Pub Date: 2025-10-01. Epub Date: 2025-11-03. DOI: 10.1016/j.fsidi.2025.301976
Junghoon Oh, Hyunuk Hwang
Flash-Friendly File System (F2FS) is a file system optimized for flash memory-based storage devices and is used in a wide range of devices, including Android smartphones, drones, in-vehicle infotainment systems and embedded devices. From a digital forensic perspective, a recovery technique for deleted file data in F2FS is therefore needed. However, research on deleted data recovery from F2FS has so far been limited to basic studies, and no specific recovery algorithms have been published. Even tools that support deleted file data recovery from F2FS failed to recover a significant proportion of deleted file data in tests, which limits their usefulness in real-world digital forensic investigations. This paper therefore proposes a deleted file data recovery algorithm based on file system metadata carving and virtual address table creation to overcome the limitations of existing research and tools. The proposed recovery algorithm is implemented as a recovery tool and its performance is evaluated against existing forensic and data recovery tools. The evaluation results demonstrated the superiority of the proposed algorithm, which showed better recovery performance than the existing tools.
Published as: "Advanced forensic recovery of deleted file data in F2FS", Forensic Science International: Digital Investigation, vol. 54, Article 301976 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-08-04. DOI: 10.1016/j.fsidi.2025.301972
Muhammad Abdul Moiz Zia, Oluwasola Mary Adedayo
Digital documents have become a significant part of our everyday lives. From identity documents to various legal agreements and business communications, the ability to determine the authenticity and origin of different types of documents is incredibly important. In the physical domain, this need is addressed by forensic document examiners. Although many of the analysis methods used in the physical domain do not apply in the digital realm, the forensic analysis processes in both realms still address similar objectives. In this paper, we focus on the objective of identifying the tool that created a digital document, to support answering questions about the origin of a document. In contrast to many existing works on the forensic analysis of digital documents, which focus on file type identification, this paper focuses on identifying the tool that was used to create a document. This is particularly relevant for forensic digital document examination (FDDE). The paper explores the use of different machine learning algorithms to analyze PDF documents and determine the tool that created the document. Given that traditional methods for digital document analysis often rely on metadata and visible content that can be tampered with, we used a structural analysis approach that builds on methods previously used for file type identification. We explored the use of byte histograms and entropy measurements as features for several machine learning models capable of identifying the specific software used to create PDF documents. Our results showed that Convolutional Neural Networks (CNNs) outperformed the other models. In further experiments, we explored the use of the same approach to identify the version of a specific tool used to create a document and alternative ways of creating PDFs from a tool. Our results confirm the feasibility of this approach for digital document tool type identification with a high level of accuracy.
Published as: "Tool type identification for forensic digital document examination", Forensic Science International: Digital Investigation, vol. 54, Article 301972 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-05-28. DOI: 10.1016/j.fsidi.2025.301939
Kyung-Jong Kim, Chan-Hwi Lee, So-Eun Bae, Ju-Hyun Choi, Wook Kang
The advent of digital technology and the ubiquity of mobile devices in today's society have led to a significant increase in the importance of mobile forensics in criminal investigations. Facing the escalating volume and complexity of data produced by more capable smartphones and pervasive messaging apps, law enforcement agencies struggle with data analysis. This study explores improving investigative efficiency through LLM-driven analysis of text from mobile messenger communications. We conducted experiments on anonymized data collected from real crime scenes using three state-of-the-art LLMs, namely GPT-4o, Gemini 1.5 and Claude 3.5. The study focuses on optimizing model performance through prompt engineering, interpreting expressions with hidden meanings such as slang, and contextually inferring ambiguous word usage. Finally, model performance is quantitatively evaluated using metrics such as precision, recall, F1 score, and hallucination rate.
Published as: "Digital forensics in law enforcement: A case study of LLM-driven evidence analysis", Forensic Science International: Digital Investigation, vol. 54, Article 301939 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-06-17. DOI: 10.1016/j.fsidi.2025.301949
Dingjie Shang, Amin Sakzad, Stuart W. Hall
The forensic analysis of Android devices is challenging because applications and the operating system generate thumbnails automatically, which complicates attribution to specific user actions. This paper presents the design, implementation, and evaluation of a forensic framework, Thumb, which performs real-time experiments on physical Android devices. Thumb integrates multimodal large language models (MLLMs) and Optical Character Recognition (OCR) to capture on-screen information and simulate user interactions, while extracting data from internal storage to monitor changes in cached and thumbnail files. A proof-of-concept implementation demonstrates the framework's accuracy across various applications, highlighting its potential to simplify Android forensic analysis. However, current MLLM limitations and the framework's structure pose challenges in complex scenarios and detailed data analysis.
