Pub Date: 2025-02-03 DOI: 10.1016/j.fsidi.2024.301859
Akila Wickramasekara, Frank Breitinger, Mark Scanlon
The ever-increasing workload of digital forensic labs raises concerns about law enforcement's ability to conduct both cyber-related and non-cyber-related investigations promptly. Consequently, this article explores the potential and usefulness of integrating Large Language Models (LLMs) into digital forensic investigations to address challenges such as bias, explainability, censorship, resource-intensive infrastructure, and ethical and legal considerations. A comprehensive literature review is carried out, encompassing existing digital forensic models, tools, LLMs, deep learning techniques, and the use of LLMs in investigations. The review identifies current challenges within existing digital forensic processes and explores both the obstacles and the possibilities of incorporating LLMs. In conclusion, the study states that the adoption of LLMs in digital forensics, with appropriate constraints, has the potential to improve investigation efficiency, improve traceability, and alleviate the technical and judicial barriers faced by law enforcement entities.
Published as: "Exploring the potential of large language models for improving digital forensic investigation efficiency". Forensic Science International-Digital Investigation, vol. 52, Article 301859.
Pub Date: 2025-01-29 DOI: 10.1016/j.fsidi.2025.301882
Thomas Göbel, Frank Breitinger, Harald Baier
Data sets (samples) are important for research, training, and tool development. While the FAIR principles, data repositories and archives like Zenodo and NIST's Computer Forensic Reference Data Sets (CFReDS) enhance the accessibility and reusability of data sets, standardised practices for crafting and describing these data sets require further attention. This paper analyses the existing literature to identify the key data set (generation) characteristics, issues, desirable attributes, and use cases. Although our findings are generally applicable, i.e., to the cybersecurity domain, our special focus is on the digital forensics domain. We define principles and properties for cybersecurity-relevant data sets and their implications for the data creation process to maximise their quality, utility and applicability, taking into account specific data set use cases and data origin. We aim to guide data set creators in enhancing their data sets' value for the cybersecurity and digital forensics field.
Published as: "Optimising data set creation in the cybersecurity landscape with a special focus on digital forensics: Principles, characteristics, and use cases". Forensic Science International-Digital Investigation, vol. 52, Article 301882.
Pub Date: 2025-01-16 DOI: 10.1016/j.fsidi.2025.301862
Norah Ahmed Almubairik, Fakhri Alam Khan, Rami Mustafa Mohammad, Mubarak Alshahrani
Wrist devices have revolutionized our interaction with technology, monitoring various aspects of our activities and making them valuable in digital forensic investigations. Previous research has explored specific wrist device operating systems, often concentrating on devices from particular manufacturers. However, the broader market of wrist-worn devices, which includes a wide range of manufacturers, remains less explored. This oversight presents challenges in retrieving and analyzing data from wrist devices with different operating systems. Additionally, there has been limited exploration of utilizing health data from wrist devices in digital investigations. To address these gaps, this study presents a framework called “WristSense,” which systematically extracts health-related data from heterogeneous sources of wrist devices. The framework has been evaluated through case studies involving Huawei, Amazfit, Xiaomi, and Samsung wrist devices. The WristSense ensures compatibility with devices from different vendors and analyzes health data such as sleep patterns, heart rate, blood oxygen saturation, activities, and stress levels. The research uncovers potential circumstantial evidence applicable to law enforcement and introduces a wrist-wear device artifact catalog, which also serves as a taxonomy, enabling practitioners to codify and leverage their forensic collective knowledge. The findings demonstrate the effectiveness of the WristSense framework in extracting and analyzing data from various vendors, providing valuable insights for forensic investigations. However, challenges such as encryption mechanisms on certain devices present areas that require further investigation. This research provides a comprehensive overview of suspect or victim health data, empowering digital forensic investigators to reconstruct detailed timelines and gather crucial evidence in criminal investigations involving wrist devices.
Published as: "WristSense framework: Exploring the forensic potential of wrist-wear devices through case studies". Forensic Science International-Digital Investigation, vol. 52, Article 301862.
