Alexandria Engineering Journal 86 (2024) 631–643

Contents lists available at ScienceDirect

Alexandria Engineering Journal

journal homepage: www.elsevier.com/locate/aej

ORIGINAL ARTICLE

A novel blockchain-based digital forensics framework for preserving

evidence and enabling investigation in industrial Internet of Things
Nan Xiao, Zhaoshun Wang ∗ , Xiaoxue Sun, Junfeng Miao
University of Science and Technology Beijing, Beijing, China

A R T I C L E I N F O A B S T R A C T

Keywords: To address challenges in digital evidence collection and responsibility determination for industrial safety
IIoT accidents involving industrial Internet of Things (IIoT) device nodes, this paper proposes a blockchain-based
Blockchain digital forensic scheme within the IIoT communication architecture. The scheme utilizes a decentralized
Digital forensic
blockchain storage mechanism to enable remote storage of digital forensic data. Additionally, it leverages smart
Electronic evidence
contract mechanisms to facilitate efficient retrieval and tracing of related evidence chains. To enhance data
Consensus algorithm
security of IIoT device nodes, a token mechanism is implemented for access control. Moreover, to meet real-time
evidence acquisition requirements in IIoT, an efficient batch consensus mechanism is proposed. Experimental
simulations demonstrate the superiority of the novel consensus algorithm compared to the traditional Delegated
Proof-of-Stake (DPOS) consensus in the proposed scheme for the IIoT environment. It meets speed requirements
for evidence collection, ensuring tamper-proof, non-repudiable, and permanent storage of digital forensic data.
Consequently, the application of blockchain technology for judicial access and evidence storage has made
significant contributions to digital forensics within the IIoT context.

1. Introduction software platforms [5] [6] [7]. Consequently, digital forensics practi-
tioners [8] must possess knowledge of and adapt to the characteristics
The advent of industrial Internet of Things (IIoT) has revolutionized of diverse systems to collect and analyze relevant digital evidence ef-
industrial environments by enabling the interconnectivity of devices, fectively. Real-time requirements pose another challenge in IIoT envi-
sensors, and systems. While IIoT brings numerous benefits, it also in- ronments. Data generated in IIoT systems often necessitates real-time
troduces challenges for digital forensics investigations [1]. One of the analysis and response [9]. As a result, minimizing system interference
primary challenges in IIoT environments is the massive volume of data during digital forensics investigations becomes critical to ensuring un-
generated [2]. The diverse range of sensors, devices, and systems pro- interrupted production and operations. Developing appropriate tech-
duce a vast amount of data, including production data, transmission niques and tools [10] [11] for real-time data forensics and analysis is
logs, and alarm information [3]. Effectively processing and analyzing essential. Security and privacy concerns also present significant chal-
such large-scale data require robust computational capabilities and spe- lenges in IIoT digital forensics. Accessing sensitive data and systems
during the forensic process may expose potential security threats and
cialized analysis tools. Another significant challenge is the diversity of
privacy risks. Consequently, appropriate security measures must be im-
data sources [4] within IIoT. Various devices and sensors from differ-
plemented to ensure data confidentiality and integrity while complying
ent manufacturers utilize different communication protocols and data
with relevant laws and regulations.
formats. Consequently, digital forensics investigators must handle and
parse a wide array of data sources while ensuring data integrity and
accuracy. In addition to data diversity, IIoT systems are characterized 1.1. Motivation
by their distributed and heterogeneous nature. They consist of physical
devices, sensors, controllers, and network equipment, often provided Currently, most evidence preservation systems rely on centralized
by different vendors and employing different operating systems and repositories comprised of third parties [12]. This inevitably leads to

* Corresponding author.
E-mail addresses: [email protected] (N. Xiao), [email protected] (Z. Wang), [email protected] (X. Sun), [email protected]
(J. Miao).

https://doi.org/10.1016/j.aej.2023.12.021
Received 29 October 2023; Received in revised form 30 November 2023; Accepted 11 December 2023
Available online 15 December 2023
1110-0168/© 2023 THE AUTHORS. Published by Elsevier BV on behalf of Faculty of Engineering, Alexandria University. This is an open access article under the
CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

various issues. Centralized structures necessitate robust security re- simulation results and security analysis. Section 7 concludes the paper
quirements, as breaches into centralized storage nodes can cause se- with a summary.
rious problems like information leakage and data tampering. Similar
to current digital forensic methods, centralized structures are vulner- 2. Related work
able in terms of transparency and reliability, leading people to con-
stantly question the dependability of services. Additionally, the myriad With the widespread application of digital evidence and continued
IoT devices have different producers and service providers, so an inte- practice in the legal field, blockchain-based electronic evidence has
grated digital forensic framework is needed. This negatively impacts been applied and validated in various scenarios (Table 1). Firstly, in the
forensic investigation and system scalability. In contrast, distributed field of cloud computing, more and more enterprises and government
blockchain networks provide a transparent and reliable security envi- agencies have started to build or rent third-party cloud centers to deploy
ronment where data can be protected through large-scale computing their own production systems. In this environment, obtaining authen-
power [13]. Trusted timestamps can be promptly appended to newly tication of electronic data in the cloud becomes quite difficult, involv-
created blocks. Most importantly, dispersing the authority of the audi- ing not only cloud storage and virtual machines components, but also
tor helps avoid trust issues and demonstrates the integrity, accuracy, requiring cooperation between investigators, institutions and cloud ser-
and timeliness required for preservation. vice providers. Currently, through blockchain technology, researchers
Existing IIoT forensics scheme primarily focus on identifying evi- are studying the centralized acquisition framework, data sources and
dence and investigative procedures [14], while ignoring several unre- integrity protection of electronic evidence in cloud environments, and
solved critical challenges. First, there are no systematic guidelines for have achieved a series of results.
acquiring evidence from complex IIoT systems and securing it from tam- Rane S et al. [16] proposed a secure logging service assisted by
pering. Second, current techniques cannot fully protect the integrity of blockchain to securely store and process different log types and solve
evidence, ensure confidentiality and anonymity, or track provenance. the problem of collusion between multiple stakeholders in cloud acqui-
Third, single points of failure in storage media continue to prevent the sition investigations.
efficient acquisition of evidence and the conclusive verification of in- Pourvahab M et al. [17] used SDN and blockchain to propose a dig-
tegrity during investigations. In summary, existing research does not ital acquisition architecture to reliably collect and store evidence from
provide solutions for systematic evidence collection protocols, robust IaaS cloud environments.
preservation of integrity and provenance, or the elimination of reliabil- Duy P et al. [18] proposed a blockchain-based method to improve
ity issues in storage media. This leaves significant knowledge gaps in the security of log management used for network acquisition in SDN,
the development of robust IIoT forensic frameworks. through fine-grained access control to protect the important role of log
To address these gaps in collecting and protecting electronic ev- files in appropriate storage in digital acquisition and cloud security.
idence, blockchain technology can complement existing efforts as a The above studies reflect that the application of blockchain tech-
decentralized distributed ledger system. Blockchain offers resilience for nology in cloud environments has undoubtedly greatly enhanced the
electronic data through its principles of environmental security, re- capability to collect and securely store electronic evidence in distributed
dundancy, record-keeping and proportional evidence preservation. Its cloud computing environments, and the field of electronic evidence in
chain-like structure ensures block dependency, detecting and alerting cloud computing has developed well. Secondly, in the field of Internet
any data tampering. Additionally, blockchain guarantees evidence in- of Things (IoT), IoT technology is widely used in various fields of so-
tegrity, prevents tampering, and enhances robustness. As a distributed ciety, such as smart home, intelligent transportation, wearable medical
shared database, blockchain’s decentralization, tamper-resistance and devices and energy. These fields are characterized by diverse IoT de-
traceability enable IIoT evidence access [15]. However, blockchain’s vices that can generate and collect various data for extensive analysis
inherent transparency challenges data privacy. Current research nar- and record the real-time status of systems. This reliable and complete
rowly focuses on blockchain evidence storage without reasonable access data can serve as electronic evidence to resolve disputes and combat cy-
control or privacy considerations. Existing works also still have single bercrime, so a reliable electronic evidence management mechanism is
points of trust, which cannot robustly guarantee evidence authentic- needed in the IoT environment. Considering that blockchain can ensure
ity, integrity, privacy and traceability throughout the lifecycle. To ad- the confidentiality and integrity of data, applying blockchain technol-
dress these limitations and satisfy real-world demands, we propose a ogy to solve challenges in IoT evidence acquisition has attracted aca-
blockchain-based forensic scheme for IIoT evidence. demic attention, with some research proposing new ideas for combining
blockchain with electronic data authentication in IoT environments.
1.2. Research contributions Le D et al. [19] proposed automatic recording of electronic evidence
oversight chains through blockchain smart contracts to mitigate IoT se-
The contribution of this paper is manifold. curity issues during network attacks.
Kumar G et al. [20] addressed the heterogeneity of IoT and lack
1. We identify and discuss the problems and limitations of performing of transparency in evidence handling by using regulatory and evidence
digital forensics in the IIoT environment. chains to process all stakeholders in investigations and provide solutions
2. We propose a novel forensic investigation framework for IIoT us- for cross-border legalization of evidence.
ing decentralized blockchain technology. This includes models for Malamas V et al. [21] proposed an authorization framework sup-
collecting digital evidence and storing it in a tamper-evident, trust- ported by blockchain to manage medical IoT (IoMT) devices and health-
worthy way. care stakeholders. The framework can provide fine-grained access to
3. We provide security analysis of our proposed scheme, compare it patient health data and provide audit tracing of provenance through in-
to related works, simulate and test the model to demonstrate proof tegrity and source assurances by retaining all logs in the custody chain.
of concept, and discuss future research directions in this area. Rekha G et al. [22] studied collecting data extracted as evidence
from various IoT devices of different data formats, such as Raspberry
1.3. Paper outline Pi, and recording it in a public digital ledger to enable precise check-
ing of evidence provenance and ensure traceability and auditability. In
The remainder of the paper is organized as follows: Section 2 re- addition, with the continuous rise in market share of new energy vehi-
views related work. Section 3 introduces relevant models and algo- cles and their increasing intelligence and promotion of smart roads,
rithms. Section 4 describes the digital forensic scheme in detail. Sec- blockchain has been fully applied in relevant links of electronic ev-
tion 5 discusses the three key implementation stages. Section 6 presents idence authentication in vehicle networks facing traffic accidents or

