Forensic Science International-Digital Investigation最新文献_第6页

ANOC: Automated NoSQL database carver ANOC：自动NoSQL数据库雕刻器

IF 2.2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301929

Mahfuzul I. Nissan , James Wagner , Alexander Rasin

The increased use of NoSQL databases to store and manage data has led to a demand to include them in forensic investigations. Most NoSQL databases use diverse storage formats compared to file carving and relational database forensics. For example, some NoSQL databases manage key-value pairs using B-Trees, while others maintain hash tables or even binary protocols for serialization. Current research on NoSQL carving focuses on single-database solutions, making it impractical to develop individual carvers for every NoSQL system. This necessitates a generalized approach to forensic recovery, enabling the creation of a unified carver that can operate effectively across various NoSQL platforms.

In this research, we introduce Automated NoSQL Carver, ANOC, a novel tool designed to reconstruct database contents from raw database images without relying on the database API or logs. ANOC adapts to the unique storage characteristics of various NoSQL systems, utilizing byte-level reverse engineering to identify and parse data structures. By analyzing storage layouts algorithmically, ANOC identifies and reconstructs key-value pairs, hierarchical storage structures, and associated metadata across multiple NoSQL platforms.

Through extensive experimentation, we demonstrate ANOC's ability to recover data from four representative key-value store NoSQL databases: Berkeley DB, ZODB, etcd, and LMDB. We explore ANOC's limitations in environments where data is corrupted and RAM snapshots. Our findings establish the feasibility of a generalized carver capable of addressing the challenges posed by the diverse and evolving NoSQL ecosystem.

越来越多地使用NoSQL数据库来存储和管理数据，这导致了将它们纳入法医调查的需求。与文件雕刻和关系数据库取证相比，大多数NoSQL数据库使用不同的存储格式。例如，一些NoSQL数据库使用b -树管理键值对，而其他数据库则维护哈希表甚至二进制协议进行序列化。目前对NoSQL雕刻的研究主要集中在单数据库解决方案上，这使得为每个NoSQL系统开发单独的雕刻器是不切实际的。这就需要一种通用的取证恢复方法，从而创建一个可以跨各种NoSQL平台有效操作的统一雕刻器。在本研究中，我们介绍了自动化NoSQL雕刻器，ANOC，一个新的工具，旨在从原始数据库图像重建数据库内容，而不依赖于数据库API或日志。ANOC适应各种NoSQL系统的独特存储特性，利用字节级逆向工程来识别和解析数据结构。通过分析存储布局算法，ANOC识别和重建跨多个NoSQL平台的键值对、分层存储结构和相关元数据。通过大量的实验，我们展示了ANOC从四个代表性键值存储NoSQL数据库（Berkeley DB、ZODB等和LMDB）中恢复数据的能力。我们将探讨ANOC在数据损坏和RAM快照环境中的局限性。我们的研究结果建立了一个通用的雕刻器的可行性，能够解决多样化和不断发展的NoSQL生态系统所带来的挑战。

{"title":"ANOC: Automated NoSQL database carver","authors":"Mahfuzul I. Nissan , James Wagner , Alexander Rasin","doi":"10.1016/j.fsidi.2025.301929","DOIUrl":"10.1016/j.fsidi.2025.301929","url":null,"abstract":"<div><div>The increased use of NoSQL databases to store and manage data has led to a demand to include them in forensic investigations. Most NoSQL databases use diverse storage formats compared to file carving and relational database forensics. For example, some NoSQL databases manage key-value pairs using B-Trees, while others maintain hash tables or even binary protocols for serialization. Current research on NoSQL carving focuses on single-database solutions, making it impractical to develop individual carvers for every NoSQL system. This necessitates a generalized approach to forensic recovery, enabling the creation of a unified carver that can operate effectively across various NoSQL platforms.</div><div>In this research, we introduce Automated NoSQL Carver, <span>ANOC</span>, a novel tool designed to reconstruct database contents from raw database images without relying on the database API or logs. <span>ANOC</span> adapts to the unique storage characteristics of various NoSQL systems, utilizing byte-level reverse engineering to identify and parse data structures. By analyzing storage layouts algorithmically, <span>ANOC</span> identifies and reconstructs key-value pairs, hierarchical storage structures, and associated metadata across multiple NoSQL platforms.</div><div>Through extensive experimentation, we demonstrate <span>ANOC</span>'s ability to recover data from four representative key-value store NoSQL databases: Berkeley DB, ZODB, etcd, and LMDB. We explore <span>ANOC</span>'s limitations in environments where data is corrupted and RAM snapshots. Our findings establish the feasibility of a generalized carver capable of addressing the challenges posed by the diverse and evolving NoSQL ecosystem.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301929"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749092","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Your forensic AI-assistant, SERENA: Systematic extraction and reconstruction for enhanced A2P message forensics 你的人工智能法医助理，瑟琳娜：系统提取和重建增强A2P信息取证

