International Journal of Communication and Networking System, Volume 01, Issue 01, January-June 2012, ISSN: 2278-2427. Integrated Intelligent Research (IIR), p. 49

Use of AFF4 "Chain of Custody" Methodology for Foolproof Computer Forensics Operation

NITHESH K. NANDHAKUMAR #1, UJJWAL AGARWAL *2, FAIZAL H. #3
IT Department, Salalah College of Technology, Oman, Post Box No. 608, Postal Code 211
1 niteshnanda@gmail.com, 2 ujjwal.libya@gmail.com, 3 faizal.h@gmail.com

Abstract—Computer forensics is a science in which various methods are used to collect all computer-related evidence deemed legally useful, to preserve it, and finally to present it before a court of law or other legal institution in the most effective manner. This paper follows the work of a computer forensic investigator, especially in the areas where chain of custody is relevant. A foolproof forensic operation depends on a proper methodology, that is, on the disciplined methods, guidelines and techniques employed to achieve it. In this respect, the use of the new specification of the Advanced Forensic Format (AFF) for forensic analysis is suggested, covering evidence acquisition, handling and management. The AFF4 implementation is simpler in design and supports different specifications, including the Digital Evidence Management Framework (DEMF), together with strong security features. This paper studies how AFF4 can be extended to accommodate the new challenges faced during digital evidence custodial processes. Our research reveals that AFF4 is well suited to modern cyber crimes such as ICMP attacks. Here an ICMP sweep attack is taken as a case, which is investigated and documented using AFF4 by applying the DEMF guideline in an XML format.
Keywords—Computer forensics, chain of custody, AFF4, DEMF, XML formats, digital evidence

I. INTRODUCTION

Computer forensics requires the collection of digital evidence from physical and logical resources such as hardware, media, databases and files where the 'crime' is suspected to have taken place or originated. These resources are seized and searched for digital evidence, and proper custodial measures are needed. It must be noted here that all evidence must be collected in a foolproof manner, according to the standards prescribed for maintaining it, so that the principle of data integrity is not breached in the first place. Information discovery involves all kinds of information retrieval and analysis of the collected data. [1]

The original state of all collected evidence has to remain intact and unchanged during the analysis phase. This state has to be maintained even after the case is closed and the verdict has been declared, because of the scope for appeals in a higher court of law. Evidence also has to be preserved for the sake of good documentation. Extra care is needed here, because any finding which proves that the evidence's data has been changed, even by a single bit, will have an adverse consequence for the investigation and the legal proceedings. [2]

Chain of custody is an important concept for the reasons above, and it is essentially a perfect measure for achieving the quality, authenticity and validity of the evidence collected. It also makes the handlers of the evidence accountable for their actions. This is a measure against any attempt to tamper with or destroy key evidence so that its
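The integrity and accountability requirements described above can be made concrete with a small custody ledger. The following Python example is added here for illustration and is not code from the paper, from AFF4 or from DEMF: it hashes an acquired evidence image, records each handler's action as an entry linked to the previous one, serialises the ledger to XML, and verifies both that the evidence is bit-for-bit unchanged and that no ledger entry has been altered. The element names, the entry layout and the sample evidence bytes are all constructed assumptions, not the DEMF schema.

```python
"""Chain-of-custody ledger for one evidence item (illustrative example).

Assumptions: the record layout and XML element names below are invented for
this example; they are not the DEMF schema and not the AFF4 container format.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed stand-in for an acquired image (e.g. a packet capture of a sweep).
SAMPLE_EVIDENCE = b"constructed evidence image: ICMP echo-request sweep capture\n" * 64

GENESIS = "0" * 64  # link value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    handler: str        # person accountable for this step
    action: str         # acquired / transferred / analysed ...
    evidence_hash: str  # hash of the evidence image observed at this step
    prev_digest: str    # digest of the previous entry (links the chain)
    digest: str = ""    # digest of this entry, fixed when it is recorded

    def compute_digest(self) -> str:
        payload = f"{self.seq}|{self.handler}|{self.action}|{self.evidence_hash}|{self.prev_digest}"
        return sha256_hex(payload.encode())


class CustodyChain:
    def __init__(self, evidence: bytes):
        # The acquisition hash is the reference every later step is checked against.
        self.acquisition_hash = sha256_hex(evidence)
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, action: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries) + 1, handler, action, sha256_hex(evidence), prev)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means ledger and evidence are intact."""
        problems: List[str] = []
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("evidence hash differs from acquisition hash")
        prev = GENESIS
        for e in self.entries:
            if e.prev_digest != prev:
                problems.append(f"entry {e.seq}: broken link to previous entry")
            if e.digest != e.compute_digest():
                problems.append(f"entry {e.seq}: record altered")
            if e.evidence_hash != self.acquisition_hash:
                problems.append(f"entry {e.seq}: evidence hash changed during '{e.action}'")
            prev = e.digest
        return problems

    def to_xml(self) -> str:
        # Invented element names; a real deployment would follow the DEMF schema.
        root = ET.Element("custody_chain", acquisition_sha256=self.acquisition_hash)
        for e in self.entries:
            el = ET.SubElement(root, "entry", seq=str(e.seq))
            for tag in ("handler", "action", "evidence_hash", "prev_digest", "digest"):
                ET.SubElement(el, tag).text = getattr(e, tag)
        return ET.tostring(root, encoding="unicode")


def build_demo_chain() -> CustodyChain:
    chain = CustodyChain(SAMPLE_EVIDENCE)
    chain.record("examiner A", "acquired", SAMPLE_EVIDENCE)
    chain.record("examiner A", "transferred to lab", SAMPLE_EVIDENCE)
    chain.record("examiner B", "analysed", SAMPLE_EVIDENCE)
    return chain


def check_single_bit_flip() -> List[str]:
    """Flip one bit of the evidence and report what verification detects."""
    chain = build_demo_chain()
    tampered = bytearray(SAMPLE_EVIDENCE)
    tampered[10] ^= 0x01
    return chain.verify(bytes(tampered))


def check_altered_record() -> List[str]:
    """Edit a ledger entry after the fact and report what verification detects."""
    chain = build_demo_chain()
    chain.entries[1].action = "transferred to lab (edited later)"
    return chain.verify(SAMPLE_EVIDENCE)


if __name__ == "__main__":
    chain = build_demo_chain()
    print(chain.to_xml())
    print("intact:", chain.verify(SAMPLE_EVIDENCE))
    print("bit flip:", check_single_bit_flip())
    print("edited record:", check_altered_record())
```

Each entry's digest covers the previous entry's digest, so editing any record after it has been written is detected by recomputing the digests in order, and the per-step evidence hash shows at which handler's action the image stopped matching the acquisition hash. Stored unsigned, such a ledger only detects tampering by someone who cannot rewrite every later entry; in practice the digests would be signed or written to append-only storage.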