Research and Technology - Forensic Science Communications - October 2004
October 2004 - Volume 6 - Number 4
Research and Technology
Information Assurance Applied to Authentication of Digital Evidence
Thomas E. Duerr
Senior System Engineer
Northrop Grumman Space Technology
Nicholas D. Beser
Assistant Supervisor, Knowledge Discovery Section
Johns Hopkins University
Applied Physics Laboratory
Gregory P. Staisiunas
U.S. Postal Inspection Service
Forensic and Technical Services Division
Authentication of Evidence | Information-Assurance Services
Information Assurance Applied to Digital Evidence | Digital Video Evidence System
Generalized Information-Assurance Solution | Daubert Compliance | Conclusions
References | Appendix A | Appendix B | Acknowledgements
Authentication of Evidence
Authentication is the process by which the reliability of evidence is established. The party leading the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven. That is accomplished using standardized evidence-handling procedures and chain-of-custody records and relies primarily on physical security measures.
Digital evidence offers new challenges for authentication and, at the same time, new opportunities to significantly strengthen the proofs of reliability. It has been argued that digital images may require that special care be given to document the collection and analysis procedures and chain of custody to ensure admissibility (Berg 2000). Those concerns can be extrapolated to digital evidence of all forms. As binary data on (usually) magnetic media, digital evidence is potentially more susceptible to postcollection alteration, or the accusation thereof by a defense attorney, than is analog evidence. To offset that vulnerability, digital evidence is also amenable to the many information-assurance methods that have been developed for Internet applications and electronic commerce. This paper explores the potential for applying information assurance to authentication of digital evidence in general and discusses a prototype application to digital video in particular.
The purpose of this paper is to stimulate dialog on the utility and requirements for information-assurance enhancements to current evidence-handling and chain-of-custody documentation procedures.
The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state-of-practice in the U.S. Department of Defense, federal government, and industry information-assurance community. It describes the following five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and nonrepudiation. Those five somewhat interdependent services are summarized here.
Access control is comprised of measures that prevent unauthorized user access to networked hardware, software, and data. It is accomplished by four functions:
- Identification and authentication determines the identity of a person who seeks access to a resource or data. Information-assurance terminology uses authentication in the sense of the reliability of identity credentials, which is similar to but more specialized than evidentiary usage.
- Authorization determines the access rights of a person (or process) given a valid identity.
- Decision determines whether a person's access rights are sufficient for the access requested and grants or denies access accordingly.
- Enforcement imposes the access-control decision.
Access control, as described in the Information Assurance Technical Framework, does not include physical security.
The confidentiality security service is defined as the protection of data from unauthorized disclosure. The data may be in storage or in transmission. This overlaps with access control but is sufficiently important to the information-assurance community to merit separate treatment in the Information Assurance Technical Framework.
The integrity security service includes any or all of the following: protecting data from modifications, detecting modifications, and recording modifications. Identification and authentication is an essential aspect of integrity as observed in the Information Assurance Technical Framework.
Note that integrity protection is of no value unless it is combined with a mechanism that provides authentication of the source. Without source authentication, anyone could tamper with the original data and then just reapply an integrity mechanism.
Availability is concerned with ensuring that network data and services are provided to users with a specified quality of service, when the network is subject to normal loads, failures, and outright attacks.
Nonrepudiation services provide proofs that participating parties were involved in a communication (e.g., an electronic commerce exchange). The objective is to render it infeasible for a person to deny having had access to information or information-processing resources or engaging in specific activities with regard to said information and resources.
Information Assurance Applied to Digital Evidence
The confidentiality and availability services have no apparent bearing on authentication of digital evidence. Confidentiality does not apply because all evidence must be disclosed during discovery, whereas availability is primarily a network issue. Those services will not be discussed further.
The physical security implicit in normal evidence-handling procedures provides a significant measure of access control. The information-assurance version of access control would serve to enhance that in some situations. For example, when some medium containing original digital evidence is connected to a computer for copying or analysis, information-assurance considerations would include the following:
- Is that computer connected to a local area network?
- Who has access to the local network?
- Is everyone with access to the local network authorized to access the evidence?
- How is the local network protected from other networks?
- Who has access to the computer during duty and off-duty hours?
