International Journal of Computer Applications (0975 – 8887)

Volume 114 – No. 5, March 2015

Digital Chain of Custody: State of the Art

Yudi Prayudi Azhari SN
Department of Informatics - Universitas Islam Department of Computer Science and Electronics
Indonesia Yogyakarta, Indonesia Gadjah Mada University, Yogyakarta, Indonesia

ABSTRACT The attempts to disclose cybercrime are done through a process

Digital forensics starts to show its role and contribution in the known as digital forensics. According to [8], the digital
society as a solution in disclosure of cybercrime. The essential forensics is the use of science and methods for finding,
in digital forensics is chain of custody, which is an attempt to collecting, securing, analyzing, interpreting and presenting
preserve the integrity of digital evidence as well as a procedure digital evidence related to the case occurring and it is beneficial
for performing documentation chronologically toward evidence. for event reconstruction as well as the legitimacy of the judicial
The characteristics of digital evidence have caused the handling process. Although digital forensics activities are mostly
chain of custody is becoming more complicated and complex. associated with law enforcement process, in fact, only a small
A number of researchers have contributed to provide solutions number of cybercrime cases that have been handled by law
for the digital chain custody through a different point of views. enforcement. Most of the cases are handled by private
This paper gives an overview of the extent to which the investigators. Banking, insurance, and private company are
problem and challenges are faced in the digital chain of custody institutions that often become the target of cybercrime, and the
issue as well as the scope of researches that can be done to institutions have had an internal unit for the handling cases that
contribute in the issue of the digital chain of custody. lead to cybercrime [9].
In Indonesian jurisdiction, the procedure of handling of
General Terms evidence refers to Regulation of the Chief of National Police
Digital Forensics No. 10/2010 on the Procedure of Handling of Evidence in The
Indonesian National Police [10]. The regulation provides an
Keywords overview of the business model for handling of evidence by law
Digital Forensics, Digital Evidence, Chain of Custody, enforcement officers. It mentions about:
Cybercrime
 Management namely: procedure or the process of
1. INTRODUCTION receiving, storing, securing, maintenance, using and
Chain of Custody is a procedure in the handling of evidence in destroying confiscated object to/from the evidence room.
a series of investigations. According to [1], chain of custody is a
procedure for performing documentation to the evidence in  The officer, who has the authority to receive, store,
chronological events. Meanwhile according to [2], chain of secure, care, release and destroy the confiscated objects
custody is an important part of the investigation process that from the evidence room.
will ensure evidence can be accepted in the court system. In this  Storage based on the different type of evidence.
case, chain of custody will document the terms related to where,
when, why, who, how in the use of evidence at any stage of the  Principles of evidence handling: legality, transparency,
investigative process. The issues of chain of custody become accountability and effectiveness.
very important, as authenticity of evidence must be maintained
in accordance with the condition when it was first discovered  The obligation to write and record into the register book
until later presented in the court. The scope of chain of custody of all activities related to the evidence.
includes all individuals involved in the process of acquisition, The challenges faced by investigators when the evidence
collection, analysis of evidence, time records as well as handled is digital evidence, i.e. any valuable information that is
contextual information, which includes case labeling, and the stored or transmitted in digital form [11] or information stored
unit and laboratory that process evidence. or transmitted in a binary form that can be used in the law
In today‟s digital society era, the issue of the digital chain of enforcement and judicial process [12]. In this case, there are
custody becomes important considering the number of two terms that are almost the same, i.e. electronic evidence and
cybercrime activities that appear. This is one of the digital evidence. Electronic evidence has a physical form and
consequences of development in information technology and can be identified visually (computer, mobile phone, camera,
the telecommunication infrastructure improvement that make it CD, hard disk, etc.), while digital evidence is evidence that is
easier to connect every individual in a virtual environment that extracted or recovered from electronic evidence (can be a file,
is without limit. In this case, according to [3] the development email, short message, image, video, log, text).
and improvement of information technology have impacted on According to Matthew Braid in [11], in order each evidence can
the openness of various forms of crimes recently committed by be used to support the judicial process, the evidence must meet
individuals and groups known as cybercrime. Survey and five criteria, namely: admissible, authentic, complete, reliable
reports made by [4],[5],[6], shows that cybercrime is a serious and believable. Meanwhile,[13] mentions the two basic aspects
threat to individuals, institutions or countries in which the of other criteria so that evidence can support legal proceedings,
amount of losses globally might equal to national income of a namely legal aspects, with the criteria: authentic, accurate,
country. In Indonesia, according to the Indonesia Computer complete; and technical aspects, with the criteria: chain of
Emergency Response Team (IDCERT) cited by Alkazimy evidence, transparent, explainable, accurate.
(2011) in [7], in the first half of 2011, there have been 78.238
cases of cybercrime and the number increased to 144.284 at the Digital evidence has a number of characteristics, such as easy to
fifth two-month year 2011. be duplicated and transmitted, very susceptible to be modified
and removed, easily contaminated by new data, and time
sensitive. Digital evidence is also very possible to cross

1
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

countries and legal jurisdictions. For this reason, according to used by the researchers is different only in terms of the
[13], the handling of chain of custody of digital evidence is addressing and detail of digital forensics activities
much more difficult than the handling of physical evidence, in [14],[15],[16].
general. In contrast to physical evidence, digital evidence is
very dependent on the interpretation of its content. Therefore,
the integrity of the evidence and the ability of the expert to
interpret the evidence will be influential in sorting digital
documents available to serve as evidence [13].
This paper will provide an overview of the extent to which
research with a focus on the digital chain of custody has been
performed by a number of previous researchers. The expected
output of this paper is to obtain a general overview of the
problems and challenges that can become an area of research on
the digital chain of custody.

