
Latest articles in Forensic Science International-Digital Investigation

Advanced forensic recovery of deleted file data in F2FS
IF 2.2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. DOI: 10.1016/j.fsidi.2025.301976. Volume 54, Article 301976.
Junghoon Oh, Hyunuk Hwang
Flash-Friendly File System (F2FS) is a file system optimized for flash memory-based storage devices and is used in a wide range of devices including Android smartphones, drones, in-vehicle infotainment systems and embedded devices. Therefore, from a digital forensic perspective, a recovery technology for deleted file data in F2FS is needed. However, as far as research on deleted data recovery from F2FS is concerned, only basic research has been conducted on deleted data recovery from F2FS, and no specific recovery algorithms have been published. Even in the case of tools that support deleted file data recovery from F2FS, a significant proportion of deleted file data could not be recovered in tests, which limits their usefulness in real-world digital forensic investigations. Therefore, this paper proposes a deleted file data recovery algorithm based on file system metadata carving and virtual address table creation to overcome the limitations of existing research and tools. The proposed recovery algorithm is implemented as a recovery tool and used for performance evaluation with existing forensic and data recovery tools. The performance evaluation results proved the superiority of the recovery algorithm, with the proposed algorithm showing superior recovery performance compared to existing tools.
Citations: 0
From sync to seizure: A binary instrumentation-based evaluation of the iCloud backup process
IF 2.2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-10-01. DOI: 10.1016/j.fsidi.2025.301978. Volume 54, Article 301978.
Julian Geus, Jan Gruber, Jonas Wozar, Felix Freiling
Mobile phone data is crucial for gathering investigative leads and solving cases in most criminal investigations. An increasingly common method for collecting mobile data as evidence is acquiring phone backups stored in manufacturer cloud services. However, the reliability of this evidence source compared to the original device has yet to be thoroughly assessed. In this work, we investigate the accuracy and completeness of iOS backups stored in iCloud. We propose a novel evaluation methodology based on dynamic binary instrumentation, enabling precise tracking of backup contents during the restore process. Using this approach, we compare a full file system extraction and a local backup of an iOS device to a backup downloaded from iCloud and restored on a test device. Our analysis reveals significant discrepancies in timestamp information and minor differences in user data—both critical considerations when analyzing iOS backups in criminal investigations.
Citations: 0
Drone forensics in law enforcement: Assessing utilisation, challenges, and emerging necessities
IF 2.2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-09-29. DOI: 10.1016/j.fsidi.2025.302003. Volume 55, Article 302003.
Ranul Deelaka Thantilage , Gerry Buttner , Ray Genoe
The proliferation of drone technology has introduced new challenges and opportunities for law enforcement, necessitating the development of drone forensics as a specialised field within digital forensics. This survey paper explores the critical role of drone forensics in modern policing, focusing on its applications in investigating crimes involving unmanned aerial vehicles (UAVs) and addressing emerging security threats. This paper examines the tools, data extraction methods, and operational practices employed in drone forensic investigations, with particular attention to cases of unauthorised surveillance, smuggling, and cyber-attacks. Furthermore, this study discusses the technical, legal, and ethical challenges associated with drone forensics, including encryption, anti-forensic techniques, proprietary software, and privacy concerns. Through a synthesis of current practices, technological advancements, and relevant case studies, this survey provides insights into the effectiveness, limitations, and evolving needs of drone forensics. Recommendations are offered to enhance law enforcement capabilities, emphasising the importance of continuous training, standardised protocols, and collaboration across agencies. This survey paper aims to support policymakers, law enforcement agencies, and forensic practitioners in integrating drone forensics as a versatile and effective approach for safeguarding public safety and ensuring justice in an increasingly drone-integrated world.
Citations: 0
An effective automotive forensic technique utilizing various logs of Android-based In-vehicle infotainment systems
IF 2.2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-09-01. DOI: 10.1016/j.fsidi.2025.301990. Volume 55, Article 301990.
