{"title":"I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system","authors":"Dario Stabili, Filip Valgimigli, Mirco Marchetti","doi":"10.1016/j.fsidi.2025.301909","DOIUrl":"10.1016/j.fsidi.2025.301909","url":null,"abstract":"Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offer different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store different types of data locally, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular NTG5 COMMAND IVI system (specifically, the NTG5*2 version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicle events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task. Given the past usage of the NTG5 system, our work might have real-life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general-purpose tools.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301909"},"PeriodicalIF":2.0,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143620486","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Blind protocol identification using synthetic dataset: A case study on geographic protocols","authors":"Mohammad Abbasi-Azar , Mehdi Teimouri , Mohsen Nikray","doi":"10.1016/j.fsidi.2025.301911","DOIUrl":"10.1016/j.fsidi.2025.301911","url":null,"abstract":"Network forensics faces major challenges, including increasingly sophisticated cyberattacks and the difficulty of obtaining labeled datasets for training AI-driven security tools. Blind Protocol Identification (BPI), essential for detecting covert data transfers, is particularly impacted by these data limitations. This paper introduces a novel and inherently scalable method for generating synthetic datasets tailored for BPI in network forensics. Our approach emphasizes feature engineering and a statistical-analytical model of feature distributions to address the scarcity and imbalance of labeled data. We demonstrate the effectiveness of this method through a case study on geographic protocols, where we train Random Forest models using only synthetic datasets and evaluate their performance on real-world traffic. This work presents a promising solution to the data challenges in BPI, enabling reliable protocol identification while maintaining data privacy and overcoming traditional data collection limitations.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301911"},"PeriodicalIF":2.0,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143610262","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A review study of digital forensics in IoT: Process models, phases, architectures, and ontologies","authors":"Thiago J. Silva , Edson OliveiraJr , Maximiano Eduardo Pereira , Avelino F. Zorzo","doi":"10.1016/j.fsidi.2025.301912","DOIUrl":"10.1016/j.fsidi.2025.301912","url":null,"abstract":"The Internet of Things (IoT) involves integrating uniquely identifiable computing devices into various infrastructures. Technological advancements have led to a proliferation of interconnected devices in public and private infrastructures, such as healthcare, transportation, and manufacturing. However, this expansion also presents significant challenges, including managing large volumes of data, navigating diverse infrastructures, dealing with network limitations, and lacking standards in IoT device formats. The increase in digital crimes has spurred the growth of the Digital Forensics (DF) field, which plays a crucial role in various interdisciplinary contexts. DF involves analyzing digital crime-related data and going through phases such as identification, collection, organization, and presentation of evidence. As DF develops, there are emerging structural and methodological initiatives aimed at formalizing concepts and establishing a common vocabulary. The literature has proposed various frameworks, conceptual models, methodologies, and ontologies to support this area. To identify and examine existing models, frameworks, methodologies, or ontologies for digital forensics on the Internet of Things (IoT), this article presents a systematic literature review (SLR). The systematic literature review outlined methods for constructing models, different types of models, feasibility criteria, evaluation methods, and models for different stages and aspects of DF. The findings were derived from an analysis of 23 primary studies, which helped address four specific research questions. Additionally, the paper suggests further model-based assistance for DF research, aiming to assist researchers and professionals in addressing current research gaps. The contributions of this work aim to fill the gaps imposed by the practical implications for digital forensic investigators in IoT. In this case, one can mention the use of DF models and phases to assist in the analysis of evidence, recoveries, information, and identification of data patterns sent via IoT.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301912"},"PeriodicalIF":2.0,"publicationDate":"2025-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143579615","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A scenario-based quality assessment of memory acquisition tools and its investigative implications","authors":"Lisa Rzepka , Jenny Ottmann , Radina Stoykova , Felix Freiling , Harald Baier","doi":"10.1016/j.fsidi.2025.301868","DOIUrl":"10.1016/j.fsidi.2025.301868","url":null,"abstract":"During digital forensic investigations, volatile data from random-access memory (RAM) can provide crucial information such as access credentials or encryption keys. This data is usually obtained using software that copies the contents of RAM to a memory dump file concurrently with normal system operation. It is well known that this results in many inconsistencies in the copied data. Based on established quality criteria from the literature and on four typical investigative scenarios, we present and evaluate a methodology to assess the quality of memory acquisition tools in these scenarios. The methodology basically relates three factors: (1) the quality criteria of the memory dump, (2) the applied memory forensics analysis technique, and (3) its success in the given investigative scenario. We apply our methodology to four memory acquisition tools (from both the open source and the commercial community). It turns out that all tools have weaknesses, but that their inconsistencies appear to be not as bad as anticipated. Another finding is that unstructured memory analysis methods are more robust against low-quality (i.e., inconsistent) memory dumps than structured analysis methods. We provide the measurement dataset together with the tool by which it was acquired and also examine our findings in the context of legal and international standards for digital forensics in law enforcement investigations.