Sienna (E -ISSN: 2745-9861 | P-ISSN: 2745-987X) https://jurnal.
id/index.
php/sienna DOI: https://doi.
org/10.
47637/sienna.
Blockchain-Based Preservation Framework for Network Forensic Evidence Integrity Mirza Sutrisno1*.
Sunardi2.
Rusydi Umar3 2536083037@webmail.
id1, sunardi@mti.
id2, rusydi@mti.
1,2,3
Universitas Ahmad Dahlan.
Indonesia Universitas Muhammadiyah Jakarta.
Indonesia *Correspondence: mirza.
sutrisno@umj.
Abstract Network forensic investigations rely heavily on the integrity and Article Status:
traceability of Packet Capture (PCAP) files as primary digital Accepted: 15-05-2026 Digital Forensic Research Workshop (DFRWS) Revised: 29-05-2026 implementations commonly employ centralized preservation Accepted: 02-06-2026 mechanisms that remain vulnerable to unauthorized modification and Keywords:
provide limited provenance transparency.
To address these Blockchain.
limitations, this study proposes a blockchain-based preservation Chain-of-Custody.
framework integrated into the preservation phase of the DFRWS DFRWS.
The framework combines SHA-256 cryptographic hashing Data Integrity.
for integrity verification, blockchain-based provenance logging, and Network Forensics distributed ledger validation while maintaining off-chain evidence Unlike many existing blockchain-based forensic frameworks that primarily emphasize provenance recording and chain-of-custody management, this study evaluates evidence preservation through an integrated validation approach consisting of controlled tampering simulation, cryptographic sensitivity analysis, and preservation latency measurement.
Experimental evaluation using PCAP datasets representing attack and baseline traffic conditions demonstrated that unauthorized evidence modification was successfully detected through hash inconsistencies.
Avalanche Effect analysis produced a value of 50.
39%, confirming the strong cryptographic sensitivity of the SHA-256 mechanism to minimal data alteration.
While SHA-256 enables reliable tampering detection, the integrated blockchain architecture provides tamper-resistant provenance recording, chainof-custody traceability, and distributed verification of evidence The framework achieved an average preservation latency 057 seconds within the experimental environment, providing preliminary evidence of feasibility for blockchain-assisted forensic logging under controlled conditions.
Although no direct comparison with alternative preservation approaches was conducted, the findings provide a proof-of-concept validation and contribute empirical evidence regarding the potential of blockchain-supported provenance management to enhance trustworthiness and integrity assurance in network forensic workflows.
A 2026 Mirza Sutrisno.
Sunardi.
Rusydi Umar This work is licensed under a Creative Commons Attribution-ShareAlike 4.
0 International License.
Jurnal Sienna Volume 7 Nomor 1 Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A INTRODUCTION Network forensics has become an essential component of modern digital investigations due to the exponential growth of cyber threats and the increasing complexity of network The rapid expansion of distributed systems, cloud environments, and Internet of Things (IoT) ecosystems has significantly amplified the volume and heterogeneity of network traffic, thereby increasing the difficulty of forensic evidence acquisition, preservation, and validation (Arif et al.
, 2025.
Atlam et al.
, 2.
In Indonesia, this challenge is further reflected in the national cybersecurity landscape, where large-scale cyber incidents and traffic anomalies continue to rise, emphasizing the urgent need for reliable and trustworthy forensic mechanisms (Badan Siber dan Sandi Negara, 2.
A visual representation of Indonesia's Cybersecurity Landscape is provided in Figure 1 below.
Figure 1.
Indonesia's Cybersecurity Landscape Within this context.
Packet Capture (PCAP) files play a central role as primary forensic artifacts, as they preserve detailed packet-level communication, including timestamps, payloads, and metadata required for reconstructing cyber incidents (Casey, 2.
Prior studies also emphasize the importance of structured investigation processes and systematic evidence handling in complex digital environments (Sunardi et al.
, 2.