Sunjae Kim , Jeehun Jung , Haein Kang , Yejin Yoon , Seong-je Cho , Minkyu Park , Sangchul Han
Android-based In-vehicle infotainment (IVI) systems generate log messages containing valuable forensic artifacts from interactions with internal or external devices. These log messages can help in vehicle accidents or criminal investigations; however, there is limited knowledge of the stored information and the methods of accessing them. In addition, digital forensic analysis of the Android-based IVI systems is not supported by the popular forensic tool, Berla's iVe. To address this, we first acquire multiple types of logs from three Jellybean-based systems (2017-2019) and two KitKat-based IVI systems (2022-2023) using a practical and non-invasive method, and then perform a comprehensive and comparative analysis of the logging mechanisms in the IVI systems. We then examine volatile and nonvolatile log data acquired from the IVI systems from the perspective of vehicle forensics. Jellybean-based systems maintain seven ring buffers for volatile logs, while KitKat-based systems use five. Volatile logs are erased when the system is powered off. Both versions of the Android systems store nonvolatile log files of seven different types, with data retained for up to a year. We conducted a thorough analysis of the acquired logs, uncovering artifacts related to navigation use, radio listening, engine start/stop, door access, seat belt use, and Bluetooth connections, including phone calls and SMS messages. In addition, we compare the artifacts identified within those IVI systems. Finally, our analysis creates a timeline to track driver behavior, and provides critical insights into driver actions and vehicle events.
Citations: 0
Research on smartphone image source identification based on PRNU features collected multivariate sampling strategy
IF 2.2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-08-26. DOI: 10.1016/j.fsidi.2025.301991. Volume 54, Article 301991.
Fu-Yuan Liang, Shu-Hui Gao, Liang-Ju Xu
Photo Response Non-Uniformity (PRNU)-based image source attribution is one of the core methods for identifying the imaging device of a given picture, and has significant applications in the field of digital media forensics. However, with the increasing complexity of smartphone imaging systems, PRNU features extracted from smartphone images exhibit greater instability compared to those from traditional cameras. This instability can lead to performance degradation in conventional single-sample extraction strategies when applied to smartphone image source attribution. To address this challenge, this paper proposes a robust multi-sample enhancement scheme. To verify its generalizability, we employ both a non–data-driven wavelet-domain decomposition algorithm and a deep U-shaped residual neural network (DRUNet) as noise extractors, and conduct experiments on the FODB dataset. Experimental results demonstrate that the proposed multi-sample framework exhibits superior performance in improving feature stability, providing a new technical pathway for digital image source attribution in smart terminal devices. Furthermore, we perform PCE distribution statistics on positive and negative samples in the dataset and quantitatively analyze the regional instability of PRNU features.
Citations: 0
Tool type identification for forensic digital document examination
IF 2.2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-08-04. DOI: 10.1016/j.fsidi.2025.301972. Volume 54, Article 301972.
Muhammad Abdul Moiz Zia, Oluwasola Mary Adedayo
Digital documents have become a significant part of our everyday lives. From identity documents to various legal agreements and business communications, the ability to determine the authenticity and origin of different types of documents is incredibly important. In the physical domain, this need is addressed by forensic document examiners. Although many of the analysis methods used in the physical domain do not apply in the digital realm, the forensic analysis processes in both realms still address similar objectives. In this paper, we focus on the objective of identifying the tool that created a digital document to support answering questions about the origin of a document. In contrast to many existing works on the forensic analysis of digital documents which focus on file type identification, this paper focuses on identifying the tool that is used to create a document. This is particularly relevant for forensic digital document examination (FDDE). The paper explores the use of different machine learning algorithms to analyze PDF documents to determine the tool that created the document. Given that traditional methods for digital document analysis often rely on metadata and visible content that can be tampered with, we used a structural analysis approach that builds on methods that have previously been used for file type identification. We explored the use of byte histograms and entropy measurements in developing models capable of identifying the specific software used to create PDF documents using several machine learning models. Our results showed that Convolutional Neural Networks (CNNs) outperformed other models. In further experiments, we explored the use of the same approach to identify the version of a specific tool used to create a document and alternative ways of creating PDFs from a tool. Our results confirm the feasibility of this approach for digital document tool type identification with a high level of accuracy.
