Forensic Science International-Digital Investigation最新文献_第7页

Unearthing the hidden path of MANET's nodes with signal strength measurements: Forensics challenges, survey and a novel approach for data collection, preservation and examination 通过信号强度测量揭示MANET节点的隐藏路径：取证挑战、调查和数据收集、保存和检查的新方法

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-05-16 DOI: 10.1016/j.fsidi.2025.301916

Omar Ragheb , Mena Safwat , Marianne A. Azer

Mobile Ad hoc Networks (MANETs) are self-configuring networks of mobile devices that communicate with each other without the need for infrastructure. This makes them highly flexible and adaptable to changing environments, making them ideal for applications such as transportation and tactical domains. However, the mobility feature of the network poses new challenges for digital forensics investigators due to their specific characteristics. One challenge is how the investigator can prove the Chain of Custody (COC) in court in this highly volatile network to ensure the integrity of the evidence. This paper studies the forensic challenges in several wireless technologies, including the Internet of Things (IoT), Vehicular Ad-hoc Networks (VANETs), and, especially in Mobile Ad-hoc Networks (MANETs), critically reviews several approaches to cover the challenges, and also proposes a novel digital forensics framework that is built on Fog Computing (FC). Using regular communication signal strength measurements, the proposed framework enables investigators to learn details about nodes' locations over time and mobility characteristics without requiring changes to communication protocols or overwhelming nodes with additional tasks. This can help to ensure the availability and integrity of the digital evidence and its admissibility in court. Additionally, the paper suggests a novel automated detection technique for Hello Flood attacks in ad-hoc networks. The viability of the approach has been demonstrated on a network simulator.

移动自组织网络（manet）是移动设备的自配置网络，无需基础设施即可相互通信。这使得它们高度灵活，适应不断变化的环境，使它们成为运输和战术领域等应用的理想选择。然而，网络的移动性由于其特有的特性，给数字取证调查员带来了新的挑战。一个挑战是调查人员如何在这个高度不稳定的网络中在法庭上证明监管链（COC），以确保证据的完整性。本文研究了几种无线技术中的取证挑战，包括物联网（IoT），车辆自组织网络（VANETs），特别是移动自组织网络（manet），批判性地回顾了几种应对挑战的方法，并提出了一种基于雾计算（FC）的新型数字取证框架。使用常规通信信号强度测量，所提出的框架使研究人员能够了解节点随时间的位置和移动特性的详细信息，而无需更改通信协议或用额外的任务压倒节点。这有助于确保数字证据的可用性和完整性及其在法庭上的可采性。此外，本文还提出了一种针对ad-hoc网络中Hello Flood攻击的新型自动检测技术。该方法的可行性已在网络模拟器上得到验证。

{"title":"Unearthing the hidden path of MANET's nodes with signal strength measurements: Forensics challenges, survey and a novel approach for data collection, preservation and examination","authors":"Omar Ragheb , Mena Safwat , Marianne A. Azer","doi":"10.1016/j.fsidi.2025.301916","DOIUrl":"10.1016/j.fsidi.2025.301916","url":null,"abstract":"<div><div>Mobile Ad hoc Networks (MANETs) are self-configuring networks of mobile devices that communicate with each other without the need for infrastructure. This makes them highly flexible and adaptable to changing environments, making them ideal for applications such as transportation and tactical domains. However, the mobility feature of the network poses new challenges for digital forensics investigators due to their specific characteristics. One challenge is how the investigator can prove the Chain of Custody (COC) in court in this highly volatile network to ensure the integrity of the evidence. This paper studies the forensic challenges in several wireless technologies, including the Internet of Things (IoT), Vehicular Ad-hoc Networks (VANETs), and, especially in Mobile Ad-hoc Networks (MANETs), critically reviews several approaches to cover the challenges, and also proposes a novel digital forensics framework that is built on Fog Computing (FC). Using regular communication signal strength measurements, the proposed framework enables investigators to learn details about nodes' locations over time and mobility characteristics without requiring changes to communication protocols or overwhelming nodes with additional tasks. This can help to ensure the availability and integrity of the digital evidence and its admissibility in court. Additionally, the paper suggests a novel automated detection technique for Hello Flood attacks in ad-hoc networks. The viability of the approach has been demonstrated on a network simulator.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301916"},"PeriodicalIF":2.0,"publicationDate":"2025-05-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144071062","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Infotainment system Forensics: Ford SYNC 3 gen 2 infotainment system as a use case 信息娱乐系统取证：以福特SYNC 3代信息娱乐系统为例

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-05-15 DOI: 10.1016/j.fsidi.2025.301917

