Digital Forensics

Digital Evidence:
Dream and Reality
Digital evidence is inherently weak. New evidence-gathering
technologiesdigital black boxesmust be developed
and deployed to support investigations of irreproducible
events such as digitally signing a document or electronically
casting a ballot.
ROLF OPPLIGER
R UEDI
RYTZ
Swiss Federal
Strategy Unit
for
Information
Technology

AND

rom sealing letters with wax carrying the authors

imprint to personally signing printed documents,
humans have long tried to ensure that a documents content cant easily be changed and that it
indeed states the will of the signer. The more important
the document, the more tempting forgery becomes. Its
no wonder many debates on the authenticity of documents and signatures are brought before a court.
The invention of public-key cryptography and, with it,
digital signatures has raised hopes that such debates will end
and that the evidence of digitally signed documents will be
as accurate as the underlying mathematical algorithms.
Unfortunately, such notions belong to the dream realm.
Cryptographic techniques provide weak digital evidence
despite what our intuition tells us. Therefore, technologies
for gathering both digital and nondigital evidence will become increasingly important and widely deployed.
Well witness systems similar to airplane black boxes
devices that record flight data and cockpit noise for examination following a malfunction. These digital black boxes
will consist of hardware and software components that
proactively generate, gather, protect, and make available evidence, notably of irreproducible events, thereby facilitating
their subsequent forensic investigation. Although the design
of such systems remains to be defined, it will likely depend
largely on the application under consideration.

Proofs and pieces of evidence

In the logicians view of mathematics, a proof refers to the
deduction of a claimed statement (a theorem) from a
given set of statements (axioms) assumed to be true according to a given logic. In an axiomatic world, proofs
exist if the axioms are known, and a commonly agreed44

PUBLISHED BY THE IEEE COMPUTER SOCIETY

upon logic determines the types of

deductions we can use to prove statements.
Outside the mathematics world (that is, in a nonaxiomatic world), the notion of a proof tends to be more involved and proofs of mathematical accuracy generally do
not exist. Instead of formal proofs, researchers use reproducible experiments. In fact, proving a statement in the natural sciences typically involves
defining an experiment,
carefully running the experiment a statistically significant number of times, and
verifying that the measured (physical) properties lie
within a certain range.
If the last two steps are fulfilled, the experiment is reproducible. In this article, proof refers to the ability to demonstrate a statements validity, which is typically accomplished most easily through reproducible experiments.
Strictly speaking, reproducible experiments are rarely
sufficient to prove a theory. As Austrian philosopher Karl
Popper noted: You cannot prove a theory, but you can
disprove it.1 Nevertheless, if I want to demonstrate to
students that a pencil I hold in my hand will fall to the
floor, I drop it. If some student didnt watch or still mistrusts the fact, I drop the pencil again. The outcome of a
single instance of a reproducible experiment (an event) is
not important to prove the fact.
Unfortunately, everyday life is rarely so simple, and
people frequently must demonstrate a statements validity
(that is, prove it) without defining and running a reproducible experiment. If I want to prove an event (for ex-

1540-7993/03/$17.00 2003 IEEE

IEEE SECURITY & PRIVACY

Digital Forensics

ample, that a man was stabbed to death), I cant travel back

in time and observe the event once again. Instead, to convince a third party at some later time that the event did
occur, I must gather as much evidence as possible. We all
knownot only from thriller movieshow difficult and
cumbersome gathering evidence can be. Clearly, however, the more pieces of evidence and the higher their
quality, the easier it usually is to convince a third party
(such as a jury) of certain circumstances.
Hence, several possibilities increase our ability to successfully demonstrate that an event occurred. We must increase the amount of evidence (by installing black boxes in
aircraft or keeping ballots after election day, for example),
its quality (by wearing gloves to touch a blood-stained
knife presumably used in a murder), or, ideally, both.