632
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Table 1
Summary of recent surveys on blockchain.

Author Applications Smart Contract Main Contribution

Rane S et al. [16] Cloud No Proposed a secure logging service assisted by blockchain for different log types,
addressing collusion in cloud investigations.
Pourvahab M et al. [17] Cloud No Used SDN and blockchain to propose a digital acquisition architecture for IaaS
cloud environments.
Duy P et al. [18] Cloud No Proposed a blockchain-based method for secure log management in network
acquisition and cloud security.
Le D et al. [19] IoT No Proposed automatic recording of electronic evidence oversight chains through
blockchain smart contracts for IoT security.
Kumar G et al. [20]. IoT No Addressed IoT heterogeneity and evidence transparency using regulatory and
evidence chains for cross-border legalization.
Malamas V et al. [21]. IoMT Yes Proposed a blockchain-supported authorization framework for managing
medical IoT devices and healthcare stakeholders.
Rekha G et al. [22] IoT Yes Studied the collection of data from various IoT devices for evidence, recording
it in a public digital ledger for traceability and auditability in vehicle networks
and smart roads.
Hossain M et al. [14] IoV No Proposed a digital evidence framework called TrustIoV for IoV systems, focusing
on secure evidence collection and storage.
Our study IIoT Yes Emphasized the use of blockchain technology for digital evidence
authentication and storage across various industries and fields, contributing
significantly to IIoT-era reliable electronic evidence systems.

public safety incidents on roads that were previously difficult to trace nodes storing the actual data and non-leaf nodes containing hash values
back, which could provide detailed and accurate data as electronic of the leaf data to reduce capacity for synchronization and backup. The
evidence to help government agencies for investigation, analysis and Merkle root is obtained by hashing the block body data. Any block value
accountability of accidents. change affects the entire blockchain. Additionally, each block’s times-
Hossain M et al. [14] proposed a digital evidence framework called tamp ensures transaction data immutability and traceability within the
TrustIoV for IoV systems, which provides mechanisms for collecting and blockchain. A block undergoes three stages - transaction distribution,
storing trusted evidence from distributed infrastructures, maintaining validation, and synchronization - from generation to successful chain
the security of evidence provenance to ensure integrity of stored ev- incorporation, with the consensus algorithm being key. Traditional al-
idence, and allowing investigators to verify evidence integrity during gorithms like Proof of Work (PoW), Proof of Stake (PoS), and DPoS have
investigations. inefficient miner node competition. Both transaction propagation and
In summary, choosing blockchain technology as a solution for digital validation require full network broadcasting. For networks with sub-
evidence authentication and storage has been vigorously used in various stantial nodes, this consumes significant bandwidth and fails to meet
industries and fields such as cloud computing, IoT, vehicle networks, IIoT transaction timeliness requirements.
judicial, smart city, playing an important role. Blockchain proves to
be an important and meaningful technical approach for establishing 3.3. DPoS(Delegated Proof of Stake)
reliable electronic evidence systems in many fields. However, in the
domain of digital forensics in IIoT, challenges arise due to the diversity The DPoS algorithm has advantages like efficiency, decentraliza-
of devices and platforms, massive data volumes, and concerns regarding tion, and scalability, but it also has drawbacks: oligopoly and repre-
real-time processing, security, and privacy. Presently, there is a lack sentative node responsibility. Oligopoly occurs because voting power
of sufficiently mature research in this area. The novel IIoT electronic is delegated to limited representative nodes, enabling control over the
forensics framework proposed in this paper effectively fills this gap, network. Representative nodes’ actions impact transaction confirma-
addressing the difficulties of evidence collection and preservation in tions and network security. The concentration of power among a small
IIoT to a significant extent. number of representative nodes can lead to concerns about central-
ization and potential manipulation. The decision-making authority of
3. Preliminaries these nodes can potentially be influenced or exploited, compromising
the fairness and integrity of the blockchain network. Additionally, the
3.1. IIoT infrastructure responsibility placed on representative nodes to validate transactions
and maintain the network’s security can be burdensome. If a represen-
The IIoT takes various basic industrial equipment as its fundamental tative node fails to fulfill its duties effectively, it can have detrimental
components. It uses sensor technologies to collect raw data, and wireless effects on the network’s performance and reliability. To address these
or wired communication techniques to achieve information dissemina- challenges, it is crucial to have mechanisms in place to ensure a fair
tion and communication between devices, gateways, and data centers. and diverse representation of nodes within the DPoS consensus model.
As shown in Fig. 1, a typical IIoT structure consists of three main types This can involve implementing measures to prevent collusion among
of nodes: Industrial Device Node, Gateway Unit (GU) and Cloud Plat- representative nodes and promoting transparency in the election and
form. decision-making processes.

3.2. Blockchain 3.4. Digital forensic in IIoT

Blockchain is a specific data structure that chronologically chains to- Digital forensics [25] pertains to the scientific procedure of identify-
gether data blocks to form a tamper-proof decentralized ledger through ing, preserving, collecting, and presenting digital evidence in a manner
cryptographic means [23]. Each blockchain data block consists of a that meets the requirements for legal admissibility in a court of law.
header and body. The header records metadata like the current ver- Any information stored or extracted from digital media can poten-
sion number, previous block address, target hash value, and Merkle tially serve as digital evidence during a forensic investigation [26]. In
root [24]. The body contains structured data as a Merkle tree, with leaf contrast to traditional digital forensic scenarios where examiners can

633
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Fig. 1. IIoT Infrastructure.

