{"title":"Complex networks-based anomaly detection for financial transactions in anti-money laundering","authors":"Rodrigo Marcel Araujo Oliveira , Angelo Marcio Oliveira Sant’Anna , Paulo Henrique Ferreira","doi":"10.1016/j.fsidi.2025.302005","DOIUrl":"10.1016/j.fsidi.2025.302005","url":null,"abstract":"<div><div>Money laundering is a global threat that undermines the integrity of the financial system and the stability of the world economy. This paper proposes an approach based on complex network techniques to support investigating financial transactions of individuals suspected of money laundering. The study includes analyses for anomaly detection, community detection, density analysis, and cycle identification, aiming to capture complex patterns of interaction among accounts. Anomaly detection was based on a Graph Neural Networks model. The results highlight the model’s effectiveness, as indicated by the Silhouette score and Davies-Bouldin index metrics obtained on the test set, which were 0.83 and 1.59, respectively. This suggests that the groups of anomalous and normal accounts are well represented in terms of similarity and dissimilarity. The study also incorporates various financial indicators, such as moving averages over different time windows of transactions. The K-means algorithm was employed to identify patterns in financial transactions and determine the number of clusters. Correspondence Analysis was applied to establish similarities among the transactional profiles of the investigated individuals. 
The findings are relevant to the investigative process, providing analytical support for monitoring and prioritizing cases and identifying potential transactional patterns and groups of individuals possibly involved in illicit activities, such as drug trafficking, fraud, and scams.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"55 ","pages":"Article 302005"},"PeriodicalIF":2.2,"publicationDate":"2025-10-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145267233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AI-driven dataset creation in mobile forensics using LLM-based storyboards","authors":"Dirk Pawlaszczyk , Philipp Engler , Ronny Bodach , Christian Hummert , Margaux Michel , Ralf Zimmermann","doi":"10.1016/j.fsidi.2025.302002","DOIUrl":"10.1016/j.fsidi.2025.302002","url":null,"abstract":"<div><div>The generation of datasets is essential for training and validation tasks in digital forensics. Currently, the processes of data generation and provisioning are mainly performed manually. In the field of mobile forensics, there are only a limited number of tools available that aid in populating and injecting data into mobile devices. In this paper, we introduce a novel method for automatic data generation using an AI-driven approach. We present a comprehensive toolchain for dataset creation, focusing on developing a dynamic model (storyboard) with the assistance of large language model (LLM) agents. The generated sequences of activities are then automatically executed on mobile devices. Our proposed approach has been successfully implemented within the data creation and injection framework called AutoPodMobile (APM) as part of a proof-of-concept study. For data generated through AI methods, a validation is presented as well. The paper ends with a brief discussion of the results and the next steps planned.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"55 ","pages":"Article 302002"},"PeriodicalIF":2.2,"publicationDate":"2025-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145220644","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AKF: A modern synthesis framework for building datasets in digital forensics","authors":"Lloyd Gonzales , Nancy LaTourrette, Bill Doherty","doi":"10.1016/j.fsidi.2025.302004","DOIUrl":"10.1016/j.fsidi.2025.302004","url":null,"abstract":"<div><div>The forensic community depends on datasets containing disk images, network captures, and other forensic artifacts for education and research. These datasets must be reflective of the artifacts that real-world analysts encounter, which can evolve rapidly as new software is released. Additionally, these datasets must be free of sensitive data that would limit their distribution. To address the issues of relevance and sensitivity, many researchers and educators develop datasets by hand. While this approach is viable, it is time-consuming and rarely produces datasets that are fully reflective of real-world conditions. As a result, there is ongoing research into forensic synthesizers, which simplify the process of creating complex datasets that are free of legal and logistical concerns.</div><div>This work introduces the automated kinetic framework (AKF), a modular synthesizer for creating and interacting with virtualized environments to simulate human activity. AKF makes significant improvements to the approaches and implementations of prior synthesizers used to generate forensic artifacts. AKF also improves the process of documenting these datasets by leveraging the CASE standard to provide human- and machine-readable reporting. Finally, AKF offers several options for using these features to build and document datasets, including a custom scripting language. 
These contributions aim to streamline the development of forensic datasets and ensure the long-term usefulness of AKF-generated datasets and the framework as a whole.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"55 ","pages":"Article 302004"},"PeriodicalIF":2.2,"publicationDate":"2025-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145220647","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Drone forensics in law enforcement: Assessing utilisation, challenges, and emerging necessities","authors":"Ranul Deelaka Thantilage , Gerry Buttner , Ray Genoe","doi":"10.1016/j.fsidi.2025.302003","DOIUrl":"10.1016/j.fsidi.2025.302003","url":null,"abstract":"<div><div>The proliferation of drone technology has introduced new challenges and opportunities for law enforcement, necessitating the development of drone forensics as a specialised field within digital forensics. This survey paper explores the critical role of drone forensics in modern policing, focusing on its applications in investigating crimes involving unmanned aerial vehicles (UAVs) and addressing emerging security threats. This paper examines the tools, data extraction methods, and operational practices employed in drone forensic investigations, with particular attention to cases of unauthorised surveillance, smuggling, and cyber-attacks. Furthermore, this study discusses the technical, legal, and ethical challenges associated with drone forensics, including encryption, anti-forensic techniques, proprietary software, and privacy concerns. Through a synthesis of current practices, technological advancements, and relevant case studies, this survey provides insights into the effectiveness, limitations, and evolving needs of drone forensics. Recommendations are offered to enhance law enforcement capabilities, emphasising the importance of continuous training, standardised protocols, and collaboration across agencies. 
