Forensic Science International-Digital Investigation: latest articles

IF-DSS: A forensic investigation framework for decentralized storage services
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/j.fsidi.2023.301611
Jihun Son, Gyubin Kim, Hyunwoo Jung, Jewan Bang, Jungheum Park
Abstract: Decentralized storage services are growing in popularity owing to their lower costs, increased resilience, and privacy compared with traditional cloud storage services. However, these characteristics also attract malicious actors, who abuse them to create phishing URLs, distribute malware, infringe on copyrights, and conduct other crime-related activities. Investigating these services is challenging because of their censorship resistance and decentralization, which renders the existing methodologies for cloud-based storage services and peer-to-peer-based file-sharing services insufficient. To address these challenges, we introduce a novel forensic investigation framework that encompasses identifying, collecting, examining, analyzing potential evidence, and preventing the further distribution of the content. The framework works on each node, peer, gateway, and Internet area of the decentralized storage services, integrating investigation steps on both remote and local sides. The usefulness and applicability of the proposed framework were demonstrated through case studies involving phishing and large-scale file sharing using IPFS with Filecoin.
Citations: 0
DFRWS 2024 USA Baton Rouge
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/S2666-2817(23)00168-3
Citations: 0
Identification of data wiping tools based on deletion patterns in ReFS $Logfile
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/j.fsidi.2023.301607
Eun Ji Lee, Seo Yeon Lee, Hyeon Kwon, Sung Jin Lee, Gi Bum Kim
Abstract: Data wiping tools permanently delete files by repeatedly overwriting data on a digital device, making file recovery impossible. Unlike the conventional deletion methods, which merely remove the file system pointer to the data, these tools are designed to entirely and irretrievably erase the data. This method can be exploited to obliterate evidence of a crime. Given the growing prevalence of such tools, a comprehensive analysis of permanent deletion behavior is essential, especially concerning the Resilient File System (ReFS). In this study, we propose a method for detecting user behavior concerning data wiping tools and algorithms in ReFS 3.7. Our approach relies on the fact that file modifications are logged in the redo record of the $Logfile, and that the opcode value of the redo record varies depending on the data wiping tool used. Since opcodes were only analyzed up to version 3.4, we analyzed the newly updated opcodes. Initially, we selected the 12 most commonly used data wiping tools for our research. In the pattern analysis phase, we applied the algorithms supported by each tool, generating a distinct deletion pattern for each one. This was accomplished by utilizing consecutive opcodes to formulate the patterns and monitor transitions in file and directory names. The patterns discerned in the $Logfile allowed us to determine which data wiping tool was deployed. The proposed methodology simplifies the identification of not only which data wiping tool has been used, but also the specific deletion behavior exhibited. We developed a tool incorporating the proposed method. Our subsequent verification confirmed the effectiveness of our methodology and tools in accurately detecting the use of comprehensive deletion tools. These findings contribute valuable insights to the acquisition of digital evidence of user deletion behavior in ReFS. Our proposed methodology will help digital forensic examiners in the detection and identification of data wiping tools' behavior.
Citations: 0
Prelim iii - Contents List
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/S2666-2817(23)00166-X
Citations: 0
Data remnants analysis of document files in Windows: Microsoft 365 as a case study
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/j.fsidi.2023.301612
Jihun Joun, Sangjin Lee, Jungheum Park
Abstract: In the era of digitization, electronic evidence has become increasingly important for investigations and legal proceedings. However, traditional digital forensic technologies, such as recovery and carving, face limitations because of difficulties acquiring unallocated areas intact. Furthermore, artifacts and files previously used for tracing can be easily deleted manually or via anti-forensic tools, which hinders traceability. This paper presents a novel framework to overcome these limitations. This method facilitates a more precise and comprehensive tracing of residual files through data remnants analysis, a forensic approach that investigates traces of deleted or overwritten data. By systematically constructing a dataset based on user action, we identify and analyze all data remnants within the system, thereby revealing file traces. The results of a case study on Microsoft 365 demonstrate our proposed framework's superior efficacy and accuracy compared to existing methods. Our approach offers valuable insights into data remnants analysis and contributes to digital forensic investigations conducted on Windows systems.