- Is the computer free from unauthorized applications?
- Are all access attempts automatically logged?
- How are access restrictions enforced?
Those and potentially other questions are highly relevant to establishing a complete picture of access control for the evidence and should be addressed in the evidence-handling procedures.
The information-assurance service most clearly relevant to the authentication of digital evidence is integrity. The Information Assurance Technical Framework discussion on data integrity is of central importance. The relevant section is reproduced as Appendix A to this paper. By implementing the means to reliably detect modifications to digital evidence by an integrity service, it will be possible to prove that no modifications were made.
The integrity implementation selected will depend on technical and operational factors. On the technical side, the storage media, data format, and data-extraction methods will be drivers. Computer hard drives, digital video tapes, and optical disks will present different challenges and requirements. The concept of operations will have a significant influence over implementation methods. Stake-outs, unattended covert surveillance, and seized evidence all present different operational needs. Generally, it is desirable to ensure the integrity of the data as close to the source format and as near to the time and place of collection as feasible. Identification of the user who collects the evidence and generates the integrity data should be integral to the solution. In no case should the integrity process modify the original data in any way because that would defeat the objective of the integrity service.
The nonrepudiation service could be applied to bolster chain-of-custody record keeping. Although investigators and forensic analysts obviously have no use for such a service, insofar as they are not likely to deny that they collected a piece of evidence or generated an analysis, it is equally obvious that someone attempting to alter evidence would seek to conceal their identity. Therefore from the perspective of evidence authentication, it is important to be able to prove who handled a piece of evidence and when they did so. Nonrepudiation works together with access control to prevent unauthorized access to evidence and maintain an audit trail of successful and unsuccessful access attempts.
To put these generalities in context, the next section describes a system that addresses access control, integrity, and nonrepudiation for a particular application.
Digital Video Evidence System
A prototype system is currently under development for the U.S. Postal Inspection Service that applies information-assurance methods to authenticate digital video (Beser et al. 2003). The following describes how the information-assurance services discussed above are manifested in a digital video evidence system.
The U.S. Postal Inspection Service desires to preempt any challenge to the admissibility of digital video evidence collected during surveillance operations, where such a challenge might be made on the grounds that digital video can be easily edited. The developmental system addresses access control, integrity, and nonrepudiation through the application of digital signatures in a government off-the-shelf public key infrastructure.
The components of the overall system are shown in Figure 1. Consider a collection-to-court sequence of events for a specimen of digital video evidence. Beginning on the lower left of the figure, a postal inspector reports to the public key infrastructure local registration authority and is given a security token (e.g., a smart card). The token is initialized with a cryptographic key pair and an identity certificate. The identity certificate is an electronic document containing the inspector's name, date and time, and the public key of the key pair. The local registration authority serves as witness to the identity of the inspector and key-generation process. The identity certificate is digitally signed by the public key infrastructure certificate authority. The identity certificate constitutes the inspector's electronic credentials that others can trust because of the certificate authority signature. This certificate-generation process is expected to take a few minutes for an inspector who has been preregistered. Registration with the public key infrastructure serves as access control because only authorized users will be able to register. Public key infrastructures have been described in more detail elsewhere (Lyons-Burke 2000) and will not be discussed further here.
The key pair enables the inspector to generate digital signatures on the security token using the private key of the pair, whereas the public key will enable anyone to verify those signatures. Refer to Appendix B for a description of digital signatures and the roles of public and private keys.
Figure 1. Digital Video Evidence System
Next, the inspector takes the security token, a digital camcorder, and the special-purpose digital video authenticator to the field to collect evidence. This step is illustrated on the lower right. The digital video authenticator is depicted as a laptop, which was used for the proof-of-principle prototype. A picture of the prototype is shown in Figure 2. The field prototype, currently under development, will be a smaller form factor. The digital video authenticator is connected to the camcorder by the IEEE-1394 Firewire interface. The inspector turns on the unit, which will wait for the user to connect a security token and enter a personal identification number to access the token. It will not operate without an inserted token. This feature provides for nonrepudiation for subsequent steps.
