
Forensic Science International-Digital Investigation: Latest Articles

An effective automotive forensic technique utilizing various logs of Android-based In-vehicle infotainment systems
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-12-01. Epub Date: 2025-09-01. DOI: 10.1016/j.fsidi.2025.301990
Sunjae Kim, Jeehun Jung, Haein Kang, Yejin Yoon, Seong-je Cho, Minkyu Park, Sangchul Han
Android-based In-vehicle infotainment (IVI) systems generate log messages containing valuable forensic artifacts from interactions with internal or external devices. These log messages can help in vehicle accident or criminal investigations; however, there is limited knowledge of the stored information and of the methods for accessing it. In addition, digital forensic analysis of Android-based IVI systems is not supported by the popular forensic tool Berla's iVe. To address this, we first acquire multiple types of logs from three Jellybean-based IVI systems (2017-2019) and two KitKat-based IVI systems (2022-2023) using a practical and non-invasive method, and then perform a comprehensive and comparative analysis of the logging mechanisms in the IVI systems. We then examine volatile and nonvolatile log data acquired from the IVI systems from the perspective of vehicle forensics. Jellybean-based systems maintain seven ring buffers for volatile logs, while KitKat-based systems use five. Volatile logs are erased when the system is powered off. Both versions of the Android systems store nonvolatile log files of seven different types, with data retained for up to a year. We conducted a thorough analysis of the acquired logs, uncovering artifacts related to navigation use, radio listening, engine start/stop, door access, seat belt use, and Bluetooth connections, including phone calls and SMS messages. In addition, we compare the artifacts identified within those IVI systems. Finally, our analysis creates a timeline to track driver behavior, and provides critical insights into driver actions and vehicle events.
Forensic Science International-Digital Investigation, Vol. 55, Article 301990. Journal Article, not open access. Semantic Scholar paper ID: 144922521.
Citations: 0
AKF: A modern synthesis framework for building datasets in digital forensics
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-12-01. Epub Date: 2025-10-03. DOI: 10.1016/j.fsidi.2025.302004
Lloyd Gonzales, Nancy LaTourrette, Bill Doherty
The forensic community depends on datasets containing disk images, network captures, and other forensic artifacts for education and research. These datasets must be reflective of the artifacts that real-world analysts encounter, which can evolve rapidly as new software is released. Additionally, these datasets must be free of sensitive data that would limit their distribution. To address the issues of relevance and sensitivity, many researchers and educators develop datasets by hand. While this approach is viable, it is time-consuming and rarely produces datasets that are fully reflective of real-world conditions. As a result, there is ongoing research into forensic synthesizers, which simplify the process of creating complex datasets that are free of legal and logistical concerns.
This work introduces the automated kinetic framework (AKF), a modular synthesizer for creating and interacting with virtualized environments to simulate human activity. AKF makes significant improvements to the approaches and implementations of prior synthesizers used to generate forensic artifacts. AKF also improves the process of documenting these datasets by leveraging the CASE standard to provide human- and machine-readable reporting. Finally, AKF offers several options for using these features to build and document datasets, including a custom scripting language. These contributions aim to streamline the development of forensic datasets and ensure the long-term usefulness of AKF-generated datasets and the framework as a whole.
Forensic Science International-Digital Investigation, Vol. 55, Article 302004. Journal Article, not open access. Semantic Scholar paper ID: 145220647.
Citations: 0
A comprehensive artifact analysis of Google applications on Android and iOS platforms
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-12-01. Epub Date: 2025-11-11. DOI: 10.1016/j.fsidi.2025.302029
Jisu Park, Jincheol Park, Hyunjun Kim, Soojin Kang, Jongsung Kim
Google provides a diverse suite of applications (e.g., Gmail, Google Drive, Google Maps, and Google Docs Editor), which are interconnected to enhance user convenience. This study comparatively analyzes the artifacts generated by 25 Google applications on Android and iOS platforms. We start by describing an artifact acquisition method and the utility of artifacts in digital forensic investigations. Based on these investigations, we identify the differences between the two platforms in terms of their data storage patterns and demonstrate that the integrated analysis of both platforms provides a more comprehensive set of artifacts than single-platform analysis. Subsequently, we analyze the synchronization among Google applications. We demonstrate how various applications share and synchronize data, and present methods for utilizing the interactions among the corresponding artifacts. Based on the results of this analysis, we develop a tool for effectively tracing and analyzing the collected artifacts. By comparing the artifact acquisition rates of Android and iOS, we highlight the distinct data provided by each platform. Compared with existing methods, our integrated approach is expected to provide richer and more accurate digital evidence.
Forensic Science International-Digital Investigation, Vol. 55, Article 302029. Journal Article, not open access. Semantic Scholar paper ID: 145527963.
Citations: 0
Practitioner-driven framework for AI adoption in digital forensics
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-12-01. Epub Date: 2025-11-12. DOI: 10.1016/j.fsidi.2025.302030
Maryna Veksler, Kemal Akkaya, Selcuk Uluagac
The impact of AI has not bypassed the field of digital forensics. However, despite the emergence of AI-based digital forensic methods and tools, their widespread adoption remains limited due to ethical, legal, and practical concerns. While existing research has proposed various solutions to support AI integration in digital forensics, many reiterate challenges already present in traditional digital forensics, focusing heavily on explainable AI, and often overlooking real-world feasibility. Thus, this study investigates the practical challenges affecting the adoption of AI in digital forensics by directly engaging with practitioners.
