Blockchain-Based Chain of Custody Evidence Management System for Digital Forensic Investigations

Pasindu Bathiya Bandara, Dinethra Tharindu Hewage, Oshada Dilshan Jayarathna, Pasindu Deemantha Siriwardana, Dinithi Pandithage, Nuwan Pradeep Bandara
Department of Computer Systems Engineering, Sri Lanka Institute of Information Technology, Malabe, Sri Lanka
pasindu.kmb@gmail.com, dinethrahewage@gmail.com, oshadadilshan504@gmail.com, deemantha.s@sliit.lk, dinithi.p@sliit.lk, ariyathilakenuwan@gmail.com

Abstract— The demand for digital evidence is increasing worldwide. A reliable digital evidence management system is needed to ensure that justice is served in court. The chain of custody plays a vital role in this process, but people are the weakest link in any trust chain. Blockchain technology can be used to store and analyze digital evidence data in a secure and confidential manner, with proper access control. As digital evidence comes in various forms, the blockchain can be dynamically changed to accommodate new data extraction methods. This research paper proposes and develops a blockchain-based digital evidence management system using Hyperledger Fabric, dynamic chaincode, and hybrid access control.

Keywords — Dynamic Chaincode, Data Extraction, Blockchain, Hyperledger Fabric, Hybrid Access Control

I. INTRODUCTION

Digital technology is now an important aspect of our daily life, where most industries, including healthcare, finance, food, and transportation, rely heavily on it. However, rising cybercrime underscores the importance of digital evidence in prosecution. Traditional Chain of Custody processes have limitations, necessitating a decentralized system for secure, confidential, authentic, and auditable management of digital evidence. Blockchain technology, with its immutable transaction history, is a promising solution. This research introduces "Binary Themis," proposing a blockchain-based Chain of Custody system that emphasizes evidence confidentiality through group-wise ledger sharing, with implementation details involving Hyperledger Fabric [1].

The chain of custody is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. It is a critical process in ensuring the integrity of evidence, and it is essential for the admissibility of evidence in court, but it is challenging to maintain [2].

Combining a private blockchain with cryptography enhances the chain of custody, ensuring transparency, authenticity, security, and auditability. Additionally, group-wise ledger sharing and Hyperledger Fabric are proposed for maintaining evidence confidentiality in this research. The research identifies gaps in existing blockchain-based Chain of Custody (CoC) systems compared to the proposed one. These gaps include private blockchain use, permissioned networks, group-wise ledger sharing, confidential evidence transfer, and high supervision during investigations [3]. The study addresses the need for innovative blockchain solutions, highlighting privacy concerns in public blockchains and the lack of higher authority supervision. It presents research questions and objectives for developing a specific, secure, and confidential CoC system using blockchain technology in digital forensic investigations [4].

This study also describes a novel technique for data extraction for mobile device forensics. We offer a unique approach for acquiring call logs, contacts, messages, and device-specific information using a precisely constructed system that includes an Android APK, a memory dump collection mechanism, server infrastructure, and a desktop application. Notably, our encryption system protects data integrity by utilizing a proprietary hash-based encryption process, which is augmented by real-time communication over web sockets. This study establishes a complete framework for redefining mobile device forensic operations, resulting in increased accuracy and security in digital evidence extraction [11].

II. LITERATURE REVIEW

The concept of chain of custody in digital evidence management has evolved alongside advancements in digital technology and the increasing role of digital evidence in investigations.

In the early days of digital forensics, during the 1980s and 1990s, there was limited awareness of the need for a formalized chain of custody. Digital evidence was often handled without the same level of care as physical evidence. The late 1990s and early 2000s saw increased recognition of the importance of chain of custody in digital evidence through legal cases. Courts began to require documentation
of the handling and storage of digital evidence to ensure its admissibility [5].

Organizations such as the National Institute of Standards and Technology (NIST) in the United States began developing guidelines and standards for digital evidence handling. The NIST Special Publication 800-101 is an example of such a guideline [6].

A. Hyperledger Fabric blockchain network

Hyperledger Fabric is a prominent blockchain network framework that has gained significant attention in both academic research and industry applications. Developed under the Linux Foundation's Hyperledger project, Fabric stands out for its modular and permissioned architecture, making it suitable for various enterprise use cases. One of its key features is its support for smart contracts, which are programmable logic components that facilitate the execution of predefined actions upon certain conditions. This flexibility enables the creation of decentralized applications (dApps) tailored to specific business needs, such as supply chain management and financial services. Additionally, Fabric employs a robust consensus mechanism, often using Practical Byzantine Fault Tolerance (PBFT) or Raft, to ensure transaction finality and data integrity [7].