Despite their evidentiary importance.
PCAP files remain highly vulnerable to anti-forensic manipulation.
Various forms of tampering, such as payload modification, timestamp alteration, replay injection, and metadata manipulation, can significantly distort forensic interpretation and compromise legal admissibility.
These vulnerabilities are largely attributed to the reliance on centralized preservation mechanisms, which introduce single points of failure and enable unauthorized modification without transparent traceability (Chen, 2025.
Riadi et al.
, 2.
In addition, the increasing sophistication of Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A cyberattacks, including multi-layer exploitation techniques such as Cross-Site Scripting (XSS), further complicates the integrity assurance of digital evidence, as conventional security mechanisms often fail to provide comprehensive protection across diverse attack vectors (Hartono & Sriyanto, 2.
Moreover, traditional chain-of-custody (CoC) practices often depend on manual documentation and centralized logging systems, which are prone to inconsistency, insider threats, and lack of verifiable auditability (Atlam et al.
, 2024.
Wang et al.
, 2.
As a result, ensuring the integrity, transparency, and trustworthiness of digital evidence remains a fundamental challenge in contemporary network forensic investigations.
To address these limitations, blockchain technology has emerged as a promising approach for enhancing digital forensic processes.
Blockchain provides a decentralized and immutable ledger that enables secure recording of evidence provenance, ensuring that any modification can be detected and verified across distributed nodes (Casino et al.
, 2019.
Zheng et al.
, 2.
particular, blockchain-based solutions have been widely explored for strengthening chain-ofcustody management by enabling transparent, tamper-resistant, and verifiable tracking of evidence throughout its lifecycle (Lone & Mir, 2019.
Machhi et al.
, 2.
In cloud-based forensic infrastructures, the integration of distributed ledger technology has been shown to improve evidence management by eliminating reliance on centralized authorities and enabling decentralized validation processes (Al-Khateeb et al.
, 2.
Furthermore, within network forensic workflows, cryptographic hashing combined with blockchain recording mechanisms has been emphasized as a key approach to ensuring evidence integrity and detecting unauthorized modifications (Riadi et al.
, 2.
More broadly, recent systematic reviews confirm that blockchain technology offers substantial advantages in digital forensics, particularly in enhancing immutability, transparency, and distributed trust, although challenges related to scalability, performance, and implementation complexity remain significant (Atlam et al.
, 2024.
Sunny et al.
, 2.
Despite the growing adoption of blockchain technology in digital forensics, several important limitations remain in existing studies.
First, many blockchain-based forensic frameworks, including ProvChain and Hyperledger-based chain-of-custody models, primarily focus on provenance architecture and evidence traceability.
While these studies demonstrate the potential of distributed ledgers for forensic record management, they provide limited empirical validation regarding how effectively preserved evidence can resist anti-forensic manipulation under controlled experimental conditions.
Second, previous studies generally evaluate blockchain functionality from a provenance or architectural perspective without examining the cryptographic sensitivity of the integrity verification mechanism itself.
Third, operational performance aspects remain underexplored because relatively few studies report preservation latency measurements obtained from end-to-end forensic preservation workflows (Dorri et al.
, 2017.
Wang et al.
, 2.
Accordingly, the contribution of this study is not merely the adoption of blockchain for chain-of-custody management, but the integration of blockchain-based provenance preservation into the DFRWS preservation phase combined with three complementary validation perspectives:
controlled tampering detection.
Avalanche Effect-based cryptographic sensitivity analysis, and preservation latency measurement.
Unlike ProvChain and most Hyperledger-based forensic preservation models, which primarily focus on provenance recording and chain-of-custody management, the proposed framework incorporates empirical validation of evidence integrity through controlled tampering experiments, evaluates the cryptographic sensitivity of the integrity Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A mechanism using Avalanche Effect analysis, and reports preservation latency obtained from an end-to-end preservation workflow.