Nils Antonson , Darren Quick , Kim-Kwang Raymond Choo

The digital era is ushering in the next generation of motor vehicles supported by dozens of dispersed electronic control units (ECUs) communicating with each other over controller area networks (e.g., CAN bus). Each ECU is responsible for a specific set of functions. For example, built-in cellular modems, typically part of the telecommunication control unit (TCU), are used to call first responders when a crash is detected, but also surreptitiously send back vehicle telematics, and enable convenient features such as remote unlock/lock, remote start, and log the GPS position of the automobile into the cloud. Potentially, every input by the driver is logged and recorded within these ECUs. Indeed, modern automobiles are inadvertently equipped with proverbial black boxes. As a result, a new subdivision of digital forensics to extract and analyze this black box data is emerging. Smart vehicle forensics, also known as digital vehicle forensics (DVF), enables investigators to examine data produced by and stored inside automobiles. The infotainment system typically holds the most valuable data because it contains GPS tracklogs, artifacts left behind from paired mobile devices, and receives data from many other modules within the automobile. Therefore, DVF primarily focuses on the automobiles infotainment system, and specializes in extracting and analyzing stored electronic data. Law enforcement is increasingly becoming aware and making use of this new source of data. It is only a matter of time and budget before DVF investigations become routine and common practice.

数字时代正在迎来由数十个分散的电子控制单元（ecu）支持的下一代机动车辆，这些电子控制单元（ecu）通过控制器局域网（例如CAN总线）相互通信。每个ECU负责一组特定的功能。例如，内置的蜂窝调制解调器，通常是电信控制单元（TCU）的一部分，用于在检测到碰撞时呼叫急救人员，但也可以秘密地发送车辆远程信息，并启用远程解锁/锁定、远程启动等方便功能，并将汽车的GPS位置记录到云端。潜在地，驱动程序的每个输入都被记录在这些ecu中。事实上，现代汽车在不经意间配备了众所周知的黑匣子。因此，一个新的数字取证分支正在出现，以提取和分析这些黑匣子数据。智能车辆取证，也被称为数字车辆取证（DVF），使调查人员能够检查汽车产生和存储的数据。信息娱乐系统通常拥有最有价值的数据，因为它包含GPS跟踪记录、配对移动设备留下的痕迹，并从汽车内的许多其他模块接收数据。因此，DVF主要针对汽车信息娱乐系统，专门对存储的电子数据进行提取和分析。执法部门越来越意识到并利用这种新的数据来源。DVF调查成为常规和普遍做法只是时间和预算问题。

{"title":"Infotainment system Forensics: Ford SYNC 3 gen 2 infotainment system as a use case","authors":"Nils Antonson , Darren Quick , Kim-Kwang Raymond Choo","doi":"10.1016/j.fsidi.2025.301917","DOIUrl":"10.1016/j.fsidi.2025.301917","url":null,"abstract":"<div><div>The digital era is ushering in the next generation of motor vehicles supported by dozens of dispersed electronic control units (ECUs) communicating with each other over controller area networks (e.g., CAN bus). Each ECU is responsible for a specific set of functions. For example, built-in cellular modems, typically part of the telecommunication control unit (TCU), are used to call first responders when a crash is detected, but also surreptitiously send back vehicle telematics, and enable convenient features such as remote unlock/lock, remote start, and log the GPS position of the automobile into the cloud. Potentially, every input by the driver is logged and recorded within these ECUs. Indeed, modern automobiles are inadvertently equipped with proverbial black boxes. As a result, a new subdivision of digital forensics to extract and analyze this black box data is emerging. Smart vehicle forensics, also known as digital vehicle forensics (DVF), enables investigators to examine data produced by and stored inside automobiles. The infotainment system typically holds the most valuable data because it contains GPS tracklogs, artifacts left behind from paired mobile devices, and receives data from many other modules within the automobile. Therefore, DVF primarily focuses on the automobiles infotainment system, and specializes in extracting and analyzing stored electronic data. Law enforcement is increasingly becoming aware and making use of this new source of data. It is only a matter of time and budget before DVF investigations become routine and common practice.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301917"},"PeriodicalIF":2.0,"publicationDate":"2025-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143947549","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Leveraging self-supervised learning for scene classification in child sexual abuse imagery 利用自监督学习对儿童性虐待图像进行场景分类

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-05-15 DOI: 10.1016/j.fsidi.2025.301918

Pedro H.V. Valois , João Macedo , Leo S.F. Ribeiro , Jefersson A. dos Santos , Sandra Avila

