{"title":"Residual forensic indicators of file exfiltration in windows preinstallation environment","authors":"Jingue Lee , Jiyun Kim , Doowon Jeong","doi":"10.1016/j.fsidi.2026.302068","DOIUrl":"10.1016/j.fsidi.2026.302068","url":null,"abstract":"<div><div>File exfiltration conducted through bypass boot environments, such as the Windows Preinstallation Environment (Windows PE), poses a serious challenge to forensic investigations. Because endpoint security agents and logging mechanisms remain inactive, conventional artifacts of file access are absent. This study investigates the feasibility of using the NTFS $STANDARD_INFORMATION Accessed Time ($SI Atime) as a residual forensic indicator for detecting exfiltration events in Windows PE. Through controlled experiments, we analyze $SI Atime updates during file copy operations, examine their persistence under varying system conditions, and evaluate their evidentiary reliability over time. Our findings show that $SI Atime can reveal PE-based file access patterns in over two-thirds of cases, though reliability diminishes with prolonged use. To enhance robustness, we integrate Atime analysis with complementary artifacts, such as UEFI NVAR variables indicating abnormal boot order changes. This combined approach enables the reconstruction of exfiltration timelines even in the absence of logs or telemetry. The results highlight the potential of $SI Atime as a valuable residual artifact for detecting file exfiltration in bypass boot environments, offering investigators a methodological basis for addressing scenarios where traditional forensic sources are unavailable.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302068"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146077997","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Uncovering the impact of SNS processing on device source authentication: A comprehensive optimization approach","authors":"Zhu Ningxian","doi":"10.1016/j.fsidi.2026.302072","DOIUrl":"10.1016/j.fsidi.2026.302072","url":null,"abstract":"<div><div>In zero_shot device source authentication, Social Network Service (SNS) processing induces severe feature homogenization, masking device-specific fingerprints and triggering a “false confidence” paradox. This is a difficult problem, and despite active studies in recent years, it remains a great challenge. We propose a device-aware forensics framework, which integrates multimodal feature fusion, dual-verification, and a three-component optimization suite: test-time style normalization, mild transfer learning, and advanced confidence calibration. Experiments show our method elevates the camera device detection rate from a baseline of 17% to 94.0% (mean, validated over 10 independent runs), with an average confidence of 0.825 and an Expected Calibration Error (ECE) of 0.197. We reveal a trade-off between detection rate and calibration reliability, validating a “performance first, then calibration repair” optimization path. This work offers insights for building test-time adaptive and high-reliability forensic systems.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302072"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395552","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ex Machina: A forensic evaluation of AI companion applications and their evidentiary value","authors":"Kendall J. Comeaux , Trevor T. Spinosa , Ali Ghosn , Ibrahim Baggili","doi":"10.1016/j.fsidi.2026.302050","DOIUrl":"10.1016/j.fsidi.2026.302050","url":null,"abstract":"<div><div>Artificial intelligence (AI) companion applications have emerged as a new class of conversational systems that blur the line between entertainment, intimacy, and sensitive personal data collection. Their rapid adoption and reliance on opaque cloud infrastructures create novel challenges for digital forensics, yet systematic analysis of these platforms has been limited in both academic and practitioner communities. In this paper, we present a cross-application forensic study of leading AI companion applications, combining device acquisition, network interception, and file system analysis within a rooted Android emulator to ensure reproducibility. We developed custom tools to extract and correlate artifacts such as plain-text conversation logs, authentication tokens, profile data, and hidden API calls. We also characterized third-party tracking, session management, and basic encryption, enabling automated forensic user-profile generation. Our evaluation across six applications, representing over 25 million combined downloads, reveals that sensitive user information is often retained locally, transmitted via undocumented APIs, and inconsistently protected by safeguard mechanisms, with cross-app identifiers sometimes enabling correlation of user activity. These findings demonstrate both the evidentiary potential and the privacy risks of AI companions. They offer initial guidance for evidence preservation and lawful access, while laying the groundwork for standardized forensic methodologies in this emerging domain.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302050"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554544","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Mapping the Tor darkmarket ecosystem: A network analysis of topics, communication channels, and languages","authors":"Luis de-Marcos , Adrián Domínguez-Díaz , Zlatko Stapic","doi":"10.1016/j.fsidi.2025.302032","DOIUrl":"10.1016/j.fsidi.2025.302032","url":null,"abstract":"<div><div>The Tor darkmarket ecosystem, a hidden segment of the internet hosting a range of illicit activities, remains a critical challenge for cybersecurity and law enforcement. This study employs network analysis to explore the structure, connectivity, and vulnerabilities of Tor hidden services, focusing on the interplay of topics, communication channels, and languages. Using a bipartite network framework, we analyzed 82,285 onion services and 57,071 identification forms (IDs) collected over a 20-week period. Our findings reveal hacking as the dominant topic (57,233 