This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2017.Doi Number

An Enhanced Blockchain-based IoT Digital Forensics

Architecture using Fuzzy Hash
Wael A. Mahrous1 , Mahmoud Farouk2 , Saad M. Darwish3 P P P

1
Higher Institute for Tourism, Hotels and Computer, Al-Seyouf - Alexandria, Egypt.
2
Management Information System Department, Agami Higher Institute of Administrative Sciences, Alexandria, Egypt
3
Department of Information Technology, Institute of Graduate Studies and Research, Alexandria University, Alexandria, Egypt
Corresponding author: Saad M. Darwish ([email protected]).
This paragraph of the first footnote will contain support information, including sponsor and financial support acknowledgment. For example, “This work
was supported in part by the U.S. Department of Commerce under Grant BS123456.”

ABSTRACT Due to businesses' growing use of IoT services in their day-to-day operations and the increased use of smart
devices, digital forensic investigations involving such systems will need increasingly sophisticated digital evidence
collection and processing. The majority of IoT systems are composed of disparate software and hardware components, which
may pose security and privacy concerns. Recently, blockchain technology was presented as one of the options for achieving
IoT security via the use of an immutable ledger, a decentralized architecture, and strong cryptographic primitives. Integrating
blockchain platforms with IoT-based applications, on the other hand, poses a number of difficulties owing to the
trustworthiness, integrity, and real-time responsiveness of IoT data. However, certain IoT devices may be incompatible with
existing blockchain-based IoT forensic methods for additional digital evidence processing owing to their usage of
conventional hash. A critical feature of cryptographic hash functions is that even if just one bit of the input is altered, the
output acts pseudo-randomly, making it impossible to identify identical files. However, in the field of computer forensics, it
is essential to locate comparable files (e.g., various versions of a file); therefore, we need a hash function that preserves
similarity. It is getting more difficult to establish how forensic investigators might utilize traces from such devices. To
effectively deal with IoT digital forensics applications, this article presents an improved blockchain-based IoT digital
forensics architecture that use fuzzy hash to construct the Blockchain’s Merkle tree in addition to the conventional hash for
authentication. Fuzzy hashing enables the identification of potentially damning documents that might otherwise remain
undiscovered using conventional hashing techniques. By comparing blocks/files to all nodes in the blockchain network using
fuzzy hash similarity, the digital forensics investigator will be able to verify their authenticity. To support the proof of
concept, we simulated the suggested model.

INDEX TERMS Blockchain, Internet of Things, Fuzzy Hash, IoT Forensics, Digital Examination.

I. INTRODUCTION integrated standard complicate the collection of forensic

Digital forensics is getting increasingly difficult to evidence by security and law enforcement authorities.
perform as a result of the exponential growth of computing As a forensic analyst, this presents challenges since we
devices and computer-enabled paradigms, posing new must devise new methods for collecting and securing this
difficulties for remote data processing. The Internet of data while ensuring that no evidence has been tampered
Things (IoT) is the network of individually identified with. The aim is to identify solutions to these issues by
embedded computing devices that are connected to the examining how these various types of evidence may be
current Internet infrastructure. With billions of new and properly seized, kept, extracted, and evaluated. At the
growing devices, the IoT expands the security risks. While moment, there is a defined technique for collecting
the IoT inherits the same monitoring needs as cloud evidence from hard drives and mobile phones, but no clear
computing, the associated difficulties are exacerbated by protocol for investigating IoT-based devices [1]. While
the volume, diversity, and velocity of data [1]. Current standards for dealing with electronic or digital evidence are
digital forensic tools, investigative frameworks, and being developed, additional supporting disciplines must
procedures are incapable of addressing the IoT adapt to help investigators in this new realm and ensure
environment's heterogeneity and dispersion characteristics. they are educated about appropriate crime scene behavior
These features provide significant difficulties for digital [2].
forensic investigators and law enforcement agencies. The From an investigator's viewpoint, the primary
complexity of the IoT system and the absence of an difficulties presented by an IoT-based crime scene are as
follows: (1) the size of objects of forensic relevance; (2)

