Residual forensic indicators of file exfiltration in Windows Preinstallation Environment
Pub Date: 2026-01-28  DOI: 10.1016/j.fsidi.2026.302068
Jingue Lee, Jiyun Kim, Doowon Jeong
Forensic Science International: Digital Investigation, vol. 56, Article 302068
File exfiltration conducted through bypass boot environments, such as the Windows Preinstallation Environment (Windows PE), poses a serious challenge to forensic investigations. Because endpoint security agents and logging mechanisms remain inactive, conventional artifacts of file access are absent. This study investigates the feasibility of using the NTFS $STANDARD_INFORMATION Accessed Time ($SI Atime) as a residual forensic indicator for detecting exfiltration events in Windows PE. Through controlled experiments, we analyze $SI Atime updates during file copy operations, examine their persistence under varying system conditions, and evaluate their evidentiary reliability over time. Our findings show that $SI Atime can reveal PE-based file access patterns in over two-thirds of cases, though reliability diminishes with prolonged use. To enhance robustness, we integrate Atime analysis with complementary artifacts, such as UEFI NVAR variables indicating abnormal boot order changes. This combined approach enables the reconstruction of exfiltration timelines even in the absence of logs or telemetry. The results highlight the potential of $SI Atime as a valuable residual artifact for detecting file exfiltration in bypass boot environments, offering investigators a methodological basis for addressing scenarios where traditional forensic sources are unavailable.
Forensic analysis of the infotainment system of BMW vehicles
Pub Date: 2026-01-24  DOI: 10.1016/j.fsidi.2026.302066
Ricardo Marques, Patricio Domingues, Miguel Frade, Miguel Negrão
Forensic Science International: Digital Investigation, vol. 56, Article 302066
The automotive industry is undergoing a significant transformation driven by digitization. Modern cars are transitioning to digital and are now sophisticated computers on wheels. This digital revolution is driven by the integration of various computerized systems. One of the most noticeable systems, at least for drivers and occupants, is the In-Vehicle Infotainment (IVI) system. This system offers features such as radio, music playback and streaming, navigation, hands-free calling, and, in some cases, smartphone and internet connectivity. Data generated from user interactions with the vehicle information system can be valuable for digital forensics, providing artifacts such as call logs, contacts, GPS location history, and diagnostic data. However, acquiring and analyzing these data is challenging, as there are no universal standards for IVI systems. In this paper, we study the infotainment systems of four BMW vehicles from a digital forensic perspective. Specifically, we focus on two Computer-in-Car (CIC) BMW 3 Series systems, one from 2010 and another from 2012. We also analyze the Next Big Thing Evolution (NBT EVO) systems of two 2017 BMWs, a 5 Series and a 7 Series. For this purpose, data from the infotainment hard disks were acquired and forensically analyzed. To overcome the lack of specific open-source tools to process these datasets, we developed two modules for the well-known Autopsy forensic software. The most relevant data recovered from the hard disks of the analyzed infotainment systems include phone call history, text messages, and linked smartphone IDs, such as Bluetooth addresses, International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI). The results indicate that the newer NBT EVO systems have more forensically meaningful data than the older CIC ones.
Forensic readiness for autonomous mobility: The forensic incident recorder and information system concept
Pub Date: 2026-01-19  DOI: 10.1016/j.fsidi.2026.302044
Klara Dološ, Tobias Reichel, Mathias Gerstner, Leo Schiller, Liron Ahmeti, Andreas Attenberger, Victor Bialek, Rudolf Hackenberg, Conrad Meyer, Michael Nicks, Dennis Röck, Mirko Ross, Gerhard Steininger, Hugues Tamatcho Sontia, Svenja Wendler
Forensic Science International: Digital Investigation, vol. 56, Article 302044
This paper outlines the essential needs for a forensic incident recorder (FIR) in autonomous vehicles, emphasizing its role in providing comprehensive data for post-incident analysis. The FIR must capture data from various vehicle systems, including onboard sensors, AI decision-making processes, internal diagnostics, V2X communications and cloud-based services, ensuring transparency and accountability. To ensure data integrity, the system must include encryption, tamper detection and redundancy. Furthermore, we introduce the concept of a forensic information system (FIS), an integrated solution for data storage, relevance determination and secure access, incorporating local and cloud-based storage. Triggers for permanent data storage and data upload to the cloud are suggested. Ultimately, the paper aims to highlight the need for comprehensive strategic and operational preparation for forensic investigations in the environment of autonomous, connected mobility.
