
Forensic Science International: Digital Investigation, latest publications

On the inadequacy of open-source application logs for digital forensics
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-04-25 | DOI: 10.1016/j.fsidi.2024.301750
Afiqah Azahari, Davide Balzarotti

This study explores the challenges of utilizing application logs for incident response or forensic analysis. Application logs have the potential to significantly enhance security analysis, as they sometimes provide information regarding user actions, error messages, and performance metrics of the application. Although these logs can offer vital information about user activities, errors, and application performance, their use for security needs to be better understood. We looked at the current logging implementation of 60 open-source applications. We checked the logs to see if they could help with five key security tasks: building timelines, correlating events, separating different actions, spotting misuse, and detecting attacks. By examining source code, extracting log statements, and evaluating them for security relevance, we found that many logs lacked essential elements. Specifically, 29 applications omitted timestamps, which are crucial for identifying the timing of actions. Furthermore, logs frequently missed unique identifiers (UIDs) for event correlation, with 23 not recording UIDs for new activities. Inconsistent logging of user activities and an absence of logs detailing successful attacks indicate that current application logs need significant enhancements to be effective for security checks. The findings of our research suggest that current application logs are inadequately equipped for in-depth security analysis. Enhancements are imperative for their optimal utility. This investigation underscores the inherent challenges in leveraging logs for security and emphasizes the pressing need for refining logging methodologies.

Citations: 0
A dual descriptor combined with frequency domain reconstruction learning for face forgery detection in deepfake videos
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-04-18 | DOI: 10.1016/j.fsidi.2024.301747
Xin Jin, Nan Wu, Qian Jiang, Yuru Kou, Hanxian Duan, Puming Wang, Shaowen Yao

Conventional face forgery detectors have primarily relied on image artifacts produced by deepfake video generation models. These methods have performed well when the training and test sets were derived from the same deepfake algorithm, but accuracy and generalizability remain a challenge for diverse datasets. In this study, both supervised and unsupervised approaches are proposed for more accurate detection in in-domain and cross-domain experiments. Specifically, two descriptors are introduced to extract rich information in the spatial domain to achieve higher accuracy. A frequency domain reconstruction module is then included to expand the representation space for facial features. A reconstruction method based on an auto-encoder was also applied to obtain a frequency domain coding vector. In this process, reconstruction learning was sufficient for extracting unknown information, while a combination with classification learning provided essential high-frequency pixel differences between real and fake samples, thus facilitating forgery identification. A series of validation experiments with large-scale benchmark datasets demonstrated that the proposed technique was superior to existing methods.

Citations: 0
Comparative study of IoT forensic frameworks
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-04-04 | DOI: 10.1016/j.fsidi.2024.301748
Haroon Mahmood, Maliha Arshad, Irfan Ahmed, Sana Fatima, Hafeez ur Rehman

Internet of Things (IoT) systems often consist of heterogeneous, resource-constrained devices that generate massive amounts of data. This data is important for assessments, behaviour analysis, and decision-making. However, IoT devices are also susceptible to cyber-attacks, such as information theft, personal device intervention, and privacy invasion. In the event of an incident, these devices are subject to digital forensic investigation to identify and analyze crimes and misuse. Over the years, several forensic frameworks and techniques have been proposed to facilitate the investigation of IoT networks and devices, but finding a complete solution that covers the diversity of IoT devices and networks is still a research challenge.

In this study, we present a comparative analysis of existing forensic investigation frameworks and identify their strengths and weaknesses in handling forensic challenges of IoT devices. The study uses evaluation metrics of ten important parameters, including heterogeneity, scalability, and chain of custody, to thoroughly audit the effectiveness of these models. Our analysis concludes that the existing investigation frameworks do not cater to all requirements and aspects of IoT forensics. It further highlights the need for standard mechanisms to acquire and analyze digital artifacts in IoT devices.

Citations: 0
Letter to editor regarding article, "Digital forensics in healthcare: An analysis of data associated with a CPAP machine"
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-03-29 | DOI: 10.1016/j.fsidi.2024.301749
Nishchal Soni, Chitra Barotia
Citations: 0
Artificial intelligence in mobile forensics: A survey of current status, a use case analysis and AI alignment objectives
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-03-22 | DOI: 10.1016/j.fsidi.2024.301737
Alexandros Vasilaras, Nikolaos Papadoudis, Panagiotis Rizomiliotis

As the capabilities and utility of Artificial Intelligence and Machine Learning systems continue to improve, they are expected to have an increasingly powerful influence on the digital forensic investigation process. The concurrent proliferation of mobile devices and the rapid increase in the forensic value of related artifacts create the need for a comprehensive review of the current status of artificial intelligence software usage and usefulness in Mobile Forensics. In this context, we conducted a survey to evaluate the characteristics and properties of AI functions in mobile forensic software from the practitioners' perspective and to enhance understanding of the work in the field. In this study, we evaluated the performance of image categorization software in digital forensics using a variety of evaluation metrics including accuracy, precision, recall, and F1-score, as well as the confusion matrix. In this research we also identify and integrate theoretical principles to conceptualize an AI Alignment framework pertaining to Mobile Forensics and Digital Forensics in general, in order to accurately determine specific AI strategy objectives and potential solutions to the current technical and administrative landscape. We emphasized the importance of interpretability and transparency in AI systems and the need for a comprehensive approach to understanding the reasoning behind the software's decisions. Additionally, we highlighted the importance of robustness in image categorization software, as well as the consideration of AI governance and standardized procedure concepts. Our results show that the accuracy and robustness of the image categorization software have a significant impact on the outcome of legal cases and that the software should be designed with interpretability, transparency, and robustness in mind. Through the examination of the survey responses, the evaluation of the image categorization software and the research literature, we explore existing and potential approaches to aligned Artificial Intelligence and analyze their contribution to the forensic examination of cases.

Citations: 0
Video source camera identification using fusion of texture features and noise fingerprint
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-03-18 | DOI: 10.1016/j.fsidi.2024.301746
Tigga Anmol, K. Sitara

In video forensics, the objective of Source Camera Identification (SCI) is to identify and verify the origin of a video that is under investigation. This aids the investigator in tracing the video to its owner or narrowing down the search space for identifying the offender. Nowadays, it is easy to record and share videos via the internet or social media with smartphones. The availability of sophisticated video editing tools and software allows offenders to modify a video's context. Thus, identifying the right source camera that was used to capture the video becomes complicated and strenuous. Existing methods based on video metadata are no longer reliable, as metadata can be modified or stripped off. Better forensic procedures are therefore required to prove the authenticity and integrity of a video that will be used as evidence in a court of law. Certain inherent camera sensor properties, such as subtle traces of Photo Response Non-Uniformity (PRNU), are present in all captured videos due to unnoticeable defects introduced during the manufacture of the camera's sensor. These properties are used in SCI to classify devices or models, as they are unique. In this work, we focus on SCI from videos, or Video Source Camera Identification (VSCI), to verify the authenticity of videos. PRNU can be affected by highly textured content or post-processing when computed from a set of flat-field images. To mitigate these effects, Higher Order Wavelet Statistics (HOWS) information from the PRNU of a video I-frame is combined with information from two other texture features, i.e., Local Binary Pattern (LBP) and Gray Level Co-occurrence Matrix (GLCM). The extracted feature vectors are fused via concatenation and fed to a Support Vector Machine (SVM) classifier to perform training and testing for VSCI. Experimental evaluation of our proposed method on videos from different publicly available datasets shows the effectiveness of our method in terms of accuracy, resource efficiency, and complexity.

Citations: 0
Letter to editor regarding article, "The effects of document's format, size, and storage media on memory forensics"
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-03-14 | DOI: 10.1016/j.fsidi.2024.301745
Nishchal Soni
Citations: 0
ECo-Bag: An elastic container based on Merkle tree as a universal digital evidence bag
IF 2 | CAS Quartile 4 (Medicine) | Pub Date: 2024-03-13 | DOI: 10.1016/j.fsidi.2024.301725
Jaehyeok Han, Mee Lan Han, Sangjin Lee, Jungheum Park

Unique traits generated automatically or artificially, such as firewall logs, OS event logs, and various metadata, are well hidden in digital evidence and in some cases cannot be easily perceived by the investigator. Digital data is invisible, and attention must be focused on managing it with integrity, because various stakeholders are involved in the secure preservation and analysis stages of the forensic process. Similar to file formats, digital evidence bags (DEB), such as E01 and L01, are widely used to contain digital data from certain sources in a raw format, together with metadata. A DEB can provide a way to obtain data through selective imaging, extracting and collecting from the extensive data only the parts necessary for proof. However, it cannot flexibly handle information obtained from large amounts of data, cases where sensitive data is involved, or the destruction of superfluous materials that must be protected. Therefore, in this study, we propose a new container format based on the Merkle tree, to be used as a universal DEB. The proposed ECo-Bag can store physical and logical images from a storage medium, bit streams transmitted over networks, file segments in the cloud or a distributed system, secondary outcomes, and metadata. Furthermore, it can support operations to destroy or seal the data initially collected while verifying data integrity and tracking provenance within the chain of custody. Thus, it is expected to contribute to the elastic management of the addition and deletion of evidence in digital investigation and e-discovery.

Citations: 0
Some areas where digital forensics can support the addressing of legal challenges linked to forensic genetic genealogy
IF 2 4区 医学 Pub Date : 2024-03-07 DOI: 10.1016/j.fsidi.2024.301696
Mònika Nogel

Forensic genetic genealogy (FGG), also known as investigative genetic genealogy (IGG), produces investigative leads in criminal cases where unidentified DNA is discovered at the crime scene and does not match any profiles in criminal databases. It works by comparing crime scene DNA samples to public or private genealogical databases to identify potential familial relationships and narrow down suspects or identify unknown individuals. Although the fields of FGG and digital forensics (DF) work with different types of evidence and techniques, and consequently develop independently, they share several common characteristics. This study aims to demonstrate that despite their independent development and differences, the experiences of progress in the DF field can be utilized in some respects, especially concerning the protection of the rights of the individuals concerned. The aim of this article is to outline some areas where DF can provide assistance in dealing with ethical and social challenges that FGG must address.
{"title":"Some areas where digital forensics can support the addressing of legal challenges linked to forensic genetic genealogy","authors":"Mònika Nogel","doi":"10.1016/j.fsidi.2024.301696","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301696","url":null,"abstract":"<div><p>Forensic genetic genealogy (FGG), also known as investigative genetic genealogy (IGG), produces investigative leads in criminal cases where unidentified DNA is discovered at the crime scene and does not match any profiles in criminal databases. It works by comparing crime scene DNA samples to public or private genealogical databases to identify potential familial relationships and narrow down suspects or identify unknown individuals. Although the fields of FGG and digital forensics (DF) work with different types of evidence and techniques, and consequently develop independently, they share several common characteristics. This study aims to demonstrate that despite their independent development and differences, the experiences of progress in DF field can be utilized in some respects, especially concerning the protection of the rights of the individuals concerned. The aim of this article is to outline some areas where DF can provide assistance in dealing with ethical and social challenges that FGG must address.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"49 ","pages":"Article 301696"},"PeriodicalIF":2.0,"publicationDate":"2024-03-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140052429","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
WARNE: A stalkerware evidence collection tool
IF 2.0 | Zone 4 (Medicine) | Pub Date: 2024-03-01 | DOI: 10.1016/j.fsidi.2023.301677
Philippe Mangeard, Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef

Intimate partner violence (IPV) is a form of abuse in romantic relationships, more frequently against the female partner. IPV can vary in severity and frequency, ranging from emotional abuse or stalking to recurring and severe violent episodes over a long period. Easy access to stalkerware apps helps foster such behaviors by allowing non-tech-savvy individuals to spy on their victims. These apps offer features for discreetly monitoring and remotely controlling compromised mobile devices, thereby infringing the victim's privacy and the security of their data. In this work, we investigate methods for gathering evidence about an abuser and the stalkerware they employ on a victim's device. We develop a semi-automated tool intended for use by investigators, helping them to analyze Android phones for potential threats in cases of IPV stalkerware. As a first step towards this goal, we perform an experimental privacy and security study to investigate currently available stalkerware apps. We specifically study the vectors through which vulnerabilities found in stalkerware apps could be exploited by investigators, allowing them to gather information about the IPV services, IPV abusers, and the victims' stolen data. We then design and implement a tool called WARNE, leveraging the identified flaws to facilitate the information and evidence collection process. In our experiments, we identified 50 unique stalkerware apps and their corresponding download websites that are still reachable, including one available on the Google Play Store. Among these apps, we found 30 that were free or offered a free trial. We enumerated and experimentally verified several invasive capabilities offered by these apps to clearly identify the severe privacy risks posed by them. We also found that most stalkerware apps store private information locally on the compromised device, potentially giving away information about the abuser. Our evidence-gathering tool found data related to the abuser and/or the stalkerware company, such as account credentials, dashboard URLs, and API tokens in 20 apps out of 30 tested apps. We hope our tool will help IPV victims and investigators against the growing threat of stalkerware abuse.
{"title":"WARNE: A stalkerware evidence collection tool","authors":"Philippe Mangeard,&nbsp;Bhaskar Tejaswi,&nbsp;Mohammad Mannan,&nbsp;Amr Youssef","doi":"10.1016/j.fsidi.2023.301677","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301677","url":null,"abstract":"<div><p>Intimate partner violence (IPV) is a form of abuse in romantic relationships, more frequently, against the female partner. IPV can vary in severity and frequency, ranging from emotional abuse or stalking to recurring and severe violent episodes over a long period. Easy access to stalkerware apps helps foster such behaviors by allowing non-tech-savvy individuals to spy on their victims. These apps offer features for discreetly monitoring and remotely controlling compromised mobile devices, thereby infringing the victim's privacy and the security of their data. In this work, we investigate methods for gathering evidence about an abuser and the stalkerware they employ on a victim's device. We develop a semi-automated tool intended for use by investigators, helping them to analyze Android phones for potential threats in cases of IPV stalkerware. As a first step towards this goal, we perform an experimental privacy and security study to investigate currently available stalkerware apps. We specifically study the vectors through which vulnerabilities found in stalkerware apps could be exploited by investigators, allowing them to gather information about the IPV services, IPV abusers, and the victims' stolen data. We then design and implement a tool called <span>WARNE</span>, leveraging the identified flaws to facilitate the information and evidence collection process. In our experiments, we identified 50 unique stalkerware apps and their corresponding download websites that are still reachable, including one available on the Google Play Store. Among these apps, we found 30 that were free or offered a free trial. 
We enumerated and experimentally verified several invasive capabilities offered by these apps to clearly identify the severe privacy risks posed by them. We also found that most stalkerware apps store private information locally on the compromised device, potentially giving away information about the abuser. Our evidence-gathering tool found data related to the abuser and/or the stalkerware company, such as account credentials, dashboard URLs, and API tokens in 20 apps out of 30 tested apps. We hope our tool will help IPV victims and investigators against the growing threat of stalkerware abuse.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"48 ","pages":"Article 301677"},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001968/pdfft?md5=1b6f141e02aa6980d7dac8f91ca37e2d&pid=1-s2.0-S2666281723001968-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134333","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
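The abstract reports that most stalkerware apps store account credentials, dashboard URLs and API tokens locally on the compromised device, and that this is where an evidence-collection tool can recover data about the abuser. As an added illustration that is not the WARNE tool itself, the following heuristic triage parses an Android shared_prefs file and flags such entries. The file layout is the standard shared_prefs XML map, but the key names, values, domain and token below are constructed placeholders, and the classification rules are assumptions an investigator would tune per app.

```python
"""Added example, not the WARNE tool: heuristic triage of an Android app's
shared_prefs XML for locally stored stalkerware account data.
Keys, values, domain and token below are constructed placeholders."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of /data/data/<pkg>/shared_prefs/<name>.xml (not a real app's)
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="server_url">https://dashboard.example-monitor.test/api/v2</string>
    <string name="account_email">controller@example.test</string>
    <string name="account_password">hunter2</string>
    <string name="api_token">eyJhbGciOiJIUzI1NiJ9.e30.QzJ3N0sXq6VtqzH9K2bVbn8mXc5Z1o4Yc_gJ0G1Rk9A</string>
    <string name="device_id">3f9c1b2e</string>
    <boolean name="hide_icon" value="true" />
    <long name="upload_interval_ms" value="300000" />
</map>
"""

# Value-shape checks run first (a URL or JWT is recognisable regardless of key name),
# then ordered key-name heuristics; the first matching rule decides the category.
URL_VALUE = re.compile(r"^https?://", re.I)
JWT_VALUE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]*$")
KEY_RULES = [
    ("credential", re.compile(r"pass(word|wd)?|pwd|secret", re.I)),
    ("api_token", re.compile(r"token|api[_-]?key|auth|session", re.I)),
    ("account_identifier", re.compile(r"e-?mail|login|user(name)?|account", re.I)),
    ("stealth_setting", re.compile(r"hide|stealth|invisible", re.I)),
]


def parse_prefs(xml_text: str) -> Dict[str, str]:
    """Flatten an Android shared_prefs <map> into {key: value}.
    <string> carries its value as text; other types carry a value attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    out: Dict[str, str] = {}
    for el in root:
        key = el.get("name")
        if key is None:
            continue
        out[key] = el.text if el.text is not None else el.get("value", "")
    return out


def classify(key: str, value: str) -> str:
    """Return a finding category, or '' when the entry looks uninteresting."""
    if URL_VALUE.match(value):
        return "dashboard_url"
    if JWT_VALUE.match(value):
        return "api_token"
    for category, pattern in KEY_RULES:
        if pattern.search(key):
            return category
    return ""


def triage_prefs(xml_text: str) -> List[Dict[str, str]]:
    """Entries worth preserving as evidence, with the raw value kept intact."""
    findings = []
    for key, value in parse_prefs(xml_text).items():
        category = classify(key, value)
        if category:
            findings.append({"key": key, "category": category, "value": value})
    return findings


if __name__ == "__main__":
    for f in triage_prefs(SAMPLE_PREFS):
        print(f"{f['category']:<20} {f['key']:<18} {f['value']}")
```

On the constructed sample the triage flags the dashboard URL, the operator's email and password, the bearer token and the icon-hiding switch, and ignores the device identifier and the upload interval. The raw values are kept rather than masked because the point of the collection is to tie the installation to an account and a back-end; redaction belongs in the report, not in the extracted evidence.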