IF 2.2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301931

Jieon Kim, Byeongchan Jeong, Seungeun Park, Sangjin Lee, Jungheum Park

The integration of physical and online activities in today's hyper-connected world has blurred previously distinct boundaries. Online actions such as reservations, payments, and logins generate application-to-person (A2P) messages, which serve as valuable datasets for tracking user behavior. Although A2P messages from different service providers may vary in structure, the information within each message can be systematically normalized based on user behavior and service characteristics. However, traditional forensic tools have been unable to effectively identify and extract such forensically valuable information from these A2P messages. In this study, we leverage large language models (LLMs) combined with prompt engineering to analyze A2P messages from multiple service providers, addressing the limitations of existing forensic tools in extracting meaningful insights from unstructured or semi-structured text stored in messages and emails. The proposed methodology employs A2P messages to elaborately reconstruct user activity, enabling digital forensic investigations to identify case-relevant information with enhanced efficiency and accuracy.

在当今这个高度互联的世界里，实体活动和在线活动的融合模糊了以前截然不同的界限。在线操作（如预订、支付和登录）生成应用程序到个人（A2P）消息，这些消息可作为跟踪用户行为的有价值的数据集。尽管来自不同服务提供者的A2P消息可能在结构上有所不同，但每个消息中的信息可以基于用户行为和服务特征进行系统的规范化。然而，传统的取证工具无法有效地从这些A2P消息中识别和提取有价值的取证信息。在本研究中，我们利用大型语言模型（llm）结合即时工程来分析来自多个服务提供商的A2P消息，解决了现有取证工具在从存储在消息和电子邮件中的非结构化或半结构化文本中提取有意义的见解方面的局限性。建议的方法采用A2P消息来详细地重建用户活动，使数字取证调查能够以更高的效率和准确性识别与案件相关的信息。

{"title":"Your forensic AI-assistant, SERENA: Systematic extraction and reconstruction for enhanced A2P message forensics","authors":"Jieon Kim, Byeongchan Jeong, Seungeun Park, Sangjin Lee, Jungheum Park","doi":"10.1016/j.fsidi.2025.301931","DOIUrl":"10.1016/j.fsidi.2025.301931","url":null,"abstract":"<div><div>The integration of physical and online activities in today's hyper-connected world has blurred previously distinct boundaries. Online actions such as reservations, payments, and logins generate application-to-person (A2P) messages, which serve as valuable datasets for tracking user behavior. Although A2P messages from different service providers may vary in structure, the information within each message can be systematically normalized based on user behavior and service characteristics. However, traditional forensic tools have been unable to effectively identify and extract such forensically valuable information from these A2P messages. In this study, we leverage large language models (LLMs) combined with prompt engineering to analyze A2P messages from multiple service providers, addressing the limitations of existing forensic tools in extracting meaningful insights from unstructured or semi-structured text stored in messages and emails. The proposed methodology employs A2P messages to elaborately reconstruct user activity, enabling digital forensic investigations to identify case-relevant information with enhanced efficiency and accuracy.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301931"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144748994","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Improved Bitcoin simulation model and address heuristic method 改进了比特币仿真模型和地址启发式方法

IF 2.2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301935

Yanan Gong, Kam Pui Chow, Siu Ming Yiu

Cryptocurrency-related crimes are on the rise and have a wide-ranging impact across various areas. To effectively combat and prevent such crimes, cryptocurrency forensics, which relies on blockchain analysis, is essential. Despite advancements in Bitcoin de-anonymization techniques, several challenges persist. The absence of authentic data labels introduces uncertainty in de-anonymization results, especially in the context of address clustering. This issue is further compounded by the development of privacy-enhancing technologies that obscure address linkages, thus undermining the reliability of outcomes as forensic evidence. To address these limitations, this study focuses on Bitcoin blockchain analysis and the improvement of address clustering. Specifically, the work presents an enhanced simulation model designed to accurately simulate real Bitcoin transactions, offering a stable platform for evaluating address clustering algorithms that utilize transaction details, thereby facilitating the assessment of the admissibility of clustering results. Meanwhile, we introduce a new heuristic algorithm aimed at identifying one-time change addresses, with experimental results demonstrating that it achieves more precise clustering outcomes than existing heuristic methods. Furthermore, our blockchain analysis reveals overarching patterns and recent changes in the Bitcoin blockchain, particularly following the introduction of the BRC-20 token.

