#### **1. Introduction**

Any digital data containing trustworthy information that supports an event hypothesis is considered digital evidence. The scope of digital evidence is continuously expanding and includes both established and emerging technologies such as computers, networks, memory, and mobile devices [1]. Digital evidence has many features, including the ease with which it can be copied and transferred, the ease with which it can be changed and deleted, the ease with which it may be tainted by new data, and the fact that it is time-sensitive. Additionally, digital evidence may be easily transferred across countries. As a result, managing digital evidence is much more complex than processing physical evidence [2]. Digital evidence may take the form of images, videos, text, or device logs. Additionally, it incorporates data from social media platforms such as Twitter, Instagram, and Facebook [3–10].

There are many ways to enhance the integrity of digital evidence. These techniques include cyclic redundancy checking, hashing functions, digital signatures, time stamps, encryption, and watermarking. Each technique has a number of benefits and drawbacks; see [8,11–14] for more details. The majority of digital forensic tools and apps use some kind of hashing algorithm to ensure the integrity of digital evidence. Hashing is a cryptographic method for determining an entity's unique representation. When utilizing the conventional hash, certain problems will occur, particularly regarding data integrity, since digital data can readily be altered. Tampering will always be a problem. This occurs as a result of the exchange procedure being poorly documented [15]. Additionally, a conventional hash cannot be utilized to calculate similarity or to identify traces of evidence. Fuzzy hashing is a kind of hashing that is used to determine the degree to which two entities are similar. Fuzzy hashing enables the investigator to concentrate on possibly incriminating images that would not be seen using conventional hashing techniques.

**Citation:** Ali, M.; Ismail, A.; Elgohary, H.; Darwish, S.; Mesbah, S. A Procedure for Tracing Chain of Custody in Digital Image Forensics: A Paradigm Based on Grey Hash and Blockchain. *Symmetry* **2022**, *14*, 334. https://doi.org/10.3390/sym14020334

Academic Editors: Ming-Chin Chuang and Chin-Ling Chen

Received: 8 December 2021; Accepted: 27 January 2022; Published: 6 February 2022

**Copyright:** © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Meanwhile, a Chain of Custody (CoC) is a critical process in the management of evidence and investigations. CoC is a term that refers to the process of preserving and documenting the chronological history of digital evidence [4–6]. CoC and integrity of digital evidence play a part in the digital process of forensic investigation since forensic investigators must know where, when, and how digital evidence was found, gathered, tracked, handled, and preserved throughout its trip to a court of law. A proper CoC must include documentation that addresses each of these points. If any one of these questions is left unanswered, the CoC is compromised and disturbed. Without a certificate of conformity, the evidence is useless [7–15].

There are many indications that may be used to identify problems with the management of CoC [6,16–19]: (1) threats to the data integrity of digital evidence throughout its lifetime; (2) the massive amount of data produced by billions of linked devices, which must be stored and presents significant difficulties in ensuring authenticity; (3) because digital evidence is complicated and volatile, and may be altered inadvertently or incorrectly after acquisition, the CoC must guarantee that the evidence gathered is admissible in court; (4) as the number of devices and types of software in the computer and information technology fields continues to increase, cybercrime investigation faces difficulties in terms of the amount of evidence being examined; (5) the security of the CoC documentation, which is a critical problem since digital evidence may be copied and transferred to other systems; and (6) CoC adaptability and capacity, which becomes an issue as a result of the growing amount of data produced by different new digital forensics technologies.

To address the aforementioned issues, an integrated system is required. This system must be capable of presenting data with established integrity and storing CoC for digital evidence, providing an auditing facility to ensure the accuracy of forensic tools and their application procedures, and preserving the artifacts of the evidence, in order for digital evidence to be admissible in court [6,15]. The blockchain may be used to verify the validity and legality of the processes used to collect, store, and transmit digital evidence, as well as to offer a consolidated view of all CoC interactions [20].

In its simplest form, a blockchain is a collection of linked data structures called blocks that store or monitor the state of any distributed system on a peer-to-peer network. Each block is connected to the previous block via a special pointer called a hash pointer, resulting in an append-only system, a permanent and irreversible history that can be used as a real-time audit trail by any participant to verify the accuracy of the records simply by reviewing the data itself [9]. The blockchain has been extensively utilized in a variety of areas, including cloud security, IoT security, and digital forensics. Blockchain technology is also a potential method for evidence verification and management in the area of digital forensics, and it is being extensively explored [10].

Digital image forgeries are becoming more prevalent today since image manipulation software is widely accessible and the usage of digital images has grown in popularity. One cannot tell if the image is genuine or has been altered. Images may be altered by removing a portion of the image, hiding an area within the image or altering the image in such a way that the image information is misrepresented. These flaws erode the validity of digital images [4]. Numerous methods for identifying image forgery have been discussed in detail. They are categorized as active or passive algorithms [5]. The active method involves embedding a watermark into the picture. Because embedding watermarks in images needs specially equipped cameras, this technique is very restricted in practice. In contrast, passive approaches to forgery detection rely on the evidence left on the image by various processing stages during image modification. Passive methods may also be used to detect the amount and location of forgeries in an image.

To summarize, computer forensics professionals use forensic software to acquire copies or images of electronic equipment and to capture associated data. Recent advances in forensic software allow for remote gathering and analysis. Even if it is impossible to precisely quantify the uncertainty inherent in a piece of digital evidence, courts should consult experts to get a sense of the data's reliability. Every piece of digital data has some degree of uncertainty, and an expert should be able to describe and estimate the degree of certainty that can be put on a particular piece of evidence. If we do not attempt to quantify uncertainty in digital evidence, one might argue that there is no foundation for assessing the evidence's dependability or correctness. Additionally, forensic examiners who do not account for ambiguity throughout their analysis risk arriving at incorrect conclusions during the investigation stage and finding it more difficult to defend their claims when cross-examined.

This paper focuses on the research of protecting digital evidence that is uncertain, which is still a challenging research topic that has not been studied much by researchers. Traditional blockchain-based chain of custody is mainly based on a concise description of the evidence under examination and some kind of hash code. However, the conventional hash method is inefficient at dealing with identical files that arise from benign or malicious alteration of the images examined by the forensic investigator. Utilizing fuzzy hash functions enables forensic investigators to successfully deal with permissible alteration to digital evidence, while using conventional hash methods is ineffective in this situation.

The remainder of this paper will be structured as follows. Section 2 discusses several similar works and their benefits and drawbacks. The suggested framework is described in Section 3. Section 4 outlines the experiments used to verify the proposed framework, and Section 5 concludes the paper.

#### **2. Literature Review**

Numerous methods have been presented to enhance the quality of CoC. Several blockchain-based secure digital evidence systems have been suggested in recent years. The authors in [21] suggested a Blockchain-based Chain of Custody (B-CoC) to dematerialize the CoC procedure while ensuring the integrity of gathered evidence and owner traceability. B-CoC was shown to effectively assist the CoC process during the performance assessment. However, the degree of anonymity for validators must be increased without modifying security attributes. In a similar manner, the authors in [15] integrated the Digital Evidence Cabinet (DEC) architecture with Blockchain. This prototype is referred to as B-DEC. B-DEC makes use of data storage integrity to handle digital evidence that relates to DEC. DEC is written in an XML format. However, the system must be capable of securely storing digital evidence through software. It needs to significantly strengthen the protection of digital evidence, such as via the use of encryption.

The work in [8] established a reliable time-stamping technique for protecting digital evidence during the investigative process. Timestamps are acquired from a secure third party in order to establish the date and time of the staff's access to the evidence. A significant issue here is that a reliable source of time is contingent on the setting of the clock that produces it. Another similar study is [12], in which the authors utilized a variety of security techniques to protect the integrity of the digital evidence, including CRC, hash functions, and digital signatures. SHA512 was chosen for integrity protection based on tests and evaluations since it is computationally extremely fast and least susceptible. However, one may alter the original data, recalculate the hash, and then exchange the original hash with the recalculated one, thus subverting the integrity service.
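The limitation noted for [12], and the hash-pointer linking described in the Introduction, can be seen side by side in the following added example, which is not code from the paper or from any cited system. The entry fields, handler names and evidence bytes are constructed for illustration, and a single in-memory list stands in for a distributed ledger.

```python
import hashlib
import json

def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding of a custody entry."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def body_of(entry):
    """Entry fields covered by the entry hash (everything but the hash itself)."""
    return {k: v for k, v in entry.items() if k != "entry_hash"}

def append_entry(chain, handler, action, evidence_bytes):
    """Append a custody entry whose hash pointer covers the previous entry."""
    body = {
        "index": len(chain),
        "handler": handler,            # hypothetical field names
        "action": action,
        "evidence_sha512": hashlib.sha512(evidence_bytes).hexdigest(),
        "prev_hash": chain[-1]["entry_hash"] if chain else "0" * 64,
    }
    chain.append({**body, "entry_hash": digest(body)})

def verify_chain(chain):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or digest(body_of(entry)) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None

def demo():
    original = b"constructed image bytes"            # sample data, not real evidence
    altered = b"constructed image bytes (edited)"
    # Detached hash: data and stored hash were replaced together, check still passes.
    stored = {"data": altered, "sha512": hashlib.sha512(altered).hexdigest()}
    detached_ok = hashlib.sha512(stored["data"]).hexdigest() == stored["sha512"]
    # Hash-linked custody log with three entries.
    chain = []
    append_entry(chain, "officer_a", "acquired", original)
    append_entry(chain, "lab_b", "transferred", original)
    append_entry(chain, "analyst_c", "examined", original)
    # Same substitution in entry 1, with that entry's own hash recomputed.
    chain[1]["evidence_sha512"] = stored["sha512"]
    chain[1]["entry_hash"] = digest(body_of(chain[1]))
    # The next entry still points at the old hash, so verification flags index 2.
    return detached_ok, verify_chain(chain)
```

A verifier holding only the single log would still need an independent copy of the latest entry hash; in a blockchain that copy is what the other peers provide.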

The authors in [19] encrypted the XML structure on the digital chain of custody data storage using the RC4 cryptography technique. One benefit of utilizing XML is that it is simple for non-professionals to comprehend. Another issue is that XML does not need a specific database management system to be opened. On the other hand, since the material is accessible to everyone, the integrity of digital evidence cannot be accepted in court. Additionally, RC4 encryption will take longer if the plaintext is lengthy. The researchers in [22] evaluated two automated disk imaging programs (Encase and FTK Imager). These programs claim that they protect the integrity of digital evidence by computing MD5 and SHA1 hashes of extracted data. The offered solution is both effective and practical. However, MD5 and SHA1 hashes are insufficient to ensure the evidence's integrity.

Z. Tian et al. [10] proposed a secure Digital Evidence Framework (Block-DEF) based on Blockchain technology, with a loose coupling structure in which evidence and evidence information are stored independently. The Blockchain is used to keep just the evidence information, which is then kept on a trustworthy storage platform. Experiments demonstrated that Block-DEF is a scalable framework; it ensures the authenticity of evidence and strikes an appropriate balance between privacy and traceability. However, when adding a new node to the blockchain it takes an inordinate amount of time to download and validate the blockchain.

While earlier blockchain-based image forensics systems employed standard hashing, the suggested approach uses fuzzy hashing to examine the blockchain validity (evidence items) in order to better handle evidence item alterations induced by both benign and malicious cyberattacks. When the similarity between two blocks surpasses 95%, the block is considered to be original.
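The contrast between a conventional hash and a similarity hash under the 95% rule can be made concrete with the added example below, which is not the paper's grey hash: it uses a generic 64-bit average hash as a stand-in. The 16x16 gradient image and its two variants are constructed test data.

```python
import hashlib

THRESHOLD = 0.95  # similarity the page requires for a block to count as original

def average_hash(img, size=8):
    """Average hash: block-average down to size x size, then threshold at the mean."""
    step = len(img) // size
    cells = [
        sum(img[r][c]
            for r in range(i * step, (i + 1) * step)
            for c in range(j * step, (j + 1) * step)) / step ** 2
        for i in range(size) for j in range(size)
    ]
    mean = sum(cells) / len(cells)
    return [1 if v > mean else 0 for v in cells]

def similarity(h1, h2):
    """Fraction of matching hash bits (1.0 means identical hashes)."""
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)

def sha256_hex(img):
    """Conventional hash over the raw 8-bit pixel values."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def compare(reference, candidate):
    """Return (conventional_match, fuzzy_similarity, accepted_as_original)."""
    sim = similarity(average_hash(reference), average_hash(candidate))
    return sha256_hex(reference) == sha256_hex(candidate), sim, sim > THRESHOLD

# Constructed 16x16 grayscale gradient standing in for an evidence image.
ORIGINAL = [[r * 16 + c for c in range(16)] for r in range(16)]
# Permissible alteration: uniform brightening by 3 grey levels (clamped at 255).
BRIGHTENED = [[min(255, v + 3) for v in row] for row in ORIGINAL]
# Content alteration: the top-left quadrant overwritten with white.
OVERWRITTEN = [[255 if r < 8 and c < 8 else v for c, v in enumerate(row)]
               for r, row in enumerate(ORIGINAL)]
```

Calling `compare(ORIGINAL, BRIGHTENED)` and `compare(ORIGINAL, OVERWRITTEN)` shows SHA-256 rejecting both variants, while the similarity score accepts only the brightened copy.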
