Introduction

Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE) incidents involve collecting and transporting samples for accurate identification, necessitating interactions among multiple stakeholders [1]. The integrity of the chain of custody must be maintained, and all actions must be documented to enable information flow auditing, especially at Custody Transfer Points (CTPs) where stakeholders exchange sample custodianship. Paper-based forms are still used for this purpose, which highlights the need for a digitalised approach to the chain of custody process [2]. Implementing a digital chain of custody (dCoC) strategy ensures traceability and security throughout the entire process, from collection to disposal. However, the management of dCoC for collected samples lacks standardisation, leading to inconsistencies among stakeholders within and across EU member states. To ensure evidence consistency and admissibility in court, a standardised dCoC process must be established across EU member states.

A literature survey was conducted to analyse the guidelines of existing standards for the chain of custody framework, aiming to identify standardisation gaps and opportunities related to non-repudiation of custodianship throughout the chain. Afterwards, an Experts by Experience Group (EEG) was set up to contribute to developing and standardising the dCoC process. The EEG was open to experts from entities that play significant roles in CBRNE incident response and management, such as those from the following sectors:

  • First Responders:

    • Firefighters and Hazardous Materials (HazMat) teams responding to CBRNE incidents.

    • Emergency Medical Services (EMS) personnel providing medical assistance in CBRNE scenarios.

    • Law enforcement officers involved in securing the scene and assisting in evidence collection.

  • Crisis Management Agencies:

    • National and regional crisis management centres responsible for coordinating responses to CBRNE incidents.

    • Government agencies overseeing and supporting disaster management and emergency response efforts, such as environmental, meteorological, health, etc.

    • Civil protection and emergency response teams at various levels of government.

  • Other stakeholders:

    • Military units involved in CBRNE incident response and management, such as intelligence, reconnaissance, sampling and decontamination teams.

    • Non-governmental organisations focused on disaster relief and humanitarian assistance, especially in CBRNE scenarios.

    • Environmental organisations involved in monitoring and addressing CBRNE-related environmental risks.

    • Human rights organisations concerned with the impact of CBRNE incidents on vulnerable populations.

During the survey, intermediate actions included creating a web-based prototype in co-creation with the EEG to demonstrate a possible practical application of a dCoC in plausible scenarios where the collection of samples is required. These co-creation sessions enabled end users to contribute to identifying rules for authenticity, integrity and relevant metadata considerations.

Table 1.1 summarises the survey, classifying the achievements into three categories. Existing standards do not address the challenges of metadata standardisation for digitally monitoring the custodianship of CBRNE evidence items, which underlines the need for a consistent methodology for designing, implementing and managing the dCoC process.

Table 1.1 Overview of existing standards

Starting with and based on this literature survey and the EEG input, the following Technical Specifications (TS) were developed:

  • Digital Chain of Custody for CBRNE Evidence—Part 1: Overview and Concepts.

  • Digital Chain of Custody for CBRNE Evidence—Part 2: Data Governance and Audit.

These TS offer guidelines to establish rules for implementing Custody Transfer Point (CTP) actions, ensuring the chain of evidence’s integrity in administrative, disciplinary and judicial proceedings. Part 1 provides an overview of the data governance workflow for automating digital custody transfers in the chain of custody for CBRNE digital evidence items. Part 2 offers formal guidelines, using Business Process Model and Notation (BPMN) to implement the specified processes, ensuring a proper understanding of the requirements for auditing the digital custody metadata (DCM) and its admissibility in court [9].

The paper discusses results obtained in the STRATEGY project (N° 883520), specifically the results targeting potential standardisation aspects related to the CBRNE context. These aspects involve business scenarios, presented as high-level descriptions from the user’s viewpoint, outlining the features that should be considered while characterising the information workflow and associated data governance for intelligent automation of the dCoC. The paper also highlights the collaboration with CEN/TC 391 in developing the TS.

The Data Governance Process

The primary aim of establishing a standard dCoC process is to ensure the traceability and security of CBRNE evidence items [10, 11], promoting transparency and accountability by documenting all actions in the chain of custodianship [12]. Achieving a unified approach to non-repudiation custodianship requires global agreement on digital custody metadata to maintain the integrity of the dCoC and enable digital evidence auditing [2].

The data governance process should provide clear guidelines for managing and auditing DCM, allowing stakeholders to identify and audit custody ownership of CBRNE digital evidence items throughout the chain of custody [13], particularly in its CTP lifecycles, and detect inconsistencies. Adopting a standardised approach with a well-defined DCM structure makes it possible to uniquely characterise each digital evidence item and effectively track custodians at each CTP [9]. To facilitate this, the CTP data model should include all the necessary metadata to describe the data package’s transfer from stakeholder A to stakeholder B. Figure 1.1 outlines the essential components of the data governance workflow, wherein the Mission Command Team specifies the stakeholders involved in each CTP, along with their corresponding DCM.

Fig. 1.1
A schematic illustrates the dCoC process for CBRN events. The components, in order, are the custody owner, the CTP (what core metadata are required) and the custody receiver.

Custody transfer schema within the dCoC process

The CTP lifecycle serves as a basis for gathering, interpreting, presenting and analysing stakeholder concerns from their respective viewpoints. These viewpoints are instrumental in establishing conventions that facilitate applying informal or tacit experiential knowledge. The goal is to assess whether the information reported by the DCM effectively addresses the concerns of stakeholders through role-play scenarios. The stakeholders encompass the Mission Commander, Reconnaissance, Sampling, Carrier and Laboratory Teams (Fig. 1.2).

Fig. 1.2
A block diagram illustrates the role of stakeholders in the dCoC process. A box at the top labelled Mission Commander Team is followed by a box that lists the tasks. Below it is a horizontal flow of four boxes labelled Reconnaissance Team, Sampling Team, Carrier Team and Laboratory Team.

Overview of the stakeholder’s roles within the dCoC process

The innovative concepts and viewpoints presented in the TS are summarised as follows:

  • Custody Transfer Point (CTP)

    • List of metadata to identify a specific CTP within the dendrogram.

    • List of metadata to characterise the information within a CTP.

    • Audit the digital chain of custody, in particular, to analyse situations with inconsistencies.

  • Digital Custody Metadata (DCM)

    • Metadata guidelines to describe the CTP lifecycle within the dendrogram.

    • Digital log of information related to custodianship interactions (e.g. keep a historical record of the custody transfer actions performed, for each CTP, within the dendrogram).

    • Establish a metadata-centric approach for a non-repudiation digital log, creating a standard data structure for data management and auditing.

The CTP dendrogram, as exemplified in Fig. 1.3, outlines the dCoC process’s information workflow and illustrates the relation between various CTPs. Once the Sampling Team collects samples at the scene, appropriate packaging is necessary for transporting them to intermediate or final destinations. Different samples may follow various paths, requiring specific transportation conditions, which the Carrier Teams must comply with. Since a package can contain multiple samples, standardised metadata is essential for consistent data sample descriptions. The DCM ensures this consistency by establishing a standardised data format structure, allowing for result comparability across the CTP dendrogram.

Fig. 1.3
A CTP dendrogram begins with the Sampling Team as first custody owner, followed by the next custody owner; this branch continues up to the CTP_{n+2} custody owners. The second branch continues up to the CTP_{y+n} custody owners.

A CTP dendrogram for a specific mission

The Mission Command Team manages the configuration of the dendrogram structure (i.e. CTP nodes and the corresponding paths within the dCoC process). They should be able to change the dendrogram structure as operational events occur; for instance, whenever a stakeholder reports a data inconsistency for a specific CTP, the CTP status changes, requiring instructions on how to proceed. This makes it easier for stakeholders to understand the process and identify potential areas for improvement.
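An added example, not part of the TS or the STRATEGY prototype: one way a Mission Command Team tool could audit a CTP dendrogram for custody-continuity inconsistencies. The record fields, team names and the four rules checked are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed CTP records; field names are hypothetical, not the TS data model.
CTPS = [
    {"id": "CTP-1", "parent": None, "owner": "sampling-team", "receiver": "carrier-a",
     "packages": {"PKG-01", "PKG-02"}, "status": "completed"},
    {"id": "CTP-2", "parent": "CTP-1", "owner": "carrier-a", "receiver": "lab-north",
     "packages": {"PKG-01"}, "status": "completed"},
    {"id": "CTP-3", "parent": "CTP-1", "owner": "carrier-b", "receiver": "lab-south",
     "packages": {"PKG-02"}, "status": "pending"},
    {"id": "CTP-4", "parent": "CTP-3", "owner": "lab-south", "receiver": "lab-final",
     "packages": {"PKG-02", "PKG-09"}, "status": "completed"},
]

def audit_dendrogram(ctps):
    """Return sorted (ctp_id, finding) pairs for custody-continuity violations."""
    by_id = {c["id"]: c for c in ctps}
    findings, claimed = [], defaultdict(dict)
    for c in ctps:
        if c["parent"] is None:
            continue  # root CTP: the first custody owner hands over
        parent = by_id.get(c["parent"])
        if parent is None:
            findings.append((c["id"], "parent CTP missing from dendrogram"))
            continue
        if c["owner"] != parent["receiver"]:
            findings.append((c["id"], "owner is not the previous custody receiver"))
        if c["packages"] - parent["packages"]:
            findings.append((c["id"], "package not received at parent CTP"))
        if c["status"] == "completed" and parent["status"] != "completed":
            findings.append((c["id"], "completed before parent CTP"))
        for pkg in c["packages"] & parent["packages"]:
            # A physical package can leave a CTP along one branch only.
            other = claimed[c["parent"]].setdefault(pkg, c["id"])
            if other != c["id"]:
                findings.append((c["id"], f"{pkg} already routed via {other}"))
    return sorted(findings)
```

Each finding names the CTP whose status would need to change and be escalated for instructions on how to proceed.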

The model developed was the outcome of several co-creation sessions with the EEG, in which diverse scenarios and contexts were established to thoroughly test and evaluate the TS, incorporating multiple storylines that trigger actions from role-players.

A Mock-Up Demonstrating the Metadata Structure of a CTP

Figure 1.4 depicts a web-based prototype developed to help the EEG get familiarised with the essential TS concepts and the recommended metadata structure for each DCM in the dCoC process.

Fig. 1.4
A screenshot of the CTP validation window displaying package metadata and custodians’ metadata, such as the custody owner identity and the custody receiver identity.

Example of the data structure for a specific CTP

The layout is organised into three main sections:

  • The top section provides data characterising the CTP and identifying the assigned mission, meaning data describing the mission to which the CTP is posted.

  • The middle section provides a table with the essential data regarding the package identifier. This area includes a line for each package assigned to the CTP. A graphical diagram on the right side visually represents the CTP status with a timestamp of the stakeholder’s interactions with the system.

  • At the bottom, information on the participating stakeholders (custody owner and custody receiver) is presented.

The user can select a package row to obtain additional details about the package and its sample(s). If any suspicious situation arises, such as a package with a broken seal or serious cracks that could jeopardise the samples’ integrity (severity level L1), the user should press the reject button to report the data inconsistency to the Mission Command Team. A similar procedure is followed for moderate severity level issues where the problem does not compromise the samples (see Table 1.2). In such cases, the user can capture an image of the package’s exterior, add it to the image gallery and provide comments on the package’s status for additional information. Access to this layout requires proper credentials, and a timeout event is triggered if no user action is detected within a specific timeframe. Default values and timeout events are configured for each process step to ensure timely completion.

Table 1.2 Data inconsistency levels

The metadata that describes the transportation conditions of the package, along with the attributes that enable stakeholders to verify and validate the reported information for the CTP, holds significant importance for all parties involved [13]. Only after both stakeholders acknowledge the data can the receiver accept custody of the physical package, thereby completing the CTP and marking it as successfully executed. As shown in Fig. 1.5, additional complementary data such as weight and package dimensions are key for the Carrier Team to handle the package’s transportation effectively.

Fig. 1.5
A set of 2 screenshots. The one on the left displays a photo of a package followed by its status such as upload an image bar, refrigeration status, and its dimensions. The one on the right displays a scrolled down view of the same, with the detail colorless liquid from the drum highlighted.

Example of the package metadata with two sample bags

Stakeholders authorised to access samples in secure conditions, typically in intermediate or final destination laboratories, must also verify and validate the related information. This data should be accessible in the system, enabling stakeholders to ensure the digital data aligns with the physical samples inside the package. Different samples may follow various paths, requiring specific transportation conditions, which the Carrier Teams must comply with. Since a package can contain multiple samples, standardised metadata is essential for consistent data sample descriptions.

Key information, including the Sample Collection Form, along with supporting data like pictures and videos, completed by the Sampling Team at the incident location as the initial custodian, forms an essential part of this validation process within the CTP dendrogram.
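An added example, not taken from the TS or the prototype: a tamper-evident DCM log in which a CTP completes only after both custodians acknowledge, as described above, with an audit that detects altered entries. Field names, keys and timestamps are constructed, and HMAC stands in for the asymmetric signatures that real non-repudiation would need.

```python
import hashlib, hmac, json

# Constructed per-stakeholder keys (assumption). HMAC stands in for a digital
# signature; real non-repudiation needs asymmetric keys held by the signer only.
KEYS = {"sampling-team": b"demo-key-1", "carrier-team": b"demo-key-2"}
GENESIS = "0" * 64

def entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def ack_tag(actor, entry_hash):
    return hmac.new(KEYS[actor], entry_hash.encode(), hashlib.sha256).hexdigest()

def append_entry(log, ctp_id, actor, action, package_ids, timestamp):
    """Append one custody action, chained to the previous entry's hash."""
    body = {"ctp_id": ctp_id, "actor": actor, "action": action,
            "package_ids": sorted(package_ids), "timestamp": timestamp,
            "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry_hash = entry_digest(body)
    log.append({**body, "hash": entry_hash, "tag": ack_tag(actor, entry_hash)})

def audit(log):
    """Return (index, problem) pairs for altered entries, bad tags or broken links."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k not in ("hash", "tag")}
        if e["prev_hash"] != prev:
            problems.append((i, "broken chain link"))
        if entry_digest(body) != e["hash"]:
            problems.append((i, "entry content altered"))
        elif e["actor"] not in KEYS or not hmac.compare_digest(
                ack_tag(e["actor"], e["hash"]), e["tag"]):
            problems.append((i, "acknowledgement tag invalid"))
        prev = e["hash"]
    return problems

def ctp_status(log, ctp_id, owner, receiver):
    """Completed only when owner and receiver both acknowledged and nobody rejected."""
    acts = {(e["actor"], e["action"]) for e in log if e["ctp_id"] == ctp_id}
    if any(action == "reject" for _, action in acts):
        return "rejected"
    both = {(owner, "acknowledge"), (receiver, "acknowledge")} <= acts
    return "completed" if both else "pending"

def demo_log():  # constructed sample: both custodians acknowledge CTP-1
    log = []
    for actor, ts in (("sampling-team", "2024-01-01T10:00:00Z"), ("carrier-team", "2024-01-01T10:05:00Z")):
        append_entry(log, "CTP-1", actor, "acknowledge", ["PKG-01", "PKG-02"], ts)
    return log
```

Editing a stored entry is reported at that entry; recomputing its hash to hide the edit invalidates its tag and breaks the link from the next entry.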

Conclusions

The paper highlights the necessity for standardised recommendations, encompassing harmonised terminology and a data model, to enhance system interoperability. These guidelines empower stakeholders to adhere to applicable laws and regulations while facilitating the seamless integration of new and existing products, services and processes. Given the sensitivity and criticality of the data, preserving the dCoC becomes paramount, providing essential authenticity hallmarks required by the court. Implementing a standardised dCoC process is of utmost importance to ensure the traceability and security of CBRNE evidence items throughout the entire procedure, ensuring evidence consistency and admissibility in court.

Guidance for the dCoC process is offered, providing stakeholders with practical and reliable guidelines for conducting a DCM audit and identifying key participants in the CTP lifecycle. These guidelines establish rules for CTP actions to uphold the integrity and chain of evidence in administrative, disciplinary and judicial proceedings. Furthermore, emphasis is placed on the significance of a consistent data governance workflow, ensuring a traceable digital fingerprint of the digital evidence item throughout the dCoC process. The proposed approach introduces two new concepts, CTP and DCM, as key components for tracking custodianship within the dCoC process. It also seeks to address gaps in existing standards concerning the chain of evidence and the necessary metadata to characterise the chain of responsibility for digital evidence items as they move through each CTP within the dCoC process.

The involvement of various stakeholders highlights the need to thoroughly document all actions in the chain of custodianship, enhancing transparency and accountability. Additionally, the dCoC process should address challenges related to metadata standardisation and promptly trigger alert messages to stakeholders when monitoring the custodianship of digital CBRNE evidence items. Data protection requirements are of utmost importance in executing secure digital transfers and identifying stakeholders as contributors to the evidentiary materials at each stage of the dCoC process.

While the specific technology for implementing DCM’s non-repudiation is not discussed, the technology-agnostic approach of the framework emphasises focusing on process description rather than specific implementation details. However, encryption and blockchain (or similar secure solutions) should be carefully considered to safeguard data privacy and integrity. Additionally, since a package can contain multiple samples, standardised metadata is essential for consistent data sample descriptions, and the DCM ensures this consistency by establishing a standardised data format structure, allowing for result comparability across the CTP dendrogram.