This combination provides an experimentally validated proofof-concept that extends beyond architectural design and offers empirical evidence regarding blockchain-assisted network forensic workflows.
METHODS
Types of research This study employed an experimental quantitative approach to evaluate the effectiveness of blockchain-based preservation mechanisms integrated into the Digital Forensic Research Workshop (DFRWS) framework.
The proposed framework integrates blockchain technology into the preservation phase of the DFRWS model by combining SHA-256 cryptographic hashing, blockchain-based provenance recording, and distributed ledger verification mechanisms.
This integration was intended to improve evidence immutability, chain-of-custody transparency, and resistance against anti-forensic manipulation.
The research workflow consisted of several stages, including network traffic acquisition, evidence hashing, blockchain recording, tampering simulation, hash verification.
Avalanche Effect analysis, and performance evaluation through latency measurement.
Experimental validation was performed using Packet Capture (PCAP) datasets representing both normal and attack-related traffic conditions.
Technical Implementation Environment The framework was implemented using a private blockchain simulation environment deployed on Ubuntu Linux 22.
04 LTS.
The blockchain layer consisted of three logical node roles:
Validator Node.
Forensic Node, and Archive Node.
The Validator Node was responsible for transaction validation and ledger synchronization.
The Forensic Node performed evidence registration, hash generation, and verification requests, and the Archive Node maintained replicated provenance records to support distributed verification.
Within this architecture, each preservation transaction followed a predefined workflow where an acquired PCAP file was processed using SHA-256 hashing.
The generated hash value, timestamp, evidence identifier, and investigator identifier were encapsulated into a blockchain transaction to be validated and appended to the distributed ledger.
Under this hybrid storage scheme, original PCAP evidence remained stored off-chain in a secure local directory, while metadata and integrity-related records were preserved on-chain.
Preservation transactions generated by the Forensic Node were validated by the Validator Node before being replicated to the Archive Node, ensuring consistent provenance records across the simulated blockchain environment.
The software environment utilized Jupyter Notebook with Python 3.
12 for automation and hash generation.
Wireshark and tcpdump for network traffic capture, and a custom Python-based private blockchain simulator.
Experimental execution for all three logical nodes was conducted on a workstation powered by an Intel Core Ultra 5 processor with 16 GB RAM and 512 GB SSD storage, representing a localized simulation environment designed for controlled performance and sensitivity evaluation.
Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A Digital Forensic Research Workshop (DFRWS) The proposed hybrid blockchain architecture was integrated into the Digital Forensic Research Workshop (DFRWS) framework to strengthen forensic evidence preservation, improve chain-of-custody transparency, and support distributed integrity verification during network forensic investigations.
The implementation process was conducted through several interconnected investigation phases, as illustrated in Figure 2.
Figure 2.
Digital Forensic Research Workshop (DFRWS) Framework Identification The identification phase focused on detecting suspicious network activities requiring forensic acquisition.
Wireshark and tcpdump were utilized to monitor and identify anomalous traffic patterns within the simulated network environment.
At this stage, blockchain mechanisms were not directly involved because the primary objective was incident recognition and traffic identification prior to forensic preservation.
Preservation The preservation phase represented the core implementation stage of the proposed blockchain-based framework.
After acquisition, each PCAP file was processed using the SHA256 cryptographic hashing algorithm to generate unique hash values representing evidence The original PCAP files were stored in off-chain forensic storage, while hash values, timestamps, investigator identifiers, and provenance records were recorded as blockchain transactions within a private blockchain environment.
This hybrid storage architecture was designed to maintain storage efficiency while ensuring immutable chain-of-custody preservation and distributed verification.
Blockchain integration in this phase was designed to support forensic accountability through immutable provenance recording and distributed verification.
Collection Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A During the collection phase, acquired PCAP datasets were transferred into secure forensic repositories for further investigation.
Blockchain technology supported this process by recording evidence transfer activities and preserving provenance continuity through distributed ledger Every collection event generated a verifiable transaction record to ensure traceability throughout the forensic lifecycle.
