Data Provenance describes what has happened to a users data within a ma- chine as a form of digital evidence. However this type of evidence is currently not admissible in courts of law, because the integrity of data provenance can- not be guaranteed. Tools which capture data provenance must either prevent, or be able to detect changes to the information they produce, i.e. tamper-proof or tamper-evident.
Most current tools aim to be tamper-evident, and capture data provenance at a kernel level or higher. However, these tools do not provide a secure mechanism for transferring data provenance to a centralised location, while providing data integrity and confidentiality.
In this thesis we propose a tamper-evident framework to fill this gap by using a widely-available hardware security chip: the Trusted Platform Module (TPM). We apply our framework to Progger, a cloud-based provenance logger, and demonstrate the completeness, confidentiality and admissibility require- ments for data provenance, enabling the information to be used as digital evidence in courts of law
