Blockchain-Based Digital Forensics Investigation Framework In The Internet Of Things System

Yaprak Kurtlutepe
7 min read · Jun 3, 2021

Numerous definitions have been used to conceptualize and define Blockchain and cryptocurrencies. The online Merriam-Webster dictionary quotes a definition of Blockchain from Iansiti and Lakhani (2017): “The technology at the heart of bitcoin and other virtual currencies, Blockchain is an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The ledger itself can also be programmed to trigger transactions automatically.”

The concept of Blockchain first appeared in October 2008 as part of a proposal for Bitcoin that intended to create P2P money without third parties like banks. The sentence that was in the first lines of the proposal read as follows:

“Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments… What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party…”[1]

The author of this proposal, Satoshi Nakamoto, published the idea of “Bitcoin” as a computer program they hoped would one day produce the modern world’s first thriving non-national currency. In their proposal, Nakamoto explained Bitcoin, a type of cryptocurrency, as a medium of exchange similar to the US dollar, the Euro, or other currencies. Unlike physical currencies, a cryptocurrency is digital and uses cryptological methods to control the creation of monetary units and verify the transfer of funds.[2] The ideas behind Bitcoin are assumed to date back to the early 1990s, when the union of technological development and anti-government political philosophy first appeared in some communities. In 1992, for example, a momentous event took place when a retired Intel physicist, Timothy May, invited a group of friends to discuss privacy issues in light of emerging developments on the Internet.

The outcome of this discussion was a concern that governments around the world would increasingly act to restrict access to the cryptology used to protect digital messages and information. May and his friends perceived cryptology as a positive development that could lead to a loosening of state control. It has become accepted that cryptological methods will fundamentally change business and government intervention in economic transactions.[3]

Nakamoto’s proposal provided a brand-new alternative to centralized data storage and information management in the context of privacy and security. Every node in the network holds an identical copy of the ledger of transactions, which acts as the single point of reference. To provide the network’s security, data is stored on a P2P (peer-to-peer) network, which eliminates the problems arising from the vulnerability of centralized servers, while various cryptographic methods protect the records.

Peer To Peer Network (P2P)

The definition of a P2P network changes depending on the industry in which it is used. In the financial sector, for example, a P2P network is a distributed network that enables peers to exchange digital assets such as cryptocurrencies. This architecture allows peers, sellers, and buyers to buy or sell without a mediator.

Blockchain technology is a distributed ledger system. It can store linked transactions in the form of a decentralized database on the P2P network. Accordingly, there are no other parties in this network except the users who perform transactions. Data is stored in time-stamped blocks linked in a chain, creating a perpetual audit trail that is publicly visible and validated by consensus-based proof of trust.

Digital Forensic View To Cryptocurrencies

Digital forensics uncovers and examines evidence located on all electronic things with digital storage, including computers, mobile phones, and networks.[4] It is a field that encompasses the essential elements of information security and information assurance. These disciplines are needed to investigate a criminal attack, to conduct a criminal investigation, and to validate forensic methods so that their results can serve as evidence. Digital forensics brings together information and communication technologies (ICT) and law, both substantive and procedural.

The Internet of Things (IoT) is a system of interconnected devices or objects that are tagged with unique identifiers. They can transmit data over a network without human or computer interaction.

New technologies, developing day by day, make our lives easier. However, where a vast number of devices are connected to the Internet, new technologies make it easier and more accessible for cybercriminals to carry out their activities in an IoT environment. The role of evidence in the IoT environment is vital to guarantee continuous integrity, traceability, and auditability. Digital forensics has some challenges in the field of IoT. These can be considered under three points:[5]

  1. Defining a digital forensics framework that can meet the new challenges of the new environment,
  2. Providing guarantees of the reliability, availability, and recovery of dynamic digital evidence in the IoT environment,
  3. Privacy and security regulations, such as compliance with the General Data Protection Regulation (GDPR).

The application of cryptology methods in digital forensics provides preservation of digital integrity and repeatability by creating a digital fingerprint (hash digest) for a digital asset to prevent changes in the record of transactions in the ledger. Blockchain technology can provide forensic applications that offer significant advantages for digital forensic investigation procedures. In particular, Blockchain can increase transparency at every investigation stage. For example, it can provide practical applications in the early stage of the investigation to precisely define data sources, reduce data storage, and increase the efficiency of operational analysis to reduce costs.[5]

In addition to the use of cryptocurrencies, there is also a mining dimension. The first miner to prove the transaction through their computing power in this process is rewarded with cryptocurrency. In this context, there are two significant risks in cryptocurrency mining: running mining software on hardware in an organization’s network can lead to the following.[6]

  1. The mining process can be compromised by malware.
  2. The hosting organization pays for the energy spent on mining, but the recipient of the reward could be a malicious actor.

The malicious actor may cause increased power bills, depleted resources, compromised workflows, services, and other users.

Blockchain Investigation In Digital Forensic Context

First of all, the required key properties in the chain of digital forensics evidence are immutability and auditability; therefore, Blockchain technology should provide these characteristics.

Thanks to a decentralized ledger system, a piece of evidence can be traced back to its sources and to related objects of evidence. This is beneficial where there are many sources of evidence and many activities, as occurs in many investigation scenarios.

Another essential aspect is continuous integrity. One of the fundamental concepts in a digital investigation is the continuous integrity, value, and ownership of evidence. There may be cases resulting from data breaches, and in such cases it should not be ignored that many IoT devices are connected to each other. In forensics, hash functions such as SHA-1 and SHA-256 are often used to ensure the integrity of individual pieces of evidence. However, the chain of evidence currently lacks a continuous integrity checking or validation mechanism.

Once evidence is collected, it is added to the blockchain, which guarantees the exact provenance of each piece of evidence and provides a tamper-proof environment. Accordingly, all participants share all the evidence. The evidence report has critical implications for criminal justice, so every piece of evidence should be made available in a way that ensures complete provenance. For example, in a digital forensic examination, an examiner must specify, for each piece of evidence, the exact location where all of its sources intersect. If these conditions are met, an independent examiner must be able to find that piece of evidence. This approach yields full provenance.
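The two requirements above, a per-item hash digest and a continuous, verifiable link between custody events, can be illustrated with a minimal hash-linked evidence ledger. The following is an added example written for this post; it is not code from the cited framework, and all evidence identifiers, sources and examiner names in it are constructed. Each entry fingerprints the evidence content with SHA-256 and also commits to the hash of the previous entry, so altering any earlier record breaks every later link, and the full custody history of one item can be read back from the chain.

```python
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Digital fingerprint (hash digest) of a byte string."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceEntry:
    index: int
    evidence_id: str      # identifier of the evidence item (constructed values in tests)
    source: str           # where the item was collected (IoT device, host, ...)
    actor: str            # examiner who performed this custody event
    action: str           # "collected", "imaged", "transferred", ...
    evidence_hash: str    # SHA-256 of the evidence content itself
    timestamp: float
    prev_hash: str        # hash of the previous ledger entry (the chain link)
    entry_hash: str = ""  # hash of this entry, computed over all other fields

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        # Canonical JSON so every verifier hashes exactly the same bytes.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(canonical)


class EvidenceLedger:
    GENESIS_HASH = "0" * 64

    def __init__(self) -> None:
        self.entries: List[EvidenceEntry] = []

    def append(self, evidence_id: str, source: str, actor: str, action: str,
               content: bytes, timestamp: Optional[float] = None) -> EvidenceEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS_HASH
        entry = EvidenceEntry(
            index=len(self.entries), evidence_id=evidence_id, source=source,
            actor=actor, action=action, evidence_hash=sha256_hex(content),
            timestamp=timestamp if timestamp is not None else time.time(),
            prev_hash=prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Continuous integrity check: (ok, index of the first broken entry)."""
        prev = self.GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False, e.index
            prev = e.entry_hash
        return True, None

    def provenance(self, evidence_id: str) -> List[EvidenceEntry]:
        """Every custody event recorded for one item, oldest first."""
        return [e for e in self.entries if e.evidence_id == evidence_id]

    def content_matches(self, evidence_id: str, content: bytes) -> bool:
        """Does a presented copy still match the fingerprint recorded at collection?"""
        history = self.provenance(evidence_id)
        return bool(history) and history[0].evidence_hash == sha256_hex(content)


if __name__ == "__main__":
    ledger = EvidenceLedger()
    ledger.append("EV-001", "camera-01", "alice", "collected", b"constructed image bytes")
    ledger.append("EV-001", "camera-01", "bob", "imaged", b"constructed image bytes")
    print("ledger valid:", ledger.verify())
    ledger.entries[0].actor = "mallory"          # simulate tampering with history
    print("after tampering:", ledger.verify())
```

In a real deployment the ledger would be replicated across the participants described above rather than held in one process, and the hash of each block would additionally be signed by the examiner; the point here is that a verifier needs only the chain itself to detect a rewritten custody record.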

In line with these investigation requirements, some approaches detect cryptocurrency miners and, through them, malicious actors.[6]

Traffic monitoring is an analysis method for ensuring the network’s security, used by network and security administrators to detect possible incidents. Incidents may affect the functionality, accessibility, and availability of the network. Employing both passive and active traffic monitoring gives a broad perspective for detecting malicious actors: passive monitoring analyzes IP flow records, while active monitoring is based on probing. The detection method gradually learns a list of mining servers, which reduces the need for active monitoring. Anyone can set up their own mining pool or mining server, so it is unlikely that any list of publicly known mining servers is complete; nevertheless, any network operator can use such a list as a basis for miner detection.[6]

The other approach is a catalogue of mining pools. A publicly available website containing metadata about existing mining pools gives users a system they can query to check whether a given FQDN, IP address, or port number is part of a known pool configuration.
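The two approaches above, passive flow-record matching that gradually learns mining servers and a queryable catalogue of pool endpoints, fit together naturally, and the following added example shows one way to combine them. It is written for this post and is not code from the cited paper; every pool name, FQDN, IP address (TEST-NET ranges) and flow record in it is constructed. The catalogue answers “is this FQDN / IP / port part of a known pool configuration?”, and the detector consumes flow records passively, flags destinations already known, queues unknown destinations on catalogued ports for active probing, and learns confirmed servers so that later flows to them need no probe.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PoolEndpoint:
    pool: str
    fqdn: str
    ip: str
    port: int


# Constructed catalogue; none of these pools or addresses are real.
CATALOGUE: List[PoolEndpoint] = [
    PoolEndpoint("examplepool", "stratum.examplepool.test", "192.0.2.10", 3333),
    PoolEndpoint("examplepool", "stratum.examplepool.test", "192.0.2.11", 3333),
    PoolEndpoint("otherpool", "pool.otherpool.test", "198.51.100.5", 4444),
]


class PoolCatalogue:
    """Metadata about known mining pools, queryable by FQDN, IP and/or port."""

    def __init__(self, endpoints: List[PoolEndpoint]) -> None:
        self.endpoints = list(endpoints)
        self.known_ips: Set[str] = {ep.ip for ep in endpoints}
        self.known_ports: Set[int] = {ep.port for ep in endpoints}

    def query(self, fqdn: Optional[str] = None, ip: Optional[str] = None,
              port: Optional[int] = None) -> List[PoolEndpoint]:
        """Return every endpoint matching all of the supplied fields."""
        return [ep for ep in self.endpoints
                if (fqdn is None or ep.fqdn == fqdn)
                and (ip is None or ep.ip == ip)
                and (port is None or ep.port == port)]


@dataclass(frozen=True)
class FlowRecord:
    """One IP flow record as exported by a passive probe (constructed in tests)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int
    duration_s: float


class MinerDetector:
    def __init__(self, catalogue: PoolCatalogue) -> None:
        self.catalogue = catalogue
        self.learned: Set[str] = set(catalogue.known_ips)  # mining servers known so far
        self.pending: Set[str] = set()                      # destinations awaiting an active probe

    def inspect(self, flow: FlowRecord) -> str:
        """Passive step: classify one flow as 'mining', 'candidate' or 'benign'."""
        if flow.dst_ip in self.learned:
            return "mining"
        if flow.proto == "tcp" and flow.dst_port in self.catalogue.known_ports:
            # Unknown server on a port used by catalogued pools: worth probing actively.
            self.pending.add(flow.dst_ip)
            return "candidate"
        return "benign"

    def confirm(self, ip: str, is_mining_server: bool) -> None:
        """Feed back an active-probe result; confirmed servers are learned permanently."""
        self.pending.discard(ip)
        if is_mining_server:
            self.learned.add(ip)

    def summarize(self, flows: List[FlowRecord]) -> Dict[str, str]:
        """Map each internal source host to its strongest verdict over all its flows."""
        rank = {"benign": 0, "candidate": 1, "mining": 2}
        verdicts: Dict[str, str] = {}
        for flow in flows:
            v = self.inspect(flow)
            if rank[v] > rank.get(verdicts.get(flow.src_ip, "benign"), 0):
                verdicts[flow.src_ip] = v
            verdicts.setdefault(flow.src_ip, v)
        return verdicts


if __name__ == "__main__":
    detector = MinerDetector(PoolCatalogue(CATALOGUE))
    sample = [  # constructed flow records
        FlowRecord("10.0.0.5", "192.0.2.10", 3333, "tcp", 12000, 600.0),
        FlowRecord("10.0.0.6", "203.0.113.7", 3333, "tcp", 8000, 300.0),
        FlowRecord("10.0.0.7", "203.0.113.8", 443, "tcp", 500, 1.0),
    ]
    print(detector.summarize(sample))
    detector.confirm("203.0.113.7", True)   # pretend the active probe confirmed a pool
    print(detector.summarize(sample))
```

The first summary marks 10.0.0.5 as mining and 10.0.0.6 only as a candidate; once the probe result for 203.0.113.7 is fed back, the same flows classify 10.0.0.6 as mining without any further active monitoring, which is the “gradually learns” behaviour the post describes.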

Conclusion

The core capabilities of the IoT are having a tremendous impact on digital forensics. The near-ubiquitous availability of these devices increases the volume, sources, and variety of potential evidence. In the event of an incident, this situation makes it more difficult to decide who is responsible and who is to blame. To avoid this confusion and create a more secure environment, using both approaches is an important step that can be taken on behalf of digital forensics.

REFERENCES

[1] Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.

[2] A Review of Digital Forensics Framework for Blockchain in Cryptocurrency Technology. (n.d.).

[3] Wenker, N. (n.d.). Online Currencies, Real-World Chaos: The Struggle to Regulate the Rise of Bitcoin.

[4] Garfinkel, S. L. (2013). Digital forensics. American Scientist, 101(5), 370–377.

[5] Li, S., Qin, T., & Min, G. (2019). Blockchain-Based Digital Forensics Investigation Framework in the Internet of Things and Social Systems. IEEE Transactions on Computational Social Systems, 6(6), 1433–1441.

[6] Veselý, V., & Žádník, M. (2019). How to detect cryptocurrency miners? By traffic forensics! Digital Investigation, 31, 100884.
