COMUNICAÇÃO TÉCNICA (Technical Communication) Nº 170358

Automating the chain of custody using RFID technology to support the validation of forensics evidence

Denis Bruno Viríssimo, Alessandro Santiago dos Santos, Maria Cristina Machado Domingues, Mário Yoshikazu Miyake, Vanessa D'Alessio Giarone, Marina Gallucci Mazziero, Henrique Frank Werner Puhlmann, Luis Orlando Aponte Ruiz

Slides presented at the IEEE International Workshop on Information Forensics and Security (WIFS), 2011, São Paulo.

The “Comunicação Técnica” series comprises works prepared by IPT technical staff, presented at events, published in specialized journals, or whose content is of public relevance.

Instituto de Pesquisas Tecnológicas do Estado de São Paulo S/A - IPT
Av. Prof. Almeida Prado, 532 | Cidade Universitária or Caixa Postal 0141 | CEP 01064-970 São Paulo | SP | Brasil | CEP 05508-901
Tel 11 3767 4374/4000 | Fax 11 3767-4099
www.ipt.br


Abstract—The forensic report is based on the legal mandate that the methods of obtaining and preserving forensic evidence must assure its authenticity and integrity throughout its life cycle, from its collection at the crime scene until the completion of the report. This paper presents a proposal for an automated management and control system for the custody of forensic evidence. By automating the chain of custody, it is possible to identify at any time not only the forensic evidence but also the person responsible for it. The use of Radio-Frequency Identification (RFID) in the chain of custody improves the traceability of evidence. To test the feasibility of the proposal, a proof of concept was undertaken involving the forensic analysis department of the Techno-Scientific Police of the State of São Paulo (SPTC).

Index Terms—Custody, Forensic Evidence, RFID, IT.

I. INTRODUCTION

In the Brazilian legal system, evidence collected at a crime scene in the form of samples and traces must preserve its integrity and authenticity throughout the entire legal process, up to the final sentence. Integrity of evidence refers to the property of keeping all its characteristics unchanged. Authenticity refers to the guarantee that the evidence presented in court is the same as that collected at the crime scene. The loss of either of those characteristics, at any time during the legal process, may lead to the disqualification of the evidence.

The chain of custody applies to the handling of samples and traces in order to preserve their authenticity and integrity, and it also refers to the documentation used to register sample movements and manipulations by carriers, following determinations mandated by legal authorities [1]. In this process, each agent having access to the evidence must be identified and registered. The evidence, in turn, should also be identified and be identifiable at any time.

The Forensic Police assumes responsibility for the custody of evidence as soon as it is received by one of its operational units. Therefore, it is important to have a central authority responsible for guarding materials, substances, instruments and forensic objects, in order to minimize the risk of loss or alteration of evidence under custody [2] [3].

In 2010, a proof of concept of a system designed to automate the chain of custody of forensic evidence under its jurisdiction was launched in the Superintendence of the Techno-Scientific Police of the State of São Paulo (SPTC).

The present procedures for the custody of forensic evidence are manual and have many shortcomings.

Because evidence is handled manually without strong control procedures, there is a high chance of mismatch between the evidence and its accompanying documents. Evidence can be lost inside the operational units of the Superintendence, since preparing the forensic report can require many examinations, usually in different laboratories located in different units, buildings or even cities. These factors, combined with the large amount of evidence under custody, generate the need to improve the control of forensic evidence.

II. A PROPOSAL FOR AN AUTOMATED MANAGEMENT AND CONTROL SYSTEM FOR THE CUSTODY OF FORENSIC EVIDENCE

The new custody system must provide control in all phases of the evidence life cycle. Automation is aimed at reducing human error, minimizing the possibility of unauthorized manipulation of evidence, and giving access to data in real time.

Once evidence is received in the forensic analysis department, it receives an RFID tag with its identification code [4]. At this time, the evidence is registered in the chain of custody system. The identified evidence is then stored in the evidence warehouse. All movements of the evidence must be monitored by the system.

To manage and control the chain of custody, a computer system divided into four layers is proposed: Central System Layer, Local System Layer, Monitor System Layer, and RFID Portal.

The RFID Portal has two main purposes: automatic capture of evidence identification, and local signaling to indicate authorized and denied operations with the evidence. The Portal embeds technologies that enable quick and easy identification, with as little human interaction in the process as possible, and that can identify several pieces of evidence at the same time. All movements of evidence between sensitive areas within the forensic analysis department are monitored by RFID Portals located at the accesses to these areas.

The Monitor System manages the information flow from the RFID Portal and identifies from which area the evidence is coming.


The Local System is responsible for the intelligence of forensic evidence movement.

The Central System consolidates all the information from the Local Systems, allowing managerial control of the entire chain of custody over the evidence life cycle.

III. PROOF OF CONCEPT

In this context, a particular combination of technologies was studied and implemented to test the viability of the proposed control system.

The proof of concept had to meet requirements arising from the custody environment, namely: control of incoming and outgoing evidence, validating its integrity and authenticity; control of the volume of incoming and outgoing evidence in the analysis department; inventory management of the warehouse; real-time location of evidence in the different areas; control of access to evidence; detection of irregularities in evidence movements; tracking a specific item's chain of custody; evidence status (in admission, examination, ready for dispatch); identification of faulty points in the chain of custody.

Besides these requirements, some choices were made in defining the proof of concept: adopting a standard low-cost RFID tag model; the smallest possible interference in the day-to-day activities of the experts; allowing the traceability of the evidence, including information about its carrier and its current location; laboratories must satisfy technical conditions for confinement rooms.

Thus, the proof of concept was built using RFID EPC Gen 2 technology, a passive, standardized, low-cost tag model operating around the 900 MHz band. The laboratory that received the solution works with materials such as CDs, tapes, and DVDs. These items of forensic evidence are stored in security envelopes, to which the RFID tag was attached. In addition, the chosen evidence did not contain elements such as water and metal, which could hinder reading with the EPC Gen 2 model.

It was decided to restructure the layout of the analysis department's rooms in order to create an environment that supports the traceability requirement. In addition, the carriers also received an RFID card to identify their movements in the controlled areas.

The processes for the entrance, distribution and emission of forensic reports had to be redesigned to conform to the steps shown in Fig. 1.

Fig. 1 also shows the new layout of the analysis department and the operational sequence of administrative activities to be carried out to establish a full trace of the forensic evidence.

Fig. 1. Proof of concept case scenario.

In this proof of concept, the following tests were performed: capability of simultaneous tag readings; alternatives for positioning of the antennas; variation of passage speed and synchronization in the portals; best position for the tag in the envelope; studies of types of evidence containers, e.g. trolleys; alternatives for warehouse design.
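The portal decision described in Sections II and III (several tags read at once, a carrier identified by an RFID card, an authorized or denied signal, detection of irregular movements and faulty points) can be modeled as below. This is an added example, not code from the paper or from the SPTC system; the area names, the status-to-move rules, the per-item carrier list and all tag and card IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed rules (not from the paper): area-to-area moves each evidence status permits.
ALLOWED = {"in admission": {("reception", "warehouse")},
           "examination": {("warehouse", "laboratory"), ("laboratory", "warehouse")},
           "ready for dispatch": {("warehouse", "dispatch")}}

@dataclass
class Evidence:
    status: str      # one of the statuses named in the requirements
    area: str        # last area confirmed by a portal
    carriers: set    # card IDs allowed to carry this item (assumption)
    trail: list = field(default_factory=list)  # custody records, denials included

def process_read(registry, cards, ts, src, dst, tags):
    """Decide one portal crossing; `tags` holds every ID read together at the portal."""
    seen = [t for t in tags if t in cards]
    carrier = seen[0] if len(seen) == 1 else None
    verdicts = {}
    for tag in (t for t in tags if t not in cards):
        ev = registry.get(tag)
        if ev is None:
            verdict = "DENIED: unregistered tag"
        elif carrier is None:
            verdict = "DENIED: no single identifiable carrier"
        elif carrier not in ev.carriers:
            verdict = "DENIED: carrier not authorized"
        elif ev.area != src:
            verdict = f"DENIED: custody gap, last seen in {ev.area}"
        elif (src, dst) not in ALLOWED.get(ev.status, set()):
            verdict = f"DENIED: move not allowed while {ev.status}"
        else:
            verdict, ev.area = "AUTHORIZED", dst  # location changes only when authorized
        if ev is not None:
            ev.trail.append((ts, src, dst, carrier, verdict))
        verdicts[tag] = verdict
    return verdicts

def faulty_points(ev):  # trail records where custody was not cleanly continued
    return [rec for rec in ev.trail if rec[4] != "AUTHORIZED"]

def demo():  # constructed sample: three envelopes, two staff cards, three portal reads
    cards = {"CARD-01", "CARD-02"}
    reg = {"EV-1001": Evidence("examination", "warehouse", {"CARD-01"}),
           "EV-1002": Evidence("in admission", "warehouse", {"CARD-01"}),
           "EV-1003": Evidence("examination", "laboratory", {"CARD-01"})}
    reads = [("09:00", "warehouse", "laboratory", ["CARD-01", "EV-1001", "EV-1002", "EV-1003"]),
             ("09:05", "laboratory", "warehouse", ["EV-1001"]),             # no card read
             ("09:10", "laboratory", "warehouse", ["CARD-02", "EV-1001"])]  # wrong card
    return reg, [process_read(reg, cards, *r) for r in reads]
```

Calling `demo()` returns the registry and one verdict map per portal read; denied crossings stay in each item's trail, so `faulty_points` lists where the chain of custody broke and who was at the portal.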

IV. CONCLUSIONS

With the modification of the code of criminal procedure by Law 11.690/08 [5], the importance of the chain of custody has become evident in recent criminal cases. In many situations, forensic evidence produced at the crime scene was invalidated by faulty manipulation.

The technologies employed in the proof of concept represent an advance towards the automation of chain of custody management control systems. Ideally, the new systems will reduce incidents with evidence and its disqualification as proof in legal processes.

The success of the solution depends not only on the efficiency of the technologies employed, but also on the redesign of processes in the chain of custody and on the training and motivation of the people involved.

Nevertheless, the proof of concept demonstrated that the adopted technological solution shows potential for improving the efficiency of the chain of custody.

V. REFERENCES

[1] N. S. Bonaccorso, “Aplicação do exame de DNA na elucidação de Crimes” [DNA exam application in crime elucidation], master’s dissertation, Faculty of Law, Univ. of São Paulo, São Paulo, 2005 (in Portuguese).

[2] N. S. Bonaccorso and C. Perioli, “Centro de Custódia” [Center of custody], 16th Congresso Nacional de Criminalística (CNC 01), Florianópolis, 2003 (in Portuguese).

[3] R. Yaeger, “Criminal Computer Forensic Management,” InfoSec Conference, USA, 2006.

[4] V. D. Hunt, A. Puglia, M. Puglia, RFID: A Guide to Radio Frequency Identification, Wiley-Interscience, 2007.

[5] Código de Processo Penal, relativos à prova, e dá outras providências. Law 11.690, Brasília, Distrito Federal, 2008 (in Portuguese).


Automating the chain of custody using RFID technology to support the validation of forensics evidence

D. B. Viríssimo (1), A. Santiago (1), M. C. Machado (1), M. Y. Miyake (1), V. D. Giarone (1), M. G. Mazziero (1), H. F. W. Puhlmann (1), L. O. A. Ruiz (2)

(1) Institute for Technological Research, (2) Technical-Scientific Police of the State of São Paulo

Authors’ contact: [email protected] +55 11 3767-4656

1. Introduction

The chain of custody applies to the handling of samples and traces in order to preserve their authenticity and integrity, and it also refers to the documentation used to register sample movements and manipulations by carriers, following determinations mandated by legal authorities. In this process, each agent having access to the evidence must be identified and registered. The evidence, in turn, should also be identified and be identifiable at any time.

In 2010, a proof of concept of a system designed to automate the chain of custody of forensic evidence under its jurisdiction was launched in the Superintendence of the Technical-Scientific Police of the State of São Paulo (SPTC).

2. The proposal

The new custody system must provide control in all phases of the evidence life cycle. Automation is aimed at reducing human error, minimizing the possibility of unauthorized manipulation of evidence, and giving access to data in real time.

Once evidence is received in the forensic analysis department, it receives an RFID tag with its identification code. At this time, the evidence is registered in the chain of custody system. The identified evidence is then stored in the evidence warehouse. All movements of the evidence must be monitored by the system.

The RFID Portal has two main purposes: automatic capture of evidence identification, and local signaling to indicate authorized and denied operations with the evidence. The Portal embeds technologies that enable quick and easy identification, with as little human interaction in the process as possible, and that can identify several pieces of evidence at the same time. All movements of evidence between sensitive areas within the forensic analysis department are monitored by RFID Portals located at the accesses to these areas.

The Monitor System manages the information flow from the RFID Portal and identifies from which area the evidence is coming.

The Local System is responsible for the intelligence of forensic evidence movement.

The Central System consolidates all the information from the Local Systems, allowing managerial control of the entire chain of custody over the evidence life cycle.

3. Conclusion

The technologies employed in the proof of concept represent an advance towards the automation of chain of custody management control systems. Ideally, the new systems will reduce incidents with evidence and its disqualification as proof in legal processes.

The success of the solution depends not only on the efficiency of the technologies employed, but also on the redesign of processes in the chain of custody and on the training and motivation of the people involved.

Nevertheless, the proof of concept demonstrated that the adopted technological solution shows potential for improving the efficiency of the chain of custody.

Fig. 1. RFID Tags on Evidence wrapper

Fig. 2. System Architecture

Fig. 3. RFID Portal scheme

Fig. 4. Proof of concept case scenario