cycle of digital evidence. It will address the phases of the life cycle in digital archiving. The authors also warn of certain shortcomings in terms of answering specific questions, and give some basic definitions.

    Key words: Digital evidence, digital forensic, chain of custody, digital evidence integrity, life cycle of digital evidence.

    1. Introduction

    There are many definitions of digital forensics and digital evidence. On the question "What is Digital Forensics?", Pollitt highlighted in Ref. [1] that digital forensics is not an elephant; it is a process, and not just one process but a group of tasks and processes in an investigation. In fact, many digital forensics investigation processes and tasks were defined around technical implementation details. Investigation procedures developed by traditional forensic scientists focused on the procedures for handling the evidence, while those developed by technologists focused on the technical details of capturing evidence [2]. One of the many definitions is that digital forensics can be defined as the application of science and engineering to the legal problem of digital evidence [3]. According to Pollitt and Whitledge [4], digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings.

    Zoran Cosic, M.Sc., Ph.D. candidate, research fields: information science, computer science.

    Corresponding author: Jasmin Cosic, dipl.ing.IT, Ph.D. candidate, research fields: information science, computer science, digital forensic. E-mail: [email protected], [email protected].

    The notion of digital evidence covers any relevant digital data sufficient to prove a crime. Digital data on computer and network storage media is one kind of physical evidence, including patterns of text, pictures, voice and images. Data with the properties of undifferentiated copying, original authorship that is hard to authenticate, and data verification can also be called computer evidence or digital evidence, which is stored on computer and network storage media by electromagnetic means. In other words, computer storage media or electromagnetic storage on a network can be used as crime evidence [5-6].

    In all phases of a forensic investigation, digital evidence is susceptible to external influences and comes into contact with many factors.

    In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept; that is, it must be known exactly who came into contact with the evidence, when and where, in each stage of the investigation. The phrase chain of custody refers to the accurate auditing control of original evidence material that could potentially be used for legal purposes [7-10]. The purpose of testimony concerning the chain of custody is to prove that the evidence has not been altered or changed through all phases, and it must include documentation on how the evidence was gathered, how it was transported, analyzed and presented. Knowing the current location of the original evidence is not enough for the court; there must be accurate logs tracking the evidence material at all times. Access to the evidence must be controlled and audited [7-12].

    To prove the chain of custody, we must know all the details of how the evidence was handled every step of the way. The old formula used by police, journalists and researchers, "Who, What, When, Where, Why, and How" (Five Ws and one H) [13-14], can be applied to help in a digital forensic investigation. The function for the Chain of Custody of Digital Evidence [15] can be presented as in (1):

    CoCoDE = f{ fingerprint_of_file,          // what
                biometrics_characteristics,  // who
                time_stamp,                  // when
                gps_location,                // where
                reason,                      // why
                set_of_procedures };         // how          (1)
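As an added illustration of how the six components of (1) can be kept as a tamper-evident custody log, the following is example code written for this edition of the page, not the authors' implementation; SHA-256 as the file fingerprint, a named handler standing in for biometric characteristics, and hash-linking of successive records are assumptions of the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed sample standing in for the bytes of an acquired disk image.
SAMPLE_EVIDENCE = b"constructed sample: contents of an acquired disk image"

def fingerprint(data: bytes) -> str:
    """'what': fingerprint of the evidence file (SHA-256 is an assumed choice)."""
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class CoCEntry:
    """One handling step, carrying the six components of the paper's CoCoDE function."""
    fingerprint_of_file: str  # what
    handler: str              # who (a named handler stands in for biometric characteristics)
    time_stamp: str           # when (ISO 8601, UTC)
    gps_location: str         # where
    reason: str               # why
    procedure: str            # how
    prev_hash: str            # digest of the previous record; links the records into a chain

    def digest(self) -> str:
        # Canonical JSON so the same record always hashes to the same value.
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

def append_entry(chain: List[CoCEntry], evidence: bytes, handler: str, time_stamp: str,
                 gps_location: str, reason: str, procedure: str) -> CoCEntry:
    """Record one handling step; the first record is anchored to an all-zero hash."""
    prev_hash = chain[-1].digest() if chain else "0" * 64
    entry = CoCEntry(fingerprint(evidence), handler, time_stamp, gps_location,
                     reason, procedure, prev_hash)
    chain.append(entry)
    return entry

def verify_chain(chain: List[CoCEntry], evidence: bytes) -> Optional[str]:
    """Return None if custody is intact, otherwise describe the first break found."""
    expected_prev = "0" * 64
    current_fp = fingerprint(evidence)
    for i, entry in enumerate(chain):
        if entry.prev_hash != expected_prev:
            return f"entry {i}: link broken, an earlier record was altered or removed"
        if entry.fingerprint_of_file != current_fp:
            return f"entry {i}: fingerprint does not match the file now in custody"
        expected_prev = entry.digest()
    return None
```

Altering or deleting any record other than the last one breaks a link and is reported by verify_chain. Truncation of the tail is only detectable if the latest digest is also held outside the log, for example signed or deposited with the court file.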

    2. Life Cycle of Digital Evidence

    The process of collecting digital evidence must begin in a lawful way. In other words, if there is a forensic investigation, the competent prosecution or court must issue the order to initiate the investigation, and if there is a corporate internal investigation, management or the supervisory board must agree to the investigation. In both cases, the approval must be a written document.

    The situation differs between countries in relation to who first comes into contact with digital evidence. In some there are specialized units (first response forces) trained in how to handle this type of evidence, while in other countries this job is done by law enforcement personnel (police officers) who are not trained to do it.

    According to the International Organization on Computer Evidence (IOCE) [16-17], when it is necessary for a person to access original digital evidence, that person should be trained for the purpose. In many cases this is not possible, because forensics is a very complex science and requires a high level of expertise to work with the evidence.

    List of personnel who can act on the digital evidence:

    First responders;
    Forensic investigators;
    Court expert witnesses;
    Law enforcement personnel;
    Police officers (crime inspectors);
    Victim;
    Suspect;
    Passerby.

    Each of the above-mentioned persons can affect the evidence in a particular situation, and therefore it is very important to know the answer to the question "Who is coming into contact with the evidence?".

    Fig. 1 illustrates the impact of the human factor in all investigation stages and the life cycle of digital evidence [18]. It also emphasizes the most critical things in the first phase of a digital forensic investigation. As we can see in the figure, the life cycle of digital evidence is very complex, and at each stage there are many influences that can violate the chain of custody. If the digital evidence is used in an international investigation, this life cycle is even more complex and it is more difficult to maintain the chain of custody.

    There is no explicit definition of the life cycle of digital evidence, but a definition from digital files and digital archiving can be used. According to Hodge [19], in Best Practices for Digital Archiving: An Information Life Cycle Approach, there are a few phases in the information life cycle:

    Creation;
    Acquisition and collection;
    Identification and cataloguing;
    Storage;
    Preservation;
    Access.


    Fig. 1 Life cycle of digital evidence modeled with Petri nets [18].

    There are some similarities with the life cycle of digital evidence. The first phase of the digital evidence life cycle is not creation, because in the digital investigation process we already have a digital file that was previously created. That file will become digital evidence in the future. The first phase of the digital evidence life cycle is Identification and Collection. In this phase, digital forensic investigators must search a vast amount of material to find something of interest (the Iceberg principle). This phase is very complex and there are many influences that can violate the chain of custody.

    The next stage of the life cycle is Examination. In this stage, contact with the digital evidence can occur by the forensic investigators and expert witnesses. The examination phase implies identification of potential digital evidence and its separation from the other large amount of digital files.

    Storage and transport are phases that always occur in this cycle. At all times the chain of custody of digital evidence must be kept. The next phase in the digital evidence life cycle is Report/Publishing. This is not the final phase. In this phase, the digital evidence is presented by the Defense/Prosecution side, and at this stage contact with the digital evidence can occur by the forensic investigators, expert witnesses, defense and prosecution. The results of the forensic investigation will be presented. At the end, there is a closing case phase in which the digital evidence can be stored and archived.

    When we consider all these aspects and facts, it can be said that the life cycle of digital evidence begins with identification and collection, continues with examination, report and publishing, and ends with storing and archiving.

    Fig. 2 [10] illustrates a forensic model based on the phases in the life cycle of digital evidence.

    3. Conclusions

    In all phases of a forensic investigation, different profiles of personnel come into contact with digital evidence.

    Through the entire life cycle of digital evidence, there are threats that can affect its integrity and thus, in the end, the court's decision. The goal of this document is to show the weaknesses that are a consequence of this and to define a life cycle of digital evidence.

    Further research will be focused on the problem of how to implement a framework to securely maintain digital evidence and the chain of custody of digital evidence, which will help investigators to safely handle evidence.


    Fig. 2 Chain of Digital Evidence based model of digital forensic investigation process [10].

    References

    [1] M. Pollitt, Six blind men from Indostan: digital forensic research workshop, in: DFRWS-Digital Forensic Research Workshop, 2004.
    [2] R. Ieong, FORZA: digital forensics investigation framework that incorporate legal issues, Digital Investigation 3 (2006) 29-36.
    [3] A. Sammes, B. Jenkinson, Forensic Computing: A Practitioner's Guide (Practitioner Series), Springer-Verlag, New York, 2000.
    [4] M. Pollitt, A. Whitledge, Exploring big haystack, data mining and knowledge management, in: Advances in Digital Forensic II, IFIP, 2006.
    [5] C. Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2004, p. 690.
    [6] E. Casey, Digital Evidence and Computer Crime, 3rd ed., Academic Press, 2011, p. 807.
    [7] C.G. Keith, Chain of custody, 2006.
    [8] M. Nagaraja, Investigator's chain of custody in digital evidence recovery, Indian Police Service, pp. 1-7.
    [9] B.J. Patzakis, Maintaining the digital chain of custody, in: IFOSEC, 2003.
    [10] J. Cosic, Z. Cosic, M. Baca, Chain of digital evidence based model of digital forensic investigation process, International Journal of Computer Science and Information Security 9 (8) (2011) 18-24.
    [11] N. Bartlow, Establishing the digital chain of evidence in biometric systems, Doctoral Dissertation, Virginija University, USA, 2009.
    [12] N. Kuntze, R. Carsten, Secure digital chain of evidence, in: 6th International Workshop on Systematic Approaches to Digital Forensic Engineering, 2011.
    [13] J. Cosic, M. Baca, Do we have full control over integrity in digital evidence life cycle?, in: 32nd International Conference on Information Technology Interfaces (ITI), 2010, pp. 429-434.
    [14] J. Cosic, M. Baca, A framework to (im)prove chain of custody in digital investigation process, in: Proceedings of the 21st Central European Conference on Information and Intelligent Systems, 2010.
    [15] J. Cosic, Z. Cosic, M. Baca, An ontological approach to study and manage digital chain of custody of digital evidence, Journal of Information and Organizational Sciences 35 (1) (2011) 1-13.
    [16] IOCE Principles and definition, IOCE Conference, 1999, available online at: http://www.ioce.org/core.php?ID=5.
    [17] IOCE, Guidelines for best practice in the forensic examination of digital technology, 2002.
    [18] J. Cosic, Z. Cosic, M. Baca, Modeling digital evidence management and dynamics using Petri nets, Computer Technology and Application 2 (2011) 545-549.
    [19] H.M. Gail, Best Practices for Digital Archiving: An Information Life Cycle Approach, 2000, available online at: http://www.dlib.org/dlib/january00/01hodge.html, accessed: October 01, 2011.