Citations: 0
Digital forensic approaches to Intel and AMD firmware RAID systems
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2025-07-07. DOI: 10.1016/j.fsidi.2025.301971. Volume 54, Article 301971.
Woosung Yun , Jeuk Kang , Sangjin Lee, Jungheum Park
In recent years, as the amount of data that individuals deal with has increased, CPU manufacturers (Intel and AMD) have developed RAID systems that are readily available on desktop PCs. This is referred to as firmware RAID. In contrast to RAID systems on servers and network-attached storage (NAS) devices, which require a relatively complex configuration process, firmware RAID is relatively straightforward and easy to set up via the basic input/output system (BIOS). Intel supports this technology on the majority of its motherboards, with the exception of a few minor models released since 2020, under the name of Intel Rapid Storage Technology (IRST). Similarly, AMD has provided this technology on all motherboard chipsets released since 2017 under the name of RAIDXpert. From the perspective of digital forensics, a disk with a firmware RAID is recognized by the operating system as a single physical disk and is typically connected to the motherboard without any additional devices. Consequently, during a digital forensics investigation, investigators barely recognize its application, and, as a result, a significant amount of data could be omitted without intention, or could be lost through simple anti-forensic behavior by a malicious user. At present, there are no publicly available techniques for identifying or reconstructing disks in a firmware RAID system, despite the fact that this system is available on nearly every desktop PC. In this paper, we present an analysis of the operational patterns and structures of firmware RAID supported by Intel and AMD. Our approach has led to the development of X-raid, a digital forensic tool capable of identifying firmware-based volumes within a system and reconstructing normal or deleted virtual disks. Furthermore, we propose a methodological digital forensic framework for investigating computer systems with considerations of firmware RAID.
Citations: 0
Exploiting database storage for data exfiltration
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301934
James Wagner, Alexander Rasin, Vassil Roussev
Steganography is a technique for hiding messages in plain sight, typically by embedding the message within commonly shared files (e.g., images or video) or within file system slack space. Database management systems (DBMSes) are the de facto centralized data repositories for both personal and business use. As ubiquitous repositories that already offer shared data access to many different users, DBMSes have the potential to be a powerful channel for discreetly delivering messages through steganography.
In this paper we present a method, Hidden Database Records (HiDR), that adapts steganography techniques to all relational row-store DBMSes. HiDR is particularly effective for hiding data within a DBMS because it adds data to the database state without leaving an audit trail in the DBMS (i.e., without executing SQL commands that may be logged and traced to the sender). While sending a message in this way requires administrative privileges from the sender, it also gives the sender much more control, allowing the original message to be erased just as easily as it was created. We demonstrate how HiDR keeps data from being unintentionally discovered while at the same time making that data easy to access using SQL queries from a non-privileged account.
Citations: 0
Uncovering Linux desktop espionage
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301921
Lukas Schmidt, Sebastian Strasda, Sebastian Schinzel
The increasing adoption of Linux-based desktop systems in various sectors, including critical infrastructures and personal use, has made them an attractive target for Advanced Persistent Threat (APT) groups and state actors. Yet, the espionage capabilities of Linux desktop malware and the forensic strategies for uncovering them remain largely unexamined. This paper addresses this gap by analyzing ten malware families that target the Linux desktop environment, studying the utilized espionage techniques, and introducing novel approaches to detect them using memory forensics.
Facing the multitude of espionage attack implementations that result from the diverse Linux desktop ecosystem, we propose to reduce the complexity of memory forensic investigations by focusing on the analysis of targeted core services. We evaluate our approach by implementing proof-of-concept Volatility plugins for identifying keylogging, screen-capturing, and camera and microphone recording malware, and prove their effectiveness by performing forensic analyses of real-world espionage techniques that were utilized during APT campaigns. Our evaluation shows that memory forensics is effective in uncovering Linux espionage attacks, and we are confident that our study provides valuable insights for future research and practical analysis of these threats.
Citations: 0
DFRWS EU 2026 Sweden
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/S2666-2817(25)00103-9
Citations: 0