与加密货币相关的犯罪正在上升，并在各个领域产生了广泛的影响。为了有效打击和预防此类犯罪，依赖于区块链分析的加密货币取证至关重要。尽管比特币去匿名化技术取得了进步，但仍存在一些挑战。真实数据标签的缺失给去匿名化结果带来了不确定性，尤其是在地址聚类的背景下。隐私增强技术的发展使这一问题进一步复杂化，这些技术模糊了地址之间的联系，从而削弱了结果作为法医证据的可靠性。为了解决这些限制，本研究着重于比特币区块链分析和地址聚类的改进。具体来说，这项工作提出了一个增强的仿真模型，旨在准确地模拟真实的比特币交易，为评估利用交易细节的地址聚类算法提供了一个稳定的平台，从而促进了聚类结果的可接受性评估。同时，我们引入了一种新的针对一次性变更地址识别的启发式算法，实验结果表明，它比现有的启发式方法获得了更精确的聚类结果。此外，我们的区块链分析揭示了比特币区块链的总体模式和近期变化，特别是在引入BRC-20代币之后。

{"title":"Improved Bitcoin simulation model and address heuristic method","authors":"Yanan Gong, Kam Pui Chow, Siu Ming Yiu","doi":"10.1016/j.fsidi.2025.301935","DOIUrl":"10.1016/j.fsidi.2025.301935","url":null,"abstract":"<div><div>Cryptocurrency-related crimes are on the rise and have a wide-ranging impact across various areas. To effectively combat and prevent such crimes, cryptocurrency forensics, which relies on blockchain analysis, is essential. Despite advancements in Bitcoin de-anonymization techniques, several challenges persist. The absence of authentic data labels introduces uncertainty in de-anonymization results, especially in the context of address clustering. This issue is further compounded by the development of privacy-enhancing technologies that obscure address linkages, thus undermining the reliability of outcomes as forensic evidence. To address these limitations, this study focuses on Bitcoin blockchain analysis and the improvement of address clustering. Specifically, the work presents an enhanced simulation model designed to accurately simulate real Bitcoin transactions, offering a stable platform for evaluating address clustering algorithms that utilize transaction details, thereby facilitating the assessment of the admissibility of clustering results. Meanwhile, we introduce a new heuristic algorithm aimed at identifying one-time change addresses, with experimental results demonstrating that it achieves more precise clustering outcomes than existing heuristic methods. Furthermore, our blockchain analysis reveals overarching patterns and recent changes in the Bitcoin blockchain, particularly following the introduction of the BRC-20 token.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301935"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144748998","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Leveraging memory forensics to investigate and detect illegal 3D printing activities 利用内存取证来调查和检测非法3D打印活动

IF 2.2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301925

Hala Ali , Andrew Case , Irfan Ahmed

As 3D printing is widely adopted across critical sectors, malicious users exploit this technology to produce illegal tools for criminal activities. The increasing availability of affordable 3D printers and the limitations of current regulations highlight the urgent need for robust forensic capabilities. While existing research focuses on the physical forensics of printed objects, the digital aspects of 3D printing forensics remain underexplored, resulting in a significant investigative gap. This paper introduces SliceSnap, a novel memory forensics framework that analyzes the volatile memory of slicing software, which is essential for converting 3D models into printer-executable G-code instructions. Our investigation focuses on Ultimaker Cura, the most popular Python-based slicing tool. By leveraging the Python garbage collector and conducting structural analysis of its objects, SliceSnap can extract the mesh data of 3D models, G-code instructions, slicing settings, detailed 3D printer metadata, and logging information. Given the potential for slicing software compromises, our framework extends beyond artifact extraction to include the complementary analysis tool, G-parser. This tool detects malicious G-code manipulations by finding the discrepancies between the original settings and those extracted from the G-code. Evaluation results demonstrated the effectiveness of SliceSnap in recovering design files and G-code of various criminal tools, such as firearms and TSA master keys, with 100% accuracy, in addition to providing detailed information about the slicing software and 3D printer. The evaluation also analyzed the temporal persistence of memory artifacts across critical stages of Cura's lifecycle. Moreover, through G-parser, the framework successfully detected the G-code manipulations conducted by our novel attack vector that targets G-code during inter-process communication within the software. Implemented as Volatility 3 plugins, SliceSnap provides investigators with automated capabilities to detect 3D printing-related criminal activities.