Examination The examination phase involved metadata extraction, packet structure validation, and integrity inspection of the acquired evidence.
Relevant metadata, including timestamps, source and destination addresses, communication protocols, and payload structures, were analyzed to support forensic interpretation.
To evaluate the robustness of the proposed framework against anti-forensic manipulation, controlled tampering simulations were performed by modifying one byte within selected PCAP files.
Blockchain records and previously generated hash values were subsequently used as integrity references to detect evidence alteration.
Analysis The analysis phase recalculated SHA-256 hash values from the preserved evidence and compared them with hash records stored within the blockchain ledger.
Any mismatch between recalculated and recorded hash values indicated integrity violations, tampering attempts, or inconsistencies within the chain-of-custody process.
Avalanche Effect analysis was used as a supplementary validation mechanism to evaluate the sensitivity of the SHA-256 hashing algorithm against minimal evidence modification prior to blockchain preservation.
A higher Avalanche Effect value indicated stronger sensitivity of the hashing mechanism to evidence Presentation The presentation phase compiled forensic verification results, blockchain provenance records, tampering detection outcomes.
Avalanche Effect measurements, and preservation latency analysis into forensic reports.
Blockchain records provided immutable provenance documentation that strengthened evidence transparency and supported legal admissibility during forensic reporting and verification processes.
The overall integration of blockchain into the DFRWS framework was intended to provide a more reliable, transparent, and tamper-resistant preservation mechanism for network forensic evidence management.
Data Collection The experimental dataset used in this study consisted of ten Packet Capture (PCAP) files generated within an isolated and controlled network environment.
The datasets were designed to represent both normal and malicious network activities in order to evaluate the effectiveness of the proposed blockchain-based preservation framework under different forensic conditions.
Five datasets were categorized as attack traffic scenarios, while the remaining five represented baseline network traffic without malicious activities.
The attack datasets contained various simulated cyberattack activities, including unauthorized access attempts, replay packet injection, abnormal payload transmission, and protocol anomalies.
These scenarios were intentionally generated to emulate realistic anti-forensic and network intrusion conditions commonly encountered in forensic investigations.
In contrast.
Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A the baseline datasets represented normal operational traffic generated from standard communication processes within the simulated network environment.
The file sizes of the datasets varied significantly depending on traffic intensity and attack Attack-related PCAP files ranged from 15.
2 MB to 33.
0 MB, whereas baseline traffic datasets ranged from 64.
8 KB to 65.
7 KB.
This variation allowed the proposed framework to be evaluated under different evidence scales and traffic conditions.
Detailed characteristics of the experimental datasets are presented in Table 1.
Table 1.
Experimental Dataset Characteristics File Name Type File Size Attack_run01.
Attack_run02.
Attack_run03.
Attack_run04.
Attack_run05.
Baseline_run01.
Baseline_run02.
Baseline_run03.
Baseline_run04.
Baseline_run05.
Attack
Attack
Attack
Attack
Attack
Normal
Normal
Normal
Normal
Normal
0 MB
7 MB
0 MB
7 MB
2 MB
7 KB
7 KB
5 KB
0 KB
8 KB
The acquisition process was conducted using Wireshark and tcpdump within a Linuxbased forensic environment.
All datasets were stored in a local forensic repository prior to integrity preservation and blockchain recording processes.
The use of controlled and reproducible datasets ensured consistency during tampering simulation and verification experiments.
Procedure The research procedure followed the Digital Forensic Research Workshop (DFRWS) framework, which consists of six primary phases: identification, preservation, collection, examination, analysis, and presentation (Casey, 2.
Blockchain integration was incorporated into several critical stages of the framework to support evidence immutability, improve chain-ofcustody transparency, and support distributed integrity verification.
The process began with the identification phase, where relevant network data sources and digital artifact types were Packet Capture (PCAP) files and network logs generated within the simulated environment were identified as the primary forensic evidence used in the experiment.
