
Forensic Science International-Digital Investigation: Latest Articles

Forensic recovery via chip-transplantation in Samsung smartphones
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301926
Sunbum Song , Hongseok Yang , Eunji Lee , Sangeun Lee , Gibum Kim
The advancement of mobile forensic technology has induced the increase of anti-forensic activities such as smartphone destruction, while prompting major manufacturers to strengthen their data encryption policies at the same time. Such changes resulted in forensic analysts having to perform ‘Chip-transplantation’ when extracting data from damaged smartphones. Chip-transplantation is a method referring to transplanting data storage and decryption modules from the original damaged device to a compatible device of the same model. However, chip-transplantation consists of procedures such as chip-off which are risky in terms of data integrity, and require comprehensive understanding of the target device's hardware for a successful recovery. This study explores the improvements to chip-transplantation techniques that are compatible with the AP and eSE modules of Samsung's premium smartphones. Experimental results indicate that for a successful data acquisition via Chip-Transplantation on Samsung smartphones, transplantation of the eSE module along with the AP and flash memory is required irrespective of user password settings. As there is a lack of research on the physical structure and PCB placement of the eSE, this study provides eSE's terminal information, PCB placement, and jump points to bypass damage to PCB pin terminals. Lastly, for cases where damage to AP or eSE modules is suspected prior to or after transplantation, this study suggests two less invasive and cost-effective diagnostic methods – smartphone log analysis during the boot process and current consumption pattern analysis – that can be used along with conventional continuity testing, thermal imaging, and X-ray analysis. As the adoption of dedicated encryption modules in smartphones grows with privacy protection schemes, this study will contribute to advancing the chip-transplantation success rate against the ever-evolving hardware landscape.
Forensic Science International-Digital Investigation, vol. 53, Article 301926. Journal Article. Citations: 0
25th DFRWS USA 2025
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301936
Forensic Science International-Digital Investigation, vol. 53, Article 301936. Journal Article (no abstract). Citations: 0
SoK: Timeline based event reconstruction for digital forensics: Terminology, methodology, and current challenges
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301932
Frank Breitinger , Hudan Studiawan , Chris Hargreaves
Event reconstruction is a technique that examiners can use to attempt to infer past activities by analyzing digital artifacts. Despite its significance, the field suffers from fragmented research, with studies often focusing narrowly on aspects like timeline creation or tampering detection. This paper addresses the lack of a unified perspective by proposing a comprehensive framework for timeline-based event reconstruction, adapted from traditional forensic science models. We begin by harmonizing existing terminology and presenting a cohesive diagram that clarifies the relationships between key elements of the reconstruction process. Through a comprehensive literature survey, we classify and organize the main challenges, extending the discussion beyond common issues like data volume. Lastly, we highlight recent advancements and propose directions for future research, including specific research gaps. By providing a structured approach, key findings, and a clearer understanding of the underlying challenges, this work aims to strengthen the foundation of digital forensics.
Forensic Science International-Digital Investigation, vol. 53, Article 301932. Journal Article. Citations: 0
Memory Analysis of the Python Runtime Environment
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301920
Hala Ali , Andrew Case , Irfan Ahmed
Memory forensics has become a crucial component of digital investigations, particularly for detecting sophisticated malware that operates solely in system memory without leaving traces on the file system. Although memory forensics provides a complete view of the system state during acquisition, prior research efforts have primarily focused on analyzing kernel-level data structures for malware detection. With the propagation of kernel-level malware, operating system vendors implemented stringent kernel access restrictions, leading the malware authors to shift their focus to developing userland malware. This evolution in tactics necessitated a corresponding shift in forensic research toward analyzing userland runtime environments. While significant memory analysis capabilities have been developed for various runtime environments, including Android, Objective-C, and .NET, no effort has addressed the analysis of Python despite its growing popularity among legitimate software developers and malware authors. To address this critical gap, we present a comprehensive analysis of the Python runtime, encompassing its hierarchical memory management, garbage collection mechanism, and thread execution context management. We automated this analysis by developing a suite of new Volatility 3 plugins that provide detailed visibility into Python applications, including classes and their runtime instances, modules, functions, dynamically generated values, and execution traces across application threads. We evaluated our plugins against real-world malware samples, including cryptocurrency hijackers, ransomware variants, and remote access trojans (RATs). Results demonstrated 100% extraction accuracy of application objects within practical time constraints. The plugins recovered critical artifacts, including cryptocurrency wallet addresses, encryption keys, malicious functions, and execution paths. Through these new automated analysis capabilities, investigators of all levels of experience will be able to detect and analyze Python-based malware.
