{"title":"Thumb: A forensic automation framework leveraging MLLMs and OCR on Android device","authors":"Dingjie Shang, Amin Sakzad, Stuart W. Hall","doi":"10.1016/j.fsidi.2025.301949","DOIUrl":"10.1016/j.fsidi.2025.301949","url":null,"abstract":"<div><div>The forensic of Android devices is challenging due to automated thumbnail generation by applications and the operating system, complicating attribution to specific user actions. This paper presents the design, implementation, and evaluation of a forensic framework, Thumb, which performs real-time experiments on physical Android devices. Thumb integrates multimodal large language models (MLLM) and Optical Character Recognition (OCR) to capture on-screen information and simulate user interactions, while extracting data from internal storage to monitor changes in cached and thumbnail files. A proof-of-concept implementation demonstrates the framework's accuracy across various applications, highlighting its potential to simplify Android forensic analysis. However, current MLLM limitations and the framework's structure pose challenges in complex scenarios and detailed data analysis.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301949"},"PeriodicalIF":2.0,"publicationDate":"2025-06-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144297437","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"DrIfTeR: A Drone Identification Technique using RF signals","authors":"Pankaj Choudhary , Vikas Sihag , Gaurav Choudhary , Nicola Dragoni","doi":"10.1016/j.fsidi.2025.301948","DOIUrl":"10.1016/j.fsidi.2025.301948","url":null,"abstract":"<div><div>The civilian drone market is experiencing explosive growth, with projections estimating it will hit USD 54.81 billion by 2030. This surge in drone numbers brings with it significant privacy and security challenges. To defend critical infrastructure and safeguard personal privacy from misuse, an effective drone detection system has become essential. There is a demand for detection solution that is not only efficient and accurate but also robust, cost-effective, and scalable to meet the evolving needs of this rapidly expanding field. In this paper, we present DrIfTeR, a drone detection, identification and classification model based on the radio frequency signals. Firstly we employ wavelet domain extraction and 3-stage wavelet decomposition during RF signal preprocessing. Secondly, we employ traditional machine learning, deep learning and ensemble learning models to evaluate effectiveness. Thirdly, we evaluate performance of DrIfTeR against drone detection, drone manufacturer identification and drone model identification. 
The performance of the approach is evaluated against benchmark dataset and is found to be effective and accurate.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301948"},"PeriodicalIF":2.0,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144290613","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Decrypting messages: Extracting digital evidence from signal desktop for windows","authors":"Gonçalo Paulino , Miguel Negrão , Miguel Frade , Patrício Domingues","doi":"10.1016/j.fsidi.2025.301941","DOIUrl":"10.1016/j.fsidi.2025.301941","url":null,"abstract":"<div><div>With growing concerns over the security and privacy of personal conversations, end-to-end encrypted instant messaging applications have become a key focus of forensic research. This study presents a detailed methodology along with an automated Python script for decrypting and analyzing forensic artifacts from Signal Desktop for Windows. The methodology is divided into two phases: i) decryption of locally stored data and ii) analysis and documentation of forensic artifacts. To ensure data integrity, the proposed approach enables retrieval without launching Signal Desktop, preventing potential alterations. Additionally, a reporting module organizes extracted data for forensic investigators, enhancing usability. Our approach is effective in extracting and analyzing encrypted Signal artifacts, providing a reliable method for forensic investigations.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301941"},"PeriodicalIF":2.0,"publicationDate":"2025-06-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144243118","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Autocrime - open multimodal platform for combating organized crime","authors":"Srikanth Madikeri , Petr Motlicek , Dairazalia Sanchez-Cortes , Pradeep Rangappa , Joshua Hughes , Jakub Tkaczuk , Alejandra Sanchez Lara , Driss Khalil , Johan Rohdin , Dawei Zhu , Aravind Krishnan , Dietrich Klakow , Zahra Ahmadi , Marek Kováč , Dominik Boboš , Costas Kalogiros , Andreas Alexopoulos , Denis Marraud","doi":"10.1016/j.fsidi.2025.301937","DOIUrl":"10.1016/j.fsidi.2025.301937","url":null,"abstract":"<div><div>A criminal investigation is a labor-intensive work requiring expert knowledge from several disciplines. Due to a large amount of heterogeneous data available from several modalities (i.e., audio/speech, text, video, non-content data), its processing raises many challenges. It may become impossible for law enforcement agents to deal with large amounts of highly-diverse data, especially for cross-border investigations focused on organized crime. ROXANNE EC H2020 project developed an all-in-one investigation platform for processing such diverse data. The platform mainly focuses on analyzing lawfully intercepted telephone conversations extended by non-content data (e.g., metadata related to the calls, time/spatial positions, and data collected from social media). Several state-of-the-art components are integrated into the pipeline, including speaker identification, automatic speech recognition, and named entity detection. With information extracted from this pipeline, the platform builds multiple knowledge graphs that capture phone and speaker criminal network interactions, including the central network and their clans. After hands-on sessions, law enforcement agents found the Autocrime platform easy to understand and highlighted its innovative, multi-technology functionalities that streamline forensic investigations, reducing manual effort. 
