Latest articles: Forensic Science International-Digital Investigation

I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-14 | DOI: 10.1016/j.fsidi.2025.301909
Dario Stabili, Filip Valgimigli, Mirco Marchetti
Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offer different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store locally different types of data, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular NTG5 COMMAND IVI system (specifically, the NTG5*2 version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicle events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task. Given the past usage of the NTG5 system, our work might have real-life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general-purpose tools.
Citations: 0
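Added worked example (an editor's illustration, not the authors' tool or their carving technique): the basic reason deleted SQLite rows remain recoverable. SQLite does not erase a deleted cell; it links the space into the page's freeblock chain (or folds it into the unallocated area) and only overwrites the first four bytes with a freeblock header. The script builds a small `trips` table standing in for a navigation history, deletes two rows, then reads the raw page and walks those regions. Table name, columns, rows and the string-run extraction are all constructed for the demo; it assumes the database was not written with `secure_delete` on.

```python
"""
Added example, not the paper's tool: carving deleted-row remnants from a
SQLite table leaf page by walking the page's freeblock chain and its
unallocated region. Table, columns and rows are constructed for the demo.
"""
import os
import sqlite3
import struct
import tempfile

# Constructed sample rows standing in for a navigation/trip history.
SAMPLE_ROWS = [
    ("2024-06-01T08:12:00", "Home Street 12"),
    ("2024-06-01T17:40:00", "Office Park North"),
    ("2024-06-02T09:05:00", "Lakeside Cabin"),
    ("2024-06-03T12:30:00", "Airport Terminal 2"),
    ("2024-06-04T19:15:00", "Harbour Marina"),
]


def build_demo_db(path):
    """Create the table, insert the rows, delete two, return (rootpage, live places)."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit
    # secure_delete zero-fills freed cells and would defeat carving; some
    # distro builds of libsqlite3 default it to ON, so force it off here.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE trips(id INTEGER PRIMARY KEY, ts TEXT, place TEXT)")
    con.executemany("INSERT INTO trips(ts, place) VALUES (?, ?)", SAMPLE_ROWS)
    con.execute("DELETE FROM trips WHERE id IN (2, 5)")   # one middle row, the newest row
    rootpage = con.execute(
        "SELECT rootpage FROM sqlite_master WHERE name = 'trips'").fetchone()[0]
    live = [r[0] for r in con.execute("SELECT place FROM trips ORDER BY id")]
    con.close()
    return rootpage, live


def carve_leaf_page(data, pgno):
    """Return byte blobs from a leaf table page that no live cell owns."""
    raw_size = struct.unpack(">H", data[16:18])[0]       # file header offset 16
    page_size = 65536 if raw_size == 1 else raw_size
    usable = page_size - data[20]                        # minus reserved bytes per page
    page = data[(pgno - 1) * page_size:pgno * page_size]
    hdr = 100 if pgno == 1 else 0                        # page 1 carries the 100-byte file header
    if page[hdr] != 0x0D:                                # 0x0D = leaf table b-tree page
        return []
    first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
    content_start = content_start or 65536
    blobs = []
    # 1) unallocated gap between the cell-pointer array and the cell content area.
    #    A deleted cell that sat at the very start of the content area ends up here.
    ptr_end = hdr + 8 + 2 * ncells
    if content_start > ptr_end:
        blobs.append(page[ptr_end:content_start])
    # 2) freeblock chain: each freed cell has its first 4 bytes overwritten with
    #    (next freeblock offset, block size); the rest of the old cell survives.
    off, seen = first_free, set()
    while off and off not in seen and off + 4 <= usable:
        seen.add(off)
        nxt, size = struct.unpack(">HH", page[off:off + 4])
        blobs.append(page[off + 4:off + size])
        off = nxt
    return blobs


def printable_runs(blob, minlen=4):
    """Extract printable-ASCII runs, the crudest form of record carving."""
    runs, cur = [], bytearray()
    for b in blob + b"\x00":          # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= minlen:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def run_demo():
    """Build the database in a temp file, carve it, return (live places, carved strings)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        rootpage, live = build_demo_db(path)
        with open(path, "rb") as f:
            data = f.read()
        carved = [s for blob in carve_leaf_page(data, rootpage) for s in printable_runs(blob)]
        return live, carved
    finally:
        for suffix in ("", "-journal"):
            try:
                os.unlink(path + suffix)
            except FileNotFoundError:
                pass


if __name__ == "__main__":
    live_places, carved_strings = run_demo()
    print("live rows:", live_places)
    print("carved   :", carved_strings)
```

Run it directly to see the live rows next to the carved strings: the two deleted places come back, the three live ones do not appear in the carved regions. Two caveats a practitioner should keep in mind: the freeblock header destroys the payload-size and rowid varints of each freed cell, so rowids are gone even though the text columns survive; and `secure_delete=ON` or a later `VACUUM` zero-fills or compacts these regions, which is exactly why general-purpose string search under-recovers on real databases.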
Blind protocol identification using synthetic dataset: A case study on geographic protocols
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-13 | DOI: 10.1016/j.fsidi.2025.301911
Mohammad Abbasi-Azar, Mehdi Teimouri, Mohsen Nikray
Network forensics faces major challenges, including increasingly sophisticated cyberattacks and the difficulty of obtaining labeled datasets for training AI-driven security tools. Blind Protocol Identification (BPI), essential for detecting covert data transfers, is particularly impacted by these data limitations. This paper introduces a novel and inherently scalable method for generating synthetic datasets tailored for BPI in network forensics. Our approach emphasizes feature engineering and a statistical-analytical model of feature distributions to address the scarcity and imbalance of labeled data. We demonstrate the effectiveness of this method through a case study on geographic protocols, where we train Random Forest models using only synthetic datasets and evaluate their performance on real-world traffic. This work presents a promising solution to the data challenges in BPI, enabling reliable protocol identification while maintaining data privacy and overcoming traditional data collection limitations.
Citations: 0
A review study of digital forensics in IoT: Process models, phases, architectures, and ontologies
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-10 | DOI: 10.1016/j.fsidi.2025.301912
Thiago J. Silva, Edson OliveiraJr, Maximiano Eduardo Pereira, Avelino F. Zorzo
The Internet of Things (IoT) involves integrating uniquely identifiable computing devices into various infrastructures. Technological advancements have led to a proliferation of interconnected devices in public and private infrastructures, such as healthcare, transportation, and manufacturing. However, this expansion also presents significant challenges, including managing large volumes of data, navigating diverse infrastructures, dealing with network limitations, and a lack of standards for IoT device formats. The increase in digital crimes has spurred the growth of the Digital Forensics (DF) field, which plays a crucial role in various interdisciplinary contexts. DF involves analyzing digital crime-related data and going through phases such as identification, collection, organization, and presentation of evidence. As DF develops, there are emerging structural and methodological initiatives aimed at formalizing concepts and establishing a common vocabulary. The literature has proposed various frameworks, conceptual models, methodologies, and ontologies to support this area. To identify and examine existing models, frameworks, methodologies, or ontologies for digital forensics on the Internet of Things (IoT), this article presents a systematic literature review (SLR). The systematic literature review outlined methods for constructing models, different types of models, feasibility criteria, evaluation methods, and models for different stages and aspects of DF. The findings were derived from an analysis of 23 primary studies, which helped address four specific research questions. Additionally, the paper suggests further model-based assistance for DF research, aiming to assist researchers and professionals in addressing current research gaps. The contributions of this work aim to fill the gaps imposed by the practical implications for digital forensic investigators in IoT. In this case, one can mention the use of DF models and phases to assist in the analysis of evidence, recoveries, information, and identification of data patterns sent via IoT.
Citations: 0
Corrigendum to "Adding transparency to uncertainty: An argument-based method for evaluative opinions" [FSIDI 48 (2023) 301657]
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-05 | DOI: 10.1016/j.fsidi.2025.301910
Nina Sunde, Virginia N.L. Franqueira
Citations: 0
Welcome to the 12th Annual DFRWS Europe Conference!
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301879
Edita Bajramovic, Olga Angelopoulou
Citations: 0
A scenario-based quality assessment of memory acquisition tools and its investigative implications
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301868
Lisa Rzepka, Jenny Ottmann, Radina Stoykova, Felix Freiling, Harald Baier
During digital forensic investigations, volatile data from random-access memory (RAM) can provide crucial information such as access credentials or encryption keys. This data is usually obtained using software that copies the contents of RAM to a memory dump file concurrently with normal system operation. It is well known that this results in many inconsistencies in the copied data. Based on established quality criteria from the literature and on four typical investigative scenarios, we present and evaluate a methodology to assess the quality of memory acquisition tools in these scenarios. The methodology basically relates three factors: (1) the quality criteria of the memory dump, (2) the applied memory forensics analysis technique, and (3) its success in the given investigative scenario. We apply our methodology to four memory acquisition tools (from both the open source and the commercial community). It turns out that all tools have weaknesses but that their inconsistencies appear to be not as bad as anticipated. Another finding is that unstructured memory analysis methods are more robust against low quality (i.e., inconsistent) memory dumps than structured analysis methods. We provide the measurement dataset together with the tool by which it was acquired and also examine our findings in the context of legal and international standards for digital forensics in law enforcement investigations.
Citations: 0
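Added worked example (an editor's illustration, not the paper's dataset, tools or measurement method): a deterministic toy model of why a non-atomic acquisition hurts structured analysis more than unstructured analysis. The acquisition copies pages in order while the "system" keeps running; between two page copies it moves a record and updates the pointer to it, so the pointer page and the record page in the dump come from different points in time. Page size, the pointer layout, the `CRED:` record and the clock-based atomicity check are all invented for this illustration.

```python
"""
Added example, not from the paper: a deterministic model of a non-atomic
memory acquisition and its effect on structured vs. unstructured analysis.
Layout, record format and the atomicity proxy are assumptions for the demo.
"""
import re
import struct

PAGE_SIZE = 64
NUM_PAGES = 4
HEAD_OFFSET = 0     # page 0, offset 0: 4-byte big-endian pointer to the record
RECORD = b"CRED:user=alice;pw=hunter2\x00"   # constructed sample artifact


class ToyMemory:
    """Physical memory as a flat bytearray plus a write clock."""

    def __init__(self):
        self.mem = bytearray(PAGE_SIZE * NUM_PAGES)
        self.clock = 0                       # incremented on every write

    def write(self, offset, data):
        self.clock += 1
        self.mem[offset:offset + len(data)] = data

    def place_record(self, page):
        """Store RECORD on `page`, repoint the head at it, wipe the old copy."""
        old = struct.unpack(">I", self.mem[HEAD_OFFSET:HEAD_OFFSET + 4])[0]
        if old:
            self.write(old, b"\x00" * len(RECORD))
        new_off = page * PAGE_SIZE + 8
        self.write(new_off, RECORD)
        self.write(HEAD_OFFSET, struct.pack(">I", new_off))


def acquire(memory, interfere_after_page=None):
    """Copy pages in order, like a software acquisition tool on a live system.
    If `interfere_after_page` is set, the system moves the record right after
    that page was copied, so later pages reflect a newer state than earlier ones."""
    dump = bytearray()
    copied_at = []                           # clock value when each page was copied
    for page in range(NUM_PAGES):
        start = page * PAGE_SIZE
        dump += memory.mem[start:start + PAGE_SIZE]
        copied_at.append(memory.clock)
        if page == interfere_after_page:
            memory.place_record(page=3)      # record moves from page 2 to page 3
    return bytes(dump), copied_at


def is_atomic(copied_at):
    """Conservative proxy: the dump is atomic if no write landed between the
    first and the last page copy (a stricter condition than true consistency)."""
    return copied_at[0] == copied_at[-1]


def structured_lookup(dump):
    """Follow the head pointer, as a structure-aware analyser would."""
    off = struct.unpack(">I", dump[HEAD_OFFSET:HEAD_OFFSET + 4])[0]
    end = dump.find(b"\x00", off)
    return dump[off:end] if off and end > off else None


def unstructured_scan(dump):
    """Pattern-scan the whole dump, ignoring any structure."""
    return [m.group(0) for m in re.finditer(rb"CRED:[^\x00]+", dump)]


def run_demo():
    """Acquire once without and once with interference; return both analyses."""
    results = {}
    for label, interfere in (("consistent", None), ("non_atomic", 0)):
        memory = ToyMemory()
        memory.place_record(page=2)
        dump, copied_at = acquire(memory, interfere_after_page=interfere)
        results[label] = {
            "atomic": is_atomic(copied_at),
            "structured": structured_lookup(dump),
            "unstructured": unstructured_scan(dump),
        }
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, r)
```

In the non-atomic run the stale pointer on page 0 leads into a region that was already wiped by the time page 2 was copied, so the structured lookup returns nothing, while the pattern scan still finds the credential on page 3. Real acquisition tools cannot record a write clock; the paper's quality criteria (correctness, atomicity, integrity) are the practical substitute for the `is_atomic` check shown here.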
Tapping .IPAs: An automated analysis of iPhone applications using Apple Silicon Macs
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301871
Steven Seiden, Andrew M. Webb, Ibrahim Baggili
Dynamic analysis of iOS applications poses significant challenges due to the platform's stringent security measures. Historically, investigations often required jailbreaking, but recent enhancements in iOS security have diminished the viability of this approach. Consequently, alternative methodologies are necessary. In this study, we explore the feasibility of automated iOS application analysis on the ARM-based M1 Mac platform. To do so, we utilized an ARM-based Mac to install several popular iOS applications. Our manual analysis using existing macOS tools demonstrated the potential to uncover artifacts such as chat messages and browsing history. To streamline this process, we developed a tool, AppTap, which facilitates the entire forensic procedure from installation to artifact extraction. AppTap enables analysts to quickly install, test, and retrieve file system artifacts from these applications and allows for the easy checkpointing of user files generated by iOS apps. These checkpoints help analysts correlate artifacts with user actions. We tested AppTap with the top 100 iPhone apps and top 100 iPhone games from the U.S. App Store (n=200). Our results showed that 46% of these applications were installed and operated as expected, while 30.5% failed to install, likely due to the older macOS version—a necessary condition for this study. We discuss several strategies to enhance application support in the future, which could significantly increase the number of supported applications. Applying our methodologies as-is to the M1 Mac platform has significantly streamlined the forensic process for iOS applications, saving time for analysts and expanding future capabilities.
Citations: 0
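Added worked example (an editor's illustration, not AppTap's own code): the checkpoint-and-diff step the abstract describes, implemented over a plain directory tree standing in for an app's data container. A checkpoint is a map from relative path to content hash and size; diffing two checkpoints taken around one user action yields the files that action created, changed or removed. The container layout, file names and the two simulated actions are constructed for the demo.

```python
"""
Added example, not AppTap's code: checkpoint an app data directory and diff
two checkpoints to attribute file-system artifacts to the user action that
happened in between. Directory layout and file names are made up.
"""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file (path relative to root, '/'-separated) to (sha256, size)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            state[rel] = (h.hexdigest(), os.path.getsize(full))
    return state


def diff_snapshots(before, after):
    """Classify paths as added / modified / deleted between two checkpoints."""
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Simulate two user actions in a fake container; return one diff per action."""
    root = tempfile.mkdtemp(prefix="container_")
    try:
        # state after install and first launch (constructed)
        _write(root, "Library/prefs.plist", b"<plist/>")
        _write(root, "Library/Caches/thumb.bin", b"\x89PNG...")
        cp0 = snapshot(root)

        # action 1: user logs in -> app writes a session file and updates prefs
        _write(root, "Library/session.json", b'{"user":"alice"}')
        _write(root, "Library/prefs.plist", b"<plist><key>loggedIn</key></plist>")
        cp1 = snapshot(root)

        # action 2: user sends a message -> chat database appears, cache is cleared
        _write(root, "Documents/chat.db", b"SQLite format 3\x00")
        os.remove(os.path.join(root, "Library/Caches/thumb.bin"))
        cp2 = snapshot(root)

        return {"login": diff_snapshots(cp0, cp1), "message": diff_snapshots(cp1, cp2)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for action, changes in run_demo().items():
        print(action, changes)
```

Hashing rather than relying on modification times matters here: an app that rewrites a file with identical content, or a copy that preserves timestamps, would otherwise show up as a change or be missed. On a real container the same two functions apply unchanged; only the directory passed to `snapshot` differs.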
DFRWS USA 2025 Chicago
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/S2666-2817(25)00035-6
Citations: 0
DFRWS EU 2026 Sweden
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/S2666-2817(25)00037-X
Citations: 0
Forensic analysis of Telegram Messenger on iOS smartphones
IF 2 | Zone 4 (Medicine) | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2025-03-01 | DOI: 10.1016/j.fsidi.2025.301866
Lukas Jaeckel, Michael Spranger, Dirk Labudde
As mobile messengers have dominated and penetrated our daily communication and activities, the odds of them being involved in criminal activities have increased. Since each messenger usually uses its own proprietary data schema (including encoding, encryption and frequent updates) to store communication data, investigative authorities urgently require a solution that transfers the data into a processable structure so that it can be analysed efficiently, especially in a forensic context. Therefore, this work identifies and examines locally stored data of the Telegram Messenger with high forensic value on iOS devices. In particular, this work deals with extracting contact and communication data in order to link and analyse it. For this purpose, artificially generated test data, as well as the open source code of the Telegram Messenger under iOS, are analysed. The main focus of this work lies on the primary database, in which a large part of the data is coded and therefore needs to be transferred into an interpretable form. In summary, this work enables a manual or automated analysis of Messenger data for investigative authorities and IT companies with forensic reference. The proposed method can also be adapted in research to analyse further instant messaging services.
Citations: 0
Copyright © 2023 Book学术 All rights reserved.