services), followed by finance-crypto (17,900 services), with email (43,298 IDs) and Telegram (11,218 IDs) serving as primary communication channels. Linguistically, Russian prevails in hacking (50,852 services), while English dominates other topics (29,762 services), with Portuguese activity notable in Q&A forums (781 services). Network metrics and visualizations highlight structural contrasts: hacking's expansive, collaborative structure (high diameter, long average path length) contrasts with finance-crypto's compact, centralized network (high density, low path length), reliant on just four IDs to link its services. High-degree nodes underscore vulnerabilities to targeted disruptions. The overall network's fragmentation (1848 components) alongside a large dominant component (76.72 %) suggests both resilience and exploitable interconnectedness. These insights provide a comprehensive understanding of the Tor darkmarket's organization, identifying key leverage points for intervention. By bridging gaps in topical, linguistic, and structural analyses, this study offers actionable strategies for law enforcement to investigate and mitigate illicit activities on the Dark Web, demonstrating the power of network science in addressing cybercrime.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302032"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145685824","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic analysis of the infotainment system of BMW vehicles","authors":"Ricardo Marques , Patricio Domingues , Miguel Frade , Miguel Negrão","doi":"10.1016/j.fsidi.2026.302066","DOIUrl":"10.1016/j.fsidi.2026.302066","url":null,"abstract":"<div><div>The automotive industry is undergoing a significant transformation driven by digitization. Modern cars are transitioning to digital and are now sophisticated computers on wheels. This digital revolution is driven by the integration of various computerized systems. One of the most noticeable systems, at least for drivers and occupants, is the In-Vehicle Infotainment (IVI) system. This system offers features such as radio, music playback and streaming, navigation, hands-free calling, and, in some cases, smartphone and internet connectivity. Data generated from user interactions with the vehicle information system can be valuable for digital forensics, providing artifacts such as call logs, contacts, GPS location history, and diagnostic data. However, acquiring and analyzing these data is challenging, as there are no universal standards for IVI systems. In this paper, we study the infotainment systems of four BMW vehicles from a digital forensic perspective. Specifically, we focus on two Computer-in-Car (CIC) BMW 3 Series systems, one from 2010 and another from 2012. We also analyze the Next Big Thing Evolution (NBT EVO) systems of two 2017’s BMWs, a 5 Series and a 7 Series. For this purpose, data from the infotainment hard disks were acquired and forensically analyzed. To overcome the lack of specific open-source tools to process these datasets, we developed two modules for the well-known Autopsy forensic software. The most relevant data recovered from the hard disks of the analyzed infotainment systems include phone call history, text messages, and linked smartphone IDs, such as Bluetooth addresses, International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI). The results indicate that the newer NBT EVO systems have more forensically meaningful data than the older CIC ones.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302066"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146077996","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic readiness for autonomous mobility: The forensic incident recorder and information system concept","authors":"Klara Dološ , Tobias Reichel , Mathias Gerstner , Leo Schiller , Liron Ahmeti , Andreas Attenberger , Victor Bialek , Rudolf Hackenberg , Conrad Meyer , Michael Nicks , Dennis Röck , Mirko Ross , Gerhard Steininger , Hugues Tamatcho Sontia , Svenja Wendler","doi":"10.1016/j.fsidi.2026.302044","DOIUrl":"10.1016/j.fsidi.2026.302044","url":null,"abstract":"<div><div>This paper outlines the essential needs for a forensic incident recorder (FIR) in autonomous vehicles, emphasizing its role in providing comprehensive data for post-incident analysis. The FIR must capture data from various vehicle systems, including onboard sensors, AI decision-making processes, internal diagnostics, V2X communications and cloud-based services, ensuring transparency and accountability. To ensure data integrity, the system must include encryption, tamper detection and redundancy. Furthermore, we introduce the concept of a forensic information system (FIS), an integrated solution for data storage, relevance determination and secure access, incorporating local and cloud-based storage. Triggers for permanent data storage and data upload to the cloud are suggested. Ultimately, the paper aims to highlight the need for comprehensive strategic and operational preparation for forensic investigations in the environment of autonomous, connected mobility.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302044"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146022914","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DFRWS down the Rabbit-Hole: A forensic analysis of the Matrix protocol and Synapse server","authors":"Yikai Wang , Xuepei Zhang , Shufan Wu , Yan Chen","doi":"10.1016/j.fsidi.2026.302049","DOIUrl":"10.1016/j.fsidi.2026.302049","url":null,"abstract":"<div><div>The widespread adoption of end-to-end encrypted messaging platforms presents significant challenges for digital forensic investigations. This paper presents the first comprehensive forensic analysis of Synapse, the official Matrix Homeserver implementation, focusing on server-side artifacts persisting in both database structures and system logs despite end-to-end encryption. Through systematic examination of production deployments, we identify recoverable digital evidence across 175 database tables and structured log entries, including authentication records, communication timelines, device fingerprints, and file transfer metadata. While message content remains cryptographically protected, our analysis demonstrates substantial investigative value in metadata accessible to investigators with lawful server access. We developed SynExtract, a specialized tool that automates extraction and correlation of artifacts from both Synapse databases and log files. Our findings provide practical guidance and a tool for law enforcement personnel conducting forensic examinations of Matrix infrastructure in criminal investigations.