Published as: "Thumb: A forensic automation framework leveraging MLLMs and OCR on Android device", Forensic Science International: Digital Investigation, vol. 54, Article 301949 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-07-07. DOI: 10.1016/j.fsidi.2025.301971
Woosung Yun, Jeuk Kang, Sangjin Lee, Jungheum Park
In recent years, as the amount of data that individuals deal with has increased, CPU manufacturers (Intel and AMD) have developed RAID systems that are readily available on desktop PCs. This is referred to as firmware RAID. In contrast to RAID systems on servers and network-attached storage (NAS) devices, which require a relatively complex configuration process, firmware RAID is relatively straightforward and easy to set up via the basic input/output system (BIOS). Intel supports this technology on the majority of its motherboards released since 2020, with the exception of a few minor models, under the name Intel Rapid Storage Technology (IRST). Similarly, AMD has provided this technology on all motherboard chipsets released since 2017 under the name RAIDXpert. From the perspective of digital forensics, a firmware RAID volume is recognized by the operating system as a single physical disk and is typically connected to the motherboard without any additional devices. Consequently, during a digital forensics investigation, investigators rarely recognize that it is in use; as a result, a significant amount of data could be omitted unintentionally, or could be lost through simple anti-forensic behavior by a malicious user. At present, there are no publicly available techniques for identifying or reconstructing disks in a firmware RAID system, despite the fact that this system is available on nearly every desktop PC. In this paper, we present an analysis of the operational patterns and structures of firmware RAID supported by Intel and AMD. Our approach has led to the development of X-raid, a digital forensic tool capable of identifying firmware-based volumes within a system and reconstructing normal or deleted virtual disks. Furthermore, we propose a methodological digital forensic framework for investigating computer systems that takes firmware RAID into consideration.
Published as: "Digital forensic approaches to Intel and AMD firmware RAID systems", Forensic Science International: Digital Investigation, vol. 54, Article 301971 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-06-03. DOI: 10.1016/j.fsidi.2025.301937
Srikanth Madikeri, Petr Motlicek, Dairazalia Sanchez-Cortes, Pradeep Rangappa, Joshua Hughes, Jakub Tkaczuk, Alejandra Sanchez Lara, Driss Khalil, Johan Rohdin, Dawei Zhu, Aravind Krishnan, Dietrich Klakow, Zahra Ahmadi, Marek Kováč, Dominik Boboš, Costas Kalogiros, Andreas Alexopoulos, Denis Marraud
A criminal investigation is a labor-intensive task requiring expert knowledge from several disciplines. Because a large amount of heterogeneous data is available from several modalities (i.e., audio/speech, text, video, non-content data), processing it raises many challenges. It may become impossible for law enforcement agents to deal with large amounts of highly diverse data, especially in cross-border investigations focused on organized crime. The ROXANNE EC H2020 project developed an all-in-one investigation platform for processing such diverse data. The platform mainly focuses on analyzing lawfully intercepted telephone conversations, extended with non-content data (e.g., metadata related to the calls, time/spatial positions, and data collected from social media). Several state-of-the-art components are integrated into the pipeline, including speaker identification, automatic speech recognition, and named entity detection. From the information extracted by this pipeline, the platform builds multiple knowledge graphs that capture phone and speaker criminal network interactions, including the central network and its clans. After hands-on sessions, law enforcement agents found the Autocrime platform easy to understand and highlighted its innovative, multi-technology functionalities that streamline forensic investigations and reduce manual effort. The AI-powered platform marks a significant first step toward an open investigative tool that combines advanced speech, text, and video processing algorithms with criminal network analysis, aimed at mitigating organized crime.
Published as: "Autocrime - open multimodal platform for combating organized crime", Forensic Science International: Digital Investigation, vol. 54, Article 301937 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-06-10. DOI: 10.1016/j.fsidi.2025.301941
Gonçalo Paulino, Miguel Negrão, Miguel Frade, Patrício Domingues
With growing concerns over the security and privacy of personal conversations, end-to-end encrypted instant messaging applications have become a key focus of forensic research. This study presents a detailed methodology along with an automated Python script for decrypting and analyzing forensic artifacts from Signal Desktop for Windows. The methodology is divided into two phases: i) decryption of locally stored data and ii) analysis and documentation of forensic artifacts. To ensure data integrity, the proposed approach enables retrieval without launching Signal Desktop, preventing potential alterations. Additionally, a reporting module organizes extracted data for forensic investigators, enhancing usability. Our approach is effective in extracting and analyzing encrypted Signal artifacts, providing a reliable method for forensic investigations.
Published as: "Decrypting messages: Extracting digital evidence from Signal Desktop for Windows", Forensic Science International: Digital Investigation, vol. 54, Article 301941 (2025).
