
Forensic Science International-Digital Investigation: Latest Publications

SFormer: An end-to-end spatio-temporal transformer architecture for deepfake detection
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-08-27 DOI: 10.1016/j.fsidi.2024.301817
Staffy Kingra , Naveen Aggarwal , Nirmal Kaur

Rapid advances in AI continue to drive improvements in GANs, which in turn facilitate the generation of deepfake media. Manipulated media poses serious risks to court proceedings, journalism, politics, and many other areas where digital media have a substantial impact on society. State-of-the-art techniques for deepfake detection rely on convolutional networks for spatial analysis and recurrent networks for temporal analysis. Since transformers are capable of recognizing long-range dependencies both from a global spatial view and along a temporal sequence, a novel approach called “SFormer” is proposed in this paper, utilizing a transformer architecture for both spatial and temporal analysis to detect deepfakes. Further, state-of-the-art techniques suffer from high computational complexity and overfitting, which causes a loss of generalizability. The proposed model uses a Swin Transformer for spatial analysis, which results in low complexity, thereby enhancing its generalization ability and robustness against different manipulation types. The proposed end-to-end transformer-based model, SFormer, is shown to be effective on numerous deepfake datasets, including FF++, DFD, Celeb-DF, DFDC and Deeper-Forensics, achieving accuracies of 100%, 97.81%, 99.1%, 93.67% and 100% respectively. Moreover, SFormer demonstrates superior performance compared to existing spatio-temporal and transformer-based approaches for deepfake detection.

Citations: 0
Response from author
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-16 DOI: 10.1016/j.fsidi.2024.301803
Simon Ebbers
Citations: 0
Towards a practical usage for the Sleuth Kit supporting file system add-ons
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-13 DOI: 10.1016/j.fsidi.2024.301799
Yeonghun Shin , Taeshik Shon

Most modern digital devices with storage utilize a file system to manage files and directories. Consequently, when digital forensic investigators derive evidence from such devices, they collect and analyze data stored on them through file system analysis. However, there are numerous types of file systems, with new ones continually being developed. Each file system possesses a distinct metadata structure and file management system. Therefore, investigators must possess prior knowledge of the specific file system being examined. Nevertheless, it is challenging for practitioners to be knowledgeable about all existing file systems. To address this issue, forensic software such as The Sleuth Kit (TSK), an open-source forensic tool, is employed for investigations. However, even these tools may not offer complete support for relatively recent file systems.

Hence, we propose a structure for integrating a new file system into the open-source forensic tool TSK. Additionally, to validate this proposed structure, we demonstrate that support for five file systems (Ext4, XFS, Btrfs, F2FS, and Hikvision) can be added following this framework. To achieve this, we conducted an analysis of the metadata and file management scheme of these five file systems. Furthermore, we examined the operational procedures of the TSK framework. Based on these analyses, investigation capabilities for the five file systems have been incorporated into TSK. Moreover, reliability verification experiments were conducted on the developed tools, and a performance evaluation was carried out in comparison with other commercial digital forensic tools. The findings of this study can serve as a foundation for future forensic studies based on file systems. Additionally, the TSK developed based on the proposed structure can assist investigators in conducting digital forensics effectively.

Citations: 0
Money laundering through video games, a criminals' playground
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-13 DOI: 10.1016/j.fsidi.2024.301802
Dan Cooke , Angus Marshall

Video games provide criminals with easier and less detectable methods of performing money laundering. These actions may be used by criminals as part of a system of transactions to further disguise the origins of their funds. The use of video games as a tool to launder money has only been briefly explored. This work identifies the ways in which money laundering through video game secondary marketplaces can offer benefits to criminals looking to launder money, compared with traditional money laundering methods.

We explore the potential for using publicly accessible data, such as that available from the Steam Marketplace, to identify suspicious transactions that may indicate the existence of money laundering within these platforms. This research focused on identifying irregularities in the frequency and quantity of trades on the Steam Marketplace.

The results of this investigation show that possible cases of money laundering can be identified within transactional data from the Steam Marketplace using very simple money laundering detection methods. The data used shows that there were several suspicious transactions and accounts which could warrant further investigation and may be involved in activity that represents money laundering. As a result, there is scope for further investigations using larger data sets and examination of other publicly accessible data using a greater range of methods to identify suspicious transactions, including, but not limited to, value of transactions and location.

Citations: 0
Forensic analysis of OpenAI's ChatGPT mobile application
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-10 DOI: 10.1016/j.fsidi.2024.301801
Evangelos Dragonas , Costas Lambrinoudakis , Panagiotis Nakoutis

Since its public launch, OpenAI's ChatGPT has achieved significant success, attracting millions of users within the first few months of its release. Although numerous similar applications have emerged, none have yet matched the success of OpenAI's ChatGPT. Last year, OpenAI released the ChatGPT mobile app. This application serves a broad range of uses, some of which may be malicious, and, unfortunately, it has not yet been parsed by either commercial or open-source tools. Nevertheless, the data stored by this application, such as the JSON files that store a user's conversations with ChatGPT, can be instrumental in attributing user actions, discerning perpetrators' knowledge and motivations, and resolving practical investigations. In this paper, OpenAI's ChatGPT mobile application is examined on both the Android and iOS operating systems, focusing on potential evidentiary data within. The cloud-native data associated with the app, which can be retrieved through user data export requests, are also investigated. The primary objective of this study is to discover artifacts that investigators can use in real-world cases involving this mobile app. Additionally, the authors have contributed to FOSS to support professionals in this field.

