
Forensic Science International-Digital Investigation: latest articles

Letter to editor regarding article, "The effects of document's format, size, and storage media on memory forensics"
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-14, DOI: 10.1016/j.fsidi.2024.301745
Nishchal Soni
{"title":"Letter to editor regarding article, “The effects of document's format, size, and storage media on memory forensics”","authors":"Nishchal Soni","doi":"10.1016/j.fsidi.2024.301745","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301745","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"49 ","pages":"Article 301745"},"PeriodicalIF":2.0,"publicationDate":"2024-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140122260","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
ECo-Bag: An elastic container based on merkle tree as a universal digital evidence bag
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-13, DOI: 10.1016/j.fsidi.2024.301725
Jaehyeok Han , Mee Lan Han , Sangjin Lee , Jungheum Park

Unique traits generated automatically or artificially, such as firewall logs, OS event logs, and various metadata, are well hidden in digital evidence and cannot be easily perceived by the investigator in some cases. Digital data is invisible, and it is necessary that attention is focused on traditional management with integrity because of the involvement of various stakeholders in the secure preservation and analysis of the forensic process. Similar to file formats, digital evidence bags (DEBs), such as E01 and L01, are widely used to contain digital data for certain facilities in a raw format, which also includes metadata. The DEB can provide a way to obtain data through selective imaging, extracting and collecting only the parts necessary from the extensive data for proof. However, it cannot flexibly handle information obtained from large amounts of data or when sensitive data is involved, nor destroy superfluous materials that must be protected. Therefore, in this study, we propose a new container format based on the Merkle tree, which is used as a universal DEB. The proposed ECo-Bag can store physical and logical images from the storage medium, bit streams transmitted over networks, file segments in the cloud or distributed system, secondary outcomes, and metadata. Furthermore, it can support operations to destruct or seal the data initially collected while verifying the data integrity and tracking the provenance within the chain of custody. Thus, it is expected to contribute to the elastic management of addition and deletion of evidence in digital investigation and e-discovery.

{"title":"ECo-Bag: An elastic container based on merkle tree as a universal digital evidence bag","authors":"Jaehyeok Han ,&nbsp;Mee Lan Han ,&nbsp;Sangjin Lee ,&nbsp;Jungheum Park","doi":"10.1016/j.fsidi.2024.301725","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301725","url":null,"abstract":"<div><p>Unique traits generated automatically or artificially, such as firewall logs, OS event logs, and various metadata, are well hidden in the digital evidence that cannot be easily perceived by the investigator in some cases. Digital data is invisible, and it is necessary that attention is focused on traditional management with integrity because of the involvement of various stakeholders in the secure preservation and analysis of the forensic process. Similar to file formats, digital evidence bags (DEB), such as E01 and L01, are widely used to contain digital data for certain facilities in a raw format, which also include metadata. The DEB can provide a way to obtain data through selective imaging, extracting and collecting only the parts necessary from the extensive data for proof. However, it cannot flexibly handle information obtained from large amounts of data or when sensitive data is involved or destroy superfluous materials that must be protected. Therefore, in this study, we propose a new container format based on the Merkle tree, which is used as a universal DEB. The proposed ECo-Bag can store physical and logical images from the storage medium, bit streams transmitted over networks, file segments in the cloud or distributed system, secondary outcomes, and metadata. Furthermore, it can support operations to destruct or seal the data initially collected while verifying the data integrity and tracking the provenance within the chain of custody. 
Thus, it is expected to contribute to the elastic management of addition and deletion of evidence in digital investigation and e-discovery.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"49 ","pages":"Article 301725"},"PeriodicalIF":2.0,"publicationDate":"2024-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140122261","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
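The property the abstract leans on (items can be destructed or sealed after collection while the remaining items, and the root hash recorded in the chain of custody, still verify) follows from the Merkle construction itself. The following is an added illustration, not the ECo-Bag format or code from the paper: a minimal evidence container whose items are Merkle leaves, with inclusion proofs, a custody log, and a destruct operation that drops an item's bytes but keeps its leaf hash. The evidence items, the custody-log layout and the 0x00/0x01 domain-separation prefixes are choices made here for illustration.

```python
"""Merkle-tree evidence container: integrity, inclusion proofs, redaction.

Added example, not the ECo-Bag format from the paper. An item can be
destructed (its bytes dropped) after sealing while the surviving items,
and the sealed root hash, still verify. Evidence items are constructed.
"""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(data: bytes) -> bytes:
    # 0x00/0x01 prefixes keep leaves and inner nodes in separate domains (RFC 6962 style)
    return _h(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_levels(leaf_hashes):
    """Bottom-up levels of the tree; an unpaired node is carried up unchanged."""
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaf_hashes) -> bytes:
    return build_levels(leaf_hashes)[-1][0] if leaf_hashes else _h(b"")


def inclusion_proof(leaf_hashes, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in build_levels(leaf_hashes)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, expected_root: bytes) -> bool:
    cur = leaf
    for sib, sib_is_left in proof:
        cur = node_hash(sib, cur) if sib_is_left else node_hash(cur, sib)
    return cur == expected_root


class EvidenceBag:
    """Items plus their leaf hashes; a destructed item keeps only its hash."""

    def __init__(self):
        self.items = []     # bytes, or None once destructed
        self.leaves = []    # leaf hashes, retained for every item ever added
        self.custody = []   # (action, root hex): the provenance trail

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def _log(self, action):
        self.custody.append((action, self.root().hex()))

    def add(self, data: bytes) -> int:
        self.items.append(data)
        self.leaves.append(leaf_hash(data))
        self._log("add")
        return len(self.items) - 1

    def seal(self) -> bytes:
        self._log("seal")
        return self.root()

    def destruct(self, index: int):
        """Drop one item's bytes; the root is unchanged because its leaf hash stays."""
        self.items[index] = None
        self._log("destruct")

    def proof(self, index: int):
        return inclusion_proof(self.leaves, index)

    def verify(self, sealed_root: bytes) -> bool:
        """Root must equal the sealed value and every surviving item must match its leaf."""
        if self.root() != sealed_root:
            return False
        return all(item is None or leaf_hash(item) == leaf
                   for item, leaf in zip(self.items, self.leaves))


if __name__ == "__main__":
    bag = EvidenceBag()
    for blob in (b"firewall.log", b"auth.log", b"capture.pcap", b"mem.raw", b"meta.json"):
        bag.add(blob)   # constructed stand-ins for collected artefacts
    sealed = bag.seal()
    bag.destruct(3)     # e.g. the memory image holds privileged material
    print("verifies after destruct:", bag.verify(sealed))
    print("auth.log still provable:", verify_inclusion(leaf_hash(b"auth.log"), bag.proof(1), sealed))
```

The proof for a surviving item is independent of whether other items have been destructed, which is what lets a bag be handed on with selected items removed and still be checked against the sealed root; destruction of an item is itself logged as a custody event with the (unchanged) root.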
Some areas where digital forensics can support the addressing of legal challenges linked to forensic genetic genealogy
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-07, DOI: 10.1016/j.fsidi.2024.301696
Mònika Nogel

Forensic genetic genealogy (FGG), also known as investigative genetic genealogy (IGG), produces investigative leads in criminal cases where unidentified DNA is discovered at the crime scene and does not match any profiles in criminal databases. It works by comparing crime scene DNA samples to public or private genealogical databases to identify potential familial relationships and narrow down suspects or identify unknown individuals. Although the fields of FGG and digital forensics (DF) work with different types of evidence and techniques, and consequently develop independently, they share several common characteristics. This study aims to demonstrate that despite their independent development and differences, the experiences of progress in the DF field can be utilized in some respects, especially concerning the protection of the rights of the individuals concerned. The aim of this article is to outline some areas where DF can provide assistance in dealing with ethical and social challenges that FGG must address.

{"title":"Some areas where digital forensics can support the addressing of legal challenges linked to forensic genetic genealogy","authors":"Mònika Nogel","doi":"10.1016/j.fsidi.2024.301696","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301696","url":null,"abstract":"<div><p>Forensic genetic genealogy (FGG), also known as investigative genetic genealogy (IGG), produces investigative leads in criminal cases where unidentified DNA is discovered at the crime scene and does not match any profiles in criminal databases. It works by comparing crime scene DNA samples to public or private genealogical databases to identify potential familial relationships and narrow down suspects or identify unknown individuals. Although the fields of FGG and digital forensics (DF) work with different types of evidence and techniques, and consequently develop independently, they share several common characteristics. This study aims to demonstrate that despite their independent development and differences, the experiences of progress in DF field can be utilized in some respects, especially concerning the protection of the rights of the individuals concerned. The aim of this article is to outline some areas where DF can provide assistance in dealing with ethical and social challenges that FGG must address.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"49 ","pages":"Article 301696"},"PeriodicalIF":2.0,"publicationDate":"2024-03-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140052429","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
WARNE: A stalkerware evidence collection tool
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/j.fsidi.2023.301677
Philippe Mangeard, Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef

Intimate partner violence (IPV) is a form of abuse in romantic relationships, more frequently against the female partner. IPV can vary in severity and frequency, ranging from emotional abuse or stalking to recurring and severe violent episodes over a long period. Easy access to stalkerware apps helps foster such behaviors by allowing non-tech-savvy individuals to spy on their victims. These apps offer features for discreetly monitoring and remotely controlling compromised mobile devices, thereby infringing the victim's privacy and the security of their data. In this work, we investigate methods for gathering evidence about an abuser and the stalkerware they employ on a victim's device. We develop a semi-automated tool intended for use by investigators, helping them to analyze Android phones for potential threats in cases of IPV stalkerware. As a first step towards this goal, we perform an experimental privacy and security study to investigate currently available stalkerware apps. We specifically study the vectors through which vulnerabilities found in stalkerware apps could be exploited by investigators, allowing them to gather information about the IPV services, IPV abusers, and the victims' stolen data. We then design and implement a tool called WARNE, leveraging the identified flaws to facilitate the information and evidence collection process. In our experiments, we identified 50 unique stalkerware apps and their corresponding download websites that are still reachable, including one available on the Google Play Store. Among these apps, we found 30 that were free or offered a free trial. We enumerated and experimentally verified several invasive capabilities offered by these apps to clearly identify the severe privacy risks posed by them. We also found that most stalkerware apps store private information locally on the compromised device, potentially giving away information about the abuser. Our evidence-gathering tool found data related to the abuser and/or the stalkerware company, such as account credentials, dashboard URLs, and API tokens in 20 apps out of 30 tested apps. We hope our tool will help IPV victims and investigators against the growing threat of stalkerware abuse.

{"title":"WARNE: A stalkerware evidence collection tool","authors":"Philippe Mangeard,&nbsp;Bhaskar Tejaswi,&nbsp;Mohammad Mannan,&nbsp;Amr Youssef","doi":"10.1016/j.fsidi.2023.301677","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301677","url":null,"abstract":"<div><p>Intimate partner violence (IPV) is a form of abuse in romantic relationships, more frequently, against the female partner. IPV can vary in severity and frequency, ranging from emotional abuse or stalking to recurring and severe violent episodes over a long period. Easy access to stalkerware apps helps foster such behaviors by allowing non-tech-savvy individuals to spy on their victims. These apps offer features for discreetly monitoring and remotely controlling compromised mobile devices, thereby infringing the victim's privacy and the security of their data. In this work, we investigate methods for gathering evidence about an abuser and the stalkerware they employ on a victim's device. We develop a semi-automated tool intended for use by investigators, helping them to analyze Android phones for potential threats in cases of IPV stalkerware. As a first step towards this goal, we perform an experimental privacy and security study to investigate currently available stalkerware apps. We specifically study the vectors through which vulnerabilities found in stalkerware apps could be exploited by investigators, allowing them to gather information about the IPV services, IPV abusers, and the victims' stolen data. We then design and implement a tool called <span>WARNE</span>, leveraging the identified flaws to facilitate the information and evidence collection process. In our experiments, we identified 50 unique stalkerware apps and their corresponding download websites that are still reachable, including one available on the Google Play Store. Among these apps, we found 30 that were free or offered a free trial. 
We enumerated and experimentally verified several invasive capabilities offered by these apps to clearly identify the severe privacy risks posed by them. We also found that most stalkerware apps store private information locally on the compromised device, potentially giving away information about the abuser. Our evidence-gathering tool found data related to the abuser and/or the stalkerware company, such as account credentials, dashboard URLs, and API tokens in 20 apps out of 30 tested apps. We hope our tool will help IPV victims and investigators against the growing threat of stalkerware abuse.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"48 ","pages":"Article 301677"},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001968/pdfft?md5=1b6f141e02aa6980d7dac8f91ca37e2d&pid=1-s2.0-S2666281723001968-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134333","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
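The abstract's central finding is that stalkerware keeps abuser-linked material (account credentials, dashboard URLs, API tokens) in the app's own local storage on the compromised device. The triage below is an added example, not the WARNE tool: it scans the two storage forms an Android app most commonly writes to its private data directory, a shared_prefs XML file and a SQLite database, and labels values that look like credentials, e-mail addresses, URLs, JWTs or high-entropy tokens. The package, keys, table layout and every value are constructed sample data; the regular expressions are heuristics chosen here, not anything from the paper.

```python
"""Triage an Android app's private storage for abuser-linked artefacts.

Added example; this is NOT the WARNE tool from the paper. It mirrors the
abstract's observation that stalkerware keeps account credentials,
dashboard URLs and API tokens in local app storage, and scans the two most
common stores (shared_prefs XML and SQLite). All sample data is constructed.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for /data/data/<pkg>/shared_prefs/<name>.xml (hypothetical app)
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_email">abuser.example@example.com</string>
    <string name="login_pass">hunter2</string>
    <string name="dashboard_url">https://dashboard.example.net/panel/12345</string>
    <string name="api_token">eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEyMzQ1fQ.AbCdEfGhIjKlMnOpQrStUvWxYz012345</string>
    <boolean name="hide_icon" value="true" />
    <int name="upload_interval" value="300" />
</map>
"""

SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|api[_-]?key|login|user|account", re.I)
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HIGH_ENTROPY_RE = re.compile(r"[A-Fa-f0-9]{32,}|[A-Za-z0-9+/_-]{40,}={0,2}")


def classify(key, value):
    """Label a key/value pair by its strongest indicator, or None if benign."""
    if JWT_RE.search(value):
        return "jwt"
    if URL_RE.search(value):
        return "url"
    if EMAIL_RE.search(value):
        return "email"
    if SENSITIVE_KEY.search(key):
        return "credential"
    if HIGH_ENTROPY_RE.fullmatch(value):
        return "high_entropy"
    return None


def scan_shared_prefs(xml_text, source="shared_prefs"):
    """Walk an Android shared_prefs <map>; return (source, key, kind, value) tuples."""
    findings = []
    for el in ET.fromstring(xml_text):
        key = el.get("name", "")
        # <string> carries its value as text; <boolean>/<int>/<long> use a value= attribute
        value = el.get("value") if el.get("value") is not None else (el.text or "")
        kind = classify(key, value)
        if kind:
            findings.append((source, key, kind, value))
    return findings


def scan_sqlite(conn, source="db"):
    """Scan every text cell of every user table; the key is table.column."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, cell in zip(cols, row):
                if not isinstance(cell, str):
                    continue
                kind = classify(f"{table}.{col}", cell)
                if kind:
                    findings.append((source, f"{table}.{col}", kind, cell))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for the app's SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings (k TEXT, v TEXT);
        INSERT INTO settings VALUES
            ('device_id', '3f2a9c1d5e7b8a4f6c0d2e1b9a8f7c6d'),
            ('upload_endpoint', 'https://api.example.net/v1/upload'),
            ('owner_account', 'abuser.example@example.com');
        CREATE TABLE sms_log (id INTEGER, body TEXT);
        INSERT INTO sms_log VALUES (1, 'see you at 6');
    """)
    return conn


def triage(xml_text, conn):
    """Combine both scans, most actionable kinds first."""
    order = {"credential": 0, "jwt": 1, "email": 2, "url": 3, "high_entropy": 4}
    found = scan_shared_prefs(xml_text) + scan_sqlite(conn)
    return sorted(found, key=lambda f: order[f[2]])


if __name__ == "__main__":
    for src, key, kind, value in triage(SAMPLE_SHARED_PREFS, build_sample_db()):
        print(f"{src:12} {kind:12} {key:24} {value[:48]}")
```

On a real extraction the inputs would be files pulled from the app's data directory of a seized device, and the output is a starting point for an investigator rather than evidence in itself: a dashboard URL or JWT still has to be tied to the abuser's account through the service, and anything that looks like a credential should be preserved, not used, until the legal basis for accessing the remote service is settled.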
FAIRness in digital forensics datasets' metadata – and how to improve it
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/j.fsidi.2023.301681
Samuele Mombelli , James R. Lyle , Frank Breitinger

The availability of research data (datasets) and compliance with FAIR principles—Findability, Accessibility, Interoperability, and Reusability—is critical to progressing digital forensics. This study evaluates metadata completeness and assesses the alignment with the FAIR principles using all 212 datasets from NIST's Computer Forensic Reference DataSet Portal (CFReDS). The findings underscore deficiencies in metadata quality and FAIR compliance, emphasizing the need for improved data management standards. Based on our critical review, we then propose and discuss various approaches to improve the status quo.

{"title":"FAIRness in digital forensics datasets’ metadata – and how to improve it","authors":"Samuele Mombelli ,&nbsp;James R. Lyle ,&nbsp;Frank Breitinger","doi":"10.1016/j.fsidi.2023.301681","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301681","url":null,"abstract":"<div><p>The availability of research data (datasets) and compliance with FAIR principles—Findability, Accessibility, Interoperability, and Reusability—is critical to progressing digital forensics. This study evaluates metadata completeness and assesses the alignment with the FAIR principles using all 212 datasets from NIST's Computer Forensic Reference DataSet Portal (CFReDS). The findings underscore deficiencies in metadata quality and FAIR compliance, emphasizing the need for improved data management standards. Based on our critical review, we then propose and discuss various approaches to improve the status quo.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"48 ","pages":"Article 301681"},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002007/pdfft?md5=178027a9ec5ec54778a3d61f51e304b0&pid=1-s2.0-S2666281723002007-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134335","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
Ensuring cross-device portability of electromagnetic side-channel analysis for digital forensics
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/j.fsidi.2023.301684
Lojenaa Navanesan , Nhien-An Le-Khac , Mark Scanlon , Kasun De Zoysa , Asanka P. Sayakkara

Investigation on smart devices has become an essential subdomain in digital forensics. The inherent diversity and complexity of smart devices pose a challenge to the extraction of evidence without physically tampering with it, which is often a strict requirement in law enforcement and legal proceedings. Recently, this has led to the application of non-intrusive Electromagnetic Side-Channel Analysis (EM-SCA) as an emerging approach to extract forensic insights from smart devices. EM-SCA for digital forensics is still in its infancy, and has only been tested on a small number of devices so far. Most importantly, the question still remains whether Machine Learning (ML) models in EM-SCA are portable across multiple devices to be useful in digital forensics, i.e., cross-device portability. This study experimentally explores this aspect of EM-SCA using a wide set of smart devices. The experiments using various iPhones and Nordic Semiconductor nRF52-DK devices indicate that the direct application of pre-trained ML models across multiple identical devices does not yield optimal outcomes (under 20 % accuracy in most cases). Subsequent experiments included collecting distinct samples of EM traces from all the devices to train new ML models with mixed device data; this also fell short of expectations (still below 20 % accuracy). This prompted the adoption of transfer learning techniques, which showed promise for cross-model implementations. In particular, for the iPhone 13 and nRF52-DK devices, applying transfer learning techniques resulted in achieving the highest accuracy, with accuracy scores of 98 % and 96 %, respectively. This result makes a significant advancement in the application of EM-SCA to digital forensics by enabling the use of pre-trained models across identical or similar devices.

{"title":"Ensuring cross-device portability of electromagnetic side-channel analysis for digital forensics","authors":"Lojenaa Navanesan ,&nbsp;Nhien-An Le-Khac ,&nbsp;Mark Scanlon ,&nbsp;Kasun De Zoysa ,&nbsp;Asanka P. Sayakkara","doi":"10.1016/j.fsidi.2023.301684","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301684","url":null,"abstract":"<div><p>Investigation on smart devices has become an essential subdomain in digital forensics. The inherent diversity and complexity of smart devices pose a challenge to the extraction of evidence without physically tampering with it, which is often a strict requirement in law enforcement and legal proceedings. Recently, this has led to the application of non-intrusive Electromagnetic Side-Channel Analysis (EM-SCA) as an emerging approach to extract forensic insights from smart devices. EM-SCA for digital forensics is still in its infancy, and has only been tested on a small number of devices so far. Most importantly, the question still remains whether Machine Learning (ML) models in EM-SCA are portable across multiple devices to be useful in digital forensics, i.e., <em>cross-device portability</em>. This study experimentally explores this aspect of EM-SCA using a wide set of smart devices. The experiments using various iPhones and Nordic Semiconductor nRF52-DK devices indicate that the direct application of pre-trained ML models across multiple identical devices does not yield optimal outcomes (under 20 % accuracy in most cases). Subsequent experiments included collecting distinct samples of EM traces from all the devices to train new ML models with mixed device data; this also fell short of expectations (still below 20 % accuracy). This prompted the adoption of transfer learning techniques, which showed promise for cross-model implementations. 
In particular, for the iPhone 13 and nRF52-DK devices, applying transfer learning techniques resulted in achieving the highest accuracy, with accuracy scores of 98 % and 96 %, respectively. This result makes a significant advancement in the application of EM-SCA to digital forensics by enabling the use of pre-trained models across identical or similar devices.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"48 ","pages":"Article 301684"},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002032/pdfft?md5=f602da7e26538dab7cb8dc04dbd22b4a&pid=1-s2.0-S2666281723002032-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133966","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
Ubi est indicium? On forensic analysis of the UBI file system
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/j.fsidi.2023.301689
Matthias Deutschmann, Harald Baier

Crimes involving Internet of Things (IoT) or embedded devices like drones are on the rise. A widespread class of file systems for storing data on embedded devices are flash file systems (FFS). FFS are optimized to manage conceptual limitations and characteristics of raw flash memory, i.e., memory that is not managed by an additional hardware controller that hides the characteristics of flash (called the Flash Translation Layer). Thus, FFS incorporate mechanisms and structures, which are not part of traditional block-based file systems like NTFS, APFS, or ExtX. Regarding analyses of FFS-based embedded devices, digital forensics tools handling FFS are needed. Unfortunately, currently available tools are not able to analyze FFS or raw flash images in general. In this paper, we provide a concept and an open-source implementation of a digital forensics tool bridging this gap for the widespread UBI File System. Our concept is inspired by the well-known Sleuth Kit and reflects the different abstraction layers of a digital forensics analysis (e.g., the storage device level, the volume level, the file system level). We provide an open-source tool of our concept, which we call UBI Forensic Toolkit (UBIFT). In contrast to previous work, UBIFT is able to parse file system structures like the directory tree or the UBIFS journal to recover deleted files including the respective metadata. We show the usefulness of UBIFT by a twofold evaluation: we first apply our tool to a publicly available Internet camera flash dump to perform a forensically sound analysis of the flash device. Our second evaluation comprises both a methodology for creating adaptable flash dumps in general and the comparison of our tool to competitors with similar functionality on the basis of self-generated flash dumps. Finally, we address the usability aspect of UBIFT by providing an Autopsy plugin of our tool.

{"title":"Ubi est indicium? On forensic analysis of the UBI file system","authors":"Matthias Deutschmann,&nbsp;Harald Baier","doi":"10.1016/j.fsidi.2023.301689","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301689","url":null,"abstract":"<div><p>Crimes involving Internet of Things (IoT) or embedded devices like drones are on the rise. A widespread class of file systems for storing data on embedded devices are flash file systems (FFS). FFS are optimized to manage conceptual limitations and characteristics of raw flash memory, i.e., memory that is not managed by an additional hardware controller that hides the characteristics of flash (called the Flash Translation Layer). Thus, FFS incorporate mechanisms and structures, which are not part of traditional block-based file systems like NTFS, APFS, or ExtX. Regarding analyses of FFS-based embedded devices, digital forensics tools handling FFS are needed. Unfortunately, currently available tools are not able to analyze FFS or raw flash images in general. In this paper, we provide a concept and an open-source implementation of a digital forensics tool bridging this gap for the widespread UBI File System. Our concept is inspired by the well-known Sleuth Kit and reflects the different abstraction layers of a digital forensics analysis (e.g., the storage device level, the volume level, the file system level). We provide an open-source tool of our concept, which we call UBI Forensic Toolkit (UBIFT). In contrast to previous work, UBIFT is able to parse file system structures like the directory tree or the UBIFS journal to recover deleted files including the respective metadata. We show the usefulness of UBIFT by a twofold evaluation: we first apply our tool to a publicly available Internet camera flash dump to perform a forensically sound analysis of the flash device. 
Our second evaluation comprises both a methodology for creating adaptable flash dumps in general and the comparison of our tool to competitors with similar functionality on the basis of self-generated flash dumps. Finally, we address the usability aspect of UBIFT by providing an Autopsy plugin of our tool.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"48 ","pages":"Article 301689"},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002081/pdfft?md5=94fb7d24e3801fa777ccdbe6cc547b38&pid=1-s2.0-S2666281723002081-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133962","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
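The abstract describes UBIFT as layered like The Sleuth Kit: storage device, volume, file system. The lowest two layers are where raw-flash forensics differs from block devices, and the following added example (not the UBIFT tool, whose source is not on this page) shows what that layer looks like: parsing the UBI erase-counter (EC) and volume-ID (VID) headers from a raw dump, checking their CRCs, and building the logical-to-physical eraseblock map, including the case where two PEBs claim the same LEB after an interrupted wear-levelling move. The header layouts and CRC convention are those of the Linux UBI on-flash format (drivers/mtd/ubi/ubi-media.h); the dump, its 1 KiB PEB size and its offsets are constructed here so the example runs in memory.

```python
"""Parse the UBI layer of a raw NAND dump: EC/VID headers and the LEB-to-PEB map.

Added example for the "storage device" and "volume" layers; not the UBIFT
tool. Layouts follow the Linux UBI on-flash format (ubi-media.h): a 64-byte
EC header at offset 0 of each physical eraseblock (PEB) and a 64-byte VID
header at vid_hdr_offset, each ending in a CRC32 computed the kernel way
(crc32_le, seed 0xFFFFFFFF, no final inversion). The dump is constructed with
a 1 KiB PEB; real NAND PEBs are 64 KiB+ with page-aligned VID/data offsets.
"""
import struct
import zlib

EC_MAGIC, VID_MAGIC = b"UBI#", b"UBI!"
UBI_VID_DYNAMIC = 1
# magic, version, pad, ec, vid_hdr_offset, data_offset, image_seq, pad, hdr_crc
EC_HDR = struct.Struct(">4sB3sQIII32sI")
# magic, version, vol_type, copy_flag, compat, vol_id, lnum, pad, data_size,
# used_ebs, data_pad, data_crc, pad, sqnum, pad, hdr_crc
VID_HDR = struct.Struct(">4sBBBBIIIIIIIIQ12sI")
assert EC_HDR.size == VID_HDR.size == 64


def ubi_crc32(buf: bytes) -> int:
    """Linux crc32(UBI_CRC32_INIT, buf): zlib's CRC32 without the final XOR."""
    return zlib.crc32(buf) ^ 0xFFFFFFFF


def parse_ec(peb: bytes) -> dict:
    magic, _ver, _, ec, vid_off, data_off, image_seq, _, crc = EC_HDR.unpack_from(peb, 0)
    if magic != EC_MAGIC:
        raise ValueError("no EC header")
    if ubi_crc32(peb[:60]) != crc:
        raise ValueError("EC header CRC mismatch")
    return {"ec": ec, "vid_hdr_offset": vid_off, "data_offset": data_off, "image_seq": image_seq}


def parse_vid(peb: bytes, offset: int):
    """Return VID header fields, or None when the slot is erased (free PEB)."""
    raw = peb[offset:offset + 64]
    if raw == b"\xff" * 64:
        return None
    f = VID_HDR.unpack_from(raw)
    if f[0] != VID_MAGIC:
        raise ValueError("no VID header")
    if ubi_crc32(raw[:60]) != f[15]:
        raise ValueError("VID header CRC mismatch")
    return {"vol_type": f[2], "vol_id": f[5], "lnum": f[6], "data_size": f[8], "sqnum": f[13]}


def scan_image(img: bytes, peb_size: int):
    """Walk every PEB; return (leb_map, free_pebs, bad_pebs).

    leb_map: (vol_id, lnum) -> {"peb", "data_offset", "vid"}. When two PEBs claim
    the same LEB (interrupted wear-levelling move), the higher sequence number
    wins, as UBI's own attach-time scan decides."""
    leb_map, free, bad = {}, [], []
    for peb in range(len(img) // peb_size):
        blob = img[peb * peb_size:(peb + 1) * peb_size]
        try:
            ec = parse_ec(blob)
            vid = parse_vid(blob, ec["vid_hdr_offset"])
        except ValueError as err:
            bad.append((peb, str(err)))
            continue
        if vid is None:
            free.append(peb)
            continue
        key = (vid["vol_id"], vid["lnum"])
        if key not in leb_map or vid["sqnum"] > leb_map[key]["vid"]["sqnum"]:
            leb_map[key] = {"peb": peb, "data_offset": ec["data_offset"], "vid": vid}
    return leb_map, free, bad


def read_leb(img: bytes, entry: dict, peb_size: int) -> bytes:
    start = entry["peb"] * peb_size + entry["data_offset"]
    return img[start:start + entry["vid"]["data_size"]]


# --- constructed sample dump (hypothetical geometry) --------------------------
PEB_SIZE, VID_OFF, DATA_OFF = 1024, 64, 128


def make_peb(vol_id=None, lnum=0, sqnum=0, data=b"", ec=1):
    peb = bytearray(b"\xff" * PEB_SIZE)
    body = EC_HDR.pack(EC_MAGIC, 1, b"\0" * 3, ec, VID_OFF, DATA_OFF, 0x1234, b"\0" * 32, 0)[:60]
    peb[0:64] = body + struct.pack(">I", ubi_crc32(body))
    if vol_id is not None:   # mapped PEB: VID header plus payload
        # data_size is filled here so read_leb knows the payload length; on a real
        # dynamic volume it is only meaningful when copy_flag is set (simplification)
        body = VID_HDR.pack(VID_MAGIC, 1, UBI_VID_DYNAMIC, 0, 0, vol_id, lnum, 0, len(data),
                            0, 0, ubi_crc32(data), 0, sqnum, b"\0" * 12, 0)[:60]
        peb[VID_OFF:VID_OFF + 64] = body + struct.pack(">I", ubi_crc32(body))
        peb[DATA_OFF:DATA_OFF + len(data)] = data
    return bytes(peb)


def build_sample_image() -> bytes:
    """PEB0: vol0 LEB0; PEB1: stale LEB1; PEB2: newer LEB1; PEB3: free; PEB4: corrupted."""
    corrupt = bytearray(make_peb(0, 2, sqnum=13, data=b"log"))
    corrupt[8] ^= 0xFF   # flip a byte of the erase counter so the EC CRC fails
    return b"".join([make_peb(0, 0, sqnum=10, data=b"superblock (constructed)"),
                     make_peb(0, 1, sqnum=11, data=b"old master node"),
                     make_peb(0, 1, sqnum=12, data=b"new master node"),
                     make_peb(), bytes(corrupt)])


if __name__ == "__main__":
    img = build_sample_image()
    leb_map, free, bad = scan_image(img, PEB_SIZE)
    for key, entry in sorted(leb_map.items()):
        print(key, "-> PEB", entry["peb"], read_leb(img, entry, PEB_SIZE))
    print("free:", free, "bad:", bad)
```

Two points matter for a forensically sound read. First, the loser of a sequence-number tie (PEB1 above) is not garbage: it is an older copy of the same logical block and may hold data the file system has since overwritten, which is exactly the kind of residue a deleted-file recovery at the UBIFS layer can draw on. Second, a PEB with a bad EC or VID CRC should be recorded, not skipped silently; on real NAND the dump must also be taken with the out-of-band area handled consistently (either stripped or included at a known page size) or every header will fail its CRC.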
Grand theft API: A forensic analysis of vehicle cloud data
IF 2.0, CAS Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/j.fsidi.2023.301691
Simon Ebbers , Stefan Gense , Mouad Bakkouch , Felix Freiling , Sebastian Schinzel

Modern vehicles such as cars, trucks and motorcycles contain an increasing number of embedded computers that continuously exchange telemetry data like current mileage, tire pressure, expected range and geolocation with the manufacturer's cloud. Vehicle owners can access this data via Vehicle Assistant Apps (VAA). Naturally, this data is of increasing interest to law enforcement in criminal investigations. While manufacturers must comply with local laws requiring them to hand over the data of suspects upon the issuance of a warrant, this process can be time-consuming and cause an additional delay in a case. Making use of novel API-based access methods in cloud forensic investigations, we present a method to get permanent access to a vehicle's cloud data by directly accessing cloud servers given suspects' credentials. We analysed a set of 23 different VAAs and pointed out the potentially accessible data categories. With our proof of concept tool gta.py in combination with six provided vehicles from BMW, Dacia, Ford, Hyundai, Mercedes and Tesla, we verified the accessibility of the data categories. Our findings demonstrate that the API-based forensic acquisition and analysis of vehicle cloud data provides important insights to be considered in future digital forensic investigations of vehicles.

{"title":"Grand theft API: A forensic analysis of vehicle cloud data","authors":"Simon Ebbers ,&nbsp;Stefan Gense ,&nbsp;Mouad Bakkouch ,&nbsp;Felix Freiling ,&nbsp;Sebastian Schinzel","doi":"10.1016/j.fsidi.2023.301691","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301691","url":null,"abstract":"<div><p>Modern vehicles such as cars, trucks and motorcycles contain an increasing number of embedded computers that continuously exchange telemetry data like current mileage, tire pressure, expected range and geolocation to the manufacturer's cloud. Vehicle owners can access this data via Vehicle Assistant Apps (VAA). Naturally, this data is of increasing interest to law enforcement in criminal investigations. While manufacturers must comply with local laws requiring them to hand over the data of suspects upon the issuance of a warrant, this process can be time-consuming and cause an additional delay in a case. Making use of novel API-based access methods in cloud forensic investigations, we present a method to get permanent access to a vehicle's cloud data by directly accessing cloud servers given suspects' credentials. We analysed a set of 23 different VAAs and pointed out the potentially accessible data categories. With our proof of concept tool <span>gta.py</span> in combination with six provided vehicles from BMW, Dacia, Ford, Hyundai, Mercedes and Tesla, we verified the accessibility of the data categories. 
Our findings demonstrate that the API-based forensic acquisition and analysis of vehicle cloud data provides important insights to be considered in future digital forensic investigations of vehicles.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"48 ","pages":"Article 301691"},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S266628172300210X/pdfft?md5=8e1636b6793dec184feeca7cf3b0ff1b&pid=1-s2.0-S266628172300210X-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133964","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
DFRWS APAC 2024 Brisbane
IF 2, Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/S2666-2817(24)00017-9
Citations: 0
An abstract model for digital forensic analysis tools - A foundation for systematic error mitigation analysis
IF 2, Zone 4 (Medicine), Pub Date: 2024-03-01, DOI: 10.1016/j.fsidi.2023.301679
Christopher Hargreaves, Alex Nelson, Eoghan Casey

As automation within digital forensic tools becomes more advanced there is a need for a systematic approach to ensure the validity, reliability, and standardization of digital forensic results. This paper argues for intermediate output in a standardized format within digital forensic tools to allow a methodical approach to tool validation that targets errors at each stage of processing. To achieve this, a detailed process model of digital forensic analysis tools is created, extrapolating the details of the internal processes performed by monolithic forensic tools. The research deconstructs the process flow within tools and presents an ‘abstract digital forensic tool’, revisiting earlier abstraction layer ideas. This not only identifies the interconnected processes within tools but allows discussion of the potential error that could be introduced at each stage, and how it could potentially propagate within a tool. A demonstration, with a dataset, is also included, structurally annotated using Cyber-investigation Analysis Standard Expression (CASE).

Citations: 0
Copyright © 2023 Book学术 All rights reserved.
Beijing Public Network Security Record No. 11010802042870; Beijing ICP Filing No. 2023020795-1