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301868"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679790","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tapping .IPAs: An automated analysis of iPhone applications using Apple silicon Macs","authors":"Steven Seiden , Andrew M. Webb , Ibrahim Baggili","doi":"10.1016/j.fsidi.2025.301871","DOIUrl":"10.1016/j.fsidi.2025.301871","url":null,"abstract":"Dynamic analysis of iOS applications poses significant challenges due to the platform's stringent security measures. Historically, investigations often required jailbreaking, but recent enhancements in iOS security have diminished the viability of this approach. Consequently, alternative methodologies are necessary. In this study, we explore the feasibility of automated iOS application analysis on the ARM-based M1 Mac platform. To do so, we utilized an ARM-based Mac to install several popular iOS applications. Our manual analysis using existing macOS tools demonstrated the potential to uncover artifacts such as chat messages and browsing history. To streamline this process, we developed a tool, AppTap, which facilitates the entire forensic procedure from installation to artifact extraction. AppTap enables analysts to quickly install, test, and retrieve file system artifacts from these applications and allows for the easy checkpointing of user files generated by iOS apps. These checkpoints help analysts correlate artifacts with user actions. We tested AppTap with the top 100 iPhone apps and top 100 iPhone games from the U.S. App Store (n=200). Our results showed that 46% of these applications were installed and operated as expected, while 30.5% failed to install, likely due to the older macOS version, a necessary condition for this study. We discuss several strategies to enhance application support in the future, which could significantly increase the number of supported applications. Applying our methodologies as-is to the M1 Mac platform has significantly streamlined the forensic process for iOS applications, saving time for analysts and expanding future capabilities.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301871"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679881","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic analysis of Telegram Messenger on iOS smartphones","authors":"Lukas Jaeckel, Michael Spranger, Dirk Labudde","doi":"10.1016/j.fsidi.2025.301866","DOIUrl":"10.1016/j.fsidi.2025.301866","url":null,"abstract":"As mobile messengers have dominated and penetrated our daily communication and activities, the odds of them being involved in criminal activities have increased. Since each messenger usually uses its own proprietary data schema (including encoding, encryption and frequent updates) to store communication data, investigative authorities urgently require a solution to transfer the data into a processable structure so that it can be analysed efficiently, especially in a forensic context. Therefore, this work identifies and examines locally stored data of the Telegram Messenger with high forensic value on iOS devices. In particular, this work deals with extracting contact and communication data to link and analyse it. For this purpose, artificially generated test data, as well as the open source code of the Telegram Messenger under iOS, are analysed. The main focus of this work lies on the primary database, in which a large part of the data is encoded and therefore needs to be transferred into an interpretable form. In summary, this work enables a manual or automated analysis of messenger data for investigative authorities and IT companies with forensic reference. The proposed method can also be adapted in research to analyse further instant messaging services.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301866"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679788","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Preserving meaning of evidence from evolving systems","authors":"Hannes Spichiger , Frank Adelstein","doi":"10.1016/j.fsidi.2025.301867","DOIUrl":"10.1016/j.fsidi.2025.301867","url":null,"abstract":"Preservation is generally considered the step in the forensic process that stops evidence from decaying. In this paper, we argue that the traditional scope of preservation in digital forensic science, focused on the trace, is not sufficient to ensure that decay stops in the context of evolving systems. Instead, insufficiently preserved reference material may lead to a loss of meaning, resulting in an overall increase of uncertainty in the presented evidence. An expanded definition of Preservation and a definition of Reference Data are proposed. We present suggestions for future avenues of research into ways of preserving reference data in order to avoid a loss of meaning of the trace data.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301867"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679789","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}