Table 2 4.1.1. Gateway unit node

Comparison of IIoT Forensics and Traditional Digital Forensics. In this solution, besides fulfilling the traditional functions of the
Criteria IIoT Forensics Traditional Forensics IIoT, they also act as full nodes in the blockchain, storing relevant
and complete evidence data. They perform functions such as network
Scope Industrial/OT systems IT systems
Response Time Real-time required Flexible timeline
routing, consensus agreement, and transaction recording. In terms of
Data Volume Massive sensor data Lower file/log volumes security, industrial equipment nodes are authenticated by regulatory
Data Type Ephemeral sensor data Persistent files/logs agencies to ensure the identity of various industrial devices.
Heterogeneity Diverse OT assets Standard IT assets
Logging Limited in devices Robust in IT systems
4.1.2. Security regulatory department
Operations Avoid downtime Less constraints
Regulations Industrial specific General cybersecurity After an industrial safety incident occurs, this Department conducts
Tools Specialized tools Traditional tools digital forensics. In the improved consensus mechanism algorithm of
Challenges Data volatility Persistent data the solution, regional industrial data forensics Departments vote to se-
lect wireless access points or gateways as consensus nodes to enhance
consensus efficiency.

physically seize digital equipment to gather evidence, IIoT cases present

4.1.3. Judicial department
challenges in terms of isolating and shutting down certain devices for
Comprised of law enforcement agencies (regulatory agencies and
evidence extraction, making it impractical to transport them back to the courts), these departments can query and analyze the evidence stored
laboratory. For example [27], forcibly shutting down virtual machine by disputing entities in the chain and make liability judgments. They
instances would result in the loss of volatile data crucial for foren- also provide evidence to insurance company for convenient payment of
sic analysis, thereby compromising event reconstruction. Hence, IIoT compensation or implementation of relevant services.
forensics necessitates proactive collection and preservation of valuable
forensic data to enhance investigative capabilities within the environ- 4.1.4. Insurance company
ment while minimizing incident response costs [28]. Some research In the event of an industrial safety incident, insurance company
focus on developing forensic readiness systems that enable real-time ev- promptly provides troubleshooting and repairs services by querying ev-
idence collection from IIoT systems, followed by transmission to trusted idence or receiving relevant evidence from Judicial Departments. This
repositories for secure storage. This approach ensures the forensic capa- helps reduce losses and downtime for factories and businesses, as well
bilities of IIoT environments. Table 2 illustrates the differences between as determine compensation plans.
traditional digital forensics and IIoT forensics.
4.1.5. Security regulatory agency
4. Evidence preservation and digital forensics framework Responsible for the security supervision and management of the
IIoT, including network security, data security, and device security.
They establish and enforce security standards for industrial equipment
4.1. Scheme architecture
and systems and oversee enterprise security management and produc-
tion processes.
The overall architecture of blockchain-based digital forensics scheme The process of digital evidence storage and retrieval in our scheme is
in the IIoT is depicted in Fig. 2. In the IIoT environment, a consortium as follows: The industrial device node is registered with the security reg-
chain is formed by the alliance of industrial device nodes, gateway ulatory department offline and obtains the initialization authentication
nodes, regulatory agencies, judicial departments, and insurance com- parameters. After being authenticated and connected to the network,
pany. The industrial device nodes, judicial departments, and insurance the node periodically sends the collected status data during operation
company act as lightweight nodes, storing block headers. The gateway to a nearby gateway. The gateway verifies the reliability of the data
nodes and regulatory agencies serve as full nodes, responsible for stor- and adds new evidence to the blockchain. In the event of an accident
ing the entire chain and adding new blocks. requiring liability determination, the relevant judicial and insurance

634
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Fig. 2. Workflows of digital forensics scheme for IIoT based on blockchain.

sensus request. Other 𝐺𝑈 s enter the authentication preparation state.

𝐺𝑈𝑗 broadcasts the block, and the remaining 𝐺𝑈 s return the verifi-
cation results and continue to package the block. After receiving the
authentication passed message, 𝐺𝑈𝑗 adds the block to the blockchain.
This consensus algorithm can effectively improve the consensus
speed. Its advantages are:

1. The nodes that implement this consensus algorithm exist in the

alliance chain, and all consensus nodes are trustworthy and online;
2. The existence of the main node ensures that the blockchain will not
fork;
3. The consensus nodes are selected by multi-party industrial super-
vision through voting, and their randomness ensures the reliability
of the consensus mechanism;
4. The consensus nodes can send verification results at any time with-
Fig. 3. Consensus Phase.
out waiting for the right to speak, and conduct batch consensus,
greatly improving the consensus speed and ensuring the timeliness
company apply to the security regulatory department for query per- of evidence.
missions to conduct blockchain verification. They obtain the related
operational status data of the industrial device nodes and reconstruct 4.3. Block storage structure and retrieval
the accident scene for further liability determination.

4.2. Improved DPoS consensus algorithm Fig. 4 showcases the block storage structure, as defined in our
scheme, where transaction information is stored utilizing key-value
The original Delegated Proof of Stake (DPoS) algorithm typically pairs. The key is created by combining the path from the root node
considers 21 blocks as a cycle, with 21 block producers selected through to the leaf node, while the key values on the path represent the up-
a voting process. It requires 100% producer participation, ensuring load time of the evidence, the 𝐼𝐷 number of the 𝐺𝑈 , and the 𝐼𝐷
every consensus node is aware of a transaction within 1.5 seconds, sub- number of the industrial device node, respectively. The data is orga-
sequently taking turns to produce the block. However, as transaction nized by “hour” as the unit, and data uploaded within the same hour
confirmation information can only be sent when a node has the turn to is grouped into a path, which is then further divided into branches by
produce a block, this results in extended transaction confirmation times, “minute” as the unit. Within the time-formed branch, the data is clas-
slowing down the overall consensus speed. This makes it unsuitable for sified and summarized according to the gateway and the 𝐼𝐷 code of
real-time evidence storage in the IIoT era. The newly proposed fast con- the industrial device node, based on the regional hierarchy. This orga-
sensus algorithm comprises various entities, including Industrial device nized integration of data enables quick location of the corresponding
nodes, Gateway nodes, Regulatory Agencies, Insurance Company, and path and improves query efficiency. Additionally, the value field stores
Judicial Department. In this system, both the gateway nodes and the the status data of the industrial device node.
Regulatory Agencies serve as fully nodes participating in the consensus The block retrieval uses the Bloom Filter algorithm, which com-
process. presses transaction data through hash functions and stores them as
The process is shown in Fig. 3: a total of 21 gateway unit (GU) points in a vector. Block retrieval can utilize the Bloom Filter algorithm
nodes were selected by voting from various local security regulatory for the following reasons:
departments to participate in block generation, with one gateway node
as the main node and the remaining 20 GU nodes responsible for block • Space efficiency: Bloom Filter only stores the hash values of blocks,
packaging. not the blocks themselves, which significantly reduces space re-
After recording three blocks, 𝐺𝑈𝑗 sends a consensus request to the quirements for large blockchains.
main node 𝐺𝑈𝑗 . The main node broadcasts a request message for au- • Improved efficiency: Bloom Filter allows for a fast initial check to
thentication preparation to the other 19 𝐺𝑈 s upon receiving the con- determine if a block exists, avoiding the need to search the entire

635
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Table 3
Symbols and their meanings.

Symbols Meanings

𝐺1 , 𝐺2 Group satisfying bilinear mapping

𝑞, 𝛼 Prime numbers
𝐻() Hash encryption function
𝑃𝑥 Public key
𝑆𝑥 Private key
𝑉 Evidence
𝑁 Random numbers
𝑀 Query token
𝑆𝑖𝑔𝑛𝑥 () Signature algorithm
𝐸𝑥 () Encryption algorithm
𝐼𝑀𝑖 Unique identifier for identity
𝑇 𝑆reg Register time

stage for industrial device nodes includes both online and offline reg-
istration. Table 3 provides an explanation of the symbols used in the
scheme.