Crime in the 21st century is split into a virtual and real world. However, the former has become a global menace to people's well-being and security in the latter. The challenges it presents must be faced with unified global cooperation, and we must rely more than ever on automated yet trustworthy tools to combat the ever-growing nature of online offenses. Over 10 million child sexual abuse reports are submitted to the US National Center for Missing & Exploited Children every year, and over 80% originate from online sources. Therefore, investigation centers cannot manually process and correctly investigate all imagery. In light of that, reliable automated tools that can securely and efficiently deal with this data are paramount. In this sense, the scene classification task looks for contextual cues in the environment, being able to group and classify child sexual abuse data without requiring to be trained on sensitive material. The scarcity and limitations of working with child sexual abuse images lead to self-supervised learning, a machine-learning methodology that leverages unlabeled data to produce powerful representations that can be more easily transferred to downstream tasks. This work shows that self-supervised deep learning models pre-trained on scene-centric data can reach 71.6% balanced accuracy on our indoor scene classification task and, on average, 2.2 percentage points better performance than a fully supervised version. We cooperate with Brazilian Federal Police experts to evaluate our indoor classification model on actual child abuse material. The results demonstrate a notable discrepancy between the features observed in widely used scene datasets and those depicted on sensitive materials.

21世纪的犯罪分为虚拟世界和现实世界。然而，前者已成为威胁后者人民福祉和安全的全球性威胁。它所带来的挑战必须通过统一的全球合作来面对，我们必须比以往任何时候都更加依赖自动化但值得信赖的工具来打击日益增长的在线犯罪。超过1000万份儿童性虐待报告提交给美国国家失踪中心。每年都有被剥削的儿童，其中80%以上来自网络资源。因此，调查中心无法手动处理和正确调查所有图像。有鉴于此，能够安全有效地处理这些数据的可靠自动化工具至关重要。从这个意义上说，场景分类任务在环境中寻找上下文线索，能够对儿童性虐待数据进行分组和分类，而不需要接受敏感材料的培训。处理儿童性虐待图像的稀缺性和局限性导致了自我监督学习，这是一种机器学习方法，利用未标记的数据产生强大的表示，可以更容易地转移到下游任务。这项工作表明，在以场景为中心的数据上进行预训练的自监督深度学习模型在我们的室内场景分类任务上可以达到71.6%的平衡准确率，平均比完全监督的模型高出2.2个百分点。我们与巴西联邦警察专家合作，评估我们的室内分类模型对实际虐待儿童的材料。结果表明，在广泛使用的场景数据集中观察到的特征与在敏感材料上描述的特征之间存在显着差异。

{"title":"Leveraging self-supervised learning for scene classification in child sexual abuse imagery","authors":"Pedro H.V. Valois , João Macedo , Leo S.F. Ribeiro , Jefersson A. dos Santos , Sandra Avila","doi":"10.1016/j.fsidi.2025.301918","DOIUrl":"10.1016/j.fsidi.2025.301918","url":null,"abstract":"<div><div>Crime in the 21st century is split into a virtual and real world. However, the former has become a global menace to people's well-being and security in the latter. The challenges it presents must be faced with unified global cooperation, and we must rely more than ever on automated yet trustworthy tools to combat the ever-growing nature of online offenses. Over 10 million child sexual abuse reports are submitted to the US National Center for Missing & Exploited Children every year, and over 80% originate from online sources. Therefore, investigation centers cannot manually process and correctly investigate all imagery. In light of that, reliable automated tools that can securely and efficiently deal with this data are paramount. In this sense, the scene classification task looks for contextual cues in the environment, being able to group and classify child sexual abuse data without requiring to be trained on sensitive material. The scarcity and limitations of working with child sexual abuse images lead to self-supervised learning, a machine-learning methodology that leverages unlabeled data to produce powerful representations that can be more easily transferred to downstream tasks. This work shows that self-supervised deep learning models pre-trained on scene-centric data can reach 71.6% balanced accuracy on our indoor scene classification task and, on average, 2.2 percentage points better performance than a fully supervised version. We cooperate with Brazilian Federal Police experts to evaluate our indoor classification model on actual child abuse material. The results demonstrate a notable discrepancy between the features observed in widely used scene datasets and those depicted on sensitive materials.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301918"},"PeriodicalIF":2.0,"publicationDate":"2025-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143947548","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Data hiding in symbolic link slack space 隐藏在符号链接松弛空间中的数据

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-05-13 DOI: 10.1016/j.fsidi.2025.301919

Fergus Toolan, Georgina Humphries

Recent research has begun to focus on data hiding in file systems, however, much of this is focused on individual file systems such as ext, NTFS and XFS. This paper examines an exploitation of symbolic link storage methods to manufacture slack space which can be used for hiding information in file systems. Many modern file systems, including ext, XFS, BtrFS, HFS+, APFS and NTFS support symbolic links at the file system level. This paper investigates these structures in the various file systems and determines if the symbolic links can be used to create slack space, and if so determines their effectiveness in hiding data from users, system administrators and forensic analysts.

