Our BCCS Cluster member Sec-Consult Group shares insights of how to use Blockchain technology in digital forensics.
SEC Consult has been observing the development and application possibilities of blockchain technologies for some time. These technologies could also be used in individual areas of security consulting. Within the scope of a recent research project, possible scenarios for the preservation of evidence after cyberattacks were examined in more detail.
Why use blockchain in forensics?
The SEC Consult SEC Defense team uses various forensic tools to analyze cyber incidents. With more and more analyses done, the challenge arises that the results can also be used as evidence in court. An important part of these activities is the secure copying of data images, also called forensic imaging. Forensic imaging is carried out using so-called write blockers. There are different types of hardware write block devices that support different types of storage media such as SATA, SAS, IDE USB, memory cards and others.
The process itself is done using imaging software. This software reads the source image through the write blocker onto a target device. At the same time, it also calculates a digital fingerprint, typically using a recognized hash signature. The digital fingerprint can be saved on any data medium in any format and is, therefore, theoretically changeable. This means that images could be manipulated afterward, and the stored fingerprint could be swapped for a new one.
Proof Of Existence
To make a data record usable as evidence in court, it is necessary to prove that this data was available in a certain form at a certain time and has not been changed since then. This is particularly important to prevent deliberate falsification of evidence. To analyze and solve a cyber incident, data records must be processed accordingly. This means that the status of the data to be investigated must be recorded BEFORE processing the evidence in the first place.
By means of notarization (also called proof of existence), this can be ensured: When a notarization is created, a unique fingerprint (the so-called hash value) of the file is calculated and, together with a timestamp, is unalterably logged in a blockchain. To later verify that the document in question already existed at a time claimed or was not been changed, the data is retrieved from the blockchain and compared with the information available.
ForensicForever – a prototype
As part of the SEC Consult research project, the prototype of the tool ForensicForever has now been developed enabling blockchain-based notarization of data used as input data in forensic analyses. ForensicForever can also be used to log any other files created during the processing of a cyber incident (e.g. reports in PDF format) in the blockchain. If the necessary hash signature is already available, it can be transferred directly.
Moreover, it is possible to generate such a signature in the course of the notarization with the help of the tool. After the successful creation of a notarization, it is possible to generate a certificate in PDF form which summarizes the information. The certificate can be seen as a human-readable representation and can make the verification process more convenient.
The results after the first tests with the prototype are very promising, which is why SEC Consult will continue to advance the research work in this field.