Pub Date : 2024-11-17DOI: 10.1016/j.fsidi.2024.301843
Graeme Horsman
The decision as to whether a given tool can be used for the purposes of conducting a digital forensic examination of a device and its data may seem straightforward, but it is not. As part of their work, practitioners must always seek to identify and use tools that are appropriate for their investigative tasks, deploy them reliably within an applicable scenario, and be able to trust and understand the results that they provide. Before they can begin to do this, they must first ask themselves the question - ‘can I use that tool?‘, where this work considers how a practitioner may begin to formulate an answer. By unpacking the hidden complexity of this question, it is suggested that five sub-questions must be explored by any practitioner when seeking to use a tool, namely - (1) ‘what does that tool do?‘; (2) ‘how do I use that tool?‘; (3) ‘how does the tool do it?‘; (4) ‘does the tool do it properly?’ and (5) ‘should I use the tool?‘. This work discusses each in turn and the risks they pose to a practitioner.
{"title":"Commentary:- Can I use that tool?","authors":"Graeme Horsman","doi":"10.1016/j.fsidi.2024.301843","DOIUrl":"10.1016/j.fsidi.2024.301843","url":null,"abstract":"<div><div>The decision as to whether a given tool can be used for the purposes of conducting a digital forensic examination of a device and its data may seem straightforward, but it is not. As part of their work, practitioners must always seek to identify and use tools that are appropriate for their investigative tasks, deploy them reliably within an applicable scenario, and be able to trust and understand the results that they provide. Before they can begin to do this, they must first ask themselves the question - ‘<em>can I use that tool?</em>‘, where this work considers how a practitioner may begin to formulate an answer. By unpacking the hidden complexity of this question, it is suggested that five sub-questions must be explored by any practitioner when seeking to use a tool, namely - (1) ‘<em>what does that tool do?</em>‘; (2) ‘<em>how do I use that tool?</em>‘; (3) ‘<em>how does the tool do it?</em>‘; (4) ‘<em>does the tool do it properly?</em>’ and (5) ‘<em>should I use the tool?</em>‘. This work discusses each in turn and the risks they pose to a practitioner.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"51 ","pages":"Article 301843"},"PeriodicalIF":2.0,"publicationDate":"2024-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142661146","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-30DOI: 10.1016/j.fsidi.2024.301842
Michael C. Todd, Gilbert L. Peterson
Digital forensics is a complex field that requires expert knowledge (EK) and specialized tools to collect, analyze, and report on digital evidence. Temporal metadata analysis is particularly challenging, requiring expert knowledge to understand and interpret underlying traces and associate them with their source. This paper introduces Digital Trace Inspector (DTI), a Learning Classifier System (LCS)-based decision support tool for temporal metadata analysis. DTI leverages a binary Michigan-style LCS to locate and group corroborating temporal digital traces of targeted user activity. Rules are built from expert-created atomics encoded as feature vectors using patterns defined in a structured EK rule framework. The system is evaluated on 10 scenarios of typical user behavior on a Windows 10 workstation. Results show that all models achieved perfect recall, had an average F1 score of 0.98, and required little training data.