2. AN OVERVIEW OF THE PROBLEMS

IN CHAIN OF CUSTODY
In the actual case, physical and digital evidence are part of the
investigation process that is complementary to each other.
Similarly, when the judicial process, the physical and digital
evidence are becoming an integral part of the investigation
process. Thereby, the handling of physical or digital evidence is
supposed to be the same, or at least has a similar mechanism.
Figure 1 illustrates that both physical and digital evidence is a
unity in the investigation process.
The problem encountered these days is the gap in the handling
between physical and digital evidence. This is certainly going to
be an obstacle in the judicial process. That is why it requires the
contribution from academician to provide solutions and set the
framework for the handling of evidence, both physical and
digital evidence that will support the digital forensics activities.

Figure 2. An Illustration of Business Model and Digital

Evidence Chain of Custody
Nevertheless, this phenomenon does not apply to digital
forensics business model. Business model will provide a
description of the relation between parts in every stage of the
digital forensics frameworks. The difference in a business
model will cause a difference in the overall handling of the
digital forensics, including the handling of chain of custody.
Unfortunately, up to now there has been no study concerning
the issue of business model in digital forensics and the real
implementation among digital forensics practitioners.
Therefore, the study of business model in digital forensics will
be a reference to every institution that conducts digital forensics
activities. Figure 2 shows one of the concepts of business
models that can be implemented in digital forensics.
Digital chain of custody according to [17], [18] raises a problem
Figure 1. Unity of Physical and Digital Evidence Handling that is vast and complex. The main problem in the chain of
custody is related to the documentation of evidence.
(Source: Documenting and recording of all interactions on the physical
http://www.dynotech.com/articles/digitalevidence.shtml) evidence is extremely easy to do; however, this does not apply
to digital evidence. The easiness to do remote access, copy,
One of the problems encountered in the handling of digital
transfer the file, coupled with and user mobility trend in daily
chain of custody is the various frameworks and business models
activities allow a digital investigator or other law enforcement
in the digital forensics activities. The digital forensics
agencies to explore and analysis the data anywhere and
frameworks that are varying actually do not have a principle
anytime. This is certainly going to complicate the
and fundamental difference because in general any framework
documentation process of digital evidence. It requires accurate

2
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

and complete documentation as well as data logs of the digital custody must provide 2 aspects of information, i.e.
evidence. information that is directly related to the case (includes
5W and 1 H), as well as information related to the source,
In the future, court and law enforcement will require much originality and the process for obtaining such evidence.
more detailed information to support the investigation process. Gayed called these two aspects as forensics information
Signature of the object, identity of all parties who interact with as and provenance information.
the evidence, location of handling the evidence, time of access
and all the descriptions that contain transactions and any access 3. CURRENT RESEARCH
to the evidence would be required [1]. According to [24], digital forensics developed as an
Meanwhile, according to [19], the documents issued by several independent field of study began in early 2000. However,
organizations (such as IOCE, SWGDE, DRWS) are basically according to [25], the initiation of digital forensics in fact
only in the form of report or paper about general aspects of the already started since 1976 where the terminology of computer
handling of digital evidence and chain of custody, whereas the crime was used to refer deletion and modification of data by a
technical implementation of the handling of the digital chain of person who was not entitled. This is in line with the opinion
custody is still not further explained. To this end, researches in from [20] that initially digital forensics activities were only
the field of digital forensics that focus on providing solutions to necessary for the data recovery.
the concept of digital chain of custody still pose a challenge and One case of which required a complex computer analysis and
open problem [20]. In addition, the rapid growth of cybercrime engaged a large investigation team was a crime done by a
must always be followed by a new understanding of digital hacker named Markus Hess and this case was handled by FBI in
evidence along with the handling of chain of custody. 1986 [25]. Then, the increasing of technology and the lifestyle
One of the problems in chain of custody is data integrity. In this of human that often interacts with technology support the
case, according to Vanstode in [21], digital integrity is a growing activities of digital forensics. This is as what [20]
property on which digital data do not experience any change by mentions, that one factor supporting the rising cases of
the party who is not authorized to do any change. Changes and cybercrime is a growing number of personal computer users as
contacts on digital evidence are only done by those who have well as easy connection between computers. In these case, [20]
the authority. The integrity of digital evidence warrants that the mentions; that within 15 years, digital forensics enters the
information presented is complete and unchanged from the first golden age as seen from the number of academics who conduct
until used lastly in the court. a research on various aspects of digital forensics, coupled with
the increasing interest of vendors to invent a variety of tools and
Meanwhile, based on the characteristics of digital evidence, the applications for digital forensics.
handling of evidence should also consider the order of volatility
of digital evidence. In this case, Brezinski & Killalea [22] state Also, [20] and [24] suggest and describe an overview of current
that the order of volatility of digital evidence is as follows: research as well as challenges in the field of digital forensics.
register, memory, table, processor, temporary file system, disk, Based on paper mapping on some media publication [25], [26]
remote logging and data monitoring, physical configuration and reveal an overview of the topics and research areas that are
network topology, as well as archived data. The improvement mostly examined in digital forensics.
capabilities of digital technology allows the emergence of Attempts to do some researches and explorations to get a
various new characteristics of digital evidence. Therefore, the reliable concept of digital chain of custody have been done by
order of volatility of the digital evidence is very possible to previous researchers. In this case, according to [23], broadly
change. speaking there are three dimensions of research activities
Digital forensics processes applied in disclosure of cybercrime regarding digital chain of custody.
must follow the procedures and mechanisms for the handling of  Researches on the topic of improving the quality of chain
digital evidence. In this regard, proper concepts and tools of of custody. There are at least three research focuses on this
digital chain of custody are necessities for a digital investigator. dimension; the first one is by focusing on the development
According to Garfinkel (2010), concepts and tools that are of chain of custody that is reliable and secure through the
available today are still partially able to explore digital evidence concept of DEMC (Digital Evidence Management
and not yet supporting the investigation process as a whole. Framework) and this concept is designed as a framework
Numerous studies have been done in an effort to implement the to answer the questions of who, what, why, when, where
concept of digital chain of custody. Regarding the handling of and how. [21]. The second focus is an integrity issue of
chain of custody, according to [23], there are at least four main chain of custody through the adoption of a number of
issues, namely: hashing algorithms on digital evidence. The third focus is
security approach on hardware as developed by SYPRUS
 Flexibility and capability of documentation of the chain of Company through their product called PC Hydra. This
custody in line with the increasing data volume generated product is a PC designed to implement cryptographic
from various new tools. technology that will guarantee the level of confidentiality,
integrity and non-repudiation of digital evidence.
 Interoperability between digital evidence and
documentation of the chain of custody.  The second dimension focuses on an attempt to represent
knowledge. In this case, Bogen in [23] applies UML and
 Security of chain of custody documentation, considering
UMML to represent knowledge in the process of planning,
that evidence can move from one party to another.
performing and documenting digital forensics activities.
 Knowledge of the judge and jury in dealing with cases
 The third dimension is focused on forensic format
involving digital evidence so he or she can decide cases in
approach. There are many versions of data format for
the right way. One of them is the way to present
digital forensics. Some formats that have ever been
information that can be understood by both the judges and
proposed are as summarized by the CDEF, such as FF,
other law enforcement agencies. In this case, chain of