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

location - impacts on ease of access, potential connection to cost and performance and security. For resource-
other devices, local or cloud-based, etc. (3) The constrained IoT devices, lightweight –based blockchain
significance of the devices discovered and collected (4) technology is an effective way to force evidence integrity
Legal/jurisdictional considerations (5) Ambiguous network [41].
boundaries/edgeless networks, i.e. no perimeter or a Fuzzy hashing enables the identification of potentially
perimeter that is less clearly defined. (6) Are the tools damning documents that might otherwise remain
available sufficient for the tasks? Is the data secure? Is the undiscovered using conventional hashing techniques. The
device a data storage device or is it just middleware? [3]. fuzzy hash is similar to the fuzzy logic search in that it
Existing methods are built for a different generation of looks for documents that are similar but not identical,
evidence sources, with the premise that items of forensic referred to as homologous files. While homologous files
interest would always be available and accessible — while contain similar binary data strings, they are not exact copies
objects of forensic interest in the IoT may not always be [7]. Additionally, fuzzy hashing may be used to compare
available or accessible [3]. Cloud forensics will also be incomplete files, such as sliced papers, to other documents
critical in enforcing cybersecurity best practices since all of interest. Carving may enable the recovery of fragments
data produced by IoT components will be kept in the cloud of documents that may be linked to the original. Fuzzy
for scalability, capacity, and ease. As the number of IoT- hashes may also be used to connect a document to a suspect
connected devices continues to increase, it has become when the document implicating the suspect does not exist in
necessary to create a new procedure for investigating IoT- the current file system. If the investigator has access to the
related events. To address security issues, a new era of original or suspected document, it is possible to hash it
digital forensics and best practices will be required to fuzzily [7]. It may then be compared to carved objects
authenticate and utilize physical and digital evidence extracted from the image to ascertain if it was ever in the
concurrently in a changing regulatory environment [4]. system.
Numerous businesses and academics are increasingly
interested in blockchain technology because it A. PROBLEM STATEMENT
offers solutions to the issues connected with traditional Due to a lack of security mechanisms, evidence in IoT
centralized architecture. Whether public or private, a devices can be altered or destroyed; this can have a
blockchain is a distributed ledger that is capable of detrimental impact on the quality of evidence and possibly
preserving transaction integrity by decentralizing the ledger render it inadmissible in court. Vendors may not update
across participating users [5]. While the centralized IoT their devices on a regular basis or at all, and they frequently
system offers many advantages, it also introduces some discontinue support for older devices when releasing new
difficulties. Integrating IoT and blockchain technologies products with new infrastructures. As a result, hackers can
may help address these issues. Numerous studies utilize the attack newly found weaknesses in IoT devices. An
blockchain as a data integrity preservation technique in the investigator must identify and gather evidence at a digital
digital forensics process since it makes the ledger and crime scene during the identification phase of forensics.
internal information visible to all parties, allowing for the One problem is identifying all IoT devices present at a
verification and preservation of the information's integrity. crime scene, many of which are tiny, harmless, and perhaps
Current data integrity verification techniques in digital switched down. Furthermore, due to the variety of devices
forensics are usually used to gather digital evidence via and manufacturers' varied platforms, operating systems, and
legal processes and image the disk using professional hardware, collecting evidence from these devices is a
digital forensic tools [6]. A central authority verifies digital significant problem. Current digital forensic techniques are
evidence in this manner. However, this centralized not intended to deal with the heterogeneity that exists in an
approach of preserving evidence's integrity introduces the IoT context. Massive volumes of diverse and dispersed
danger of evidence being tampered with by malevolent evidence created by IoT devices found at crime scenes
insiders or attackers. significantly increase the difficulty of forensic
In general, the primary constraints of blockchain for investigations [8-12].
IoT [5] [6] are as follows (1) Resource consumption: to Recently, the benefit of blockchain technology in
secure the blockchain network from attack, the digital forensics is that the examiner may self-verify digital
conventional consensus method consumes a large number evidence by using the hash function to efficiently create a
of resources, which is too expensive for resource- chain of verifiable evidence. However, the conventional
constrained IoT devices. (2) Throughput limitation: hash method used to ensure data integrity inside blockchain
Because a new block's capacity is restricted, transactions networks is inefficient at dealing with identical files that
per second are generally limited to a few dozens, making it may arise from benign or malicious alteration of the IoT
unable to keep up with the exponential development of IoT sensors examined by the forensic investigator.
devices. Finally, (3) Confirmation delay: The confirmation
delay is too long for IoT applications because of the low B. CONTRIBUTION
access rate of new blocks [40]. As a consequence, there is a The article proposes a fuzzy-enabled blockchain
need for a lightweight algorithm(s) with trade-offs amongst framework for IoT forensics investigation. The proposed

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

framework provides forensic investigation with high levels governance, and their findings indicate that blockchain
of authenticity, traceability, and distributed confidence technologies may effectively fund fraudulent online product
among evidentiary entitles and examiners to deal with the evaluations. In untrusted software development, blockchain
heterogeneity that exists in an IoT context. Within the technology can guarantee integrity, trust, immutability, and
suggested framework, the evidence items are hashed into a authenticity.
Merkel tree and written into the block using a fuzzy hash. The blockchain is utilized in [30] to offer auditability and
Merkle trees provide a way to prove both the integrity and traceability during software development, and a role-based
validity of data and significantly reduce the amount of access control system is created to prevent illegal data
memory needed to do the above. Furthermore, the required access. Hossain et al. [31] presented a blockchain-based
proof and management only needs small amounts of forensic investigation framework for identifying criminal
information to be transmitted across networks. Utilizing events in IoT environment and gathering interactions
fuzzy hash functions enables forensic investigators to between various IoT entities. Although the suggested
successfully deal with permissible alteration to digital framework is effective at modeling interaction transactions,
evidence while using conventional hash methods is it is inefficient in collecting and analyzing data in large-
ineffective in this situation. The suggested model is feasible
scale IoT systems. Lone and Mir [32] developed a DF chain
for implementing in low power and low memory IoT
based on the widely used Ethereum blockchain technology.
devices through utilizing a simplified Proof of Work (PoW)
The recommended forensic chain concept was implemented
consensus (lightweight –based blockchain).
The remainder of this article is structured as follows. on Ethereum, which may offer data gathered from various
Section II provides a thorough overview of current research sources with integrity, transparency, and authenticity.
on IoT forensic analysis, and Section III proposes a Numerous studies have been conducted on the digital
blockchain-enabled IoT forensic chain architecture. Section investigation in a heterogeneous environment [20], on
IV covers IoT blockchain forensic applications and a use lightweight security solutions for IoT devices [26], and
case; Section V summarizes the paper's research difficulties digital witnesses [33].
and trends. In [10], the authors presented a fog-based IoT forensic
framework for early detection and mitigation of intrusions on
II RELATED WORK IoT devices. With the proliferation of IoT devices, the
In recent years, IoT-related research efforts have focused
number of security breaches and cyber-attacks is expected to
on IoT forensics [13-17], which includes the identification,
grow. Regrettably, existing forensic techniques are
collection, storage, analysis, and dissemination of digital
insufficient for collecting forensic evidence in the event of a
evidence in IoT environments [16], which is very distinct
cyber-attack involving an IoT device. The authors addressed
from traditional computer forensics. IoT systems include a
varied range of smart devices, heterogeneous networks, and significant difficulties connected with cloud computing and
different applications, where massive data volumes and IoT forensics, as well as alternative computing paradigms
disparate technologies provide new difficulties for forensic such as fog computing that may aid in resolving these issues.
investigation [18]-[20]. Since 2017, Digital Forensics (DF) In [12], the authors established the blockchain-based
has used developing blockchain technology to record forensic investigation framework by taking into account the
evidence objects, interaction activities, and evidence variety of devices, evidence items, data formats, and more in
preservation [21]–[26]. the complex IoT context. The primary objective is to recover
Numerous forensic investigation techniques and artifacts from IoT devices and then publish them to a
analytical models have been suggested based on the blockchain-based IoT forensic chain after evaluating the
knowledge and experiences of forensic investigators and relationships between evidence items, their provenance,
practitioners [20], [27]. However, there are presently no traceability, and auditability.
internationally recognized standards that codify these In [13], the authors described a novel similarity hashing
established forensic investigative procedures. Specifically, method for use in digital forensics. Their hash is based on the
current forensic investigation techniques have many information retrieval concept of TF-IDF (Term Frequency -
difficulties in complex digital settings such as IoT, cloud Inverse Document Frequency). The TF-IDF is a statistical
computing, and the networked digital cyber-physical metric that is used to determine the significance of a word in
environment. Cebe et al. [21] created a blockchain a collection or corpus of documents. Their hash function
architecture that is optimized for lightweight application takes advantage of this concept to determine the most
that integrates DF procedures and data privacy to enable significant pieces (features) of a text. The contribution of a
effective digital examination of vehicles. file fragment to the final similarity score is determined by its
Zhang et al. [28] recommended a provenance process significance or relevance in this metric.
model for digital investigations using blockchain In [43], the authors provided a comprehensive survey of
technology in a cloud environment, intending to increase various frameworks and solutions in all branches of digital
stakeholder confidence in cloud forensics. Al-Nemrat et al. forensics with a focus on cloud forensics. Many issues arise
[29] examined the feasibility of incorporating blockchain as a consequence of the application of digital forensics in
technology into the investigation of financial fraud in e- crimes committed in a smart environment with IoT devices,

