Forensic Science International-Digital Investigation最新文献

{"title":"Towards reliable data in the scope of unmanned aircraft systems","authors":"Karolin Lohre ,&nbsp;Harald Baier ,&nbsp;Lukas Hardi ,&nbsp;Andreas Attenberger","doi":"10.1016/j.fsidi.2025.301914","DOIUrl":"10.1016/j.fsidi.2025.301914","url":null,"abstract":"<div><div>The goal of a digital forensic examination is to answer legal questions in the scope of IT systems. In order to come up with accurate answers, the data of the IT system at hand needs to be reliable. While the processing of digital traces of classical operating systems like Windows and its corresponding applications is well understood (especially with respect to the reliability of traces), emerging technologies often lack such an understanding of the trustworthiness of the examined data. In this work, we address the reliability of data in the scope of Unmanned Aircraft System (UAS). Although systems like UAS have become popular in various fields of application, digital forensic scientists and investigators currently lack an understanding of how to assess the correctness of UAS information, especially in the scope of Do-It-Yourself drone forensics. We shed light on common challenges when working with UAS data. Our main contribution is the introduction, explanation, and discussion of a conceptual framework to rate the reliability of UAS data. Our framework is based on three different categories representing three different levels of knowledge about the state of the UAS.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301914"},"PeriodicalIF":2.0,"publicationDate":"2025-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143882128","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Formulating propositions in Trojan horse defense cases","authors":"M. Vink ,&nbsp;R. Schramp ,&nbsp;C.E.H. Berger ,&nbsp;M.J. Sjerps","doi":"10.1016/j.fsidi.2025.301915","DOIUrl":"10.1016/j.fsidi.2025.301915","url":null,"abstract":"<div><div>This paper demonstrates how to formulate relevant sets of propositions in cases involving alleged possession of illegal content on electronic devices. The primary purpose of exploring how to formulate propositions is to enable a balanced and transparent evaluation of digital evidence, ideally using a likelihood ratio (LR). We present five categories explaining how illegal material can appear on electronic devices, including intentional and unintentional activities by suspects, other individuals, or automated processes (the “Trojan horse defense”). We review existing guidelines on formulating propositions developed for physical evidence and show how each explanation category can be properly formulated into propositions. Our findings indicate that the digital forensic domain can benefit from established principles for evaluating physical evidence. We also observe aspects that are more specific to digital forensic science where observations need to be evaluated in cases where intent is disputed, which can lead to propositions that address whether activities were carried out knowingly or unknowingly. By providing guidance on formulating relevant propositions, this research aims to contribute to the broader implementation of evaluative practices in digital forensic science.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301915"},"PeriodicalIF":2.0,"publicationDate":"2025-04-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143878936","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Horodocs: A scalable, sustainable, robust and privacy compliant system to securely timestamp digital evidence and documents","authors":"David-Olivier Jaquet-Chiffelle ,&nbsp;Ludovic Pfeiffer ,&nbsp;Lionel Brocard ,&nbsp;Emmanuel Benoist ,&nbsp;Noria Foukia","doi":"10.1016/j.fsidi.2025.301913","DOIUrl":"10.1016/j.fsidi.2025.301913","url":null,"abstract":"<div><div>Human activities produce more and more digital traces. Criminal activities are no exception: criminals often operate on computers, carry mobile phones, use GPS devices, or are recorded by surveillance cameras. Moreover, analyses of analog traces can produce results in a digital form. As digital information (evidence or results) becomes highly relevant in today's investigations, there is a pressing need for a trustworthy way to strengthen the chain of custody for digital content, especially its integrity component.</div><div>The Horodocs timestamping system responds to the need for a scalable, robust, trustworthy, independently verifiable, chronological ledger preventing backdating and enabling integrity verification of a digital file.</div><div>In order to make the system scalable and limit costs, submitted file hash values are grouped together into a local, temporary Merkle tree, called the Horodocs tree; this tree is discarded after its root value has been used to record both a derived identifier and an encrypted random control value on the Ethereum blockchain.<span><span>¹</span></span> The main innovation resides in the way information about the Horodocs tree is provided to each participant having requested a timestamp during the lifespan of this tree. Each submitter gets a receipt with enough information to verify the timestamp for the hash values that were submitted to the Horodocs system: the receipt is only valid for the hash values of the original file and allows one to recalculate the root value of the corresponding discarded Horodocs tree independently. The root value is required to find the record in the Ethereum blockchain and to recover and decrypt the stored random control value to validate the date and time of the timestamp.