Figure 2. Proof-of-Principle Digital Video Authenticator with Camcorder
After the token handshake, the digital video authenticator generates another cryptographic key pair. The private key of this pair is used in the unit to generate digital signatures for the digital video. The public key is concatenated with optional, user-supplied session information and is digitally signed by the security token to produce an integrity certificate. Both the identity certificate and integrity certificate are written to removable media in the digital video authenticator. The integrity certificate provides for nonrepudiation regarding the identity of the inspector who generated the associated keys.
During video taping, the digital video authenticator receives the compressed video data stream (Society of Motion Picture and Television Engineers 1999) from the camcorder over the Firewire simultaneously as the camcorder records. The authenticator delineates the stream into frames and then further parses the frames into segments for video, audio, and control data. Each segment is digitally signed in a pipeline process that matches the 30-frames-per-second throughput of the camcorder. Those signatures are the core data used in subsequent analysis to verify the integrity of the video.
After the recording session, the inspector terminates digital video authenticator operation. The unit automatically destroys the private key used for signing the video. Destruction of that critical private key is a strong form of access control. The key existed only during a single recording session while it was in custody of a known user. No further signatures can be generated that are compatible with the public key in the integrity certificate.
The collected video, identity and integrity certificates, and digital signatures are submitted to the evidence storage facility in accordance with standard operating procedures. Working copies can be made as needed. An option to be exercised by the U.S. Postal Inspection Service is to return to the local registration authority, surrender the security token, and destroy the key pair resident on that device. The intent is to alleviate the need for the inspector to carry a security token at all times. One advantage of keeping the token is that the inspector would not need to complete the token initialization step every time digital signatures were to be generated.
The fourth step in the digital video evidence system in Figure 1 is to verify the integrity of any video clip of evidentiary interest. This might be done routinely or only when a clip is challenged. In any event, the digital video certificates and signatures and public key from the public key infrastructure certificate authority will be provided to the analyst. That analyst will use software tools to be provided in a digital video verification workstation to assess the integrity of the video clip.
Integrity verification is a multipart process. The analyst must first establish the validity of the various public keys involved. That is accomplished by the chaining of certificates. The public key from the public key infrastructure certificate authority, which is trusted and independently verifiable, is used to verify the inspector's identity certificate. The public key from the inspector's identity certificate is used to verify the integrity certificate. The public key from the integrity certificate is used with the digital signatures to verify the audio, video, and control portions of each frame. Therefore, trust in the integrity of each frame segment can be unequivocally traced back to trust in the public key infrastructure, which must meet federal standards for access control, confidentiality, and integrity of its keys.
Once the keys are validated, the analysts will perform an automated, frame-level integrity verification. Not all video frames will pass the integrity verification. Tape defects, recording or playback noise from dirty heads, and variability in error detection and correction capability among playback equipment will cause frames to fail verification. The analyst may be able to deduce the cause of failure in some cases (e.g., unreadable audio data are replaced by a square-wave output in some systems). Furthermore, the digital video authenticator is a soft real-time system, meaning, it will fail to generate signatures on a fraction of the frames (roughly 1 in 9,700 for the prototype). Those and other factors will be taken into account in a final assessment of authenticity.
The investigative analysis of the evidence will have the advantage of the authenticity report, as indicated in the upper, central portion of Figure 1. The analysts will be confident that they can rely on the admissibility of the video clip or even a specific frame of interest. To be conservative, failed frames can be excluded from consideration for presentation in court.
Generalized Information-Assurance Solution
The information-assurance methods employed for the digital video example may be applied to provide information-assurance services for other digital evidence formats. Generalizations for access control, integrity, and nonrepudiation are discussed below.
Access control can be achieved by a public key infrastructure. It provides for identifying and authenticating authorized users through the user registration process. Identity certificates and associated cryptographic keys are protected using security tokens. The decision and enforcement aspects of access control are performed by analysts who need merely observe whether an identity certificate is valid based on the public key infrastructure certificate authority's public key. Defense expert witnesses will also have access to the identity certificates and public keys, enabling independent validation of authorized users at any time.
