
Latest articles in Forensic Science International: Digital Investigation

Beyond the dictionary attack: Enhancing password cracking efficiency through machine learning-induced mangling rules
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301865 | Vol. 52, Article 301865
Radek Hranický, Lucia Šírová, Viktor Rucký
In the realm of digital forensics, password recovery is a critical task, with dictionary attacks representing one of the oldest yet most effective methods. To increase the attack power, developers of cracking tools have introduced password-mangling rules that apply modifications to the dictionary entries such as character swapping, substitution, or capitalization. Despite several attempts to automate rule creation that have been proposed over the years, creating a suitable ruleset is still a significant challenge. The current research lacks a deeper comparison and evaluation of the individual methods and their implications. We present RuleForge, a machine learning-based mangling-rule generator that leverages four clustering techniques and 19 commands with configurable priorities. Key innovations include an extended command set, advanced cluster representative selection, and various performance optimizations. We conduct extensive experiments on real-world datasets, evaluating clustering-based methods in terms of time, memory use, and hit ratios. Additionally, we compare RuleForge to existing rule-creation tools, password-cracking solutions, and popular existing rulesets. Our solution with an improved MDBSCAN clustering method achieves up to an 11.67%pt. higher hit ratio than the original method and also outperforms the best yet-known state-of-the-art solutions for automated rule creation.
Citations: 0
When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301877 | Vol. 52, Article 301877
Johannes Olegård, Stefan Axelsson, Yuhong Li
It is generally agreed that logs are necessary for understanding cyberattacks post-incident. However, little is known about what specific information logs should contain to be forensically helpful. This uncertainty, combined with the fact that conventional logs are often not designed with security in mind, often results in logs with too much or too little information. Events in one log are also often challenging to correlate with events in other logs. Most previous research has focused on preserving, filtering, and interpreting logs, rather than addressing what should be logged in the first place. This paper explores logging sufficiency through the lens of Digital Forensic Readiness, and highlights the absence of causal information in conventional logs. To address this gap, we propose a novel logging system leveraging “gretel numbers” to track causal information—such as attacker movement—across multiple applications in a tamper-resistant manner. A prototype, implemented using the Extended Berkeley Packet Filter (EBPF) and an Nginx web server, shows that causality tracking imposes minimal resource overhead, though log size management remains critical for scalability.
Citations: 0
Tumbling down the stairs: Exploiting a tumbler’s attempt to hide with ordinary-looking transactions using wallet fingerprinting
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301869 | Vol. 52, Article 301869
Jan Zavřel, Michal Koutenský, Daniel Dolejška, Vladimír Veselý
The privacy of Bitcoin transactions is a subject of ongoing research from parties interested in enhancing their security, as well as those seeking to analyze the flow of funds happening in the network. Various techniques have been identified to de-obfuscate pseudonymity, e.g., heuristics to cluster addresses and transactions, and automatic tracing of transaction chains based on usage patterns/features that may reveal common ownership. These techniques gave rise to services that attempt to make these techniques unreliable with specific forms of behavior. Examples of such behavior include using one-time addresses or transactions with multiple participants. Centralized services employing these behavior patterns, commonly known as tumblers or mixers, offer customers a way to obfuscate their financial flows. In turn, new approaches have been proposed in recent scientific literature to exploit the way the mixers operate in order to gain insight into the underlying financial flows. In this paper, we analyze some of these approaches and identify challenges in the context of their application to a particular modern mixing service – Anonymixer. Furthermore, based on this analysis, we propose a novel approach for the identification of addresses involved in mixing, with the capability to distinguish between depositing/withdrawing parties and mixer inner addresses. The approach utilizes wallet fingerprints, which we have extracted using statistical measurements of the mixer’s behavior. An internally developed tool implementing the proposed techniques automates the deobfuscation process and outputs individual money transfers.
