8/8/2019 DEMF Cosic&Baca CECIIS2010 - presentation
A Framework to (Im)Prove Chain of Custody in Digital Investigation Process?
Central European Conference on Information and Intelligent Systems CECIIS 2010
[ September 22nd - 24th, 2010 - Varaždin, Croatia ]
Jasmin Ćosić* and Miroslav Bača**
*IT Section of Police Administration, Ministry of Interior of Una-sana canton, Bihać, B&H
jascosic[at]bih[dot]net[dot]ba
**Faculty of Organization and Informatics, University of Zagreb, Zagreb, Croatia
miroslav[dot]baca[at]foi[dot]hr
09/23/10 2
Contents
- Introduction
- Chain of Custody (Chain of Evidence)
- Digital integrity (integrity of digital evidence)
- Proposed DEMF - Digital Evidence Management Framework
- Conclusion and Further Research
Introduction
Digital Forensic and Digital Evidence?

Digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings. [Pollit and Whiteledge]

Digital evidence is any constitution or relevant digital data enough to prove crime in computer and network storage media, one kind of physical evidence, including patterns with text, picture, voice and image. [Casey E.]

In all phases of forensic investigation, digital evidence is susceptible to external influences and comes into contact with many factors.
Introduction
Chain of Custody or Chain of Evidence?

In order for the evidence to be accepted by the court as valid, chain of custody for digital evidence must be kept.

Some authors use the term chain of evidence instead of chain of custody.

The purpose of testimony concerning chain of custody is to prove that evidence has not been altered or changed through all phases, and it must include documentation on how evidence is gathered, transported, analyzed and presented.

Access to the evidence must be controlled and audited.
Introduction
Chain of Custody or Chain of Evidence?

Today most law enforcement agencies have some type of evidence handling system that is unchanged since the 1950s.

The system is a single room or rooms!

In some countries agencies use a bar code or RFID to track evidence, but in most cases a paper chain of custody is primary.
Introduction
To prove the chain of custody, we must know all the details on how the evidence was handled every step of the way. The old formula used by police, journalists and researchers - Who, What, When, Where, Why, and How - "Five Ws" (and one H) [11] can be applied to help in digital forensic investigation:

- WHAT? What is the evidence?
- HOW? How did investigators get the evidence?
- WHEN? When was it collected and used?
- WHO? Who handled it?
- WHY? Why did that person handle it?
- WHERE? Where did it travel, where was it stored?
Digital integrity
Digital integrity is the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source. [8]

Adopted methods for digitally signing evidence in order to (im)prove its integrity:

- CRC (Cyclic Redundancy Check)
- Hash function
- Digital signature
- Timestamp
- Encryption
- Watermarking

Every function has advantages and disadvantages [9]
Concept of proposed DEMF

DEMF = f{ fingerprint_of_file,         //what
          biometrics_characteristic,   //who
          time_stamp,                  //when
          gps_location };              //where   [5]

- WHAT - use a SHA-2 hash function
- WHO - use biometrics characteristics
- WHEN - use a digital timestamp
- WHERE - use GPS
[Diagram: Digital evidence -> calculating a hash (SHA-2) -> hash data (WHAT?) -> authentication with biometrics characteristics (fingerprint or iris) -> hash data + biometrics characteristic (WHO?) -> adding a timestamp -> hash data + biometrics characteristic + timestamp (WHEN?) -> adding a location (GPS location) -> hash data + biometrics characteristic + timestamp + location (WHERE?) -> PKI (private key, public key). WHY? and HOW? are also labelled in the diagram.]
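Added example, not part of the original presentation or the authors' implementation: a sketch of a DEMF-style custody log in which each handling event records WHAT, WHO, WHEN and WHERE, is sealed, and is linked to the previous event so that later alteration or removal of a record is detectable. It goes beyond the slide by chaining records. Assumptions: HMAC-SHA256 stands in for the PKI private-key signature, the biometric match is done elsewhere and yields an enrolled template ID, the timestamp string would come from a TSA, and all names and sample values are constructed.

```python
import hashlib
import hmac
import json

def _seal(body, key):
    # Canonical JSON so the same fields always serialise to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    # Assumption: HMAC-SHA256 stands in for the PKI private-key signature.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def add_event(chain, evidence, template_id, timestamp, gps, key):
    """Append one custody event (WHAT, WHO, WHEN, WHERE) linked to the previous seal."""
    body = {
        "what": hashlib.sha256(evidence).hexdigest(),  # SHA-2 fingerprint of the file
        "who": template_id,                            # ID of the matched biometric template
        "when": timestamp,                             # would be issued by a TSA
        "where": list(gps),                            # (latitude, longitude)
        "prev": chain[-1]["seal"] if chain else None,  # link to the previous event
    }
    record = dict(body, seal=_seal(body, key))
    chain.append(record)
    return record

def verify_chain(chain, evidence, key):
    """Return (index, problem) findings; an empty list means the log is intact."""
    findings = []
    digest = hashlib.sha256(evidence).hexdigest()
    prev = None
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "seal"}
        if not hmac.compare_digest(rec["seal"], _seal(body, key)):
            findings.append((i, "record altered after sealing"))
        if rec["prev"] != prev:
            findings.append((i, "link to previous record broken"))
        if rec["what"] != digest:
            findings.append((i, "evidence hash mismatch"))
        prev = rec["seal"]
    return findings

# Constructed sample data (not from the presentation).
KEY = b"demo-signing-key"
IMAGE = b"constructed disk image bytes"
CHAIN = []
add_event(CHAIN, IMAGE, "template-0001", "2009-12-12T19:00:00Z", (45.0, 16.0), KEY)
add_event(CHAIN, IMAGE, "template-0002", "2009-12-13T09:30:00Z", (45.5, 16.5), KEY)
```
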
Prerequisite for implementation

- Template database with biometrics characteristics of:
  - First responders,
  - Forensic investigators,
  - Court expert witnesses,
  - Law enforcement personnel,
  - Police officers (crime inspectors),
  - Others who handle digital evidence
- Time stamp authority (TSA) system
- GPS system
- PKI system
Prerequisite for implementation

- Today most countries have a database with some biometric characteristics of citizens (finger, iris, face).
- A TSA system can be implemented in an intranet or can be used from outside.
- All countries around the world have a PKI and some firm that can digitally sign a document (FINA).
Prerequisite for implementation

Implementation in real environment -> next step!
Conclusion and further research

In this research the authors have dealt with a conceptual framework for digital evidence management and chain of evidence in the forensic investigation process.

A conceptual DEMF (Digital Evidence Management Framework) is presented at a high level. With this framework, a secure, reliable and useful system can be implemented which will enable a secure chain of custody of digital evidence.

Future work will be based on implementing this framework in a real environment and testing its functionality.
Reference

[1] Sammes A, Jenkinson B: Forensic Computing: A Practitioner's Guide. Springer-Verlag, New York; 2000
[2] Pollit M, Whiteledge A: Exploring big Haystacks. Data Mining and Knowledge Management. Advances in Digital Forensic II. IFIP; 2006
[3] Ćosić J, Bača M: Computer forensic - broad aspects of its application, INFOTEH-JAHORINA, B&H, Vol. 9, Ref. E-VI-9, p. 857-860, March 2010.
[4] Casey E: Handbook of Computer Crime: Forensic Science, Computer and the Internet. Academic Press; 2000
[5] Ćosić J, Bača M: Do we have a full control over integrity in digital evidence life cycle, Proceedings of ITI 2010, 32nd International Conference on Information Technology Interfaces, Dubrovnik/Cavtat, pp. 429-434, 2010
[6] Yaeger R: Criminal Computer Forensic Management. InfoSec Conference, USA; 2006
[7] Media Awareness Network. http://www.media-awareness.ca/english/resources/special_initiatives/wa_resources/wa_shared/tipsheets/5Ws_of_cyberspace.cfm [12/20 2009]
[8] S. Vanstone, P. Van Oorschot & A. Menezes: Handbook of Applied Cryptography, CRC Press, 1997
[9] Ćosić J, Bača M: (Im)proving chain of custody and digital evidence integrity with timestamp, MIPRO, 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, 171-175, 2010
[10] Hosmer C: Proving the Integrity of Digital Evidence with Time, International Journal of Digital Evidence, Spring, 2002, Vol. 1, Issue 1
[11] Willassen S: Hypothesis based investigation of Digital Time stamp, IFIP, Advanced in Digital Forensic IV, pp. 75-86, 2008
[12] Strawn C: Expanding the Potential for GPS Evidence Acquisition, Small Scale digital evidence Forensic Journal, Vol. 3, No. 1, 2009
Any questions?

Thank you for your attention
- .sudskivjestak ikt com. .czb foi hr