Forensic Science International-Digital Investigation, vol. 53, Article 301920. Journal Article. Citations: 0
An extensible and scalable system for hash lookup and approximate similarity search with similarity digest algorithms
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301930
Daniel Huici , Ricardo J. Rodríguez , Eduardo Mena
Efficient management and analysis of large volumes of digital data has emerged as a major challenge in the field of digital forensics. To quickly identify and analyze relevant artifacts within large datasets, we introduce APOTHEOSIS, an approximate similarity search system designed for scalability and efficiency. Our system integrates approximate search techniques (which allow searching for a match on a close value) with Similarity Digest Algorithms (SDA; which capture common features between similar elements), using a space-saving radix tree and a graph-based hierarchical navigable small world structure to perform fast approximate nearest neighbor searches. We demonstrate the effectiveness and versatility of our system through two key case studies: first, in plagiarism detection, demonstrating the effectiveness of our system in identifying similar or duplicate documents within a large source code dataset; then, in memory artifact detection, showing its scalability and performance in processing large-scale forensic data collected from various versions of Microsoft Windows. Our comprehensive evaluation shows that APOTHEOSIS not only efficiently handles large datasets, but also provides a way to evaluate the performance of various SDA and their approximate similarity search in different forensic scenarios.
Forensic Science International-Digital Investigation, vol. 53, Article 301930. Journal Article. Citations: 0
Out of Control: Igniting SCADA investigations with an HMI forensics framework and the ignition forensics artifact carving tool (IFACT)
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301933
LaSean Salmon , Ibrahim Baggili
In the modern industrial landscape, Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems serve as critical components in the automation and control of various industrial processes. While their widespread availability and overall efficiency are crucial, the increasing integration of these systems with networked environments has exposed them to a growing array of cyber threats. Meanwhile, the rapid growth and deployment of SCADA systems worldwide pose increasing challenges to managing their security effectively. We explore the value of HMI-focused digital forensics within SCADA environments, emphasizing the unique challenges in their evaluation and the information contained in digital artifacts. We present a comprehensive forensic analysis of Ignition: a popular SCADA software platform developed by Inductive Automation. We also develop a generic forensic analysis framework that can be used when conducting a forensic investigation on an HMI environment. Our investigative process is supported with the creation of IFACT: an HMI Forensic Analysis Tool created to streamline the process of parsing system information presented in Ignition HMI-sourced forensic data. The data recovered from memory, network, and disk forensic investigations provides insight into the state of the SCADA system, including tag and PLC utilization and configurations. Using IFACT, we investigate how long this data persists in volatile memory and how its lifetime is variable.
Forensic Science International-Digital Investigation, vol. 53, Article 301933. Journal Article. Citations: 0
Bridging knowledge gaps in digital forensics using unsupervised explainable AI
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301924
Zainab Khalid , Farkhund Iqbal , Mohd Saqib
Artificial Intelligence (AI) has found multi-faceted applications in critical sectors including Digital Forensics (DF) which also require eXplainability (XAI) as a non-negotiable for its applicability, such as admissibility of expert evidence in the court of law. The state-of-the-art XAI workflows focus more on utilizing XAI tools for supervised learning. This is in contrast to the fact that unsupervised learning may be practically more relevant in DF and other sectors that largely produce complex and unlabeled data continuously, in considerable volumes. This research study explores the challenges and utility of unsupervised learning-based XAI for DF's complex datasets. A memory forensics-based case scenario is implemented to detect anomalies and cluster obfuscated malware using the Isolation Forest, Autoencoder, K-means, DBSCAN, and Gaussian Mixture Model (GMM) unsupervised algorithms on three categorical levels. The CIC MalMemAnalysis-2022 dataset's binary and multivariate (4, 16) categories are used as a reference to perform clustering. The anomaly detection and clustering results are evaluated using accuracy, confusion matrices and Adjusted Rand Index (ARI) and explained through Shapley Additive Explanations (SHAP), using force, waterfall, scatter, summary, and bar plots' local and global explanations. We also explore how some SHAP explanations may be used for dimensionality reduction.
