{"title":"I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system","authors":"Dario Stabili, Filip Valgimigli, Mirco Marchetti","doi":"10.1016/j.fsidi.2025.301909","DOIUrl":"10.1016/j.fsidi.2025.301909","url":null,"abstract":"<div><div>Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offer different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store different types of data locally, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular NTG5 COMMAND IVI system (specifically, the NTG5*2 version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicle events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task. Given the past usage of the NTG5 system, our work might have real-life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general-purpose tools.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301909"},"PeriodicalIF":2.0,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143620486","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
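The abstract above mentions a carving technique for deleted SQLite records but gives no detail. As an added illustration of the underlying mechanism (this is not the authors' tool, nor code from the paper), the following Python script builds a constructed sample database that stands in for an IVI location log, deletes two rows with secure_delete off, and then carves each b-tree leaf page's freeblock chain and unallocated space for printable residue. The table name, column names, row values and file name are assumptions made for the demo.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Constructed sample: a toy "positions" table standing in for an IVI
# location log. It is not data or code from the paper's tool.
SAMPLE_ROWS = [
    (1, "2024-06-01T08:12:00", "HOME-GARAGE-ADDR"),
    (2, "2024-06-01T09:05:00", "OFFICE-CARPARK-B2"),
    (3, "2024-06-02T18:40:00", "LAKE-CABIN-ROAD"),
]
DELETED_IDS = (1, 3)


def build_sample_db(path):
    """Create a database, then delete two rows so their bytes linger on disk."""
    conn = sqlite3.connect(path)
    # With secure_delete on, SQLite zeroes freed cells and nothing is carvable.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE positions(id INTEGER PRIMARY KEY, ts TEXT, place TEXT)")
    conn.executemany("INSERT INTO positions VALUES (?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM positions WHERE id IN (?,?)", DELETED_IDS)
    conn.commit()
    conn.close()


def live_places(path):
    """What a normal query still sees after the deletion."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT place FROM positions ORDER BY id")]
    conn.close()
    return rows


def carve_sqlite_residue(path, min_len=6):
    """Return (page_number, region, text) for printable runs found in the
    freeblocks and unallocated space of every b-tree leaf page."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                      # the file format encodes 65536 as 1
        page_size = 65536
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    hits = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0        # page 1 carries the 100-byte file header
        if page[hdr] not in (0x0D, 0x0A):   # table-leaf / index-leaf pages only
            continue
        first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        if content_start == 0:
            content_start = 65536
        # Unallocated space sits between the cell pointer array and the content area.
        # A cell freed at the top of the content area is merged into this gap intact.
        regions = [("unallocated", page[hdr + 8 + 2 * ncells:content_start])]
        # Freeblock chain: each block begins with a 2-byte next pointer and a 2-byte
        # size that overwrite the first 4 bytes of the dead cell; the payload follows.
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= len(page):
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            regions.append(("freeblock", page[off + 4:off + size]))
            off = nxt
        for region, blob in regions:
            for m in pattern.finditer(blob):
                hits.append((pno + 1, region, m.group().decode("ascii")))
    return hits


def run_demo():
    """Build the sample, carve it, and return (live rows, carved strings)."""
    path = os.path.join(tempfile.mkdtemp(), "ivi_demo.db")
    build_sample_db(path)
    return live_places(path), [t for _, _, t in carve_sqlite_residue(path)]


if __name__ == "__main__":
    live, carved = run_demo()
    print("live:", live)
    print("carved residue:", carved)
```

The live query returns only the surviving row, while the carver recovers the two deleted place names (prefixed by the surviving record-header bytes, since only the first four bytes of a freed cell are overwritten). The same scan comes back empty if the database was created with secure_delete on, was VACUUMed, or had its pages rewritten by later inserts, which is why a real carver also needs to look at rollback journals, WAL files and unallocated disk space rather than the main file alone.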
{"title":"Blind protocol identification using synthetic dataset: A case study on geographic protocols","authors":"Mohammad Abbasi-Azar , Mehdi Teimouri , Mohsen Nikray","doi":"10.1016/j.fsidi.2025.301911","DOIUrl":"10.1016/j.fsidi.2025.301911","url":null,"abstract":"<div><div>Network forensics faces major challenges, including increasingly sophisticated cyberattacks and the difficulty of obtaining labeled datasets for training AI-driven security tools. Blind Protocol Identification (BPI), essential for detecting covert data transfers, is particularly impacted by these data limitations. This paper introduces a novel and inherently scalable method for generating synthetic datasets tailored for BPI in network forensics. Our approach emphasizes feature engineering and a statistical-analytical model of feature distributions to address the scarcity and imbalance of labeled data. We demonstrate the effectiveness of this method through a case study on geographic protocols, where we train Random Forest models using only synthetic datasets and evaluate their performance on real-world traffic. This work presents a promising solution to the data challenges in BPI, enabling reliable protocol identification while maintaining data privacy and overcoming traditional data collection limitations.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301911"},"PeriodicalIF":2.0,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143610262","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A review study of digital forensics in IoT: Process models, phases, architectures, and ontologies","authors":"Thiago J. Silva , Edson OliveiraJr , Maximiano Eduardo Pereira , Avelino F. Zorzo","doi":"10.1016/j.fsidi.2025.301912","DOIUrl":"10.1016/j.fsidi.2025.301912","url":null,"abstract":"<div><div>The Internet of Things (IoT) involves integrating uniquely identifiable computing devices into various infrastructures. Technological advancements have led to a proliferation of interconnected devices in public and private infrastructures, such as healthcare, transportation, and manufacturing. However, this expansion also presents significant challenges, including managing large volumes of data, navigating diverse infrastructures, dealing with network limitations, and the lack of standards for IoT device formats. The increase in digital crimes has spurred the growth of the Digital Forensics (DF) field, which plays a crucial role in various interdisciplinary contexts. DF involves analyzing digital crime-related data and going through phases such as identification, collection, organization, and presentation of evidence. As DF develops, there are emerging structural and methodological initiatives aimed at formalizing concepts and establishing a common vocabulary. The literature has proposed various frameworks, conceptual models, methodologies, and ontologies to support this area. To identify and examine existing models, frameworks, methodologies, or ontologies for digital forensics on the Internet of Things (IoT), this article presents a systematic literature review (SLR). The systematic literature review outlined methods for constructing models, different types of models, feasibility criteria, evaluation methods, and models for different stages and aspects of DF. The findings were derived from an analysis of 23 primary studies, which helped address four specific research questions. Additionally, the paper suggests further model-based assistance for DF research, aiming to assist researchers and professionals in addressing current research gaps. The contributions of this work aim to fill the gaps imposed by the practical implications for digital forensic investigators in IoT. In this case, one can mention the use of DF models and phases to assist in the analysis of evidence, recoveries, information, and identification of data patterns sent via IoT.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301912"},"PeriodicalIF":2.0,"publicationDate":"2025-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143579615","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"More on digital evidence exceptionalism: Critique of the argument-based method for evaluative opinions","authors":"Alex Biedermann , Kyriakos N. Kotsoglou","doi":"10.1016/j.fsidi.2025.301885","DOIUrl":"10.1016/j.fsidi.2025.301885","url":null,"abstract":"<div><div>This paper critically analyses and discusses the “Argument-Based Method for Evaluative Opinions” (ABMEO) recently proposed by Sunde and Franqueira in a paper published in <em>Forensic Science International: Digital Investigation</em> (<span><span>Sunde and Franqueira, 2023</span></span>). According to its developers, this novel method allows one to produce evaluative opinions in criminal proceedings by constructing arguments. The method is said to incorporate concepts from argumentation and probability theory, while ensuring adherence to accepted principles of evaluative reporting, in particular the ENFSI Guideline for Evaluative Reporting in Forensic Science. While this sounds promising, our analysis of the ABMEO, as well as Sunde and Franqueira's account of a number of evidence-related concepts such as probative value (and its assessment), credibility, relevance, normativity, and probability, among others, reveals a number of fundamental problems that are indicative of <em>digital evidence exceptionalism</em>; i.e. the idea that digital forensic science can somehow exempt itself from adhering to methodologically and scientifically rigorous evidence evaluation procedures. In this paper we explain why the ABMEO cannot and should not be considered as an appropriate complement, supplement or replacement for the existing reference framework for evaluative reporting in forensic science. In particular, we argue that the ABMEO is internally contradictory and tends to undermine the substantial progress made over the past two decades in the development and implementation of principles for the evaluative reporting of forensic science evidence.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301885"},"PeriodicalIF":2.0,"publicationDate":"2025-02-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143428108","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Smart City Infrastructure ontology for threats, cybercrime, and digital forensic investigation","authors":"Yee Ching Tok, Davis Yang Zheng, Sudipta Chattopadhyay","doi":"10.1016/j.fsidi.2025.301883","DOIUrl":"10.1016/j.fsidi.2025.301883","url":null,"abstract":"<div><div>Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Due to burgeoning cybercrime on new technological frontiers, efforts have been made to assist digital forensic investigators (DFI) and law enforcement agencies (LEA) in their investigative efforts.</div><div>Forensic tool innovations and ontology developments, such as the Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE), have been proposed to assist DFI and LEA. Although these tools and ontologies are useful, they lack extensive information sharing and tool interoperability features, and the ontologies lack the latest Smart City Infrastructure (SCI) context that was proposed.</div><div>To mitigate the weaknesses in both solutions and to ensure a safer cyber-physical environment for all, we propose the Smart City Ontological Paradigm Expression (<span>Scope</span>), an expansion profile of the UCO and CASE ontology that implements SCI threat models, SCI digital forensic evidence, attack techniques, patterns and classifications from MITRE.</div><div>We showcase how <span>Scope</span> could present complex data such as SCI-specific threats, cybercrime, investigation data and incident handling workflows via an incident scenario modeled after publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. We also make <span>Scope</span> available to the community so that threats, digital evidence and cybercrime in emerging trends such as SCI can be identified, represented, and shared collaboratively.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301883"},"PeriodicalIF":2.0,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143347830","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Data hiding in the XFS file system","authors":"Fergus Toolan, Georgina Humphries","doi":"10.1016/j.fsidi.2025.301884","DOIUrl":"10.1016/j.fsidi.2025.301884","url":null,"abstract":"<div><div>The ever-increasing volume of anti-forensic tools and the growth in data hiding at the file system level have led to research into data hiding techniques in recent years. These techniques have focused on common file systems such as NTFS and the ext family. Less common file systems can also be used as a means of hiding data. This paper examines data hiding in the XFS file system, the default file system on all Red Hat Enterprise Linux distributions. The paper introduces five methods of data hiding in XFS and evaluates these techniques using three metrics: capacity (the amount of data that can be hidden), detection difficulty (the effort required to detect hidden data), and stability (the likelihood that the hidden data will persist through file system usage).</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301884"},"PeriodicalIF":2.0,"publicationDate":"2025-02-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143310433","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploring the potential of large language models for improving digital forensic investigation efficiency","authors":"Akila Wickramasekara , Frank Breitinger , Mark Scanlon","doi":"10.1016/j.fsidi.2024.301859","DOIUrl":"10.1016/j.fsidi.2024.301859","url":null,"abstract":"<div><div>The ever-increasing workload of digital forensic labs raises concerns about law enforcement's ability to conduct both cyber-related and non-cyber-related investigations promptly. Consequently, this article explores the potential and usefulness of integrating Large Language Models (LLMs) into digital forensic investigations to address challenges such as bias, explainability, censorship, resource-intensive infrastructure, and ethical and legal considerations. A comprehensive literature review is carried out, encompassing existing digital forensic models, tools, LLMs, deep learning techniques, and the use of LLMs in investigations. The review identifies current challenges within existing digital forensic processes and explores both the obstacles and the possibilities of incorporating LLMs. In conclusion, the study states that the adoption of LLMs in digital forensics, with appropriate constraints, has the potential to improve investigation efficiency, improve traceability, and alleviate the technical and judicial barriers faced by law enforcement entities.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301859"},"PeriodicalIF":2.0,"publicationDate":"2025-02-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143141118","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Optimising data set creation in the cybersecurity landscape with a special focus on digital forensics: Principles, characteristics, and use cases","authors":"Thomas Göbel , Frank Breitinger , Harald Baier","doi":"10.1016/j.fsidi.2025.301882","DOIUrl":"10.1016/j.fsidi.2025.301882","url":null,"abstract":"<div><div>Data sets (samples) are important for research, training, and tool development. While the FAIR principles, data repositories and archives like Zenodo and NIST's Computer Forensic Reference Data Sets (CFReDS) enhance the accessibility and reusability of data sets, standardised practices for crafting and describing these data sets require further attention. This paper analyses the existing literature to identify the key data set (generation) characteristics, issues, desirable attributes, and use cases. Although our findings are generally applicable, i.e., to the cybersecurity domain, our special focus is on the digital forensics domain. We define principles and properties for cybersecurity-relevant data sets and their implications for the data creation process to maximise their quality, utility and applicability, taking into account specific data set use cases and data origin. We aim to guide data set creators in enhancing their data sets' value for the cybersecurity and digital forensics field.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301882"},"PeriodicalIF":2.0,"publicationDate":"2025-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143097417","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"WristSense framework: Exploring the forensic potential of wrist-wear devices through case studies","authors":"Norah Ahmed Almubairik , Fakhri Alam Khan , Rami Mustafa Mohammad , Mubarak Alshahrani","doi":"10.1016/j.fsidi.2025.301862","DOIUrl":"10.1016/j.fsidi.2025.301862","url":null,"abstract":"<div><div>Wrist devices have revolutionized our interaction with technology, monitoring various aspects of our activities and making them valuable in digital forensic investigations. Previous research has explored specific wrist device operating systems, often concentrating on devices from particular manufacturers. However, the broader market of wrist-worn devices, which includes a wide range of manufacturers, remains less explored. This oversight presents challenges in retrieving and analyzing data from wrist devices with different operating systems. Additionally, there has been limited exploration of utilizing health data from wrist devices in digital investigations. To address these gaps, this study presents a framework called “WristSense,” which systematically extracts health-related data from heterogeneous sources of wrist devices. The framework has been evaluated through case studies involving Huawei, Amazfit, Xiaomi, and Samsung wrist devices. WristSense ensures compatibility with devices from different vendors and analyzes health data such as sleep patterns, heart rate, blood oxygen saturation, activities, and stress levels. The research uncovers potential circumstantial evidence applicable to law enforcement and introduces a wrist-wear device artifact catalog, which also serves as a taxonomy, enabling practitioners to codify and leverage their collective forensic knowledge. The findings demonstrate the effectiveness of the WristSense framework in extracting and analyzing data from various vendors, providing valuable insights for forensic investigations. However, challenges such as encryption mechanisms on certain devices present areas that require further investigation. This research provides a comprehensive overview of suspect or victim health data, empowering digital forensic investigators to reconstruct detailed timelines and gather crucial evidence in criminal investigations involving wrist devices.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301862"},"PeriodicalIF":2.0,"publicationDate":"2025-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143141117","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"Medicine","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}