The framework's focus on privacy and confidentiality is noteworthy, with channels that enable private transactions between select participants. Its rich permissioning system further enhances security and access control. Hyperledger Fabric's widespread adoption and continuous development underscore its significance in the blockchain ecosystem, offering a compelling solution for enterprises seeking to harness the benefits of blockchain technology while addressing their unique requirements for scalability, privacy, and control [8].

In the Binary Themis system, several key concepts and novelties are introduced to enhance evidence management in digital forensics. Firstly, the utilization of a private blockchain stands out as a fundamental concept, ensuring that the network remains restricted to authorized participants, which aligns with similar systems as presented in the work by Ahmad et al. (2020) [9]. Additionally, the emphasis on a permissioned network, where only authorized parties can participate in the blockchain, reinforces the security and control aspects, a shared concern as seen in the paper "Blockchain-Based Chain of Custody for Digital Evidence Management in Cloud" by Wang et al. (2019) [1]. The introduction of group-wise ledger sharing among specific stakeholders is a promising innovation that can enhance collaboration and security in evidence management.

Moreover, the emphasis on keeping evidence transfer information confidential is essential for maintaining data privacy, a concept explored in the paper "Privacy-Preserving Blockchain-Based Electric Vehicle Charging" by He et al. (2020). The commitment to conducting investigations under high supervision echoes the need for transparency and accountability in digital forensic processes, a concern highlighted in "Blockchain for Digital Forensics: Are We There Yet?" by Erbium et al. (2020) [9]. Finally, the choice of Hyperledger Fabric as the blockchain platform aligns with the trend of using this technology.

While prior research leveraged Ethereum-based consensus methods, notably Proof-of-Work (PoW) and Istanbul Byzantine Fault Tolerance (IBFT), this study introduces a novel approach, adopting the Raft consensus algorithm (RAFT). Unlike PoW's energy-intensive nature and IBFT's multiple voting rounds, RAFT simplifies consensus with a single authoritative node, minimizing network overhead, enhancing real-time processing, and reducing energy consumption. RAFT's efficiency and low latency make it a promising choice for digital forensics evidence management, highlighting the proposed system's innovative departure from conventional methods in the field [10].

Figure 1: Performance Comparison of Raft, PBFT, and PoW [10]

B. Evidence collecting and data extraction

Recent work has emphasized the importance of developing novel techniques to solve constraints such as accurate and secure digital evidence collection. The incorporation of cross-platform frameworks, such as Flutter, offers a viable path for developing efficient Android apps with privileged access to the kernel. This ensures the recovery of complete data, including call records, contacts, messages, and device-specific information.

The use of SHA-256 encryption, a tried-and-true standard in data security, provides another degree of protection to the process. Notably, the proposed hash-based encryption approach, in conjunction with real-time communication enabled by web sockets, adds to data integrity while in transit.

Figure 2: Comparison of Running Times
The proposed study fills holes in existing approaches by providing a comprehensive system that includes APK creation, memory dump collecting, server architecture, and desktop application design. This unique approach demonstrates the potential for improving accuracy and security in mobile device forensic investigations, therefore establishing a new standard in the industry.

III. METHODOLOGY

"Binary Themis" is a web application with a hybrid structure, meaning that it uses both a centralized database and a decentralized blockchain system. It also incorporates dynamic smart contracts, a new access control system, and a new digital evidence collecting system.

Figure 3: Overall System Diagram

A. Main hyperledger fabric blockchain network

Figure 4: Main Network Architecture

The new blockchain has several novelties: a private permissioned blockchain network using Hyperledger Fabric, which includes group-wise ledger sharing, ensures the confidentiality of evidence transfer information, and conducts investigations under high supervision. This architecture has three main authentication levels, controlled by policies. The users in the network will have three levels of access:

High-Level: These users can add, delete, and transfer evidence data. They can also add or remove users to their investigation group as members (peers).
Mid-Level: These users can only handle evidence data (read and transfer), but not users.
Low-Level: These users can only read data.

The network has many peers, each of which is assigned a level of access. When a new incident begins, a level 1 user can create a subnetwork with a minimum of 3 members. This subnetwork will be a separate channel in the Hyperledger Fabric network. The users in the subnetwork will be granted the appropriate level of access based on their role.

The ledger for the subnetwork will only be shared with the members of the subnetwork. The ledger is encrypted using cryptography, so only authorized users can access it. The encryption keys are managed by the organization's Fabric CA, which is under the control of a higher authority.

The network also has a minimum of 3 ordering nodes. These nodes are responsible for ordering the transactions in the ledger. The ordering nodes use the RAFT consensus algorithm, which ensures that the ledger is consistent and immutable. The ordering nodes are also under the control of a higher authority. In this way, the network can provide a high level of security and privacy for the evidence data. Only authorized users can access the data, and the data is encrypted to protect it from unauthorized access. The system needs several chaincodes or one dynamic chaincode to handle those processes. The reason for using multiple channels in one network is to isolate different business processes.