5.1. Identity registration

The Security Regulatory Agency serves as a Trust third party to

initialize industrial device nodes, gateway units, and generate initial
Fig. 4. Structure of block storage. parameters: selecting a group 𝐺1 and 𝐺 that satisfy bilinear map-
ping, generating a random number 𝑠 ∈ Z∗𝑞 as the master key, where
Z∗𝑞 represents prime numbers in the set of positive integers. Com-
pute the public key 𝑃pub = 𝑠𝑞, 𝑛 = 𝛼𝑞 . The public parameters include
{ }
𝐺1 , 𝐺2 , 𝑛, 𝑃 , 𝑃pub , 𝐻1 , 𝑔 . Here, 𝐻1 ∶ {0, 1}∗ → 𝐺1 represents a one-
way hash encryption function; Parameter 𝑔 represents a bilinear map-
ping; 𝐺1 , 𝐺2 are additive and multiplicative groups of prime order,
respectively; Parameter 𝑃 is a generator of 𝐺1 . Identity registration
consists of two parts: offline registration and online registration. Of-
fline registration involves initializing the parameters for identity au-
thentication using industrial device nodes and gateways, while online
registration ensures the privacy and security of communication among
Fig. 5. Retrieval of Bloom Filter.
industrial device nodes.

blockchain for each check. This greatly improves the efficiency of 5.1.1. Offline registration
block retrieval. When the industrial device nodes are first installed or inspected pe-
• Error tolerance: Though Bloom Filter has a probability of error, riodically, the Security Regulatory Department inspects the state of the
they cannot mistakenly report a non-existent block as existing. This industrial device nodes and sets a shared key 𝑥𝑖 ∈ 𝐙∗𝑞 according to the
level of error is acceptable for block retrieval. identity information 𝐼𝑁𝐷𝑖 ∈ {0, 1}∗ (such as device serial number) and
industrial device node information 𝐼𝑁𝑀𝑖 (such as MAC address) pro-
When a new block is generated, its hash is calculated and mapped vided by the node/sensor, and establishes the association:
to multiple positions in the Bloom Filter using different hash functions. (⊕ represents XOR operation)
The corresponding bits are then set to 1. Similarly, when retrieving a
( )
block, its multiple hashes are also calculated and mapped to the Bloom 𝑅𝑖 = 𝐻1 𝐼𝑁𝑃𝑖 ⊕ 𝑥𝑖 (1)
Filter. If all the bits are 1, it is likely that the block exists. However, if
any of the bits are 0, it can be confirmed that the block does not exist. It Calculate the global unique identifier:
should be noted that for blocks reported as existing by the Bloom Filter, ( )
𝐼𝑀𝑖 = 𝐻1 𝐼𝑁𝐷𝑖 ‖ ‖
‖𝑥𝑖 ‖ 𝑇 𝑆reg ∈ 𝐺1 (2)
a full match in the blockchain is still required to confirm the result.
This approach presents a tradeoff between space and time. The initial and form the industrial device node 𝐼𝐷𝑖 according to the gateway area
quick check using the Bloom Filter is followed by a complete match for and device serial number.
accuracy. This significantly reduces the complexity of block{retrieval. } Prior to deployment, the gateway units are purchased and ini-
For instance, as illustrated in (Fig.) 5, let the set 𝑋 (= )𝑥0 , 𝑥1 be tialized by the Security Regulatory Department in a unified man-
mapped by the hash function as 𝐻 𝑥0 = (2, 3, 7) and 𝐻 𝑥1 = (4, 7, 9). ner. The Security Regulatory Department generates an integer 𝑒 that
Then, the elements at positions 2, 3, 4, 7, and 9 in the ( )vector B are set satisfies gcd(𝜙(𝑛), 𝑒) = 1 according to the RSA public key cryptosys-
to 1. When checking if element 𝑦0 exists, since 𝐻 𝑦0 = (1, 4, 7) and tem for the gateway,
{ } and generates the public and private key pair
the first position is 0, it indicates that 𝑦0 is not in the set 𝑋 . 𝑃R {𝑒, 𝑛}, 𝑆R {𝑑, 𝑛} , where 𝑑 = 𝑒−1 ( mod𝜙(𝑛)). And 𝐼𝐷r is assigned as
the unique identifier of the gateway. Stores the shared key 𝑘 between
5. Implementation the Security Regulatory Department and the gateway. The gateway ran-
domly selects an integer 𝑟r ∈ 𝐙∗𝑞 and broadcasts the parameters 𝑟r 𝑃R .
The implementation of the digital evidence preservation scheme can The Security Regulatory Department stores the 𝐼𝐷𝑖 − 𝐼𝑀𝑖 and 𝐼𝐷r − 𝑘
be divided into three stages: identity registration, real-time storage of mapping data. The Security Regulatory Department is a trusted full
evidence data, and evidence data retrieval. The identity registration node in the blockchain, responsible for registering and authenticating

636
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Table 4 Table 5
Structure of Token. Evidence data structures.

Gateway Id 𝑃Token Timestamp Time 𝐺𝑈𝐼𝐷 Sensor𝐼𝐷 Devices Status SignSv

the identity information of judicial departments and insurance com- the industrial device node accepts the broadcast data from GU, gener-
pany. The judicial Department and insurance company register their ates a random integer 𝑟r ∈ 𝐙∗𝑞 , and calculates the session 𝑘𝑒𝑦.
device information with the Security Regulatory Department, the Secu-
rity Regulatory Department initializes the parameters in the
b)( The industrial device node ) sends a handshake request 𝑟𝑒𝑞1 ∶
{ same
} way, 𝐸PR Token, 𝑟𝑖 𝑃 , 𝑁1 , 𝑆𝑖𝑔𝑛𝑆𝑇 𝑜𝑘𝑒𝑛 , the industrial device node generates
assigns them an 𝐼𝐷𝑥 and public and private key pair 𝑃𝑥 , 𝑆𝑥 , and the signature 𝑆𝑖𝑔𝑛𝑆𝑇 𝑜𝑘𝑛 with the private key; The request message is
stores the 𝐼𝐷𝑥 − 𝑃𝑥 mapping data. encrypted and sent with 𝐺𝑈 ’s public key 𝑃R . ( ))
(
c) 𝐺𝑈 → 𝑠𝑒𝑛𝑠𝑜𝑟: res1 ∶ 𝐸key Success, SignSR 𝑁1 .
5.1.2. Online registration
① Verify the identity of the industrial device node: decrypt the mes-
The networking process when the industrial device node is in oper-
sage 𝑟𝑒𝑞1 SR mod 𝑛 with the private key and verify the signature:
ation:
( )𝑃Token ( )
{ } 𝑆𝑖𝑔𝑛𝑆𝑇 𝑜𝑘𝑒𝑛 mod 𝑛 = 𝑇 𝑜𝑘𝑒𝑛 ‖ ‖
‖𝑁1 ‖ 𝑟𝑖 𝑃 (4)
1. Generate the public and private key pair 𝑃Token , 𝑆Token by itself
using the RSA algorithm. is correct, invoke the smart contract, locate the key-value branch corre-
2. According to the temporary public key, generate the temporary sponding to Token in the blockchain, that is, recognize the legitimacy
identity credential Token, whose structure is shown in Table 4. of the identity of the industrial device node, and at the same time ob-
3. When entering the coverage of the gateway, receive the infor- tain the value: industrial device node 𝐼𝐷𝑖 . If no branch is found, this
mation 𝐺𝑈 periodically
{ } broadcasts and send the message 𝑚0 = message is discarded.
𝐴𝑖 , 𝑇 𝑆𝑖 , 𝑃pub to it. Where 𝐴𝑖 represents the result of encrypting ② Respond to the handshake request: GU generates the session key:
{ }
‖ ‖ ( ( ))
the information 𝐼𝐷𝑖 ‖𝑃pub ‖ 𝐼𝑀𝑖 ‖ Token ‖𝑇 𝑆𝑖
‖ ‖ 𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑘𝑒𝑦2 = 𝐻1 𝑔 𝑟r 𝑆r , 𝑟𝑖 𝑃 (5)
4. 𝐺𝑈 receives 𝑚0 , first verifies whether the timestamp ||𝑇 − 𝑇 𝑆𝑖 || < ( )
Δ𝑇 is valid, if it is valid, decrypts 𝐴𝑖 with 𝑆R to obtain 𝐼𝐷𝑖 and The signature SignSR 𝑁1 of the selected random number 𝑁1 , the au-
𝑃pub , and verify whether the parameters 𝑃pub matches the plaintext thentication result Success is encrypted with the session key as the
in 𝑚0 . After ensuring the validity and integrity of the informa- message:
tion, it requests identity authentication of the industrial device ( ( ))
node from{the Security Regulatory Department: 𝑟𝑒𝑠1 = 𝐸𝑘𝑒𝑦 𝑆𝑢𝑐𝑐𝑒𝑠𝑠, SignSR 𝑁1 (6)
} ( generate) the mes-
sage 𝑚1 = 𝐶, MAC, 𝑇 𝑆r , 𝑃R . Where 𝐶 = 𝐸𝑘 𝐼𝑀𝑖 ‖𝐼𝐷𝑖 , 𝑘 is the then sent 𝑟𝑒𝑠1 to the industrial device node.
shared key between 𝐺𝑈 and the Security Regulatory Department.
| |
5. The Security Regulatory Department checks whether |𝑇 − 𝑇 𝑆reg | < • Evidence Storage
| |
Δ𝑇 is true, and uses the verification code 𝑀𝐴𝐶 to verify the in-
tegrity of the message, decrypts the message with the shared key a) Industrial device node authorization: The industrial device node re-
to obtain 𝐼𝑀𝑖 and 𝐼𝐷𝑖 , and verify the legitimacy of the identity of ceives the GU handshake response, decrypts with the session key to
( )𝑃
the industrial device node; Finally, the legitimacy of the identity of obtain Success, verifies the SignSR 𝑅 mod 𝑛 = 𝑁1 ′ , confirm 𝑁1 = 𝑁1 ′ ,
the industrial device node is notified to 𝐺𝑈 . obtaining the temporary public and private key use rights.
6. After 𝐺𝑈 receives the authentication pass message from the Secu- b) Industrial device node evidence upload: req2 ∶ 𝐸key (V,
rity Regulatory Department, it will map the Token of the industrial SignSToken (𝑁1 )), the evidence data structures defined as shown in Ta-
device node, 𝐼𝐷𝑖 , 𝐼𝑀𝑖 into the blockchain, and the nodes/sensor ble 5, including data upload time, access GUID, industrial device node
will obtain the use right of the temporary public and private keys. SensorID, current status data, and signature field. The signature of the
random number 𝑁1 is encrypted and sent to GU.
The industrial device node uses this temporary public and private key to c) GU receives encrypted evidence: The session key decrypts to ob-
replace the long-term identity identifier 𝐼𝑀𝑖 to achieve the anonymous tain plain text 𝑉 , verifies the correctness of the signature and random
storage of the industrial device node this time, and at the same time, number 𝑁1 , triggers the Save Evidence Algorithm 1 of the smart con-
within the valid period of the Token timestamp, it does not need to tract, establishes a blockchain key-value pair key (Time, GUID, indus-
register the anonymous identity again when communicating across 𝐺𝑈 . trial device node ID) and Value (digital evidence), stores the mapping
relationship between industrial device nodes and evidence. GU signs
5.2. Real-time evidence collection
this mapping broadcast to the entire network.
The industrial device node sends the device state information
• Evidence Upload
recorded during the device’s operation process to 𝐺𝑈 . While verify-
ing the identity of the industrial device node, 𝐺𝑈 generates a session
The participating GU maps the relationship by validating signatures
key so that the industrial device node does not need to undergo fre-
and records it in a block, and uses the new consensus algorithm that we
quent identity authentication when storing evidence to the same 𝐺𝑈 ,
proposed to quickly reach consensus on the full block, joining the end
allowing real-time evidence collection. The industrial device node en-
of the blockchain.
crypts the uploaded evidence using this session key; then 𝐺𝑈 uses the
smart contract to store the evidence. The specific process is shown in
Fig. 6. 5.3. Retrieve and access evidence