3
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

EWF, DEB, gfzip, Prodiscover and SMART. [23]. These model of actors in the interaction process of chain of custody
forensic format approaches started to be used widely in will be affected by the provisions of the law in each country.
Digital Forensics Research Workshop (DRWS) forum in However, the model that is built must be able to explain the
2006 formed Common Digital Evidence Storage Format activity, relationship, and involvement of the actors in digital
(CDEF) working group as an attempt to give a solution to evidence.
the concept of digital evidence storage and their metadata.
To understand the relation between digital evidence and chain
In the field of forensics in general, the issue revolving around of custody, the term of life cycle is used. Petri Nets model
the chain of custody has called the attention of a number of approach is used to build the life cycle of digital evidence.
researchers, one of them is [27]. On the research, a system is Previous researchers have been doing a research on the solution
built named Disciple LTA (Learner, Tutor and Assistant) as a of chain of custody but due to the wide and complex issue in
computer-based cognitive assistant that will help analysts to this field, it needs a further description of relations and
conduct a credible assessment of a number of intelligence interactions between parties involved in the handling of digital
evidence so that the assumption of uncertain changes in evidence.
information on the evidence during some stages of investigation
process can be overcome. The study provides a systematic and 3.2 Forensic Format
comprehensive approach to make an assessment so that at any Other researches about digital chain of custody are conducted
stage of the chain of custody, the integrity of any part of the through forensic format approach by [30] and [31]. In this case,
evidence is really guaranteed and no hesitation or assumption [30] provides a solution related to the digital chain of custody
for the possibility of missing information in the handling of by proposing an improvement on the concept of AFF version 3
evidence. (Advanced Forensic format Library) into AFF version 4. The
concept of AFF is an approach to digital signature and other
One issue in the chain of custody is data integrity. The common cryptographic protections for digital evidence that allow an
solution used to overcome this problem is to apply the concept investigator to apply the chain of custody system that is reliable
of a hash key to check the integrity of digital evidence. On this from the crime scene until in the trial. Meanwhile, [31] applies
issue, one of the early researches was conducted by [17]. The AFF4 framework through the implementation of XML to build
study presents a method to perform validation and a chain of custody on the network scheme of Internet Control
authentication of digital chain of custody through the approach Message Protocol (ICMP) sweep attack.
of Jacobsson algorithm, which is an algorithm for validating a
hash value that is generated by the algorithm via online. In the Another study has been conducted by [23] that develops a
preliminary research, [28] specifically proposed an algorithm digital chain of custody solution in the form of a modified
for generating Jakobsson‟s fractal hash chain, which is an forensic format and combines it with AFF4 forensics concepts
algorithm which can generate, traverse, and store the hash keys of RDF to bridge the gap between the real condition in juridical
in large amounts especially in small and constrained devices. proceedings and common practice which takes place in digital
Another study about the integrity of digital evidence was forensics community.
conducted by [29] by doing computational analysis through
In regard to forensic format, according to [32], there are three
comparison of several algorithms for hash function on digital
generations of data imaging techniques that produce forensic
evidence.
format. The first generation is imaging with the technique of bit
Given the rapid development of the characteristics of digital copies from the media that will be acquired and the result is
evidence, the attempts to find digital evidence and the „raw‟ or „dd‟ image; the second generation is the use of block-
documentation are becoming increasingly difficult. That is why based compression to increase space efficiency; while the third
[2] opines that one of the initial steps is to understand in more generation is using integration technique of multiple image
details about the characteristics of digital evidence and chain of streams, that is an expression of information and storage
custody through ontology approach. In the study, through top- virtualization into forensic format later known as AFF. This
down based approach, an ontology model is built that consists format is developed by Garfinkel as disk image container that
of five hierarchies, namely: Characteristics, Dynamics, supports storage of metadata in a single archive [23], [30].
Factors, Institutions and Integrity. Those five elements of the
Given the trend of increasingly varying information required in
hierarchy are named DCoDeOn (Digital chain of custody
the investigation process, then in 2009, Cohen in [33], [34]
Digital Evidence Ontology) and directed to be able to respond
created a proposal for AFF improvements to enhance its ability
to the aspects of what, why, who, when, where and how in the
in storing metadata more extensively. This upgrade is known as
chain of custody.
AFF4. Then, considering the greater storage capacity that must
Furthermore, when the handling of chain of custody has the be acquired, and then it is suggested to use the application of
same point of view with the law enforcement regulations hash scheme based compression to boost the speed of image
prevailing in Indonesia, then at least there are 6 aspects of key acquisition process [32].
handling of digital chain of custody, namely (a) business model
Another forensic format is vendor-based in nature, namely the
and life cycle; (b) forensic format, (c) information record
EWF (Encase Expert Witness Format). This format is issued by
keeping (d) the storage, (e) security assurance of the storage and
Encase vendor that contains data checksum, a hash key to verify
(f) access control for the storage of digital evidence.
information and integrations containing bad sectors from the
3.1 Life Cycle disk imaging process [35].
Cosic [2] has modelled interaction process in chain of custody An evaluation from CDESF as cited by [23] mentions that the
that includes five actors, namely: first responders, forensics various existing forensic formats still contain a number of
investigator, court expert witness, law enforcement and police weaknesses, especially in the ability to keep the number of
officer. Additionally, [1] also has constructed a model of an metadata needed to support the process of investigation and
interaction process of chain of custody that engages five trial. For this reason, the other approach used is through
different actors, namely: first responder, investigator, knowledge representation, namely how to map out necessary
prosecutor, defense and court. According to Giova (2011), the information in the chain of custody process via XML, ontology