Citations: 0
ForensicLLM: A local large language model for digital forensics
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301872 | Vol. 52, Article 301872
Binaya Sharma, James Ghawaly, Kyle McCleary, Andrew M. Webb, Ibrahim Baggili
Large Language Models (LLMs) excel in diverse natural language tasks but often lack specialization for fields like digital forensics. Their reliance on cloud-based APIs or high-performance computers restricts use in resource-limited environments, and response hallucinations could compromise their applicability in forensic contexts. We introduce ForensicLLM, a 4-bit quantized LLaMA-3.1–8B model fine-tuned on Q&A samples extracted from digital forensic research articles and curated digital artifacts. Quantitative evaluation showed that ForensicLLM outperformed both the base LLaMA-3.1–8B model and the Retrieval Augmented Generation (RAG) model. ForensicLLM accurately attributes sources 86.6 % of the time, with 81.2 % of the responses including both authors and title. Additionally, a user survey conducted with digital forensics professionals confirmed significant improvements of ForensicLLM and the RAG model over the base model. ForensicLLM showed strength in the “correctness” and “relevance” metrics, while the RAG model was appreciated for providing more detailed responses. These advancements mark ForensicLLM as a transformative tool in digital forensics, elevating model performance and source attribution in critical investigative contexts.
Citations: 0
More on digital evidence exceptionalism: Critique of the argument-based method for evaluative opinions
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-02-18 | DOI: 10.1016/j.fsidi.2025.301885 | Vol. 53, Article 301885
Alex Biedermann, Kyriakos N. Kotsoglou
This paper critically analyses and discusses the “Argument-Based Method for Evaluative Opinions” (ABMEO) recently proposed by Sunde and Franqueira in a paper published in Forensic Science International: Digital Investigation (Sunde and Franqueira, 2023). According to its developers, this novel method allows one to produce evaluative opinions in criminal proceedings by constructing arguments. The method is said to incorporate concepts from argumentation and probability theory, while ensuring adherence to accepted principles of evaluative reporting, in particular the ENFSI Guideline for Evaluative Reporting in Forensic Science. While this sounds promising, our analysis of the ABMEO, as well as Sunde and Franqueira's account of a number of evidence-related concepts such as probative value (and its assessment), credibility, relevance, normativity, and probability, among others, reveals a number of fundamental problems that are indicative of digital evidence exceptionalism, i.e. the idea that digital forensic science can somehow exempt itself from adhering to methodologically and scientifically rigorous evidence evaluation procedures. In this paper we explain why the ABMEO cannot and should not be considered as an appropriate complement, supplement or replacement for the existing reference framework for evaluative reporting in forensic science. In particular, we argue that the ABMEO is internally contradictory and tends to undermine the substantial progress made over the past two decades in the development and implementation of principles for the evaluative reporting of forensic science evidence.
Citations: 0
A Smart City Infrastructure ontology for threats, cybercrime, and digital forensic investigation
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-02-07 | DOI: 10.1016/j.fsidi.2025.301883 | Vol. 52, Article 301883
Yee Ching Tok, Davis Yang Zheng, Sudipta Chattopadhyay
Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Due to burgeoning cybercrime on new technological frontiers, efforts have been made to assist digital forensic investigators (DFI) and law enforcement agencies (LEA) in their investigative efforts.
Forensic tool innovations and ontology developments, such as the Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE), have been proposed to assist DFI and LEA. Although these tools and ontologies are useful, they lack extensive information sharing and tool interoperability features, and the ontologies lack the latest Smart City Infrastructure (SCI) context that has been proposed.
To mitigate the weaknesses in both solutions and to ensure a safer cyber-physical environment for all, we propose the Smart City Ontological Paradigm Expression (Scope), an expansion profile of the UCO and CASE ontologies that implements SCI threat models, SCI digital forensic evidence, and attack techniques, patterns and classifications from MITRE.
We showcase how Scope can present complex data such as SCI-specific threats, cybercrime, investigation data and incident handling workflows via an incident scenario modeled after publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. We also make Scope available to the community so that threats, digital evidence and cybercrime in emerging trends such as SCI can be identified, represented, and shared collaboratively.
Citations: 0
Data hiding in the XFS file system
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-02-06 | DOI: 10.1016/j.fsidi.2025.301884 | Vol. 52, Article 301884
Fergus Toolan, Georgina Humphries
The ever-increasing volume of anti-forensic tools and the growth in data hiding at the file system level have led to research in data hiding techniques in recent years. These techniques have focused on common file systems such as NTFS and the ext family. Less common file systems can also be used as a means of hiding data. This paper examines data hiding in the XFS file system, the default file system on all Red Hat Enterprise Linux distributions. The paper introduces five methods of data hiding in XFS and evaluates these techniques using three metrics: capacity (the amount of data that can be hidden), detection difficulty (the effort required to detect hidden data), and stability (the likelihood that the hidden data will persist through file system usage).