Forensic Science International-Digital Investigation, vol. 53, Article 301924. Journal Article. Citations: 0
DFRWS APAC 2025 Seoul
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/S2666-2817(25)00100-3
Forensic Science International-Digital Investigation, vol. 53, Article 301961. Journal Article (no abstract). Citations: 0
If at first you don't succeed, trie, trie again: Correcting TLSH scalability claims for large-dataset malware forensics
IF 2.2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301922
Jordi Gonzalez
Malware analysts use Trend Micro Locality-Sensitive Hashing (TLSH) for malware similarity computation, nearest-neighbor search, and related tasks like clustering and family classification. Although TLSH scales better than many alternatives, technical limitations have limited its application to larger datasets. Using the Lean 4 proof assistant, I formalized bounds on the properties of TLSH most relevant to its scalability and identified flaws in prior TLSH nearest-neighbor search algorithms. I leveraged these formal results to design correct acceleration structures for TLSH nearest-neighbor queries. On typical analyst workloads, these structures performed one to two orders of magnitude faster than the prior state-of-the-art, allowing analysts to use datasets at least an order of magnitude larger than what was previously feasible with the same computational resources. I make all code and data publicly available.
{"title":"If at first you don't succeed, trie, trie again: Correcting TLSH scalability claims for large-dataset malware forensics","authors":"Jordi Gonzalez","doi":"10.1016/j.fsidi.2025.301922","DOIUrl":"10.1016/j.fsidi.2025.301922","url":null,"abstract":"<div><div>Malware analysts use Trend Micro Locality-Sensitive Hashing (TLSH) for malware similarity computation, nearest-neighbor search, and related tasks like clustering and family classification. Although TLSH scales better than many alternatives, technical limitations have limited its application to larger datasets. Using the Lean 4 proof assistant, I formalized bounds on the properties of TLSH most relevant to its scalability and identified flaws in prior TLSH nearest-neighbor search algorithms. I leveraged these formal results to design correct acceleration structures for TLSH nearest-neighbor queries. On typical analyst workloads, these structures performed one to two orders of magnitude faster than the prior state-of-the-art, allowing analysts to use datasets at least an order of magnitude larger than what was previously feasible with the same computational resources. I make all code and data publicly available.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301922"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749083","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
Enhancing DFIR in orchestration Environments: Real-time forensic framework with eBPF for windows
IF 2.2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-07-01 | DOI: 10.1016/j.fsidi.2025.301923
Philgeun Jin, Namjun Kim, Doowon Jeong
Digital forensic investigations in Windows orchestration environments face critical challenges, including the ephemeral nature of containers, dynamic scaling, and limited visibility into low-level system events. Traditional event log-based approaches often fail to capture essential kernel-level artifacts such as process creation, file I/O, and registry modifications. To overcome these limitations, this paper introduces a novel DFIR framework that leverages eBPF to enable real-time kernel-level monitoring in containerized environments. Building on Microsoft's Windows eBPF project, we developed custom eBPF extensions tailored for DFIR. Aligned with NIST SP 800-61 guidelines, the proposed framework integrates unified workflows for preparation, detection, containment, and recovery through a centralized management console. Through case studies of cryptocurrency mining, ransomware, and blue screen of death attacks, we demonstrate our framework's ability to identify malicious processes that traditional event log-based methods might miss, while confirming minimal system overhead and high compatibility with existing orchestration platforms.
Philgeun Jin, Namjun Kim, Doowon Jeong, "Enhancing DFIR in orchestration Environments: Real-time forensic framework with eBPF for windows", Forensic Science International-Digital Investigation, vol. 53, Article 301923, published 2025-07-01, DOI: 10.1016/j.fsidi.2025.301923.
Citations: 0