
Forensic Science International: Digital Investigation, latest publications

Revisiting logical image formats for future digital forensics: A comprehensive analysis on L01 and AFF4-L
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-10-01. DOI: 10.1016/j.fsidi.2024.301811
Sorin Im , Hyunah Park , Jihun Joun , Sangjin Lee , Jungheum Park
As the capacity of storage devices continues to increase significantly and cloud environments emerge, there is a need to perform logical imaging to selectively collect specific data relevant to a case. However, there is currently insufficient research addressing the appropriateness and usability of logical image file formats, which could potentially raise issues in terms of the originality and integrity of digital evidence. This study performs a comprehensive analysis of the internal structures and metadata of existing proprietary and open-source logical image file formats, with a particular focus on the L01 and AFF4-L. Furthermore, this study reveals several limitations of each file format and the supporting tools through practical experiments including metadata manipulation and stress tests. More specifically, the potential for loss of originality and metadata manipulation during and after logical imaging underscores the necessity for the development and standardization of more advanced logical image file formats to systematically manage different types of digital evidence from different sources. The findings of this research also demonstrate the necessity of collective efforts from the community for the continuous improvement of logical image file formats.
Forensic Science International: Digital Investigation, Volume 50, Article 301811.
Citations: 0
Geotagging accuracy in smartphone photography
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-10-01. DOI: 10.1016/j.fsidi.2024.301813
Elénore Ryser , Hannes Spichiger , David-Olivier Jaquet-Chiffelle
After a decade of technological advancements, digital forensic science is under increasing pressure to deliver investigative findings with a high degree of scientific rigor. The judicial community has voiced growing concerns regarding digital traces and their interpretation. This research focuses on assessing the significance of geolocation information embedded within the metadata of photographs captured using a mobile phone. In order to examine the variability in the accuracy of this geolocation metadata and identify potential external influences, images were taken at 29 different locations distributed along three distinct paths. The photographs were captured using two Samsung Galaxy S8 SM-G950F devices running on Android 8.0. Various configurations of GNSS and mobile network connections were tested, and their potential impact on the accuracy of geolocation metadata was investigated. The findings show the dependency of geolocation accuracy on the specific measurement location. This research ultimately highlights the imperative for evaluative approaches to take into account the specific characteristics of each point of interest, as opposed to leaning on broad statements about the reliability of geolocation processes in general.
Forensic Science International: Digital Investigation, Volume 50, Article 301813.
Citations: 0
MIC: Memory analysis of IndexedDB data on Chromium-based applications
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-10-01. DOI: 10.1016/j.fsidi.2024.301809
Byeongchan Jeong, Sangjin Lee, Jungheum Park
As Chromium-based applications continue to gain popularity, it is necessary for forensic investigators to obtain a comprehensive understanding of how they store and manage browsing artifacts from both filesystem and memory perspectives. In particular, the incognito mode developed in the current version of Chromium uses only physical memory to manage data related to active sessions. Therefore, handling physical memory is essential for tracking a user's browsing behaviour in incognito mode. This paper provides an in-depth examination of LevelDB, a lightweight key-value database utilized as Chromium's implementation for IndexedDB. In particular, we delve into the details of how IndexedDB data is managed through LevelDB, taking into account its low-level database file format. Furthermore, we thoroughly explore the possibility of residual data, both complete and incomplete, being retained as applications create and initialize IndexedDB-related data. Based on our research findings, we propose a systematic methodology for inspecting the internal structures of LevelDB-related C++ classes, carving these structures from binary streams, and interpreting the data for forensic analysis. In addition, we develop a proof-of-concept tool based on our approach and demonstrate its performance and effectiveness through case studies.
Forensic Science International: Digital Investigation, Volume 50, Article 301809.
Citations: 0
Video source identification using machine learning: A case study of 16 instant messaging applications
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-10-01. DOI: 10.1016/j.fsidi.2024.301812
Hyomin Yang , Junho Kim , Jungheum Park
In recent years, there has been a notable increase in the prevalence of cybercrimes related to video content, including the distribution of illegal videos and the sharing of copyrighted material. This has led to the growing importance of identifying the source of video files to trace the owner of the files involved in the incident or identify the distributor. Previous research has concentrated on revealing the device (brand and/or model) that “originally” created a video file. This has been achieved by analysing the pattern noise generated by the image sensor in the camera, the storage structural features of the file, and the metadata patterns. However, due to the widespread use of mobile environments, instant messaging applications (IMAs) such as Telegram and Wire have been utilized to share illegal videos, which can result in the loss of information from the original file due to re-encoding at the application level, depending on the transmission settings. Consequently, it is necessary to extend the scope of existing research to identify the various applications that are capable of re-encoding video files in transit. Furthermore, it is essential to determine whether there are features that can be leveraged to distinguish them from the source identification perspective. In this paper, we propose a machine learning-based methodology for classifying the source application by extracting various features stored in the storage format and internal metadata of video files. To conduct this study, we analyzed 16 IMAs that are widely used in mobile environments and generated a total of 1974 sample videos, taking into account both the transmission options and encoding settings offered by each IMA. The training and testing results on this dataset indicate that the ExtraTrees model achieved an identification accuracy of approximately 99.96%. Furthermore, we developed a proof-of-concept tool based on the proposed method, which extracts the suggested features from videos and queries a pre-trained model. This tool is released as open-source software for the community.