Wireshark and tcpdump were utilized to capture suspicious network activities and generate datasets representing both baseline and attack traffic scenarios.
During the preservation phase, each acquired PCAP file was processed using the SHA-256 cryptographic hashing algorithm to generate unique hash values representing evidence integrity.
The original evidence files were stored within local forensic storage, while the generated hash values, timestamps, investigator identifiers, and provenance records were recorded within a private blockchain environment through blockchain transaction mechanisms.
The use of SHA-256 hashing was selected due to its high reliability and widespread adoption in integrity verification systems (Stallings, 2.
The collection phase involved systematic evidence acquisition and secure transfer into the forensic repository.
Blockchain transactions were used to record evidence transfer activities, thereby maintaining provenance continuity and ensuring transparent chain-of-custody Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A documentation throughout the investigation lifecycle.
In the examination phase, metadata extraction and structural validation were performed on the acquired PCAP files.
Relevant information such as timestamps, source and destination IP addresses, communication protocols, and payload structures were analyzed to support forensic interpretation.
Controlled tampering simulations were subsequently conducted by modifying one byte within selected PCAP files in order to evaluate the sensitivity of the preservation mechanism against anti-forensic manipulation The analysis phase recalculated SHA-256 hash values from the preserved evidence and compared them with the corresponding records stored within the blockchain ledger.
Any discrepancy between recalculated and recorded hash values indicated integrity violations or unauthorized evidence modification.
In addition.
Avalanche Effect analysis was conducted to measure the cryptographic sensitivity of the hashing mechanism against minor evidence changes.
Finally, the presentation phase compiled all forensic verification results, blockchain provenance logs, tampering detection outcomes.
Avalanche Effect measurements, and preservation latency analysis into comprehensive forensic reports.
Blockchain-based provenance records provided immutable documentation that strengthened evidence transparency and supported legal admissibility during forensic reporting processes.
To evaluate the effectiveness of the proposed framework, this study employed a one-group pretest-posttest experimental design.
Initial hash values were recorded before controlled evidence modification, followed by postmanipulation verification to identify integrity discrepancies.
This experimental design enabled direct evaluation of the frameworkAos capability to detect evidence tampering and preserve forensic Data Processing Data processing in this study focused on evaluating both the integrity preservation capability and operational performance of the proposed blockchain-based forensic framework.
The processing stage consisted of cryptographic verification, tampering sensitivity analysis, and preservation efficiency measurement.
Tampering sensitivity was evaluated using Avalanche Effect (AE) analysis, which measures the percentage of changed output bits resulting from minimal modifications to the input data.
In cryptographic systems, secure hash functions are expected to generate substantially different outputs even when only minor changes occur in the original input, thereby ensuring strong resistance against manipulation attempts (Stallings, 2021.
Upadhyay et al.
, 2.
In this study.
Avalanche Effect analysis was performed by comparing binary differences between the original SHA-256 hash output and the hash generated after controlled tampering simulations on the PCAP files.
The Avalanche Effect value was calculated using the following equation:
AE =
!"#$%%&'
!()(*#
x 100% where AE represents the Avalanche Effect percentage.
Bflipped denotes the number of changed bits between the original and modified hash outputs, and Btotal represents the total number of bits produced by the SHA-256 algorithm, which equals 256 bits.
According to cryptographic security standards.
Avalanche Effect values approaching 50% indicate strong cryptographic sensitivity and effective resistance against anti-forensic manipulation (Upadhyay et al.
, 2.
In addition to cryptographic sensitivity analysis, system efficiency was evaluated Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A through preservation latency measurement.
Preservation latency refers to the cumulative processing time required to secure, validate, and record digital evidence within the blockchainbased preservation framework.
This metric combines SHA-256 hashing duration and blockchain transaction validation time, adapted from distributed ledger performance evaluation approaches proposed in previous blockchain forensic and lightweight blockchain studies (Al-Khateeb et al.