最近的研究已经开始关注隐藏在文件系统中的数据，然而，其中大部分研究都集中在单个文件系统上，如ext、NTFS和XFS。本文研究了利用符号链接存储方法来制造空闲空间，从而在文件系统中隐藏信息。许多现代文件系统，包括ext、XFS、BtrFS、HFS+、APFS和NTFS，都支持文件系统级别的符号链接。本文研究了各种文件系统中的这些结构，并确定符号链接是否可以用于创建空闲空间，如果可以，则确定它们在向用户、系统管理员和法医分析人员隐藏数据方面的有效性。

引用次数: 0

Towards reliable data in the scope of unmanned aircraft systems 朝着可靠的数据在无人机系统的范围

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-04-29 DOI: 10.1016/j.fsidi.2025.301914

Karolin Lohre , Harald Baier , Lukas Hardi , Andreas Attenberger

The goal of a digital forensic examination is to answer legal questions in the scope of IT systems. In order to come up with accurate answers, the data of the IT system at hand needs to be reliable. While the processing of digital traces of classical operating systems like Windows and its corresponding applications is well understood (especially with respect to the reliability of traces), emerging technologies often lack such an understanding of the trustworthiness of the examined data. In this work, we address the reliability of data in the scope of Unmanned Aircraft System (UAS). Although systems like UAS have become popular in various fields of application, digital forensic scientists and investigators currently lack an understanding of how to assess the correctness of UAS information, especially in the scope of Do-It-Yourself drone forensics. We shed light on common challenges when working with UAS data. Our main contribution is the introduction, explanation, and discussion of a conceptual framework to rate the reliability of UAS data. Our framework is based on three different categories representing three different levels of knowledge about the state of the UAS.

数字法医检查的目标是回答IT系统范围内的法律问题。为了得到准确的答案，手头的IT系统的数据需要是可靠的。虽然传统操作系统（如Windows）及其相应应用程序的数字痕迹处理很好理解（特别是关于痕迹的可靠性），但新兴技术通常缺乏对检查数据可信度的理解。在这项工作中，我们解决了无人机系统（UAS）范围内数据的可靠性。尽管像UAS这样的系统在各个应用领域都很受欢迎，但数字法医科学家和调查人员目前对如何评估UAS信息的正确性缺乏了解，特别是在diy无人机取证的范围内。我们在处理无人机数据时阐明了常见的挑战。我们的主要贡献是介绍、解释和讨论一个概念性框架来评价UAS数据的可靠性。我们的框架基于三个不同的类别，代表了关于无人机状态的三个不同层次的知识。

{"title":"Towards reliable data in the scope of unmanned aircraft systems","authors":"Karolin Lohre , Harald Baier , Lukas Hardi , Andreas Attenberger","doi":"10.1016/j.fsidi.2025.301914","DOIUrl":"10.1016/j.fsidi.2025.301914","url":null,"abstract":"<div><div>The goal of a digital forensic examination is to answer legal questions in the scope of IT systems. In order to come up with accurate answers, the data of the IT system at hand needs to be reliable. While the processing of digital traces of classical operating systems like Windows and its corresponding applications is well understood (especially with respect to the reliability of traces), emerging technologies often lack such an understanding of the trustworthiness of the examined data. In this work, we address the reliability of data in the scope of Unmanned Aircraft System (UAS). Although systems like UAS have become popular in various fields of application, digital forensic scientists and investigators currently lack an understanding of how to assess the correctness of UAS information, especially in the scope of Do-It-Yourself drone forensics. We shed light on common challenges when working with UAS data. Our main contribution is the introduction, explanation, and discussion of a conceptual framework to rate the reliability of UAS data. Our framework is based on three different categories representing three different levels of knowledge about the state of the UAS.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301914"},"PeriodicalIF":2.0,"publicationDate":"2025-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143882128","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Formulating propositions in Trojan horse defense cases 在特洛伊木马辩护案件中提出主张

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-04-28 DOI: 10.1016/j.fsidi.2025.301915

