{"title":"Navigating the digital frontier – Key themes in digital forensics","authors":"Zeno Geradts","doi":"10.1016/j.fsidi.2025.301940","DOIUrl":"10.1016/j.fsidi.2025.301940","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301940"},"PeriodicalIF":2.0,"publicationDate":"2025-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144177998","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Digital forensics in law enforcement: A case study of LLM-driven evidence analysis","authors":"Kyung-Jong Kim , Chan-Hwi Lee , So-Eun Bae , Ju-Hyun Choi , Wook Kang","doi":"10.1016/j.fsidi.2025.301939","DOIUrl":"10.1016/j.fsidi.2025.301939","url":null,"abstract":"<div><div>The advent of digital technology and the ubiquity of mobile devices in today's society has led to a significant increase in the importance of mobile forensics in criminal investigations. Responding to the escalating volume and complexity of data due to enhanced smartphone capabilities and pervasive messaging apps, law enforcement agencies face challenges in data analysis. This study explores improving investigative efficiency through LLM-driven analysis of text from mobile messenger communications. We have conducted experiments on anonymized data collected from real crime scenes by employing three state-of-the-art LLM models, namely GPT-4o, Gemini 1.5 and Claude 3.5. The study focuses on optimizing model performance by employing prompt engineering, interpreting expressions embedded with hidden meanings such as slang, and contextually inferring ambiguous word usage. Finally, model performance is quantitatively evaluated using metrics such as precision, recall, F1 score, and hallucination rate.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301939"},"PeriodicalIF":2.0,"publicationDate":"2025-05-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144154363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Argus: A new approach for forensic analysis of apps on mobile devices","authors":"Abdul Boztas, Jeroen De Jong, Christos Hadjigeorghiou","doi":"10.1016/j.fsidi.2025.301938","DOIUrl":"10.1016/j.fsidi.2025.301938","url":null,"abstract":"<div><div>The availability of a multitude of apps on mobile devices offers many investigative opportunities due to the large amount of information on all kinds of activities stored by these apps. On the other hand, it also creates problems because it can be difficult to identify the location of relevant information and to properly interpret the great number of digital traces stored by apps. This is especially true for apps currently not supported by commercial forensic tools. This calls for the development of new tools that can quickly analyse specific applications and identify all files containing important information.</div><div>In this paper, we introduce the Argus tool for dynamically analysing apps on mobile devices. Argus monitors the file system on mobile devices to quickly identify which files have been modified, deleted, or created as a result of actions performed on the device, such as using an app. The Argus tool supports physical iOS and Android devices, as well as Android and iOS emulators.</div><div>The results of Argus experiments are stored locally on the computer conducting the experiment, but Argus also offers the option to publish and share these results in a forensic artifacts reference database called Aardwolf, accessible at https://www.aardwolfproject.eu.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301938"},"PeriodicalIF":2.0,"publicationDate":"2025-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144147941","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Unearthing the hidden path of MANET's nodes with signal strength measurements: Forensics challenges, survey and a novel approach for data collection, preservation and examination","authors":"Omar Ragheb , Mena Safwat , Marianne A. Azer","doi":"10.1016/j.fsidi.2025.301916","DOIUrl":"10.1016/j.fsidi.2025.301916","url":null,"abstract":"<div><div>Mobile Ad hoc Networks (MANETs) are self-configuring networks of mobile devices that communicate with each other without the need for infrastructure. This makes them highly flexible and adaptable to changing environments, making them ideal for applications such as transportation and tactical domains. However, the mobility feature of the network poses new challenges for digital forensics investigators due to their specific characteristics. One challenge is how the investigator can prove the Chain of Custody (COC) in court in this highly volatile network to ensure the integrity of the evidence. This paper studies the forensic challenges in several wireless technologies, including the Internet of Things (IoT), Vehicular Ad-hoc Networks (VANETs), and, especially in Mobile Ad-hoc Networks (MANETs), critically reviews several approaches to cover the challenges, and also proposes a novel digital forensics framework that is built on Fog Computing (FC). Using regular communication signal strength measurements, the proposed framework enables investigators to learn details about nodes' locations over time and mobility characteristics without requiring changes to communication protocols or overwhelming nodes with additional tasks. This can help to ensure the availability and integrity of the digital evidence and its admissibility in court. Additionally, the paper suggests a novel automated detection technique for Hello Flood attacks in ad-hoc networks. The viability of the approach has been demonstrated on a network simulator.