B. Chaincode Design Considerations

The chaincode applies smart contract techniques that make it possible to alter data pertaining to evidence based on user interactions and inputs. Let's look at a few chaincode characteristics that contribute to its dynamic nature:

The initLedger function dynamically initializes the ledger with evidence data. Instead of hardcoding evidence records, this function populates the ledger by iterating through an array of evidence objects. This dynamic initialization ensures that the ledger starts with relevant data, facilitating real-world scenarios. The submitEvidence function allows users to submit new evidence records. Users provide inputs such as case number, crime type, evidence type, and description. These inputs are used to create an evidence object, which is then stored on the ledger. This dynamic submission mechanism enables the addition of new evidence as cases are investigated.
The transferEvidence function facilitates transfers of evidence ownership. Users provide the case number and the new owner's identity. The function retrieves the evidence data from the ledger, verifies the current owner's identity, and then updates the chain of custody by adding the new owner's identity. This dynamic transfer of ownership reflects the real-world flow of evidence through different stages of investigation. The verifyEvidence function verifies evidence for courtroom presentation. It retrieves the evidence from the ledger and checks whether the evidence has been sent to court. If the evidence meets the criteria, a verification message is returned.

The updateEvidence function allows for the update of evidence descriptions. Users provide the case number and the updated description, and the function retrieves the corresponding evidence data from the ledger. The evidence's description is then updated, reflecting changes made during the investigation process. The queryEvidenceByCriteria function enables querying of evidence based on criteria provided as inputs. The function constructs a query string and retrieves the query results from the ledger. The results are then processed and returned, providing users with the specific evidence records that match their criteria.

The checkTampering function calculates a hash of the evidence data and compares it with the hash stored within the evidence. This process ensures that the evidence's integrity is maintained and provides a method to detect potential tampering. The getChainOfCustody function retrieves the chain of custody for a given case number. It fetches the evidence data from the ledger and returns the chain of custody, reflecting the history of ownership changes.

The process of the dynamic chaincode is shown in Figure 5. In conclusion, the proposed chaincode exhibits dynamic behavior by processing dynamic inputs, performing dynamic computations and comparisons, and dynamically updating evidence-related data based on user interactions. Due to its dynamic nature, the smart contract can react to actual situations, making it easier for crime investigation teams to manage and track evidence.

C. Evidence collecting and data extraction

In order to develop a strong mobile device data extraction system for forensic investigation, the suggested approach for this research incorporates a sophisticated combination of Flutter plugins, web sockets, cryptographic measures, and data transport protocols.

The selected technological approaches work together to optimize mobile device data extraction for forensic investigation. Using Flutter plugins allows a direct connection with the Android OS, allowing for exact access to call records, messages, and contacts while minimizing irrelevant dependencies. Web sockets enable low-latency, bidirectional communication between the mobile device and the server, allowing for real-time updates and efficient progress monitoring. The use of SHA-256 encryption preserves data integrity by creating a unique hash value, which makes changes instantly apparent. The embedded secret key method improves security by allowing only authorized parties to decrypt data even if it is intercepted. Finally, the Electron-based desktop application ensures consistent, safe analysis across platforms by using native-like performance and reducing web-based vulnerabilities. This harmonious combination of technologies strengthens the overall dependability, security, and efficacy of the data extraction and analysis process.
Figure 5: Dynamic Chaincode Architecture

This research project leverages an APK that is built on Flutter, a versatile framework that includes specific plugins for data collecting from mobile devices. This APK comes with four crucial Flutter plugins. The "call_log" plugin is used to access call history, while the "flutter_sms_inbox" plugin is used to extract SMS messages. The "permission_handler" plugin maintains the permissions needed for data extraction, ensuring that access is easy. In addition, the "flutter_contacts" plugin is critical in getting contact information from the mobile device. These plugins collaborate in order to capture extensive data from the mobile device, including critical features such as call history, text messages, and contact information.

Web sockets are used to establish real-time communication between the server and the mobile device. This allows for seamless and effective data transmission, as well as instant updates on the status of data extraction. The SHA-256 algorithm is used to ensure data integrity throughout the procedure. The collected data is converted to JSON format, encrypted with the SHA-256 hash, and delivered to the server. The encrypted data is saved on the server for further confirmation. The server, created with Python Flask, functions as an intermediary for communication between the mobile device and the desktop application.

The utilization of a secret key, which is embedded into both the APK and the server, is essential for the data security and validation aspect. This key is the foundation of the data encryption and decryption processes. On the mobile side, the secret key is used to encrypt data with the SHA-256 hash value, adding an extra layer of cryptographic security. The same secret key is used for decryption at the server end to confirm data integrity. This guarantees that the captured data is not tampered with and stays legitimate during transmission.