4
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

or semantic web. In this case [23], [36] try to propose a CoC on each digital evidence file. This is done particularly because
solution through the use of semantic web to represent a chain of of the difficulty in controlling the mobility and accessibility of
custody using RDF where forensics information and digital files. In addition, digital chain of custody solution is not
provenance information is published and utilized through the included in a framework of digital forensics investigation that is
web. binding. Therefore, the research of Digital Evidence Cabinets
tries to perform another approach through digital evidence
Another solution for the digital chain of custody is as proposed collection using the information stored in the media storage
by [37] through the concept of XeBag. This concept is a (evidence cabinets) and not directly on the digital evidence.
combination of the use of PKZip data compression format with
representation of metadata via XML format. This concept is Next, [39] sees the necessity for data integrity concept to ensure
developed specifically to meet the needs of forensic format to the handling of digital evidence and chain of custody and then
handle the cases that take place in South Korea. The existing develops the concept of DEMF (Digital Evidence Management
forensic format, particularly EWF from Encase is seen as Framework) through several criteria to obtain information that
having a number of limitations to be applied in the juridical area meets 5W 1 H. For any information 5W and 1 H is included to
of South Korea. ensure the security (Who-fingerprint, Where-GPS, When-
timestamp, What-hash).
3.3 Information Record
The most important thing of the chain of custody is the ability 3.4 Storage Area
to store metadata information [12]. Considering the digital The volume of the digital evidence is growing and increasingly
evidence acquisition process through „dd‟ tools or other tools varied in terms of the file size. Storage of digital evidence is not
does not facilitate the needs for metadata information of digital just ordinary storage, but it should have technical specifications
evidence, then a mechanism is needed for additional record that comply with the provisions of the law, for example, the
keeping of metadata information through the concept known as ability of data storage, data maintenance as well as data
Digital Evidence Bags (DEB). The concept of Digital Evidence recovery [40]
Bag (DEB) as information container for digital evidence is then
implemented with an XML approach through the availability of As any other storage, digital evidence storage should pay
three main files, namely tag file; .indexnn file; and .bagnn file. attention to a number of criteria, namely: read/write data
technology applied in the storage, strength and durability of the
Another approach to chain of custody issue carried out by storage, as well as its architecture. The solution for storage can
Schatz (2007) is known as sealed digital evidence bags. This refer to the storage technology that has been available, for
concept is the development of DEB (Digital Evidence Bags) instance, as developed by Rimage [41]. Besides, the solution for
concept proposed earlier by Turner. The approach is to use the storage can also be through the application of some topology
concept of RDF/OWL for the representation of necessary storages as done by [40] through the implementation of NAS
knowledge, as well as control of digital evidence. Meanwhile, (Networked Attached Storage) and SAN (Storage Area
[37] proposes the concept of XeBag (XML PKZip Based Network) in a concept called DECL (Digital Evidence Storage
Digital Evidence Bag) as a solution for digital evidence storage Locker).
technique. In the concept, the evidence file is stored in PKZip
format while the information associated with the forensics is A number of studies have been done to optimize the use of
saved using XML format. NAS and SAN storage solutions, as well as High Performance
Storage Network (HPSN) by [42] and High Availability Storage
The same thing is done by [23]. In this matter, [23]provides a Network (HASN) by [43]. Digital forensics activities and
digital chain of custody solution through semantic web digital chain of custody require storage solution that supports
approach using RDF and provenance vocabularies to ensure the the process of storage and access to digital evidence. As a
trustworthiness and integrity of the information on digital result, establishing the storage model solution according to the
evidence. The study begins by setting the definition and needs of the digital forensics activities and chain of custody is
analysis of all data information related at each stage of digital an area of research that can be studied further.
forensics process. The next stage is linking the information
from chain of custody into interlinked RDF, including According to [41], almost all crime activities at this time will
integrating the forensics and provenance metadata. On the final include digital components. Therefore, it is no wonder that
stage, the web interface is built that allows all parties to access every 18-24 months, digital evidence stored in the storage will
necessary information from chain of custody that has been double than before. According to [44], depending on the type of
made. institution and company, in general the amount of data stored
doubles in 1-2 years. On the other hand, considering
On the other hand, according to [38], one of the problems investigation process until the end of judicial proceedings
encountered in the handling of digital chain of custody is how requires a very long time, then the storage of digital evidence
to present the information that is needed during the judicial must also be maintained and retained for a long period.
process. The information presented in the chain of custody
according to [38] should be a combination of a technical area of In practice, the HDD (Hard Disk Drive) is often used as a
digital evidence and legislation area from the judicial point of standard for data storage for a long period. In spite of that,
view. Thus, there must be a good interface so that the data according to [41], the technology on HDD is not intended to
generated by digital investigator can be understood by the serve as a digital data storage solution for a very long period
judges and other law enforcement agencies in accordance with (HDD capacity ranges from 5 to 6 years only). In addition,
the applicable law. In this case, there is what so-called as HDD also still has a number of constraints in terms of the
supervision data as the depiction of data extracted from the possibility of failure in the process of storage and data reading
technical aspect that meets the legal aspects. that will potentially corrupt data. Therefore, a solution offered
by Rimage is a storage technology using DVD/BD (Blue-ray
The similarity obtained from a variety of solutions for digital Disc) that will guarantee the concept of secure data
chain of custody is an approach to integrate a number of preservation, reliable data retrieval and readability.
essential information as required in the chain of custody directly