The AI-powered platform marks a significant first step toward creating an open investigative tool that combines advanced speech, text, and video processing algorithms with criminal network analysis, aimed at mitigating organized crime.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301937"},"PeriodicalIF":2.0,"publicationDate":"2025-06-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144205090","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Navigating the digital frontier – Key themes in digital forensics","authors":"Zeno Geradts","doi":"10.1016/j.fsidi.2025.301940","DOIUrl":"10.1016/j.fsidi.2025.301940","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301940"},"PeriodicalIF":2.0,"publicationDate":"2025-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144177998","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Digital forensics in law enforcement: A case study of LLM-driven evidence analysis","authors":"Kyung-Jong Kim , Chan-Hwi Lee , So-Eun Bae , Ju-Hyun Choi , Wook Kang","doi":"10.1016/j.fsidi.2025.301939","DOIUrl":"10.1016/j.fsidi.2025.301939","url":null,"abstract":"<div><div>The advent of digital technology and the ubiquity of mobile devices in today's society has led to a significant increase in the importance of mobile forensics in criminal investigations. Responding to the escalating volume and complexity of data due to enhanced smartphone capabilities and pervasive messaging apps, law enforcement agencies face challenges in data analysis. This study explores improving investigative efficiency through LLM-driven analysis of text from mobile messenger communications. We have conducted experiments on anonymized data collected from real crime scenes by employing three state-of-the-art LLM models, namely GPT-4o, Gemini 1.5 and Claude 3.5. The study focuses on optimizing model performance by employing prompt engineering, interpreting expressions embedded with hidden meanings such as slang, and contextually inferring ambiguous word usage. Finally, model performance is quantitatively evaluated using metrics such as precision, recall, F1 score, and hallucination rate.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"54 ","pages":"Article 301939"},"PeriodicalIF":2.0,"publicationDate":"2025-05-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144154363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Argus: A new approach for forensic analysis of apps on mobile devices","authors":"Abdul Boztas, Jeroen De Jong, Christos Hadjigeorghiou","doi":"10.1016/j.fsidi.2025.301938","DOIUrl":"10.1016/j.fsidi.2025.301938","url":null,"abstract":"<div><div>The availability of a multitude of apps on mobile devices offers many investigative opportunities due to the large amount of information on all kinds of activities stored by these apps. On the other hand, it also creates problems because it can be difficult to identify the location of relevant information and to properly interpret the great number of digital traces stored by apps. This is especially true for apps currently not supported by commercial forensic tools. This calls for the development of new tools that can quickly analyse specific applications and identify all files containing important information.</div><div>In this paper, we introduce the Argus tool for dynamically analysing apps on mobile devices. Argus monitors the file system on mobile devices to quickly identify which files have been modified, deleted, or created as a result of actions performed on the device, such as using an app. 
The Argus tool supports physical iOS and Android devices, as well as Android and iOS emulators.</div><div>The results of Argus experiments are stored locally on the computer conducting the experiment, but Argus also offers the option to publish and share these results in a forensic artifacts reference database called Aardwolf, accessible at https://www.aardwolfproject.eu.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301938"},"PeriodicalIF":2.0,"publicationDate":"2025-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144147941","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Unearthing the hidden path of MANET's nodes with signal strength measurements: Forensics challenges, survey and a novel approach for data collection, preservation and examination","authors":"Omar Ragheb , Mena Safwat , Marianne A. Azer","doi":"10.1016/j.fsidi.2025.301916","DOIUrl":"10.1016/j.fsidi.2025.301916","url":null,"abstract":"<div><div>Mobile Ad hoc Networks (MANETs) are self-configuring networks of mobile devices that communicate with each other without the need for infrastructure. This makes them highly flexible and adaptable to changing environments, making them ideal for applications such as transportation and tactical domains. However, the mobility feature of the network poses new challenges for digital forensics investigators due to their specific characteristics. One challenge is how the investigator can prove the Chain of Custody (COC) in court in this highly volatile network to ensure the integrity of the evidence. This paper studies the forensic challenges in several wireless technologies, including the Internet of Things (IoT), Vehicular Ad-hoc Networks (VANETs), and, especially in Mobile Ad-hoc Networks (MANETs), critically reviews several approaches to cover the challenges, and also proposes a novel digital forensics framework that is built on Fog Computing (FC). Using regular communication signal strength measurements, the proposed framework enables investigators to learn details about nodes' locations over time and mobility characteristics without requiring changes to communication protocols or overwhelming nodes with additional tasks. This can help to ensure the availability and integrity of the digital evidence and its admissibility in court. Additionally, the paper suggests a novel automated detection technique for Hello Flood attacks in ad-hoc networks. 