Evidence in the digital world

Running a computer program is an example of a reproducible (digital) experiment. As for any reproducible experiment, the single event is of minor importance. If
someone doubts that for a given input a computation
yields 43, I simply run the computation again, thus showing the doubter that the output is indeed 43. It doesnt
even matter whether the program computes the correct
result; what does matter is that given the same input, the
program produces the same output.
Proving an event becomes trickier if the whole
process, such as digitally signing an electronic document
or casting a ballot over the Internet, is inherently irreproducible. If, for example, the day after an election, some
political party claims to have broken into the system and
modified the tally, how can you demonstrate the results
correctness? You cant redo the vote. Clearly, you can recount the electronic ballots over and over again, proving
at least that the counting (algorithm) works. However,
this doesnt prove that the electronic ballots are correct
and unchanged.
The digital world is fundamentally different from the
world in which objects are uniquely rendered by the laws of
physics. If the police found a knife with an alleged perpetrators fingerprints on its handle and the victims blood on its
blade, the prosecutor could argue that the knife should be
accepted as circumstantial evidence. Because various physical and chemical investigations are possible, it would be almost pointless for the defendant to claim that the bloodstained object is not a knife, the fingerprints belong to
somebody else, the dark-red substance is not dried blood,
and so forth. Of course, a defendant could challenge the validity of a specific fingerprint identification, among other
things, but you grasp the general point here.
Digital world objects are bits and bitstrings, exhibiting
no measurable intrinsic physical properties (weight, size,
age, and so forth). Furthermore, deciding whether a bitstring is genuine or synthetically generated is difficult
courts and lawmakers are currently wrestling with this

issue. Although some people can read and interpret specific bitstrings (such as Morse code), bits and bitstrings
generally have no meaning for humans unless a computer
system renders them and gives them sense. This rendering involves hardware and software and is by no means
unique. It is, for example, possible to write a program
(that is, a bitstring) that does something reasonable if executed on one computer system, but crashes another, perhaps running a different operating system. An attacker
might even digitally sign the program and send it to
someone he or she wants to attack. Unlike someone who
attacks a person with a knife, the attacker could simply
argue before court that he or she hadnt intended to harm
anyoneafter all, the code worked fine on his computer.
Bitstrings might differ from their final perception in
other instances; for example,
A person claims that a bitstring (say an image file) resulted from a random experiment. Sure, some potentially asymmetric (and not uniform) probability distribution for each interpretation exists and some
interpretations might appear unlikely; however, such
claims are possible and might be challenged in court.
Different bitstrings represent the same document. For
example, a word-processing file usually includes a lot of
hidden information. From the human users viewpoint,
several files represent the same document even though
the respective bitstrings are completely different.
Consequently, we must strive for complementary technologies to improve bitstrings overall credibility, notably
if their generation is a one-time event. This is where digital black boxes come into play.
It seems reasonable that we design, implement, and
deploy digital black boxes on an application-specific
basis, as is the Network Flight Recorder Network Intrusion Detection (NFR NID, www.nfr.com/products/

Generating a digital
signature, however, is a
one-time event, as is signing
a paper document with a pen.
nid/) for network traffic analysis. In other cases, implementing a black box might be tricky (in the context of
digital signatures, for example), or even illegal (such as in
remote Internet voting).

Irreproducible events
Irreproducible events are very common in daily life. Exhttp://computer.org/security/

IEEE SECURITY & PRIVACY

45

Digital Forensics

Digital signature systems

oughly speaking, a digital signature system (DSS) is a system

that can be used to digitally sign messages and to verify digital
signatures appended to messages. As such, DSSs are used
whenever digital documents (such as electronic documents, email
messages, and electronic contracts) must be protected in terms of
authenticity and integrity. A digital signature is aimed at providing
the electronic analog of a handwritten signature.
Technically, a DSS consists of a set of three efficiently computable algorithms:

Gen(1k) is a probabilistic key-generation algorithm that takes as

input a security parameter 1k and outputs a signing key k-1 and a

corresponding verification key k.