Integrity can be ensured through the generation of digital signatures of the original digital evidence in the original format at the time of collection. For the digital video example, that format is compressed DV-25 as recorded on the digital tape, and the time-of-collection requirement is interpreted to mean concurrently with recording and at the video-frame rate. Digital signatures can be handily applied to any formatted data. Unformatted data, or data with an unknown format, can be arbitrarily segmented or protected with a single signature for an entire data file or directory. However, the single-signature option should be avoided because the introduction of a single bit error will render the evidence unverifiable.
Nonrepudiation is accomplished by logging and digitally signing events using the private key corresponding to the identity certificate. All significant events should be signed. In the digital video example, the principal event is the generation of a cryptographic key pair in the digital video authenticator. The generation of a digitally signed integrity certificate serves as the means of nonrepudiation for the creation of that key pair and the subsequent digital signatures for the video. The critical events for each type of digital evidence can be similarly identified. Then the appropriate means to log and sign the events can be incorporated into the authentication system.
The Daubert ruling (Daubert 1993) requires the trial judge to make an assessment of whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue. The ruling provides the following five example considerations to aid the judge in making that assessment:
- Whether the technique can be and has been tested
- Whether the technique has been subjected to peer review and publication
- Known or potential rate of error
- Existence and maintenance of standards controlling the technique
- General acceptance in the relevant scientific community
Digital signatures have not been used to date to authenticate digital evidence in criminal court so are subject to a Daubert challenge.
That fact leads to one primary design principle for authentication systems—strict adherence to existing government and industry standards and accepted practices. The National Institute for Standards and Technology is the national standards-setting body for government and commercial cryptographic algorithms and equipment. Adherence to National Institute of Standards and Technology standards (e.g., Federal Information Processing Standards Publication 140-2) helps ensure that those facets of the system are acceptable to the information-assurance community. Similarly, using unaltered, industry-accepted data formats (e.g., SMPTE Std 314M-1999 for digital video) will facilitate acceptance by the technical community relevant to the evidence. In addition, the resulting system must be extensively tested to establish expected performance and error rates. Preliminary performance results for the digital video example have been reported (Beser et al. 2003).
This paper briefly explored the application of information-assurance practices to the problem of the authentication of digital evidence. Technical feasibility has been demonstrated for the challenging case of digital video. In that example, objective proof of integrity is provided in a realm where evidence is in a lossy, compressed data format stored on magnetic tape. Access control and nonrepudiation reinforce the chain of custody by augmenting the physical security embodied in standard evidence-handling procedures with an additional layer of information security. Those information-assurance methods are equally applicable to other forms of digital evidence. The means are at hand to make the reliability of digital evidence a matter of scientific fact.
Berg, E. C. Legal ramifications of digital imaging in law enforcement, Forensic Science Communications [Online]. (October 2000). Available: www.fbi.gov/hq/lab/fsc/backissu/oct2000/berg.htm.
Beser, N. D., Duerr, T. E., and Staisiunas, G. P. Authentication of digital video evidence, In: SPIE Applications of Digital Image Processing XXVI, San Diego, California, August 3-8, 2003.
Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 US, 579 (1993).
Lyons-Burke, K. Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, National Institute of Standards Special Publication 800-25, October 2000.
National Institute of Standards and Technology. Security Requirements for Cryptographic Modules, Federal Information Processing Standards Publication 140-2, May 25, 2001.
National Security Agency Information Assurance Solutions Technical Directors. Information Assurance Technical Framework, Release 3.1, September 2002.
Society of Motion Picture and Television Engineers. Data Structure for DV-Based Audio, Data and Compressed Video — 25 and 50 Mb/s, SMPTE Std 314M-1999, July 1, 1999.
Appendix A: Excerpted from Information Assurance Technical Framework Release 3.1 (2002)
The integrity security service includes the following methods: prevention of unauthorized modification of data (both stored and communicated), detection and notification of unauthorized modification of data, and recording of all changes to data. Modification of both stored and communicated data may include changes, insertions, deletions, or duplications. Additional potential modifications that may result when data is exposed to communications channels include sequence changes and replay.
The requirements for provision of integrity security services are similar to those for confidentiality and include the location, type, and amount or parts of the data that needs protection.
When integrity is discussed with respect to network security, it is important to consider where in the protocol stack the integrity service is provided. Different implementation (layering) options will provide integrity to data in different protocol layers as well as to data being communicated. Sophisticated integrity schemes are likely to require service from the application using the data.