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

since the increased number of digital devices linked to the proposed to address all of these issues. In other more
internet results in an ever-growing amount of data. Based on sophisticated cases, new frameworks were proposed to
these issues confronting forensics in the age of new address issues that can be resolved through integration.
technology, a new integration between forensics processes Table 1 shows the main DF frameworks and solutions that
and new technologies such as mining algorithms, security were suggested for the IoT environment.
algorithms, data integrity and authentication algorithms was

TABLE I
MAIN FRAMEWORKS AND SOLUTION THAT SUGGESTED IN IOT BRANCH OF DIGITAL FORENSICS

Framework Comments and Limitation Contribution and Comments

This framework includes the fundamental phases of the

Generic Digital Forensics for
digital forensics process, but it lacks a strategy for It is significant because it incorporates the different
IoT [44]
feedback and assessment, and it makes no reference to safety concepts provided by the ISO standard.
privacy or integrity.

The primary objective is to provide a new

This framework is a privacy-conscious framework that
IoT Forensics Framework lightweight version of the IoT forensics framework
incorporates a set of privacy principles capable of
for Smart Environment that can be used to investigate crimes that
enhancing data privacy but is insufficient for IoT devices
[45] happened in the IoT environment and is
with low resources.
compatible with the nature of IoT devices.

IoT Forensics Meets Privacy The suggested model's concept is to offer a digital
The author presents an adaptive Model for the study of an
Towards Cooperative Digital witness strategy and methodology that enables
IoT environment that incorporates a number of privacy
Investigations citizens to submit sensitive information with
and security issues.
[46] investigators through the PROFIT technique.

The suggested model comprises of the fundamental

Application Specific Digital A forensically significant artifact in three widely
phases of the forensic process and does not include any
Forensics Investigative Model accepted IoT application scenarios: smart house,
security concepts like as privacy, integrity, or
in IoT [47] smart city, and wearable.
confidentiality.

The suggested framework incorporates all of the

This is a privacy-conscious framework that includes a set
Privacy Aware IoT Forensics fundamental phases of any forensic process model,
of privacy principles capable of improving data privacy
Process Model [48] as well as additional stages such as review,
but is inadequate for low-resource IoT devices.
initiation, and feedback.

From the literature, it is apparent that the most recent accurately identifying data sources during the early
DF analysis and research efforts fall into two categories: investigation stage, reducing data storage, and increasing
(1) those aimed at helping law enforcement, and (2) those transactional analysis efficiency, all of which can help
aimed at particular forensics applications. The purpose of reduce the investigation's costs. All the studies that
this study is to create a distributed ledger architecture that discussed the IoT digital forensics [1][3][5][8] confirmed
may be utilized in complicated cyber settings (such as IoT that utilizing blockchain technology provides security
and cyber-physical systems). The primary difference against attacks as the IoT forensic investigation
between the proposed model and the previous blockchain- framework is built on private blockchain network.
based IoT digital forensics framework is that the The suggested approach, which incorporates fuzzy
proposed model analyzes the Blockchain validity hashing into the IoT Blockchain’s digital forensic
(evidence items) using fuzzy hashing rather than architecture, primarily accomplishes the following goals.
traditional hashing in order to extend the ability of related (1) Forensic examinations. (2) Continual integrity: critical
work to deal with evidence item modifications caused by evidence data was lost or corrupted as a result of insecure
benign or malicious IoT environment attacks. When the evidence systems. A continuous integrity check or
resemblance between two blocks exceeds 95%, the block validation method is now lacking for the whole evidence
is recognized as original evidence. chain; the fuzzy hash will be able to resolve this issue. (3)
Due to the nature of blockchain technology, it is capable
of providing DF immutability and audibility, which are
III METHODOLOGY
critical characteristics of a DF chain of evidence. (4) The
In general, the blockchain can increase transparency at blockchain may be used to track flaws and offer
each stage, for example, by assisting the examiner in convenient traceability from the scene to the court

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

throughout the evidence chain, thus restricting access to timestamps, and tools) on the blockchain [12]. Fig. 1
all recorded data (i.e., evidence items, examiners, depicts the suggested model's major schematic.

FIGURE 1. Fuzzy hash-based blockchain of IoT evidence management.