随着3D打印在关键领域的广泛应用，恶意用户利用这项技术生产用于犯罪活动的非法工具。越来越多的可负担的3D打印机的可用性和现行法规的局限性突出了对强大的法医能力的迫切需要。虽然现有的研究主要集中在打印对象的物理取证上，但3D打印取证的数字方面仍未得到充分探索，导致调查差距很大。本文介绍了SliceSnap，这是一种新的内存分析框架，可以分析切片软件的易失性内存，这对于将3D模型转换为打印机可执行的g代码指令至关重要。我们的调查重点是Ultimaker Cura，这是最流行的基于python的切片工具。通过利用Python垃圾收集器并对其对象进行结构分析，SliceSnap可以提取3D模型的网格数据、g代码指令、切片设置、详细的3D打印机元数据和日志信息。考虑到切片软件的潜在危害，我们的框架超越了工件提取，包括了补充分析工具G-parser。该工具通过查找原始设置与从g代码中提取的设置之间的差异来检测恶意的g代码操作。评估结果表明，SliceSnap在恢复各种犯罪工具（如枪支和TSA万能钥匙）的设计文件和g代码方面具有100%的准确性，此外还提供了有关切片软件和3D打印机的详细信息。评估还分析了在Cura生命周期的关键阶段记忆工件的时间持久性。此外，通过g解析器，该框架成功检测到我们的新型攻击向量在软件内部进程间通信期间针对g代码进行的g代码操作。作为波动性3插件，SliceSnap为调查人员提供了自动检测3D打印相关犯罪活动的功能。

{"title":"Leveraging memory forensics to investigate and detect illegal 3D printing activities","authors":"Hala Ali , Andrew Case , Irfan Ahmed","doi":"10.1016/j.fsidi.2025.301925","DOIUrl":"10.1016/j.fsidi.2025.301925","url":null,"abstract":"<div><div>As 3D printing is widely adopted across critical sectors, malicious users exploit this technology to produce illegal tools for criminal activities. The increasing availability of affordable 3D printers and the limitations of current regulations highlight the urgent need for robust forensic capabilities. While existing research focuses on the physical forensics of printed objects, the digital aspects of 3D printing forensics remain underexplored, resulting in a significant investigative gap. This paper introduces <em>SliceSnap</em>, a novel memory forensics framework that analyzes the volatile memory of slicing software, which is essential for converting 3D models into printer-executable G-code instructions. Our investigation focuses on Ultimaker Cura, the most popular Python-based slicing tool. By leveraging the Python garbage collector and conducting structural analysis of its objects, <em>SliceSnap</em> can extract the mesh data of 3D models, G-code instructions, slicing settings, detailed 3D printer metadata, and logging information. Given the potential for slicing software compromises, our framework extends beyond artifact extraction to include the complementary analysis tool, <em>G-parser</em>. This tool detects malicious G-code manipulations by finding the discrepancies between the original settings and those extracted from the G-code. Evaluation results demonstrated the effectiveness of <em>SliceSnap</em> in recovering design files and G-code of various criminal tools, such as firearms and TSA master keys, with 100% accuracy, in addition to providing detailed information about the slicing software and 3D printer. The evaluation also analyzed the temporal persistence of memory artifacts across critical stages of Cura's lifecycle. Moreover, through <em>G-parser</em>, the framework successfully detected the G-code manipulations conducted by our novel attack vector that targets G-code during inter-process communication within the software. Implemented as Volatility 3 plugins, <em>SliceSnap</em> provides investigators with automated capabilities to detect 3D printing-related criminal activities.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301925"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749088","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Bytewise approximate matching: Evaluating common scenarios for executable files 按字节近似匹配：评估可执行文件的常见场景

IF 2.2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301927

Carlo Jakobs, Axel Mahr, Martin Lambertz, Mariia Rybalka, Daniel Plohmann

This research explores the application of bytewise approximate matching algorithms on executable files, evaluating the effectiveness of ssdeep, sdhash, TLSH, and MRSHv2 across various scenarios, where approximate matching seems to be a natural tool to employ. Previous works already underlined that approximate matching is often used for tasks where the algorithms have not been thoroughly and systematically evaluated. Pagani et al. (2018), in particular, highlighted the shortcomings of previous research and tried to improve current knowledge about the applicability of approximate matching in the context of executable files by evaluating typical use cases. We extend their work by taking a closer look at further common scenarios that are not covered in their article. Specifically, we examine use cases such as different versions of the same software and comparisons between on-disk and in-memory representations of the same program, both for malicious and benign software.

Our findings reveal that the considered algorithms’ performance across all evaluated scenarios was generally unsatisfactory. Notably, they struggle with size-related and localized modifications introduced during the loading stage. Furthermore, executables with no functional similarity may be mismatched due to shared byte-level similarity caused by embedded resources or inherent to certain programming languages or runtime environments. Consequently, these algorithms should be used cautiously and regarded as assisting tools rather than reliable methods for indicating similarity between executable files, as both false positives and false negatives can occur, and users should be aware of them.