Pub Date: 2025-01-16 DOI: 10.1016/j.fsidi.2025.301881
Daniel Bing Andersen, Nina Sunde, Kyle Porter
Pattern of life analysis has gained ground in the digital forensics field due to the widespread use of smart devices and systems. At the core of pattern of life analysis are the activity-level traces. These traces require expertise to draw valid inferences regarding coherent narratives of criminal events. Such complex tasks also increase the risks of bias and error. The contextual biases have been examined in a digital forensic context, however, the flaws and misinterpretations related to the interplay between the practitioner and the presented data from various software have not been examined through research.
This study advances this knowledge by examining the flaws or misinterpretations that may occur during such interactions in digital forensic casework. Our experiment conducted a mock murder scenario where pattern of life analysis is necessary to answer investigative questions. Six digital forensics investigators used two different pattern of life analysis tools, Cellebrite and APOLLO, to analyze the data extracted from the victim's iPhone and answer nine core investigative questions. We then evaluated their answers and identified any mistakes, wherein we further explored any errors that were likely caused by data misinterpretation. Both the output from Cellebrite and APOLLO enabled investigative errors due to poor naming conventions, but Cellebrite's lack of context and details of traces contributed to the largest amount of the investigators' errors. Further, the study examines how biases/misinterpretations may possibly be mitigated by combinations of traditional quality measures in digital forensics, such as the dual tool approach and peer review.
Published as: "Tool induced biases? Misleading data presentation as a biasing source in digital forensic analysis". Forensic Science International-Digital Investigation, vol. 52, Article 301881.
Pub Date: 2025-01-15 DOI: 10.1016/j.fsidi.2025.301880
Johnny Bengtsson
Sensor and actuator event log analyses within the context of digital forensics are crucial for understanding events in automated buildings, such as in a building automation and control system (BACS) or a home automation system (HAS). Conclusions drawn from erroneous, misleading, or corrupted log data may adversely affect crime scene investigations and reconstructions. This work aims to raise awareness of the potential risk of misinterpretation due to corrupted or tampered data from BACS or HAS event log systems.
A series of non-invasive sensor and actuator attacks on such systems was designed and conducted to determine the feasibility of: 1) injecting spoofed pyroelectric infrared (PIR) and carbon dioxide (CO2) sensor event log records, 2) becoming invisible to PIR sensor and CO2 sensors, and 3) mimicking the behaviour of an actuator with the aim of injecting spoofed event log records. The study also concludes that sensor fusion can reveal activities that were concealed from CO2 sensors. Furthermore, this work discusses the adversarial perspectives in the cyber-physical (CPS) domain in relation to these findings.
Published as: "The ghost in the building: Non-invasive spoofing and covert attacks on automated buildings". Forensic Science International-Digital Investigation, vol. 52, Article 301880.
Pub Date: 2025-01-08 DOI: 10.1016/j.fsidi.2024.301861
Giyoon Kim, Uk Hur, Soojin Kang, Jongsung Kim
WhatsApp is a global secure instant messenger with approximately two billion users. Secure instant messengers use various cryptographic techniques to ensure secure communication. WhatsApp utilizes end-to-end encryption, so even the server owner cannot view internal data. Although this provides strong privacy protection, it can act as a barrier to data collection during digital forensics investigations. We analyze in detail the Web and Universal Windows Platform (UWP) versions of WhatsApp to overcome the collection obstacles that hinder digital forensic investigations. Our analysis showed that for the Web version of WhatsApp, most of the elements needed to decrypt messages are stored in the browser's storage, except for Salt, which is exchanged through communication with the server. We propose a method to obtain Salt by revealing the communication process and the data exchanged, based on which we successfully decrypt the message. For the UWP version of WhatsApp, the database where messages are stored is protected using the identifier value of the application. The identifier value, a unique value assigned to the UWP application, cannot be accessed outside the application. Following a detailed analysis of the UWP API, we developed a method for reproducing the identifier value without calling the API. We also propose a way to decrypt encrypted messages of the UWP version of WhatsApp. Our findings provide a practical solution for forensic investigators analyzing encrypted WhatsApp messages and also provide insights that can be extended to other secure instant messengers.
Published as: "Analyzing the Web and UWP versions of WhatsApp for digital forensics". Forensic Science International-Digital Investigation, vol. 52, Article 301861.
Pub Date: 2024-12-27 DOI: 10.1016/j.fsidi.2024.301860
Akarshan Suryal
This article has been retracted: please see Elsevier Policy on Article Withdrawal (https://www.elsevier.com/about/policies/article-withdrawal).
This article has been retracted following an allegation that raises concerns this article may have been generated by Generative AI.