- Along with additional metadata and timestamps, the
A. EVIDENCE IDENTIFICATION AND ACQUISITION fingerprinted records will be uploaded to the blockchain,
In an IoT context, the vast majority of data is as will any identification events/findings throughout this
recorded digitally at the point of collection, with proof in step.
the form of digital assets gathered from sensors, devices, - Each member in the peer-to-peer blockchain network will
cloud storage, and other sources. Restriction of access to have a full copy of the evidence blockchain. Once an
a digital asset is problematic in the context of criminal evidence block is added to the blockchain, each
evidence. This stage consists of three major steps: participant may be certain that the data will be accessible
- The suggested approach identifies and fingerprints digital and traceable. Each piece of evidence will have an
evidence using a one-way hash algorithm (SHA256). If extremely high degree of provenance. For instance, if an
several versions of digital assets are discovered, each evidence item consists of several parts from various
claiming to be definitive, a digital fingerprint is created sources, each component and its source will be
for each piece of digital evidence; the contents and fingerprinted using a hash function to create a TE item in
inspection events are specified as TE records. Fig. 2 the blockchain [34]. Similarly, the blockchain will be
illustrates a JavaScript Object Notation (JSON) script for used to create the whole of the complete evidence chains.
a piece of evidence. When TEs need to be "transferred" from one party to
- another, new records will be generated and added to the
blockchain using digital signatures.
B. FORENSIC-CHAIN FRAMEWORK
The proposed model is a blockchain-based forensic
chain of custody solution for digital investigation. It
enables the system to establish a distributed ledger for
recording and storing TEs (examining events/findings,
and other information). These TEs will be distributed
through the blockchain network to all authorized
participants. The framework is comprised of the essential
components listed below.
- Users and IoT Devices: The term "users" refers to those
FIGURE 2. JSON script for evidence blocks. who are involved in this investigation as users, owners, or
examiners [35]. All devices, sensors, and IoT

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

infrastructures involved in the case are included in this

framework.
- Merkle Tree: A Merkle tree is a hash tree that enables the
investigation's TEs to be verified efficiently and securely
[12]. It can aggregate all TEs, examine other information
in a block, and generate a digital signature for the whole
collection of objects, allowing a user to verify whether or
not a transaction is included in a block. Fig. 3 illustrates a
Merkle tree of nodes, where the TE is a file in this
instance (it could be folder or memory). A hash tree may
be constructed by continually hashing transactional
evidence or its hash value until it aggregates into a single FIGURE 4. Chained blocks.
root hash; in this work, HT indicates the evidence's hash
value.
- Block: In the proposed model's blockchain network, the
HT 1 =Hash (Transactional_Evidence#1) (1) evidence item's signature may be validated. Each block's
HT 2 =Hash (Transacrional_Evidence#2) (2) header includes the following attributes: the pre-block
HT 12 =Hash (HT 1 |HT 2 ) (3) hash, the version, the nonce, the timestamp, the block
H root =Hash (H 12 |…) (4) state, and the Merkle root (see Fig.4). The TE item is
used to represent the record of the evidence item and is
This phase reads all block information and applies the hashed into a Merkle tree.
Merkle tree method to get the Merkle root using the fuzzy - Smart Contract: A smart contract, also known as a
hash to validate the transactions across all blocks. Finally, blockchain contract, is a computer-executable digital
this node creates the new block as a new file using the contract. Typically, the smart contract is kept on the
Merkle tree algorithm. Algorithm 1 outlines the stages
blockchain network and is overseen by the nodes of the
involved in the construction of a Merkle tree.
blockchain network. It enables users to exchange
information, data, and business processes automatically
and without the need for a middleman. Smart contracts
may execute, verify, and make decisions automatically in
a secure and immutable manner on the decentralized
ledger [12]. The following features of the smart contract
may help the DF investigation. (1) Autonomy—it may
specify the criteria for autonomously locating linked
evidence items. (2) Trust evidence item may be encrypted
and stored on a distributed ledger. (3) Security—items
may be encrypted cryptographically. (4) Speed—when
compared to manual processing, smart contracts may
substantially decrease examination time. (5) Cost
savings—smart contracts eliminate the need for
FIGURE 3. Merkle tree structure. intermediaries such as notaries and witnesses. (6)
Accuracy—the automated smart contract operates in a
Algorithm 1 : MERKLE_TREE more efficient, accurate, and cost-effective manner.
Input Mined Block Header H : Block payload P In our approach, a smart contract begins when the node
Output Similarity, Boolean valid receives transaction evidence; the node then calculates the
H = Extract_nonce_value ( ) nonce using Proof of Work (PoW) consensus and
B=Calculate_Merkle_Tree ( ) broadcasts it to the blockchain network; it then constructs
V=Create header_verify(H,P,B) a Merkle tree depending on the validity of prior blocks. A
R=verify(H,B,V) fuzzy hash of all previous blocks is utilized inside the
Similarity= calculate_ssdeep_hashed_value(R) Merkle tree, and if it is valid, the node will add the new
if (similarity >=90) then block to the current blockchain in the form of a file.
Valid TRUE; In our case, reducing the complexity of PoW is needed
else in IoT. Using a simplified PoW will decrease the time to
Valid FALSE; achieve the consensus between nodes in an IoT network
end if and this is the most used business scenario. For Bitcoin
return Valid; and Ethereum applications, PoW is attributed with high
End complexity as it requires high computer resources, such