5
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

3.5 Infrastructure Security be a valuable input to construct an appropriate model of access

Meanwhile, for the infrastructure of chain of custody, [11], control in the scope of digital chain of custody.
[45], [46] have offered a solution for the secure infrastructure
for digital evidence handling, that is, by establishing the
4. DISCUSSION
concept of valid evidence based on a hardware-based security Business model approach, as can be seen in Figure 2, can give
using a TPM (trusted platform module). an idea of the importance of the chain of custody in a process of
digital forensics. In addition, through this approach, to
Secure infrastructure is very important especially for the understand the importance of and the position of the chain of
handling of digital evidence in cases where the digital data are custody in the digital forensics also can be done through a
taken directly from the device. One example is the application modelling approach. In this case, [54] has introduced the
of Traffic Monitoring System in particular areas that are mostly general model and the conceptual model of digital forensic.
done in several major cities. Trusted Computing and Trusted Unfortunately, on both the proposed model is not visible the
Platform Modules serve as trustworthy based computing role and position of the digital chain of custody in digital
platforms to the solution. Another approach to infrastructure forensics. For that, refers to the model of the proposed general
solution is given by [47] i.e. through secure logging protocols model and the conceptual model of digital forensics with
for the benefit of digital evidence handling. include the chain of custody as one of the elements of
importance. A new proposed model are:
Another attempt to provide a solution to the handling of chain
of custody is the application of RFID technology to perform General Model DF = {I, S, D, E, A, R}
monitoring and data record keeping on physical or electronic
evidence. This is as developed by [48] via EPC global approach I = Identification process, S = Storage for digital evidence, D =
to Architecture Frameworks. Documentation of digital evidence, E = Exploration, A=
Analysis data and R = Reporting.
3.6 Access Control Conceptual Model DF = {Pi[Tj, Lk], DE}
Integrity and credibility of evidence on digital chain of custody
are determined by the concept of access control applied to it. Pi = A series of digital forensics process, Tj = Technique,
Therefore, there is a necessity for mechanisms to protect digital methods, approach, system, tools. Lk = Legal principle, DE =
evidence that supports the integrity, confidentiality and Digital Evidence.
authenticity of the digital evidence. In this case, according to Both of these models suggests that the chain of custody is an
[49], in the policy region, access control indicates whether a inseparable part of the activity of digital forensics. On the
subject (e.g. processes, computers, users, tools etc.) is allowed general model of the chain of custody is represented by D while
or not to perform an operation (such as read, write, execute, in the conceptual model are represented by Lk and DE.
delete, search etc.) on an object (e.g. database, table, file,
service, resource etc.). While according to [50], access control Based on the review, the attempts to provide solutions to digital
is a mechanism that gives authorization only to the legitimate chain of custody are divided into two approaches, namely:
users to be able to use the data and existing resource.
 The first approach is using information container as a
The application of access control on digital evidence has solution that allows to save a number of metadata in the
previously been proposed by [51] through the implementation form of specific forensic format. This approach is as
of cryptographic techniques to model the mechanism of committed by [30], [33].
hierarchical access control. In this case, partial mechanism and
full supervision are developed to describe rights and functions  The second approach is through formal knowledge
that are different between the investigator who directly handles representation with XML, ontology and semantic web
digital evidence and other law enforcement agencies that solution to store information metadata. This approach is as
perform supervisory control against the use of such evidence. committed by [2], [23]. DEB (Digital Evidence Bags)
The solution given in the study is focused on the efforts to carry expressed by Turner [12] as a container for loading some
out control and protection toward access to digital evidence information such as crime scene artifacts, metadata,
through the application of AES cryptography on different information integrity, access, and audit records is one of
security levels. the chain of custody solutions using XML approach. Then
with the addition of a Tag Integrity File on the concept of
In terms of computer security, according to research by [52] an DEB Turner, [13] develops a new concept known as
attack on the system can be because of inconsistencies the Sealed Digital Evidence Bags (SDEB).
application of access control. Thus, in the research, an
algorithm is built to detect any inconsistency in access control  The third approach is a combination of container
on a firewall as part of IDS (Intrusion Detection System) information and knowledge representation as expressed by
system [37] in XeBag.

