Forensic Science International-Digital Investigation: Latest Articles

Integrated validation framework for EDR data reliability: Application to Korean traffic accident cases
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2026-03-01 | Epub Date: 2026-02-10 | DOI: 10.1016/j.fsidi.2026.302071
Youngsoo Choi, Jongjin Park, Seung-Hyun Kong
The importance of digital evidence in traffic accident analysis is continuously increasing. Among them, Event Data Recorder (EDR) data is widely used as critical evidence in traffic accident investigations. However, in Korea, social questions about the reliability of the data itself continue to be raised due to the uncertainty of the recording time (Time Zero) of EDR data. In this study, we proposed a framework for the systematic validation of EDR data and developed a practical program. We cross-validated EDR data using various information from Dashboard Camera (DBC) installed in most vehicles in Korea. By applying the framework to traffic accidents that occurred in Korea, we compared the calculated Principal Direction of Force (PDOF) with actual vehicle damage patterns, verified engine status through audio signal analysis, and estimated Time Zero by extracting text from DBC and synchronizing temporal data. The proposed synchronization algorithm achieved average similarity scores of 0.978 for speed data and 0.83 for acceleration data across various collision scenarios. This framework objectively demonstrates the similarity between EDR and DBC data, improving the accuracy and reliability of traffic accident analysis. It is particularly valuable for controversial cases in Korea, such as suspected sudden unintended acceleration accidents.
Forensic Science International-Digital Investigation, Volume 56, Article 302071
Citations: 0
Beyond the binary—navigating opaque systems and the privacy paradox
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2026-03-01 | Epub Date: 2026-02-20 | DOI: 10.1016/j.fsidi.2026.302075
Forensic Science International-Digital Investigation, Volume 56, Article 302075
Citations: 0
REVEAL: A large-scale comprehensive image dataset for steganalysis
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-10-29 | DOI: 10.1016/j.fsidi.2025.302006
Meike Kombrink, Stijn van Lierop, Dionne Stolwijk, Marcel Worring, Derk Vrijdag, Zeno Geradts
Detection methodologies for steganography are a topic of study both within academia and in law enforcement. For the development of detection methods and the validation of their use for law enforcement, a large-scale representative dataset is essential. Current datasets are lacking in terms of representing real-life steganography, as they only include low resolution images, are taken with only a few different cameras, and are validated with only a minimal number of steganography methods. A new large-scale comprehensive image steganography dataset is needed with many typical examples of steganography one could encounter in casework. To that end, we present the REVEAL dataset containing 100.006 images taken with more than 50 different cameras. The set contains a rich variety of images, the attributes of which have a wide distribution. There are for example over 200 different sizes, ranging from 256x256 to 7680x4320. All 100.006 images have then been subjected to many different chains of image preprocessing steps. After the preprocessing, a total of more than 50 different image steganography algorithms were used to hide information in the images. This results in three image sets namely: original, preprocessed, and stego, in total more than 300.000 images. This properly annotated dataset can help to achieve accurate detection using supervised machine-learning based methods. At the same time, this dataset can be used for both forensic evaluation and validation, thus improving the applicability of detection methods. The dataset with full annotations, algorithms, and results is made publicly available.