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

as memory and processor as each node requires to C) ANALYSIS

generate a hash value that starts with ‘0000’, which will The smart contract will be utilized to generate the
take a long time until finding the required hash. In an IoT analysis results at this step. The digital investigator will
network, we should reduce the PoW complexity due to analyze the block information to ensure that the similarity
IoT resource-constrained. In the suggested model, to rate is more than 90%, ensuring that the blockchain is not
achieve the consensus between nodes in an IoT network, tampered with. Utilizing fuzzy hash functions enables
we used a simplified PoW algorithm so that the generated forensic investigators to successfully deal with
hash started with ‘00’ instead of ‘0000’, which will permissible alteration to digital evidence while using
reduce the time required to create the new block and conventional hash methods is ineffective in this situation.
consequently reduce the complexity. The digital forensic investigator will pick any node with a
- Fuzzy Hashing: To ensure that the blockchain is not random block in the concurrent blockchain, create the
tampered with at any node, the digital forensic fuzzy hash signature. and then compare the signatures to
investigator will utilize SSDEEP [36] as a fuzzy hash the blocks of other nodes using SSDEEP. The result is
method to compare file similarities. In security analysis, 100, indicating that the whole block conforms to the
fuzzy hash methods are used to try to identify file block signature and the block data is unaltered.
tampering while examining the integrity and similarity of
files of interest [36]. The file of interest is split into D) PRESENTATION
several blocks and a hash value is computed for each As stated before, this step will be based on the
block, with the last step being the concatenation of all analysis stage's results; all evidence can be readily
block hash values to create the fuzzy hash value tracked back to its source. All reports and presentations
illustrated in Fig. 5. Numerous variables influence the will be built on top of the blockchain and will be added to
length of the fuzzy hash value, including the block size, it.
V. EVALUATION AND DISCUSSION
the file size, and the output size of the hash algorithm
chosen. In this section, we assess the suggested model by
Herein, SSDEEP is utilized to build fuzzy hash conducting several experiments in terms of throughput,
[36][37]. SSDEEP is a program that computes context- response time, and the delay-incurred performance metrics.
sensitive piecewise hashes (CTPH). CTPH, also known Our model is implemented using python. For developing
as fuzzy hashes, is capable of matching inputs that share Python programs, Atom IDE is used. All the experiments
homologies. These inputs include sequences of identical are simulated on Intel Core i5 CPU 2.4 GHz, 4 GB
bytes in the same order, but the bytes between these memory, Windows OS. Herein, the miner is deployed for
sequences may vary in content and length. This technique validating the blockchain and the Proof-of-Work concept is
splits a file into a number of chunks according to its used. The proposed model started with building a Merkle
content. A rotating hash technique is used to identify the tree, validating the blockchain, creating root hash using
endpoints of these blocks. A rolling hash algorithm fuzzy hash, implementing the proof-of-work then creates
generates a pseudo-random value from the input's current the text file containing the block information. In our case,
context. The rolling hash algorithm operates by preserving the fuzzy hash is used to encode the Merkle tree and this
a state 6 entirely on the basis of the last few bytes of the step comes after applying SHA256 to encode the TE
input. Each byte processed is added to the state and deleted records.
after a certain number of additional bytes have been The first set of experiments was conducted to compare
processed [38]. fuzzy hash and traditional hash for creating root hash of
created Merkle tree in terms of response time. The
response time is the time taken by the node to receive the
transaction, mining the new block, and creating a text file
with the mined block information. Fig. 6 shows the
response time as a function of the number of minded
blocks. The results reveal that the response time is
gradually increased with the increase in the number of
mined blocks.
The results reveal that the suggested model that utilizes
fuzzy hash reduces the response time by an average of 2%
compared with the same model that utilizes traditional hash
to encode TE records. This confirms that the suggested
model can be implemented in real-time digital
FIGURE 5. Generation of Fuzzy Hash Value investigation applications. One possible explanation of
these results is that fuzzy hash operates based on the MD5

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

algorithm and the complexity of the MD5 algorithm and transactions, services, the CPU utilization varies during
SHA256 is equal but the running time of MD5 is faster producing the new blocks.
than SHA256. MD5 produces 32 chars hash while
SHA256 produces 64 chars hash. The results shown in 30
Fig. 7 confirm the same fact that was concluded previously
25

CPU Utilization (%)

but in the case of a large number of mined blocks. The
results confirm the feasibility of the suggested model to 20
deal with a large number of blocks in terms of response 15
time for mined blocks.
10
5
SHA256 encoding Fuzzy hash encoding
12 0
1 9 25 95 120 144 167 187 211 308 322 330 341 402 438
10
No. of Blocks (evidence)
Time (Second)

8
6 FIGURE 8. CPU utilization with respect to the number of blocks

4
In order to asses our model performance, a modern
2 load testing framework called Locust [39] was used to test
0 the system infrastructure along with the various APIs. It
0 5 10 15 20 25 30 allows to simulate users’ behavior using Python scripts.
No. of Blocks Three scenarios were designed to stress all the Model APIs.
They involve a variable number of concurrent users (50,
FIGURE 6. Response time for the mined block using SHA256 vs Fuzzy 100 and 150) with a fixed hatch rate of 5 users/sec. Each
Hash (in case of a small number of blocks) scenario is run for a duration of 2 minutes during which
users perform multiple operations, including GET chain to
get the available used blockchain status, POST transaction
to the available node, and GET the mined block status. Fig.
SHA256 encoding Fuzzy hash encoding 9 through 11 depict the percentage of requests completed
in a given time interval for the three scenarios. We observe
8 that the completion time increases with the increase in the
number of concurrent users, it is also observed that
6
GET/mine requests incur longer service time, this is
Time (Second)

because the mining process uses computer resources to do

4
the POW consensus and applying Merkle tree root hash.
2

0 25000 25000
25000 22000 23000 23000 25000
Completion time (ms)
Block 1
Block84
Block181
Block259
Block300
Block371
Block471
Block487
Block601

20000
Block631
Block763
Block788
Block875
Block 891
Block955
Block991

15000 10000

10000 5300
1800 3300 4300 9200 9300 9500
10000 10000 9500 9500
5000 200 380 650 4400 7200 10000 10000
820 26005600
No. of blocks 180 350 730
1000 2800
0

FIGURE 7. Response time for the mined block using SHA256 vs Fuzzy
Hash (in case of a large number of blocks).