Sign(k-1,m) is a deterministic or probabilistic signature generation
algorithm that takes as input a message m (the message to be
signed) and a signing key k-1, and generates as output a digital signature s for m.
Verify(k,m,s) is a deterministic signature verification algorithm that
takes as input a verification key k, a message m, and a purported digital signature s for m, and generates as output a binary decision
(whether the digital signature s is valid for message m). If the signature is not valid, the message must not be assumed to be authentic.
Consequently, Verify(k,m,s) is valid if and only if s is a valid digital signature for message m and verification key k.

amples include a football game, lightning hitting a

rooftop, and an aircraft crashing. Because such events
cannot be repeated, their occurrence is intrinsically difficult to prove to a third party. Digitally signing documents
and remotely casting an electronic ballot are examples of
irreproducible events in the digital world.

Digital signatures
Introduced in the 1970s, digital signatures still are considered a major application of public key cryptography.2
In public key cryptography, each user holds a pair of keys
(k, k-1), one private (k-1) and the other public (k). The
two keys are mathematically related, but we assume
computing the private key from the public key is computationally infeasible.
In a digital signature system (DSS), one user digitally
signs messages with the private, or signing key, while another user verifies the digital signatures using the public,
or verification key (see the sidebar for a more detailed discussion of DSS). Many DSSs have been proposed, and
RSA, the first public-key cryptosystem for digitally signing electronic documents,3 still is widely used.
Developers often use digital signatures to implement
nonrepudiation servicesservices that make it impossible or
useless for communicating peers to repudiate their participation. For example, the sender of an email message
might digitally sign the message using his or her private
key. Anyone in possession of the public key can later verify the messages origin, making it difficult to repudiate.
Consequently, digital signatures often serve as electronic
analogs of handwritten signatures. To put these two signature types on par, many countries and organizations
have enacted legislation, such as the Community Framework for Electronic Signatures in Europe and the Electronic Signatures in Global and National Commerce Act
in the US (commonly known as E-SIGN). As of this
writing, the legal status of digital signatures is unclear.
Because digital signatures are based on mathematical
46

IEEE SECURITY & PRIVACY

SEPTEMBER/OCTOBER 2003

formulas, intuition tells us that the digital signature generation and verification processes are reproducible computations. This is true for verification. Once successfully
verified, subsequent computations verifying the same
digital signature (provided you know the correct public
key) will likely be successful.
Generating a digital signature, however, is a one-time
event, as is signing a paper document with a pen. Note
that the irreproducible nature of digital signatures is not
properly reflected in the mathematical definition of a
DSS (see the sidebar). Clearly, in principle you can digitally sign as many copies of your document as you wish.
However, sending a copy to your contracting party makes
that copy your (digitally) signed electronic document,
which you cannot take back later.
Against this background, its interesting to ask how secure digital signature systems and their implementations
are. A total break of a DSS would include computing the
signing (private) key from the verification (public) key.
This is very hard (or impossible) to do as it would require
solving an intractable mathematical problem (such as factoring a large integer or computing a discrete logarithm).
Obviously, anyone can totally break a DSS by stealing
the signing key. A key stored on a file system is only as secure as the file system. If the key is encrypted, it is as secure as the encryption. Most encryptions use a password
or passphrase. In this case, the key is at most as secure as
the password or passphrase. A partial break of a DSS involves combining digital signatures of different messages
to come up with a valid digital signature for a new message (that is, a message the signatory never signed). Partial
breaks are selective if an attacker can determine this new
message, or existential if the attacker cannot. Some DSSs
have been shown to be resistant against existential
forgeryeven if one considers chosen-message attacks.4,5 The mathematical basis for the DSSs in use
today is assumed to be relatively secure.
As for the implementation, bear in mind that the sign-