Citations: 0
Exploring the potential of large language models for improving digital forensic investigation efficiency 探索大型语言模型在提高数字取证调查效率方面的潜力
IF 2 4区 医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2025-02-03 DOI: 10.1016/j.fsidi.2024.301859
Akila Wickramasekara , Frank Breitinger , Mark Scanlon
The ever-increasing workload of digital forensic labs raises concerns about law enforcement's ability to conduct both cyber-related and non-cyber-related investigations promptly. Consequently, this article explores the potential and usefulness of integrating Large Language Models (LLMs) into digital forensic investigations to address challenges such as bias, explainability, censorship, resource-intensive infrastructure, and ethical and legal considerations. A comprehensive literature review is carried out, encompassing existing digital forensic models, tools, LLMs, deep learning techniques, and the use of LLMs in investigations. The review identifies current challenges within existing digital forensic processes and explores both the obstacles and the possibilities of incorporating LLMs. In conclusion, the study states that the adoption of LLMs in digital forensics, with appropriate constraints, has the potential to improve investigation efficiency, improve traceability, and alleviate the technical and judicial barriers faced by law enforcement entities.
Optimising data set creation in the cybersecurity landscape with a special focus on digital forensics: Principles, characteristics, and use cases
IF 2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-29. DOI: 10.1016/j.fsidi.2025.301882
Thomas Göbel, Frank Breitinger, Harald Baier
Data sets (samples) are important for research, training, and tool development. While the FAIR principles, data repositories and archives like Zenodo and NIST's Computer Forensic Reference Data Sets (CFReDS) enhance the accessibility and reusability of data sets, standardised practices for crafting and describing these data sets require further attention. This paper analyses the existing literature to identify the key data set (generation) characteristics, issues, desirable attributes, and use cases. Although our findings are generally applicable, i.e., to the cybersecurity domain, our special focus is on the digital forensics domain. We define principles and properties for cybersecurity-relevant data sets and their implications for the data creation process to maximise their quality, utility and applicability, taking into account specific data set use cases and data origin. We aim to guide data set creators in enhancing their data sets' value for the cybersecurity and digital forensics field.
WristSense framework: Exploring the forensic potential of wrist-wear devices through case studies
IF 2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-01-16. DOI: 10.1016/j.fsidi.2025.301862
Norah Ahmed Almubairik, Fakhri Alam Khan, Rami Mustafa Mohammad, Mubarak Alshahrani
Wrist devices have revolutionized our interaction with technology, monitoring various aspects of our activities and making them valuable in digital forensic investigations. Previous research has explored specific wrist device operating systems, often concentrating on devices from particular manufacturers. However, the broader market of wrist-worn devices, which includes a wide range of manufacturers, remains less explored. This oversight presents challenges in retrieving and analyzing data from wrist devices with different operating systems. Additionally, there has been limited exploration of utilizing health data from wrist devices in digital investigations. To address these gaps, this study presents a framework called “WristSense,” which systematically extracts health-related data from heterogeneous sources of wrist devices. The framework has been evaluated through case studies involving Huawei, Amazfit, Xiaomi, and Samsung wrist devices. WristSense ensures compatibility with devices from different vendors and analyzes health data such as sleep patterns, heart rate, blood oxygen saturation, activities, and stress levels. The research uncovers potential circumstantial evidence applicable to law enforcement and introduces a wrist-wear device artifact catalog, which also serves as a taxonomy, enabling practitioners to codify and leverage their collective forensic knowledge. The findings demonstrate the effectiveness of the WristSense framework in extracting and analyzing data from various vendors, providing valuable insights for forensic investigations. However, challenges such as encryption mechanisms on certain devices present areas that require further investigation. This research provides a comprehensive overview of suspect or victim health data, empowering digital forensic investigators to reconstruct detailed timelines and gather crucial evidence in criminal investigations involving wrist devices.
Copyright © 2023 Book学术 All rights reserved.