Title: The role of R&D in combating digital deception
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2024.301732 (https://doi.org/10.1016/j.fsidi.2024.301732)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301732
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S2666281724000489/pdfft?md5=d484925faa482caa4cb5d4eb7198123b&pid=1-s2.0-S2666281724000489-main.pdf
Title: Forensic implications of stacked file systems
Authors: Jan-Niclas Hilgert, Martin Lambertz, Daniel Baier
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301678 (https://doi.org/10.1016/j.fsidi.2023.301678)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301678
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S266628172300197X/pdfft?md5=9c76c4773a2d4b6e6105a47e0cd439ce&pid=1-s2.0-S266628172300197X-main.pdf
Abstract: While file system analysis is a cornerstone of forensic investigations and has been extensively studied, certain file system classes have not yet been thoroughly examined from a forensic perspective. Stacked file systems, which store their data in files of an underlying file system rather than directly on a volume, are a prominent example. With the growth of cloud infrastructure and big data, investigators are increasingly likely to encounter distributed stacked file systems that employ this architecture, such as MooseFS and the Hadoop Distributed File System (HDFS). However, current standard models and tools for file system analysis fall short of addressing the complexities of stacked file systems. This paper highlights the forensic challenges and implications associated with stacked file systems, discussing their unique characteristics in the context of forensic analyses. We provide insights through three analyses of different stacked file systems, illustrating their operational details and emphasizing the necessity of understanding this file system category during forensic investigations. For this purpose, we present general considerations that must be made when analysing stacked file systems.
Title: So fresh, so clean: Cloud forensic analysis of the Amazon iRobot Roomba vacuum
Authors: Abdur Rahman Onik, Ruba Alsmadi, Ibrahim Baggili, Andrew M. Webb
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301686 (https://doi.org/10.1016/j.fsidi.2023.301686)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301686
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S2666281723002056/pdfft?md5=1c89d48540f77b7767d9dc8b2df83b01&pid=1-s2.0-S2666281723002056-main.pdf
Abstract: The advent of the smart home has been made possible by Internet of Things (IoT) devices that continually collect and transmit private user data. In this paper, we explore how data from these devices can be accessed and applied for forensic investigations. Our research focuses on the iRobot Roomba autonomous vacuum cleaner. Through detailed analysis of Roomba's cloud infrastructure, we discovered undocumented application programming interfaces (APIs). Leveraging these APIs, we developed PyRoomba, an open-source Python application that acquires a Roomba's complete mission history and navigational data. From this information, PyRoomba generates detailed mission logs and maps of navigated spaces, informing the user about mission duration, detected objects, degree of coverage, and encrypted image captures. We compared the outcomes of PyRoomba with Roomba's mobile application across six navigation runs in two environments of different sizes and found that PyRoomba provides more detailed environmental information. A simulated crime scene case study demonstrated PyRoomba's ability to detect environmental changes, such as bodies and knives, which the device recorded as hazards or obstacles. PyRoomba offers a more forensically sound approach to cloud acquisition than Roomba's standard mobile application, minimizing the risk of inadvertently triggering the device during a crime scene investigation.
Title: PHASER: Perceptual hashing algorithms evaluation and results - An open source forensic framework
Authors: Sean McKeown, Peter Aaby, Andreas Steyven
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301680 (https://doi.org/10.1016/j.fsidi.2023.301680)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301680
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S2666281723001993/pdfft?md5=bf4f7f2cae2a9401e3c7e72438aaf79a&pid=1-s2.0-S2666281723001993-main.pdf
Abstract: The automated comparison of visual content is a contemporary solution to scale the detection of illegal media and extremist material, both for detection on individual devices and in the cloud. However, the problem is difficult, and perceptual similarity algorithms often have weaknesses and anomalous edge cases that may not be clearly documented. Additionally, it is a complex task to perform an evaluation of such tools in order to best utilise them. To address this, we present PHASER, a still-image perceptual hashing framework enabling forensics specialists and scientists to conduct experiments on bespoke datasets for their individual deployment scenarios. The framework utilises a modular approach, allowing users to specify and define a perceptual hash/image transform/distance metric triplet, which can be explored to better understand their behaviour and interactions. PHASER is open-source and we demonstrate its utility via case studies which briefly explore setting an appropriate dataset size and the potential to optimise the performance of existing algorithms by utilising learned weight vectors for comparing hashes.
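The hash/transform/distance triplet the abstract describes is the unit PHASER evaluates. The following is an added, self-contained illustration of that idea and is not PHASER's own code: it implements a 64-bit difference hash (dHash) in pure Python, three assumed transforms (brightness shift, horizontal flip, 90-degree rotation), Hamming distance, and a constructed gradient image, then reports the worst-case distance per transform so that a threshold-based matcher's blind spots become visible.

```python
"""Added example: evaluating a (perceptual hash, transform, distance) triplet.

Toy stand-in for the kind of experiment the PHASER abstract describes; it is
not PHASER's code. The hash (dHash), the transforms and the constructed
gradient image are assumptions made here so the example runs offline with no
image libraries.
"""
from typing import Callable, Dict, List

Image = List[List[int]]  # grayscale pixels, rows of 0..255 ints


def make_gradient(size: int = 32) -> Image:
    """Constructed sample image: a left-to-right ramp with a faint vertical offset."""
    return [[20 + 5 * x + y // 4 for x in range(size)] for y in range(size)]


def resize_nearest(img: Image, w: int, h: int) -> Image:
    """Nearest-neighbour downscale; good enough for a hash demo."""
    rows, cols = len(img), len(img[0])
    return [[img[y * rows // h][x * cols // w] for x in range(w)] for y in range(h)]


def dhash(img: Image) -> int:
    """64-bit difference hash: a bit is set where a pixel is darker than its right neighbour."""
    small = resize_nearest(img, 9, 8)
    bits = 0
    for row in small:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def brighten(delta: int) -> Callable[[Image], Image]:
    return lambda img: [[min(255, max(0, p + delta)) for p in row] for row in img]


def hflip(img: Image) -> Image:
    return [row[::-1] for row in img]


def rotate90(img: Image) -> Image:
    h, w = len(img), len(img[0])
    return [[img[h - 1 - c][r] for c in range(h)] for r in range(w)]


def evaluate(hash_fn, transforms, distance_fn, images) -> Dict[str, int]:
    """Worst-case distance between each image and its transformed copy, per transform."""
    return {
        name: max(distance_fn(hash_fn(img), hash_fn(t(img))) for img in images)
        for name, t in transforms.items()
    }


TRANSFORMS: Dict[str, Callable[[Image], Image]] = {
    "brighten+30": brighten(30),
    "hflip": hflip,
    "rotate90": rotate90,
}


def run_demo() -> Dict[str, int]:
    """Per-transform worst-case Hamming distance for the constructed dataset."""
    return evaluate(dhash, TRANSFORMS, hamming, [make_gradient()])


def classify(distances: Dict[str, int], threshold: int = 10) -> Dict[str, bool]:
    """True where a matcher with this cut-off would still recognise the transformed copy."""
    return {name: d <= threshold for name, d in distances.items()}


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:12s} distance={d:2d}  {'match' if d <= 10 else 'MISS'}")
```

On this input dHash is unchanged by a uniform brightness shift (no pixel clips, so every left/right comparison survives) but every bit flips under mirroring and rotation, which is exactly the kind of undocumented edge case the abstract says such frameworks exist to surface; a real run would use a larger dataset and a perceptual hash of interest in place of the toy dHash.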
Title: ChatGPT, Llama, can you write my report? An experiment on assisted digital forensics reports written using (local) large language models
Authors: Gaëtan Michelet, Frank Breitinger
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301683 (https://doi.org/10.1016/j.fsidi.2023.301683)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301683
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S2666281723002020/pdfft?md5=7fa170169dea7b2b53ba42a635e6e67e&pid=1-s2.0-S2666281723002020-main.pdf
Abstract: Generative AIs, especially Large Language Models (LLMs) such as ChatGPT or Llama, have advanced significantly, positioning them as valuable tools for digital forensics. While initial studies have explored the potential of ChatGPT in the context of investigations, the question of to what extent LLMs can assist the forensic report writing process remains unresolved. To answer the question, this article first examines forensic reports with the goal of generalization (e.g., finding the 'average structure' of a report). We then evaluate the strengths and limitations of LLMs for generating the different parts of the forensic report using a case study. This work thus provides valuable insights into the automation of report writing, a critical facet of digital forensics investigations. We conclude that, combined with thorough proofreading and corrections, LLMs may assist practitioners during the report writing process but at this point cannot replace them.
Title: Well Played, Suspect! - Forensic examination of the handheld gaming console "Steam Deck"
Authors: Maximilian Eichhorn, Janine Schneider, Gaston Pugliese
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301688 (https://doi.org/10.1016/j.fsidi.2023.301688)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301688
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S266628172300207X/pdfft?md5=4942e4f1f339b7f090d006e561f314ce&pid=1-s2.0-S266628172300207X-main.pdf
Abstract: The video game industry has been experiencing consistent growth, accompanied by an increase in the number of players. After the remarkable success of the Nintendo Switch, it comes as no surprise that various other manufacturers have ventured into developing their own handheld gaming consoles. As a consequence, it is likely that these types of devices will be found more frequently in households in the near future and that they will start to play a more important role in forensic investigations. In light of this, we conducted a forensic examination of Valve's recent Steam Deck console to assist forensic investigators in retrieving and interpreting digital evidence obtained from such devices. The Steam Deck console runs on SteamOS and ships with a custom version of Valve's highly popular Steam gaming platform. Our examination encompasses exploring the console's architecture, the SteamOS operating system, and the pre-installed cross-platform Steam client. Using differential forensic analysis, we systematically identify forensically relevant artifacts on the handheld console and report on their locations and contents. Based on our findings, we developed Autopsy plugins for the automated extraction of forensic artifacts from images taken of Steam Deck devices.
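Differential forensic analysis, the method named in the Steam Deck abstract, compares a fingerprinted "before" state with an "after" state taken once the user action under study has been performed, so that the artifacts that action leaves behind stand out. The block below is an added, general-purpose illustration of that technique and is not the paper's tooling or its Autopsy plugins: the two snapshots are constructed in memory and the paths are hypothetical, not the artifact locations the paper reports. It classifies paths as added, removed or modified and pairs removed and added entries with identical content as renames, which a plain path diff would misreport as one deletion plus one creation.

```python
"""Added example: differential forensic analysis over two file-system snapshots.

General form of the technique named in the Steam Deck abstract; not the paper's
code. The snapshots are constructed in memory and the paths are hypothetical.
"""
import hashlib
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]  # path -> sha256 hex digest


def fingerprint(files: Dict[str, bytes]) -> Snapshot:
    """Hash every file's content; on a real image this would walk the mounted tree."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def differential(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Classify paths as added / removed / modified, then pair removed+added entries
    with identical content as renames (only when that content is unique on both sides,
    so duplicated files are not mis-paired)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])

    by_hash_removed: Dict[str, List[str]] = {}
    for p in removed:
        by_hash_removed.setdefault(before[p], []).append(p)
    by_hash_added: Dict[str, List[str]] = {}
    for p in added:
        by_hash_added.setdefault(after[p], []).append(p)

    renamed: List[Tuple[str, str]] = []
    for digest, olds in by_hash_removed.items():
        news = by_hash_added.get(digest, [])
        if len(olds) == 1 and len(news) == 1:
            renamed.append((olds[0], news[0]))
    renamed_old = {o for o, _ in renamed}
    renamed_new = {n for _, n in renamed}
    return {
        "added": [p for p in added if p not in renamed_new],
        "removed": [p for p in removed if p not in renamed_old],
        "modified": modified,
        "renamed": sorted(renamed),
    }


# Constructed snapshots: hypothetical state before and after one user action.
BEFORE = fingerprint({
    "home/user/app/config.vdf": b"language=en\n",
    "home/user/app/logs/session.log": b"boot ok\n",
    "home/user/app/cache/tmp0001": b"\x00\x01\x02",
})
AFTER = fingerprint({
    "home/user/app/config.vdf": b"language=en\n",              # unchanged
    "home/user/app/logs/session.log": b"boot ok\nlogin ok\n",  # modified
    "home/user/app/cache/tmp0002": b"\x00\x01\x02",            # renamed (same content)
    "home/user/app/state/last_login": b"1700000000",           # added
})


def run_demo() -> Dict[str, list]:
    return differential(BEFORE, AFTER)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9s} {paths}")
```

In practice the fingerprint would also carry size and timestamps so that a file rewritten with identical content (a touched log, a re-saved config) is still flagged, and the action between snapshots (a login, launching a game, pairing a controller) is the only variable, so that everything in the modified and added sets can be attributed to it.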
Title: DFRWS EU 10-year review and future directions in Digital Forensic Research
Authors: Frank Breitinger, Jan-Niclas Hilgert, Christopher Hargreaves, John Sheppard, Rebekah Overdorf, Mark Scanlon
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301685 (https://doi.org/10.1016/j.fsidi.2023.301685)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301685
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S2666281723002044/pdfft?md5=593bd091397c0cfd0b34cd03281a4eb5&pid=1-s2.0-S2666281723002044-main.pdf
Abstract: Conducting a systematic literature review and comprehensive analysis, this paper surveys all 135 peer-reviewed articles published at the Digital Forensics Research Conference Europe (DFRWS EU) spanning the decade since its inaugural running (2014–2023). This comprehensive study of DFRWS EU articles encompasses sub-disciplines such as digital forensic science, device forensics, techniques and fundamentals, artefact forensics, multimedia forensics, memory forensics, and network forensics. Quantitative analysis of the articles' co-authorships, geographical spread and citation metrics is outlined. The analysis presented offers insights into the evolution of digital forensic research efforts over these ten years and informs some identified future research directions.
Title: Welcome to the 11th annual DFRWS Europe conference!
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2024.301694 (https://doi.org/10.1016/j.fsidi.2024.301694)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301694
Title: Exploiting RPMB authentication in a closed source TEE implementation
Authors: Aya Fukami, Richard Buurke, Zeno Geradts
Pub Date: 2024-03-01
DOI: 10.1016/j.fsidi.2023.301682 (https://doi.org/10.1016/j.fsidi.2023.301682)
Journal: Forensic Science International: Digital Investigation, Vol. 48, Article 301682
Open-access PDF: https://www.sciencedirect.com/science/article/pii/S2666281723002019/pdfft?md5=fb11101f9e02b7ee1646a53366d1bf42&pid=1-s2.0-S2666281723002019-main.pdf
Abstract: Embedded Multimedia Cards (eMMCs) provide a protected memory area called the Replay Protected Memory Block (RPMB). eMMCs are commonly used as storage media in modern smartphones. To protect these devices from unauthorized access, important data is stored in the RPMB area in an authenticated manner: modifying RPMB data requires a pre-shared authentication key, so an unauthorized user cannot change the stored data.
On modern devices, this pre-shared key is generated and used exclusively within a Trusted Execution Environment (TEE), which is meant to keep it out of an attacker's reach. In this paper, we investigate how the RPMB authentication key is programmed on the eMMC. We found that this key can be extracted directly from the target memory chip. Once obtained, the authentication key can be used to manipulate stored data. In addition, poorly implemented host-side security features that rely on RPMB to prevent replay attacks can be broken by an attacker. We show how the authentication key can be extracted and how it can be used to break the anti-rollback protection, enabling data restoration even after a data wipe operation has been completed.
Our findings show that non-secure RPMB implementations can enable forensic investigators to break security features implemented on modern smartphones.
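Why extracting the RPMB key is enough to undo anti-rollback protection follows from how RPMB authentication works in general: every write carries an HMAC-SHA256 computed with the 32-byte pre-shared key over the frame fields, and the device's monotonic write counter only rejects frames that carry a stale counter value. The block below is an added, simplified model of that mechanism, not the paper's procedure and not a model of any particular eMMC, TEE or the real 512-byte frame layout; the key, address and rollback indices are constructed. It shows that a replayed frame and a frame forged without the key are both rejected, while a fresh frame signed with the extracted key restores an older rollback index and is indistinguishable from a legitimate write.

```python
"""Added example: a simplified model of RPMB authenticated writes.

Models the general RPMB scheme (HMAC-SHA256 with a 32-byte pre-shared key plus
a monotonic write counter). Not the paper's procedure and not a model of any
specific eMMC, TEE or frame layout; key, address and indices are constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

Frame = Tuple[int, bytes, int, bytes]  # (address, data, write_counter, mac)


class RpmbDevice:
    """eMMC-side view: verify the counter and the MAC, then store the block."""

    def __init__(self, auth_key: bytes) -> None:
        assert len(auth_key) == 32
        self._key = auth_key              # programmed once; not readable over the bus
        self.write_counter = 0            # monotonic, +1 per successful write
        self.blocks: Dict[int, bytes] = {}

    @staticmethod
    def mac(key: bytes, address: int, data: bytes, counter: int) -> bytes:
        # Simplified field order; the real frame MACs a fixed 284-byte region.
        msg = data + counter.to_bytes(4, "big") + address.to_bytes(2, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()

    def authenticated_write(self, frame: Frame) -> str:
        address, data, counter, mac = frame
        if counter != self.write_counter:
            return "COUNTER_FAILURE"      # stale counter: classic replay is refused
        if not hmac.compare_digest(mac, self.mac(self._key, address, data, counter)):
            return "AUTH_FAILURE"         # wrong or missing key
        self.blocks[address] = data
        self.write_counter += 1
        return "OK"


def build_frame(key: bytes, dev: RpmbDevice, address: int, data: bytes) -> Frame:
    """Host side: read the current counter and authenticate the write with `key`."""
    counter = dev.write_counter
    return (address, data, counter, RpmbDevice.mac(key, address, data, counter))


def rollback_index(n: int) -> bytes:
    """A 256-byte RPMB data block holding a 32-bit anti-rollback version (constructed layout)."""
    return n.to_bytes(4, "big").ljust(256, b"\x00")


def run_scenario() -> Dict[str, str]:
    provisioned_key = bytes(range(32))    # constructed device key
    dev = RpmbDevice(provisioned_key)
    log: Dict[str, str] = {}

    # 1. The TEE (legitimate key holder) stores version 3, later advances to version 5.
    old_frame = build_frame(provisioned_key, dev, 0, rollback_index(3))
    log["store_v3"] = dev.authenticated_write(old_frame)
    log["store_v5"] = dev.authenticated_write(
        build_frame(provisioned_key, dev, 0, rollback_index(5)))

    # 2. Attacker without the key: replaying the captured v3 frame fails on the
    #    counter, and a frame forged with a guessed key fails authentication.
    log["replay_old_frame"] = dev.authenticated_write(old_frame)
    log["forge_without_key"] = dev.authenticated_write(
        build_frame(b"\x00" * 32, dev, 0, rollback_index(3)))

    # 3. Attacker holding the extracted key: a fresh, correctly counted frame that
    #    restores the old index passes every check the device can perform.
    log["rollback_with_key"] = dev.authenticated_write(
        build_frame(provisioned_key, dev, 0, rollback_index(3)))
    log["stored_version"] = str(int.from_bytes(dev.blocks[0][:4], "big"))
    return log


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:20s} {result}")
```

The model makes the design point explicit: the write counter defends against replaying captured frames, and the MAC defends against writers who lack the key, so the whole anti-rollback guarantee reduces to the secrecy of that one key; host software that treats the RPMB-stored index as tamper-proof is only as strong as the key provisioning and storage the paper examines.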