
Forensic Science International-Digital Investigation: latest articles

A temporal analysis and evaluation of fuzzy hashing algorithms for Android malware analysis
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-05-13  DOI: 10.1016/j.fsidi.2024.301770  Vol. 49, Article 301770
Murray Fleming, Oluwafemi Olukoya

Fuzzy hashing has been utilised in digital forensics and malware analysis for malware detection, malware variant classification, file clustering, document similarity detection, embedded object detection and fragment detection. Previous research considered the efficacy of fuzzy hashing at a point in time for malware classification and did not specifically address the problem of malware evolution. Android malware presents a significant cybersecurity threat, and since malware is constantly mutating, a temporal analysis of the effectiveness of fuzzy hashing techniques for Android malware detection and classification contributes to understanding the value of fuzzy hashes in the evolution of malware. Through experimental examination, this study sought to determine whether or not fuzzy hashes are always effective, how quickly malware is evolving, and how malware evolution affects fuzzy hashing. Comparisons are made between the performance of different fuzzy hashing algorithms and the distinction between hashes at the file and class levels. Experiments with a known malware family and analysis of over 4500 APK files, including 100 benign samples, collected from 2012 to 2022, were conducted using various fuzzy hashing algorithms, file-level and section-level similarity hashing, symbolic and raw opcode hashing, and optimisations for improving fuzzy hashing comparisons. The performance of the methods was evaluated using detection and false positive rates. The results show that fuzzy hashing algorithms remain a valuable technique that demonstrates robustness to malware evolution with 10-year detection rates of over 80%.

Citations: 0
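As an added illustration of the technique the abstract evaluates (example code written for this page, not the authors' code or dataset): a minimal ssdeep-style context-triggered piecewise hash, a similarity score that, like ssdeep, awards nothing unless two signatures share a 7-character run, and a detection-rate / false-positive-rate evaluation over a constructed corpus. The "APKs" are seeded random byte strings, each family variant is the base sample with one 200-byte region rewritten (standing in for a patched method), and the window size, fixed block size and 40 % match threshold are assumptions for the illustration. A real evaluation would hash actual APK files, or their extracted DEX sections and opcode streams, as the paper's section-level and opcode-level variants do.

```python
"""ssdeep-style CTPH reduced to its essentials, plus an evaluation loop.
Added example for this page; corpus, block size and threshold are assumed."""
import random

WINDOW = 7          # rolling-hash window length, as in ssdeep
BLOCK_SIZE = 64     # fixed trigger modulus (ssdeep chooses this adaptively per file)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hash(window: bytes) -> int:
    """Hash of the last WINDOW bytes only, so chunk boundaries resynchronise a few
    bytes after any edit instead of shifting for the rest of the file."""
    h1 = sum(window)
    h2 = sum((WINDOW - i) * b for i, b in enumerate(window))
    h3 = 0
    for b in window:
        h3 = ((h3 << 5) ^ b) & 0xFFFFFFFF
    return (h1 + h2 + h3) & 0xFFFFFFFF


def fnv1a(data: bytes) -> int:
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def fuzzy_hash(data: bytes) -> str:
    """One base64 character per content-defined chunk."""
    sig, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1): i + 1]
        if rolling_hash(window) % BLOCK_SIZE == BLOCK_SIZE - 1:   # chunk boundary
            sig.append(ALPHABET[fnv1a(data[start:i + 1]) % 64])
            start = i + 1
    if start < len(data):                                         # trailing partial chunk
        sig.append(ALPHABET[fnv1a(data[start:]) % 64])
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100. As in ssdeep, two signatures must share a 7-character run before any
    score is awarded; that rule is what keeps unrelated files at 0."""
    if not any(sig_a[i:i + 7] in sig_b for i in range(len(sig_a) - 6)):
        return 0
    dist = levenshtein(sig_a, sig_b)
    return round(100 * (1 - dist / max(len(sig_a), len(sig_b))))


def make_corpus(seed=1234, size=4000, n_variants=5, n_unrelated=5):
    """Constructed stand-in for a family: a base sample, variants that each rewrite a
    different 200-byte region of it, and unrelated samples of the same size."""
    rng = random.Random(seed)
    base = bytes(rng.getrandbits(8) for _ in range(size))
    variants = []
    for k in range(n_variants):
        off = 300 + k * 700
        patch = bytes(rng.getrandbits(8) for _ in range(200))
        variants.append(base[:off] + patch + base[off + 200:])
    unrelated = [bytes(rng.getrandbits(8) for _ in range(size)) for _ in range(n_unrelated)]
    return base, variants, unrelated


def evaluate(threshold=40):
    """(detection rate over variants, false-positive rate over unrelated samples)."""
    base, variants, unrelated = make_corpus()
    ref = fuzzy_hash(base)
    detected = sum(similarity(ref, fuzzy_hash(v)) >= threshold for v in variants)
    false_pos = sum(similarity(ref, fuzzy_hash(u)) >= threshold for u in unrelated)
    return detected / len(variants), false_pos / len(unrelated)


if __name__ == "__main__":
    base, variants, unrelated = make_corpus()
    ref = fuzzy_hash(base)
    print("reference signature:", ref)
    for v in variants:
        print("variant   score", similarity(ref, fuzzy_hash(v)))
    for u in unrelated:
        print("unrelated score", similarity(ref, fuzzy_hash(u)))
    print("detection rate, false-positive rate:", evaluate())
```

Two properties worth noticing when reading the scores: a localized edit changes only the chunks it touches, so the rest of the signature survives and the variant scores high, while unrelated random data essentially never shares a 7-character run and scores exactly 0. Real ssdeep additionally picks the block size per file, so signatures computed at different block sizes are not directly comparable; that is one reason the paper's section-level and opcode-level hashes exist.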
Corrigendum to “So fresh, so clean: Cloud forensic analysis of the Amazon iRobot Roomba vacuum” [FSIDI 48 (2024) 301686]
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-05-04  DOI: 10.1016/j.fsidi.2024.301767  Vol. 49, Article 301767
Abdur Rahman Onik, Ruba Alsmadi, Ibrahim Baggili, Andrew M. Webb
Citations: 0
Automotive digital forensics through data and log analysis of vehicle diagnosis Android apps
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-05-03  DOI: 10.1016/j.fsidi.2024.301752  Vol. 49, Article 301752
Jiheon Jung, Sangchul Han, Minkyu Park, Seong-je Cho

Modern vehicles including smart cars have been equipped with many electronic devices such as electronic control units (ECUs), on-board diagnostics (OBD) systems, telematics and infotainment systems, gateways, sensors, etc. Because these devices create, transmit, and store a lot of digital data, modern vehicles are becoming a key source of digital evidence in vehicular forensics. In addition, some dedicated mobile apps can capture driving and diagnostic data from a vehicle via a Bluetooth-enabled OBD-II scanner. In this paper, we propose a new process for effective automotive forensics. It collects and analyzes three different types of data left on an Android phone which has been connected to the OBD-II port of a vehicle via Bluetooth communication. The three types of data are OBD-II Android apps' data, the Bluetooth HCI snoop log, and the main log buffer of the Android logging system. By analyzing them individually and in combination, we find the Bluetooth connection time, vehicle information, the MAC address of the OBD-II scanner, vehicle velocity, sharp speeding events, sudden braking events, refueling events, and so on. We also construct a timeline of Bluetooth traffic and driving events through timeline analysis, which can be used to determine the driver's behaviors in terms of vehicle forensics.

Citations: 0
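To show concretely how two of the three artifacts can be fused into one timeline, here is an added example (written for this page, not the paper's tooling). It parses the btsnoop file format Android writes for its HCI snoop log, picks out the HCI Connection Complete and Disconnection Complete events (which carry the peer's BD_ADDR, i.e. the scanner's MAC address), parses logcat `threadtime` lines from the main buffer for one app tag, derives a sudden-braking event from consecutive speed samples, and merges everything in time order. The app tag `OBDApp`, its log lines, the peer address, the VIN and the 15 km/h-per-second braking threshold are constructed for the example; the btsnoop epoch constant and the HCI event layouts come from the btsnoop format and the Bluetooth Core specification.

```python
"""Merge an Android btsnoop HCI log and logcat 'main' lines into one timeline.
Added example; fixture data (app tag, log lines, MAC, VIN, threshold) is constructed."""
import re
import struct
from datetime import datetime, timedelta, timezone

# btsnoop timestamps are microseconds since 0000-01-01; subtracting this constant
# (the same value Wireshark uses) converts them to microseconds since the Unix epoch.
BTSNOOP_EPOCH_DELTA_US = 0x00DCDDB30F2F8000
H4_EVENT = 0x04                    # H4 packet indicator for an HCI event
EVT_CONNECTION_COMPLETE = 0x03     # params: status(1) handle(2) BD_ADDR(6) link_type(1) enc(1)
EVT_DISCONNECTION_COMPLETE = 0x05  # params: status(1) handle(2) reason(1)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_us(dt: datetime) -> int:
    """Exact microseconds since the Unix epoch (integer arithmetic, no float rounding)."""
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1)


def parse_btsnoop(blob: bytes):
    """Yield (unix_us, incoming, payload) for each record of a btsnoop v1 / H4 file."""
    if blob[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != 1002:          # 1002 = HCI UART (H4), what Android writes
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off = 16
    while off + 24 <= len(blob):
        _orig, incl, flags, _drops, ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield ts - BTSNOOP_EPOCH_DELTA_US, bool(flags & 1), blob[off:off + incl]
        off += incl


def hci_link_events(blob: bytes):
    """Connection / Disconnection Complete events as (unix_us, source, description) rows."""
    rows = []
    for ts_us, _incoming, data in parse_btsnoop(blob):
        if len(data) < 3 or data[0] != H4_EVENT:
            continue
        code, plen = data[1], data[2]
        p = data[3:3 + plen]
        if code == EVT_CONNECTION_COMPLETE and plen == 11:
            handle = struct.unpack("<H", p[1:3])[0]
            mac = ":".join(f"{b:02X}" for b in p[3:9][::-1])     # BD_ADDR is little-endian on the wire
            rows.append((ts_us, "hci", f"connected handle=0x{handle:04x} peer={mac} status={p[0]}"))
        elif code == EVT_DISCONNECTION_COMPLETE and plen == 4:
            handle = struct.unpack("<H", p[1:3])[0]
            rows.append((ts_us, "hci", f"disconnected handle=0x{handle:04x} reason=0x{p[3]:02x}"))
    return rows


# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d)\.(\d{3})\s+\d+\s+\d+\s+[VDIWEF]\s+(\S+?)\s*:\s*(.*)$")


def logcat_rows(text: str, year: int, tag: str, tz=timezone.utc):
    """Rows for one app tag. logcat omits the year and time zone, so the examiner
    supplies both (assumed UTC here)."""
    rows = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m or m.group(7) != tag:
            continue
        mo, d, h, mi, s, ms, _tag, msg = m.groups()
        dt = datetime(year, int(mo), int(d), int(h), int(mi), int(s), int(ms) * 1000, tzinfo=tz)
        rows.append((to_us(dt), "logcat", msg))
    return rows


def braking_events(rows, max_decel_kmh_per_s=15.0):
    """Flag sudden braking between consecutive 'speed=<km/h>' samples (threshold assumed)."""
    samples = sorted((ts, int(m.group(1))) for ts, _src, msg in rows
                     for m in [re.search(r"speed=(\d+)", msg)] if m)
    out = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        dt_s = (t1 - t0) / 1_000_000
        if dt_s > 0 and (v0 - v1) / dt_s > max_decel_kmh_per_s:
            out.append((t1, "derived", f"sudden braking {v0}->{v1} km/h in {dt_s:.1f}s"))
    return out


def timeline(btsnoop_blob: bytes, logcat_text: str, year: int, tag="OBDApp"):
    rows = hci_link_events(btsnoop_blob) + logcat_rows(logcat_text, year, tag)
    rows += braking_events(rows)
    return sorted(rows)


def _btsnoop_record(ts_us: int, incoming: bool, payload: bytes) -> bytes:
    flags = (1 if incoming else 0) | 2            # bit0 = received, bit1 = command/event packet
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0,
                       ts_us + BTSNOOP_EPOCH_DELTA_US) + payload


def constructed_fixture():
    """Constructed btsnoop blob and logcat text standing in for a real extraction."""
    t0 = to_us(datetime(2024, 5, 3, 14, 2, 10, tzinfo=timezone.utc))
    peer = bytes.fromhex("001DA568988B")                         # constructed scanner address
    conn = (bytes([H4_EVENT, EVT_CONNECTION_COMPLETE, 11, 0x00]) + struct.pack("<H", 0x0001)
            + peer[::-1] + bytes([0x01, 0x00]))                 # ACL link, encryption off
    disc = bytes([H4_EVENT, EVT_DISCONNECTION_COMPLETE, 4, 0x00]) + struct.pack("<H", 0x0001) + bytes([0x16])
    blob = b"btsnoop\x00" + struct.pack(">II", 1, 1002)
    blob += _btsnoop_record(t0, True, conn) + _btsnoop_record(t0 + 60_000_000, True, disc)
    logcat = "\n".join([
        "05-03 14:02:11.482  4711  4711 I OBDApp  : ELM327 ready, VIN=TESTVIN0000000001",
        "05-03 14:02:40.000  4711  4730 D OBDApp  : pid=0D speed=92",
        "05-03 14:02:42.000  4711  4730 D OBDApp  : pid=0D speed=48",
        "05-03 14:02:44.000  4711  4730 D OBDApp  : pid=0D speed=45",
        "05-03 14:02:50.103  4711  4711 W BluetoothAdapter: unrelated line, different tag",
    ])
    return blob, logcat


if __name__ == "__main__":
    blob, logcat = constructed_fixture()
    for ts_us, src, msg in timeline(blob, logcat, 2024):
        print(datetime.fromtimestamp(ts_us / 1e6, timezone.utc).isoformat(), src, msg)
```

Two caveats the example makes visible: logcat carries neither a year nor a time zone, so the examiner must supply both and check them against the device's clock and zone settings, and btsnoop timestamps are taken from a different clock source than the app's own log lines, so small offsets between the two streams are expected. The actual OBD-II request/response traffic travels inside ACL data packets (RFCOMM over L2CAP), which this example does not decode.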
A hybrid artificial intelligence framework for enhancing digital forensic investigations of infotainment systems
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-04-29  DOI: 10.1016/j.fsidi.2024.301751  Vol. 49, Article 301751
Yasamin Fayyaz, Abdulaziz Almehmadi, Khalil El-Khatib

Infotainment systems in vehicles have become important sources of digital evidence in forensic investigations. Analyzing data from these systems can provide valuable insights into a suspect's activities and interactions. In this paper, we propose a hybrid artificial intelligence (AI) framework that combines unsupervised learning using K-means clustering and language model analysis to enhance the forensic analysis process. The proposed methodology was applied to two distinct datasets from Hyundai and Mitsubishi infotainment systems. In the Hyundai dataset, the recall for contact names and phone numbers improved by 18% and 3% respectively when compared to clustering alone. Similarly, in the Mitsubishi dataset, the recall of song names improved by 2%. In addition, this hybrid approach enabled the discovery of more forms of forensically-relevant data stored in the infotainment systems, such as geographical locations and connected devices, that would have been infeasible to find with either manual analysis or clustering alone. Despite the presence of some hallucinations, the combination of these techniques resulted in improved ease of analysis and increased recall, demonstrating the potential of this hybrid approach in forensic investigations.

Citations: 0
On the inadequacy of open-source application logs for digital forensics
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-04-25  DOI: 10.1016/j.fsidi.2024.301750  Vol. 49, Article 301750
Afiqah Azahari, Davide Balzarotti

This study explores the challenges of utilizing application logs for incident response or forensic analysis. Application logs have the potential to significantly enhance security analysis, as they sometimes provide information regarding user actions, error messages, and performance metrics of the application. Although these logs can offer vital information about user activities, errors, and application performance, their use for security needs to be better understood. We looked at the current logging implementation of 60 open-source applications. We checked the logs to see if they could help with five key security tasks: making timelines, linking events, separating different actions, spotting misuse, and detecting attacks. By examining source code, extracting log statements, and evaluating them for security relevance, we found that many logs lacked essential elements. Specifically, 29 applications omitted timestamps, which are crucial for identifying the timing of actions. Furthermore, logs frequently missed unique identifiers (UIDs) for event correlation, with 23 not noting UIDs for new activities. Inconsistent logging of user activities and an absence of logs detailing successful attacks indicate that current application logs need significant enhancements to be effective for security checks. The findings of our research suggest that current application logs are inadequately equipped for in-depth security analysis. Enhancements are imperative for their optimal utility. This investigation underscores the inherent challenges in leveraging logs for security and emphasizes the pressing need for refining logging methodologies.

Citations: 0
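An added example (written for this page, not the authors' tooling) of the kind of static check the study applied by hand: pull every logging call out of a source file with Python's `ast` module and test each against four of the needs named above: a timestamp (the stdlib formatter only prints one if it asks for `asctime`), an identifier that lets events be correlated, an actor identifier that separates one user's actions from another's, and an explicit outcome on security-relevant actions, without which misuse cannot be spotted. The sample application source and the keyword lists are constructed assumptions; a real run would walk a whole repository and would need per-framework rules for projects that do not use the stdlib logger.

```python
"""Static audit of logging statements for forensic usefulness.
Added example; SAMPLE_APP and the keyword sets are constructed assumptions."""
import ast
import re

LOG_METHODS = {"debug", "info", "warning", "warn", "error", "critical", "exception", "log"}
ACTOR_KEYS = {"user", "username", "user_id", "uid", "account", "principal"}            # assumed
CORRELATION_KEYS = {"request_id", "req_id", "session_id", "trace_id", "correlation_id"}  # assumed
OUTCOME_WORDS = re.compile(r"\b(ok|success\w*|fail\w*|denied|rejected|granted|invalid|error)\b", re.I)
SECURITY_WORDS = re.compile(
    r"\b(login|logout|auth\w*|password|token|permission|role|admin|delet\w*|upload\w*)\b", re.I)


def _names_in(node):
    """Identifiers, attribute names and string dict keys used in an expression, so that
    `username`, `request.user` and `extra={"user": ...}` all count as naming the actor."""
    names = set()
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            names.add(n.id)
        elif isinstance(n, ast.Attribute):
            names.add(n.attr)
        elif isinstance(n, ast.Dict):
            names |= {k.value for k in n.keys if isinstance(k, ast.Constant) and isinstance(k.value, str)}
    return names


def _static_text(node):
    """Literal parts of a message: plain strings, %-format strings, f-string fragments."""
    return " ".join(n.value for n in ast.walk(node)
                    if isinstance(n, ast.Constant) and isinstance(n.value, str))


def audit_source(src: str):
    """Return (findings sorted by line, formatter_has_timestamp)."""
    tree = ast.parse(src)
    # Crude proxy for 'the formatter prints a time': any string constant naming asctime.
    has_timestamp = any(isinstance(n, ast.Constant) and isinstance(n.value, str) and "asctime" in n.value
                        for n in ast.walk(tree))
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in LOG_METHODS):
            continue
        # message arguments plus the structured `extra=` dict, if any
        parts = list(node.args) + [kw.value for kw in node.keywords if kw.arg == "extra"]
        names = set().union(*(_names_in(p) for p in parts)) if parts else set()
        text = " ".join(_static_text(a) for a in node.args)
        security_relevant = bool(SECURITY_WORDS.search(text))
        gaps = []
        if not names & ACTOR_KEYS:
            gaps.append("actor")
        if not names & CORRELATION_KEYS:
            gaps.append("correlation_id")
        if security_relevant and not OUTCOME_WORDS.search(text):
            gaps.append("outcome")
        findings.append({"line": node.lineno, "level": node.func.attr, "text": text.strip(),
                         "security_relevant": security_relevant, "gaps": gaps})
    return sorted(findings, key=lambda f: f["line"]), has_timestamp


def summarize(src: str):
    """Per-application counts in the spirit of the study's tallies."""
    findings, has_timestamp = audit_source(src)
    return {
        "statements": len(findings),
        "timestamped": has_timestamp,
        "missing_actor": sum("actor" in f["gaps"] for f in findings),
        "missing_correlation_id": sum("correlation_id" in f["gaps"] for f in findings),
        "security_without_outcome": sum("outcome" in f["gaps"] for f in findings),
    }


# Constructed application source with typical gaps: no asctime in the formatter,
# a destructive action logged without actor or outcome, a role change without a result.
SAMPLE_APP = '''
import logging
logging.basicConfig(format="%(levelname)s %(name)s: %(message)s")
log = logging.getLogger("webapp")

def login(request, username, password):
    if not check_password(username, password):
        log.warning("login failed for %s", username)
        return False
    log.info("login ok", extra={"user": username, "request_id": request.id})
    return True

def delete_file(request, path):
    log.debug("deleting %s", path)
    storage.remove(path)

def change_role(request, target, role):
    log.info(f"role of {target} changed to {role} by {request.user}")
'''

if __name__ == "__main__":
    findings, has_timestamp = audit_source(SAMPLE_APP)
    print("formatter prints a timestamp:", has_timestamp)
    for f in findings:
        print(f"line {f['line']:>3} {f['level']:<8} gaps={f['gaps']}  {f['text']!r}")
    print(summarize(SAMPLE_APP))
```

The checks are deliberately lexical: a log line that names `request.user` is treated as carrying an actor even though nothing guarantees that value is the authenticated principal, and a string match on `asctime` says nothing about which clock or time zone the timestamp records. Both are the kinds of question the study's manual review had to settle case by case.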
A dual descriptor combined with frequency domain reconstruction learning for face forgery detection in deepfake videos
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-04-18  DOI: 10.1016/j.fsidi.2024.301747  Vol. 49, Article 301747
Xin Jin, Nan Wu, Qian Jiang, Yuru Kou, Hanxian Duan, Puming Wang, Shaowen Yao

Conventional face forgery detectors have primarily relied on image artifacts produced by deepfake video generation models. These methods have performed well when the training and test sets were derived from the same deepfake algorithm, but accuracy and generalizability remain a challenge for diverse datasets. In this study, both supervised and unsupervised approaches are proposed for more accurate detection in in-domain and cross-domain experiments. Specifically, two descriptors are introduced to extract rich information in the spatial domain to achieve higher accuracy. A frequency domain reconstruction module is then included to expand the representation space for facial features. A reconstruction method based on an auto-encoder was also applied to obtain a frequency domain coding vector. In this process, reconstruction learning was sufficient for extracting unknown information, while a combination with classification learning provided essential high-frequency pixel differences between real and fake samples, thus facilitating forgery identification. A series of validation experiments with large-scale benchmark datasets demonstrated that the proposed technique was superior to existing methods.

Citations: 0
Comparative study of IoT forensic frameworks
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-04-04  DOI: 10.1016/j.fsidi.2024.301748  Vol. 49, Article 301748
Haroon Mahmood, Maliha Arshad, Irfan Ahmed, Sana Fatima, Hafeez ur Rehman

Internet of Things (IoT) systems often consist of heterogeneous, resource-constrained devices that generate massive amounts of data. This data is important for assessments, behaviour analysis, and decision-making. However, IoT devices are also susceptible to cyber-attacks, such as information theft, personal device intervention, and privacy invasion. In case of an incident, these devices are subject to digital forensic investigation to identify and analyze crimes and misuse. Over the years, several forensic frameworks and techniques have been proposed to facilitate the investigation of IoT networks and devices, but finding a perfect solution that covers the diversity of IoT devices and networks is still a research challenge.

In this study, we present a comparative analysis of existing forensic investigation frameworks and identify their strengths and weaknesses in handling forensic challenges of IoT devices. The study uses evaluation metrics of ten important parameters, including heterogeneity, scalability, and chain of custody, to thoroughly audit the effectiveness of these models. Our analysis concludes that the existing investigation frameworks do not cater to all requirements and aspects of IoT forensics. It further highlights the need for standard mechanisms to acquire and analyze digital artifacts in IoT devices.

Citations: 0
Letter to editor regarding article, “digital forensics in healthcare: An analysis of data associated with a CPAP machine”
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-03-29  DOI: 10.1016/j.fsidi.2024.301749  Vol. 49, Article 301749
Nishchal Soni, Chitra Barotia
Citations: 0
Artificial intelligence in mobile forensics: A survey of current status, a use case analysis and AI alignment objectives
IF 2.0  Zone 4 (Medicine)  Pub Date: 2024-03-22  DOI: 10.1016/j.fsidi.2024.301737  Vol. 49, Article 301737
Alexandros Vasilaras, Nikolaos Papadoudis, Panagiotis Rizomiliotis

As the capabilities and utility of Artificial Intelligence and Machine Learning systems continue to improve, they are expected to have an increasingly powerful influence on the digital forensic investigation process. The concurrent proliferation of mobile devices and the rapid increase in the forensic value of related artifacts create the requirement for a comprehensive review of the current status of artificial intelligence software usage and usefulness in Mobile Forensics. In this context, we conducted a survey to evaluate the characteristics and properties of AI functions in mobile forensic software from the practitioners' perspective and to enhance understanding of the work in the field. In this study, we evaluated the performance of image categorization software in digital forensics using a variety of evaluation metrics including accuracy, precision, recall, and F1-score, as well as the confusion matrix. In this research we also identify and integrate theoretical principles to conceptualize an AI Alignment framework pertaining to Mobile Forensics and Digital Forensics in general, in order to accurately determine specific AI strategy objectives and potential solutions to the current technical and administrative landscape. We emphasized the importance of interpretability and transparency in AI systems and the need for a comprehensive approach to understanding the reasoning behind the software's decisions. Additionally, we highlighted the importance of robustness in image categorization software, as well as the consideration of AI governance and standardized procedures concepts. Our results show that the accuracy and robustness of the image categorization software have a significant impact on the outcome of legal cases and that the software should be designed with interpretability, transparency, and robustness in mind. Through the examination of the survey responses, the evaluation of the image categorization software and the research literature, we explore existing and potential approaches to aligned Artificial Intelligence and analyze their contribution to the forensic examination of cases.

随着人工智能和机器学习系统的能力和实用性不断提高,预计它们将在数字取证调查过程中产生越来越强大的影响。同时,移动设备的激增和相关人工制品取证价值的快速增长,要求对人工智能软件在移动取证中的使用和实用性现状进行全面审查。在此背景下,我们开展了一项调查,从从业人员的角度评估移动取证软件中人工智能功能的特点和属性,加深对该领域工作的理解。在这项研究中,我们使用准确率、精确度、召回率和 F1 分数以及混淆矩阵等多种评价指标评估了数字取证中图像分类软件的性能。在这项研究中,我们还确定并整合了理论原则,构思了与移动取证和一般数字取证相关的人工智能对齐框架,以准确确定具体的人工智能战略目标和当前技术与管理环境下的潜在解决方案。我们强调了人工智能系统可解释性和透明度的重要性,并强调需要采用综合方法来理解软件决策背后的推理。此外,我们还强调了图像分类软件稳健性的重要性,以及对人工智能管理和标准化程序概念的考虑。我们的研究结果表明,图像分类软件的准确性和稳健性对法律案件的结果有重大影响,软件的设计应考虑到可解释性、透明度和稳健性。通过对调查反馈、图像分类软件评估和研究文献的研究,我们探索了现有和潜在的人工智能调整方法,并分析了它们对案件法证检验的贡献。
Alexandros Vasilaras, Nikolaos Papadoudis, Panagiotis Rizomiliotis. "Artificial intelligence in mobile forensics: A survey of current status, a use case analysis and AI alignment objectives." Forensic Science International-Digital Investigation, vol. 49, Article 301737, published 2024-03-22. DOI: 10.1016/j.fsidi.2024.301737
Citations: 0
Video source camera identification using fusion of texture features and noise fingerprint
IF 2, Zone 4 (Medicine), Pub Date: 2024-03-18, DOI: 10.1016/j.fsidi.2024.301746
Tigga Anmol, K. Sitara

In video forensics, the objective of Source Camera Identification (SCI) is to identify and verify the origin of a video that is under investigation. This aids the investigator in tracing the video to its owner or narrowing down the search space for identifying the offender. Nowadays, it is easy to record and share videos via the internet or social media with smartphones. The availability of sophisticated video editing tools and software allows offenders to modify a video's context. Thus, identifying the source camera that was used to capture the video becomes complicated and strenuous. Existing methods based on video metadata are no longer reliable, as metadata can be modified or stripped off. Better forensic procedures are therefore required to prove the authenticity and integrity of a video that will be used as evidence in a court of law. Certain inherent camera sensor properties, such as subtle traces of Photo Response Non-Uniformity (PRNU), are present in all captured videos due to unnoticeable defects introduced during the manufacture of the camera's sensor. Because these properties are unique, they are used in SCI to classify devices or models. In this work, we focus on SCI from videos, or Video Source Camera Identification (VSCI), to verify the authenticity of videos. PRNU can be affected by highly textured content or post-processing when computed from a set of flat-field images. To mitigate these effects, Higher Order Wavelet Statistics (HOWS) information from the PRNU of a video I-frame is combined with information from two other texture features, i.e., Local Binary Pattern (LBP) and Gray Level Co-occurrence Matrix (GLCM). The extracted feature vectors are fused via concatenation and fed to a Support Vector Machine (SVM) classifier to perform training and testing for VSCI. Experimental evaluation of our proposed method on videos from different publicly available datasets shows the effectiveness of our method in terms of accuracy, resource efficiency, and complexity.

Tigga Anmol, K. Sitara. "Video source camera identification using fusion of texture features and noise fingerprint." Forensic Science International-Digital Investigation, vol. 49, Article 301746, published 2024-03-18. DOI: 10.1016/j.fsidi.2024.301746
Citations: 0
Copyright © 2023 Book学术 All rights reserved.