Protecting Digital Evidence Integrity and Preserving Chain of Custody

Evidence is the key to solving any crime. Its integrity must be protected for it to be admissible in a court of law. Digital evidence is more revealing, but it is fragile: it can easily be tampered with or modified. Several techniques exist to protect the integrity of digital evidence, and various automated digital evidence acquisition tools are available on the market. In this paper, we analyze two automated tools used for disk imaging, EnCase and FTK Imager, both of which claim to protect the integrity of digital evidence. We analyze the techniques these tools use, discuss the problems with their approaches, and propose a solution to address them. A prototype of an automated tool implementing the proposed solution has been developed.