Electron is used to construct a desktop application for analysis and exploration. This program takes the encrypted data from the server, decrypts it with the secret key, and converts it back to its original JSON format. Forensic investigators can then carefully review and analyze this data, gaining critical insights into the mobile device's communication history, contact exchanges, and more. By combining these technical components smoothly, the technique ensures a complete and secure approach to mobile device data extraction and analysis for forensic purposes.

D. Implement a hybrid access control mechanism using both role-based access controls (RBAC) and attribute-based access controls (ABAC)

The initial step involves identifying the roles within the system, which represent various job functions or user duties. Roles such as "Judge", "police officer" or "Administrator" are examples that may be present in the system. Each role is given the permissions that are appropriate for its job duties. The actions that users in a certain role are permitted to take are determined by these permissions. An "Administrator", for instance, might have access to data creation, read, update, and deletion, whereas a "policeman" role might just have access to read and update.

Rules are established to integrate attribute-based requirements with role-based permissions. Based on a piece of data's properties, these policies decide whether a person with a particular role is permitted access to it. For instance, you could create a policy that only permits a role with the title "police officer" to read a particular type of data if it has not been designated as sensitive. Access control mechanisms are used in accordance with the specified policies, and these guidelines can be applied in a number of ways, including custom code within your application, database triggers, and access control lists (ACLs).

Access to data is either granted or denied based on the outcome of the evaluation against the established policies. If a user's role and other attributes align with the defined policies, access is permitted; otherwise, access is blocked, and the appropriate error message is presented. To ensure that the access control policies remain aligned with the evolving needs of the organization, regular reviews and updates are essential. Changes to roles, permissions, attributes, or policies may be necessary as the system matures and to accommodate shifting requirements.

Figure 6: Access control mechanism.

IV. DISCUSSION

The research presented in this paper introduces "Binary Themis," a blockchain-based Chain of Custody (CoC) system designed to address the limitations of traditional CoC processes in managing digital evidence. The system emphasizes evidence confidentiality through group-wise ledger sharing and utilizes Hyperledger Fabric for implementation.

The "Binary Themis" system has broad implications for the field of digital forensics and beyond. Its ability to ensure the confidentiality, security, and authenticity of digital evidence can bolster the admissibility of evidence in court, ultimately strengthening the justice system's reliance on digital data. Moreover, the system's emphasis on privacy and security aligns with the growing concerns regarding data protection in the digital age.

V. CONCLUSION

The "Binary Themis" system introduces a novel approach to Chain of Custody management for digital evidence through the integration of private blockchain technology, cryptography, and the use of the Raft consensus algorithm. By addressing existing gaps in blockchain-based CoC systems and emphasizing evidence confidentiality, this research provides a promising solution for enhancing the integrity and security of digital evidence in forensic investigations. The system's innovative departure from conventional methods opens new avenues for research and development in this critical field.

VI. REFERENCES

[1] R. N. M. Auqib Hamid Lone, "Forensic-chain: Blockchain based digital forensics chain of custody with PoC in Hyperledger Composer," Digital Investigation, pp. 44-55, 2019.
[2] W. Silva and A. C. B. Garcia, "Where is our data? A Blockchain-based Information Chain of Custody Model for Privacy Improvement," 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 329-334, 2021.
[3] A. S. Yudi Prayudi, "Digital Chain of Custody: State of the Art," International Journal of Computer Applications, 2015.
[4] P. K. S. J. H. J. Jung Hyun Ryu, "A blockchain-based decentralized efficient investigation framework for IoT digital forensics," Journal of Supercomputing, pp. 4372-4387, 2019.
[5] E. Casey, Digital evidence and computer crime: Forensic science, computers, and the internet, Academic Press, 2011.
[6] R. Ayers, S. Brothers, and W. Jansen, Guidelines on mobile device forensics (draft), NIST Special Publication 800-101, 2013.
[7] E. Androulaki et al., "Hyperledger Fabric: A Distributed Operating System for Permissioned Blockchains," Association for Computing Machinery, pp. 1-15, 2018.
[8] "A Blockchain Platform for the Enterprise," Hyperledger, [Online]. Available: https://hyperledger-fabric.readthedocs.io/en/release-2.5/.
[9] S. K., I. F. K., Liza Ahmad, "Blockchain-based chain of custody: towards real-time tamper-proof evidence management," ARES 2020: The 15th International Conference on Availability, Reliability and Security, 2020.
[10] X. W., Y. Z., Y. Yu Han, "A UAV swarm communication network architecture based on consortium blockchain," Journal of Physics Conference Series 2352, 2022.
[11] M. H. Dongliang You, "A Comparative Study of Cross-platform Mobile Application Development," CITRENZ, 2021.