Moreover, while some of the unfavored results stem from design decisions, we observed unexpected behavior in some experiments that we could trace back to issues in the reference implementations of the algorithms. After fixing the implementations, the strange effects in our results indeed disappeared. It is still an open question if and to what extent previous experiments and evaluations were affected by these issues.

本研究探讨了字节近似匹配算法在可执行文件上的应用，评估了ssdeep、sdhash、TLSH和MRSHv2在各种场景中的有效性，在这些场景中，近似匹配似乎是一种自然的使用工具。以前的工作已经强调，近似匹配通常用于算法没有被彻底和系统地评估的任务。Pagani等人（2018）特别强调了先前研究的缺点，并试图通过评估典型用例来改进当前关于可执行文件上下文中近似匹配适用性的知识。我们通过深入研究他们的文章中未涉及的其他常见场景来扩展他们的工作。具体地说，我们检查用例，例如同一软件的不同版本，以及同一程序的磁盘上和内存中表示形式之间的比较，包括恶意软件和良性软件。我们的研究结果表明，所考虑的算法在所有评估场景中的性能通常不令人满意。值得注意的是，它们与加载阶段引入的与尺寸相关的本地化修改作斗争。此外，由于嵌入式资源或某些编程语言或运行时环境固有的共享字节级相似性，没有功能相似性的可执行文件可能会不匹配。因此，应该谨慎使用这些算法，并将其视为指示可执行文件之间相似性的辅助工具，而不是可靠的方法，因为可能会出现假阳性和假阴性，用户应该意识到这一点。此外，虽然一些不受欢迎的结果源于设计决策，但我们在一些实验中观察到意想不到的行为，我们可以追溯到算法参考实现中的问题。在修复了实现之后，我们的结果中的奇怪效果确实消失了。以前的实验和评估是否以及在多大程度上受到这些问题的影响仍然是一个悬而未决的问题。

{"title":"Bytewise approximate matching: Evaluating common scenarios for executable files","authors":"Carlo Jakobs, Axel Mahr, Martin Lambertz, Mariia Rybalka, Daniel Plohmann","doi":"10.1016/j.fsidi.2025.301927","DOIUrl":"10.1016/j.fsidi.2025.301927","url":null,"abstract":"<div><div>This research explores the application of bytewise approximate matching algorithms on executable files, evaluating the effectiveness of ssdeep, sdhash, TLSH, and MRSHv2 across various scenarios, where approximate matching seems to be a natural tool to employ. Previous works already underlined that approximate matching is often used for tasks where the algorithms have not been thoroughly and systematically evaluated. Pagani et al. (2018), in particular, highlighted the shortcomings of previous research and tried to improve current knowledge about the applicability of approximate matching in the context of executable files by evaluating typical use cases. We extend their work by taking a closer look at further common scenarios that are not covered in their article. Specifically, we examine use cases such as different versions of the same software and comparisons between on-disk and in-memory representations of the same program, both for malicious and benign software.</div><div>Our findings reveal that the considered algorithms’ performance across all evaluated scenarios was generally unsatisfactory. Notably, they struggle with size-related and localized modifications introduced during the loading stage. Furthermore, executables with no functional similarity may be mismatched due to shared byte-level similarity caused by embedded resources or inherent to certain programming languages or runtime environments. Consequently, these algorithms should be used cautiously and regarded as assisting tools rather than reliable methods for indicating similarity between executable files, as both false positives and false negatives can occur, and users should be aware of them.</div><div>Moreover, while some of the unfavored results stem from design decisions, we observed unexpected behavior in some experiments that we could trace back to issues in the reference implementations of the algorithms. After fixing the implementations, the strange effects in our results indeed disappeared. It is still an open question if and to what extent previous experiments and evaluations were affected by these issues.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301927"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749090","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Detecting hidden kernel modules in memory snapshots 检测内存快照中隐藏的内核模块

IF 2.2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301928

Roland Nagy

Rootkit infections have plagued IT systems for several decades now. As non-trivial threats often employed by sophisticated adversaries, rootkits have received a large amount of attention, from both the industrial and academic communities. Consequently, rootkit detection has a rich literature, but most papers focus on only detecting the fact that an infection happened. They rarely offer mitigation, let alone identifying the piece of malware. We aim to solve this by not only detecting rootkit infections but by finding the malware as well. Our paper has three main goals: extend the state of the art of cross-view-based detection of Loadable Kernel Modules (the de-facto delivery method of Linux kernel rootkits), provide a memory forensics tool that implements our detection method and enables further investigation of loaded modules, and publish the dataset we used to evaluate our solution. We implemented our tool in the form of a Volatility plugin and compared it to the already existing module detection capability of Volatility. We tested them on 55 rootkit-infected memory dumps, covering 27 different versions of the Linux kernel. We also provide compatibility analysis with different kernel versions, ranging from the initial release to the latest (6.13, at the time of writing).