Note that integrity protection is of no value unless it is combined with a mechanism that provides authentication of the source. Without source authentication, anyone could tamper with the original data and then just reapply an integrity mechanism.
Data integrity can be divided into two types, based on the type of data to be protected. Integrity can be applied to a single data unit (protocol data unit, database element, file, etc.) or to a stream of data units (e.g., all protocol data units exchanged in a connection).
184.108.40.206 Single Unit of Data
Ensuring the integrity of a single data unit requires that the originating (sending) entity calculate an additional data item that is a function of (and bound to) the original data unit. This additional item is then carried along with the data unit. The entity that desires to verify the integrity of this data unit must recalculate the corresponding quantity and compare it with the transferred value. A failure of the two to match indicates that the data unit has been modified in transit.
Methods for calculating this data item, which is a function of the original data unit (the check value), vary in the processing required and the services provided. Checksums, cyclic redundancy check (CRC) values, and hashes (also known as a message digest) all meet the requirement that they depend on the entire content of the original data unit. A weakness of this method is that, if an adversary modifies the original data, these functions are easily reproducible and allow the adversary to generate a proper value for the modified data thereby defeating the integrity service. An additional mechanism can be applied to prevent access to the check value (e.g., encryption or digital signatures) to overcome this problem.
Another method of preventing successful modification of the check value is to include a secret value along with the original data unit. This property is exhibited by message authentication codes (also known as message integrity check and keyed hashes).
The icheck [sic] value alone will not protect against an attack that replays a single data unit. A time stamp may be included along with the original data unit to provide limited protection against replay.
220.127.116.11 Sequence of Data Units
To protect the integrity of a sequence of data units (i.e., protect against reordering, losing, replaying and inserting, or modifying data), some type of ordering information must be provided in the communications protocol. Examples of ordering information are sequence numbers and time stamps. Integrity of sequences can also be provided by encrypting the sequence of data units using a cryptographic algorithm in which encryption of each sequence depends on the encryption of all previous sequences (also referred to as chaining).
Appendix B: Digital Signatures
Digital signatures as used in this paper are based on asymmetric cryptography. For asymmetric cryptography, the cryptographic keys are generated in pairs, where the individual keys are referred to as the public key and private key. In any given information exchange, one of the keys is used to encrypt a message to generate a cipher, and the other is used to decrypt the cipher to recover the message. Although either key may be used for either role, neither key can both encrypt the message and decrypt the resulting cipher. Typically, the private key is held as a secret key by a user, and the public key is disseminated without restriction.
The digital signature generation process is outlined in Figure B-1. First a binary message, such as a segment of a digital-video frame, is input to a one-way secure hash function. That hash generates a fixed-length bit string, or digest, that has two important properties-the original message cannot be derived from the digest, and the probability of two different messages producing the same digest (or probability of collision) is remote. For example, a 128-bit digest provides a probability of collision of 2-64, or about 10-19. Applied to the authentication problem, this means that the probability that digitally signed evidence can be modified and yield the same digest as the original evidence is approximately 10-19. Conversely, the probability of detecting a modification where digital signatures are used as an integrity check is 1–10-19, or 0.99... out to 19 decimal places.
Figure B-1. Digital-Signature Process
Next, the digest is encrypted using a private cryptographic key. The encrypted digest constitutes the digital signature of the input message. The encryption step ensures that in the event of tampering, a modified digest cannot be computed and substituted along with the modified evidence. Clearly, maintaining the secrecy of that key is critical to a successful digital-signature implementation. That involves stringent access-control mechanisms in the device used to generate the signatures.
The integrity-verification process is outlined in Figure B-2. The message is again subjected to the hash to obtain a digest. The recorded digital signature is decrypted using the public key of the key pair, and the decrypted digest is compared to the newly computed digest. If there is any modification to the message, the newly computed digest will differ from the decrypted one. If the signature has been modified, the digest will not successfully decrypt using the public key, and the digests will not match. The output of the process is a pass or fail decision regarding the integrity of the inputs.
Figure B-2. Integrity-Verification Process
The work supporting the writing of this paper is funded by the Investigative Support and Forensics Subgroup of the Technical Support Working Group.