数字取证是一个复杂的领域,需要专家知识(EK)和专业工具来收集、分析和报告数字证据。时间元数据分析尤其具有挑战性,需要专家知识来理解和解释底层痕迹,并将它们与来源联系起来。本文介绍了数字痕迹检查器(DTI),这是一种基于学习分类系统(LCS)的决策支持工具,用于时态元数据分析。DTI 利用二进制密歇根式 LCS 来定位和分组目标用户活动的时间数字痕迹。规则由专家创建,并使用结构化 EK 规则框架中定义的模式编码为特征向量。该系统在 Windows 10 工作站上的 10 个典型用户行为场景中进行了评估。结果表明,所有模型都达到了完美的召回率,平均 F1 得分为 0.98,并且几乎不需要训练数据。
{"title":"Temporal metadata analysis: A learning classifier system approach","authors":"Michael C. Todd, Gilbert L. Peterson","doi":"10.1016/j.fsidi.2024.301842","DOIUrl":"10.1016/j.fsidi.2024.301842","url":null,"abstract":"<div><div>Digital forensics is a complex field that requires expert knowledge (EK) and specialized tools to collect, analyze, and report on digital evidence. Temporal metadata analysis is particularly challenging, requiring expert knowledge to understand and interpret underlying traces and associate them with their source. This paper introduces Digital Trace Inspector (DTI), a Learning Classifier System (LCS)-based decision support tool for temporal metadata analysis. DTI leverages a binary Michigan-style LCS to locate and group corroborating temporal digital traces of targeted user activity. Rules are built from expert-created atomics encoded as feature vectors using patterns defined in a structured EK rule framework. The system is evaluated on 10 scenarios of typical user behavior on a Windows 10 workstation. Results show that all models achieved perfect recall, had an average F1 score of 0.98, and required little training data.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"51 ","pages":"Article 301842"},"PeriodicalIF":2.0,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142539540","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-16DOI: 10.1016/j.fsidi.2024.301841
Cléo Berger, Benoît Meylan, Thomas R. Souvignet
Location traces are highly informative because of their potential to infer physical activity or presence. Their prevalence has increased largely due to the rise of digital devices, their encompassed location-based services and other positioning technologies (Raubal et al., 2004). However, there is little research that explores and supports their exploitation, which hampers the confidence that can be placed in it. Location traces are indeed subject to uncertainty and errors, notably in their production and exploitation processes. This article aims to shed some light on the uncertainty and errors associated with smartphone location traces and calls for research to be developed on that topic. Several empirical examples are developed throughout the article to better illustrate these issues.
{"title":"Uncertainty and error in location traces","authors":"Cléo Berger, Benoît Meylan, Thomas R. Souvignet","doi":"10.1016/j.fsidi.2024.301841","DOIUrl":"10.1016/j.fsidi.2024.301841","url":null,"abstract":"<div><div>Location traces are highly informative because of their potential to infer physical activity or presence. Their prevalence has increased largely due to the rise of digital devices, their encompassed location-based services and other positioning technologies (<span><span>Raubal et al., 2004</span></span>). However, there is little research that explores and supports their exploitation, which hampers the confidence that can be placed in it. Location traces are indeed subject to uncertainty and errors, notably in their production and exploitation processes. This article aims to shed some light on the uncertainty and errors associated with smartphone location traces and calls for research to be developed on that topic. Several empirical examples are developed throughout the article to better illustrate these issues.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"51 ","pages":"Article 301841"},"PeriodicalIF":2.0,"publicationDate":"2024-10-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142442388","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-11DOI: 10.1016/j.fsidi.2024.301840
Graeme Horsman , Andrew Dodd
Those practising in the field of digital forensics must be competent to conduct the work they carry out, and such competence must also be evidenced and assessed. Those seeking to demonstrate staff competence must consider what tasks and roles it is being sought for, how it is achieved, what is an acceptable level of performance for a task, and how to evidence and assess any claimed competence. This work intends to explore the multifaceted nature of competence within the field of digital forensics, examining how it is developed, assessed, and maintained in an era characterised by continuous technological advancement. Discussions are also linked to the requirements defined in the accreditation framework ISO/IEC 17025:2017 which governs the digital forensic landscape in England and Wales. We hope to contribute to the ongoing discourse on elevating standards and fostering excellence in the science of digital forensics.