The viability of the approach has been demonstrated on a network simulator.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301916"},"PeriodicalIF":2.0,"publicationDate":"2025-05-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144071062","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Infotainment system Forensics: Ford SYNC 3 gen 2 infotainment system as a use case","authors":"Nils Antonson , Darren Quick , Kim-Kwang Raymond Choo","doi":"10.1016/j.fsidi.2025.301917","DOIUrl":"10.1016/j.fsidi.2025.301917","url":null,"abstract":"<div><div>The digital era is ushering in the next generation of motor vehicles supported by dozens of dispersed electronic control units (ECUs) communicating with each other over controller area networks (e.g., CAN bus). Each ECU is responsible for a specific set of functions. For example, built-in cellular modems, typically part of the telecommunication control unit (TCU), are used to call first responders when a crash is detected, but also surreptitiously send back vehicle telematics, and enable convenient features such as remote unlock/lock, remote start, and log the GPS position of the automobile into the cloud. Potentially, every input by the driver is logged and recorded within these ECUs. Indeed, modern automobiles are inadvertently equipped with proverbial black boxes. As a result, a new subdivision of digital forensics to extract and analyze this black box data is emerging. Smart vehicle forensics, also known as digital vehicle forensics (DVF), enables investigators to examine data produced by and stored inside automobiles. The infotainment system typically holds the most valuable data because it contains GPS tracklogs, artifacts left behind from paired mobile devices, and receives data from many other modules within the automobile. Therefore, DVF primarily focuses on the automobiles infotainment system, and specializes in extracting and analyzing stored electronic data. Law enforcement is increasingly becoming aware and making use of this new source of data. 
It is only a matter of time and budget before DVF investigations become routine and common practice.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301917"},"PeriodicalIF":2.0,"publicationDate":"2025-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143947549","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Leveraging self-supervised learning for scene classification in child sexual abuse imagery","authors":"Pedro H.V. Valois , João Macedo , Leo S.F. Ribeiro , Jefersson A. dos Santos , Sandra Avila","doi":"10.1016/j.fsidi.2025.301918","DOIUrl":"10.1016/j.fsidi.2025.301918","url":null,"abstract":"<div><div>Crime in the 21st century is split into a virtual and real world. However, the former has become a global menace to people's well-being and security in the latter. The challenges it presents must be faced with unified global cooperation, and we must rely more than ever on automated yet trustworthy tools to combat the ever-growing nature of online offenses. Over 10 million child sexual abuse reports are submitted to the US National Center for Missing & Exploited Children every year, and over 80% originate from online sources. Therefore, investigation centers cannot manually process and correctly investigate all imagery. In light of that, reliable automated tools that can securely and efficiently deal with this data are paramount. In this sense, the scene classification task looks for contextual cues in the environment, being able to group and classify child sexual abuse data without requiring to be trained on sensitive material. The scarcity and limitations of working with child sexual abuse images lead to self-supervised learning, a machine-learning methodology that leverages unlabeled data to produce powerful representations that can be more easily transferred to downstream tasks. This work shows that self-supervised deep learning models pre-trained on scene-centric data can reach 71.6% balanced accuracy on our indoor scene classification task and, on average, 2.2 percentage points better performance than a fully supervised version. We cooperate with Brazilian Federal Police experts to evaluate our indoor classification model on actual child abuse material. 
The results demonstrate a notable discrepancy between the features observed in widely used scene datasets and those depicted on sensitive materials.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301918"},"PeriodicalIF":2.0,"publicationDate":"2025-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143947548","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}