几十年来，Rootkit感染一直困扰着IT系统。作为复杂的对手经常使用的重要威胁，rootkit已经受到了工业界和学术界的大量关注。因此，rootkit检测有丰富的文献，但大多数论文只关注于检测感染发生的事实。他们很少提供缓解措施，更不用说识别恶意软件了。我们的目标是不仅通过检测rootkit感染，而且通过找到恶意软件来解决这个问题。我们的论文有三个主要目标：扩展可加载内核模块的基于交叉视图的检测技术（Linux内核rootkit的实际交付方法），提供一个内存取证工具来实现我们的检测方法，并允许对加载模块进行进一步调查，并发布我们用于评估我们的解决方案的数据集。我们以波动性插件的形式实现了我们的工具，并将其与波动性现有的模块检测能力进行了比较。我们在55个被rootkit感染的内存转储上测试了它们，覆盖了27个不同版本的Linux内核。我们还提供了不同内核版本的兼容性分析，范围从初始版本到最新版本（撰写本文时为6.13）。

{"title":"Detecting hidden kernel modules in memory snapshots","authors":"Roland Nagy","doi":"10.1016/j.fsidi.2025.301928","DOIUrl":"10.1016/j.fsidi.2025.301928","url":null,"abstract":"<div><div>Rootkit infections have plagued IT systems for several decades now. As non-trivial threats often employed by sophisticated adversaries, rootkits have received a large amount of attention, from both the industrial and academic communities. Consequently, rootkit detection has a rich literature, but most papers focus on only detecting the fact that an infection happened. They rarely offer mitigation, let alone identifying the piece of malware. We aim to solve this by not only detecting rootkit infections but by finding the malware as well. Our paper has three main goals: extend the state of the art of cross-view-based detection of Loadable Kernel Modules (the de-facto delivery method of Linux kernel rootkits), provide a memory forensics tool that implements our detection method and enables further investigation of loaded modules, and publish the dataset we used to evaluate our solution. We implemented our tool in the form of a Volatility plugin and compared it to the already existing module detection capability of Volatility. We tested them on 55 rootkit-infected memory dumps, covering 27 different versions of the Linux kernel. We also provide compatibility analysis with different kernel versions, ranging from the initial release to the latest (6.13, at the time of writing).</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301928"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749091","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Thumb: A forensic automation framework leveraging MLLMs and OCR on Android device Thumb：在Android设备上利用mlm和OCR的取证自动化框架

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-06-17 DOI: 10.1016/j.fsidi.2025.301949

Dingjie Shang, Amin Sakzad, Stuart W. Hall

The forensic of Android devices is challenging due to automated thumbnail generation by applications and the operating system, complicating attribution to specific user actions. This paper presents the design, implementation, and evaluation of a forensic framework, Thumb, which performs real-time experiments on physical Android devices. Thumb integrates multimodal large language models (MLLM) and Optical Character Recognition (OCR) to capture on-screen information and simulate user interactions, while extracting data from internal storage to monitor changes in cached and thumbnail files. A proof-of-concept implementation demonstrates the framework's accuracy across various applications, highlighting its potential to simplify Android forensic analysis. However, current MLLM limitations and the framework's structure pose challenges in complex scenarios and detailed data analysis.

Android设备的取证具有挑战性，因为应用程序和操作系统会自动生成缩略图，这使得对特定用户行为的归因变得复杂。本文介绍了一个取证框架Thumb的设计、实现和评估，该框架可以在物理Android设备上进行实时实验。Thumb集成了多模态大语言模型（MLLM）和光学字符识别（OCR）来捕捉屏幕上的信息并模拟用户交互，同时从内部存储中提取数据以监控缓存和缩略图文件的变化。概念验证实现演示了该框架在各种应用程序中的准确性，突出了其简化Android取证分析的潜力。然而，当前MLLM的局限性和框架的结构给复杂场景和详细数据分析带来了挑战。

引用次数: 0

DrIfTeR: A Drone Identification Technique using RF signals 一种使用射频信号的无人机识别技术

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-06-16 DOI: 10.1016/j.fsidi.2025.301948

Pankaj Choudhary , Vikas Sihag , Gaurav Choudhary , Nicola Dragoni

The civilian drone market is experiencing explosive growth, with projections estimating it will hit USD 54.81 billion by 2030. This surge in drone numbers brings with it significant privacy and security challenges. To defend critical infrastructure and safeguard personal privacy from misuse, an effective drone detection system has become essential. There is a demand for detection solution that is not only efficient and accurate but also robust, cost-effective, and scalable to meet the evolving needs of this rapidly expanding field. In this paper, we present DrIfTeR, a drone detection, identification and classification model based on the radio frequency signals. Firstly we employ wavelet domain extraction and 3-stage wavelet decomposition during RF signal preprocessing. Secondly, we employ traditional machine learning, deep learning and ensemble learning models to evaluate effectiveness. Thirdly, we evaluate performance of DrIfTeR against drone detection, drone manufacturer identification and drone model identification. The performance of the approach is evaluated against benchmark dataset and is found to be effective and accurate.