The second set of experiments was implemented to Percentage of requests completed

assess the overall average CPU usage against the number
of generated blocks. As expected, from Fig. 8, more CPU GET /chain POST /transaction GET /mine
resources are needed to mine more blocks. However, as the
number of blocks to be mined increased, the amount of FIGURE 9. Completion time with respect to the percentage of the
CPU usages does not increase with a large amount. various completed requests (50 users)
According to the computer resources and the number of

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

consumption. We used a wall outlet power meter to

measure the power consumption.
41000 41000 42000
The results in the Table 2 and Table 3 show the time and
45000
42000
37000 42000 power consumption that are required to run the proposed
Completion time (ms)

40000 33000
30000
35000 26000 model on two devices with different configurations ( one
30000 29000 30000 31000 31000
19000 26000
25000
15000 26000 27000 29000
31000 31000 31000 31000
31000 31000
for IoT device with low configuration and the other for
18000
20000 15000 17000
20000
14000 IoT device with high configuration ) respectively. The
9000 10000
15000 10000 larger value of time for Raspberry Pi device is due to the
10000
5000
complexity of operations needed to be performed.
0 Moreover, the Raspberry Pi needs less resources as
50% 66% 75% 80%
compared to a laptop. According to the above comparison
90%
95%
98%
99%
99.90%
in terms of time and power consumption, the suggested
99.99%
100% model is feasible for implementing in low power and low
Percentage of requests completed memory IoT devices.
TABLE 2
GET /chain POST /transaction GET /mine TIME NEEDED TO GENERATE THE NEW BLOCK AND ADDED IT TO THE
BLOCKCHAIN NETWORK (SECONDS)
Laptop Raspberry Pi
High configuration Low configuration
FIGURE 10. Completion time with respect to the percentage of the
various completed requests (100 users)
Average
3 13
Time
TABLE 3
POWER CONSUMPTION NEEDED TO GENERATE THE NEW BLOCK AND
ADDED IT TO THE BLOCKCHAIN NETWORK (MW)
Completion time (ms)

69000 69000 Laptop Raspberry Pi

70000 69000
60000 62000
56000 High configuration Low configuration
60000 52000

50000
Average
37000 4 12
43000 46000 47000 48000
3800043000 46000 48000 48000 Power
40000 27000 46000 47000
21000 24000 47000 47000
34000
20000 22000 22000 24000
30000
19000 21000 22000 23000
20000 VI.CONCLUSION AND FUTURE WORK
10000 Preservation of data integrity is carried out
0 independently by central authorities in the present digital
50% 66%
75%
forensics investigation. This method is sufficiently
80%
90%
95%
98%
efficient and convenient procedurally, but the integrity of
99%
99.90% prospective evidence may be jeopardized if the central
99.99%
100%
authority is attacked by a malevolent attacker.
Percentage of requests completed
Additionally, human and material resources are expended
to maintain the chain of custody and ensure the
GET /chain POST /transaction GET /mine
investigation's integrity. Unlike today, the existing chain
of custody method must include a more robust approach to
FIGURE 11. Completion time with respect to the percentage of the various integrity preservation and streamlined processes in order to
completed requests (150 users). conduct a thorough digital forensic investigation in large-
scale IoT settings.
This article performed preliminary forensic study on the
The final set of experiments was conducted to confirm blockchain-based forensic investigation framework, taking
the ability of the suggested model for execution on IoT into account the variety of devices, evidence items, and
devices with low configurations such as The Raspberry Pi data formats found in the complex IoT environment. We
that is a low-cost, credit-card- sized computer. Raspberry propose a blockchain-based digital forensic framework for
Pi is widely used in many areas, such as for weather the IoT environment in this article to address the
monitoring, because of its low cost, modularity, and open heterogeneity and dispersion of the IoT environment, as
design. It is typically used by computer and electronic well as the centralization of current forensic investigations.
hobbyists, due to its adoption of HDMI and USB devices Additionally, we show the updated block structure and
[42]. In our case, the employed Raspberry Pi has the workflow of the suggested framework for investigation by
following configuration: Processor type: 32-Bit, Max CPU encoding Merkle trees with fuzzy hash to cope with
Speed: 700 MHz, Operating System: Raspbian 5.6.12, evidence similarities (different version document). In the
Model: 3B, Memory: 512 MB. In this case, was considered future work, we will investigate ways to enhance the
Raspberry Pi as a node on our blockchain network. Two suggested digital forensic investigation model's execution
important factors for IoT devices are considered during the time and its complexity and apply it to real digital
experimentation: time consumption and power investigations.

