
Applied Innovative Research, ISSN 2581-8198, Vol. 3, Issue 1-4, Year 2022

Blockchain-Based Chain Of Custody: A Secure Digital Evidence Framework For Digital Forensics Investigation

Febin Prakash* & Harsh Sadawarti
CT University, Punjab, India

Abstract: The rapid expansion of digital space has led to a rise in cybercrime, stressing the importance of sound evidence in establishing the link between suspected individuals and a cybercrime. Any evidence object needs a chain of custody (COC): a record of its movement and possession. As technology progresses, the safety of digital evidence (DE) becomes increasingly important in forensic investigations, and DE presents its own set of COC challenges. Existing database systems cannot meet the requirements for the accuracy and validity of DE. Blockchain-based COC is a system for preserving and analysing evidence in digital forensics (DF). A blockchain is a data structure that enables all participants in a distributed network of computers to build a shared digital ledger for storing and maintaining transactions. Blockchain (BC) creates an undeniable audit trail by cryptographically linking the records of network transactions as they are stored and managed. This study develops a basis for implementing DE authentication, integrity and privacy, giving a reliable solution that retains evidence authenticity and ensures its admissibility among the stakeholders involved, such as law enforcement agencies, solicitors and forensic experts.

Keywords: Blockchain; Forensics; Digital Evidence; Chain of Custody; Cyber Forensic; Digital Forensics Investigation.

Introduction

As the number of devices connected to the internet grows, DF has expanded to include all of the different technologies we use every day (Navarro-Ortiz et al., 2018). DF is a well-established skill domain in cybersecurity and a vital component of any incident response strategy that relies on electronic information. The primary purpose of DF is to perform digital analyses within a legal framework in response to illegal acts involving computer technology. In a civil or criminal process, the objective is to prove or reject a hypothesis; in commercial disputes, eDiscovery can be applied to resolve disagreements between the parties. Skilled and experienced investigators collect, assess and reconstruct incidents and actions using forensically sound methods (extensively analysed and validated) to help describe what happened in support of a case (Daryabar et al., 2017). The scope of DF is continually expanding: specialists in mobile phone and computer forensics, onsite (crime scene) examinations, call data records, production orders, forensic readiness plans, storage and retrieval, and audio-visual forensics are all needed to establish a successful team. Because of the highly integrated cyber-physical environment we operate in, non-electronic information is also included.

DE is defined as any electronic information that contains reliable information supporting a hypothesis about an event. Its scope continues to expand, covering both existing and emerging technologies such as computers, smartphones, networks and memory (Ali et al., 2022). The ease with which DE can be reproduced or disseminated, and the ease with which it can be changed or damaged, are all factors; DE is also time-sensitive, and it can be transferred between countries with little effort. Assessing DE is thus more difficult than assessing physical evidence (Prayudi & Sn, 2015). Digital evidence includes images, texts, videos and device records. This research proposes a basis for implementing DE authentication, integrity and privacy, and a secure solution that ensures evidence integrity and admissibility among the stakeholders involved, such as law enforcement agencies, solicitors and forensic experts (Kumar et al., 2021).

*Corresponding author: (E-mail: febin18002@ctuniversity.in)

Due to the widespread availability of image manipulation software and the growing prevalence of digital photography, digital picture forgeries are becoming increasingly common, and it is often impossible to tell whether a photograph is genuine or has been modified. A portion of a photograph can be removed or obscured, or the photograph can be altered so that the image data is displayed improperly. These issues affect the reliability of digital photographs (Patel & Bhatt, 2017). The methods for detecting image forgery fall into two classes: active algorithms (AA) and passive algorithms (PA). AA embed a watermark in the picture; passive forgery detection methods look at the traces left on the picture after its various processing stages, and can additionally determine the extent and position of the forgery in a photograph (Varkey & Nair, 2018).

Tian et al. (2019) developed a secure DE framework based on BC technology. It uses a loosely coupled design that keeps the evidence and the evidence information in different locations. Widatama, Prayudi and Sugiantoro (2018) used the RC4 stream cipher (now deprecated) to encrypt the XML layout of the digital COC data storage. This XML format needs no database management system (DBMS) and is simple enough for non-experts to understand, but DE stored this way cannot be accepted in court if the information is accessible to everyone.

Furthermore, unlike earlier BC-based picture forensics systems, which used conventional hashing to validate the BC, the proposed method uses fuzzy hashing to properly manage evidence of object alterations produced by malicious as well as suspicious attacks. Whenever the similarity between two blocks exceeds 95%, the block is treated separately (Lone & Mir, 2019). This study examines the methods used as well as the findings that were drawn from them.

Methodology

This section shows how to handle defects in the DE for multiple copies of a similar document (uncertainty about the integrity).

All picture forensic-capture technologies are included in the data-gathering step. Information from hard drives, RAM, operating systems, application logs, network packet captures and smartphones must be collected by the expert in accordance with forensic standards during this phase of the investigation. Regarding the certificate of authenticity, BC technology can record tamper-evident evidence, particularly when paired with fuzzy hashing. Because traditional hash methods are ineffective in this scenario, forensic experts can properly address the issue of authorized modification of DE by utilizing fuzzy hash functions.

The effectiveness of the proposed system has been validated for picture forensics; the technique can also handle other data types such as audio, video and documents. The fundamental procedure of the proposed framework is depicted in Fig. 1.

Fig. 1: Proposed Model

The following factors influence the selection of photos in the application:
(1) Many cases in DF specialists' work involve picture forgery, as images of signatures and cheques constitute the majority of transactions made.
(2) The development and availability of advanced image-analysis programs and computer technologies have made manipulating digital photos incredibly simple. A comprehensive study is required to assure digital photographs' validity, integrity, accuracy and origin.
(3) Images are used in highly specialized domains such as forensic science, astronomy, medicine and surveillance. The investigator does not alter the evidence, but minor changes made by some programs, such as compression, may modify it. Because a cryptographic hash behaves pseudo-randomly, altering even a single aspect of the input changes the whole digest, so near-identical files can no longer be detected as such. When working in DF, it is therefore necessary to use a hash function that preserves file commonalities (for example, between versions of the same file).

Table 1: Performance evaluation of the proposed system
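As an added illustration of the evidence-record ledger described in the Introduction and Methodology (example code, not the paper's Hyperledger prototype): each custody event is appended as a block carrying the evidence object's SHA-256, an opaque similarity-digest slot (where a fuzzy hash such as the CTPH the paper relies on would be stored), the custodian, the action and the hash of the previous block, so that rewriting a past record or altering the evidence file afterwards is detected on verification. The field names, the action labels, the evidence identifier, the sample bytes and the timestamps are assumptions of this example.

```python
"""Hash-chained chain-of-custody ledger for digital evidence.
Added example of the audit-trail idea in the text; not the paper's Hyperledger
prototype. Field names, action labels and timestamps are assumptions.
"""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyRecord:
    """One custody event: who did what to which evidence object, with its digests."""
    index: int
    evidence_id: str
    custodian: str
    action: str             # assumed labels: "acquire", "transfer", "analyse"
    evidence_sha256: str    # exact-match integrity of the evidence bytes at this event
    similarity_digest: str  # opaque slot for a fuzzy hash (CTPH) of the same bytes
    prev_hash: str          # block hash of the preceding record (GENESIS for the first)
    timestamp: int          # assumption: caller-supplied, non-decreasing

    def block_hash(self) -> str:
        # canonical JSON so every verifier hashes exactly the same bytes
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyChain:
    def __init__(self) -> None:
        self.blocks: list[CustodyRecord] = []

    def append(self, evidence_id: str, custodian: str, action: str,
               evidence: bytes, similarity_digest: str, timestamp: int) -> CustodyRecord:
        prev = self.blocks[-1].block_hash() if self.blocks else GENESIS
        rec = CustodyRecord(len(self.blocks), evidence_id, custodian, action,
                            sha256_hex(evidence), similarity_digest, prev, timestamp)
        self.blocks.append(rec)
        return rec

    def verify(self, evidence_store: dict[str, bytes]) -> list[str]:
        """Return the problems found; an empty list means chain and evidence are intact."""
        problems, prev, latest = [], GENESIS, {}
        for i, rec in enumerate(self.blocks):
            if rec.index != i:
                problems.append(f"block {i}: index mismatch")
            if rec.prev_hash != prev:
                problems.append(f"block {i}: broken link to block {i - 1}")
            if i and rec.timestamp < self.blocks[i - 1].timestamp:
                problems.append(f"block {i}: timestamp earlier than block {i - 1}")
            prev = rec.block_hash()
            latest[rec.evidence_id] = rec.evidence_sha256   # last recorded state wins
        for evidence_id, digest in latest.items():
            current = evidence_store.get(evidence_id)
            if current is None:
                problems.append(f"evidence {evidence_id}: missing from store")
            elif sha256_hex(current) != digest:
                problems.append(f"evidence {evidence_id}: bytes no longer match last recorded sha256")
        return problems


def demo() -> dict[str, list[str]]:
    # constructed sample: placeholder bytes, not a real image
    photo = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
    store = {"IMG-001": photo}
    chain = CustodyChain()
    chain.append("IMG-001", "officer.a", "acquire", photo, "ctph:placeholder", 1000)
    chain.append("IMG-001", "lab.b", "transfer", photo, "ctph:placeholder", 1010)
    intact = chain.verify(store)

    # 1) the evidence file is altered after the fact
    store["IMG-001"] = photo[:-1] + b"\x00"
    evidence_tampered = chain.verify(store)
    store["IMG-001"] = photo

    # 2) a historical custody record is rewritten (records are frozen, so replace it)
    forged = CustodyRecord(**{**asdict(chain.blocks[0]), "custodian": "officer.z"})
    chain.blocks[0] = forged
    record_tampered = chain.verify(store)
    return {"intact": intact, "evidence_tampered": evidence_tampered,
            "record_tampered": record_tampered}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The chain itself only proves that the records have not been rewritten since they were linked; binding each record to the SHA-256 of the evidence bytes is what lets a verifier detect that the file in the evidence store no longer matches what the last custodian recorded. In a multi-party deployment every record would additionally be signed by its custodian, which this example leaves out.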

Results

Performance is perhaps the most desirable attribute of any problem-solving system, and blockchain-based solutions are no exception. Hyperledger Caliper was used in this analysis to determine the overall effectiveness of the proposed system. Performance measures such as transactions per second (TPS) and transaction latency (the time between a transaction being submitted and its being recorded in the BC) can be used to compare different blockchain networks on their ability to meet a set of use cases. The code was written in Python 3.6. Caliper's two-organization-one-peer and three-organization-one-peer network models were used in the first round of assessment to test the prototype with four clients.

Because they have a direct effect on the state of the BC, the test plan examined two important parts of the approach: evidence creation and transmission. Ten rounds of evaluation were conducted with a range of transaction counts and send rates to determine the best configuration; multiple runs are needed to obtain average values for the vital metrics with the lowest probability of error. According to the performance investigation, the prototype's throughput reaches a maximum and then diminishes as the send rate increases. The two-organization-one-peer and three-organization-one-peer topologies attained peak throughputs of fifteen TPS and ten TPS respectively, so increasing the number of peers reduces the prototype's throughput, which is typical of Hyperledger-based consortium blockchains. The evaluation of the proposed system is summarized in Table 1 (abbreviations: R - Round, SR - Send Rate, MxL - Max Latency, MnL - Min Latency, AL - Avg Latency, TP - Throughput).

Table 1 shows latency and throughput for the 2- and 3-organization, 1-peer network configurations; throughput peaks during the assessment and then gradually declines as the send rate rises.

Block generation was examined in the second test phase by counting the number of blocks formed by each node, which indicates whether every BC node has a fair chance of creating blocks. Fig. 2 plots the cumulative (Cum.) proportion of blocks generated by k nodes, where k is the number of node names; the line is closer to straight when the load is evenly distributed, and the curve begins a significant ascent at k = 1.

Fig. 2: Cumulative distribution of blocks


The final set of experiments used a topology with 1,000 nodes to determine the size of the BC for different block sizes. Fig. 3 shows the size of the BC as a function of the number of blocks. The mixed BC is used to compute the maximum, mean and minimum BC sizes, while the total size of the BC is computed for the common scenario in which every node holds the whole BC. The mixed BC is a subset of the standard BC. The BC size increases with the number of blocks in all four cases, in line with the theoretical analysis.

Fig. 3: Size of the BC

MRSH-v2's pairwise method of searching for "illegal" files took far longer than this approach's tree-based search for the 100 "illegal" files contained verbatim in the hard-drive image and the 40 "illegal" files found within pictures. The reference collection held more than 4,000 "known-illegal" images plus 140 additional images; of the images analysed by MRSH-v2 against that collection, 100 were found to be similar to database entries while the other 40 were not. The main indicator was the time taken to complete the whole method: building the tree, searching it, and comparing the leaves pairwise. The running time is shown in Fig. 4.

The tree was built from the 4,000 "illegal" images and then extended with all the images in the larger collection. "Search time" includes traversing the whole tree and comparing the leaves; using more leaf nodes gave the fastest execution. The complete run took 1,197 seconds, so the all-against-all comparison took 49 percent less time than pairwise comparison. Because the pairwise technique does not scale, the gap is likely to widen with larger datasets.

Fig. 4: Running time

Fuzzy hashing (FH) was used in this study to account for changes in the evidence items. FH combines piecewise hashing (PH) with rolling hashing (RH). Context-triggered piecewise hashing (CTPH) is called a "grey hash" because it can tell that two files are almost the same, which conventional hashing methods cannot. With RH, the content of the input itself determines where each traditional hash segment ends. A checksum for a whole image can be built with PH: the image is divided into sections and each one is hashed, and the final signature is the sequence of these values. In this study, FH uses PH to retain the similarity between related data. PH also supports integrity during forensic imaging, since a damaged sector changes only the hash of its own segment rather than the whole digest. Storage in the proposed system uses idle hard-drive space contributed by users; such decentralized infrastructure avoids several difficulties of centralized cloud storage.

From a forensic standpoint the proposed process can be attacked in two directions, anti-blacklisting and anti-whitelisting, both of which can be used to hide information. In anti-blacklisting, the attacker modifies a file so that fuzzy hashing no longer recognizes it as the same file, while to a human there is no discernible change between the original and the edited version.
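As an added example (not the paper's MRSH-v2 or Hyperledger code), the following Python implements a minimal ssdeep-style context-triggered piecewise hash (a rolling hash over the last seven bytes picks the chunk boundaries, and each chunk contributes one signature character) together with the one-bit-per-chunk anti-blacklisting evasion introduced above and detailed in the next paragraph: a bit is flipped in every chunk at a position that leaves all trigger points in place, so the signature changes almost completely while only about one byte in sixty differs. The fixed block size, the window length, the FNV-1a chunk hash, the difflib-based similarity score and the synthetic "pixel" data stand in for ssdeep's choices and for a real image; they are assumptions of this example.

```python
"""Toy CTPH (context-triggered piecewise hashing) and the anti-blacklisting evasion.
Added example; not the paper's MRSH-v2 code. Block size, window, chunk hash and
similarity metric are simplified assumptions standing in for ssdeep's choices.
"""
from __future__ import annotations
import hashlib
from difflib import SequenceMatcher

WINDOW = 7        # a byte at offset p feeds the rolling hash at offsets p .. p+WINDOW-1
BLOCK_SIZE = 64   # fixed trigger modulus (ssdeep adapts this to the input length)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_sums(data: bytes) -> list[int]:
    """Rolling hash at every offset: the sum of the last WINDOW bytes (toy variant)."""
    sums, acc = [], 0
    for i, b in enumerate(data):
        acc += b
        if i >= WINDOW:
            acc -= data[i - WINDOW]
        sums.append(acc)
    return sums


def trigger_points(data: bytes) -> list[int]:
    """Offsets where the rolling hash hits the trigger value; each one closes a chunk."""
    return [i for i, s in enumerate(rolling_sums(data)) if s % BLOCK_SIZE == BLOCK_SIZE - 1]


def chunks(data: bytes) -> list[tuple[int, int]]:
    """Half-open [start, end) chunk bounds; the tail after the last trigger is a chunk too."""
    bounds, start = [], 0
    for t in trigger_points(data):
        bounds.append((start, t + 1))
        start = t + 1
    if start < len(data):
        bounds.append((start, len(data)))
    return bounds


def piecewise_hash(data: bytes) -> str:
    """Signature: one character per chunk, the low 6 bits of the chunk's FNV-1a hash."""
    sig = []
    for start, end in chunks(data):
        h = 0x811C9DC5
        for b in data[start:end]:
            h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
        sig.append(ALPHABET[h & 63])
    return "".join(sig)


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100: edit-distance-style ratio of two signatures (ssdeep uses a weighted variant)."""
    return round(100 * SequenceMatcher(None, sig_a, sig_b, autojunk=False).ratio())


def anti_blacklisting(data: bytes) -> bytes:
    """Flip the low bit of one byte per chunk without moving any trigger point.

    The flip is placed so that the WINDOW offsets it influences stay inside the
    chunk and clear of the closing trigger, and it is applied only if none of
    those offsets would turn into a new trigger. Chunks shorter than WINDOW+1
    bytes offer no safe position and are left unchanged.
    """
    buf, sums = bytearray(data), rolling_sums(data)
    for start, end in chunks(data):
        for p in range(start, end - WINDOW):
            delta = 1 if (buf[p] & 1) == 0 else -1        # effect of XOR 1 on the window sums
            if all((sums[i] + delta) % BLOCK_SIZE != BLOCK_SIZE - 1 for i in range(p, p + WINDOW)):
                buf[p] ^= 1
                break
    return bytes(buf)


def synth_pixels(seed: int, n: int = 4096) -> bytes:
    """Constructed sample: deterministic pseudo-random bytes standing in for image pixels."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def demo() -> dict:
    original = synth_pixels(1)
    edited = original[:2000] + bytes(64) + original[2064:]   # a small authorized retouch
    unrelated = synth_pixels(2)
    evaded = anti_blacklisting(original)
    sig = piecewise_hash(original)
    return {
        "sha256_differs": hashlib.sha256(original).digest() != hashlib.sha256(edited).digest(),
        "edited": similarity(sig, piecewise_hash(edited)),        # high: near-duplicate still found
        "unrelated": similarity(sig, piecewise_hash(unrelated)),  # low: different content
        "evaded": similarity(sig, piecewise_hash(evaded)),        # low: evasion succeeded
        "triggers_kept": trigger_points(evaded) == trigger_points(original),
        "bytes_changed": sum(a != b for a, b in zip(original, evaded)),
    }


if __name__ == "__main__":
    print(demo())
```

The retouched copy keeps a high score even though its SHA-256 is entirely different, which is the property the paper wants from a fuzzy hash; the evaded copy shows the cost of that property, since preserving the trigger points while changing one bit per chunk defeats the comparison with changes a viewer would not notice. Real ssdeep chooses the block size from the input length and emits two signatures at adjacent block sizes, so an attacker has to respect both; the principle is the same.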

A successfully modified file is then classified as "unknown" rather than "bad". The anti-blacklisting attack changes one bit within every chunk while keeping track of the trigger points, so that every piecewise hash changes. The triggers themselves can also be altered: the Hamming distance measures how large each change is, every building block has its own Hamming distance, and a trigger can be changed with a single-bit modification, so an active adversary must change one bit at each trigger encountered. Where the Hamming distances are short there are more such places, so about 100 additional changes are needed. For anti-whitelisting, a malicious file is modified so that its hash value matches that of a whitelisted file; again the original and the altered file are indistinguishable to a human. With this method a given signature can be produced by creating valid trigger sequences and then inserting zero-strings. A hash whose value can be steered in this way is no longer useful. The adversary first erases all active trigger sequences and then, in the second step, replicates the whitelisted file's triggering behaviour, which requires a number of modifications.

Conclusions

These processes depend on the integrity and reliability of DE to manage the COC (or chain of evidence) in a unified manner. Fuzzy cryptographic hash algorithms used within BC technology were compared with conventional cryptographic hash algorithms to examine how well they protect the integrity of DE and find commonalities in picture analysis. We developed and evaluated a forensic-chain prototype using Hyperledger components. In the performance evaluation, the fuzzy-hash-based BC proved an excellent support for the COC method because of its capacity to deal with COC-related uncertainty while sustaining a realistic workload. The performance of the suggested framework remains to be tested over the long term with multiple forms of digital evidence.

References
[1] Ali, M., Ismail, A., Elgohary, H., Darwish, S., & Mesbah, S. (2022). A Procedure for Tracing Chain of Custody in Digital Image Forensics: A Paradigm Based on Grey Hash and Blockchain. Symmetry, 14(2), 334.
[2] Prayudi, Y., & Sn, A. (2015). Digital chain of custody: State of the art. International Journal of Computer Applications, 114(5).
[3] Navarro-Ortiz, J., Sendra, S., Ameigeiras, P., & Lopez-Soler, J. M. (2018). Integration of LoRaWAN and 4G/5G for the Industrial Internet of Things. IEEE Communications Magazine, 56(2), 60-67.
[4] Daryabar, F., Dehghantanha, A., & Choo, K. K. R. (2017). Cloud storage forensics: MEGA as a case study. Australian Journal of Forensic Sciences, 49(3), 344-357.
[5] Patel, J. J., & Bhatt, N. (2017). Review of digital image forgery detection. Int. J. Recent Innov. Trends Comput. Commun., 5(7), 152-155.
[6] Varkey, A., & Nair, L. (2018). Robust image forgery detection and classification in copy-move using SVM. Int. J. Adv. Res. Trends Eng. Technol., 5(12), 89-93.
[7] Tian, Z., Li, M., Qiu, M., Sun, Y., & Su, S. (2019). Block-DEF: A secure digital evidence framework using blockchain. Information Sciences, 491, 151-165.
[8] Widatama, K., Prayudi, Y., & Sugiantoro, B. (2018). Application of RC4 Cryptography Method to Support XML Security on Digital Chain of Custody Data Storage. International Journal of Cyber-Security and Digital Forensics, 7(3), 230-238.
[9] Kumar, G., Saha, R., Lal, C., & Conti, M. (2021). Internet-of-Forensic (IoF): A blockchain based digital forensics framework for IoT applications. Future Generation Computer Systems, 120, 13-25.
[10] Lone, A. H., & Mir, R. N. (2019). Forensic-chain: Blockchain based digital forensics chain of custody with PoC in Hyperledger Composer. Digital Investigation, 28, 44-55.