M. Vink , R. Schramp , C.E.H. Berger , M.J. Sjerps

This paper demonstrates how to formulate relevant sets of propositions in cases involving alleged possession of illegal content on electronic devices. The primary purpose of exploring how to formulate propositions is to enable a balanced and transparent evaluation of digital evidence, ideally using a likelihood ratio (LR). We present five categories explaining how illegal material can appear on electronic devices, including intentional and unintentional activities by suspects, other individuals, or automated processes (the “Trojan horse defense”). We review existing guidelines on formulating propositions developed for physical evidence and show how each explanation category can be properly formulated into propositions. Our findings indicate that the digital forensic domain can benefit from established principles for evaluating physical evidence. We also observe aspects that are more specific to digital forensic science where observations need to be evaluated in cases where intent is disputed, which can lead to propositions that address whether activities were carried out knowingly or unknowingly. By providing guidance on formulating relevant propositions, this research aims to contribute to the broader implementation of evaluative practices in digital forensic science.

本文论证了在涉及电子设备上涉嫌拥有非法内容的案件中如何制定相关的命题。探索如何制定命题的主要目的是对数字证据进行平衡和透明的评估，理想情况下使用似然比（LR）。我们提出了五个类别来解释非法材料是如何出现在电子设备上的，包括嫌疑人、其他个人或自动化过程（“特洛伊木马防御”）的有意和无意活动。我们回顾了为物理证据制定命题的现有指导方针，并展示了如何将每个解释类别适当地制定为命题。我们的研究结果表明，数字取证领域可以从评估物证的既定原则中受益。我们还观察到数字法医科学更具体的方面，在意图存在争议的情况下，需要对观察结果进行评估，这可能导致解决活动是有意还是无意进行的命题。通过为相关命题的制定提供指导，本研究旨在促进数字法医学评估实践的更广泛实施。

{"title":"Formulating propositions in Trojan horse defense cases","authors":"M. Vink , R. Schramp , C.E.H. Berger , M.J. Sjerps","doi":"10.1016/j.fsidi.2025.301915","DOIUrl":"10.1016/j.fsidi.2025.301915","url":null,"abstract":"<div><div>This paper demonstrates how to formulate relevant sets of propositions in cases involving alleged possession of illegal content on electronic devices. The primary purpose of exploring how to formulate propositions is to enable a balanced and transparent evaluation of digital evidence, ideally using a likelihood ratio (LR). We present five categories explaining how illegal material can appear on electronic devices, including intentional and unintentional activities by suspects, other individuals, or automated processes (the “Trojan horse defense”). We review existing guidelines on formulating propositions developed for physical evidence and show how each explanation category can be properly formulated into propositions. Our findings indicate that the digital forensic domain can benefit from established principles for evaluating physical evidence. We also observe aspects that are more specific to digital forensic science where observations need to be evaluated in cases where intent is disputed, which can lead to propositions that address whether activities were carried out knowingly or unknowingly. By providing guidance on formulating relevant propositions, this research aims to contribute to the broader implementation of evaluative practices in digital forensic science.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301915"},"PeriodicalIF":2.0,"publicationDate":"2025-04-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143878936","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Horodocs: A scalable, sustainable, robust and privacy compliant system to securely timestamp digital evidence and documents Horodocs：一个可扩展的，可持续的，强大的和隐私兼容的系统，以安全地时间戳数字证据和文件

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-04-15 DOI: 10.1016/j.fsidi.2025.301913

David-Olivier Jaquet-Chiffelle , Ludovic Pfeiffer , Lionel Brocard , Emmanuel Benoist , Noria Foukia

Human activities produce more and more digital traces. Criminal activities are no exception: criminals often operate on computers, carry mobile phones, use GPS devices, or are recorded by surveillance cameras. Moreover, analyses of analog traces can produce results in a digital form. As digital information (evidence or results) becomes highly relevant in today's investigations, there is a pressing need for a trustworthy way to strengthen the chain of custody for digital content, especially its integrity component.

The Horodocs timestamping system responds to the need for a scalable, robust, trustworthy, independently verifiable, chronological ledger preventing backdating and enabling integrity verification of a digital file.

In order to make the system scalable and limit costs, submitted file hash values are grouped together into a local, temporary Merkle tree, called the Horodocs tree; this tree is discarded after its root value has been used to record both a derived identifier and an encrypted random control value on the Ethereum blockchain.¹ The main innovation resides in the way information about the Horodocs tree is provided to each participant having requested a timestamp during the lifespan of this tree. Each submitter gets a receipt with enough information to verify the timestamp for the hash values that were submitted to the Horodocs system: the receipt is only valid for the hash values of the original file and allows one to recalculate the root value of the corresponding discarded Horodocs tree independently. The root value is required to find the record in the Ethereum blockchain and to recover and decrypt the stored random control value to validate the date and time of the timestamp.