Digital Forensics

ing process is complex and many things (usually invisible

to the signer) occur behind the scenes. In a preferred setting, the computer system acting as signatory hashes the
electronic document and sends the hash value to a secure
signing device. The signing device holds the signing key
and outputs the signed hash value representing the documents digital signature.
The security of the signing process depends on several
assumptions. For example,
The cryptographic hash function must operate as
specified.
The computer system must send the hash value to the
signing device only.
The signing device must securely store the private key and
sign the hash value provided by the computer system.
Even if the signing device is reasonably secure and the
DSS is provably secure, the signer can still give away the
signing key (purposefully or not), or a manipulated operating system can feed the wrong documents to the signing device. This is the representation or what you sign is
what you see (WYSIWYS) problem, central to many
considerations related to the application and legal significance of digital signatures. How do you ensure a trusted
path from the memory, which feeds the screen, to the device, which actually generates the digital signature? Unless one enters the field of dedicated security hardware
and trusted (or trustworthy) computing, this problem is
hard to solve.
Other problems must also be addressed. What happens if a signed document contains hidden information?
Is the hidden information signed? If the hidden information consists of text blocks that have been removed from
the document, does the signature include them? Current
digital signature legislation doesnt address, much less answer, these questions.
The complexity of the digital signature generation
process and the limited legal history of digital signatures
make it likely that such signatures will face legal challenges, much like the telegraph and fax machine did on
their first use. Being a one-time event, improving the
legal significance of a digital signature requires gathering
evidence using a digital black box. For example, you
could record the signature generation process using some
out-of-band channel, such as a video stream, and attach it
to the signed document.6,7 This would not only enhance
the digital signatures credibility but also signify the legal
importance of signing the document. To improve inband quality, you might include information about the
time the signature was generated (time stamps), the configuration of the signatorys computer systems, or the
type of signed document.
Some measures to improve a digital signatures legal
significance might have privacy implications. For exam-

ple, some individuals might not want contracting parties

to keep video streams of the signing process.
Both out-band and in-band evidence gathering in
the context of digital signatures are open for research and
development. It will be interesting to see what type of
technology will be developed, implemented, marketed,
and deployed.

Remote Internet voting

Voting is another intrinsically nonrepeatable event. Its
digital analogs, electronic voting (e-voting) in general,
and remote Internet voting in particular,8,9 are thus
worth exploring. Developing secure Internet-based voting systems has become an important goal in many countries. Many advocates of Internet voting argue that the security technologies used in e-commerce applications
(including digital signatures) are sufficient for remote Internet voting. However, this argument neglects the generally accepted requirement that voters remain anonymous while casting their ballots. This anonymity
requirement for e-voting introduces yet another dimension to the problem of inherently weak digital evidence.
Assume some sophisticated cryptographic protocols ensure both the anonymity of remote Internet voters and the
security of the vote-tabulation process.10 Despite the cryptographys sophistication, an organization unhappy with the
outcome might claim that somebody broke the voting systems security and thus the result must be discarded.
In the real world, this situation is manageable, mainly
because a complete audit trail of the votes exists. In fact,
voting officials keep the ballots so they can be counted
and double-checked as many times as necessary, as we saw
in the 2000 US presidential election. Knowing this is possible prohibits political opponents from claiming that
something went wrong. In the digital world, however,
the situation is different: Bitstrings exhibit no physical
properties that can be checked and verified. If a hacker
broke the security of the remote Internet voting system,
the ballots and tally would look the same as if no breach
had occurred, and there would be no way to check and
verify their authenticity and integrity.
Even more frightening than the chance of this occurring is the impossibility of determining the correct result
(even if someone only viciously and falsely claims to have
cheated). To make things worse, without digital black
boxes it is even pointless to challenge the result. Recounting electronic ballots that might have been tampered with
would at best validate the counting algorithm; it couldnt
recreate the election. Even though cheating in an election is always possible regardless of how its organized, evoting leaves more openings for massive fraud than any
other technique. If you can forge one digital ballot, you
can forge thousands. This holds for remote Internet voting as well as for dedicated electronic voting machines
whose flaws allow for tampering with election results.
http://computer.org/security/