</div><div>Throughout its conception, the Horodocs system has been developed with a concern for strong robustness against backdating, privacy-by-design, transparency, usability, scalability, sustainability, automation, as well as cost and energy savings.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301913"},"PeriodicalIF":2.0,"publicationDate":"2025-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143829696","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system","authors":"Dario Stabili,&nbsp;Filip Valgimigli,&nbsp;Mirco Marchetti","doi":"10.1016/j.fsidi.2025.301909","DOIUrl":"10.1016/j.fsidi.2025.301909","url":null,"abstract":"<div><div>Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offers different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store locally different types of data, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular <span><math><mi>N</mi><mi>T</mi><mi>G</mi><mn>5</mn></math></span> COMMAND IVI system (specifically, the <span><math><mi>N</mi><mi>T</mi><mi>G</mi><mn>5</mn><mo>⁎</mo><mn>2</mn></math></span> version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicles events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task.<span><span>¹</span></span> Given the past usage of the <span><math><mi>N</mi><mi>T</mi><mi>G</mi><mn>5</mn></math></span> system, our work might have real life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general purpose tools.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301909"},"PeriodicalIF":2.0,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143620486","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Blind protocol identification using synthetic dataset: A case study on geographic protocols","authors":"Mohammad Abbasi-Azar ,&nbsp;Mehdi Teimouri ,&nbsp;Mohsen Nikray","doi":"10.1016/j.fsidi.2025.301911","DOIUrl":"10.1016/j.fsidi.2025.301911","url":null,"abstract":"<div><div>Network forensics faces major challenges, including increasingly sophisticated cyberattacks and the difficulty of obtaining labeled datasets for training AI-driven security tools. Blind Protocol Identification (BPI), essential for detecting covert data transfers, is particularly impacted by these data limitations. This paper introduces a novel and inherently scalable method for generating synthetic datasets tailored for BPI in network forensics. Our approach emphasizes feature engineering and a statistical-analytical model of feature distributions to address the scarcity and imbalance of labeled data. We demonstrate the effectiveness of this method through a case study on geographic protocols, where we train Random Forest models using only synthetic datasets and evaluate their performance on real-world traffic. This work presents a promising solution to the data challenges in BPI, enabling reliable protocol identification while maintaining data privacy and overcoming traditional data collection limitations.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301911"},"PeriodicalIF":2.0,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143610262","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A review study of digital forensics in IoT: Process models, phases, architectures, and ontologies","authors":"Thiago J. Silva ,&nbsp;Edson OliveiraJr ,&nbsp;Maximiano Eduardo Pereira ,&nbsp;Avelino F. Zorzo","doi":"10.1016/j.fsidi.2025.301912","DOIUrl":"10.1016/j.fsidi.2025.301912","url":null,"abstract":"<div><div>The Internet of Things (IoT) involves integrating uniquely identifiable computing devices into various infrastructures. Technological advancements have led to a proliferation of interconnected devices in public and private infrastructures, such as healthcare, transportation, and manufacturing. However, this expansion also presents significant challenges, including managing large volumes of data, navigating diverse infrastructures, dealing with network limitations, and lacking standards in IoT device formats. The increase in digital crimes has spurred the growth of the Digital Forensics (DF) field, which plays a crucial role in various interdisciplinary contexts. DF involves analyzing digital crime-related data and going through phases such as identification, collection, organization, and presentation of evidence. As DF develops, there are emerging structural and methodological initiatives aimed at formalizing concepts and establishing a common vocabulary. The literature has proposed various frameworks, conceptual models, methodologies, and ontologies to support this area. To identify and examine existing models, frameworks, methodologies, or ontologies for digital forensics on the Internet of Things (IoT), this article presents a systematic literature review (SLR). The systematic literature review outlined methods for constructing models, different types of models, feasibility criteria, evaluation methods, and models for different stages and aspects of DF. The findings were derived from an analysis of 23 primary studies, which helped address four specific research questions. Additionally, the paper suggests further model-based assistance for DF research, aiming to assist researchers and professionals in addressing current research gaps. The contributions of this work aim to fill the gaps imposed by the practical implications for digital forensic investigators in IoT. In this case, one can mention the use of DF models and phases to assist in the analysis of evidence, recoveries, information, and identification of data patterns sent via IoT.