Dorri et al.
, 2.
The preservation latency was calculated using the following equation:
Tpreservation = Thashing Tblockchain Thashing represents the processing time required to generate SHA-256 hash values, while Tblockchain denotes the time required for blockchain transaction validation and ledger recording This dual-processing evaluation ensured that the proposed preservation framework not only provided strong cryptographic integrity protection but also maintained operational efficiency suitable for practical network forensic investigation environments.
RESULTS AND DISCUSSION
Blockchain Preservation Implementation The implementation of the blockchain-based preservation framework demonstrates the potential of blockchain-assisted preservation for providing provenance transparency and distributed verification through distributed ledger mechanisms.
By integrating SHA-256 cryptographic hashing with blockchain-based provenance logging, the proposed framework ensures that each forensic artifact is uniquely identified and immutably recorded within a distributed ledger.
This design directly addresses the fundamental limitations of centralized systems, particularly the lack of transparency and vulnerability to unauthorized modification.
The findings are consistent with previous studies emphasizing that blockchain enables tamper-resistant and verifiable chain-of-custody management through decentralized consensus mechanisms (Casino et al.
, 2019.
Zheng et al.
, 2.
Furthermore, recent developments in blockchain-based forensic architectures highlight that distributed ledger integration significantly enhances accountability and traceability in digital evidence management systems, particularly in multi-stakeholder environments (Al-Khateeb et al.
, 2019.
Atlam et al.
, 2.
In comparison to prior works such as ProvChain and Hyperledger-based forensic models (Liang et al.
, 2017.
Lone & Mir, 2.
, which primarily focus on architectural design, this study contributes by providing experimental validation within the DFRWS framework.
The adoption of a hybrid architectureAicombining on-chain provenance records with off-chain storageAialso aligns with contemporary blockchain design principles aimed at improving scalability and efficiency (Xu et al.
, 2.
Additionally, recent studies in digital forensic frameworks emphasize that integrating blockchain with structured forensic models can significantly strengthen evidentiary reliability and legal admissibility, particularly when supported by automated provenance tracking mechanisms (Xu et al.
, 2.
Tampering Simulation and Avalanche Effect Analysis To evaluate tampering sensitivity, a controlled modification was performed by altering one byte within the attack_run01.
pcap file using a hexadecimal editor.
The integrity verification process generated two SHA-256 hash outputs corresponding to the original and modified Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A The (Horigina.
The (Hmodifie.
Both hash values were converted into binary format and compared using the XOR operation to determine the number of differing bits between the two outputs.
The comparison results indicate that Bflipped=129 bits.
Since the SHA-256 algorithm produces a fixed output length of Btotal=256 The Avalanche Effect (AE) value was calculated using the following equation:
AE = Bflipped/ Btotal x 100% ,- AE = ,.
/ x 100% AE = 50.
The tampering simulation results demonstrate that the proposed framework effectively detects even minimal evidence modification.
The obtained Avalanche Effect value of 50.
confirms the strong diffusion property of the SHA-256 hashing algorithm, where minor input changes result in substantial output differences.
This characteristic is essential in forensic applications to ensure that any unauthorized modification can be reliably detected.
From a theoretical perspective, this finding is consistent with cryptographic security principles, which require hash functions to exhibit high sensitivity to input variation in order to prevent collision and manipulation attacks (Upadhyay et al.
, 2.
It is important to note that the Avalanche Effect reflects the cryptographic behavior of the SHA-256 hashing algorithm rather than the blockchain layer itself.
The role of blockchain in the proposed framework is to preserve hash records through tamper-resistant provenance logging and to enable distributed verification of integrity assessments across participating nodes.
Consequently, the Avalanche Effect result should be interpreted as evidence of the sensitivity of the hashing mechanism, while blockchain contributes to the trustworthiness and traceability of the integrity verification process.
Compared to previous studies that focus primarily on blockchain-based provenance without evaluating cryptographic robustness (Liang et al.
