Forensic evidence storage through blockchains: Scorechain in Cyber-Trust Project

The CYBER-TRUST project aims to develop an innovative cyber-threat intelligence gathering, detection, and mitigation platform, and to perform high-quality interdisciplinary research in key areas, introducing novel concepts and approaches to tackle the big challenges of securing the ecosystem of IoT devices.

Scorechain’s role in this project was to provide a blockchain for partners, both private (for instance, an Internet Service Provider (ISP)) and public (a Law Enforcement Agency (LEA)). One of the responsibilities of this blockchain is to allow partners to safely share information about alleged malicious activity. In this context, “safe” means that information is guaranteed to circulate without any modification from malicious sources. More specifically, the shared information will potentially be used in court. In this way, the blockchain provides a reliable, decentralized and traceable Chain of Custody.

The legal implications of storing electronic evidence on a blockchain, and of its admissibility, raise two questions:

  1. What are the requirements for the lawful collection of electronic evidence and its respective admissibility before a court? 
  2. Is blockchain chain of custody possible? 

As for the first question, given the European aspiration of the project, the document concluded that any tool for the collection of evidentiary material should follow the legal requirements at the EU level and the principles described in the guides on electronic evidence of both ENISA (European Union Agency on Cybersecurity) and the Council of Europe, as well as the national frameworks of the jurisdiction where the evidence is collected and of the jurisdiction where it is going to be used for the criminal proceedings. Regarding the second question, if a blockchain were to be used in the chain of custody, a private solution, supported by the necessary security safeguards, seemed the appropriate one to prioritize.

Given this legal constraint, Scorechain chose Hyperledger Fabric as the framework to build our blockchain. One of the key factors in the adoption of Hyperledger was its newly added private data feature, used to store forensic evidence. This allows data producers to store information on the blockchain without sharing it directly with the other peers of the chain. Instead, a partner has to request access to the data through an on-chain protocol. Thus, an LEA holding a warrant will be able to access information on the blockchain. Moreover, the private data feature comes with Time-To-Live (TTL) capabilities: data producers specify, according to the constraints of their legal jurisdiction, how long the forensic evidence will remain on the blockchain. After that period, no one, not even the producers themselves, will be able to access the data.
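The following is an added example, not Scorechain's code and not Hyperledger Fabric's API: a simplified Python model of the flow described above, in which the payload stays private to granted organisations, expires after a producer-chosen lifetime, and leaves only its hash on the shared ledger. The class name, organisation names, evidence ID and sample payload are assumptions; the lifetime is counted in blocks, and the hash is kept after the purge, as Fabric does for private data.

```python
"""Toy model of the evidence flow; an added illustration, not Hyperledger Fabric's API."""
import hashlib


class Custody:
    def __init__(self, ttl_blocks, granted):
        self.height = 0
        self.ttl = ttl_blocks          # payload lifetime in blocks, set by the producer
        self.granted = set(granted)    # organisations allowed to read payloads
        self.hashes = {}               # on the ledger for every peer, never purged
        self.private = {}              # evidence id -> (payload, purge height)

    def put(self, eid, payload):
        """Keep the payload private; anchor only its SHA-256 on the ledger."""
        self.hashes[eid] = hashlib.sha256(payload).hexdigest()
        self.private[eid] = (payload, self.height + self.ttl)

    def advance(self, blocks):
        """Commit blocks, then purge every payload whose lifetime has elapsed."""
        self.height += blocks
        self.private = {k: v for k, v in self.private.items() if v[1] > self.height}

    def get(self, org, eid):
        """Serve a payload only to a granted organisation, and only before purge."""
        if org not in self.granted:
            raise PermissionError(f"{org} has no access to {eid}")
        if eid not in self.private:
            raise KeyError(f"{eid} purged or unknown")
        return self.private[eid][0]

    def verify(self, eid, copy):
        """Check a copy against the ledger hash; this still works after purge."""
        return self.hashes.get(eid) == hashlib.sha256(copy).hexdigest()


def demo():
    """Constructed scenario: an ISP stores a capture, the LEA reads it, the TTL elapses."""
    c = Custody(ttl_blocks=3, granted={"ISP", "LEA"})   # org names are assumptions
    sample = b"constructed sample: 203.0.113.7 -> 198.51.100.2:23"
    c.put("ev-1", sample)
    c.advance(1)
    copy = c.get("LEA", "ev-1")          # obtained while the payload still exists
    c.advance(2)                         # height 3 == purge height: payload removed
    purged = "ev-1" not in c.private
    return purged, c.verify("ev-1", copy), c.verify("ev-1", copy + b"!")


if __name__ == "__main__":
    print(demo())
```

The copy the LEA obtained before expiry still verifies against the ledger hash after the purge, while a modified copy does not, which is the property a chain of custody needs once the original is gone.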

To conclude, the Cyber-Trust platform relies on a blockchain protocol to provide a decentralized yet legally compliant chain-of-custody mechanism for sharing evidence.