In relation to this access control issue, based on the existing In addition, if the handling of chain of custody has the same
literature, there has been no study that specifically refers to the point of view with the law enforcement regulations prevailing
application of access control concept for digital chain of in Indonesia, at least there are four key aspects of the handling
custody. However, to know the importance of access control of chain of custody, namely, storage, registration and record-
concept for digital chain of custody can refer to the importance keeping, control access to the evidence, as well as security
of access control for medical record. In this case, a number of guarantee of the storage and analysis process. Based on this
studies have been done on the concept of access control to perspective, the previous explanation about researches in the
protect integrity of the medical records of patients in a field of a digital chain of custody can be mapped through the
Healthcare Information System. In addition, a study by [53] diagram in Figure 3.
about access control model for a collaborative environment can

6
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

In this study, an overview of digital forensics activities

requiring digital chain of custody mechanism refers to the legal
documents Regulation of the Chief of National Police No. 10/
2010 and the regulation system prevailing in Indonesia that
contains the settings of evidence, such as Law No. 8/ 2008
about Information and Electronic Transaction. Referring to this
document, in practice, based on the experience in handling
cases and interacting with digital forensics practitioners, the
activities generally performed at this time among the digital
investigators are limited to imaging, examination/exploration,
analysis and reporting the findings of evidence. Activities that
support the implementation of the digital chain of custody still
have not been taken into account by the digital investigator.
Chain of custody is only applied for the sake of physical
evidence documentation, but not on digital evidence. Interaction
process with digital evidence is not well documented. In
addition to the lack of tool and framework that support digital
chain of custody, there is also no mutual agreement related to
the management of digital evidence.
Figure 3. Problem and Chain of Custody Research Area
This is certainly a challenge for researchers to establish a
Based on the review above, in principle there are a few things
mechanism of the digital chain of custody so that the integrity
that still rise a challenge in researches about the chain of
and credibility of the evidence can still be guaranteed. Then,
custody, namely:
there is no presumption against digital evidence submitted by
 Business model for handling digital chain of custody. The investigators because all parties have achieved compliance with
first step to build the solution is to fix the business model the standard handling of evidence, in general. Therefore, one
of digital forensics. The business model will give an idea research area for digital chain of custody is to provide a more
on how the relation and order of interactions process comprehensive solution through unity in the existing solution
between actors in digital forensics activity. Further and the concept of business model, the concept of record and
researches can be done by referring to input from the storing information, as well as security and access control. This
practitioners in digital forensics either from the law is what underlies [55] to propose a solution known as Digital
enforcement agencies or from the private actors. Evidence Cabinets. The solution offered is like a new approach
to dealing with digital evidence and documentation of a digital
 Storage of digital evidence. The issue is how to implement chain of custody. This model is built through the approach of
and build storage infrastructures to fulfil the needs as well business model concept that corresponds to the legal aspects,
as meet the criteria set by the law. Therefore, things that development of a reliable storage model, development of record
can be done are identifying the criteria for digital evidence keeping and documentation concept based on the Digital
storage and mapping vendor products that meet the criteria Evidence Bags and Digital Evidence Sealed Bags, as well as
or storage model development through the implementation support for infrastructure based on trusted computing. Though
of NAS and SAN concept. the proposal is still in the early stages, but in principle the
solution offered has enriched the studies about digital chain of
 The concept of metadata information record keeping on
custody.
chain of custody. One way that can be developed is
building a new logging model based on a previously built 5. CONCLUSION AND FURTHER
model namely the concepts of DEB Turner and SDEB
from Schatz. The other thing that can be done is to RESEARCH
integrate record-keeping concept with DEMC concept Disclosure of cybercrime can be done through a series of digital
from Cosic. forensics activities. The important elements in these activities
are the integrity and credibility of the digital evidence in a
 A secure Infrastructure. Digital forensics and handling single procedure for handling the chain of custody (or chain of
chain of custody should be supported by a secure evidence). In this case, the handling of evidences either digitally
infrastructure. That is why, given the mobility or conventionally is supposed to use the same concept.
characteristics of the officers, a method that can be applied However, due to the specific characteristics of digital evidence,
is implementing SSL VPN concept as a means of access to the handling of chain of custody for digital evidence is not the
the server and storage. This can be supported by the same in practice. The difficulties found are the handling of
application of trusted computing-based and access control digital evidence turns out to be more difficult than of physical
concepts as a medium for the secure platform. The evidence. For this reason, a system environment that supports
incorporation of SSL VPN and Trusted Computing based the implementation of handling digital chain of custody is
brings a challenge for research about infrastructure on required by the law-enforcement institution to support the
digital chain of custody. handling and investigation of cybercrime.
 Establishing a framework for handling digital chain of This paper discusses the problems faced in the digital chain of
custody in a comprehensive manner. The framework will custody as well as various points of view the contributions of
provide an overview of solutions ranging from storing researchers in providing solutions to these problems. There are
process of digital evidence until interaction process among still many problems that must be resolved in order for the
business actors in a chain of custody along with the record digital chain of custody solutions can truly serve as an
keeping. aggregation process of handling evidence that will support the
process of investigation by law enforcement.