Pub Date: 2025-09-01. Epub Date: 2025-08-26. DOI: 10.1016/j.fsidi.2025.301991
Fu-Yuan Liang, Shu-Hui Gao, Liang-Ju Xu
Photo Response Non-Uniformity (PRNU)-based image source attribution is one of the core methods for identifying the imaging device that produced a given picture, and has significant applications in the field of digital media forensics. However, with the increasing complexity of smartphone imaging systems, PRNU features extracted from smartphone images are less stable than those extracted from traditional camera images. This instability can degrade the performance of conventional single-sample extraction strategies when they are applied to smartphone image source attribution. To address this challenge, this paper proposes a robust multi-sample enhancement scheme. To verify its generalizability, we employ both a non-data-driven wavelet-domain decomposition algorithm and a deep U-shaped residual neural network (DRUNet) as noise extractors, and conduct experiments on the FODB dataset. Experimental results demonstrate that the proposed multi-sample framework is superior at improving feature stability, providing a new technical pathway for digital image source attribution on smart terminal devices. Furthermore, we compute PCE distribution statistics on positive and negative samples in the dataset and quantitatively analyze the regional instability of PRNU features.
Published as: "Research on smartphone image source identification based on PRNU features collected multivariate sampling strategy", Forensic Science International: Digital Investigation, vol. 54, Article 301991 (2025).
The civilian drone market is experiencing explosive growth, with projections estimating it will reach USD 54.81 billion by 2030. This surge in drone numbers brings with it significant privacy and security challenges. To defend critical infrastructure and safeguard personal privacy from misuse, an effective drone detection system has become essential. There is a demand for a detection solution that is not only efficient and accurate but also robust, cost-effective, and scalable enough to meet the evolving needs of this rapidly expanding field. In this paper, we present DrIfTeR, a drone detection, identification and classification model based on radio frequency signals. First, we employ wavelet domain extraction and 3-stage wavelet decomposition during RF signal preprocessing. Second, we employ traditional machine learning, deep learning and ensemble learning models to evaluate effectiveness. Third, we evaluate the performance of DrIfTeR on drone detection, drone manufacturer identification and drone model identification. The approach is evaluated on a benchmark dataset and is found to be effective and accurate.
{"title":"DrIfTeR: A Drone Identification Technique using RF signals","authors":"Pankaj Choudhary , Vikas Sihag , Gaurav Choudhary , Nicola Dragoni","doi":"10.1016/j.fsidi.2025.301948","DOIUrl":"10.1016/j.fsidi.2025.301948","url":null,"abstract":"<div><div>The civilian drone market is experiencing explosive growth, with projections estimating it will hit USD 54.81 billion by 2030. This surge in drone numbers brings with it significant privacy and security challenges. To defend critical infrastructure and safeguard personal privacy from misuse, an effective drone detection system has become essential. There is a demand for detection solution that is not only efficient and accurate but also robust, cost-effective, and scalable to meet the evolving needs of this rapidly expanding field. In this paper, we present DrIfTeR, a drone detection, identification and classification model based on the radio frequency signals. Firstly we employ wavelet domain extraction and 3-stage wavelet decomposition during RF signal preprocessing. Secondly, we employ traditional machine learning, deep learning and ensemble learning models to evaluate effectiveness. Thirdly, we evaluate performance of DrIfTeR against drone detection, drone manufacturer identification and drone model identification. 
The performance of the approach is evaluated against benchmark dataset and is found to be effective and accurate.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301948"},"PeriodicalIF":2.0,"publicationDate":"2025-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144290613","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2025-07-01 Epub Date: 2025-08-01 DOI: 10.1016/j.fsidi.2025.301934
James Wagner, Alexander Rasin, Vassil Roussev
Steganography is a technique for hiding messages in plain sight – typically by embedding the message within commonly shared files (e.g., images or video) or within file system slack space. Database management systems (DBMSes) are the de facto centralized data repositories for both personal and business use. As ubiquitous repositories that already offer shared data access to many different users, DBMSes have the potential to be a powerful channel to discreetly deliver messages through steganography.
In this paper we present a method, Hidden Database Records (HiDR), that adapts steganography techniques to all relational row-store DBMSes. HiDR is particularly effective for hiding data within a DBMS because it adds data to the database state without leaving an audit trail in the DBMS (i.e., without executing SQL commands that may be logged and traced to the sender). While sending a message in this way requires administrative privileges from the sender, it also offers them much more control, enabling the sender to erase the original message just as easily as it was created. We demonstrate how HiDR keeps data from being unintentionally discovered but at the same time makes that data easy to access using SQL queries from a non-privileged account.
Exploiting database storage for data exfiltration (Forensic Science International: Digital Investigation, vol. 53, Article 301934)