Cyber Forensics: Representing and Managing Tangible Chain of Custody Using the Linked Data Principles

Hakim Lounis, Moncef Bari, Rafek Nicolas
Tangible Chain of Custody (CoC) in cyber forensics (CF) is a document that accompanies digital evidence. It records all information related to the evidence at each phase of the forensics investigation process so that the evidence can be proven and prosecuted in a court of law. Because digital evidence can easily be altered and thereby lose its value, the CoC plays a vital role in the digital investigation by demonstrating the road map of Who exactly, When, Where, Why, What and How came into contact with the digital evidence. With the advent of the digital age, the tangible CoC document needs to undergo a radical transformation from paper to electronic data (e-CoC). This e-CoC will be readable and consumable by computers. The semantic web is fertile ground for representing and managing the tangible CoC because it uses web principles known as the Linked Data Principles (LDP), which provide useful information in Resource Description Framework (RDF) upon Uniform Resource Identifier (URI) resolution. These principles are used to publish data publicly on the web and provide a standard framework that allows such data to be shared and consumed in a machine-readable format. This paper provides a framework explaining how these principles are applied to represent chains of custody that are used only by the actors in each forensics process and consumed at the end by the jury in a court of law. The paper also illustrates this idea with an example of the authentication phase, taken from the Kruse forensics process.
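As an added example (not code from the paper), the following Python sketch records each custody event as RDF triples in N-Triples form, one URI per event, answering the Who/When/Where/Why/What/How questions above, and then performs the authentication-phase check by walking the chain backwards and re-hashing the evidence. The `coc#` namespace, the event and evidence URIs, the property names and the evidence bytes are constructed assumptions, not a vocabulary from the paper.

```python
import hashlib
import re

# Constructed namespace and sample evidence bytes for this example (not a published vocabulary).
COC = "http://example.org/coc#"
EVIDENCE = b"constructed sample disk-image bytes"

def literal(value):
    """Escape a string as an N-Triples literal."""
    s = str(value).replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{s}"'

def custody_event(event_id, evidence_uri, data, prev=None, **facts):
    """One custody event as N-Triples: Who/When/Where/Why/What/How, SHA-256, link to predecessor."""
    ev = f"<{COC}event/{event_id}>"
    triples = [(ev, f"<{COC}evidence>", f"<{evidence_uri}>"),
               (ev, f"<{COC}sha256>", literal(hashlib.sha256(data).hexdigest()))]
    for key in ("who", "when", "where", "why", "what", "how"):
        triples.append((ev, f"<{COC}{key}>", literal(facts[key])))
    if prev is not None:
        triples.append((ev, f"<{COC}previousEvent>", f"<{COC}event/{prev}>"))
    return "".join(f"{s} {p} {o} .\n" for s, p, o in triples)

TRIPLE = re.compile(r'^(<[^>]+>) (<[^>]+>) (<[^>]+>|"(?:[^"\\]|\\.)*") \.$')
def parse(ntriples):
    """Parse N-Triples text into {subject: {predicate: object}}; a malformed line raises."""
    graph = {}
    for line in ntriples.splitlines():
        s, p, o = TRIPLE.match(line).groups()
        graph.setdefault(s, {})[p] = o
    return graph

def verify_chain(ntriples, last_event_id, data):
    """Authentication check: every recorded SHA-256 must match the evidence now; returns ids in order."""
    graph, order = parse(ntriples), []
    expected = literal(hashlib.sha256(data).hexdigest())
    node = f"<{COC}event/{last_event_id}>"
    while node is not None:
        facts = graph[node]
        if facts[f"<{COC}sha256>"] != expected:
            raise ValueError(f"{node}: recorded hash does not match the evidence")
        order.append(node[len(COC) + 7:-1])  # strip "<{COC}event/" and ">"
        node = facts.get(f"<{COC}previousEvent>")
    return order[::-1]

def sample_chain():
    """Constructed chain: seizure by the first responder, then the examiner's authentication step."""
    img = "http://example.org/evidence/image-001"
    return (custody_event("e1", img, EVIDENCE, who="first responder", when="2024-01-05T09:00Z",
                          where="site A", why="seizure", what="disk image", how="write-blocked copy")
            + custody_event("e2", img, EVIDENCE, prev="e1", who="examiner", when="2024-01-06T10:00Z",
                            where="forensics lab", why="authentication", what="disk image", how="SHA-256 re-hash"))
```

Because each event is a resolvable URI, a court-side consumer can fetch one event, follow `previousEvent` links back to the seizure, and detect any link whose recorded hash no longer matches the evidence.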