7
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

Based on the description in the paper, the next research step is [16] J. Shah and L. G. Malik, “An Approach Towards Digital
supposed to do further study by exploring a number of issues Forensic Framework for Cloud,” in IEEE International
that have been identified in particular to the concept of record Advance Computing Conference (IACC), 2014, pp. 798–
and information storage as well as security and access control 801.
scheme in a digital chain of custody system.
[17] P. G. P. G. Bradford and D. A. D. A. Ray, “Using Digital
Based on the description that has been conducted in this paper Chains of Custody on Constrained Devices to Verify
the next research steps that can be done is to do further studies Evidence,” in 2007 IEEE Intelligence and Security
to explore a number of issues that have been identified as Informatics, 2007, pp. 8–15.
particularly about concept of the writing and storage of
metadata information as well as security and access control [18] Rajamäki and J. Knuuttila, “Law Enforcement Authorities
scheme in a digital chain of custody system. ‟ Legal Digital Evidence Gathering,” in European
Intelligence and Security Informatics Conference, 2013,
6. REFERENCES pp. 198–203.
[1] G. Giova, “Improving Chain of Custody in Forensic [19] J. Cosic, G. Cosic, J. Ćosić, and Z. Ćosić, “Chain of
Investigation of Electronic Digital Systems,” Int. J. Custody and Life Cycle of Digital Evidence,” Computer
Comput. Sci. Netw. Secur., vol. 11, no. 1, pp. 1–9, 2011. Technology and Aplications, vol. 3, pp. 126–129, Feb-
[2] J. Ćosić, Z. Ćosić, M. Bača, J. Cosic, G. Cosic, and M. 2012.
Baca, “An Ontological Approach to Study and Manage [20] S. L. Garfinkel, “Digital forensics research: The next 10
Digital Chain of Custody of Digital Evidence,” JIOS, vol. years,” Digit. Investig., vol. 7, pp. S64–S73, Aug. 2010.
35, no. 1, pp. 1–13, 2011.
[21] J. Cosic and M. Baca, “( Im ) Proving Chain of Custody
[3] UNODC, “Comprehensive Study on Cybercrime,” New and Digital Evidence Integrity with Time Stamp,” in
York, USA., 2013. MIPRO,Proceedings of the 33rd International Convention
[4] CSIC, “Net Losses : Estimating the Global Cost of International Conference, 2010, no. Im, pp. 1226 – 1230.
Cybercrime,” Washington DC, 2014. [22] S. Dossis, “Semantically-enabled Digital Investigations,”
[5] PwC, “US cybercrime: Rising risks, reduced readiness,” Master, Department of Computer and Systems Sciences,
2014. Stockholm University, Swedia, 2012.

[6] RSA, “THE CURRENT STATE OF CYBERCRIME 2014 [23] T. F. Gayed, H. Lounis, and M. Bari, “Computer
An Inside Look at the Changing Threat Landscape,” 2014. Forensics: Toward the Construction of Electronic Chain of
Custody on the Semantic Web,” in The 24th International
[7] T. Widodo and Y. Prayudi, “Model Digital Forensic Conference on Software Engineering & Knowledge
Readiness Index (DiFRI) untuk Mengukur Tingkat Engineering, 2012, pp. 406–411.
Kesiapan Insititusi,” in Seminar Nasional Teknologi
Informasi (SNTI), 2013. [24] S. Raghavan, “Digital forensic research: current state of
the art,” CSI Trans. ICT, vol. 1, no. 1, pp. 91–114, Nov.
[8] A. Agarwal, M. Gupta, and S. Gupta, “Systematic Digital 2012.
Forensic Investigation Model,” Int. J. Comput. Sci. Secur.,
vol. 5, no. 1, pp. 118–134, 2011. [25] Damshenas, A. Dehghantanha, and R. Mahmoud, “A
Survey on Digital Forensics Trends,” Int. J. Cyber-
[9] C. Easttom and J. Taylor, Computer Crime, Investigation, Security Digit. Forensics, vol. 3, no. 4, pp. 209–234, 2014.
and the Law. Boston, Massachusetts USA: Course
Technology, 2011. [26] F. N. Dezfoli, A. Dehghantanha, R. Mahmoud, and N. F.
Binti, “Digital Forensic Trends and Future,” Int. J. Cyber-
[10] Kepolisian Negara RI, “Perkap Tata Cara Pengelolaan Security Digit. Forensics, vol. 2, no. 2, pp. 48–76, 2013.
Barang Bukti,” Jakarta, 2011.
[27] D. Schum, G. Tecuci, and M. Boicu, “Analyzing Evidence
[11] J. Richter and N. Kuntze, “Securing Digital Evidence,” in and its Chain of Custody : A Mixed-Initiative
Fifth International Workshop on Systematic Approaches to Computational Approach,” Int. J. Intell.
Digital Forensic Engeneering, 2010, pp. 119–130. Counterintelligence, vol. 22, no. 2, pp. 298–319, 2009.
[12] P. Turner, “Unification of Digital Evidence from Disparate [28] P. G. Bradford and D. A. Ray, “An Online Algorithm for
Sources ( Digital Evidence Bags ),” in Digital Forensic Generating Fractal Hash Chains Applied to Digital Chains
Research Workshop (DFRWS), 2005, pp. 1–8. of Custody,” Jul. 2013.
[13] B. Schatz, “Digital Evidence: Representation and [29] S. Saleem, O. Popov, and R. Dahman, “Evaluation of
Assurance,” Queensland University of Technology, Security Methods for Ensuring the Integrity of Digital
Australia, 2007. Evidence,” in International Conference on Innovations in
Information Technology, 2011, pp. 220–225.
[14] C. P. Grobler, C. P. Louwrens, and S. H. Von Solms, “A
framework to guide the implementation of Proactive [30] S. L. Garfinkel, “Providing Cryptographic Security and
Digital Forensics in organizations,” in International Evidentiary Chain-of-Custody with the Advanced Forensic
Conference on Availability, Reliability and Security, 2010, Format ,” Int. J. Digit. Crime Forensics, vol. 1, no. March,
pp. 677–682. pp. 1–28, 2009.
[15] O. Ademu, C. O. Imafidon, and D. S. Preston, “A New [31] Nandhakumar and U. Agarwal, “Use of AFF4 „Chain of
Approach of Digital Forensic Model for Digital Forensic Custody‟- Methodology for Foolproof Computer Forensics
Investigation,” Int. J. Adv. Comput. Sci. Appl., vol. 2, no. Operation,” Int. J. Commun. Netw. Syst., vol. 1, no. 1, pp.
12, pp. 175–178, 2011. 49–57, 2012.

