Junho Jeong*, Donghyo Kim**, Byungdo Lee*** and Yunsik Son**
Design and Implementation of a Digital Evidence Management Model Based on Hyperledger Fabric
Abstract: When a crime occurs, the information necessary for solving the case and the various pieces of evidence needed to prove the crime are collected from the crime scene. The tangible residues collected at the crime scene through scientific methods become evidence at trial and clues that directly prove the facts of the suspect's offense. Therefore, scientific investigation and forensic handling for securing objective forensic evidence are increasingly important in crime investigation. Today, digital systems such as smartphones, CCTVs, black boxes, etc. are increasingly used as clues in criminal investigations, and digital forensics is becoming a decisive factor in investigation and trial. However, in existing centralized management systems based on a client/server structure, there is a risk that digital forensic evidence may be damaged or manipulated by malicious insiders. In this paper, we design and implement a blockchain-based digital forensic management model using Hyperledger Fabric and Docker to guarantee the reliability and integrity of digital forensic evidence. The proposed digital evidence management model allows only authorized participants in a distributed environment, without a central management agency, to access the network to share and manage potential crime data. Therefore, it could be relatively safe from malicious internal attackers compared to the existing client/server model.
Keywords: Blockchain, Digital Evidence Management, Digital Forensic, Hyperledger Fabric, Smart Contract
1. Introduction
Policing is one of the important factors for building a secure smart community system. Recently, policing has been developing into smart community policing using information and communication technologies (ICT). In particular, when a crime occurs, crime investigation collects the various information needed to solve the case and the various types of evidence needed to prove the crime. Thus, after collecting tangible residues, the victim’s status, and behavioral evidence at the scene of the incident, the basis of scientific investigation is to analyze them scientifically and use the results.
Therefore, records and archives of forensic evidence have been very important in criminal investigation. The importance of keeping forensic evidence is well documented by a well-known unsolved case in the United Kingdom. In 1981, in England, a 14-year-old girl was found raped and murdered, but the case remained unsolved. After 20 years, the police were able to arrest the suspect using the samples taken from the girl’s body at that time.
The importance of the chain of custody (CoC) is well documented in the O. J. Simpson case in the United States. The forensic evidence presented to the court in this case showed that the transfer process had not been tampered with and proved that the process was perfect. In Korea, the criminal forensic evidence of the serial murders, which remained unresolved for 33 years, has been preserved to this day. This has recently been used to narrow down the potential culprits of the case. In other words, recording and keeping evidence is a very important factor in criminal investigations. Investigating a crime means resolving the incident by collecting and analyzing various types of on-site evidence based on the condition and behavior of the offender and the victim that demonstrate the crime.
Today, smartphones, CCTVs, black boxes, etc., are increasingly used as clues in criminal investigations, and digital evidence is becoming a decisive factor in investigation and trial. Table 1 shows the number of sources of digital evidence up to 2018. Since 2009, with the development of electronic device technology, the spread of smartphones has increased, and so has their proportion among the clues and evidence in criminal investigations. In other words, the number of cases in which CCTV, black boxes, etc., prove to be important evidence in criminal investigations is increasing, and the use of digital evidence and the number of referrals in criminal investigations are increasing.
On the other hand, an increase in the number of sources of digital evidence in criminal investigations means that there is a lot of information to be kept and managed. Therefore, a standard criminal investigation method and an evidence management system need to be established. Accordingly, various policies and technologies are being researched in many countries to establish safe and reliable crime investigation methods and digital evidence management systems.
However, in Korea, because each local police agency operates under its own guidelines, there is no standard best practice for operating a digital evidence management system. In particular, the investigating agency in the field can investigate the case and obtain digital evidence through voluntary submission or search and seizure. This digital evidence can be collected by duplicating the original and verifying its integrity through hash values. However, in many cases the physical storage devices themselves are acquired.
In this case, the data is stored and managed on the physical storage device obtained through the search until it is submitted to court, and the physical storage device itself is handed over when necessary. Therefore, the data stored on the physical storage device is exposed to damage and manipulation. In this process, the CoC is broken, and the digital evidence collected and analyzed can hardly be admitted as legal evidence because its reliability is lacking.
Therefore, a previous study analyzed the digital evidence system to examine the reliability verification problems of digital evidence in practice. In addition, that study analyzed the overall process that can meet the speed and confidentiality requirements of digital forensic investigation based on the characteristics of the digital forensic system required in practice.
Another study proposed a management plan that considers the life cycle of digital evidence. It aimed to effectively solve the problem of evidence being deleted or disposed of due to lack of space, and analyzed the necessity and utility of integrated management for large-capacity and diversified evidence. However, while such a system could be effective against malicious external attacks, it is ineffective against internal attacks.
A client/server system refers to a network structure in which a client works with a separate server that provides service resources. In general, since data is stored in a database on the central server, the system operates in a closed structure between users. Therefore, it has the disadvantage that the central server cannot prove the integrity and transparency of the data when it is attacked or when the data is modified by a malicious attacker. In addition, for transaction management, transaction verification must be performed using a third-party certification authority. Furthermore, as the number of devices connected to the server increases, the requests and data transmissions of those devices may place a heavy load on the server providing a specific service or function.
In this paper, we propose a blockchain-based digital evidence management model and implement it using Hyperledger Fabric. This paper is organized as follows. Section 2 introduces related work on digital forensics and blockchain. Section 3 proposes the digital evidence management model. Section 4 analyzes the results of implementing the proposed model. Finally, Section 5 concludes the paper.
2. Related Works
2.1 Digital Crime Investigation Process in Korea
Today, the digital criminal investigation process in Korea generally has seven stages: initial survey, investigation, arrest, closing of the investigation, request for analysis, transfer of digital evidence and investigation records, and trial. Fig. 1 shows the criminal investigation process in Korea.
The initial survey is the first action when an incident occurs: the field investigation agency recognizes what kind of event it is and starts an investigation. The investigation stage then issues a warrant, collects information on the case, and identifies the suspect and the culprit before the arrest. At the scene of the crime, criminal evidence is collected, and the culprits are arrested based on the warrant. Once the suspect is arrested and the investigation is closed, the investigators collect additional criminal evidence at the scene. The evidence, along with the investigation information, is analyzed by the local police department’s analysis team, and the results are obtained. After that, the investigative documents, the results of the criminal evidence analysis, and the physical storage device holding the digital evidence are transferred to the prosecutor’s office and stored. Finally, these materials are submitted as evidence to the court at the time of trial.
When investigation documents and evidence are transferred, prosecutors examine only the documents in the case to make their determination, relying on the trust placed in the entire criminal justice system. Thus, the procedure carries the risk that a malicious insider could compromise or manipulate the digital evidence on the physical storage device. In this case, the evidence cannot be used as legal evidence because continuity of management cannot be maintained from the point of view of CoC [2,6].
2.2 Digital Evidence Management Research
Various studies have continuously attempted to increase the originality, integrity, and authenticity of criminal digital evidence obtained through voluntary submission or search and seizure. Recently, research has been conducted to understand the characteristics of digital data, to establish an efficient management environment based on digital forensics, and to perform integrated management. As shown in Fig. 2, that study classifies and links the system into three crime investigation management areas: the National Police Agency’s case management system, the National Police Agency’s digital evidence management system, and the Public Prosecutor’s Office digital evidence management system, and it uses the national transmission network to manage digital evidence and investigation information.
However, this integrated digital evidence management system is a centralized system in a client/server environment. Therefore, authentication must be performed using a third party to manage transactions. In addition, the server for storing and managing digital evidence and investigation information is centralized. Therefore, if the central server is attacked, the organization’s operational and important investigation information can be leaked, and the continuity of management cannot be maintained. To solve this problem, records of the transfer of digital evidence and investigation documents should be stored and shared across the whole network, and a technology with high transparency and reliability should be applied.
2.3 Blockchain & Hyperledger Fabric
Blockchain, represented by Bitcoin, is implemented in such a way that the participants collectively record and manage data by distributing the ledger over a peer-to-peer network rather than storing it on the central server of a specific organization. In this case, the data is stored in a distributed manner across several sites, several countries, or several institutions. When a user issues a write request, the data is shared with all the systems.
In other words, the blockchain is a data structure for implementing distributed ledgers. It connects all the transaction blocks that have been agreed upon and validated by network participants, from the beginning of the chain to the most recently created block. It is a technology that can manage the same transactions by distributing them to all network members. In the client/server environment, transaction verification is performed by a third-party certification authority that manages the transaction, whereas in a blockchain network the contents of the ledger are verified by digital signatures and smart contracts.
Blockchains are categorized into three types: public blockchains, private blockchains, and consortium blockchains. The digital evidence management model proposed in this study applies Hyperledger Fabric to achieve the goal of this study. Hyperledger Fabric is a consortium blockchain framework in which several organizations form a consortium and only authorized organizations can join the network. The framework is one of the Linux Foundation’s Hyperledger projects, an open-source framework for building blockchain network infrastructure for business-to-business (B2B) and business-to-consumer (B2C) transactions. Unlike Bitcoin and Ethereum, the leading public chain frameworks, Hyperledger Fabric is not cryptocurrency based, but a consortium blockchain technology for business.
In addition, in contrast to public blockchains where anyone can participate, Hyperledger Fabric uses digital certificates and public key cryptography based on public key infrastructure (PKI) to manage the affiliation, identity, access permissions, and roles of the users participating in the network. Through this technique, the integrity of network participants can be proved, and only users who have been granted access to the network through a channel can participate in the blockchain network, which provides privacy and confidentiality between the participants [12,13]. Fig. 3 shows the architecture of the model.
This means not only that all information can be shared equally, but also that the digital evidence and investigative information, which are important, can be confined to the participants of a channel, who create and share a separate ledger. Hyperledger Fabric generally consists of a blockchain network and a certificate authority server/client. Membership information, such as peer authority and orderer authority, defined in the client is registered in the certification authority server [14,15]. In addition, cryptographic data such as digital certificates, public keys, and private keys, the genesis block, and transaction generators can be created, distributed to the Hyperledger Fabric network, and maintained on this basis.
A peer is a node in a Hyperledger Fabric network. Depending on its role, a peer is an “endorsing peer”, which verifies transactions that execute the smart contract; a “committing peer”, which verifies the latest block; an “anchor peer”, which is connected to communicate with other institutions; or a “leader peer”, which receives the latest block from the orderer and transmits it to the other peers in the organization. The orderer is a node that collects and sorts transactions and generates the actual block after the endorsing peers have verified the transactions that execute the smart contract. This process is called consensus [12,16].
Because these roles are separated and processed independently, the load on the peers that execute and verify transactions can be reduced, and various tasks can be processed in parallel. Therefore, this paper also utilizes Hyperledger Fabric technology for effective and reliable digital evidence management.
2.4 Smart Contract in Hyperledger Fabric
Smart contracts are an essential part of the digital evidence management model presented in this paper. A smart contract is a contract that can be concluded and modified easily and conveniently without an intermediary, using the characteristics of distributed ledger technology (DLT). Thus, various types and forms of contract processing are possible, such as financial transactions, certification, and contract notarization [12,17]. In Hyperledger Fabric, the source code that implements smart contracts is called chaincode. It is installed on the peers of a preconfigured network and executed as a transaction.
If necessary, multiple chaincodes may be installed on a single peer. Unlike general smart contract technologies, Hyperledger Fabric’s smart contracts are classified into two types: system chaincode, executed at the system level, and developer chaincode, which accesses the ledger at the application level.
A total of five system chaincodes are provided to facilitate development by directly instructing Hyperledger Fabric network systems. Each system chaincode is as follows.
(1) The query system chaincode (QSCC) reads the hash value, block number, and transaction ID of a stored block of the blockchain.
(2) The endorsement system chaincode (ESCC) checks a user’s transaction execution result and, if it is correct, endorses the transaction’s result with its own certificate.
(3) The validation system chaincode (VSCC) validates the digital certificates of a transaction in accordance with its read data and transaction policy.
(4) The configuration system chaincode (CSCC) creates channels and joins peers and orderers to them.
(5) The lifecycle system chaincode (LSCC) performs chaincode installation and peer data initialization on the peer.
3. Proposed Digital Evidence Management Model
3.1 Design of the Process for Digital Forensic using Hyperledger Fabric
The digital evidence management model proposed in this paper aims to overcome the limitations of existing research confined to the server/client environment by using the blockchain network framework Hyperledger Fabric, and to manage digitalized evidence transparently and reliably.
Hyperledger Fabric provides a channel system between the organizations participating in the blockchain, and can efficiently manage participation rights, identities, and roles in the blockchain based on PKI technology. This has the advantage of providing privacy and confidentiality for institutions, organizations, and users. Therefore, it can provide privacy and confidentiality among a limited set of institutions, as in the proposed model, and supports the functions needed to improve the reliability of the shared data.
Fig. 4 shows the process of the proposed digital evidence management model. Provincial Police Agencies, the National Police Agency, Cyber Analyst Teams, the Prosecutors’ Office, and Courts form a consortium, participate in blockchain channels, and share digital evidence. The process begins with the field investigator registering the collected digital evidence in the blockchain network. Digital evidence information includes case numbers, case information, jurisdictions, registrants, investigation records, analysis results, and dates. Steps 1–2, the identity registration and certificate issuance process, are performed only by newly participating organizations.
After that, the identity of the registrant and the registered digital evidence information are verified, and the verified evidence information is recorded in a block through the chaincode, a smart contract predefined in the peer, and distributed to all agencies. Accordingly, all agencies can share the registered digital evidence information through the distributed blocks. In addition, once blocks are created, they cannot be deleted or modified, which increases the transparency and reliability of the digital evidence.
3.2 Design of Hyperledger Fabric Network for the Proposed System
The Hyperledger Fabric network consists of digital evidence registrants (clients), peers, orderers, channels, chaincodes, and membership service providers. Fig. 5 illustrates the network for the proposed system. The peers are linked together by a consortium of Provincial Police Agencies, the National Police Agency, Cyber Analyst Teams, the Prosecutors’ Office, and Courts, which handle criminal investigation information. To do this, we use Hyperledger Fabric together with Docker, a container-based open-source virtualization platform. The network maintains peers, orderers, and channels using membership information, institutions, digital certificates, public keys, and private-key cryptography techniques.
Therefore, when a digital forensic registrant registers an identity on the Hyperledger Fabric network, the membership service provider verifies that the registrant is a participant in the organization. It also issues cryptographic material and grants access to the network.
Subsequently, when the registered registrant submits a digital forensic registration transaction, the chaincode installed in the peer is executed to record the transaction in the ledger, and the transaction is distributed to all endorsing peers through the anchor peers connected to each peer. As a result, all endorsing peers verify the distributed transaction, generate a block, and distribute it again.
4. Implementation and Analysis
The proposed model was implemented in this paper on Hyperledger Fabric, a blockchain network infrastructure framework, and Docker, a software virtualization platform. Table 2 shows the detailed environment for the implementation. The first step in implementing the criminal digital evidence management blockchain network is to establish the organization and authority of peers and orderers using membership service providers. To set the authority of peers using the membership service provider, the authentication server was maintained as a Docker container. The YAML file for setting permissions is mounted into the container from the host. Credentials were therefore issued when a request for authorization and PKI-based cryptographic data was received from outside. In the proposed blockchain network, each peer organization, namely the Provincial Police Agency, the Cyber Analysis Center, the Prosecutor’s Office, the Court, and the National Police Agency, was set to the same level of authority, and the cryptographic data, namely digital certificates, public keys, private keys, the genesis block, and the transaction generator, was generated. In addition, Docker containers were constructed based on the generated cryptographic data, and the network peers and orderer are always enabled. The containers of the peers of the local police agency, the Cyber Analysis Center, the Prosecutor’s Office, the Courts, and the National Police Agency joined the channel so that they are configured in the same network.
Fig. 6 shows the result of obtaining user authority by requesting identity registration from the authentication server of each institution, in order to register the user identity with each peer of the blockchain network, such as the police department, the Prosecutor’s Office, the digital cyber analysis team, and the Court. The red box in Fig. 6 shows that all the peers in the digital evidence management system have been successfully registered.
Fig. 7 shows the digital certificate provided by the authentication server based on the registered identity. When registering the identity, the authentication server issues a separate digital certificate, public key, and private key for each institution, and these are used to verify identities in the blockchain network. The chaincodes are then set up on all peers to perform the smart contracts that record the digital evidence and investigation-related information submitted by investigators on the blockchain network.
The chaincode installed on the peer executes the smart contract by passing the arguments to the corresponding function created in the blockchain network when the registration transaction is submitted. The contents of this transaction include case information, jurisdiction, registrant, investigation record, and date. The chaincode consists of an Init function that initializes and records digital evidence and investigation-related information, an Invoke function that updates recorded evidence information, a Query function that retrieves recorded information, and finally a Delete function that removes data from the ledger by identifier.
The digital evidence registrant is identified in the chaincode by Enroll_Id, the registrant’s network ID. When the digital evidence registrant submits the registration transaction to the blockchain network, the digital evidence is registered in the ledger through chaincode execution. In addition, the chaincode is executed by the police agency peers so that all transactions are recorded identically in the ledgers held by the peers participating in the channel.
Fig. 8 shows the result of recording and updating digital evidence using the identifier ID in the established chaincode. Transactions are shared among all peers via anchor peers that communicate with the other peers. When the chaincode has been executed on all peers and the transaction is shared, all nodes agree to create a block, and all peers participating in the channel share the same criminal digital evidence registration information.
Fig. 9 shows the result of registration and update on all peers participating in the channel. It can be seen that a total of two blocks have been updated and are waiting for block generation. Thus, digital evidence for which a block has been generated cannot be modified, and if a modification is made, the updated contents are recorded in a new block, making it difficult for insiders to manipulate data. Even if digital evidence is corrected by an insider, all the records remain, which increases the reliability of the evidence.
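The four chaincode functions named above (Init, Invoke, Query, Delete) together with the hash-based integrity check of duplicated evidence from Section 1, as an added example in Go that is not the paper's chaincode and does not use Fabric's shim API: the ledger is an in-memory stand-in whose per-key history plays the part of the block chain, so an update or deletion leaves every earlier version in place, which is the property the discussion of Fig. 9 relies on. The Evidence field names, the added ImageSHA256 field, the identifier "EV-2020-0001", and the sample image bytes are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Evidence carries the fields the registration transaction is described as
// holding. ImageSHA256 is an added assumption: the hash taken when the
// original was duplicated, so any later copy can be checked against it.
type Evidence struct {
	CaseNumber, CaseInfo, Jurisdiction, Registrant string // Registrant is the Enroll_Id
	Record, Analysis, Date                          string
	ImageSHA256                                     string
}

// Ledger is a simplified in-memory stand-in for a channel ledger (not the
// Fabric chaincode shim): state models the world state and history models the
// per-key history that stays in the chain after an entry changes or is removed.
type Ledger struct {
	state   map[string]Evidence
	history map[string][]Evidence
}

func NewLedger() *Ledger {
	return &Ledger{state: map[string]Evidence{}, history: map[string][]Evidence{}}
}

func hashImage(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// commit writes a new version of an entry and appends it to the history.
func (l *Ledger) commit(id string, e Evidence) {
	l.state[id] = e
	l.history[id] = append(l.history[id], e)
}

// Init registers evidence under a new identifier with the hash of the
// duplicated image; re-using an identifier is refused.
func (l *Ledger) Init(id string, image []byte, e Evidence) error {
	if _, exists := l.state[id]; exists {
		return fmt.Errorf("evidence %q is already registered", id)
	}
	e.ImageSHA256 = hashImage(image)
	l.commit(id, e)
	return nil
}

// Query returns the current version of an entry.
func (l *Ledger) Query(id string) (Evidence, error) {
	e, ok := l.state[id]
	if !ok {
		return Evidence{}, fmt.Errorf("evidence %q not found", id)
	}
	return e, nil
}

// Invoke updates the investigation record, analysis result and date; the
// image hash from registration is carried over unchanged.
func (l *Ledger) Invoke(id, record, analysis, date string) error {
	e, err := l.Query(id)
	if err != nil {
		return err
	}
	e.Record, e.Analysis, e.Date = record, analysis, date
	l.commit(id, e)
	return nil
}

// Delete removes the entry from the world state; earlier versions stay in the history.
func (l *Ledger) Delete(id string) error {
	if _, err := l.Query(id); err != nil {
		return err
	}
	delete(l.state, id)
	return nil
}

// History returns every committed version of an entry, oldest first.
func (l *Ledger) History(id string) []Evidence { return l.history[id] }

// VerifyImage recomputes the hash of a copy handed over later (for example with
// the storage device transferred to the prosecutor's office) and compares it
// with the hash registered at collection time.
func (l *Ledger) VerifyImage(id string, image []byte) (bool, error) {
	e, err := l.Query(id)
	if err != nil {
		return false, err
	}
	return hashImage(image) == e.ImageSHA256, nil
}

func main() {
	l := NewLedger()
	image := []byte("constructed evidence image bytes") // constructed sample input
	_ = l.Init("EV-2020-0001", image, Evidence{CaseNumber: "C-0001", Registrant: "inv01", Date: "2020-01-01"})
	ok, _ := l.VerifyImage("EV-2020-0001", []byte("altered copy"))
	fmt.Println("altered copy matches registered hash:", ok)
}
```

In real Fabric chaincode the same shape maps onto PutState, GetState, DelState and GetHistoryForKey on the stub, and the Enroll_Id would be taken from the submitting client's certificate rather than passed in as a field.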
In addition, when an external attacker accesses the blockchain network and attacks the digital evidence recorded in the ledger, as shown in Fig. 10, a user whose identity is not verified cannot modify transactions or chaincode. In other words, the proposed model can provide high reliability for criminal digital evidence because neither external attackers nor the constituent nodes of the model can modify the records stored in the ledger of the peer to which they belong.
5. Conclusion and Future Works
Today, there is a risk that a malicious insider could compromise or manipulate the digital evidence on a physical storage device. In this case, the evidence cannot be used as legal evidence because continuity of management cannot be maintained from the point of view of CoC. Therefore, digital evidence that is difficult to analyze is not used as legal evidence because continuity of management is not guaranteed.
Recently, there have been various studies to enable transparent and reliable management of criminal digital evidence. However, in Korea, the criminal digital evidence management system is operated centrally in an integrated server/client environment, and research is being conducted to advance it. The centralized system is not effective for the CoC because the investigation information of the relevant institution can be leaked or manipulated when the central server is attacked, and it is also vulnerable to attacks by insiders. Therefore, a new criminal digital evidence management model that differs from the existing system is required.
In this study, we proposed a digital forensic management model that can share and manage data by accessing a network in a distributed environment in which only authorized participants take part. Digital forensic data, once written by creating a block, cannot be modified or deleted by any user, and has the advantage of increased transparency and reliability since it is shared with all peers in the blockchain network. In addition, the proposed model was implemented with Hyperledger Fabric and analyzed. The results of the analysis showed that digital evidence stored in the proposed model could provide high reliability.
However, this study has not yet implemented a user interface and a distributed application for user convenience. Nevertheless, the model proposed in this study could contribute to lowering the threats present in the transmission and management of digital evidence in Korea and to increasing the reliability of digital forensics.
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2017R1D1A3B03029906), and this work was supported by the NRF grant funded by the Korea Government (MSIT) (No. 2018R1A5A7023490). This research was supported by the Ministry of Science and ICT, Korea, under the Information Technology Research Center support program (No. IITP-2020-2020-0-01789) supervised by the Institute for Information & Communications Technology Planning & Evaluation (IITP).
He received the B.S. degree from the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea, in 2007, and M.S. and Ph.D. degrees from the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea, in 2009 and 2015, respectively. He was a research professor at the Electronic Commerce Institute, Dongguk University, Gyeongju, Korea, from 2015 to 2019, and a research professor in the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea, until August 2019. Currently, he is an assistant professor in the Department of Computer Science and Engineering, Kongju National University, Cheonan, Korea. His research areas include computer security, privacy preservation, distributed systems, network security, and secure software.
He received a Bachelor’s degree in the School of Computer Science and Engineering from Dongguk Computer Science Institute in 2017. He is currently a master’s student in the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea. His current research interests include blockchain, smart contract security, and software security.
He received the B.A. degree from the Department of Police Administration, Dongguk University, Seoul, Korea, in 2012, and M.A. and Ph.D. degrees from the Department of Police Administration, Dongguk University, Seoul, Korea, in 2014 and 2017, respectively. He was a research professor at the Development of Smart Community Policing System (Googi) Research Center, Dongguk University, Seoul, Korea. Currently, he is an assistant professor in the Department of Police Science, Seoul Digital University, Seoul, Korea. His research areas include police science, criminal justice, juvenile delinquency, and criminology.
He received the B.S. degree from the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea, in 2004, and M.S. and Ph.D. degrees from the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea, in 2006 and 2009, respectively. He was a research professor in the Department of Brain and Cognitive Engineering, Korea University, Seoul, Korea, from 2015 to 2016. Currently, he is an assistant professor in the Department of Computer Science and Engineering, Dongguk University, Seoul, Korea. His research areas include secure software, programming languages, compiler construction, and mobile/embedded systems.