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301916"},"PeriodicalIF":2.0,"publicationDate":"2025-05-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144071062","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Infotainment system Forensics: Ford SYNC 3 gen 2 infotainment system as a use case","authors":"Nils Antonson , Darren Quick , Kim-Kwang Raymond Choo","doi":"10.1016/j.fsidi.2025.301917","DOIUrl":"10.1016/j.fsidi.2025.301917","url":null,"abstract":"<div><div>The digital era is ushering in the next generation of motor vehicles supported by dozens of dispersed electronic control units (ECUs) communicating with each other over controller area networks (e.g., CAN bus). Each ECU is responsible for a specific set of functions. For example, built-in cellular modems, typically part of the telecommunication control unit (TCU), are used to call first responders when a crash is detected, but also surreptitiously send back vehicle telematics, and enable convenient features such as remote unlock/lock, remote start, and log the GPS position of the automobile into the cloud. Potentially, every input by the driver is logged and recorded within these ECUs. Indeed, modern automobiles are inadvertently equipped with proverbial black boxes. As a result, a new subdivision of digital forensics to extract and analyze this black box data is emerging. Smart vehicle forensics, also known as digital vehicle forensics (DVF), enables investigators to examine data produced by and stored inside automobiles. The infotainment system typically holds the most valuable data because it contains GPS tracklogs, artifacts left behind from paired mobile devices, and receives data from many other modules within the automobile. Therefore, DVF primarily focuses on the automobile's infotainment system, and specializes in extracting and analyzing stored electronic data. Law enforcement is increasingly becoming aware and making use of this new source of data. It is only a matter of time and budget before DVF investigations become routine and common practice.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301917"},"PeriodicalIF":2.0,"publicationDate":"2025-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143947549","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Leveraging self-supervised learning for scene classification in child sexual abuse imagery","authors":"Pedro H.V. Valois , João Macedo , Leo S.F. Ribeiro , Jefersson A. dos Santos , Sandra Avila","doi":"10.1016/j.fsidi.2025.301918","DOIUrl":"10.1016/j.fsidi.2025.301918","url":null,"abstract":"<div><div>Crime in the 21st century is split into a virtual and real world. However, the former has become a global menace to people's well-being and security in the latter. The challenges it presents must be faced with unified global cooperation, and we must rely more than ever on automated yet trustworthy tools to combat the ever-growing nature of online offenses. Over 10 million child sexual abuse reports are submitted to the US National Center for Missing & Exploited Children every year, and over 80% originate from online sources. Therefore, investigation centers cannot manually process and correctly investigate all imagery. In light of that, reliable automated tools that can securely and efficiently deal with this data are paramount. In this sense, the scene classification task looks for contextual cues in the environment, being able to group and classify child sexual abuse data without requiring to be trained on sensitive material. The scarcity and limitations of working with child sexual abuse images lead to self-supervised learning, a machine-learning methodology that leverages unlabeled data to produce powerful representations that can be more easily transferred to downstream tasks. This work shows that self-supervised deep learning models pre-trained on scene-centric data can reach 71.6% balanced accuracy on our indoor scene classification task and, on average, 2.2 percentage points better performance than a fully supervised version. We cooperate with Brazilian Federal Police experts to evaluate our indoor classification model on actual child abuse material. The results demonstrate a notable discrepancy between the features observed in widely used scene datasets and those depicted on sensitive materials.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301918"},"PeriodicalIF":2.0,"publicationDate":"2025-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143947548","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Data hiding in symbolic link slack space","authors":"Fergus Toolan, Georgina Humphries","doi":"10.1016/j.fsidi.2025.301919","DOIUrl":"10.1016/j.fsidi.2025.301919","url":null,"abstract":"<div><div>Recent research has begun to focus on data hiding in file systems, however, much of this is focused on individual file systems such as ext, NTFS and XFS. This paper examines an exploitation of symbolic link storage methods to manufacture slack space which can be used for hiding information in file systems. Many modern file systems, including ext, XFS, BtrFS, HFS+, APFS and NTFS support symbolic links at the file system level. This paper investigates these structures in the various file systems and determines if the symbolic links can be used to create slack space, and if so determines their effectiveness in hiding data from users, system administrators and forensic analysts.