民用无人机市场正在经历爆炸式增长，预计到2030年将达到548.1亿美元。无人机数量的激增带来了重大的隐私和安全挑战。为了保护关键基础设施和保护个人隐私不被滥用，一个有效的无人机检测系统变得至关重要。对检测解决方案的需求不仅是高效和准确的，而且是强大的，具有成本效益的，可扩展的，以满足这个快速扩展的领域不断变化的需求。本文提出了一种基于射频信号的无人机检测、识别和分类模型DrIfTeR。首先在射频信号预处理中采用小波域提取和三级小波分解。其次，我们采用传统的机器学习、深度学习和集成学习模型来评估有效性。第三，我们评估了DrIfTeR在无人机检测、无人机制造商识别和无人机型号识别方面的性能。针对基准数据集对该方法的性能进行了评估，结果表明该方法是有效和准确的。

{"title":"DrIfTeR: A Drone Identification Technique using RF signals","authors":"Pankaj Choudhary , Vikas Sihag , Gaurav Choudhary , Nicola Dragoni","doi":"10.1016/j.fsidi.2025.301948","DOIUrl":"10.1016/j.fsidi.2025.301948","url":null,"abstract":"<div><div>The civilian drone market is experiencing explosive growth, with projections estimating it will hit USD 54.81 billion by 2030. This surge in drone numbers brings with it significant privacy and security challenges. To defend critical infrastructure and safeguard personal privacy from misuse, an effective drone detection system has become essential. There is a demand for detection solution that is not only efficient and accurate but also robust, cost-effective, and scalable to meet the evolving needs of this rapidly expanding field. In this paper, we present DrIfTeR, a drone detection, identification and classification model based on the radio frequency signals. Firstly we employ wavelet domain extraction and 3-stage wavelet decomposition during RF signal preprocessing. Secondly, we employ traditional machine learning, deep learning and ensemble learning models to evaluate effectiveness. Thirdly, we evaluate performance of DrIfTeR against drone detection, drone manufacturer identification and drone model identification. The performance of the approach is evaluated against benchmark dataset and is found to be effective and accurate.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301948"},"PeriodicalIF":2.0,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144290613","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Decrypting messages: Extracting digital evidence from signal desktop for windows 解密消息：从windows的信号桌面中提取数字证据

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-06-10 DOI: 10.1016/j.fsidi.2025.301941

Gonçalo Paulino , Miguel Negrão , Miguel Frade , Patrício Domingues

With growing concerns over the security and privacy of personal conversations, end-to-end encrypted instant messaging applications have become a key focus of forensic research. This study presents a detailed methodology along with an automated Python script for decrypting and analyzing forensic artifacts from Signal Desktop for Windows. The methodology is divided into two phases: i) decryption of locally stored data and ii) analysis and documentation of forensic artifacts. To ensure data integrity, the proposed approach enables retrieval without launching Signal Desktop, preventing potential alterations. Additionally, a reporting module organizes extracted data for forensic investigators, enhancing usability. Our approach is effective in extracting and analyzing encrypted Signal artifacts, providing a reliable method for forensic investigations.

随着人们对个人对话的安全性和隐私性的日益关注，端到端加密即时通讯应用程序已成为法医研究的重点。这项研究提出了一个详细的方法，以及一个自动的Python脚本，用于解密和分析来自Signal Desktop for Windows的取证工件。该方法分为两个阶段：i)本地存储数据的解密和ii)法医文物的分析和记录。为了确保数据的完整性，所提出的方法可以在不启动Signal Desktop的情况下进行检索，从而防止潜在的更改。此外，报告模块为法医调查人员组织提取的数据，增强了可用性。该方法有效地提取和分析了加密信号伪影，为法医调查提供了可靠的方法。

引用次数: 0

Autocrime - open multimodal platform for combating organized crime 自动犯罪-打击有组织犯罪的开放式多模式平台

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-06-03 DOI: 10.1016/j.fsidi.2025.301937