This survey paper aims to support policymakers, law enforcement agencies, and forensic practitioners in integrating drone forensics as a versatile and effective approach for safeguarding public safety and ensuring justice in an increasingly drone-integrated world.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"55 ","pages":"Article 302003"},"PeriodicalIF":2.2,"publicationDate":"2025-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145220646","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An effective automotive forensic technique utilizing various logs of Android-based In-vehicle infotainment systems","authors":"Sunjae Kim , Jeehun Jung , Haein Kang , Yejin Yoon , Seong-je Cho , Minkyu Park , Sangchul Han","doi":"10.1016/j.fsidi.2025.301990","DOIUrl":"10.1016/j.fsidi.2025.301990","url":null,"abstract":"<div><div>Android-based In-vehicle infotainment (IVI) systems generate log message containing valuable forensic artifacts from interactions with internal or external devices. These log messages can help in vehicle accidents or criminal investigations; however, there is limited knowledge of the stored information and the methods of accessing them. In addition, digital forensic analysis of the Android-based IVI systems is not supported by the popular forensic tool, Berla's iVe. To address this, we first acquire multiple types of logs from three Jellybean-based systems (2017-2019) and two KitKat-based IVI systems (2022-2023) using a practical and non-invasive method, and then perform a comprehensive and comparative analysis of the logging mechanisms in the IVI systems. We then examine volatile and nonvolatile log data acquired from the IVI systems from the perspective of vehicle forensics. Jellybean-based systems maintain seven ring buffers for volatile logs, while KitKat-based systems use five. Volatile logs are erased when the system is powered off. Both versions of the Android systems store nonvolatile log files of seven different types, with data retained for up to a year. We conducted a thorough analysis of the acquired logs, uncovering artifacts related to navigation use, radio listening, engine start/stop, door access, seat belt use, and Bluetooth connections, including phone calls and SMS messages. In addition, we compare the artifacts identified within those IVI systems. 
Finally, our analysis creates a timeline to track driver behavior, and provides critical insights into driver actions and vehicle events.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"55 ","pages":"Article 301990"},"PeriodicalIF":2.2,"publicationDate":"2025-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144922521","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Research on smartphone image source identification based on PRNU features collected multivariate sampling strategy","authors":"Fu-Yuan Liang, Shu-Hui Gao, Liang-Ju Xu","doi":"10.1016/j.fsidi.2025.301991","DOIUrl":"10.1016/j.fsidi.2025.301991","url":null,"abstract":"<div><div>Photo Response Non-Uniformity (PRNU)-based image source attribution is one of the core methods for identifying the imaging device of a given picture, and has significant applications in the field of digital media forensics. However, with the increasing complexity of smartphone imaging systems, PRNU features extracted from smartphone images exhibit greater instability compared to those from traditional cameras. This instability can lead to performance degradation in conventional single-sample extraction strategies when applied to smartphone image source attribution. To address this challenge, this paper proposes a robust multi-sample enhancement scheme. To verify its generalizability, we employ both a non–data-driven wavelet-domain decomposition algorithm and a deep U-shaped residual neural network (DRUNet) as noise extractors, and conduct experiments on the FODB dataset. Experimental results demonstrate that the proposed multi-sample framework exhibits superior performance in improving feature stability, providing a new technical pathway for digital image source attribution in smart terminal devices. 
Furthermore, we perform PCE distribution statistics on positive and negative samples in the dataset and quantitatively analyze the regional instability of PRNU features.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301991"},"PeriodicalIF":2.2,"publicationDate":"2025-08-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144896324","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tool type identification for forensic digital document examination","authors":"Muhammad Abdul Moiz Zia, Oluwasola Mary Adedayo","doi":"10.1016/j.fsidi.2025.301972","DOIUrl":"10.1016/j.fsidi.2025.301972","url":null,"abstract":"<div><div>Digital documents have become a significant part of our everyday lives. From identity documents to various legal agreements and business communications, the ability to determine the authenticity and origin of different types of documents is incredibly important. In the physical domain, this need is addressed by forensic document examiners. Although many of the analysis methods used in the physical domain do not apply in the digital realm, the forensic analysis processes in both realms still address similar objectives. In this paper, we focus on the objective of identifying the tool that created a digital document to support answering questions about the origin of a document. In contrast to many existing works on the forensic analysis of digital documents which focus on file type identification, this paper focuses on identifying the tool that is used to create a document. This is particularly relevant for forensic digital document examination (FDDE). The paper explores the use of different machine learning algorithms to analyze PDF documents to determine the tool that created the document. Given that traditional methods for digital document analysis often rely on metadata and visible content that can be tampered with, we used a structural analysis approach that builds on methods that have previously been used for file type identification. We explored the use of byte histograms and entropy measurements in developing models capable of identifying the specific software used to create PDF documents using several machine learning models. Our results showed that Convolutional Neural Networks (CNNs) outperformed other models. 