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301912"},"PeriodicalIF":2.0,"publicationDate":"2025-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143579615","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Corrigendum to “Adding transparency to uncertainty: An argument-based method for evaluative opinions” [FSIDI 48 (2023) 301657]","authors":"Nina Sunde ,&nbsp;Virginia N.L. Franqueira","doi":"10.1016/j.fsidi.2025.301910","DOIUrl":"10.1016/j.fsidi.2025.301910","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301910"},"PeriodicalIF":2.0,"publicationDate":"2025-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143549353","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Welcome to the 12th Annual DFRWS Europe Conference!","authors":"Edita Bajramovic,&nbsp;Olga Angelopoulou","doi":"10.1016/j.fsidi.2025.301879","DOIUrl":"10.1016/j.fsidi.2025.301879","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301879"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679785","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A scenario-based quality assessment of memory acquisition tools and its investigative implications","authors":"Lisa Rzepka ,&nbsp;Jenny Ottmann ,&nbsp;Radina Stoykova ,&nbsp;Felix Freiling ,&nbsp;Harald Baier","doi":"10.1016/j.fsidi.2025.301868","DOIUrl":"10.1016/j.fsidi.2025.301868","url":null,"abstract":"<div><div>During digital forensic investigations volatile data from random-access memory (RAM) can provide crucial information such as access credentials or encryption keys. This data is usually obtained using software that copies contents of RAM to a memory dump file concurrently to normal system operation. It is well-known that this results in many inconsistencies in the copied data. Based on established quality criteria from the literature and on four typical investigative scenarios, we present and evaluate a methodology to assess the quality of memory acquisition tools in these scenarios. The methodology basically relates three factors: (1) the quality criteria of the memory dump, (2) the applied memory forensics analysis technique, and (3) its success in the given investigative scenario. We apply our methodology to four memory acquisition tools (from both the open source and the commercial community). It turns out that all tools have weaknesses but that their inconsistencies appear to be not as bad as anticipated. Another finding is that unstructured memory analysis methods are more robust against low quality (i.e., inconsistent) memory dumps than structured analysis methods. We provide the measurement dataset together with the tool by which it was acquired and also examine our findings in the context of legal and international standards for digital forensics in law enforcement investigations.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301868"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679790","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Tapping .IPAs: An automated analysis of iPhone applications using apple silicon macs","authors":"Steven Seiden ,&nbsp;Andrew M. Webb ,&nbsp;Ibrahim Baggili","doi":"10.1016/j.fsidi.2025.301871","DOIUrl":"10.1016/j.fsidi.2025.301871","url":null,"abstract":"<div><div>Dynamic analysis of iOS applications poses significant challenges due to the platform's stringent security measures. Historically, investigations often required jailbreaking, but recent enhancements in iOS security have diminished the viability of this approach. Consequently, alternative methodologies are necessary. In this study, we explore the feasibility of automated iOS application analysis on the ARM-based M1 Mac platform. To do so, we utilized an ARM-based Mac to install several popular iOS applications. Our manual analysis using existing macOS tools demonstrated the potential to uncover artifacts such as chat messages and browsing history. To streamline this process, we developed a tool, <em>AppTap</em>, which facilitates the entire forensic procedure from installation to artifact extraction. AppTap enables analysts to quickly install, test, and retrieve file system artifacts from these applications and allows for the easy checkpointing of user files generated by iOS apps. These checkpoints help analysts correlate artifacts with user actions. We tested AppTap with the top 100 iPhone apps and top 100 iPhone games from the U.S. App Store (<em>n</em>=200). Our results showed that 46 % of these applications were installed and operated as expected, while 30.5% failed to install, likely due to the older macOS version—a necessary condition for this study. We discuss several strategies to enhance application support in the future, which could significantly increase the number of supported applications. Applying our methodologies as-is to the M1 Mac platform has significantly streamlined the forensic process for iOS applications, saving time for analysts and expanding future capabilities.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301871"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679881","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}