Protecting Digital Evidence and Preserving Chain of Custody

Abstract

Evidence is the key to solve any crime. Evidence integrity needs to be protected in order to make it admissible in the court of law. Digital evidence is more revealing but it is fragile. It can easily be tampered or modified. There are different techniques available to protect the integrity of digital evidence. Different automated digital evidence acquisition tools are available in the market. In this thesis, we have analyzed two automated tools (EnCase and FTK Imager) that are used for disk imaging. These tools claim to protect the integrity of digital evidence. The techniques used by these tools are analyzed in this thesis. Problems with their approach are identified and a solution is proposed to address the problems. It is proposed as a solution that (i) there should be a functionality to authenticate and authorize the forensic examiner in collection phase of the digital evidence handling, (ii) digital chain of custody be appended with the digital evidence, (iii) digital hash be computed over the evidence and its digital chain of custody and (iv) digital signature of the forensic examiner be computed over the computed hash be appended at the end. A prototype of an automated tool is developed with implementation of this proposed solution and this prototype tool is evaluated in terms of cost, time and added functionality.