8
 International Journal of Computer Applications (0975 – 8887)
Volume 114 – No. 5, March 2015

[32] Cohen and B. Schatz, “Hash based disk imaging using [44] K. Engelhardt, “Secure Data Storage - An Overview of
AFF4,” Digit. Investig., vol. 7, pp. S121–S128, Aug. 2010. Storage Technology,” 2008.
[33] M. Cohen, S. Garfinkel, and B. Schatz, “Extending the [45] Kuntze, C. Rudolph, T. Kemmerich, and B. Endicott,
advanced forensic format to accommodate multiple data “Chapter 1 SCENARIOS FOR RELIABLE AND
sources, logical evidence, arbitrary information and SECURE DIGITAL EVIDENCE,” in Ninth Annual IFIP
forensic workflow,” Digit. Investig., vol. 6, pp. S57–S68, WG 11.9 International Conference, 2013, pp. 1–13.
Sep. 2009.
[46] N. Kuntze, C. Rudolph, and I. Technology, “Secure Digital
[34] B. Schatz and M. Cohen, “Refining Evidence Containers Chains of Evidence,” in SADFE (Sixth International
for Provenance and Accurate Data Representation,” IFIP Workshop on Systematic Approaches to Digital Forensic
Adv. Inf. Commun. Technol., vol. 337, pp. 227–242, 2010. Engineering), 2011, pp. 1–8.
[35] CDESFWG, “Survey of Disk Image Storage Formats,” [47] R. Accorsi, “Safekeeping Digital Evidence with Secure
2006. Logging Protocols : State of the Art and Challenges,” 2009
Fifth Int. Conf. IT Secur. Incid. Manag. IT Forensics, no.
[36] T. F. Gayed, H. Lounis, and M. Bari, “Cyber Forensics : 1, pp. 94–110, 2009.
Representing and ( Im ) Proving the Chain of Custody
Using the Semantic web,” in COGNITIVE 2012 : The [48] C. Chen and C. Huang, “Applying EPCglobal Architecture
Fourth International Conference on Advanced Cognitive Framework for Criminal Physical Evidence Safety
Technologies and Applications, 2012, no. Im, pp. 19–23. Monitoring System,” in TANET (Taiwan Academics
Network Conference), 2013, pp. 1–6.
[37] K. Lim and D. G. Lee, “A New Proposal for a Digital
Evidence Container for Security Convergence,” in IEEE [49] . Thion, “Access Control Models,” in Cyber Warfare and
International Conference on Control System, Computing Cyber Terorism, IGI Global, 2008.
and Engineering, 2011, pp. 171–175.
[50] Samarati and S. D. C. di Vimercati, “Access Control:
[38] W. Yi, “Extraction and Supervison Of Data Of Chain Of Policies, Models, and Mechanisms,” in Foundation Of
Custody in Computer Forensics,” China Communication, Security Analysis, Springer Berlin Heidelberg, 2001.
vol. 12, 2010.
[51] C. Hsu and Y. Lin, “A Digital Evidence Protection Method
[39] J. Ćosić and M. Bača, “A framework to (Im)Prove „Chain with Hierarchical Access Control Mechanisms,” in IEEE
of Custody“ in Digital Investigation Process,” Proc. 21st International Carnahan Conference on Security
Cent. Eur. Conf. Inf. Intell. Syst., pp. 435–438, 2010. Technology (ICCST), 2011, pp. 1–9.
[40] M. Davis, G. Manes, and S. Shenoi, “A Network-Based [52] D. Zhang, “The Utility of Inconsistency in Information
Architecture For Storing Digital Evidence,” in Advances in Security and Digital Forensics,” in IEEE International
Digital Forensics, M. Pollitt and S. Shenoi, Eds. Springer Conference on Information Reuse and Integration (IRI),
New York, 2005, pp. 33–42. 2011, pp. 141 – 146.
[41] Rimage Corporation, “Digital Evidence Preservation and [53] W. Zhou, “Access Control Model and Policies for
Distribution : Updating the Analog System for the Digital Collaborative Environments,” PhD Dissertation,
World,” 2012. Universitaet Potsdam, Potsdam Germany, 2008.
[42] X.-G. Yu and W.-X. Li, “A New Network Storage [54] A. Hellany, H. Achi, and M. Nagrial, “An Overview of
Architecture Based on NAS and SAN,” in 10 th Digital Security Forensics Approach and Modelling,” in
International Conference on Control, Automation, 2008 International Conference on Computer Engineering
Robotics and Vision, 2008, no. December, pp. 2224–2227. & Systems, 2008, pp. 257–260.
[43] D. Han and F. Feng, “Research on the High Availability [55] Y. Prayudi, A. Ashari, and T. K. Priyambodo, “Digital
Storage Network,” in 2008 4th International Conference Evidence Cabinets : A Proposed Frameworks for Handling
on Wireless Communications, Networking and Mobile Digital Chain of Custody,” Int. J. Comput. Appl., vol. 109,
Computing, 2008, pp. 1–4. no. 9, pp. 30–36, 2014.

9
IJCATM : www.ijcaonline.org