Citations: 0
Leveraging metadata in social media forensic investigations: Unravelling digital clues - A survey study
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-08 DOI: 10.1016/j.fsidi.2024.301798
Akarshan Suryal

This survey study explores the pivotal role of metadata in forensic investigations within the realm of social media. Investigating the digital clues embedded in metadata unveils a wealth of information crucial for understanding the authenticity and origin of online content. This study delves into the technical intricacies of metadata extraction, shedding light on its potential for verifying the chronology, geolocation, and user interactions on social platforms. By leveraging metadata, forensic experts can unravel the intricate web of digital footprints, enhancing the accuracy and efficiency of social media investigations. The findings of this study contribute to the evolving landscape of digital forensic techniques, addressing contemporary challenges in online information scrutiny.

Citations: 0
Letter to Editor regarding article, “Grand theft API: A forensic analysis of vehicle cloud data”
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-06 DOI: 10.1016/j.fsidi.2024.301800
Nishchal Soni
Citations: 0
Key extraction-based lawful access to encrypted data: Taxonomy and survey
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-05 DOI: 10.1016/j.fsidi.2024.301796
Christian Lindenmeier, Andreas Hammer, Jan Gruber, Jonas Röckl, Felix Freiling

The rise of end-to-end encryption has enabled end-users to protect their data to the point that classical techniques of lawful access (seizure of devices, wiretaps) are futile. While there is a heated discussion about regulating the access primitive to end-user devices for law enforcement, little attention is given to the technical design of how evidence should be collected. This is especially critical during remote surveillance, as law enforcement may have unrestricted access to end-user devices over longer periods of time. In this paper, we propose the novel category of key extraction-based lawful interception (KEX-LI), meaning that instead of directly accessing plaintext data, law enforcement only extracts the necessary key material from end-user devices, thus minimizing the data extraction required on end-user devices. When subsequently collecting encrypted data (e.g., via wiretapping), law enforcement can use these keys for decryption. We structure and survey the state of the art in key extraction techniques, thus embedding KEX-LI in the broader context of device forensics. Furthermore, we describe specific requirements for a practical solution to conduct KEX-LI and evaluate currently available technical implementations. Our results are intended to help practitioners select the most suitable techniques as well as to identify research gaps.

Citations: 0
A Formal Concept Analysis approach to hierarchical description of malware threats
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-07-04 DOI: 10.1016/j.fsidi.2024.301797
Manuel Ojeda-Hernández, Domingo López-Rodríguez, Ángel Mora

The problem of intelligent malware detection has become increasingly relevant in the industry, as there has been an explosion in the diversity of threats and attacks that affect not only small users, but also large organisations and governments. One of the problems in this field is the lack of homogenisation or standardisation in the nomenclature used by different antivirus programs for different malware threats. The lack of a clear definition of what a category is and how it relates to individual threats makes it difficult to share data and extract common information from multiple antivirus programs. Therefore, efforts to create a common naming convention and hierarchy for malware are important to improve collaboration and information sharing in this field.

Our approach uses the methods of Formal Concept Analysis (FCA) as a tool to model and attempt to solve this problem. FCA is an algebraic framework able to discover useful knowledge, in the form of a concept lattice and implications, relating to the detection and diagnosis of suspicious files and threats. The knowledge extracted using this mathematical tool illustrates how formal methods can help prevent new threats and attacks. We show the results of applying the proposed methodology to the identification of hierarchical relationships between malware.

引用次数: 0
On enhancing memory forensics with FAME: Framework for advanced monitoring and execution
IF 2 Zone 4 Medicine Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2024-07-01 DOI: 10.1016/j.fsidi.2024.301757
Taha Gharaibeh , Ibrahim Baggili , Anas Mahmoud

Memory Forensics (MF) is an essential aspect of digital investigations, but practitioners often face time-consuming challenges when using popular tools like the Volatility Framework (VF). VF, a widely adopted Python-based memory forensics tool, presents difficulties for practitioners due to its slow performance. Thus, in this study, we evaluated methods to accelerate VF without modifying its code by testing four alternative Python Just In Time (JIT) interpreters - CPython, Pyston, PyPy, and Pyjion - using CPython as our baseline. Tests were conducted on 14 memory samples, totaling 173 GB, using a search-intensive VF plugin for Windows hosts. Employing our custom Framework for Advanced Monitoring and Execution (FAME), we deployed the interpreters in Docker containers and monitored their real-time performance. A statistically significant difference was observed between the Python JIT interpreters and the standard interpreter, with PyPy emerging as the best interpreter and yielding a 15–20 % performance increase over the standard interpreter. Implementing PyPy has the potential to save significant time (many hours) when processing substantial memory samples. FAME enhances the efficiency of deploying and monitoring robust forensic tool testing, fostering reproducible research and yielding reliable results in both MF and the broader field of digital forensics.

Citations: 0