IEEE SECURITY & PRIVACY

47

Digital Forensics

vidence gathering is related to computer and network

forensics.11,12 However, evidence gathering focuses
on collecting evidence before an event occurs, whereas
forensics focuses on collecting evidence after an event.
Nevertheless, evidence gathering and forensics should go
hand in hand and complement each other to provide the
most significant digital evidence possible.
Last but not least, we note that many security techniques widely used today (handwritten signatures, for example) are not perfectly secure, yet they are socially accepteda fact security professionals tend to overlook.
Technologies such as digital black boxes supporting
the digital evidence will become important in the future;
the field is open for research and development.

7.

8.

9.

10.

References
1. K.R. Popper, Conjectures and Refutations: The Growth of
Scientific Knowledge, 5th ed., Routledge, 1992, p. 192.
2. W. Diffie and M.E. Hellman, New Directions in Cryptography, IEEE Trans. Information Theory, vol. 22, no. 6,
1976, pp. 644654.
3. R.L. Rivest, A. Shamir, and L. Adleman, A Method for
Obtaining Digital Signatures and Public-Key Cryptosystems, Comm. ACM, vol. 21, no. 2, Feb. 1978, pp.
120126.
4. S. Goldwasser, S. Micali, and R.L. Rivest, A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM J. Computing, vol. 17, no. 2, 1988,
pp. 281308.
5. C. Dwork and M. Naor, An Efficient Existentially
Unforgeable Signature Scheme and Its Applications, J.
Cryptology, vol. 11, no. 3, 1998, pp. 187208.
6. C. Ellison, Improvements on Conventional PKI Wisdom, Proc. 1st Ann. PKI Research Workshop, Natl Inst.

11.
12.

Standards and Technology, 2002, pp. 165176; www.

cs.dartmouth.edu/~pki02/proceedings.pdf.
U. Maurer, Digital Signatures, Signer Awareness, and Digital Declarations, tech. report, Dept. of Computer Science,
ETH Zurich, Dec. 2002; ftp://ftp.inf.ethz.ch/pub/
crypto/publications/Maurer02c.pdf.
R. Oppliger, How to Address the Secure Platform Problem for Remote Internet Voting, Proc. 5th Conf. Security in Information Systems (SIS 2002), vdf
Hochschulverlag, 2002, pp. 153173; www.ifi.unizh.
ch/~oppliger/Docs/sis_2002.pdf.
A.D. Rubin, Security Considerations for Remote Electronic Voting, Comm. ACM, vol. 45, no. 12, Dec. 2002,
pp. 3944.
B. Schoenmakers, Fully Auditable Electronic SecretBallot Elections, Xootic Magazine, vol. 8, no. 1, 2000, pp.
187208.
M. Caloyannides, Computer Forensics and Privacy, Artech
House, 2001.
G. Mohay et al., Computer and Intrusion Forensics, Artech
House, 2003.

Rolf Oppliger is a scientific employee at Swiss Federal Strategy

Unit for Information Technology (FSUIT). He also leads eSECURITY Technologies, teaches at the University of Zurich, and is
the editor of Artech Houses computer security book series. His
research interests are computer and network security. He has
an MSc and a PhD in computer science from the University of
Berne, and received the venia legendi from the University of
Zurich. Hes a member of the IEEE Computer Society, the ACM,
IACR, and IFIP. Contact him at rolf.oppliger@isb.admin.ch.
Ruedi Rytz is a scientific employee at FSUIT. His research interests include computer and network security in general, and critical information infrastructure protection in particular. He has
an MSc and a PhD in physical chemistry from the University of
Berne. Contact him at ruedi.rytz@isb.admin.ch.

Get access
to individual IEEE Computer Society
documents online.
More than 67,000 articles and conference papers available!
US$9 per article for members
US$19 for nonmembers

http://computer.org/publications/dlib

http://computer.org/

48

IEEE SECURITY & PRIVACY

SEPTEMBER/OCTOBER 2003