British Journal of Earth Sciences Research (BJESR)

web-server forensics

AI-Augmented Log Forensics for PowerShell-Based Malware Detection (Published)

Digital evidence forms the backbone of modern cybercrime investigations, particularly in web-server forensics, where logs, SSH traces, and system snapshots serve as critical artefacts for incident reconstruction. However, such evidence is inherently fragile: susceptible to tampering, manipulation, or accidental alteration during collection, storage, and transfer. Ensuring the authenticity and continuity of this evidence is central to preserving its legal and investigative credibility.

Conventional forensic models depend on centralized, trust-based architectures for managing evidence. These models are prone to insider threats, administrative errors, and single points of failure, leading to breaks in the chain-of-custody and undermining evidentiary integrity. Moreover, existing digital forensics tools lack mechanisms for verifiable, immutable recordkeeping of evidence handling events, leaving investigators reliant on procedural documentation rather than cryptographic assurance. This study introduces a Blockchain-Enabled Evidence Integrity Framework (BEEIF), a decentralized system that employs blockchain technology to establish tamper-proof, cryptographically verifiable chains-of-custody for web-server forensic artefacts. The framework leverages blockchain’s immutability, distributed consensus, and smart contract automation to transform the management of digital evidence into a transparent, mathematically provable process.

The proposed framework comprises five key components: (1) Evidence Acquisition Agents that securely collect logs and system snapshots, (2) a Hashing and Timestamping Module that generates SHA-3-512 hashes and trusted timestamps, (3) a permissioned blockchain layer that records cryptographic proofs and metadata, (4) smart contracts governing evidence registration, access control, and verification, and (5) a Verification Interface for investigator interaction.

A proof-of-concept was implemented on a simulated testbed featuring a compromised web server and a private blockchain network (Hyperledger Fabric), with realistic performance metrics analyzed to assess feasibility. The results demonstrated that blockchain integration achieved tamper-proof traceability with negligible system overhead: approximately 2.3% CPU utilization and sub-second transaction latency. Blockchain growth remained minimal due to the separation of on-chain metadata and off-chain evidence storage. These findings validate the framework’s ability to maintain evidence integrity and transparency in real time without compromising operational efficiency.

The BEEIF framework redefines digital forensics by shifting evidentiary trust from procedural dependence to cryptographic verifiability. By securing the entire forensic evidence lifecycle through blockchain immutability, this approach offers a transformative pathway for credible, cross-institutional cybercrime investigations and legally defensible digital evidence management in the emerging era of decentralized cybersecurity assurance.
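The following is an added illustration, not code from the paper or its testbed, of the hashing, on-chain/off-chain split and verification steps the abstract describes: a SHA-3-512 custody ledger in which each record holds only metadata and proofs, links back to the previous record, and can be checked against an off-chain artefact copy. The hash-linked Python list is an assumed stand-in for the Hyperledger Fabric layer, and the sample log line and timestamps are constructed values.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

# Constructed sample artefact (not from the paper): one web-server access-log line.
SAMPLE_LOG = b'10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 512\n'

def hash_artifact(data: bytes) -> str:
    """Hashing module: SHA-3-512 over the raw artefact bytes, as the abstract specifies."""
    return hashlib.sha3_512(data).hexdigest()

@dataclass
class CustodyEvent:
    """One on-chain record: metadata and proof only; the artefact itself stays off-chain."""
    artifact_id: str
    action: str        # "acquire", "transfer", "analyze", ...
    actor: str
    timestamp: int     # trusted timestamp in the paper; supplied by the caller here
    artifact_hash: str
    prev_hash: str     # entry_hash of the preceding record, giving the chain linkage
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return hashlib.sha3_512(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLedger:
    """Append-only, hash-linked list standing in for the permissioned blockchain layer."""
    GENESIS = "0" * 128
    def __init__(self):
        self.entries: List[CustodyEvent] = []
    def register(self, artifact_id, action, actor, data: bytes, timestamp: int) -> CustodyEvent:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ev = CustodyEvent(artifact_id, action, actor, timestamp, hash_artifact(data), prev)
        ev.entry_hash = ev.compute_hash()
        self.entries.append(ev)
        return ev
    def verify_chain(self) -> bool:
        """Any edited or reordered record breaks either its own hash or the back-link."""
        prev = self.GENESIS
        for ev in self.entries:
            if ev.prev_hash != prev or ev.compute_hash() != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True
    def verify_artifact(self, artifact_id: str, data: bytes) -> bool:
        """Verification interface: does the off-chain copy match its latest on-chain hash?"""
        history = [e for e in self.entries if e.artifact_id == artifact_id]
        return bool(history) and hash_artifact(data) == history[-1].artifact_hash
```

A real deployment would replace the in-memory list with ledger transactions and have the timestamp come from a trusted source rather than the caller; the verification logic stays the same.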

Keywords: blockchain forensics, chain-of-custody, cybercrime investigation, digital evidence integrity, evidence immutability, web-server forensics