• Session establishment After an industrial accident occurs, relevant departments need to

quickly conduct digital forensics. The insurance company first queries
a) The industrial device node calculates the session key the local light node to determine the existence of electronic evidence
( ( ) ) on the blockchain. If it exists, they apply for a query permission token
𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑘𝑒𝑦1 = 𝐻1 𝑔 𝑟r 𝑃r , 𝑃pub 𝑟𝑖 , (3) from the full node of the security regulatory department and use that

637
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Fig. 6. Process of log evidences.

Algorithm 1 Save Evidence. The security regulatory Department retrieve 𝐼𝐷𝑥 − 𝑃𝑥 from the lo-
Input: GUID, DeviceID, evidences cal database to verify the legitimacy of the querying party’s identity.
Output: f ∶ GUID → 𝑒𝑣𝑖𝑑𝑒𝑛𝑐𝑒𝑠; g ∶ DeviceID → 𝑒𝑣𝑖𝑑𝑒𝑛𝑐𝑒𝑠 {Mapping relationship with
Using its own public key 𝑃𝑡 , combined with a random number 𝑁 , they
encrypted evidence}
1: Verifies the signature and 𝑁1 calculate the token key:
2: while correct do
3: New stack; ( )𝑁
𝐾 ∗ = 𝑃𝑡 mod 𝑞 (9)
4: if GUID and DeviceID are both valid then
5: Stack push GUID, DeviceID, evidences ; Based on the token key, they generate the search token:
6: GU broadcast;
7: Return success; (
8: else 𝑀 = 𝐸𝑆𝑡 𝐼𝐷𝑡 ‖ ∗‖
‖𝐾 ‖ 𝑇 𝑆reg ), (10)
9: Return fail;
10: end if where 𝑇 𝑆reg is the token registration timestamp used to limit the query
11: end while time; 𝐼𝐷𝑡 is the regulatory authority’s identity identifier. Finally, en-
crypt the generated token message 𝑟𝑒𝑠 and transmit it to the querying
token to activate the query smart contract, which performs blockchain party.
data retrieval. The specific process is shown in Fig. 7.

5.3.1. Apply to the security regulatory department for evidence retrieval 5.3.3. Access evidences
As the querying node is a light node, it first uses the Bloom Filter The querying party decrypts 𝑟𝑒𝑠 using its private key, verifies the
algorithm to query the block headers stored in this node, judge the correctness of the signature 𝑆𝑖𝑔𝑛𝑆𝑡 , and then extracts the token 𝑀 and
existence of the evidence according to the hash mapping, and if it exists, key 𝐾 ∗ . After obtaining the token 𝑀 , the querying party activates the
then apply for query permission from the full node, with the following smart contract, and with 𝐼𝐷 of industrial device node, fault time 𝑇0 ,
application message: time range to be searched 𝑇ran as parameters, calls the evidence col-
( ) lection Algorithm 2 Search Evidence to find the evidence data of the
𝑟𝑒𝑞 = 𝐸𝑝𝑡 𝑃𝑥 , 𝐼𝐷𝑥 , Sign𝑆𝑥 (7) industrial device node in the corresponding block.
The algorithm steps are as follows:
In this equation, 𝑆𝑖𝑔𝑛𝑆𝑥 refers to the signature of information 𝑃𝑥
and 𝐼𝐷𝑥 by the security regulatory Department. The application mes-
Step1 Judge the validity of the token. The security regulatory depart-
sage 𝑟𝑒𝑞 is encrypted using the public key 𝑃𝑡 of the security regulatory
departments. ments decrypt the token 𝑀 𝑃 𝑡 mod 𝑛, get the data 𝐼𝐷𝑡 ‖𝐾 ∗ ‖ 𝑇 𝑆reg ,
the existence of 𝐼𝐷𝑡 indicates that the query party has obtained
5.3.2. Security regulatory department issue the search token permission.
Step2 Judge the timeliness of the token. If 𝑇 − 𝑇 𝑆reg > Δ𝑇 , the token
( )
𝑟𝑒𝑠 = 𝐸𝑃 𝑥 𝑀, 𝐾 ∗ , Sign𝑆𝑡 (𝑀) (8) has expired and has no right to query, otherwise perform Step3.

638
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Fig. 7. Process of searching evidence.