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302049"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554636","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ctrl+Alt+Deceit: Policing the Deepfake Dilemma","authors":"Áine MacDermott","doi":"10.1016/j.fsidi.2026.302058","DOIUrl":"10.1016/j.fsidi.2026.302058","url":null,"abstract":"<div><div>In a digital world where “truth” can be rewritten with a few lines of code, <em>Ctrl + Alt + Deceit</em> has become the new normal for forensic practitioners. The rapid growth of deepfake technologies presents a mounting challenge for digital forensics, threatening the integrity and reliability of multimedia evidence. This paper presents findings from a practitioner-focused survey designed to assess the real-world impact of synthetic media on forensic workflows. The study explores the prevalence of deepfake-related cases, regional trends in AI-generated media, and the operational readiness of digital forensic units (DFUs) to respond to these emerging threats. Despite increasing interest in detection technologies, the results reveal a substantial gap between technical capabilities and practical deployment, with many DFUs operating without formal guidance, policy structures, or legislative backing. The paper concludes with a set of best practice recommendations tailored to the unique demands of deepfake forensics, offering insights to support both practitioners and researchers in developing robust, informed approaches to multimedia evidence in the era of synthetic media.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302058"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554549","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Boon or Bane: Source Camera Identification meets AI-generated images","authors":"Samantha Klier, Harald Baier","doi":"10.1016/j.fsidi.2026.302064","DOIUrl":"10.1016/j.fsidi.2026.302064","url":null,"abstract":"<div><div>Linking an image to its origin is a fundamental task in digital forensics often addressed through Source Camera Identification (SCI) based on Sensor Pattern Noise (SPN). However, recent advances in AI-enhanced smartphone photography challenge the reliability of SPN. On the other hand, noise-based identification approaches have been successfully transferred to AI-generated images. Therefore, we investigate whether the noise patterns of AI-generated images interfere with those of modern smartphones and analyze the implications for standard procedures. Our empirical evaluation reveals that the noise in AI-generated images is not predominantly additive, contradicting prior assumptions. Furthermore, we show that fingerprints of AI image generators can identify corresponding images only when the prompted resolution matches. Additionally, the standard PCE threshold leads to high false-positive rates — 61 % for Adobe Firefly Image 4 and 100 % for ChatGPT 5 — when comparing AI images to smartphone fingerprints. We demonstrate that simple center-cropping effectively eliminates these false positives without reducing true-positive identification performance. Our findings highlight the need for updated forensic methodologies due to the influence of software on imaging pipelines.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302064"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554554","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"CPR: Corrupted PDF recovery algorithm for digital forensic investigations","authors":"Seoyoung Kim , Yunji Park , Woobeen Park , Doowon Jeong","doi":"10.1016/j.fsidi.2026.302054","DOIUrl":"10.1016/j.fsidi.2026.302054","url":null,"abstract":"<div><div>As digital documents have become the dominant medium for information exchange, PDF has emerged as a standard format and a crucial source of evidence in digital forensic investigations. However, PDFs are internally organized as reference-based object structures whose interdependencies make recovery from corruption particularly challenging. Moreover, variations in encoding and storage—stemming from different producer tools—further complicate forensic analysis and reconstruction. This paper presents a comprehensive byte-level forensic analysis of the PDF structure and characterizes content-generation patterns across multiple producer types. Focusing on text data, we classify character storage within Content Objects into three categories—Text, XObject, and Path—and systematically analyze structural differences by generation method. Building on these insights, we propose CPR (Corrupted PDF Recovery), an algorithm designed to restore content from partially damaged PDFs. CPR carves objects from raw bytes, reconstructs inter-object relationships, and dynamically adapts its recovery process to the file's generation characteristics. For text restoration, CPR leverages a font mapping database (FontDB) and employs a large language model (LLM) to validate recovered outputs. Evaluation on a multilingual dataset encompassing three languages and multiple corruption scenarios demonstrates CPR's superiority over existing tools, achieving approximately 166 % higher recovery rate and greater forensic completeness, even when only a single content object exists. The CPR implementation, dataset, and FontDB are openly released as open source to support reproducibility and further forensic research.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302054"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554642","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}