The author of the article has been given opportunity to present evidence that he was the original and genuine creator of the work, however at the time of publication of this notice, the journal has not received any response. The Editors-in-Chief, with support from Elsevier's Research Integrity & Publishing Ethics team, have analysed the article and agree there are enough indicators to cause serious doubts over the authenticity and originality of the work and agree this article should be retracted.
Published as: "Retraction notice to “Leveraging metadata in social media forensic investigations: Unravelling digital clues- A survey study” [Forensic Sci. Int.: Digit. Invest. 50 (2024) 301798]". Forensic Science International-Digital Investigation, vol. 52, Article 301860.
Pub Date: 2024-12-17 DOI: 10.1016/j.fsidi.2024.301855
Kyungsuk Cho, Yunji Park, Jiyun Kim, Byeongjun Kim, Doowon Jeong
Recent advances in conversational AI services have attracted interest from both specialized technical communities and the general public. Major IT companies such as OpenAI, Microsoft, and Google are actively developing and enhancing conversational AI technologies. The widespread public interest and usage of these services are rapidly increasing due to their interactive chat interfaces, which are easily accessible to anyone with basic digital literacy. However, with the growing utilization of these services, there is a risk that some users may exploit them for malicious purposes, such as technology leaks, phishing, and malware creation. This paper proposes a method for forensically investigating conversational AI services. It examines the characteristics of these services across various environments from the perspective of a digital forensic investigator and outlines a method for collecting forensic artifacts. Based on the analysis, we present a forensic investigation framework for conversational AI services, including case studies of representative services such as ChatGPT, Copilot, Gemini, and Claude.
Published as: "Conversational AI forensics: A case study on ChatGPT, Gemini, Copilot, and Claude". Forensic Science International-Digital Investigation, vol. 52, Article 301855.
Pub Date: 2024-12-17 DOI: 10.1016/j.fsidi.2024.301858
Samantha Klier, Harald Baier
Source Camera Identification (SCI) is vital in digital forensics, yet its most prominent approach, Sensor Pattern Noise (SPN), faces new challenges in the era of modern devices and vast media datasets. This paper introduces the Source Camera Target Model (SCTM) to classify SCI approaches and formally defines three core problem classes: Verification, Identification, and Exploration. For each, we outline key evaluation metrics tailored to practical use cases. Applying this framework, we critically assess recognized SCI methods and their alignment with contemporary needs. Our findings expose significant gaps in scalability, efficiency, and relevance to modern imaging pipelines, challenging the notion of SPN as a gold standard. Finally, we provide a roadmap for advancing SCI research to address these limitations and adapt to evolving technological landscapes.
Published as: "Source Camera Identification - Do we have a gold standard?". Forensic Science International-Digital Investigation, vol. 52, Article 301858.
Pub Date: 2024-12-12 DOI: 10.1016/j.fsidi.2024.301846
Jian Xi, Melanie Siegel, Dirk Labudde, Michael Spranger
In recent years, mobile devices have become the dominant communication medium in our daily lives. This trend is also evident in the planning, arranging, and committing of criminal activities, particularly in organized crime. Accordingly, mobile devices have become an essential source of evidence for data analysts or investigators, especially in Law Enforcement Agencies (LEAs). However, communication via mobile devices generates vast amounts of data, rendering manual analysis impractical and resulting in growing backlogs of evidence awaiting analysis process, which can take months to years, thereby hindering investigations and trials. The automatic analysis of textual chat messages falls short because communication is not limited to the single modality, such as text, but instead spans multiple modalities, including voice messages, pictures, videos, and sometimes various messengers (channels). These modalities frequently overlap or interchange within the same communication, further complicating the analysis process. To achieve a correct and comprehensive understanding of such communication, it is essential to consider all modalities and channels through a consistent joint semantic analysis. This paper introduces a novel mobile forensics approach that enables efficient assessment of mobile data without losing semantic consistency by unifying semantic concepts across different modalities and channels. Additionally, a knowledge-guided topic modeling approach is proposed, integrating expertise into the investigation process to effectively examine large volumes of noisy mobile data. In this way, investigators can quickly identify evidentiary parts of the communication and completely facilitate reconstructing the course of events.
Title: Towards a joint semantic analysis in mobile forensics environments
Forensic Science International-Digital Investigation, Volume 52, Article 301846.