Large language models in digital forensics: capabilities, challenges and future directions
Pub Date: 2026-01-08  DOI: 10.1016/j.fsidi.2025.302043
Maxim Chernyshev, Zubair Baig, Naeem Syed, Robin Doss, Malcolm Shore
Forensic Science International: Digital Investigation, vol. 56, Article 302043
The rapid advancement of large language models (LLMs) has simultaneously created opportunities and challenges for digital forensic science. This survey systematically examines the emerging intersection between generative artificial intelligence and digital forensics through our analysis of 33 peer-reviewed works. We map LLM capabilities across the established Digital Forensic Research Workshop (DFRWS) process model, identifying three strategic integration points where these technologies demonstrate measurable benefits: pattern recognition during the examination phase, evidence analysis during the analysis phase, and evidence presentation and reporting during the presentation phase. Our findings show that LLMs achieve substantial performance improvements across diverse forensic tasks, but critical challenges persist, including the fundamental tension between the probabilistic nature of LLM outputs and deterministic forensic requirements, alongside concerns regarding explainability, reproducibility, and legal admissibility. We identify significant research gaps in validation frameworks, forensic-ready architectures, and standardised evaluation protocols. The survey establishes a comprehensive research agenda spanning technical, methodological, and legal domains, emphasising the necessity for interdisciplinary collaboration and human-AI collaborative approaches to preserve forensic integrity when leveraging LLM capabilities.
Mapping the Tor darkmarket ecosystem: A network analysis of topics, communication channels, and languages
Pub Date: 2025-12-06  DOI: 10.1016/j.fsidi.2025.302032
Luis de-Marcos, Adrián Domínguez-Díaz, Zlatko Stapic
Forensic Science International: Digital Investigation, vol. 56, Article 302032
The Tor darkmarket ecosystem, a hidden segment of the internet hosting a range of illicit activities, remains a critical challenge for cybersecurity and law enforcement. This study employs network analysis to explore the structure, connectivity, and vulnerabilities of Tor hidden services, focusing on the interplay of topics, communication channels, and languages. Using a bipartite network framework, we analyzed 82,285 onion services and 57,071 identification forms (IDs) collected over a 20-week period. Our findings reveal hacking as the dominant topic (57,233 services), followed by finance-crypto (17,900 services), with email (43,298 IDs) and Telegram (11,218 IDs) serving as primary communication channels. Linguistically, Russian prevails in hacking (50,852 services), while English dominates other topics (29,762 services), with Portuguese activity notable in Q&A forums (781 services). Network metrics and visualizations highlight structural contrasts: hacking's expansive, collaborative structure (high diameter, long average path length) contrasts with finance-crypto's compact, centralized network (high density, low path length), reliant on just four IDs to link its services. High-degree nodes underscore vulnerabilities to targeted disruptions. The overall network's fragmentation (1,848 components) alongside a large dominant component (76.72%) suggests both resilience and exploitable interconnectedness. These insights provide a comprehensive understanding of the Tor darkmarket's organization, identifying key leverage points for intervention. By bridging gaps in topical, linguistic, and structural analyses, this study offers actionable strategies for law enforcement to investigate and mitigate illicit activities on the Dark Web, demonstrating the power of network science in addressing cybercrime.
Editorial – Introducing the last Volume of 2025
Pub Date: 2025-12-01  DOI: 10.1016/j.fsidi.2025.302033
Kim-Kwang Raymond Choo (Senior Editor)
Forensic Science International: Digital Investigation, vol. 55, Article 302033
(No abstract available.)
A comprehensive analysis and evaluation of SQLite deleted record recovery techniques: A survey
Pub Date: 2025-11-22  DOI: 10.1016/j.fsidi.2025.302031
Seonghyeon Lee, Sooyoung Park, Insoo Lee, Jongmoo Choi
Forensic Science International: Digital Investigation, vol. 55, Article 302031
SQLite is a lightweight, file-based relational database that is widely deployed on mobile and IoT devices to store diverse data. Due to its widespread use, SQLite has become an important subject of interest in digital forensics. In particular, SQLite exhibits structural characteristics that allow deleted data to persist temporarily within the database, specifically through internal components such as the freelist and Write-Ahead Log (WAL). As a result, deleted content often remains recoverable even after deletion requests, making SQLite a valuable source of forensic artifacts. These characteristics have motivated the development of various techniques and tools for recovering deleted records from SQLite. However, comparative evaluations of the strengths, limitations, and performance of each approach based on consistent criteria remain relatively scarce. To address this gap, this study systematically categorizes existing deleted record recovery techniques into three types, namely Metadata-based, Carving-based, and WAL-based, and compares their trade-offs. In addition, we select representative open-source SQLite recovery tools, such as Undark, SQLite Deleted Record Parser, Bring2Lite, and FQLite, and quantitatively measure their recovery performance, reliability, and throughput based on various deletion scenarios. We also present a detailed analysis of incorrect recoveries (false positives) caused by structural changes in the database. These findings can provide practical guidelines for selecting the most suitable SQLite recovery method depending on the context, and can contribute to the development of more effective recovery techniques and tools in the future.
