(Im)Proving Chain of Custody

and Digital Evidence

Integrity
with Time Stamp
Jasmin Ćosić and Miroslav Bača

IT Section of Police Administration

Ministry of Interior of Una-sana canton
502.V.bbr br.2, Bihac, B&H
Phone: +387 61 790 484 E-mail: jascosic@bih.net.ba;
Faculty of Organization and Informatics
University of Zagreb
 INTRODUCTION
• What is “Chain of custody” or “Chain of
evidence”?
• Chain of custody and integrity of digital
evidence play a very important role in the
digital process of forensic investigation.
• In every phase forensic investigators must
know where, when and how the digital
evidence was discovered, collected,
handled with, when and who came in
contact with the evidence.
• Chain of custody must include
documentation with answers to all these
questions.
If one of these questions remains
•06/01/10 2
unanswered, the chain of custody is
 INTRODUCTION
• 5 “Ws” and 1 H (What, Who, Where, Why, When
and How) ?
• Investigator must know how to answer certain
questions in the whole forensic investigation
process:
– What is digital evidence?
– Where was digital evidence discovered, collected, handled and/or
examined?
– Who came into contact with digital evidence, handled it, and
discovered it?
– What’s the reason for using the digital evidence?
– When the digital evidence is discovered, accessed, examined or
transferred?
– How is digital evidence used?

• When presenting evidence in court, if one link

was missing in the chain of evidence, the court
would not accept the evidence as relevant
• The most sensitive variable is the “time of
06/01/10 3
 DIGITAL EVIDENCE
INTEGRITY
• According to Vanstone [3], digital
integrity is “the property whereby
digital data has not been altered in
an unauthorized manner since the
time it was created, transmitted, or
stored by an authorized source”.
• The integrity of digital evidence
ensures that the information
presented is complete and
unaltered from the time of
acquiring until its final disposition.
[SWGIT]
06/01/10 4
 DIGITAL EVIDENCE
INTEGRITY
• There are several adapted methods for
evidence digital signing in order to
(im)prove its integrity.
• Today most forensic tools and
applications implement some type of
checksum or hashing algorithm to
allow investigators later to verify the
disk or image integrity [4].
• A cryptographic hashing function or
algorithm has the following technical
characteristics [Table 1]
06/01/10 5
 DIGITAL EVIDENCE
INTEGRITY
Method
Cyclic redundancy
checks:
CRC 16
CRC 32
Length

16 bit
32 bit
64 bit
Description
Circular Redundancy Check – CRC often
used in file transfer to verify that the data
tranfer was successful.
Advantages
Very simple to use
Very fast
Small data in output
Disadvantages
Non secure hash
function
Problem with message
analysis
CRC 64 It’s easy to generate
other messages that
result in the same CRC

Cryptographic hash Hashing function – establishing Its easy to compute Collision and Preimage
function: 128 bit mathematical calculation that generates a the hash value for any attack , except SHA
MD2 128 bit numerical value based on the input data. given message 224/256 and SHA
MD4 128 bit This numerical value is referred to as the Secure hash function 384/512 [5]
MD5 160 bit hash value. Cryptographic hash
SHA1 224/256 bit function
SHA224/256 384/512 bit
SHA384/512
Digital signature Depending on The resulting hash (process used in a hash) is Binding identity to the Very slow
the used hash encrypted with a specific private key. File integrity Very complex to
function integrity can be verified using hash value implement
and the public key.
Time stamp Depending on Time stamps are typically used for logging Bind date and time Very complex to
the used hash events, in which case each event in a log is with integrity implement
function marked with a time stamp. In file systems, Dependence on the
time stamp may refer to the stored date/time “third party”
of the file creation or modification.
Trusted time stamping is the process of
securely keeping track of the creation and
modification time of a document.

Encryption Depending on Encryption is the process of transforming Very secure Very slow
the used information (referred to as plaintext) using Complex to implement
algorithm. an algorithm (called cipher) to make it and maintain
unreadable to anyone except those
possessing special knowledge, usually
referred to as the key. The result of the
process is encrypted information. Encryption
itself can protect the confidentiality of
messages.
Watermarking Depending on Watermarking is the process of embedding Very secure and User cannot
the used information into another object/signal. It simple to use significantly alter some
algorithm. combines aspects of data hashing and digital files without sacrificing
watermarking.[6] the quality or utility of
the data.