Throughout its conception, the Horodocs system has been developed with a concern for strong robustness against backdating, privacy-by-design, transparency, usability, scalability, sustainability, automation, as well as cost and energy savings.

人类活动产生了越来越多的数字痕迹。犯罪活动也不例外：犯罪分子经常在电脑上操作、携带移动电话、使用 GPS 设备或被监控摄像头记录。此外，对模拟痕迹的分析可以产生数字形式的结果。由于数字信息（证据或结果）在当今的调查中变得非常重要，因此迫切需要一种值得信赖的方式来加强数字内容的监管链，特别是其完整性部分。Horodocs 时间戳系统满足了人们对可扩展、稳健、值得信赖、可独立验证、按时间顺序排列的分类账的需求，这种分类账可以防止数字文件的日期倒置并实现完整性验证。为了使系统具有可扩展性并限制成本，提交的文件哈希值被组合成一棵本地的临时梅克尔树，称为 Horodocs 树；这棵树在其根值被用于在以太坊区块链上记录衍生标识符和加密随机控制值之后就会被丢弃1。主要的创新在于，在 Horodocs 树的生命周期内，向每个申请时间戳的参与者提供 Horodocs 树信息的方式。每个提交者都会收到一份收据，其中包含足够的信息来验证提交给 Horodocs 系统的哈希值的时间戳：该收据只对原始文件的哈希值有效，并允许人们独立重新计算相应废弃 Horodocs 树的根值。需要根值才能在以太坊区块链中找到记录，并恢复和解密存储的随机控制值，以验证时间戳的日期和时间。Horodocs 系统在整个构思过程中，一直关注其强大的鲁棒性，以防止反向操作、隐私设计、透明度、可用性、可扩展性、可持续性、自动化以及成本和能源节约。

{"title":"Horodocs: A scalable, sustainable, robust and privacy compliant system to securely timestamp digital evidence and documents","authors":"David-Olivier Jaquet-Chiffelle , Ludovic Pfeiffer , Lionel Brocard , Emmanuel Benoist , Noria Foukia","doi":"10.1016/j.fsidi.2025.301913","DOIUrl":"10.1016/j.fsidi.2025.301913","url":null,"abstract":"<div><div>Human activities produce more and more digital traces. Criminal activities are no exception: criminals often operate on computers, carry mobile phones, use GPS devices, or are recorded by surveillance cameras. Moreover, analyses of analog traces can produce results in a digital form. As digital information (evidence or results) becomes highly relevant in today's investigations, there is a pressing need for a trustworthy way to strengthen the chain of custody for digital content, especially its integrity component.</div><div>The Horodocs timestamping system responds to the need for a scalable, robust, trustworthy, independently verifiable, chronological ledger preventing backdating and enabling integrity verification of a digital file.</div><div>In order to make the system scalable and limit costs, submitted file hash values are grouped together into a local, temporary Merkle tree, called the Horodocs tree; this tree is discarded after its root value has been used to record both a derived identifier and an encrypted random control value on the Ethereum blockchain.<span><span><sup>1</sup></span></span> The main innovation resides in the way information about the Horodocs tree is provided to each participant having requested a timestamp during the lifespan of this tree. Each submitter gets a receipt with enough information to verify the timestamp for the hash values that were submitted to the Horodocs system: the receipt is only valid for the hash values of the original file and allows one to recalculate the root value of the corresponding discarded Horodocs tree independently. The root value is required to find the record in the Ethereum blockchain and to recover and decrypt the stored random control value to validate the date and time of the timestamp.</div><div>Throughout its conception, the Horodocs system has been developed with a concern for strong robustness against backdating, privacy-by-design, transparency, usability, scalability, sustainability, automation, as well as cost and energy savings.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301913"},"PeriodicalIF":2.0,"publicationDate":"2025-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143829696","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system 我知道你去年夏天去了哪里：通过对梅赛德斯-奔驰 NTG5*2 信息娱乐系统的取证分析提取隐私敏感信息

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-03-14 DOI: 10.1016/j.fsidi.2025.301909

Dario Stabili, Filip Valgimigli, Mirco Marchetti

Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offers different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store locally different types of data, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular

N T G 5

COMMAND IVI system (specifically, the

N T G 5 ⁎ 2

version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicles events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task.¹ Given the past usage of the

N T G 5

system, our work might have real life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general purpose tools.