Uncovering digital traces of DeepSeek: Cross-platform mobile and network forensics
Pub Date: 2025-11-18  DOI: 10.1016/j.fsidi.2025.302028
Yufeng Gong, Sonali Tyagi, Vaishnavi Mahindra, Umit Karabiyik
Forensic Science International: Digital Investigation, vol. 55, Article 302028
As an application focusing on generative artificial intelligence, the open-source LLM DeepSeek has been widely adopted by many research institutions and international companies around the world. More than 60 million daily active users have been reported on DeepSeek by QuestMobile. Given the rapid growth in the population of DeepSeek users and the fact that mobile devices gradually function as centers for users to interact with AI chatbots, it is essential to conduct thorough mobile forensics along with network forensics on the DeepSeek mobile app to discover potential evidence stored in both Android and iOS devices and provide valuable insight into its potential vulnerabilities. However, given the app's recent introduction, there is currently a lack of systematic forensic research that investigates its potentially valuable artifacts, data persistence mechanisms, and network communication patterns across platforms. This research focused on user data and application usage, such as log files, metadata, and other critical traces, which revealed insights into its operational behavior in different versions of DeepSeek and the data sent over the network. Our analysis can help forensic researchers and investigators fully utilize the forensic value of DeepSeek on mobile devices to have a clear view of what can be recovered and obtained.
Pub Date : 2025-11-12DOI: 10.1016/j.fsidi.2025.302030
Maryna Veksler , Kemal Akkaya , Selcuk Uluagac
The impact of AI has not bypassed the field of digital forensics. However, despite the emergence of AI-based digital forensic methods and tools, their widespread adoption remains limited due to ethical, legal, and practical concerns. While existing research has proposed various solutions to support AI integration in digital forensics, many reiterate challenges already present in traditional digital forensics, focusing heavily on explainable AI, and often overlooking real-world feasibility. Thus, this study investigates the practical challenges affecting the adoption of AI in digital forensics by directly engaging with practitioners.
To this end, we conducted a survey and interview study involving 28 digital forensic experts to explore their experiences with AI-based tools, their perceptions of AI in digital forensics, and the practical challenges they encounter. Our findings highlight key concerns related to validation, transparency, and the explanation and presentation of AI-generated evidence in court. We also find that practical challenges are often broader than those discussed in theory, warranting deeper, practice-oriented analysis and perspectives.
Based on these findings, we propose a practitioner-focused framework to support stakeholders, including forensic professionals, developers, law enforcement, regulators, and researchers, in fostering standardized, responsible, and effective adoption of AI-based digital forensics. Rather than replacing existing procedures, our framework builds on traditional digital forensic processes, extending them to address AI-specific requirements. Finally, as part of this proposed framework, we provide practical recommendations for the development and deployment of AI-based digital forensic tools that are better aligned with real-world investigative needs.
Title: Practitioner-driven framework for AI adoption in digital forensics. Forensic Science International: Digital Investigation, Volume 55, Article 302030.
Pub Date : 2025-11-11DOI: 10.1016/j.fsidi.2025.302029
Jisu Park , Jincheol Park , Hyunjun Kim , Soojin Kang , Jongsung Kim
Google provides a diverse suite of applications (e.g., Gmail, Google Drive, Google Maps, and Google Docs Editor), which are interconnected to enhance user convenience. This study comparatively analyzes the artifacts generated by 25 Google applications on the Android and iOS platforms. We start by describing an artifact acquisition method and the utility of the artifacts in digital forensic investigations. Based on these investigations, we identify the differences between the two platforms in their data storage patterns and demonstrate that the integrated analysis of both platforms provides a more comprehensive set of artifacts than single-platform analysis. Subsequently, we analyze the synchronization among Google applications. We demonstrate how the various applications share and synchronize data, and present methods for exploiting the interactions among the corresponding artifacts. Using the results of this analysis, we develop a tool for effectively tracing and analyzing the collected artifacts. By comparing the artifact acquisition rates of Android and iOS, we highlight the distinct data provided by each platform. Compared with existing methods, our integrated approach is expected to provide richer and more accurate digital evidence.
Title: A comprehensive artifact analysis of Google applications on Android and iOS platforms. Forensic Science International: Digital Investigation, Volume 55, Article 302029.