In further experiments, we explored the use of the same approach to identify the version of a specific tool used to create a document and alternative ways of creating PDFs from a tool. Our results confirm the feasibility of this approach for digital document tool type identification with a high level of accuracy.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301972"},"PeriodicalIF":2.2,"publicationDate":"2025-08-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144766757","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Digital forensic approaches to Intel and AMD firmware RAID systems","authors":"Woosung Yun , Jeuk Kang , Sangjin Lee, Jungheum Park","doi":"10.1016/j.fsidi.2025.301971","DOIUrl":"10.1016/j.fsidi.2025.301971","url":null,"abstract":"<div><div>In recent years, as the amount of data that individuals deal with has increased, CPU manufacturers (Intel and AMD) have developed RAID systems that are readily available on desktop PCs. This is referred to as firmware RAID. In contrast to RAID systems on servers and network-attached storage (NAS) devices, which require a relatively complex configuration process, firmware RAID is relatively straightforward and easy to set up via the basic input/output system (BIOS). Intel supports this technology on the majority of its motherboards, with the exception of a few minor models released since 2020, under the name of Intel Rapid Storage Technology (IRST). Similarly, AMD has provided for this technology to all motherboard chipsets released since 2017 under the name of RAIDXpert. From the perspective of digital forensics, a disk with a firmware RAID is recognized by the operating system as a single physical disk and is typically connected to the motherboard without any additional devices. Consequently, during a digital forensics investigation, investigators barely recognize its application, and, as a result, a significant amount of data could be omitted without intention, or could be lost through simple anti-forensic behavior by a malicious user. At present, there are no publicly available techniques for identifying or reconstructing disks in a firmware RAID system, despite the fact that this system is available on nearly every desktop PC. In this paper, we present an analysis of the operational patterns and structures of firmware RAID supported by Intel and AMD. 
Our approach has led to the development of <em>X-raid</em>, a digital forensic tool capable of identifying firmware-based volumes within a system and reconstructing normal or deleted virtual disks. Furthermore, we propose a methodological digital forensic framework for investigating computer systems with considerations of firmware RAID.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301971"},"PeriodicalIF":2.0,"publicationDate":"2025-07-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144569858","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploiting database storage for data exfiltration","authors":"James Wagner , Alexander Rasin , Vassil Roussev","doi":"10.1016/j.fsidi.2025.301934","DOIUrl":"10.1016/j.fsidi.2025.301934","url":null,"abstract":"<div><div>Steganography is a technique for hiding messages in plain sight – typically by embedding the message within commonly shared files (e.g., images or video) or within file system slack space. Database management systems (DBMSes) are the de facto centralized data repositories for both personal and business use. As ubiquitous repositories that already offer shared data access to many different users, DBMSes have the potential to be a powerful channel to discretely deliver messages through steganography.</div><div>In this paper we present a method, Hidden Database Records (<span>HiDR</span>), that adapts steganography techniques to all relational row-store DBMSes. <span>HiDR</span> is particularly effective for hiding data within a DBMS because it adds data to the database state without leaving an audit trail in the DBMS (i.e., without executing SQL commands that may be logged and traced to the sender). While sending a message in this way requires administrative privileges from the sender, it also offers them much more control enabling the sender to erase the original message just as easily as it was created. 
We demonstrate how <span>HiDR</span> keeps data from being unintentionally discovered but at the same time makes that data easy to access using SQL queries from a non-privileged account.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301934"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144748997","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Uncovering linux desktop espionage","authors":"Lukas Schmidt , Sebastian Strasda , Sebastian Schinzel","doi":"10.1016/j.fsidi.2025.301921","DOIUrl":"10.1016/j.fsidi.2025.301921","url":null,"abstract":"<div><div>The increasing adoption of Linux-based desktop systems in various sectors, including critical infrastructures and personal use, has made them an attractive target for Advanced Persistent Threat (APT) groups and state actors. Yet, the espionage capabilities of Linux desktop malware and the forensic strategies for uncovering them remain largely unexamined. This paper addresses this gap by analyzing ten malware families that target the Linux desktop environment, studying the utilized espionage techniques, and introducing novel approaches to detect them using memory forensics.</div><div>Facing the multitude of espionage attack implementations that result from the diverse Linux desktop ecosystem, we propose to reduce the complexity of memory forensic investigations by focusing on the analysis of targeted core services. We evaluate our approach by implementing proof-of-concept Volatility plugins for identification of keylogging, screen capturing as well as camera and microphone recording malware, and prove their effectiveness by performing forensic analyses of real-world espionage techniques that were utilized during APT campaigns. 
Our evaluation shows that memory forensics is effective in uncovering Linux espionage attacks, and we are confident that our study provides valuable insights for future research and practical analysis of these threats.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301921"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749085","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}