Algorithm 2 Search Evidence. Table 6

Input: 𝑇0 , 𝑇𝑟𝑎𝑛 , GUID Testing tools and their functions.
Output: 𝐸𝑘 (𝑒𝑣𝑖)
1: Decrypt RSA(𝑀 ); Tools Roles
2: Judge the validity of the Token; Docker Running Fabric
3: while ID is legal do Hyperledger Fabric v1.4 Blockchain framework
4: Judge the timeliness of the Token; Golang Programming language
5: if 𝑇 − 𝑇 𝑆𝑟𝑒𝑔 < Δ𝑇 then Ubuntu 20.04 Experimental underlying system
6: Locate the block containing the evidence;
7: 𝐵𝑙𝑜𝑐𝑘 = 𝐵𝑙𝑜𝑜𝑚𝐹 𝑖𝑙𝑡𝑒𝑟(𝐵𝑙𝑜𝑐𝑘)
8: Calculate the hash mapping;
6. Simulation results and analysis
9: Push the DeviceID,GUID;
10: Return 𝐸𝑘 (𝑒𝑣𝑖);
11: else This experiment uses Docker on the Linux operating system to build
12: No evidence an alliance chain model, using Hyperledger Fabric v1.4 tool to deploy
13: Return fail; IIoT identity, simulating a fast authentication process under experi-
14: end if
15: end while
mental restrictions. It is assumed that the pre-registration of industrial
device nodes has been completed and security analysis will be con-
ducted later. The experiment mainly completes establishing blockchain
consensus and fast identity verification.
Step3 Locate the block containing the evidence. Call the Bloom Filter
At the start of the experiment, by invoking the smart contract, simu-
algorithm to calculate the hash mapping of the industrial device
lating the Token generated after the basic identity verification of indus-
node 𝐼𝐷𝑥 , query the corresponding block, and perform Step4.
trial nodes during the pre-registration stage, the identity information is
Step4 The travel function traverses the located block. For each branch,
packaged by GUs, a consensus is reached through an improved DPoS al-
perform Step5.
gorithm, and after consensus authentication between nodes, a block is
Step5 Match the industrial device node to be queried within the time
generated and stored in the blockchain; Each node updates data opera-
range of 𝑇0 ± 𝑇ran , for each path that meets the condition, per- tions. The test tools and their roles involved in the experimental process
form Step6; are shown in Table 6. The feasibility of the system is analyzed by com-
( the 𝐺𝑈𝐼𝐷 value
Step6 Obtain ) in the key-value pair of the path, and bining throughput and proof-of-work response times.
use 𝐺𝑈𝐼𝐷 , 𝑇0 , 𝑇ran as parameters to repeat Step4 or Step5 to
find evidence of industrial device nodes under the same gateway 6.1. Feasibility analysis
within the same time period.
Step7 Encrypt the evidence with the token key (structure as in Table 5) The test scheme deploys 6 blockchain nodes in a virtual machine to
and return it to the querying party. represent the consensus nodes GU responsible for the on-chain verifica-
tion and updates of industrial device node evidence. Table 7 shows the
5.3.4. The querying party receives the evidence testing situation of GU within 1 hour, which indicates that the 6 con-
The querying party uses the token public formula key 𝐾 ∗ to decrypts sensus nodes maintained online state and performed evidence update
𝐷𝑘 (𝑒𝑣𝑖) then obtain the evidence data. In addition to containing the operations.
status data of this industrial device node within the accident period, the
evidence also contains the status data of other industrial device nodes 6.2. Safety analysis
that are accessed through the same gateway during this period. Judicial
authorities and insurance company can comprehensively and effectively 6.2.1. Evidence traceable and tamper resistance
restore the status of relevant industrial device nodes in this industrial In traditional IIoT digital forensics models, there are significant risks
safety accident based on the retrieved data, thereby conducting further — namely, real-time responsiveness and security — associated with
investigation reports. sending all evidence from industrial device nodes to a cloud data center

639
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Table 7 The plaintext of the session is encrypted in packets, each packet

Feasibility analysis. binary value is less than 𝑛. Let 𝑃R = {𝑒, 𝑛}, 𝑆R = {𝑑, 𝑛}, and the plaintext
Nodes Online state(/min) Update is 𝑚.
(1) Encryption:
R1 50/60 Yes
R2 53/60 Yes
R3 57/60 Yes
𝐶 = 𝑚𝑒 mod 𝑛; (15)
R4 59/60 Yes
(2) Decryption:
R5 57/60 Yes
R6 60/60 Yes
𝑀 = 𝐶 𝑑 mod 𝑛 = (𝑚𝑒 )𝑑 mod 𝑛 = 𝑚𝑒𝑑 mod 𝑛 (16)
Mathematical attack approaches: factorize 𝑛 into two prime factors. Cal-
for processing, industrial device nodes operating at high speeds require culate
responses within milliseconds. If problems such as data transmission
errors or network attacks occur, the status data of the industrial de- 𝜙(𝑛) = (𝑝 − 1)(𝑞 − 1), (17)
vice nodes may not be recorded, leading to difficulties in determining
responsibility. Additionally, the central cloud server faces high data pro- thereby determining
cessing loads and is prone to attacks such as tampering, eavesdropping,
𝑑 ≡ 𝑒−1 (mod𝜙(𝑛)). (18)
and denial of service, leading to significant losses for IIoT practitioners
if evidence is compromised. Determining 𝜙(𝑛) given 𝑛 is equivalent to factorizing 𝑛, and the integer
The solution proposed in this article combines blockchain technol- factorization problem cannot crack the private key. For chosen cipher-
ogy to store digital evidence from industrial device nodes, moving re- text attacks (CCA), since
trieval and storage services to nearby Gateways Units (GUs) for edge ( ) ( ) ([ ])
processing, satisfying the requirements of low latency and large con- 𝐸𝑃 𝑥 𝑀1 × 𝐸𝑃 𝑥 𝑀2 = 𝐸𝑃 𝑥 𝑀1 , 𝑀2 , (19)
nections. Blockchain is interconnected through the hash values in the
decryption can be done as follows:
block headers, taking advantage of the irreversibility and collision re-
(1) Calculate
sistance of hash functions. If a malicious actor modifies a piece of data,
the hash values of the entire chain change, increasing the difficulty for 𝑋 = (𝐶 × 2𝑒 ) mod 𝑛 (20)
attackers and ensuring that the evidence stored in the blockchain is un-
alterable and undeniable. As the blockchain is permanent and arranged (2) Submit 𝑋 as the chosen plaintext and receive:
in chronological order, each record can be traced back in time.
𝑌 = 𝑋 𝑑 mod 𝑛 (21)
6.2.2. Evidence access and identity (3)
In the architecture we proposed, Insurance company, Judicial De-
partment and Industrial Device Node are all lightweight nodes, they 𝑋 =(𝐶 mod 𝑛) × (2𝑒 mod 𝑛)
only store block header information and cannot view complete evidence = (𝑀 𝑒 mod 𝑛) × (2𝑒 mod 𝑛) (22)
in the blockchain, complete evidence access requires an access token ap-
𝑒
plication to the Security Regulatory Department, and the evidence can =(2𝑀) mod 𝑛;
only be queried with the authorization of the Security Regulatory De- Therefore, 𝑀 is obtained. To prevent such attacks, the plaintext is
partment. The tokens can have validity periods according to needs, are randomly padded before encryption, so that the ciphertext is random-
composed of one-time random numbers, and protect the privacy of ev- ized and the property no longer holds, making it impossible to crack.
idence. The industrial device nodes use temporary anonymous private Furthermore, due to the private key being exclusively known lo-
keys to sign the evidence, the temporary identity Tokens contain times- cally, only the corresponding private key possesses the capability to
tamps and can be updated at irregular intervals, protecting the privacy decrypt data that has been encrypted with the public key. This ensures
of the identities of the industrial device nodes. that only the holder of the private key can execute a digital signature,
thereby guaranteeing the confidentiality, integrity, and reliability of the
6.2.3. Session security
transmitted data.
• Security of session key generation.
• Security of inspection.
The industrial device node calculates the session key:
( ( )𝑟 ) When inspecting, the token key is calculated from the private key of
𝑘𝑒𝑦 = 𝐻1 𝑔 𝑟r 𝑃r , 𝑃pub 𝑖 (11)
the Security Regulatory Agency and a random number, realizing one-
GU calculates the session key: time-only to ensure the unforgeability and security of the token, thus
( ( )) realizing reliable evidence transmission.
𝑘𝑒𝑦 = 𝐻1 𝑔 𝑟r 𝑆r , 𝑟𝑖 𝑃 (12)
industrial device node: 6.2.4. Security analysis based on AVISPA
( ( )𝑟 ) On the basis of the above security analysis, we further verified the
𝐻1 𝑔 𝑟r 𝑃r , 𝑃pub 𝑖 𝑟 security properties of the proposed authentication scheme through for-
( ( )𝑟 ) mal modeling and analysis using the formal analysis software AVISPA.
= 𝐻1 𝑔 𝑟r 𝑝r , 𝑠𝑃 𝑖 (13)
( ( )𝑟 𝑟𝑠 ) AVISPA is an automated simulation tool for verifying security protocols.
= 𝐻1 𝑔 𝑃r , 𝑃 𝑟 𝑖 It uses the Dolev-Yao (DY) threat model [29] as its basis. AVISPA not
( ( )) ( ( )) only provides a High Level Protocol Specification Language (HLPSL),
𝐺𝑈 ∶ 𝐻1 𝑔 𝑟r 𝑆𝑃r , 𝑟𝑖 𝑃 = 𝐻1 𝑔 𝑟r 𝑆r , 𝑟𝑖 𝑃 ; (14)
but also integrates various available backend analysis technologies for
The one-way hash function encryption ensures the security of the automated protocol analysis, such as the OFMC model and CL-ATSE
session key, while the use of random numbers prevents man-in-the- model. Due to the limitations of AVISPA tool detection, it only supports
middle attacks. three types of operators (cascading, XOR, and exponentiation). During
the simulation, some operations of the scheme are simplified, with mul-
• Security of the session process. tiplication and pairing executed as hash functions.