, 2017.
Lone & Mir, 2.
, this study provides an additional validation layer by incorporating Avalanche Effect analysis.
Recent research in forensic security systems also highlights that combining cryptographic validation with distributed ledger recording significantly enhances resistance against anti-forensic techniques, which often exploit weaknesses in centralized logging mechanisms (Chen, 2025.
Rani et al.
, 2025.
Riadi et , 2.
Integrity Verification Analysis Integrity verification was performed by comparing recalculated SHA-256 hash values with the corresponding hash records stored in the blockchain ledger.
The verification results are summarized in Table 2.
Table 2.
Integrity Verification Results Verification Result File Name Baseline_run01.
Valid Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A Baseline_run02.
Baseline_run03.
Baseline_run04.
Baseline_run05.
Attack_run01.
Attack_run02.
Attack_run03.
Attack_run04.
Attack_run05.
Valid Valid Valid Valid Rejected Valid Valid Valid Valid The integrity verification results indicate that the proposed framework consistently differentiates between valid and tampered evidence.
All non-manipulated datasets were successfully verified, while the modified dataset was correctly rejected due to hash inconsistency.
This outcome demonstrates that the system enforces strict integrity validation through deterministic cryptographic hashing combined with immutable blockchain records.
This result can be explained by the inherent properties of hash functions, where any alteration to the input data produces a completely different output.
When these hash values are stored within a blockchain ledger, they serve as immutable references that cannot be altered without detection.
This mechanism significantly enhances the reliability and trustworthiness of digital evidence, which is critical for forensic investigations and legal proceedings.
Furthermore, the findings highlight an important distinction between malicious content and evidence integrity.
The presence of attack traffic does not inherently compromise data integrity unless post-acquisition manipulation occurs.
This observation is consistent with network forensic principles, where integrity violations are primarily associated with unauthorized modification rather than the nature of the captured data itself (Riadi et al.
, 2.
Similar conclusions have been reported in recent forensic studies, which emphasize the importance of preserving evidence authenticity independently from attack characteristics (Atlam et al.
, 2.
Latency Analysis To provide an initial assessment of the operational characteristics of the proposed framework, preservation latency was measured across all experimental datasets.
The resulting latency values are presented in Table 3.
Table 3.
Preservation Latency Analysis File Name Category T_hash T_consensus Final T_total .
Status baseline_run01.
baseline_run02.
baseline_run03.
baseline_run04.
baseline_run05.
attack_run01.
attack_run02.
attack_run03.
attack_run04.
attack_run05.
Normal Normal Normal Normal Normal Attack Attack Attack Attack Attack Valid Valid Valid Valid Valid Rejected Valid Valid Valid Valid Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A The experimental results show that the average preservation latency across all datasets was 057 seconds.
The hashing process contributed only a small fraction of the total processing time, ranging from 0.
039 to 0.
047 seconds, whereas the blockchain consensus process accounted for the majority of the latency, with an average duration of approximately 2.
01 seconds.
Similar latency values were observed across both baseline and attack datasets, indicating that the traffic characteristics did not substantially affect processing time within the experimental environment.
Although these results indicate that the proposed preservation workflow can be completed within approximately two seconds per file, the findings should be interpreted with caution.
The present study did not include a direct comparison with conventional non-blockchain preservation mechanisms or alternative blockchain implementations.
Consequently, the relative performance impact introduced by blockchain integration cannot be conclusively determined.
Therefore, the reported latency values should be interpreted as preliminary evidence of feasibility within a controlled experimental environment rather than as definitive indicators of operational performance in real-world forensic deployments.
Additional evaluations involving larger datasets, higher transaction volumes, and comparative benchmarking against alternative preservation approaches are required to provide a more comprehensive assessment of scalability and efficiency.
Nevertheless, the consistency of the observed latency values across all experimental scenarios suggests that the proposed framework can maintain stable processing behaviour under the tested conditions.