现代车辆配备了车载信息娱乐系统（IVI），提供不同的功能，如典型的广播和多媒体服务，导航和互联网浏览。为了正常运行，IVI系统必须在本地存储不同类型的数据，以反映用户的偏好和行为。如果存储和管理不安全，这些数据可能会暴露敏感信息并带来隐私风险。在本文中，我们通过提出一种从流行的NTG5 COMMAND IVI系统（特别是Harman的NTG5 2版本）中提取隐私敏感信息的方法来解决这个问题，该系统从2013年到2019年部署在一些梅赛德斯-奔驰汽车上。我们的研究表明，有可能提取出过去8个月的地理位置和各种车辆事件（如点火和车门打开和关闭）相关信息，并且这些数据可以交叉引用，以精确识别驾驶员的活动和习惯。此外，我们开发了一种新的取证工具来自动化这项任务鉴于NTG5系统过去的使用情况，我们的工作可能会对数百万司机、车主和乘客的隐私产生现实影响。最后，我们开发了一种新的SQLite数据雕刻技术，专门用于识别已删除的数据。与用于SQLite3数据恢复的现有最先进工具的比较表明，我们的方法在恢复已删除的轨迹方面比通用工具更有效。

{"title":"I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system","authors":"Dario Stabili, Filip Valgimigli, Mirco Marchetti","doi":"10.1016/j.fsidi.2025.301909","DOIUrl":"10.1016/j.fsidi.2025.301909","url":null,"abstract":"<div><div>Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offers different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store locally different types of data, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular <span><math><mi>N</mi><mi>T</mi><mi>G</mi><mn>5</mn></math></span> COMMAND IVI system (specifically, the <span><math><mi>N</mi><mi>T</mi><mi>G</mi><mn>5</mn><mo>⁎</mo><mn>2</mn></math></span> version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicles events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task.<span><span><sup>1</sup></span></span> Given the past usage of the <span><math><mi>N</mi><mi>T</mi><mi>G</mi><mn>5</mn></math></span> system, our work might have real life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general purpose tools.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301909"},"PeriodicalIF":2.0,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143620486","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Blind protocol identification using synthetic dataset: A case study on geographic protocols 基于合成数据集的协议盲识别：以地理协议为例

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-03-13 DOI: 10.1016/j.fsidi.2025.301911

Mohammad Abbasi-Azar , Mehdi Teimouri , Mohsen Nikray

Network forensics faces major challenges, including increasingly sophisticated cyberattacks and the difficulty of obtaining labeled datasets for training AI-driven security tools. Blind Protocol Identification (BPI), essential for detecting covert data transfers, is particularly impacted by these data limitations. This paper introduces a novel and inherently scalable method for generating synthetic datasets tailored for BPI in network forensics. Our approach emphasizes feature engineering and a statistical-analytical model of feature distributions to address the scarcity and imbalance of labeled data. We demonstrate the effectiveness of this method through a case study on geographic protocols, where we train Random Forest models using only synthetic datasets and evaluate their performance on real-world traffic. This work presents a promising solution to the data challenges in BPI, enabling reliable protocol identification while maintaining data privacy and overcoming traditional data collection limitations.

网络取证面临着重大挑战，包括日益复杂的网络攻击，以及难以获得标记数据集来训练人工智能驱动的安全工具。盲协议识别（BPI）对于检测隐蔽数据传输至关重要，尤其受到这些数据限制的影响。本文介绍了一种新颖且具有固有可扩展性的方法，用于生成针对网络取证中BPI定制的合成数据集。我们的方法强调特征工程和特征分布的统计分析模型，以解决标记数据的稀缺性和不平衡性。我们通过地理协议的案例研究证明了这种方法的有效性，其中我们仅使用合成数据集训练随机森林模型，并评估其在现实世界流量中的性能。这项工作为BPI中的数据挑战提供了一个有希望的解决方案，在保持数据隐私和克服传统数据收集限制的同时实现可靠的协议识别。

引用次数: 0

A review study of digital forensics in IoT: Process models, phases, architectures, and ontologies 物联网中数字取证的回顾研究：流程模型、阶段、架构和本体

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation

Pub Date : 2025-03-10 DOI: 10.1016/j.fsidi.2025.301912

Thiago J. Silva , Edson OliveiraJr , Maximiano Eduardo Pereira , Avelino F. Zorzo