Forensic Science International-Digital Investigation, Volume 55, Article 302006
Citations: 0
Drone forensics in law enforcement: Assessing utilisation, challenges, and emerging necessities
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-09-29 | DOI: 10.1016/j.fsidi.2025.302003
Ranul Deelaka Thantilage, Gerry Buttner, Ray Genoe
The proliferation of drone technology has introduced new challenges and opportunities for law enforcement, necessitating the development of drone forensics as a specialised field within digital forensics. This survey paper explores the critical role of drone forensics in modern policing, focusing on its applications in investigating crimes involving unmanned aerial vehicles (UAVs) and addressing emerging security threats. This paper examines the tools, data extraction methods, and operational practices employed in drone forensic investigations, with particular attention to cases of unauthorised surveillance, smuggling, and cyber-attacks. Furthermore, this study discusses the technical, legal, and ethical challenges associated with drone forensics, including encryption, anti-forensic techniques, proprietary software, and privacy concerns. Through a synthesis of current practices, technological advancements, and relevant case studies, this survey provides insights into the effectiveness, limitations, and evolving needs of drone forensics. Recommendations are offered to enhance law enforcement capabilities, emphasising the importance of continuous training, standardised protocols, and collaboration across agencies. This survey paper aims to support policymakers, law enforcement agencies, and forensic practitioners in integrating drone forensics as a versatile and effective approach for safeguarding public safety and ensuring justice in an increasingly drone-integrated world.
Forensic Science International-Digital Investigation, Volume 55, Article 302003
Citations: 0
Complex networks-based anomaly detection for financial transactions in anti-money laundering
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-10-07 | DOI: 10.1016/j.fsidi.2025.302005
Rodrigo Marcel Araujo Oliveira, Angelo Marcio Oliveira Sant’Anna, Paulo Henrique Ferreira
Money laundering is a global threat that undermines the integrity of the financial system and the stability of the world economy. This paper proposes an approach based on complex network techniques to support investigating financial transactions of individuals suspected of money laundering. The study includes analyses for anomaly detection, community detection, density analysis, and cycle identification, aiming to capture complex patterns of interaction among accounts. Anomaly detection was based on a Graph Neural Networks model. The results highlight the model’s effectiveness, as indicated by the Silhouette score and Davies-Bouldin index metrics obtained on the test set, which were 0.83 and 1.59, respectively. This suggests that the groups of anomalous and normal accounts are well represented in terms of similarity and dissimilarity. The study also incorporates various financial indicators, such as moving averages over different time windows of transactions. The K-means algorithm was employed to identify patterns in financial transactions and determine the number of clusters. Correspondence Analysis was applied to establish similarities among the transactional profiles of the investigated individuals. The findings are relevant to the investigative process, providing analytical support for monitoring and prioritizing cases and identifying potential transactional patterns and groups of individuals possibly involved in illicit activities, such as drug trafficking, fraud, and scams.
Forensic Science International-Digital Investigation, Volume 55, Article 302005
Citations: 0
Uncovering digital traces of DeepSeek: Cross-platform mobile and network forensics
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-11-18 | DOI: 10.1016/j.fsidi.2025.302028
Yufeng Gong, Sonali Tyagi, Vaishnavi Mahindra, Umit Karabiyik
As an application focusing on generative artificial intelligence, open-source LLM DeepSeek has been widely adopted by many research institutions and international companies around the world. More than 60 million active daily users have been reported on DeepSeek by QuestMobile. Given the rapid growth in the population of DeepSeek users and the fact that mobile devices gradually function as centers for users to interact with AI chatbots, it is essential to conduct thorough mobile forensics along with network forensics on the DeepSeek mobile app to discover potential evidence stored in both Android and iOS devices and provide valuable insight into its potential vulnerabilities. However, given the app’s recent introduction, there is currently a lack of systematic forensic research that investigates its potentially valuable artifacts, data persistence mechanisms, and network communication patterns across platforms. This research focused on user data and application usage, such as log files, metadata, and other critical traces, which revealed insights into its operational behavior in different versions of DeepSeek and the data sent over the network. Our analysis can help forensic researchers and investigators fully utilize the forensic value of DeepSeek on mobile devices to have a clear view of what can be recovered and obtained.