{"title":"Competence in digital forensics","authors":"Graeme Horsman , Andrew Dodd","doi":"10.1016/j.fsidi.2024.301840","DOIUrl":"10.1016/j.fsidi.2024.301840","url":null,"abstract":"<div><div>Those practising in the field of digital forensics must be competent to conduct the work they carry out, and such competence must also be evidenced and assessed. Those seeking to demonstrate staff competence must consider what tasks and roles it is being sought for, how it is achieved, what is an acceptable level of performance for a task, and how to evidence and assess any claimed competence. This work intends to explore the multifaceted nature of competence within the field of digital forensics, examining how it is developed, assessed, and maintained in an era characterised by continuous technological advancement. Discussions are also linked to the requirements defined in the accreditation framework ISO/IEC 17025:2017 which governs the digital forensic landscape in England and Wales. We hope to contribute to the ongoing discourse on elevating standards and fostering excellence in the science of digital forensics.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"51 ","pages":"Article 301840"},"PeriodicalIF":2.0,"publicationDate":"2024-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419961","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-09DOI: 10.1016/j.fsidi.2024.301839
Magdalene Ng , Jade James , Ray Bull
Despite digital evidence nowadays playing a major role in criminal investigations and being intrinsic to almost every criminal trial, research in digital forensics (DF) and national approaches to digital evidence in relation to investigating officers and court personnel remain almost non-existent. This research seeks to remedy this issue by qualitatively examining the accounts and experiences of 16 digital forensic investigators (DFIs) in England and Wales who took part in semi-structured interviews. We analyzed the data using a reflexive thematic analysis and identified four overarching themes: (i) Navigating tensions with investigating officers (that has a subtheme of ‘Tensions with legal professionals and challenges navigating court theatrics’) (ii) The psychological, emotional, and existential challenges confronted by DFIs; (iii) Identifying the potential and pitfalls of automation and AI in DF and (iv) The centrality of academia in the advancement of DF (that has a subtheme of ‘Validation of tools as a crucial step in digital forensics’). These new findings reveal that DFIs encounter significant demands to perform well and are continuously overburdened while juggling many roles. This research serves as a pivotal starting point for broader discussions.
{"title":"“What you say in the lab, stays in the lab”: A reflexive thematic analysis of current challenges and future directions of digital forensic investigations in the UK","authors":"Magdalene Ng , Jade James , Ray Bull","doi":"10.1016/j.fsidi.2024.301839","DOIUrl":"10.1016/j.fsidi.2024.301839","url":null,"abstract":"<div><div>Despite digital evidence nowadays playing a major role in criminal investigations and being intrinsic to almost every criminal trial, research in digital forensics (DF) and national approaches to digital evidence in relation to investigating officers and court personnel remain almost non-existent. This research seeks to remedy this issue by qualitatively examining the accounts and experiences of 16 digital forensic investigators (DFIs) in England and Wales who took part in semi-structured interviews. We analyzed the data using a reflexive thematic analysis and identified four overarching themes: (i) Navigating tensions with investigating officers (that has a subtheme of ‘Tensions with legal professionals and challenges navigating court theatrics’) (ii) The psychological, emotional, and existential challenges confronted by DFIs; (iii) Identifying the potential and pitfalls of automation and AI in DF and (iv) The centrality of academia in the advancement of DF (that has a subtheme of ‘Validation of tools as a crucial step in digital forensics’). These new findings reveal that DFIs encounter significant demands to perform well and are continuously overburdened while juggling many roles. This research serves as a pivotal starting point for broader discussions.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"51 ","pages":"Article 301839"},"PeriodicalIF":2.0,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419960","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-04DOI: 10.1016/j.fsidi.2024.301838
Nishchal Soni , Manpreet Kaur , Khalid Aziz
The pervasive influence of digital technology has ushered in a new era of connectivity, reshaping the landscape of forensic science and challenging investigators to adapt to evolving methods of digital interaction. Remote access applications (RAAs) like TeamViewer have become integral tools for facilitating remote collaboration and support across various platforms. However, the widespread adoption of such applications has also led to an increase in cybercrimes, underscoring the critical need for meticulous forensic analysis. This study presents a comprehensive examination of TeamViewer's forensic artifacts across Windows and Android platforms, employing advanced forensic techniques such as registry analysis, disk forensics, memory forensics, and Android forensics. By meticulously dissecting digital evidence and uncovering valuable insights into user interactions, configuration settings, and session dynamics, this research aims to enhance understanding of remote access activities and empower forensic investigators with the tools needed to combat cybercrimes effectively. The findings highlight the forensic significance of each investigative approach and underscore the importance of continuous innovation in the field of digital forensics.