640
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

expressed in transactions per second (TPS), representing the total num-

ber of effective transactions achieved within a period of time. This
experiment tested the throughput (TPS) and average latency (Seconds)
of evidence uploading, updating and retrieval operations respectively,
with test contents of log evidence (a) and operational data (i). Based on
the configuration in the benchmark and network files, different work-
load modules can be used to generate transactions and submit them
to the consortium blockchain under test, so Caliper can simulate many
client workloads injected into the blockchain network.
The workload data volume in this experiment ranged from 100
to 2500, with a step size of 100. According to the test results, the
throughput of log evidence (a) uploading, updating and retrieval oper-
ations were above 110TPS, 75TPS and 1050TPS respectively, while the
throughput of operational data (i) uploading, updating and retrieval op-
erations were above 100TPS, 80TPS and 1100TPS respectively. Taking
a workload of 500 as an example in the IIoT digital forensics process,
Fig. 8. Analysis of simulation results under OFMC & CL-AtSe backends. the average latencies of log evidence (a) uploading, updating and re-
trieval were 5.5 s, 3.79 s and 0.25 s respectively, while the average
To achieve the desired outcome with the AVISPA tool, the following latencies of operational data (i) uploading, updating and retrieval were
steps should be followed: 4.9 s, 3.29 s and 0.25 s respectively. The results of the tests demonstrate
that the consortium blockchain achieves a throughput and average la-
• Step1 Implement the designed protocol in HLPSL and save it in a tency that are in line with the requirements for efficient transmission of
file with the “.hlpsl” extension. digital evidence information in the IIoT. This enables the effective op-
• Step2 Convert the HLPSL file to the Intermediate Format (IF) using eration of the digital evidence collection mode. These findings provide
the HLPSL2IF translator. evidence to support the feasibility and effectiveness of the IIoT digi-
• Step3 Provide the IF as input to one of the available back-ends, tal forensics architecture based on the consortium blockchain. The test
which will generate the output indicating whether the tested pro- results are shown in Fig. 9.
tocol is safe, unsafe, or inconclusive.
6.4. Comparative performance analysis
The fundamental steps for constructing the model of the scheme
are outlined as follows: First, use the high-level protocol modeling lan- Our proposed framework leverage blockchain and its asymmetric
guage HLPSL to program the implementation process of the protocol, cryptographic underpinnings to integrate the IIoT while ensuring pro-
adopt a role-based approach to set the states of the protocol partici- tection of peer-to-peer transmissions external to the blockchain layer.
pating entities (Industrial Device Nodes, GUs and Cloud Platform, etc.), This allows for secure information handling, identity management of
and create specific events for the corresponding roles, such as: request, networked entities, and validated transactions.
authentication. Second, describe the variables of the protocol running We evaluate the design’s ability to establish trust across all network
environment and attacker capabilities, etc. Finally, specify the expected operations and components within the IIoT context. The results indi-
security goals and authentication goals to be achieved. cate security and transparency can be uniformly provided. Tables 8, 9
The simulation results shown in Fig. 8 assure that our scheme pro- comparatively assess related efforts based on consensus algorithm,
tects both replay & man-in-the-middle attacks. blockchain platform, hardware dependencies, energy usage, and per-
formance metrics.
6.3. Performance analysis Overall, our architecture represents a promising step towards har-
nessing blockchain’s full potential for industrial systems by integrating
To validate the rationality and feasibility of the proposed consor- it in a manner that safeguards data transfers and establishes an environ-
tium blockchain-based digital forensics architecture for the IIoT, we ment of verifiability, accountability and integrity for Internet-connected
conducted performance testing using the Hyperledger Caliper platform. machines, sensors and controllers. Future work will aim to optimize dif-
This testing aimed to confirm the effectiveness of the architecture. ferent parameters and evaluate real-world deployability at scale.
Caliper can generate workloads for the blockchain system under test
and continuously monitor and test the performance of the consortium 7. Conclusion
blockchain. Testing the consortium blockchain with Caliper requires a
benchmark file, a blockchain network configuration file, and workload This article proposes an innovative digital forensic scheme that
modules. The benchmark file defines the number of IIoT device nodes utilizes blockchain technology for the IIoT. This scheme harnesses
in the workload, the number of data submissions, the length of rounds blockchain to ensure tamper-proof, irrefutable, and permanent stor-
in seconds, and the rate of evidence transmission to the blockchain. age of digital evidence. To meet the real-time demands of IIoT, it also
The blockchain network configuration file clearly specifies the basic ar- introduces a new, efficient batch consensus mechanism. The scheme in-
chitecture, node addresses and identities, channels and smart contracts corporates token authorization for access control over evidence queries
used during the testing of the consortium blockchain under test. The and facilitates rapid retrieval through smart contracts. It employs pub-
workload modules are exported node functions used to simulate client lic key cryptography to maintain the anonymity of device identities
node requests to the consortium blockchain under test. and the confidentiality and integrity of data transmission. However,
We set up the benchmark file, blockchain network configuration file it’s noteworthy that the scheme has only been tested in limited sim-
and workload modules based on the IIoT digital forensics consortium ulated environments, and further refinement is required for its actual
blockchain architecture proposed in this paper to simulate the con- deployment in real-world industrial network settings. Presently, both
struction of an IIoT digital forensics consortium blockchain and used domestically and internationally, research on evidence storage in IIoT
the Caliper framework to test the simulated consortium blockchain. digital forensics is quite scarce. By integrating blockchain, this approach
The two basic performance metrics for evaluating blockchain perfor- not only pioneers a new path for IIoT digital forensics but also aims to
mance are throughput and average latency, with the former usually catalyze further research in this emerging field.

641
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Fig. 9. Hyperledger Caliper Test Result.

Table 8
Performance Comparison with Related Work.

Author Consensus Mechanism Blockchain Platform Hardware Dependency Energy Efficiency Consuming Time

Rathee et al. [30] PoW Consortium Blockchain Yes Fair High

Shen et al. [31] IBS Consortium Blockchain No Fair High
Cao et al. [32] PoC Hyperledger Yes Fair Midding
Hu et al. [33] PoW Ethereum Blockchain Yes Fair High
He et al. [34] PBFT Hyperledger Fabric v0.6 No Fair Midding
Gul et al. [35] Delegate PoS Public Blockchain No Fair High
Our study New DPoS Hyperledger Fabric v1.4 No High Low

Table 9
More Comparison With Related Work.

Works Computing Power Block Size Trial Time Transaction Time

[30] - 5000 Bytes 60 s Avg 3s

[31] AMD Ryzen 5 2600X CPU @3.6GHz and 16 GB - 90 min 75-90 ms
[32] - 10,000bytes 60 s 100-1000 ms
[33] - 0.8 MB 60 min. Avg above 20 s
[35] X86-64 @3.3G 2 GB 1 MB 300 s Create: 6.07 s, Update: 16.6 s
Reg-Invoke: 10.5 ms, Reg-Query 98 ms,
Our Work Intel i7-13600KF @ 4.6 GHz and 32 GB 2500 KB 60 min
upload:4.3 s updating 3.5 s retrieval 0.25 s