The Internet of Things (IoT) involves integrating uniquely identifiable computing devices into various infrastructures. Technological advancements have led to a proliferation of interconnected devices in public and private infrastructures, such as healthcare, transportation, and manufacturing. However, this expansion also presents significant challenges, including managing large volumes of data, navigating diverse infrastructures, dealing with network limitations, and lacking standards in IoT device formats. The increase in digital crimes has spurred the growth of the Digital Forensics (DF) field, which plays a crucial role in various interdisciplinary contexts. DF involves analyzing digital crime-related data and going through phases such as identification, collection, organization, and presentation of evidence. As DF develops, there are emerging structural and methodological initiatives aimed at formalizing concepts and establishing a common vocabulary. The literature has proposed various frameworks, conceptual models, methodologies, and ontologies to support this area. To identify and examine existing models, frameworks, methodologies, or ontologies for digital forensics on the Internet of Things (IoT), this article presents a systematic literature review (SLR). The systematic literature review outlined methods for constructing models, different types of models, feasibility criteria, evaluation methods, and models for different stages and aspects of DF. The findings were derived from an analysis of 23 primary studies, which helped address four specific research questions. Additionally, the paper suggests further model-based assistance for DF research, aiming to assist researchers and professionals in addressing current research gaps. The contributions of this work aim to fill the gaps imposed by the practical implications for digital forensic investigators in IoT. In this case, one can mention the use of DF models and phases to assist in the analysis of evidence, recoveries, information, and identification of data patterns sent via IoT.

物联网（IoT）涉及将唯一可识别的计算设备集成到各种基础设施中。技术进步导致公共和私人基础设施（如医疗保健、交通和制造业）中互连设备的激增。然而，这种扩展也带来了重大挑战，包括管理大量数据、导航不同的基础设施、处理网络限制以及缺乏物联网设备格式的标准。数字犯罪的增加刺激了数字取证（DF）领域的发展，该领域在各种跨学科背景下发挥着至关重要的作用。DF包括分析与数字犯罪相关的数据，并经历识别、收集、组织和提供证据等阶段。随着DF的发展，出现了旨在形式化概念和建立通用词汇表的结构和方法倡议。文献提出了各种框架、概念模型、方法和本体来支持这一领域。为了识别和检查物联网（IoT）上数字取证的现有模型、框架、方法或本体，本文提出了系统的文献综述（SLR）。系统的文献综述概述了构建模型的方法、不同类型的模型、可行性标准、评价方法以及DF的不同阶段和方面的模型。这些发现来自对23项初步研究的分析，这些研究有助于解决四个具体的研究问题。此外，本文建议进一步基于模型的DF研究援助，旨在帮助研究人员和专业人员解决当前的研究差距。这项工作的贡献旨在填补物联网中数字法医调查员的实际影响所带来的空白。在这种情况下，可以提到使用DF模型和阶段来协助分析证据、恢复、信息和识别通过物联网发送的数据模式。

{"title":"A review study of digital forensics in IoT: Process models, phases, architectures, and ontologies","authors":"Thiago J. Silva , Edson OliveiraJr , Maximiano Eduardo Pereira , Avelino F. Zorzo","doi":"10.1016/j.fsidi.2025.301912","DOIUrl":"10.1016/j.fsidi.2025.301912","url":null,"abstract":"<div><div>The Internet of Things (IoT) involves integrating uniquely identifiable computing devices into various infrastructures. Technological advancements have led to a proliferation of interconnected devices in public and private infrastructures, such as healthcare, transportation, and manufacturing. However, this expansion also presents significant challenges, including managing large volumes of data, navigating diverse infrastructures, dealing with network limitations, and lacking standards in IoT device formats. The increase in digital crimes has spurred the growth of the Digital Forensics (DF) field, which plays a crucial role in various interdisciplinary contexts. DF involves analyzing digital crime-related data and going through phases such as identification, collection, organization, and presentation of evidence. As DF develops, there are emerging structural and methodological initiatives aimed at formalizing concepts and establishing a common vocabulary. The literature has proposed various frameworks, conceptual models, methodologies, and ontologies to support this area. To identify and examine existing models, frameworks, methodologies, or ontologies for digital forensics on the Internet of Things (IoT), this article presents a systematic literature review (SLR). The systematic literature review outlined methods for constructing models, different types of models, feasibility criteria, evaluation methods, and models for different stages and aspects of DF. The findings were derived from an analysis of 23 primary studies, which helped address four specific research questions. Additionally, the paper suggests further model-based assistance for DF research, aiming to assist researchers and professionals in addressing current research gaps. The contributions of this work aim to fill the gaps imposed by the practical implications for digital forensic investigators in IoT. In this case, one can mention the use of DF models and phases to assist in the analysis of evidence, recoveries, information, and identification of data patterns sent via IoT.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301912"},"PeriodicalIF":2.0,"publicationDate":"2025-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143579615","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0