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

IV. REFERENCES
[22] S. Wu, Y. Chen, Q. Wang, M. Li, C. Wang, and X. Luo, “CReam:
a smart contract enabled collusion-resistant e-auction”, IEEE
[1] M. Dermott, T. Baker, and Q.Shi, "IoT forensics: challenges for Transactions on Information Forensics and Security, vol. 14, no. 7,
the IOA era”, 9th IFIP International Conference on New pp. 1687–1701, 2019.
Technologies, Mobility and Security (NTMS), France, pp. 1-5, [23] L. V. Der Horst, K.-K. R. Choo, and N.-A. Le-Khac, “Process
2018. memory investigation of the bitcoin clients electrum and bitcoin
[2] Z. Baig, P. Szewczyk,C. Valli, P. Rabadia, P. Hannay, M. core,” IEEE Access, vol. 5, pp. 22385–22398, 2017.
Chernyshev , M. Johnstone, P. Kerai, A. Ibrahim, K. Sansurooah, [24] H. Ritzdorf, C. Soriente, G. O. Karame, S. Marinovic, D. Gruber,
and N. Syed, “Future challenges for smart cities: Cyber-security and and S. Capkun, “Toward shared ownership in the cloud”, IEEE
digital forensics”, Digital Investigation, pp. 3-13, 2017. Transactions on Information Forensics and Security, vol. 13, no.
[3] U. Salama, “Smart Forensics for the Internet of Things (IoT)”, 12, pp. 3019–3034, 2018.
Security Intelligence IBM, 22nd , March 2017. [25] G. Tziakouris, “Cryptocurrencies—A forensic challenge or
[4] B. Cao, Z. Zhang, D. Feng, S. Zhang, L. Zhang, M. Peng, and Y. opportunity for law enforcement? an INTERPOL perspective,”
Li,” Performance analysis and comparison of PoW, PoS and DAG IEEE Security Privacy, vol. 16, no. 4, pp. 92–94, 2018.
based blockchain”, Digital Communications and Networks, vol. 6, [26] Z. Liu, and H. Seo, “Iot-nums: Evaluating nums elliptic curve
issue 4, pp. 480-485, 2020. cryptography for iot platforms”, IEEE Transactions on
[5] H. Atlam, and G. Wills, “Technical aspects of blockchain and IoT. Information Forensics and Security, vol. 14, no. 3, pp. 720–729,
InAdvances in Computers”, Elsevier , Vol. 115, pp. 1-39, 2019. 2019.
[6] J. Ryu, P. Sharma, J. Jo, and J. Park,” A blockchain-based [27] A. Valjarevic and H. Venter, “A harmonized process model for
decentralized efficient investigation framework for IoT digital digital forensic investigation readiness,” in Advances Digital
forensics”, Journal of Supercomputing, vol. 75, no. 8,pp. 4372- Forensics. Berlin, Germany: Springer, 2013.
4387, 2019. [28] Y. Zhang, S. Wu, B. Jin, and J. Du, “A blockchain-based process
[7] D. Hurlbut, “Fuzzy Hashing for Digital Forensic Investigators”, provenance for cloud forensics”, 3rd IEEE International Conference
AccessData, 2009. on Computer and Communications (ICCC), pp. 2470–2473, China,
[8] M. Samaniego, U. Jamsrandorj and R. Deters, "Blockchain as a 2017.
Service for IoT," IEEE International Conference on Internet of [29] A. Al-Nemrat, “Identity theft on e-government/e-governance &
Things (iThings), pp. 433-436, 2016. digital forensics,” IEEE International Symposium on
[9] M. Xenya, and K. Quist-Aphetsi, "A Cryptographic Technique for Programming and Systems, p. 1, Algeria, 2018.
Authentication and Validation of Forensic Account Audit Using [30] D. Ulybyshev, M. Villarreal-Vasquez, B. Bhargava, G. Mani, S.
SHA256" International Conference on Cyber Security and Internet Seaberg, P. Conoval, R. Pike, and J. Kobes, “(WIP) blockhub:
of Things (ICSIoT), Accra, Ghanapp, pp. 11-14, 2019. Blockchain-based software development system for untrusted
[10] E. Al-Masri, Y. Bai and J. Li, "A Fog-Based Digital Forensics environments”, IEEE 11th International Conference on Cloud
Investigation Framework for IoT Systems," IEEE International Computing, pp. 582–585, USA, 2018.
Conference on Smart Cloud (SmartCloud), USA, pp. 196-201, [31] M. M. Hossain, R. Hasan, and S. Zawoad, “Probe-IoT: A public
2018. digital ledger based forensic investigation framework for IoT,”
[11] P. Sharma, and J. Park,“Blockchain based hybrid network Proc. IEEE INFOCOM Workshop, pp. 1–2, USA, 2018.
architecture for the smart city”, Future Generation Computer [32] A. H. Lone, and R. N. Mir, “Forensic-chain: Ethereum blockchain
Systems, vol. 86, pp. 650-655, 2018. based digital forensics chain of custody”, Scientific and Practical
[12] S. Li, T. Qin, and G. Min, "Blockchain-based digital forensics Cyber Security Journal, vol. 1, no. 2, pp. 21–27, 2018.
investigation framework in the internet of things and social [33] A. Nieto, R. Roman, and J. Lopez, “Digital witness: Safeguarding
systems," IEEE Transactions on Computational Social Systems, vol. digital evidence by using secure architectures in personal devices,”
6, no. 6, pp. 1433-1441, Dec. 2019 IEEE Network, vol. 30, no. 6, pp. 34–41, 2016.
[13] D. Chang, M. Ghosh, S. Sanadhya, M. Singh, and R Douglas, [34] S. Kälber, A. Dewald, and F. Freiling. “Forensic application-
“FbHash: A New Similarity Hashing Scheme for Digital Forensics”, fingerprinting based on file system metadata”, 7th international
Digital Investigation , vol. 29, pp. S113-S123, 2019. conference on it security incident management and it forensics,
[14] T. M. Fernández-Caramés, and P. Fraga-Lamas, "A Review on the IEEE ,pp. 98-112, 2013.
use of blockchain for the internet of things," IEEE Access, vol. 6, [35] H. Atlam, A. Alenezi, M. Alassafi, A. Alshdadi, and G. Wills, “
pp. 32979-33001, 2018. Security, cybercrime and digital forensics for IoT. InPrinciples of
[15] S. Li, S. Zhao, P. Yang, P. Andriotis, L. Xu, and Q. Sun, internet of things (IoT) ecosystem: Insight paradigm”, Springer, pp.
“Distributed consensus algorithm for events detection in cyber- 551-577, 2020.
physical systems,” IEEE Internet Things, vol. 6, no. 2, pp. 2299– [36] N. Naik, P. Jenkins, N. Savage, L. Yang, T. Boongoen and N. Iam-
2308, Apr. 2019. On, "Fuzzy-Import Hashing: A Malware Analysis Approach,"
[16] M. Hossain, Y. Karim, and R. Hasan, “FIF-IoT: A forensic IEEE International Conference on Fuzzy Systems (FUZZ-IEEE),
investigation framework for IoT using a public digital ledger,” IEEE pp. 1-8, UK, 2020.
International Congress on Internet of Things, pp. 33–40, Jul. 2018. [37] K. Savage, P. Coogan, and H. Lau, “The evolution of ransomware
[17] M. M. Hossain, R. Hasan, and S. Zawoad, “Trust-IoV: A -Symantec,”, Technical Report, Symantec Security Response.
trustworthy forensic investigation framework for the Internet of Symantec Corporation, Mountain View, pp. 1–57, CA, 2015.
vehicles (IoV),” International Congress on Internet of Things, pp. [38] K. Jesse. “Identifying almost identical files using context triggered
25–32, USA, 2017. piecewise hashing”, Digital Investigation,Vol.3, pp.91-97, 2006.
[18] M. Chernyshev, S. Zeadally, Z. Baig, and A. Woodward, “Internet [39] G. Cornetta, A. Touhafi, M. Togou, and G.Muntean, “ Fabrication-as-
of things forensics: the need, process models, and open issues,” IT a-service: A Web-based solution for STEM education using Internet
Professional, vol. 20, no. 3, pp. 40–49, 2018. of Things”, IEEE Internet of Things Journal, Vol.7, Issue 2, pp.1519-
[19] D. Quick, and K. R. Choo, “Iot device forensics and data 1530, 2019.
reduction,” IEEE Access, vol. 6, pp. 47566–47574, 2018. [40] B. Cao, Y. Li, L. Zhang, S. Mumtaz, Z. Zhou, and M. Peng, “When
[20] L. Caviglione, S. Wendzel, and W. Mazurczyk, “The future of internet of things meets blockchain: challenges in distributed
digital forensics: Challenges and the road ahead,” IEEE Security consensus”, IEEE Network, vol. 33, issue 6, pp. 133-139, 2019.
[41] V. Thakor, M. Razzaque, and M. Khandaker, “Lightweight
Privacy, vol. 15, no. 6, pp. 12–17, 2017. cryptography algorithms for resource-constrained IoT devices: A
[21] M. Cebe, E. Erdin, K. Akkaya, H. Aksu, and S. Uluagac, review, comparison and research opportunities”, IEEE Access, vol. 9,
“Block4forensic: An integrated lightweight blockchain framework pp. 28177-28193, 2021.
for forensics applications of connected vehicles”, IEEE [42] U. Khalid, M. Asim, T. Baker, P. Hung, M. Tariq, and L. Rafferty, “A
Communications Magazine, vol.56, no.10 ,pp. 5-57,2018. decentralized lightweight blockchain-based authentication

