
Computer Technology and Application 2 (2011) 545-549

Modeling Digital Evidence Management and Dynamics Using Petri Nets


Jasmin Cosic1, Zoran Cosic2 and Miroslav Baca3

1. IT Section of Police Administration, Ministry of the Interior, Bihac 77000, Bosnia and Herzegovina
2. Statheros, Kaštel Stari, Split, Croatia
3. Faculty of Organization and Informatics, University of Zagreb, Varaždin 42000, Croatia

Zoran Cosic, Mr.Sci., Ph.D. candidate, research fields: information science, computer science. Prof. Miroslav Baca, Ph.D., research fields: information science, computer science, forensics, biometrics. Corresponding author: Jasmin Cosic, Dipl.ing.IT, Ph.D. candidate, research fields: information science, computer science, digital forensics. E-mail: jascosic@bih.net.ba, jascosic@gmail.com.

Received: May 17, 2011 / Accepted: June 09, 2011 / Published: July 25, 2011.

Abstract: In all phases of a forensic investigation, digital evidence is exposed to external influences and comes into contact with many factors. Legal admissibility of digital evidence is the ability of that evidence to be accepted as evidence in a court of law. The life cycle of digital evidence is very complex, and each stage brings further influences that can violate the chain of custody and the integrity of the evidence. Contact with different variables occurs throughout the life cycle of digital evidence and can disrupt its integrity. In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept; that is, it must be known exactly who came into contact with the evidence in each stage of the investigation. This paper presents the dynamics and life cycle of digital evidence. Petri nets are proposed and used for modeling and simulation of this process.

Key words: Digital evidence, digital forensics, chain of custody, digital evidence integrity, digital evidence manipulation, Petri nets.

1. Introduction

Digital forensics can be defined as the application of science and engineering to the legal problem of digital evidence [1]. According to Pollit and Whiteledge [2], digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings. Digital evidence refers to any relevant digital data, held on computer and network storage media, that is sufficient to prove a crime; it is one kind of physical evidence and includes text, pictures, voice and images. Because it can be copied without any difference from the original, its original authors are hard to authenticate and the data must be verified. Such evidence is also called computer evidence or digital evidence, and it is stored on computer and network storage media by electromagnetic means. In other words, computer storage media or electromagnetic storage on a network can be used as crime evidence [3].

In all phases of a forensic investigation, digital evidence is exposed to external influences and comes into contact with many factors. Legal admissibility of digital evidence is the ability of that evidence to be accepted as evidence in a court of law. Digital evidence can only be safeguarded and considered valid if it can be proven that the records are accurate, i.e., by whom and when they were created, and that no alteration has occurred. The process of collecting digital evidence is not so simple, and investigators or first responders (emergency personnel) must know what they are supposed to do on first contact with the evidence [4].

Petri nets are a very good method to show these dynamics. Petri nets are graphical mathematical tools that are suitable for modeling and designing different types of systems. The very approach to system modeling by means of Petri nets faithfully reflects the way events develop in the real world, so that Petri nets can be said to have universal application. One of the major advantages of using Petri nets is that the same methodology can be used for modeling, simulation, and qualitative and quantitative analysis. Some authors present applications of Petri nets for modeling and simulation in manufacturing, logistic systems and scheduling [5]. In this paper, the authors use Petri nets to show the dynamics and life cycle of digital evidence in the digital forensic investigation process.

The paper is organized as follows: Section 1 gives a short introduction; Section 2 describes digital evidence dynamics and management; Section 3 presents a Petri net model; and Section 4 is the conclusion.

2. Digital Evidence Management and Dynamics

In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept; that is, it must be known exactly who came into contact with the evidence in each stage of the investigation. The phrase chain of custody refers to the accurate auditing control of original evidence material that could potentially be used for legal purposes [6]. Some authors use the term chain of evidence instead of chain of custody. The purpose of testimony concerning the chain of custody is to prove that the evidence has not been altered or changed through all phases, and it must include documentation on how the evidence was gathered, transported, analyzed and presented.

There is a lack of scientific papers written on the topic of the life cycle of digital evidence. According to Grundy and Garris [7], the major phases of the digital evidence life cycle are: acquisition, integrity, analysis, reporting and disposal. According to Casey [8], there are also four stages in the process of a forensic investigation: recognition, preservation, classification and reconstruction. The model proposed by Kruse and Heiser [9] includes three stages: evidence acquiring, authentication and analyzing. In earlier works, Cosic and Baca [10-12] warned about this problem and proposed a high-level framework for secure management of digital evidence. This is very important for preserving the integrity of digital evidence and its chain of custody. This paper focuses on all phases of a computer investigation and the life cycle of digital evidence; the authors also address the relevance of the chain of custody and the most critical factor that will determine the integrity of digital evidence.

The process of collecting digital evidence must begin in a lawful way. In other words, if there is a forensic investigation, the competent prosecution or court must issue the order to initiate the investigation; if there is a corporate internal investigation, management or the supervisory board must agree to the investigation. In both cases, approval must be in the form of a written document.

When it comes to the question of who first comes into contact with the digital evidence, it has to be noted that the situation differs from country to country. In some countries there are specialized units (first response teams) that are trained in how to handle this type of evidence, while in others (the Balkan countries) this job is done by law enforcement personnel (police officers) who are not trained to do it. According to the IOCE (International Organization on Computer Evidence), when it is necessary for a person to access original digital evidence, that person should be trained for this purpose. In many cases this is not possible, because forensics is a very complex science and requires a high level of expertise to work with the evidence.

Below is the list of personnel who can act on the digital evidence: first responders; forensic investigators; court expert witness; law enforcement personnel; prosecution; defense; court. The digital evidence life cycle is also affected by: victim; suspect; bystanders. Each of the above-mentioned persons can affect the evidence in a particular situation, and therefore it is very important to know the answer to the question "who is coming into contact with the evidence?".

The lifetime of digital evidence begins with its discovery. This is the first contact with the evidence (the first phase of the life cycle). This phase is very sensitive because it is here that contact with the digital evidence occurs not only by first responders but also by the victim, suspect and bystanders. The life cycle continues with the investigation led by forensic investigators in the stages of collecting, examining, analyzing and reporting. At this stage of the life cycle of digital evidence a significant role is played by the legal expert witness, whose role is intertwined with the role of the forensic investigator. The defense and the prosecution are involved in all phases of the life cycle of digital evidence: acquisition, collecting, examining, analyzing and reporting. The most important phase for the court is the reporting phase. A presentation of this model using Petri nets follows next.

3. Modeling System with Classical Petri Nets


Petri nets are graphical mathematical tools that are suitable for modeling and designing different types of systems. Petri nets were devised by Carl Adam Petri in 1962 to model and analyze processes. They have a strong mathematical basis, and this formal basis makes it possible to make strong statements about the properties of the process being modeled [13].

Petri nets are built up from four different building blocks: places, transitions, tokens and arcs. Places are denoted by a circle (P), transitions by a black rectangle (T), arcs by an arrow (A) and tokens by a black dot. Places represent a participant in the process. For example, in the investigation-phase model a place can represent first responders, forensic investigators, expert witnesses etc. Transitions represent the stochastic or time-based nature of changes in the model. Transitions can be immediate, deterministically time-delayed, or time-delayed according to a probability distribution defined by the user. A transition could represent the interval between the phase of discovery of digital evidence and the phase of collecting or examining. Tokens represent objects in the model; for instance, a .jpg, .pdf or .doc file can be modeled as a token. A token graphically appears as a black dot inside the circle; when too many tokens appear in one place, most applications instead write a number inside the place. Arcs determine the path that tokens take through the model. Arcs can either enable or inhibit movement in the model, depending on their use [5, 13]. When a transition allows the movement of a token it is like a door that opens in the model; the transition is said to have fired when this happens. Apart from modeling the behavior of complex systems, Place-Transition nets were originally designed to assist the analysis of such systems.

The mathematical model of a Petri net is given by its structure $C = (P, T, I, O)$, where $P = \{p_1, p_2, \dots, p_n\}$ is the finite set of places, $T = \{t_1, t_2, \dots, t_m\}$ is the finite set of transitions, $I(t)$ is the input function and $O(t)$ is the output function.

Fig. 1 Petri nets graph of digital evidence dynamics.

Our system is shown in Fig. 1. This system consists of a set of elements. The places where digital evidence resides are shown with p (places). As with humans themselves, the forces that act on digital evidence from humans come in all shapes and sizes and can affect it in a variety of ways. These can be the first responders, forensic investigators, expert witness, defense, prosecution and court. As one might suspect, the forensic investigators themselves are included in the human force of evidence dynamics. Forensic computer investigators should keep in mind that theirs may not be the only evidence being collected; examination by several disciplines may be required [8]. The victim, suspect and bystanders can also be important parameters in this cycle. The victim's interaction with digital evidence is defensive and reactive in nature. The victim can be a regular PC user, a system administrator in a bank or corporation, or a home user. The role of the suspect is to eliminate, hide, destroy or restrict access to the digital evidence, while bystanders can interact with digital evidence in many ways. $T(t)$ is the transition from one phase to another in the digital investigation process (discovery, collection, examination, etc.). Arcs are arrows that link places to transitions and vice versa. Places may not be linked to other places, and transitions may not be linked to other transitions. In Fig. 1, arc A1 connects place p1 to transition t1, arc A2 connects p2 to t1, arc A3 connects t1 to p3, etc.

In this way digital evidence (a .jpg, .doc, .xls or other digital file) is represented by a token which traverses the model. For example, the system shown in Fig. 1 can be presented mathematically as (1):

$C = (P, T, I, O);\quad P = \{p_i\},\ i = 1, 2, \dots, 6;\quad T = \{t_j\},\ j = 1, 2, 3$ (1)

The input and output of transition 1 ($t_1$), for example, can be presented as (2):

$I(t_1) = \{p_1, p_2\};\quad O(t_1) = \{p_3, p_7\}$ (2)

and so on for the remaining transitions.
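The following is an added example, not code from the paper: a minimal place/transition net in the $C = (P, T, I, O)$ form of Section 3, with an enabling rule, a firing rule, and a chain-of-custody log recording who fired each transition. The wiring of t1 follows Eq. (2); a seventh place p7 is assumed because Eq. (2) refers to it, and the wiring of t2 and t3, the actor names and the meaning of each place are assumptions made for illustration.

```python
# Added example (not from the paper). Place/transition net with a custody log.
# t1 wiring follows Eq. (2): I(t1) = {p1, p2}, O(t1) = {p3, p7}.
# t2/t3 wiring, place meanings and actor names are assumptions for illustration.

class PetriNet:
    """Marking M(p) counts tokens (evidence files) held in each place p."""

    def __init__(self, places, inputs, outputs):
        self.marking = {p: 0 for p in places}
        self.I = {t: frozenset(ps) for t, ps in inputs.items()}   # input function I(t)
        self.O = {t: frozenset(ps) for t, ps in outputs.items()}  # output function O(t)
        self.custody_log = []  # (step, transition, actor, from_places, to_places)

    def add_token(self, place, n=1):
        self.marking[place] += n

    def enabled(self, t):
        # A transition may fire only when every input place holds at least one token.
        return all(self.marking[p] >= 1 for p in self.I[t])

    def fire(self, t, actor):
        """Move tokens from I(t) to O(t) and record who performed the step."""
        if not self.enabled(t):
            raise ValueError(f"{t} is not enabled under marking {self.marking}")
        for p in self.I[t]:
            self.marking[p] -= 1
        for p in self.O[t]:
            self.marking[p] += 1
        step = len(self.custody_log) + 1
        self.custody_log.append((step, t, actor, sorted(self.I[t]), sorted(self.O[t])))
        return dict(self.marking)


def build_evidence_net():
    """Net of Eq. (1) with the t1 wiring of Eq. (2); t2 and t3 are assumed."""
    places = ["p1", "p2", "p3", "p4", "p5", "p6", "p7"]
    inputs = {"t1": ["p1", "p2"], "t2": ["p3", "p4"], "t3": ["p5"]}
    outputs = {"t1": ["p3", "p7"], "t2": ["p5"], "t3": ["p6"]}
    return PetriNet(places, inputs, outputs)


def run_lifecycle():
    """Discovery (t1) -> examination (t2) -> reporting (t3); assumed phase mapping."""
    net = build_evidence_net()
    net.add_token("p1")  # evidence file (e.g. a .jpg) found at the scene (assumed)
    net.add_token("p2")  # first responder present at the scene (assumed)
    net.fire("t1", actor="first responder")
    net.add_token("p4")  # forensic investigator takes over (assumed)
    net.fire("t2", actor="forensic investigator")
    net.fire("t3", actor="expert witness")
    return net.marking, net.custody_log
```

The custody log produced by `run_lifecycle()` is the answer to the paper's question "who came into contact with the evidence in each stage": one entry per fired transition, naming the actor and the places the token left and entered.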

4. Conclusions and Future Work


In all phases of a forensic investigation, different profiles of personnel come into contact with digital evidence. Throughout the entire life cycle of digital evidence there are threats that can affect its integrity and thus, in the end, the court's decision. In this paper, a complete digital evidence life cycle is shown and modeled by Petri nets. All human factors are taken into consideration, together with their impact on digital evidence integrity. In further research the authors will be engaged in identifying other elements that have an impact on the integrity of digital evidence.

Acknowledgment

The presented research and results came out from the research supported by the Center for Biometrics, Faculty of Organization and Information Science Varaždin, University of Zagreb, Croatia.

References

[1] A. Sammes, B. Jenkinson, Forensic Computing: A Practitioner's Guide, Springer-Verlag, New York, 2000.
[2] M. Pollit, A. Whiteledge, Exploring big haystacks, data mining and knowledge management, in: Advances in Digital Forensics II: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, January 29-February 1, 2006.
[3] E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2000.
[4] M. Baca, Introduction to Computer Security (in Croatian), Narodne Novine, Zagreb, 2004.
[5] S. Cvetkovic, G. Simunovic, L. Maglic, Modelling of logistic system by Petri nets, Strojarstvo 52 (2010) 169-179.
[6] R. Yaeger, Criminal computer forensic management, in: Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, 2006, pp. 168-174.
[7] B. Grundy, J. Garris, One policy approach regarding digital evidence acquisition and analysis, NASA.
[8] E. Casey, Digital Evidence and Computer Crime, 2nd ed., Elsevier Academic Press, 2004.
[9] S. Perumal, Digital forensic model based on Malaysian investigation process, IJCSNS 9 (2009) 38-44.
[10] J. Cosic, M. Baca, Improving chain of custody and digital evidence integrity with timestamp, in: Proceedings of the 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO, 2010.
[11] J. Cosic, M. Baca, A framework to improve chain of custody in digital investigation process, in: Central European Conference on Information and Intelligent Systems, University of Zagreb, Croatia, 2010.
[12] J. Cosic, M. Baca, Do we have full control over integrity in digital evidence life cycle, in: 32nd International Conference on Information Technology Interfaces, Cavtat/Dubrovnik, Croatia, 2010.
[13] W. Bos, Modeling biological systems using Petri nets, Department of Electrical Engineering, Mathematics and Computer Science, University of Twente, Netherlands, 2008.