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301919"},"PeriodicalIF":2.0,"publicationDate":"2025-05-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143936684","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Towards reliable data in the scope of unmanned aircraft systems","authors":"Karolin Lohre , Harald Baier , Lukas Hardi , Andreas Attenberger","doi":"10.1016/j.fsidi.2025.301914","DOIUrl":"10.1016/j.fsidi.2025.301914","url":null,"abstract":"<div><div>The goal of a digital forensic examination is to answer legal questions in the scope of IT systems. In order to come up with accurate answers, the data of the IT system at hand needs to be reliable. While the processing of digital traces of classical operating systems like Windows and its corresponding applications is well understood (especially with respect to the reliability of traces), emerging technologies often lack such an understanding of the trustworthiness of the examined data. In this work, we address the reliability of data in the scope of Unmanned Aircraft System (UAS). Although systems like UAS have become popular in various fields of application, digital forensic scientists and investigators currently lack an understanding of how to assess the correctness of UAS information, especially in the scope of Do-It-Yourself drone forensics. We shed light on common challenges when working with UAS data. Our main contribution is the introduction, explanation, and discussion of a conceptual framework to rate the reliability of UAS data. Our framework is based on three different categories representing three different levels of knowledge about the state of the UAS.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301914"},"PeriodicalIF":2.0,"publicationDate":"2025-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143882128","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Formulating propositions in Trojan horse defense cases","authors":"M. Vink , R. Schramp , C.E.H. Berger , M.J. Sjerps","doi":"10.1016/j.fsidi.2025.301915","DOIUrl":"10.1016/j.fsidi.2025.301915","url":null,"abstract":"<div><div>This paper demonstrates how to formulate relevant sets of propositions in cases involving alleged possession of illegal content on electronic devices. The primary purpose of exploring how to formulate propositions is to enable a balanced and transparent evaluation of digital evidence, ideally using a likelihood ratio (LR). We present five categories explaining how illegal material can appear on electronic devices, including intentional and unintentional activities by suspects, other individuals, or automated processes (the “Trojan horse defense”). We review existing guidelines on formulating propositions developed for physical evidence and show how each explanation category can be properly formulated into propositions. Our findings indicate that the digital forensic domain can benefit from established principles for evaluating physical evidence. We also observe aspects that are more specific to digital forensic science where observations need to be evaluated in cases where intent is disputed, which can lead to propositions that address whether activities were carried out knowingly or unknowingly. By providing guidance on formulating relevant propositions, this research aims to contribute to the broader implementation of evaluative practices in digital forensic science.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301915"},"PeriodicalIF":2.0,"publicationDate":"2025-04-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143878936","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Horodocs: A scalable, sustainable, robust and privacy compliant system to securely timestamp digital evidence and documents","authors":"David-Olivier Jaquet-Chiffelle , Ludovic Pfeiffer , Lionel Brocard , Emmanuel Benoist , Noria Foukia","doi":"10.1016/j.fsidi.2025.301913","DOIUrl":"10.1016/j.fsidi.2025.301913","url":null,"abstract":"<div><div>Human activities produce more and more digital traces. Criminal activities are no exception: criminals often operate on computers, carry mobile phones, use GPS devices, or are recorded by surveillance cameras. Moreover, analyses of analog traces can produce results in a digital form. As digital information (evidence or results) becomes highly relevant in today's investigations, there is a pressing need for a trustworthy way to strengthen the chain of custody for digital content, especially its integrity component.</div><div>The Horodocs timestamping system responds to the need for a scalable, robust, trustworthy, independently verifiable, chronological ledger preventing backdating and enabling integrity verification of a digital file.</div><div>In order to make the system scalable and limit costs, submitted file hash values are grouped together into a local, temporary Merkle tree, called the Horodocs tree; this tree is discarded after its root value has been used to record both a derived identifier and an encrypted random control value on the Ethereum blockchain.<span><span><sup>1</sup></span></span> The main innovation resides in the way information about the Horodocs tree is provided to each participant having requested a timestamp during the lifespan of this tree. Each submitter gets a receipt with enough information to verify the timestamp for the hash values that were submitted to the Horodocs system: the receipt is only valid for the hash values of the original file and allows one to recalculate the root value of the corresponding discarded Horodocs tree independently. The root value is required to find the record in the Ethereum blockchain and to recover and decrypt the stored random control value to validate the date and time of the timestamp.</div><div>Throughout its conception, the Horodocs system has been developed with a concern for strong robustness against backdating, privacy-by-design, transparency, usability, scalability, sustainability, automation, as well as cost and energy savings.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301913"},"PeriodicalIF":2.0,"publicationDate":"2025-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143829696","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}