Providing Cryptographic Security and Evidentiary Chain-of-Custody with the Advanced Forensic Format, Library, and Tools

Introduction

Chain-of-custody for evidence from the crime scene to the court room is a bedrock principle of both civil and criminal law. Without a clear and unambiguous chain-of-custody there is no way to be sure that an object presented to the court is the same object that was collected at the scene of the crime. Even evidence presented to technical experts needs to have chain-of-custody: without it, there is no way to assure that the expert’s testimony pertains to evidence from the actual case that is under consideration.

A paper notebook found at a crime scene can be put into an evidence bag, tagged, and locked away in an evidence locker. Each time the evidence is accessed or moved to another location this fact will be noted. In this manner the prosecution can show that the evidence has not been tampered; in the rare cases where tampering takes place, it can be detected.

But unlike records written with pen and paper, digital files can be modified without leaving a trace of the original message. This is one of the great challenges of digital forensics—establishing that a particular arrangement of bits on a digital storage medium is the result of on specific computational history (e.g., deleting a file) and not of another (e.g., using a hex editor to write raw sectors onto the disk drive that are indicative of a deleted file)[Carrier, 2006].

Of course, hard drives, USB memory sticks, and cell phones are tagged and bagged. But at some point, the information on these devices needs to be copied onto another computer system for analysis. In a modern forensic laboratory these files might be placed on a high-capacity server or a Storage Area Network (SAN) to allow for flexible use and simultaneous access by multiple examiners. Such environments require highly reliable technical measures to provide assurances that evidence is kept intact and unmodified.

Although computer forensics practitioners understand the importance of chain-of-custody, today’s tools for preserving this chain are poor. Programs such as EnCase[Keightley, 2003] and dcfldd[Harbour, 2006] will compute an MD5 or SHA-1 cryptographic hash of a disk when it is copied by an investigator into an image file. Later, when the image file is provided to a forensic analyst, the analyst can compare the hash of the image received with the hash of the original to determine if the file has been modified. If the hashes match, the assumption is that the file is unchanged from the original.

This article introduces an improved method for assuring the integrity of digital evidence that is based on public key cryptography. In addition to providing improved integrity, the method presented also allows for:

• •

  digital documentation of evidentiary transfer from one agent to another;

• •

  reconstruction of evidence that has been inadvertently damaged during transfer;

• •

  forensically sound methods for recovering partial evidence in cases where so much digital evidence has been damaged that reconstruction is no longer possible;

• •

  encryption with both symmetric and public key cryptography, so that evidence that is acquired in a hostile environment can be safely transferred back to a secure facility.

These new methods have been implemented in the Advanced Forensic Format Library (AFFLIB) Version 3[Garfinkel, 2008]. AFFLIB is an open source software package written in the C/C++ programming language that allows for the imaging, manipulation, storage and use of digital evidence. The software is available free of charge for incorporation into both open source and proprietary forensic applications.