06/01/10 TABLE I 6
Methods for digitally signing a evidence
 USING TIME STAMP FOR
SIGNING DIGITAL EVIDENCE
• In the real world, a time stamp can represent some moment in
time; in the computer world (digital world) the time stamp
represents a specific moment of time but in digital format.
• Time stamp and digital time stamping play a very important role
in the digital forensics, because there is a need for knowing the
time of certain moments in the investigation process.
• Problem of digital time stamping has been the subject of several
researches.
• Hosmer [7] emphasizes the use of time to prove the integrity of
digital evidence, and states the 3 steps that we must do in
order to effectively use digital evidence to prove the motif,
opportunity and means of cybercrimes:
– Step 1: Traceability to Legal Time Source
– Step 2: Time Distribution
– Step 3: Source Digital Time stamping
• There is a lack of research in using a time stamp to improve the
integrity of digital evidence, having in mind the fact when the
human factor (the staff) access the evidence.
• Time when digital evidence is discovered and collected, and the
06/01/10fact who comes into contact with it is vital to reconstructing 7
and proving integrity
 USING TIME STAMP FOR
SIGNING DIGITAL EVIDENCE
• We also must know when digital evidence is
transported.
• According to the RFC 3161 standard [10], a
trusted time stamp is a time stamp issued
by a trusted third party (TTP) acting as a
time stamping authority (TSA).
• It is used to prove the existence of certain
data before a certain point (e.g. contact
with digital evidence) without the
possibility that the owner can backdate
the time stamps. We can use multiple
TSAs to increase reliability and reduce
06/01/10
vulnerability. 8
 USING TIME STAMP FOR
SIGNING DIGITAL EVIDENCE
• There is a lot of TSA in the world, in some
country a few, and in some (e.g. Croatia)
just one [11].
• We can use services of trusted Time
Stamping Authority to prove the
consistency and integrity of digital
evidence in every stage of its existence.
• It is particularly important to have recorded
every moment of time when the digital
evidence is being accessed. In another
situation, chain of custody would be
terminated and this would affect the
outcome of the investigation.
• This is very important in international
06/01/10
exchange of digital evidence and 9
 USING TIME STAMP FOR
SIGNING DIGITAL EVIDENCE
• When a Time Stamp Authority (TSA), which we contact to get a
Time stamp, proceeds our request, there are a few “external
auditors” acting as witness. In some case there is one, in some
two auditors [12] which document the chain of evidence.
•  The process of obtaining a Time stamp from the TSA, which will
prove the existence and contact with the digital evidence by all
staff at any time, consists of several steps divided in two
separate parts:
• On the client side:
– Process of making a unique identifier, fingerprint (creating a hash) of
digital evidence (SHA-256, MD5,etc.)
– Process of sending a fingerprint to a Time Stamp Authority
– Process of verification with Public Key and local storing
•  On the side of TSA:
– Process of getting a official time from server
– Process of adding a time stamp to fingerprint
– Process of protecting (signing) with Private Key
– Process of sending a digital signature to the client
• These processes are illustrated on the next slide
06/01/10 10

 USING TIME STAMP FOR
SIGNING DIGITAL EVIDENCE

Fig u re 1 : T h e p ro ce ss o f tim e sta m p in g d ig ita le vid e n ce in a ll sta g e s

o f d ig ita lfo re n sic in ve stig a tio n p ro ce ss
06/01/10 11
 USING TIME STAMP FOR
SIGNING DIGITAL EVIDENCE
• Let`s see what happened in this process?
• First, investigators (or other staff who handled digital
evidence) must generate a unique identifier – fingerprint
of a digital evidence. In this process some of the
previously mentioned methods, hash function or, for
better security, multiple hash functions can be used. It is
proposed to use a high-secured SHA/MD algorithm.
• After generating a hash of digital evidence, these “few bits”
are being sent to the “third party” - Time Stamp
Authority.
• It is important to mention that only the fingerprint (hash) is
transmitted to the TSA, never the original file. TSA
cannot see the actual document (not any file). Next
what happens is that the TSA on received hash adds a
time stamp, calculate new hash and digitally signing a
file with protected signing key.
• TSA then sends this file back to the client (investigator),
who has another pair of signing key. In the next stage of
06/01/10forensic investigation exactly the same process happens. 12
On this way we can prove the time of digital evidence
 CONCLUSION
• As digital evidence is in bit/byte form, it is
very easy to transfer it to another side of
the world in a few seconds [13] . One of
the most important thing in forensic
process is maintenance of digital evidence
chain of custody.
• The purpose of this document is to show a
trusted time stamping method to signing
a digital evidence in every stage of digital
investigation process.
• Time stamp will be available from the
secure third party (Time Stamp Authority)
and will be used to prove a time when the
staff access the evidence in any stage of
06/01/10forensic investigation. 13
 ACKNOWLEDGEMENTS
• The presented data are from the
scientific project Methodology of
biometrics characteristics
evaluation (016-0161199-1721)
and practical project Multiple
biometric authentication using
smart card (2008-043), supported
by the Ministry of Science,
Education and Sport, Republic of
Croatia.
06/01/10 14
 REFERENCES
• [1] M.G.Nagaraya, „Investigators chain of custody in digital evidence
recovery“, Bureau of Police Research and Development, Indian Police
Journal, 2006
• [2] R. Yeager,, „Criminal Computer Forensics Management“, InfoSecCD, ACM,
Kennesaw, USA, 2006
• [3] S.Vanstone, P. Van Oorschot,, & A. Menezes, „Handbook of Applied
Criptografy“, CRC Press, 1997
• [4] C. Brown, „Digital evidence: Collecting and Preservation“, 2006
• [5] Cryptographic hash function, http://en.wikipedia.org/wiki/
• Cryptographic_hash_function#cite_note-13,
• (accessed: 04.12.2010) 
• [6] J.Ćosić, M.Bača, „Steganography and its implication on forensic
investigation“, INFOTEH 2010, Jahorina, B&H, in press
• [7] C. Hosmer, „Proving the Integrity of Digital Evidence with Time“ ,
International Journal of Digital Evidence, Spring 2002, Vol.1, Issue 1
• [8] S. Willassen, „Hypothesis based investigation of Digital Time stamps“, IFIP,
Advances in Digital Forensic IV, pp.75-86, 2008
06/01/10
• [9] B. Schatz, G. Mohay, A. Clark, „ A correlation method for establishing the 15
provenance of time stamps in digital evidence“ , Digital Investigation, vol 3,
 

 QUESTIONS ?
•
•
•
•
•
06/01/10 16