Dataset Protocol and Evidence Preservation for Detecting Cyber Incident Screenshot Manipulation: Data Structure, Tamper Recipes, and Chain of Custody
Keywords:
Digital Forensics, Screenshot Evidence, Passive Image Forensics, SHA-256, Dataset Protocol, Evidence Preservation
Abstract
Screenshots are widely used in cybersecurity and digital forensics as preliminary evidence of incidents such as phishing pages, website defacement, and SIEM/IDS dashboard captures; however, their ease of manipulation through overlay, cropping, splicing, copy-move, and recompression undermines evidentiary reliability and complicates investigation triage. This study aims to design a standardized dataset protocol for cyber incident screenshots that strengthens digital evidence preservation and supports reproducible analysis workflows. The proposed protocol defines acquisition documentation, SHA-256 hashing, and chain-of-custody recording, alongside a structured folder hierarchy, evidence naming conventions, labeling schemes for binary and multi-class classification tasks, acquisition metadata, documented manipulation procedures via a tamper_recipe, and case_id-based data splitting to prevent leakage of derived manipulations across dataset partitions. As an implementation reference for triage modules, a lightweight analytical framework using GLCM texture features and classical classifiers is specified to demonstrate practical integration without positioning the work as a performance benchmark. The resulting outputs include a comprehensive, auditable protocol specification, standardized metadata and labeling templates, and a reproducible data management workflow tailored for cyber incident screenshots. The study concludes that formalizing acquisition, provenance, and splitting practices improves evidentiary integrity, reduces contamination risk across data partitions, and enhances the utility of screenshots for early-stage forensic triage while remaining compatible with resource-constrained operational settings.
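The SHA-256 manifest and the case_id-based split named in the abstract, sketched as an added example (not the authors' code): each record keeps its acquisition hash, and the partition is derived from case_id alone so an original and its derived manipulations cannot end up in different partitions. Apart from `case_id` and `tamper_recipe`, the field names, label values, recipe keys, split percentages and sample byte strings are assumptions constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_record(case_id, name, data, label, tamper_recipe=None):
    """Manifest entry; the hash is fixed when the evidence is acquired."""
    return {"case_id": case_id, "name": name, "sha256": sha256_hex(data),
            "label": label, "tamper_recipe": tamper_recipe}

def assign_split(case_id, test_pct=20, val_pct=20):
    """Partition depends only on case_id, never on the individual file."""
    digest = hashlib.sha256(case_id.encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100
    if bucket < test_pct:
        return "test"
    return "val" if bucket < test_pct + val_pct else "train"

def split_manifest(records):
    splits = {"train": [], "val": [], "test": []}
    for rec in records:
        splits[assign_split(rec["case_id"])].append(rec)
    return splits

def leaked_cases(splits):
    """case_ids present in more than one partition (expected: none)."""
    seen = {}
    for part, recs in splits.items():
        for rec in recs:
            seen.setdefault(rec["case_id"], set()).add(part)
    return sorted(c for c, parts in seen.items() if len(parts) > 1)

def verify(record, data):
    """Re-hash the bytes in hand and compare with the manifest value."""
    return sha256_hex(data) == record["sha256"]

def build_sample():
    """Constructed sample: byte strings stand in for screenshot files."""
    records, blobs = [], {}
    for i in range(1, 7):
        case = f"CASE-{i:04d}"
        orig = f"original pixels of {case}".encode()
        recipe = {"operation": "overlay", "source_sha256": sha256_hex(orig)}
        items = ((f"{case}_orig.png", orig, "authentic", None),
                 (f"{case}_t01.png", orig + b" + overlay", "tampered", recipe))
        for name, data, label, rcp in items:
            records.append(make_record(case, name, data, label, rcp))
            blobs[name] = data
    return records, blobs
```

Recording the source hash inside the recipe ties every tampered item back to the exact original it was derived from, which is what lets an auditor replay the manipulation.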