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3126715, IEEE Access

mechanism for IoT systems”, Cluster Computing. Vol. 23, issue 3,

pp: 1-21, 2020.
[43] M. Khanafseh, M. Qatawneh, and W. Almobaideen. A survey of
various frameworks and solutions in all branches of digital forensics WAEL M. ABD ELMONEM received the
with a focus on cloud forensics”, International Journal of Advanced
Computer Science and Applications, Vol. 10, No. 8, pp. 610-629,
B.Sc. degree in Computer Science from the
2019. Higher Institute of Computer - Abbasiya,
[44] V. Kebande and I. Ray, “A generic digital forensic investigation Egypt in 1995. He is a Microsoft Certified
framework for internet of things (IoT)”, IEEE 4th International Trainer form 2008 to 2013. His research and
Conference on Future Internet of Things and Cloud, pp. 356–362 professional interests include image
2016. processing, optimization techniques, security
[45] L. Babun, A. Sikder, A. Acar, and A. Uluagac, “IOTDOTS: A digital technologies, database management,
forensics framework for smart environments”, arXiv preprintarXiv:
1809.00745, 2018.
machine learning, digital forensics, Web
[46] A. Nieto, R. Rios, and J. Lopez, “IoT-forensics meets privacy: towards technologies and robotics, He is working in
cooperative digital investigations”, Sensors, vol. 18, no. 2, 492, pp.1- the Higher Institute of Tourism, Hotels and
17, 2018. Computer - Al-Seyouf - Alexandria – Egypt as a lab teacher teaching
[47] T. Zia, P. Liu, and W. Han, “Application-specific digital forensics Networks, Java , Digital marketing, web applications .
investigative model in internet of things (IoT)”, Proceedings of the
12th International Conference on Availability, Reliability and Security.
ACM, pp.1-7, 2017.
[48] A. Nieto, R. Rios, and J. Lopez, “A methodology for privacy-aware IOT
forensics “, IEEE Trustcom/BigDataSE/ICESS. pp. 626–633, 2017.

SAAD M. DARWISH received the

B.Sc. degree in Statistics and Computer
Science from the Faculty of Science,
Alexandria University, Egypt in 1995.
He held the M.Sc. degree in information
technology from the Institute of
Graduate Studies and Research (IGSR),
Department of Information Technology,
University of Alexandria in 2002. He
received his Ph.D. degree from the
Alexandria University for a thesis in
image mining and image description
technologies. He is the author or
coauthor of 50+ papers publications in prestigious journals and top
international conferences and also received several citations. He has
served as a Reviewer for several international journals and conferences.
He has supervised around 60 M.sc and Ph.D. students. His research and
professional interests include image processing, optimization
techniques, security technologies, database management, machine
learning, biometrics, digital forensics, and bioinformatics. Since June
2017, he has been a Professor in the department of information
technology, IGSR.

MAHMOUD FAROUK received the B.Sc.,

M.Sc., and PhD degrees from Military
Technical College (M.T.C) Cairo, Egypt in
1995 and 2001 and Faculty of Engineering,
Alexandria University in 2006 respectively.
He was an academic staff with M.T.C,
Computer Department from 1997 to 2001.
He served as the Computer Specialist and
Computer Educational Assistant of Egypt
Armed Forces from 1995 to 2013 and as a
teacher in King Marriott Academy
Alexandria “High Institute for Computer”
during 2014 to 2020. He is currently Head of Management Information
System department at Agami Higher Institute of Administrative
Sciences. He is the author or co-author for more than twenty one
national and international papers and also collaborated in several
research projects.

VOLUME XX, 2017

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/