
Latest articles in Forensic Science International: Digital Investigation

Forensic analysis of OpenAI's ChatGPT mobile application
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-10 | DOI: 10.1016/j.fsidi.2024.301801
Evangelos Dragonas, Costas Lambrinoudakis, Panagiotis Nakoutis

Since its public launch, OpenAI's ChatGPT has achieved significant success, attracting millions of users within the first few months of its release. Although numerous similar applications have emerged, none have yet matched the success of OpenAI's ChatGPT. Last year, OpenAI released the ChatGPT mobile app. This application serves a broad range of uses, some of which may be malicious, and, unfortunately, it has not yet been parsed by either commercial or open-source tools. Nevertheless, the data stored by this application, such as JSON files that store a user's conversations with ChatGPT, can be instrumental in attributing user actions, discerning perpetrators' knowledge and motivations, and resolving practical investigations. In this paper, OpenAI's ChatGPT mobile application is examined on both Android and iOS operating systems, focusing on potential evidentiary data within. The cloud-native data associated with the app, which can be retrieved through user data export requests, are also investigated. The primary objective of this study is to discover artifacts that investigators can use in real-world cases involving this mobile app. Additionally, the authors have contributed to FOSS to support professionals in this field.

Forensic Science International: Digital Investigation, volume 50, Article 301801.
Citations: 0
Leveraging metadata in social media forensic investigations: Unravelling digital clues - A survey study
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-08 | DOI: 10.1016/j.fsidi.2024.301798
Akarshan Suryal

This survey study explores the pivotal role of metadata in forensic investigations within the realm of social media. Investigating digital clues embedded in metadata unveils a wealth of information crucial for understanding the authenticity and origin of online content. This study delves into the technical intricacies of metadata extraction, shedding light on its potential in verifying the chronology, geolocation, and user interactions on social platforms. By leveraging metadata, forensic experts can unravel the intricate web of digital footprints, enhancing the accuracy and efficiency of social media investigations. The findings of this study contribute to the evolving landscape of digital forensic techniques, addressing contemporary challenges in online information scrutiny.

Forensic Science International: Digital Investigation, volume 50, Article 301798.
Citations: 0
Letter to Editor regarding article, “Grand theft API: A forensic analysis of vehicle cloud data”
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-06 | DOI: 10.1016/j.fsidi.2024.301800
Nishchal Soni
Forensic Science International: Digital Investigation, volume 50, Article 301800.
Citations: 0
Key extraction-based lawful access to encrypted data: Taxonomy and survey
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-05 | DOI: 10.1016/j.fsidi.2024.301796
Christian Lindenmeier, Andreas Hammer, Jan Gruber, Jonas Röckl, Felix Freiling

The rise of end-to-end encryption has enabled end-users to protect their data to a point that classical techniques of lawful access (seizure of devices, wiretaps) are futile. While there is a heated discussion about regulating the access primitive to end-user devices for law enforcement, little attention is given to the technical design of how evidence should be collected. This is especially critical during remote surveillance, as law enforcement may have unrestricted access to end-user devices over longer periods of time. In this paper, we propose the novel category of key extraction-based lawful interception (KEX-LI), meaning that instead of directly accessing plaintext data, law enforcement only extracts the necessary key material from end-user devices, thus minimizing the requirements of data extraction on end-user devices. When subsequently collecting encrypted data (e.g., via wiretapping), law enforcement can use these keys for decryption. We structure and survey the state-of-the-art of key extraction techniques, thus embedding KEX-LI in the broader context of device forensics. Furthermore, we describe specific requirements for a practical solution to conduct KEX-LI and evaluate currently available technical implementations. Our results are intended to help practitioners select the most suitable techniques as well as to identify research gaps.

Forensic Science International: Digital Investigation, volume 50, Article 301796. PDF: https://www.sciencedirect.com/science/article/pii/S2666281724001203/pdfft?md5=77c3dcb49bff2636a03dd9fc94b62337&pid=1-s2.0-S2666281724001203-main.pdf
Citations: 0
A Formal Concept Analysis approach to hierarchical description of malware threats
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-04 | DOI: 10.1016/j.fsidi.2024.301797
Manuel Ojeda-Hernández, Domingo López-Rodríguez, Ángel Mora

The problem of intelligent malware detection has become increasingly relevant in the industry, as there has been an explosion in the diversity of threats and attacks that affect not only small users, but also large organisations and governments. One of the problems in this field is the lack of homogenisation or standardisation in the nomenclature used by different antivirus programs for different malware threats. The lack of a clear definition of what a category is and how it relates to individual threats makes it difficult to share data and extract common information from multiple antivirus programs. Therefore, efforts to create a common naming convention and hierarchy for malware are important to improve collaboration and information sharing in this field.

Our approach uses as a tool the methods of Formal Concept Analysis (FCA) to model and attempt to solve this problem. FCA is an algebraic framework able to discover useful knowledge in the form of a concept lattice and implications relating to the detection and diagnosis of suspicious files and threats. The knowledge extracted using this mathematical tool illustrates how formal methods can help prevent new threats and attacks. We will show the results of applying the proposed methodology to the identification of hierarchical relationships between malware.

Forensic Science International: Digital Investigation, volume 50, Article 301797. PDF: https://www.sciencedirect.com/science/article/pii/S2666281724001215/pdfft?md5=697d14b6aecc4eca8d00c3562237fedd&pid=1-s2.0-S2666281724001215-main.pdf
Citations: 0
On enhancing memory forensics with FAME: Framework for advanced monitoring and execution
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-01 | DOI: 10.1016/j.fsidi.2024.301757
Taha Gharaibeh, Ibrahim Baggili, Anas Mahmoud

Memory Forensics (MF) is an essential aspect of digital investigations, but practitioners often face time-consuming challenges when using popular tools like the Volatility Framework (VF). VF, a widely adopted Python-based memory forensics tool, presents difficulties for practitioners due to its slow performance. Thus, in this study, we evaluated methods to accelerate VF without modifying its code by testing four alternative Python Just In Time (JIT) interpreters (CPython, Pyston, PyPy, and Pyjion), using CPython as our baseline. Tests were conducted on 14 memory samples, totaling 173 GB, using a search-intensive VF plugin for Windows hosts. Employing our custom Framework for Advanced Monitoring and Execution (FAME), we deployed interpreters in Docker containers and monitored their real-time performance. A statistically significant difference was observed between the Python JIT interpreters and the standard interpreter. PyPy emerged as the best interpreter, yielding a 15–20 % performance increase compared to the standard interpreter. Implementing PyPy has the potential to save significant time (many hours) when processing substantial memory samples. FAME enhances the efficiency of deploying and monitoring robust forensic tool testing, fostering reproducible research and yielding reliable results in both MF and the broader field of digital forensics.

Forensic Science International: Digital Investigation, volume 49, Article 301757. PDF: https://www.sciencedirect.com/science/article/pii/S2666281724000763/pdfft?md5=1f7f0db390ef407e9290e4cf098b3028&pid=1-s2.0-S2666281724000763-main.pdf
Citations: 0
volGPT: Evaluation on triaging ransomware process in memory forensics with Large Language Model
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-01 | DOI: 10.1016/j.fsidi.2024.301756
Dong Bin Oh, Donghyun Kim, Donghyun Kim, Huy Kang Kim

In the face of the harm that ransomware can inflict upon users’ computers, the imperative to efficiently and accurately triage its processes within memory forensics becomes increasingly crucial. However, ransomware perpetrators employ sophisticated techniques, such as process masquerading, to evade detection and analysis. In response to these challenges, we propose a novel ransomware triage method leveraging a Large Language Model (LLM) in conjunction with the Volatility framework, the de-facto standard in memory forensics. We conducted experiments on memory dumps infected by five different ransomware families, utilizing LLM-based approaches. Through extensive experiments, our method named volGPT demonstrated high accuracy in identifying ransomware-related processes within memory dumps. Additionally, our approach exhibited greater efficiency and provided more comprehensive explanations during ransomware triage than other state-of-the-art methods.

Forensic Science International: Digital Investigation, volume 49, Article 301756. PDF: https://www.sciencedirect.com/science/article/pii/S2666281724000751/pdfft?md5=1146cd1fa02f1199396b49faab24db03&pid=1-s2.0-S2666281724000751-main.pdf
Citations: 0
A step in a new direction: NVIDIA GPU kernel driver memory forensics
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-01 | DOI: 10.1016/j.fsidi.2024.301760
Christopher J. Bowen, Andrew Case, Ibrahim Baggili, Golden G. Richard III

In the ever-expanding landscape of computation, graphics processing units have become one of the most essential types of devices for personal and commercial needs. Nearly all modern computers have one or more dedicated GPUs due to advancements in artificial intelligence, high-performance computing, 3D graphics rendering, and the growing demand for enhanced gaming experiences. As the GPU industry continues to grow, forensic investigations will need to incorporate these devices, given that they have large amounts of VRAM and computing power and are used to process highly sensitive data. Past research has also shown that malware can hide its payloads within these devices, out of the view of traditional memory forensics. While memory forensics research aims to address the critical threat of memory-only malware, no current work focuses on video memory malware and the malicious use of the GPU. Our work investigates the largest GPU manufacturer, NVIDIA, by examining the newly released open-source GPU kernel modules to support the creation of forensic tools. We extend our impact by creating symbol mappings between open- and closed-source NVIDIA software, which enables researchers to develop tools for both “flavors” of software. We specifically focus our research on artifacts found in RAM, providing the foundational methods to detect and map NVIDIA Object Compiler Structures for forensic investigations. As part of our analysis and evaluation, we examined the open- and closed-source kernel modules by collecting structure sizes and class IDs to understand their similarities and differences. A standalone tool, NVSYMMAP, and Volatility plugins were created on this foundation to automate this process and provide forensic investigators with knowledge of processes that utilized the GPU.

Forensic Science International: Digital Investigation, volume 49, Article 301760. PDF: https://www.sciencedirect.com/science/article/pii/S2666281724000799/pdfft?md5=1b4ae87eaf8d79a9cfad984d68ffa72b&pid=1-s2.0-S2666281724000799-main.pdf
Citations: 0
In the time loop: Data remanence in main memory of virtual machines
IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-01 | DOI: 10.1016/j.fsidi.2024.301758
Ella Savchenko, Jenny Ottmann, Felix Freiling

Data remanence in the physical memory of computers, i.e., the fact that data remains temporarily in memory even after power is cut, is a well-known issue which can be exploited for recovering cryptographic keys and other data in forensic investigations. Since virtual machines in many aspects mimic their physical counterparts, we investigate whether data remanence is also observable in virtual machines. Using KVM as an example of virtualization technology, we experimentally show that it is common for a substantial amount of volatile data to remain in the memory of virtual machines after a reboot. In digital forensic analysis scenarios such as malware analysis using virtual machines, our observations imply high risks of evidence contamination if no precautions are taken. So while the symptoms of data remanence in virtual machines are similar to physical machines, the implications for digital forensic analysis appear very different.

Citations: 0
TLS key material identification and extraction in memory: Current state and future challenges
IF 2, Zone 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-07-01. DOI: 10.1016/j.fsidi.2024.301766
Daniel Baier, Alexander Basse, Jan-Niclas Hilgert, Martin Lambertz

Memory forensics is a crucial part of digital forensics as it can be used to extract valuable information such as running processes, network connections, and encryption keys from memory. The last is especially important when considering the widely used Transport Layer Security (TLS) protocol used to secure internet communication, thus hampering network traffic analysis. Particularly in the context of cybercrime investigations (such as malware analysis), it is therefore paramount for investigators to decrypt TLS traffic. This can provide vital insights into the methods and strategies employed by attackers. For this purpose, it is first and foremost necessary to identify and extract the corresponding TLS key material in memory.

In this paper, we systematize and evaluate the current state of techniques, tools, and methodologies for identifying and extracting TLS key material in memory. We consider solutions from academia but also identify innovative and promising approaches used “in the wild” that are not considered by the academic literature. Furthermore, we identify the open research challenges and opportunities for future research in this domain. Our work provides a profound foundation for future research in this crucial area.
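One of the "in the wild" approaches the abstract alludes to is to treat the captured traffic itself as the oracle: slide a window over a memory image and accept a candidate master secret only if keys derived from it authenticate a record from the capture. The Go program below is an added example for this page, not code from the paper or from any of the tools it surveys. It assumes TLS 1.2 with an AES_128_GCM_SHA256 cipher suite, that the investigator has the client_random, server_random and at least one application-data record (with its sequence number) from the packet capture, and that the memory image is a flat byte buffer; the 8 KiB "heap" and the captured record are constructed inline so it runs offline. It emits a Wireshark/NSS key-log line for a recovered secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// prf is the TLS 1.2 PRF (RFC 5246 §5) with P_SHA256: A(0)=label||seed, A(i)=HMAC(secret, A(i-1)).
func prf(secret []byte, label string, seed []byte, n int) []byte {
	labelSeed := append([]byte(label), seed...)
	a, out := labelSeed, make([]byte, 0, n)
	for len(out) < n {
		h := hmac.New(sha256.New, secret)
		h.Write(a)
		a = h.Sum(nil) // A(i)
		h = hmac.New(sha256.New, secret)
		h.Write(a)
		h.Write(labelSeed)
		out = append(out, h.Sum(nil)...) // HMAC(secret, A(i) || label || seed)
	}
	return out[:n]
}

type writeKeys struct{ key, fixedIV []byte }

// deriveKeys expands a master secret into the AES_128_GCM key block (RFC 5246 §6.3, RFC 5288).
func deriveKeys(master, clientRandom, serverRandom []byte) (client, server writeKeys) {
	seed := append(append([]byte{}, serverRandom...), clientRandom...)
	kb := prf(master, "key expansion", seed, 40) // client key(16) server key(16) client IV(4) server IV(4)
	return writeKeys{kb[0:16], kb[32:36]}, writeKeys{kb[16:32], kb[36:40]}
}

// aad builds the AEAD additional data: seq_num(8) || type(1) || version(2) || plaintext length(2).
func aad(seq uint64, hdr []byte, plainLen int) []byte {
	ad := make([]byte, 13)
	binary.BigEndian.PutUint64(ad[0:8], seq)
	copy(ad[8:11], hdr[0:3])
	binary.BigEndian.PutUint16(ad[11:13], uint16(plainLen))
	return ad
}

// openRecord decrypts header(5) || explicit_nonce(8) || ciphertext || tag(16); any wrong key,
// sequence number or header fails GCM authentication, which is what validates a candidate.
func openRecord(wk writeKeys, seq uint64, record []byte) ([]byte, bool) {
	if len(record) < 5+8+16 {
		return nil, false
	}
	block, _ := aes.NewCipher(wk.key) // 16-byte key, cannot fail
	aead, _ := cipher.NewGCM(block)
	body := record[5:]
	nonce := append(append([]byte{}, wk.fixedIV...), body[:8]...)
	pt, err := aead.Open(nil, nonce, body[8:], aad(seq, record, len(body)-8-aead.Overhead()))
	return pt, err == nil
}

// sealRecord is the sender side; it exists only to build the constructed capture.
func sealRecord(wk writeKeys, seq uint64, typ byte, plaintext []byte) []byte {
	block, _ := aes.NewCipher(wk.key)
	aead, _ := cipher.NewGCM(block)
	hdr, nonce := []byte{typ, 0x03, 0x03, 0, 0}, make([]byte, 12)
	copy(nonce, wk.fixedIV)
	binary.BigEndian.PutUint64(nonce[4:], seq) // explicit nonce = sequence number
	ct := aead.Seal(nil, nonce, plaintext, aad(seq, hdr, len(plaintext)))
	binary.BigEndian.PutUint16(hdr[3:5], uint16(8+len(ct)))
	return append(append(hdr, nonce[4:]...), ct...)
}

// scanMasterSecret slides a 48-byte window over a memory image and returns the offset of the
// first candidate that authenticates the captured record (either direction) plus a key-log line.
func scanMasterSecret(mem, clientRandom, serverRandom, record []byte, seq uint64) (int, string, bool) {
	for off := 0; off+48 <= len(mem); off++ {
		cand := mem[off : off+48]
		client, server := deriveKeys(cand, clientRandom, serverRandom)
		for _, wk := range []writeKeys{client, server} {
			if _, ok := openRecord(wk, seq, record); ok {
				return off, fmt.Sprintf("CLIENT_RANDOM %x %x", clientRandom, cand), true
			}
		}
	}
	return -1, "", false
}

// sampleCase is constructed data: an 8 KiB fake heap whose bytes at offset 4120 play the
// master secret, the two handshake randoms, and one client-to-server application-data record.
func sampleCase() (mem, clientRandom, serverRandom, record []byte, offset int) {
	r := rand.New(rand.NewSource(42)) // deterministic filler, not secure randomness
	clientRandom, serverRandom, mem, offset = make([]byte, 32), make([]byte, 32), make([]byte, 8192), 4120
	for _, b := range [][]byte{clientRandom, serverRandom, mem} {
		r.Read(b)
	}
	client, _ := deriveKeys(mem[offset:offset+48], clientRandom, serverRandom)
	record = sealRecord(client, 1, 0x17, []byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
	return
}
```

The `CLIENT_RANDOM <client_random> <master_secret>` line can be written to a file and loaded into Wireshark as the (Pre)-Master-Secret log to decrypt the whole session. A byte-granular scan of a multi-gigabyte dump is too slow to run blind; in practice the window is first narrowed by alignment, entropy, or proximity to a copy of the client_random, and the AEAD check is used as the final confirmation. TLS 1.3 uses per-direction traffic secrets and different key-log labels, so this particular validation does not carry over unchanged.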

Citations: 0