{"title":"Decoding digital interactions: An extensive study of TeamViewer's Forensic Artifacts across Windows and android platforms","authors":"Nishchal Soni , Manpreet Kaur , Khalid Aziz","doi":"10.1016/j.fsidi.2024.301838","DOIUrl":"10.1016/j.fsidi.2024.301838","url":null,"abstract":"<div><div>The pervasive influence of digital technology has ushered in a new era of connectivity, reshaping the landscape of forensic science and challenging investigators to adapt to evolving methods of digital interaction. Remote access applications (RAAs) like TeamViewer have become integral tools for facilitating remote collaboration and support across various platforms. However, the widespread adoption of such applications has also led to an increase in cybercrimes, underscoring the critical need for meticulous forensic analysis. This study presents a comprehensive examination of TeamViewer's forensic artifacts across Windows and Android platforms, employing advanced forensic techniques such as registry analysis, disk forensics, memory forensics, and Android forensics. By meticulously dissecting digital evidence and uncovering valuable insights into user interactions, configuration settings, and session dynamics, this research aims to enhance understanding of remote access activities and empower forensic investigators with the tools needed to combat cybercrimes effectively. The findings highlight the forensic significance of each investigative approach and underscore the importance of continuous innovation in the field of digital forensics.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"51 ","pages":"Article 301838"},"PeriodicalIF":2.0,"publicationDate":"2024-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419962","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-01DOI: 10.1016/j.fsidi.2024.301814
Sang-Hyun Cho , Dohyun Kim , Hyuk-Chul Kwon , Minho Kim
The rapid advancement of large language models (LLMs) has opened up new possibilities for various natural language processing tasks. This study explores the potential of LLMs for author profiling in digital text forensics, which involves identifying characteristics such as age and gender from writing style—a crucial task in forensic investigations of anonymous or pseudonymous communications. Experiments were conducted using state-of-the-art LLMs, including Polyglot, EEVE, and Bllossom, to evaluate their performance in author profiling. Different fine-tuning strategies, such as full fine-tuning, Low-Rank Adaptation (LoRA), and Quantized LoRA (QLoRA), were compared to determine the most effective methods for adapting LLMs to the specific needs of this task. The results show that fine-tuned LLMs can effectively predict authors’ age and gender based on their writing styles, with Polyglot-based models generally outperforming EEVE and Bllossom models. Additionally, LoRA and QLoRA strategies significantly reduce computational costs and memory requirements while maintaining performance comparable to full fine-tuning. However, error analysis reveals limitations in the current LLM-based approach, including difficulty in capturing subtle linguistic variations across age groups and potential biases from pre-training data. These challenges are discussed and future research directions to address them are proposed. This study underscores the potential of LLMs in author profiling for digital text forensics, suggesting promising avenues for further exploration and refinement.
