EviChain Standard – Version 1.21

Digital Evidence Management – Requirements for identification, collection, acquisition, and preservation.

Introduction

This standard specifies the requirements for a digital evidence management system, hereinafter referred to as EviChain. Its purpose is to provide organizations, particularly Small and Medium-sized Enterprises (SMEs), with a consistent, practical, and verifiable framework that ensures the integrity, authenticity, and defensibility of evidentiary material. The EviChain standard is designed as a practical implementation framework for the principles contained in the international standard ISO/IEC 27037.

1. Scope

The standard applies to all organizations that identify, collect, acquire, and preserve potential digital evidence as part of their operations. It covers processes from the moment of accepting an engagement requiring work with digital data, up to the secure transfer of the material and case closure.

The standard does not cover the analysis phase of the evidentiary material. All analytical activities must be performed on a separate working copy to ensure the inviolability of the master material.

2. Normative References

There are no normative references in version 1.2 of the standard.

3. Terms and Definitions

  • Digital Evidence: Information of evidentiary value that is stored or transmitted in digital form.
  • Chain of Custody: Chronological documentation tracking every action and every person who has had contact with the digital evidence from the moment of its acquisition.
  • Master Medium: A new, sterile data carrier, physically marked with the case number, on which the sole, inviolable copy of the evidentiary material is stored.
  • Hash (Checksum): A unique, cryptographic “fingerprint” of a file, generated using a standard algorithm (e.g., SHA-256).
  • Hash Manifest: A text file with a defined name (e.g., hash_manifest.txt) containing a list of evidence files along with their individual hashes.
  • EviChain Digital Seal: A single hash generated for the Hash Manifest file. It provides cryptographic security for the integrity of the entire set of evidence.

4. Core Principles

The EviChain system is based on four fundamental principles:

  • Principle of Inviolability of the Original: The source material is never modified. All technical operations are performed on a cryptographically verified 1:1 copy.
  • Principle of Full Documentation: Every action must be precisely and chronologically documented.
  • Principle of Cryptographic Verifiability: The integrity of the evidentiary material must be mathematically verifiable at any time.
  • Principle of Legal Compliance: The processing of personal data must have a documented, valid legal basis, verified before commencing technical activities.

5. Management System Requirements

An organization implementing the EviChain standard must:

  • Provide the resources necessary to implement and maintain the system.
  • Define roles and responsibilities for personnel.
  • Ensure that personnel have the appropriate competencies and have undergone training in the application of the standard.
  • Maintain and archive complete documentation for every case handled.

6. Procedural Requirements

The organization must implement and apply documented procedures for the following phases:

6.1. Preparatory and Legal Analysis Phase

  • Before commencing technical activities, the organization must conduct and document an analysis of the legal basis for data processing, in accordance with applicable laws.
  • A positive outcome of this analysis is a prerequisite for continuing the engagement.

6.2. Identification and Collection Phase

  • Each case must be assigned a unique identification number.
  • The act of receiving the source medium must be recorded in a chronological log of activities, which includes at least: date and time, a clear description of the medium, and operator details.

6.3. Acquisition and Copy Verification Phase

  • A new, sterile Master Medium must be prepared for each case.
  • Data from the source medium must be copied to the Master Medium using a method that ensures a 1:1 copy and includes mandatory cryptographic verification of the copy’s correctness.
  • Successful completion of the copy verification must be recorded in the chronological log of activities.

6.4. Integrity Protection Phase

  • A Hash Manifest must be generated for all evidence files on the Master Medium and saved on that medium.
  • A single, master EviChain Digital Seal must be generated for the Hash Manifest file.
  • The EviChain Digital Seal must be officially registered in the EviChain Public Ledger, a decentralized, immutable registry built on the blockchain.
  • All activities related to generating and registering hashes must be recorded in the chronological log of activities.

6.5. Completion and Data Management Phase

  • The transfer of the Master Medium to the client, along with a final report containing the EviChain Digital Seal, must be recorded in the chronological log of activities.
  • The organization must have and apply a documented data retention and deletion policy, compliant with applicable laws and contractual obligations.
  • After case closure, all copies of data not subject to mandatory archiving must be permanently deleted in a manner that prevents their recovery, and this action must be documented.

Annexes (Informative)

This standard may be supplemented by informative annexes containing sample documentation templates. These templates do not form a normative part of the standard and are provided within the “EviChain Implementation Guide”.

Scroll to Top