demf cosic&baca ceciis2010 - presentation

Upload: jasmincosic

Post on 10-Apr-2018


TRANSCRIPT

  • 8/8/2019 DEMF Cosic&Baca CECIIS2010 - presentation

    1/15

    A Framework to (Im)Prove Chain of Custody in Digital Investigation Process?

    Central European Conference on Information and Intelligent Systems CECIIS 2010

    [ September 22nd - 24th, 2010 - Varaždin, Croatia ]

    Jasmin Ćosić* and Miroslav Bača**

    *IT Section of Police Administration, Ministry of Interior of Una-Sana Canton, Bihać, B&H
    jascosic[at]bih[dot]net[dot]ba

    **Faculty of Organization and Informatics, University of Zagreb, Zagreb, Croatia
    miroslav[dot]baca[at]foi[dot]hr

    2/15

    09/23/10 2

    Contents

    • Introduction
    • Chain of Custody (Chain of Evidence)
    • Digital integrity (integrity of digital evidence)
    • Proposed DEMF - Digital Evidence Management Framework
    • Conclusion and Further Research


    3/15


    Introduction

    Digital Forensics and Digital Evidence?

    Digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings (Pollitt and Whitledge [2]).

    Digital evidence is any relevant digital data sufficient to prove a crime, held on computer and network storage media; it is a kind of physical evidence and includes patterns such as text, pictures, sound and images (Casey [4]).

    In all phases of a forensic investigation, digital evidence is susceptible to external influences and comes into contact with many factors.



    4/15


    Introduction

    Chain of Custody or Chain of Evidence?

    For evidence to be accepted by the court as valid, the chain of custody for digital evidence must be maintained. Some authors use the term "chain of evidence" instead of "chain of custody".

    The purpose of testimony concerning the chain of custody is to prove that the evidence has not been altered or changed through all phases; it must include documentation on how the evidence was gathered, transported, analyzed and presented.

    Access to the evidence must be controlled and audited.



    5/15


    Introduction

    Chain of Custody or Chain of Evidence?

    Today most law enforcement agencies have some type of evidence handling system that has been unchanged since the 1950s: the "system" is a single room or a set of rooms!

    In some countries agencies use bar codes or RFID to track evidence, but in most cases a paper chain of custody is primary.



    6/15


    Introduction

    To prove the chain of custody, we must know all the details of how the evidence was handled every step of the way. The old formula used by police, journalists and researchers, Who, What, When, Where, Why and How, the "Five Ws" (and one H) [11], can be applied to help in a digital forensic investigation:

    • WHAT? What is the evidence?
    • HOW? How did investigators get the evidence?
    • WHEN? When was it collected and used?
    • WHO? Who handled it?
    • WHY? Why did that person handle it?
    • WHERE? Where did it travel, where was it stored?



    7/15


    Digital integrity

    Digital integrity is the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source. [8]

    Adopted methods for digitally signing evidence in order to (im)prove its integrity:

    • CRC (Cyclic Redundancy Check)
    • Hash function
    • Digital signature
    • Timestamp
    • Encryption
    • Watermarking

    Every method has its advantages and disadvantages [9]: a CRC detects accidental corruption but not deliberate modification, a bare hash must itself be protected from substitution, and encryption alone gives confidentiality rather than integrity; a digital signature or a timestamp token binds the hash to a key holder or to a time authority.



    8/15


    Concept of proposed DEMF

    DEMF = f{ fingerprint_of_file,        // WHAT
              biometrics_characteristic,  // WHO
              time_stamp,                 // WHEN
              gps_location };             // WHERE   [5]

    • WHAT: use a SHA-2 hash function
    • WHO: use a biometric characteristic
    • WHEN: use a digital timestamp
    • WHERE: use GPS



    9/15

    DEMF construction (diagram):

    Digital evidence -> calculating a hash (SHA-2) -> hash data                          WHAT?
    + authentication with biometric characteristics (fingerprint or iris)
      -> hash data + biometric characteristic                                            WHO?
    + adding a timestamp (e.g. 12.12.2009 19:00)
      -> hash data + biometric characteristic + timestamp                                WHEN?
    + adding a GPS location
      -> hash data + biometric characteristic + timestamp + location                     WHERE?
    + PKI: the result is signed with the private key and verified with the public key    WHY? HOW?
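The construction on the two slides above, as an added worked example that is not the authors' code: it builds the DEMF tuple for a constructed evidence blob, fingerprints it with SHA-256 (the SHA-2 step), stores a hash of the handler's biometric template as the WHO field, attaches the timestamp shown on the diagram and a GPS string, and signs the whole tuple with an ECDSA P-256 key that stands in for the PKI private key. Assumptions not in the slides: the field and JSON names, JSON as the canonical serialisation that gets signed, a hashed template standing in for a biometric match against the template database, and the local clock standing in for a TSA-issued timestamp token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// DEMFRecord is one evidence record in the shape of the DEMF tuple on the slide:
// WHAT (file fingerprint), WHO (biometric characteristic), WHEN (timestamp),
// WHERE (GPS location). Field and JSON names are this example's own choice.
type DEMFRecord struct {
	FingerprintOfFile       string    `json:"fingerprint_of_file"`       // WHAT: SHA-256 of the evidence bytes
	BiometricCharacteristic string    `json:"biometrics_characteristic"` // WHO: SHA-256 of the handler's template (assumed stand-in)
	TimeStamp               time.Time `json:"time_stamp"`                // WHEN: local clock here; a real system uses a TSA token
	GPSLocation             string    `json:"gps_location"`              // WHERE: string as supplied by the GPS receiver
}

// FingerprintFile computes the SHA-2 (SHA-256) fingerprint of the evidence.
func FingerprintFile(evidence []byte) string {
	sum := sha256.Sum256(evidence)
	return hex.EncodeToString(sum[:])
}

// NewRecord builds the DEMF tuple. Only a hash of the biometric template is
// stored, so the record can be shared without leaking the template itself.
func NewRecord(evidence, biometricTemplate []byte, when time.Time, gps string) DEMFRecord {
	tmpl := sha256.Sum256(biometricTemplate)
	return DEMFRecord{
		FingerprintOfFile:       FingerprintFile(evidence),
		BiometricCharacteristic: hex.EncodeToString(tmpl[:]),
		TimeStamp:               when.UTC(),
		GPSLocation:             gps,
	}
}

// digest serialises the record deterministically and hashes it; this is the
// value the PKI step actually signs.
func digest(r DEMFRecord) ([]byte, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// SignRecord is the PKI step of the diagram: the handler's private key signs
// the hash of the whole tuple, binding WHAT, WHO, WHEN and WHERE together.
func SignRecord(priv *ecdsa.PrivateKey, r DEMFRecord) ([]byte, error) {
	d, err := digest(r)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

// VerifyRecord checks the signature with the public key. A change to any
// field of the record makes it fail.
func VerifyRecord(pub *ecdsa.PublicKey, r DEMFRecord, sig []byte) bool {
	d, err := digest(r)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, d, sig)
}

// EvidenceMatches re-fingerprints the evidence and compares it with the
// signed WHAT field: the check a later handler runs before accepting it.
func EvidenceMatches(r DEMFRecord, evidence []byte) bool {
	return r.FingerprintOfFile == FingerprintFile(evidence)
}

func main() {
	// Constructed sample input: an "evidence file", a handler's biometric
	// template, and the time shown on the slide's diagram.
	evidence := []byte("constructed disk image bytes")
	template := []byte("constructed fingerprint minutiae template")
	when := time.Date(2009, 12, 12, 19, 0, 0, 0, time.UTC)

	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // handler's PKI key pair (stand-in)
	if err != nil {
		panic(err)
	}

	rec := NewRecord(evidence, template, when, "44.81N 15.87E")
	sig, err := SignRecord(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("record verifies:", VerifyRecord(&priv.PublicKey, rec, sig))
	fmt.Println("evidence matches:", EvidenceMatches(rec, evidence))

	// Tampering with either the evidence or the record is detected.
	fmt.Println("altered evidence matches:", EvidenceMatches(rec, append(evidence, '!')))
	rec.GPSLocation = "elsewhere"
	fmt.Println("altered record verifies:", VerifyRecord(&priv.PublicKey, rec, sig))
}
```

Verification by a later handler is two checks: the signature over the tuple (VerifyRecord) and a fresh fingerprint of the evidence against the signed WHAT field (EvidenceMatches); if either fails, the record or the evidence was altered after signing. A real deployment would replace the local clock with a TSA token over the same digest and take the WHO field from an actual biometric match against the template database listed under the prerequisites.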


    10/15


    Prerequisite for implementation

    Template database with biometric characteristics of:

    • First responders
    • Forensic investigators
    • Court expert witnesses
    • Law enforcement personnel
    • Police officers (crime inspectors)
    • Others who handle digital evidence

    Time stamp authority (TSA) system
    GPS system
    PKI system



    11/15


    Prerequisite for implementation

    Today most countries have a database with some biometric characteristics of citizens (fingerprint, iris, face).

    A TSA system can be implemented on the intranet or can be used from outside.

    Countries around the world have a PKI and firms that can digitally sign a document (in Croatia, FINA).



    12/15


    Prerequisite for implementation

    Implementation in a real environment -> next step!



    13/15


    Conclusion and further research

    In this research the authors have dealt with a conceptual framework for digital evidence management and the chain of evidence in the forensic investigation process.

    A conceptual DEMF (Digital Evidence Management Framework) is presented at a high-level view. With this framework a secure, reliable and useful system can be implemented which will enable a secure chain of custody for digital evidence.

    Future work will be based on implementing this framework in a real environment and testing its functionality.



    14/15


    References

    [1] Sammes A, Jenkinson B: Forensic Computing: A Practitioner's Guide. Springer-Verlag, New York; 2000

    [2] Pollitt M, Whitledge A: Exploring Big Haystacks: Data Mining and Knowledge Management. Advances in Digital Forensics II, IFIP; 2006

    [3] Ćosić J, Bača M: Computer forensic - broad aspects of its application, INFOTEH-JAHORINA, B&H, Vol. 9, Ref. E-VI-9, pp. 857-860, March 2010

    [4] Casey E: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press; 2000

    [5] Ćosić J, Bača M: Do we have a full control over integrity in digital evidence life cycle?, Proceedings of ITI 2010, 32nd International Conference on Information Technology Interfaces, Dubrovnik/Cavtat, pp. 429-434, 2010

    [6] Yaeger R: Criminal Computer Forensic Management. InfoSec Conference, USA; 2006

    [7] Media Awareness Network. http://www.media-awareness.ca/english/resources/special_initiatives/wa_resources/wa_shared/tipsheets/5Ws_of_cyberspace.cfm [accessed 12/20/2009]

    [8] Menezes A, van Oorschot P, Vanstone S: Handbook of Applied Cryptography, CRC Press; 1997

    [9] Ćosić J, Bača M: (Im)proving chain of custody and digital evidence integrity with time stamp, MIPRO 2010, 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, pp. 171-175, 2010

    [10] Hosmer C: Proving the Integrity of Digital Evidence with Time, International Journal of Digital Evidence, Spring 2002, Vol. 1, Issue 1

    [11] Willassen S: Hypothesis-Based Investigation of Digital Timestamps, IFIP, Advances in Digital Forensics IV, pp. 75-86, 2008

    [12] Strawn C: Expanding the Potential for GPS Evidence Acquisition, Small Scale Digital Device Forensics Journal, Vol. 3, No. 1, 2009


    15/15


    Any questions?

    Thank you for your attention