To this end, we conducted a survey and interview study involving 28 digital forensic experts to explore their experiences with AI-based tools, their perceptions of AI in digital forensics, and the practical challenges they encounter. Our findings highlight key concerns related to validation, transparency, and the explanation and presentation of AI-generated evidence in court. We also find that practical challenges are often broader than those discussed in theory, warranting deeper, practice-oriented analysis and perspectives.
Based on these findings, we propose a practitioner-focused framework to support stakeholders, including forensic professionals, developers, law enforcement, regulators, and researchers, in fostering standardized, responsible, and effective adoption of AI-based digital forensics. Rather than replacing existing procedures, our framework builds on traditional digital forensic processes, extending them to address AI-specific requirements. Finally, as part of this proposed framework, we provide practical recommendations for the development and deployment of AI-based digital forensic tools that are better aligned with real-world investigative needs.
Forensic Science International-Digital Investigation, Vol. 55, Article 302030. Journal Article, not open access. Semantic Scholar paper ID: 145527964.
Citations: 0
Dial M for Mixer: A methodological approach to forensic analysis of unknown devices using the thermomix TM6
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/j.fsidi.2025.301983
Maximilian Eichhorn, Felix Freiling
To forensically examine an unknown digital device, a method is proposed that involves performing experiments on an identical device and systematically deriving information from the behaviour observed while performing specific actions. We apply this method to the Thermomix TM6 from Vorwerk, a multifunctional kitchen appliance. Using differential forensic analysis together with our method, we identify various forensic artefacts from real-world use, e.g., timestamps of when the system was turned on and logs of specific cooking actions like dough kneading and cooking. We also observe inadequate data sanitization after factory reset. Other forensic artefacts we found include Wi-Fi login details and account information for the Cookidoo online service provided by Vorwerk to exchange recipes.
Forensic Science International-Digital Investigation, Vol. 54, Article 301983. Journal Article, not open access. Semantic Scholar paper ID: 145424401.
Citations: 0
Welcome to the Proceedings of the Fifth Annual DFRWS APAC Conference 2025!
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/j.fsidi.2025.301989
Mariya Shafat Kirmani
Forensic Science International-Digital Investigation, Vol. 54, Article 301989. Journal Article, not open access; no abstract. Semantic Scholar paper ID: 145424486.
Citations: 0
Creating a standardized corpus for digital stratigraphic methods with fsstratify
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/j.fsidi.2025.301986
Julian Uthoff, Lisa Marie Dreier, Martin Lambertz, Mariia Rybalka, Felix Freiling
Digital stratigraphic methods aim to infer new information about digital objects using their depositional context. Many such methods have been developed, for example, to interpret file allocation traces and thereby estimate timestamps of file fragments based on their position on disk. Such methods are difficult to compare. We therefore present a corpus of NTFS file system images that can be used to evaluate these methods. The corpus comprises different categories, each extensively employing a small subset of file system operations to display their effect on file allocation traces. We demonstrate the usefulness of this corpus by evaluating the method of Bahjat and Jones (2019) that derives the timestamp of a file fragment from the timestamps of neighboring files. The corpus was generated using a revised version of fsstratify, a software framework to simulate file system usage. The tool is able to log the position of content data during file creation, greatly facilitating research in the realm of digital stratigraphy.
Forensic Science International-Digital Investigation, Vol. 54, Article 301986. Journal Article, not open access. Semantic Scholar paper ID: 145424404.
Citations: 0
DFRWS EU 2026 Sweden
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/S2666-2817(25)00155-6
Forensic Science International-Digital Investigation, Vol. 54, Article 302015. Journal Article, not open access; no authors listed, no abstract. Semantic Scholar paper ID: 145424407.
Citations: 0
Advanced Monero wallet forensics: Demystifying off-chain artifacts to trace privacy-preserving cryptocurrency transactions
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/j.fsidi.2025.301988
Jeongin Lee, Geunyeong Choi, Jihyo Han, Jungheum Park
Monero, a privacy-preserving cryptocurrency, employs advanced cryptographic techniques to obfuscate transaction participants and amounts, thereby achieving strong untraceability. However, digital forensic approaches can still reveal sensitive information by examining off-chain artifacts such as memory and wallet files. In this work, we conduct an in-depth forensic analysis of Monero's wallet application, focusing on the handling of public and private keys and the wallet's data storage formats. We reveal how these keys are managed in memory and develop a memory scanning algorithm capable of identifying key-related data structures. Furthermore, we analyze the wallet keys and cache files, presenting a method for decrypting and interpreting serialized keys and transaction data encrypted with a user-specified passphrase. Our approach is implemented as an open-source Volatility3 plugin and a set of decryption scripts. Finally, we discuss the applicability of our methodology to multi-cryptocurrency wallets that incorporate Monero components, thereby validating the generalizability of our techniques.
Forensic Science International-Digital Investigation, Vol. 54, Article 301988. Journal Article, not open access. Semantic Scholar paper ID: 145424406.
Citations: 0
DFRWS USA 2026 Arlington
IF 2.2, CAS Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/S2666-2817(25)00159-3
Forensic Science International-Digital Investigation, Vol. 54, Article 302019. Journal Article, not open access; no authors listed, no abstract. Semantic Scholar paper ID: 145424408.
Citations: 0
Copyright © 2023 Book学术 All rights reserved.