This characteristic is important for forensic preservation workflows, where predictable evidence handling procedures contribute to process reliability and traceability.
Blockchain Verification Consistency Blockchain verification consistency was evaluated to assess the reliability of distributed ledger synchronization across all participating nodes within the proposed framework.
This evaluation focused on ensuring that cryptographic hashes, transaction records, and timestamps remained identical across validator, forensic, and archive nodes throughout the preservation Consistency in this context is critical for maintaining a trustworthy chain-of-custody, as any discrepancy between nodes may indicate data integrity issues or potential tampering.
The consistency value was calculated using the following equation:
Cv = 0( x 100% Cv represents the blockchain verification consistency (%).
Nm denotes the number of matching transactions across all nodes, and Nt represents the total number of transactions processed during the preservation phase.
The results of the consistency evaluation are presented in Table 4.
Table 4.
Blockchain Verification Consistency Node ycAyea ycAyei Cv (%) Validator Node Forensic Node Archive Node Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A All recorded transactions remained synchronized across participating nodes during the experimental evaluation, resulting in an observed consistency rate of 100% within the tested This finding demonstrates successful ledger synchronization under the evaluated However, the result should not be generalized to large-scale deployments without further scalability testing.
Blockchain systems are inherently designed to eliminate discrepancies through consensus protocols, thereby ensuring that all participants share the same version of the ledger (Zheng et al.
, 2.
Compared to prior studies that report potential synchronization challenges in distributed environments, the absence of inconsistencies in this study indicates that the implemented configuration is sufficiently robust for forensic applications (Casino et al.
, 2019.
Sunny et al.
Moreover, recent forensic frameworks emphasize that distributed trust models significantly enhance transparency and reduce reliance on centralized authorities, thereby improving the credibility of digital evidence management systems (Rani et al.
, 2.
Despite the strong consistency and reliability demonstrated by the proposed framework, several limitations should be acknowledged.
The experimental evaluation was conducted in a controlled environment with a limited number of PCAP datasets, which may not fully represent large-scale and highly dynamic real-world network conditions.
In addition, the use of a private blockchain configuration may influence performance characteristics, particularly in terms of scalability and consensus overhead.
Therefore, further studies are needed to validate the proposed framework in more complex and real-time forensic environments.
CONCLUSION
This study demonstrates that integrating blockchain technology into the preservation phase of the DFRWS framework can support integrity assurance through immutable provenance logging, chain-of-custody traceability, and distributed verification.
Experimental evaluation produced an Avalanche Effect value of 50.
39%, confirming the strong cryptographic sensitivity of SHA-256 to minimal data modification.
However, the primary contribution of the proposed framework lies not in the cryptographic sensitivity itself, but in its ability to provide immutable provenance logging, chain-of-custody traceability, and distributed verification through blockchain-based record management.
The framework achieved an average preservation latency 057 seconds within a controlled experimental environment, providing preliminary evidence of operational feasibility.
Nevertheless, further validation under larger-scale and real-world conditions is required before broader deployment conclusions can be drawn.
Future research can extend this work by exploring the integration of real-time forensic acquisition with intrusion detection systems (IDS) and security information and event management (SIEM) platforms.
Such integration would enable automated evidence capture and preservation directly from live network environments, improving responsiveness and reducing the risk of evidence loss during incident detection.
In addition, the incorporation of machine learning techniques offers potential for enhancing anomaly-driven evidence preservation.
By leveraging intelligent detection models, forensic systems could automatically prioritize and preserve highrisk network activities, thereby improving efficiency and scalability in large-scale environments.
Further studies are also recommended to perform comparative benchmarking against centralized Mirza Sutrisno.
Sunardi.
Rusydi Umar Blockchain-based Preservation Framework for Network A preservation systems.
Hyperledger-based implementations, and alternative permissioned blockchain architectures to quantify performance trade-offs and scalability characteristics.
REFERENCES