Forensic Science International-Digital Investigation, Volume 55, Article 302028
Citations: 0
A comprehensive analysis and evaluation of SQLite deleted Record recovery techniques: A survey
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-11-22 | DOI: 10.1016/j.fsidi.2025.302031
Seonghyeon Lee, Sooyoung Park, Insoo Lee, Jongmoo Choi
SQLite is a lightweight, file-based relational database that is widely deployed on mobile and IoT devices to store diverse data. Due to its widespread use, SQLite has become an important subject of interest in digital forensics. In particular, SQLite exhibits structural characteristics that allow deleted data to persist temporarily within the database, specifically through internal components such as the freelist and Write-Ahead Log (WAL). As a result, deleted content often remains recoverable even after deletion requests, making SQLite a valuable source of forensic artifacts. These characteristics have motivated the development of various techniques and tools for recovering deleted records from SQLite. However, comparative evaluations of the strengths, limitations, and performance of each approach based on consistent criteria remain relatively scarce. To address this gap, this study systematically categorizes existing deleted record recovery techniques into three types, namely Metadata-based, Carving-based, and WAL-based, and compares their trade-offs. In addition, we select representative open-source SQLite recovery tools, such as Undark, SQLite Deleted Record Parser, Bring2Lite, and FQLite, and quantitatively measure their recovery performance, reliability, and throughput based on various deletion scenarios. We also present a detailed analysis of incorrect recoveries (false positives) caused by structural changes in the database. These findings can provide practical guidelines for selecting the most suitable SQLite recovery method depending on the context, and can contribute to the development of more effective recovery techniques and tools in the future.
Forensic Science International-Digital Investigation, Volume 55, Article 302031
Citations: 0
Editorial – Introducing the last Volume of 2025
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-12-02 | DOI: 10.1016/j.fsidi.2025.302033
Kim-Kwang Raymond Choo, Senior Editor
Forensic Science International-Digital Investigation, Volume 55, Article 302033
Citations: 0
Evaluating digital forensic findings in Trojan horse defense cases using Bayesian networks
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-12-01 | Epub Date: 2025-11-05 | DOI: 10.1016/j.fsidi.2025.302023
Marouschka Vink, Ruud Schramp, Bas Kokshoorn, Marjan J. Sjerps
Digital forensic scientists primarily rely on individual internal reasoning and categorical conclusions when evaluating evidence in casework. This can make it difficult to maintain structured reasoning that is logically sound, balanced, robust, and transparent. Trojan horse defense cases exemplify these challenges in evaluating digital forensic findings. The key challenge in such cases is combining multiple observations into a logically sound probabilistic evaluation while maintaining an understandable forensic report for court and other recipients. To address these challenges, we propose using the likelihood ratio framework to evaluate digital findings in Trojan horse defense cases, with Bayesian networks serving to visualize the evaluation and derive a likelihood ratio. We will illustrate this approach by demonstrating the construction of a Bayesian network through a case example. We show that these networks are very suitable to model the evaluation of digital evidence in Trojan horse defense cases and that they can be easily adapted for various case circumstances. Based on our findings, we strongly recommend broader exploration of Bayesian networks in digital forensic casework.
Citations: 0
AI-driven dataset creation in mobile forensics using LLM-based storyboards
IF 2.2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2025-12-01 Epub Date: 2025-10-03 DOI: 10.1016/j.fsidi.2025.302002
Dirk Pawlaszczyk , Philipp Engler , Ronny Bodach , Christian Hummert , Margaux Michel , Ralf Zimmermann
The generation of datasets is essential for training and validation tasks in digital forensics. Currently, the processes of data generation and provisioning are mainly performed manually. In the field of mobile forensics, there are only a limited number of tools available that aid in populating and injecting data into mobile devices. In this paper, we introduce a novel method for automatic data generation using an AI-driven approach. We present a comprehensive toolchain for dataset creation, focusing on developing a dynamic model (storyboard) with the assistance of large language model (LLM) agents. The generated sequences of activities are then automatically executed on mobile devices. Our proposed approach has been successfully implemented within the data creation and injection framework called AutoPodMobile (APM) as part of a proof-of-concept study. For data generated through AI methods, a validation is presented as well. The paper ends with a brief discussion of the results and the next steps planned.
Citations: 0