Forensic Science International: Digital Investigation, Volume 50, Article 301812.
Citations: 0
Welcome to the proceedings of the Fourth Annual DFRWS APAC Conference 2024!
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-10-01. DOI: 10.1016/j.fsidi.2024.301819
Raymond Chan
Forensic Science International: Digital Investigation, Volume 50, Article 301819. (No abstract.)
Citations: 0
Do You “Relay” Want to Give Me Away? – Forensic Cues of Smart Relays and Their IoT Companion Apps
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-10-01. DOI: 10.1016/j.fsidi.2024.301810
Maximilian Eichhorn, Gaston Pugliese
As IoT devices become more prevalent in everyday environments, their relevance to digital investigations increases. The product class of “smart relays”, which are connected to the low-voltage grid and usually installed in sockets behind walls, has not yet received much attention in the context of smart home forensics. To close a category-specific gap in the device forensics literature, we conducted a multi-device analysis of 16 smart relays from 9 manufacturers, which support six different companion apps in total. Our examination shows that forensic artifacts can be found locally on the smart relays and in the companion app data, as well as remotely on cloud servers of the vendors. Based on our findings, we developed a Python framework to extract forensic artifacts automatically from obtained firmware dumps, from companion app data, and from captured network traffic.
Forensic Science International: Digital Investigation, Volume 50, Article 301810.
Citations: 0
Forensically analyzing IoT smart camera using MAoIDFF-IoT framework
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-09-17. DOI: 10.1016/j.fsidi.2024.301829
Yaman Salem, Mohammad M.N. Hamarsheh
IoT devices spread over a wide range of applications these days, and the vast amount of data they generate becomes a target for intruders. IoT digital forensics, which involves extracting digital evidence from the IoT device itself and/or its network traffic using a framework, is important and challenging. The challenges include the diversity of types of IoT devices, resource constraints, and users' privacy. In this article, we focus on network forensics investigations of smart camera traffic as a case study. The investigation process followed the MAoIDFF-IoT framework, a comprehensive and effective framework for IoT devices, and focused on the locations of potential Artifacts of Interest (AoI). In addition, a few scenarios in using the camera are investigated to obtain a valuable artifact. The results show that it is possible to extract a few artifacts from the captured network traffic even though the traffic is encrypted. Moreover, this research offers guidelines for digital investigators to conduct network forensics on smart camera devices, with detailed results provided.
Forensic Science International: Digital Investigation, Volume 51, Article 301829.
Citations: 0
Examining and detecting academic misconduct in written documents using revision save identifier numbers in MS Word as exemplified by multiple scenarios
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-09-10. DOI: 10.1016/j.fsidi.2024.301821
Dirk HR. Spennemann , Rudolf J. Spennemann , Clare L. Singh
Deliberate academic misconduct by students often relies on the use of segments of externally authored text, generated either by commercial contract authoring services or by generative artificial intelligence language models. While revision save identifier (rsid) numbers in Microsoft Word files are associated with edit and save actions of a document, MS Word does not adhere to the ECMA specifications for the Office Open XML. Existing literature shows that digital forensics using rsid requires access to multiple document versions or the user's machine. In cases of academic misconduct allegations, usually only the submitted files are available for digital forensic examination, coupled with assertions by the alleged perpetrators about the document generation and editing process. This paper represents a detailed exploratory study that provides educators and digital forensic scientists with tools to examine a single document for the veracity of various commonly asserted scenarios of document generation and editing. It is based on a series of experiments that ascertained whether and how common edit and document generation actions, such as copy, paste, and insertion of blocks of text from other documents, leave tell-tale traces in the rsid encoding that is embedded in all MS Word documents. While digital forensics can illuminate document generation processes, the actions that led to these may have innocuous explanations. In consequence, this paper also provides academic misconduct investigators with a set of prompts to guide the interview with alleged perpetrators to glean the information required for cross-correlation with observations based on the rsid data.
Forensic Science International: Digital Investigation, Volume 51, Article 301821. Open access PDF: https://www.sciencedirect.com/science/article/pii/S2666281724001458/pdfft?md5=1c46f6d9d5928150f3f10e0b2c0b28f0&pid=1-s2.0-S2666281724001458-main.pdf
Citations: 0
Forensic analysis and data decryption of Tencent Meeting in Windows environment
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-08-28. DOI: 10.1016/j.fsidi.2024.301818
Soojin Kang , Uk Hur , Giyoon Kim , Jongsung Kim

Video conferencing applications have become ubiquitous in the post-COVID-19 era. Remote meetings, briefing sessions, and lectures are gradually becoming part of our culture. Thus, the amount of user data that video conferencing applications collect and manage has increased, and such data can be used as digital evidence. In this study, we analyzed Tencent Meeting, the most widely used video conferencing application in China, to identify the data stored on the user's disk by the application. Tencent Meeting stores user information and the chat history during a video conference on local storage. We found that Tencent Meeting suffers from a vulnerability in the process of encrypting and storing the user data, which can be exploited by anyone who can access and decrypt the user's data. We expect our findings to help digital forensics investigators conduct efficient investigations when applications are used for malicious purposes.

Citations: 0
Navigating the digital labyrinth: Forensics in the age of AI
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2024-08-28 DOI: 10.1016/j.fsidi.2024.301820
Citations: 0
Copyright © 2023 Book学术 All rights reserved.