642
N. Xiao, Z. Wang, X. Sun et al. Alexandria Engineering Journal 86 (2024) 631–643

Declaration of competing interest [18] Phan The Duy, Hien Do Hoang, DoThi Thu Hien, Nguyen Ba Khanh, Van-Hau
Pham, Sdnlog-foren: ensuring the integrity and tamper resistance of log files for
sdn forensics using blockchain, in: 2019 6th NAFOSTED Conference on Information
No potential conflict of interest was reported by the authors.
and Computer Science (NICS), 2019, pp. 416–421.
[19] Duc-Phong Le, Huasong Meng, Le Su, Sze Ling Yeo, Vrizlynn Thing, Biff: a
References blockchain-based iot forensics framework with identity privacy, in: TENCON 2018 -
2018 IEEE Region 10 Conference, 2018, pp. 2372–2377.
[1] Venkata Venugopal Rao Gudlur Saigopal, Valliappan Raju, Iiot digital forensics and [20] Gulshan Kumar, Rahul Saha, Chhagan Lal, Mauro Conti, Internet-of-Forensic (IoF):
major security issues, in: 2020 International Conference on Computational Intelli- a blockchain based digital forensics framework for IoT applications, Future Gener.
gence (ICCI), 2020, pp. 233–236. Comput. Syst. 120 (2021-07) 13–25.
[2] Md Abdur Rahman, M. Shamim Hossain, Ahmad J. Showail, Nabil A. Alrajeh, [21] Vaggelis Malamas, Thomas Dasaklis, Panayiotis Kotzanikolaou, Mike Burmester,
Ahmed Ghoneim, Ai-enabled iiot for live smart city event monitoring, IEEE Int. Sokratis Katsikas, A forensics-by-design management framework for medical devices
Things J. 10 (4) (2023) 2872–2880. based on blockchain, in: 2019 IEEE World Congress on Services (SERVICES), volume
[3] Junfeng Miao, Zhaoshun Wang, Zeqing Wu, Xin Ning, Prayag Tiwari, A blockchain- 2642-939X, 2019, pp. 35–40.
enabled privacy-preserving authentication management protocol for Internet of [22] G. Rekha, B. Uma Maheswari, Raspberry pi forensic investigation and evidence
Medical Things, Expert Syst. Appl. 237 (2024-03) 121329. preservation using blockchain, in: 2021 International Conference on Forensics, An-
[4] Tiantong Wu, Guillaume Jourjon, Kanchana Thilakarathna, Phee Lep Yeoh, alytics, Big Data, Security (FABS), vol. 1, 2021, pp. 1–5.
Mapchain-d: a distributed blockchain for iiot data storage and communications, [23] Wanqin Cao, Yunhui Huang, Dezheng Li, Feng Yang, Xiaofeng Jiang, Jian Yang, A
IEEE Trans. Ind. Inform. 19 (9) (2023) 9766–9776. blockchain based link-flooding attack detection scheme, in: 2021 IEEE 4th Advanced
[5] Shunyuan Sun, Jingyuan Yu, An indoor location algorithm for heterogeneous de- Information Management, Communicates, Electronic and Automation Control Con-
vices and environmental changes, J. Jilin Univ. Sci. Ed. 61 (4) (2023). ference (IMCEC), volume 4, 2021, pp. 1665–1669.
[6] Hui Wang, Chengyu Bi, Zihao Shen, Peiqian Liu, Two-stage location privacy protec- [24] Jianbin Gao, Kwame Opuni-Boachie Obour Agyekum, Emmanuel Boateng Sifah,
tion method for mobile crowd sensing, J. Jilin Univ. Sci. Ed. 61 (5) (2023). Kingsley Nketia Acheampong, Qi Xia, Xiaojiang Du, Mohsen Guizani, Hu Xia, A
[7] Pengcheng Zhang, Xiaohan Yu, Xiao Bai, Chen Wang, Jin Zheng, Xin Ning, Joint dis- blockchain-sdn-enabled internet of vehicles environment for fog computing and 5g
criminative representation learning for end-to-end person search, Pattern Recognit. networks, IEEE Int. Things J. 7 (5) (2020) 4278–4291.
147 (2024) 110053. [25] Claudio Agostino Ardagna, Rasool Asal, Ernesto Damiani, Nabil El Ioini, Claus Pahl,
[8] Kim Strandberg, Nasser Nowdehi, Tomas Olovsson, A systematic literature review Trustworthy IoT: an evidence collection approach based on smart contracts, in: 2019
on automotive digital forensics: challenges, technical solutions and data collection, IEEE International Conference on Services Computing (SCC), IEEE, 2019, pp. 46–50.
IEEE Trans. Intell. Veh. 8 (2) (2023) 1350–1367. [26] Auqib Hamid Lone, Roohie Naaz Mir, Forensic-chain: blockchain based digital foren-
[9] Sri Harsha Mekala, Zubair Baig, Adnan Anwar, Industrial internet of things (iiot): sics chain of custody with PoC in Hyperledger Composer, Digit. Investig. 28 (2019)
testbed and datasets for cybersecurity and digital forensics, in: 2022 Interna- 44–55.
tional Conference on Smart Generation Computing, Communication and Networking [27] Xiaojin Ma, Huahu Xu, Honghao Gao, Minjie Bian, Walayat Hussain, Real-time vir-
(SMART GENCON), 2022, pp. 1–10. tual machine scheduling in industry iot network: a reinforcement learning method,
[10] Enhao Ning, Changshuo Wang, Huang Zhang, Xin Ning, Prayag Tiwari, Occluded IEEE Trans. Ind. Inform. 19 (2) (2023) 2129–2139.
person re-identification with deep learning: a survey and perspectives, Expert Syst. [28] Qingyang Zhang, Jing Wu, Hong Zhong, Debiao He, Jie Cui, Efficient anonymous au-
Appl. 239 (2024) 122419. thentication based on physically unclonable function in industrial internet of things,
[11] Songsong Tian, Lusi Li, Weijun Li, Hang Ran, Xin Ning, Prayag Tiwari, A survey on IEEE Trans. Inf. Forensics Secur. 18 (2023) 233–247.
few-shot class-incremental learning, Neural Netw. 169 (2024) 307–324. [29] Danny Dolev, Andrew Yao, On the security of public key protocols, IEEE Trans. Inf.
[12] Jung Hyun Ryu, Pradip Kumar Sharma, Jeong Hoon Jo, Jong Hyuk Park, A Theory 29 (2) (1983) 198–208.
blockchain-based decentralized efficient investigation framework for IoT digital [30] Geetanjali Rathee, Farhan Ahmad, Naveen Jaglan, Charalambos Konstantinou, A
forensics, J. Supercomput. 75 (8) (2019) 4372–4387. secure and trusted mechanism for industrial IoT network using blockchain, IEEE
[13] Thomas K. Dasaklis, Fran Casino, Constantinos Patsakis, Sok: Blockchain Solutions Trans. Ind. Inform. 19 (2) (2023) 1894–1902.
for Forensics, 2020. [31] Meng Shen, Huisen Liu, Liehuang Zhu, Ke Xu, Hongbo Yu, Xiaojiang Du, Mohsen
[14] Mahmud Hossain, Ragib Hasan, Shams Zawoad, Probe-IoT: a public digital ledger Guizani, Blockchain-assisted secure device authentication for cross-domain indus-
based forensic investigation framework for IoT, in: IEEE INFOCOM 2018 - IEEE trial IoT, IEEE J. Sel. Areas Commun. 38 (5) (2020) 942–954.
Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2018, [32] Yan Cao, Feng Jia, Gunasekaran Manogaran, Efficient traceability systems of steel
pp. 1–2. products using blockchain-based Industrial Internet of Things, IEEE Trans. Ind. In-
[15] Yunjia Zhang, Jian Wang, Xudong He, Jiqiang Liu, Blockchain-based access control form. 16 (9) (2020) 6004–6012.
mechanism in electronic evidence, in: Ke Xu, Jianming Zhu, Xianhua Song, Zeguang [33] Wei Hu, Huanhao Li, A blockchain-based secure transaction model for distributed
Lu (Eds.), Blockchain Technology and Application, vol. 1305, Springer, Singapore, energy in Industrial Internet of Things, Alex. Eng. J. 60 (1) (2021) 491–500.
2021, pp. 17–33. [34] Sen He, Wei Ren, Tianqing Zhu, Kim-Kwang Raymond Choo, BoSMoS: a blockchain-
[16] Sagar Rane, Arati Dixit Blockslaas, Blockchain assisted secure logging-as-a-service based status monitoring system for defending against unauthorized software updat-
for cloud forensics, in: Sukumar Nandi, Devesh Jinwala, Virendra Singh, Vijay ing in industrial Internet of things, IEEE Int. Things J. 7 (2) (2020) 948–959.
Laxmi, Manoj Singh Gaur, Parvez Faruki (Eds.), Security and Privacy, Springer Sin- [35] M. Junaid Gul, Barathi Subramanian, Anand Paul, Jeonghong Kim, Blockchain for
gapore, Singapore, 2019, pp. 77–88. public health care in smart society, Microprocess. Microsyst. 80 (2021) 103524.
[17] Mehran Pourvahab, Gholamhossein Ekbatanifard, Digital forensics architecture for
evidence collection and provenance preservation in IaaS cloud environment using
SDN and blockchain technology, IEEE Access 7 (2019) 153349–153364.

643