Srikanth Madikeri , Petr Motlicek , Dairazalia Sanchez-Cortes , Pradeep Rangappa , Joshua Hughes , Jakub Tkaczuk , Alejandra Sanchez Lara , Driss Khalil , Johan Rohdin , Dawei Zhu , Aravind Krishnan , Dietrich Klakow , Zahra Ahmadi , Marek Kováč , Dominik Boboš , Costas Kalogiros , Andreas Alexopoulos , Denis Marraud

A criminal investigation is a labor-intensive work requiring expert knowledge from several disciplines. Due to a large amount of heterogeneous data available from several modalities (i.e., audio/speech, text, video, non-content data), its processing raises many challenges. It may become impossible for law enforcement agents to deal with large amounts of highly-diverse data, especially for cross-border investigations focused on organized crime. ROXANNE EC H2020 project developed an all-in-one investigation platform for processing such diverse data. The platform mainly focuses on analyzing lawfully intercepted telephone conversations extended by non-content data (e.g., metadata related to the calls, time/spatial positions, and data collected from social media). Several state-of-the-art components are integrated into the pipeline, including speaker identification, automatic speech recognition, and named entity detection. With information extracted from this pipeline, the platform builds multiple knowledge graphs that capture phone and speaker criminal network interactions, including the central network and their clans. After hands-on sessions, law enforcement agents found the Autocrime platform easy to understand and highlighted its innovative, multi-technology functionalities that streamline forensic investigations, reducing manual effort. The AI-powered platform marks a significant first step toward creating an open investigative tool that combines advanced speech, text, and video processing algorithms with criminal network analysis, aimed at mitigating organized crime.

刑事侦查是一项劳动密集型的工作，需要多个学科的专业知识。由于来自多种模式的大量异构数据（即音频/语音、文本、视频、非内容数据），其处理提出了许多挑战。执法人员可能无法处理大量高度多样化的数据，特别是针对有组织犯罪的跨境调查。ROXANNE EC H2020项目开发了一个一体化的调查平台来处理这些多样化的数据。该平台主要侧重于分析合法截获的非内容数据（如与通话相关的元数据、时间/空间位置、社交媒体收集的数据）扩展的电话对话。几个最先进的组件集成到管道中，包括说话人识别、自动语音识别和命名实体检测。通过从这个管道中提取的信息，该平台建立了多个知识图谱，捕捉电话和扬声器犯罪网络的相互作用，包括中央网络和他们的宗族。在实践环节后，执法人员发现Autocrime平台易于理解，并强调其创新的多技术功能，简化了法医调查，减少了人工工作。这个由人工智能驱动的平台标志着朝着创建一个开放的调查工具迈出了重要的第一步，该工具将先进的语音、文本和视频处理算法与犯罪网络分析相结合，旨在减轻有组织犯罪。

{"title":"Autocrime - open multimodal platform for combating organized crime","authors":"Srikanth Madikeri , Petr Motlicek , Dairazalia Sanchez-Cortes , Pradeep Rangappa , Joshua Hughes , Jakub Tkaczuk , Alejandra Sanchez Lara , Driss Khalil , Johan Rohdin , Dawei Zhu , Aravind Krishnan , Dietrich Klakow , Zahra Ahmadi , Marek Kováč , Dominik Boboš , Costas Kalogiros , Andreas Alexopoulos , Denis Marraud","doi":"10.1016/j.fsidi.2025.301937","DOIUrl":"10.1016/j.fsidi.2025.301937","url":null,"abstract":"<div><div>A criminal investigation is a labor-intensive work requiring expert knowledge from several disciplines. Due to a large amount of heterogeneous data available from several modalities (i.e., audio/speech, text, video, non-content data), its processing raises many challenges. It may become impossible for law enforcement agents to deal with large amounts of highly-diverse data, especially for cross-border investigations focused on organized crime. ROXANNE EC H2020 project developed an all-in-one investigation platform for processing such diverse data. The platform mainly focuses on analyzing lawfully intercepted telephone conversations extended by non-content data (e.g., metadata related to the calls, time/spatial positions, and data collected from social media). Several state-of-the-art components are integrated into the pipeline, including speaker identification, automatic speech recognition, and named entity detection. With information extracted from this pipeline, the platform builds multiple knowledge graphs that capture phone and speaker criminal network interactions, including the central network and their clans. After hands-on sessions, law enforcement agents found the Autocrime platform easy to understand and highlighted its innovative, multi-technology functionalities that streamline forensic investigations, reducing manual effort. The AI-powered platform marks a significant first step toward creating an open investigative tool that combines advanced speech, text, and video processing algorithms with criminal network analysis, aimed at mitigating organized crime.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301937"},"PeriodicalIF":2.0,"publicationDate":"2025-06-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144205090","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0