{"title":"Exploring the potential of large language models for author profiling tasks in digital text forensics","authors":"Sang-Hyun Cho , Dohyun Kim , Hyuk-Chul Kwon , Minho Kim","doi":"10.1016/j.fsidi.2024.301814","DOIUrl":"10.1016/j.fsidi.2024.301814","url":null,"abstract":"<div><div>The rapid advancement of large language models (LLMs) has opened up new possibilities for various natural language processing tasks. This study explores the potential of LLMs for author profiling in digital text forensics, which involves identifying characteristics such as age and gender from writing style—a crucial task in forensic investigations of anonymous or pseudonymous communications. Experiments were conducted using state-of-the-art LLMs, including Polyglot, EEVE, and Bllossom, to evaluate their performance in author profiling. Different fine-tuning strategies, such as full fine-tuning, Low-Rank Adaptation (LoRA), and Quantized LoRA (QLoRA), were compared to determine the most effective methods for adapting LLMs to the specific needs of this task. The results show that fine-tuned LLMs can effectively predict authors’ age and gender based on their writing styles, with Polyglot-based models generally outperforming EEVE and Bllossom models. Additionally, LoRA and QLoRA strategies significantly reduce computational costs and memory requirements while maintaining performance comparable to full fine-tuning. However, error analysis reveals limitations in the current LLM-based approach, including difficulty in capturing subtle linguistic variations across age groups and potential biases from pre-training data. These challenges are discussed and future research directions to address them are proposed. This study underscores the potential of LLMs in author profiling for digital text forensics, suggesting promising avenues for further exploration and refinement.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"50 ","pages":"Article 301814"},"PeriodicalIF":2.0,"publicationDate":"2024-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142530440","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Computer and console-based video games are an important part of the entertainment industry. Such devices may be found in evidence lockers as part of investigations, or overlooked as their intrinsic value to an investigation may not be well-understood. Modern games consoles provide network connectivity and functionality that allows a significant degree of interaction via peer-to-peer connections and/or the Internet. These gaming consoles store settings, user preferences, user information, and can capture photos, audio and video, all of which potentially contain forensic artifacts about a person of interest. Games consoles have a fixed lifespan, eventually superseded by newer models with an expanded range of capabilities. As there are significant numbers of consoles available on the secondhand market, there is clear evidence that older consoles remain in circulation even after production has ceased. What is unclear, however, is the actual extent of forensic data available within these consoles. This paper shares the results of a digital forensic case-study undertaken to assess what artifacts are retrievable based on ‘real-world’ dataset, particularly the aging, but popular Nintendo 3DS series. A total of 47 Nintendo 3DS/2DS handheld systems were purchased secondhand. They were forensically imaged then examined to identify what artifacts are commonly found ‘in the wild’ on these often overlooked systems. Results presented in this paper provide guidance to digital forensic investigators of what may be realistically obtained from these non-traditional devices.
{"title":"Nintendo 3DS forensics: A secondhand case study","authors":"Huw O.L. Read , Konstantinos Xynos , Iain Sutherland , Matthew Bovee , Clyde Tamburro","doi":"10.1016/j.fsidi.2024.301815","DOIUrl":"10.1016/j.fsidi.2024.301815","url":null,"abstract":"<div><div>Computer and console-based video games are an important part of the entertainment industry. Such devices may be found in evidence lockers as part of investigations, or overlooked as their intrinsic value to an investigation may not be well-understood. Modern games consoles provide network connectivity and functionality that allows a significant degree of interaction via peer-to-peer connections and/or the Internet. These gaming consoles store settings, user preferences, user information, and can capture photos, audio and video, all of which potentially contain forensic artifacts about a person of interest. Games consoles have a fixed lifespan, eventually superseded by newer models with an expanded range of capabilities. As there are significant numbers of consoles available on the secondhand market, there is clear evidence that older consoles remain in circulation even after production has ceased. What is unclear, however, is the actual extent of forensic data available within these consoles. This paper shares the results of a digital forensic case-study undertaken to assess what artifacts are retrievable based on ‘real-world’ dataset, particularly the aging, but popular Nintendo 3DS series. A total of 47 Nintendo 3DS/2DS handheld systems were purchased secondhand. They were forensically imaged then examined to identify what artifacts are commonly found ‘in the wild’ on these often overlooked systems. Results presented in this paper provide guidance to digital forensic investigators of what may be realistically obtained from these non-traditional devices.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"50 ","pages":"Article 301815"},"PeriodicalIF":2.0,"publicationDate":"2024-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142530441","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号