Citations: 0
DFRWS 2023 APAC Singapore
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/j.fsidi.2023.301655
Citations: 0
Bike computer forensics: An efficient and robust method for FIT file recovery
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/j.fsidi.2023.301606
Kwangkeun Song, Dongbin Oh
Abstract: The popularity of bike computer devices has grown in recent years. These devices generate a wealth of data in the form of Flexible and Interoperable Data Transfer (FIT) files, which can be used to store fitness related data efficiently. However, the recovery of corrupted FIT files remains a significant challenge due to their inherent structure. The format relies on a chain of messages stored sequentially, with each message referencing previous data to parse the subsequent record. As a result, the recovery of data situated between corrupted portions becomes notably challenging. This study introduces an efficient, and robust method for dense recovery of corrupted files. Our approach combines multiple phases of data carving techniques to maximize data recovery. By employing this method, investigators can effectively access crucial information including accident reconstruction, and criminal activities. The proposed methods demonstrate higher recovery rate through the proof-of-concept and real-world experiments, proving its utility and reliability in the field of digital forensics.
Citations: 0
DFRWS 2024 EU Zaragoza
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-10-01 DOI: 10.1016/S2666-2817(23)00167-1
Citations: 0
Comparison of deep learning classification models for facial image age estimation in digital forensic investigations
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-09-22 DOI: 10.1016/j.fsidi.2023.301637
Monika Roopak, Saad Khan, Simon Parkinson, Rachel Armitage
Abstract: There has been a significant rise in digital forensic investigations containing Indecent Images of Children (IIoC), and one of the major challenges faced by investigators is the time-consuming task of manually investigating images for illicit content. In the UK, law enforcement maintains and uses a standard national repository of IIoC, known as CAID (Child Abuse Image Database), to identify known illegal images by matching their image hashes and metadata. The CAID plays a significant role in making IIoC investigations faster and more effective. However, all images that are not matched through using CAID require manual analysis. Every image has to be viewed and verified as IIoC by investigators. The victim age estimation in the images (i.e., determining whether they are juvenile or adult as this would change the course of the investigation) is a crucial part of this verification process and takes time due to a large number of images to inspect, therefore impacting the speed of the investigation, and consequently victims. This is a time-consuming and challenging task for human investigators.
Previous work has demonstrated that deep learning has the capability to estimate age with high accuracy in images. This reduces the number of images that will need to be manually processed, thereby finishing the investigation faster. However, in terms of practical implementation in IIoC investigations, there is an absence of a comparative study using the same datasets to establish the most appropriate deep learning model and classification approach to use. This is important as different models have different capabilities and previous works utilise various binary, multi-class, and regression approaches. It is not yet known which is the most accurate for use in digital forensic investigations. In this paper, we construct an extensive dataset before experimenting with four pre-trained deep learning models: VGG16, ResNet50, Xception, and InceptionV3. We have identified that binary classification works best for the identification of images as a child or adult, with the ResNet50 obtaining the best results in terms of accuracy (91.70%) on unseen images.
Citations: 0
Post-mortem digital forensic analysis of the Garmin Connect application for Android
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date: 2023-09-18 DOI: 10.1016/j.fsidi.2023.301624
Fabian Nunes, Patrício Domingues, Miguel Frade
Abstract: The Garmin Vivosmart 4 smartband can monitor various health metrics, including heart rate, oxygen saturation, body composition, and stress levels. It is a quite popular fitness tracking device, as its Android companion application – Garmin Connect – has been downloaded more than 10 million times and can provide critical forensic artifacts such as timestamped GPS-based locations. In this work, we analyze the Garmin Connect application to identify i) relevant digital forensic artifacts, and ii) assess methods to retrieve cloud-based data relevant to a digital forensic examination. For this purpose, we first establish a test scenario where the paired device/application collects data in regular real-world situations using a rooted smartphone running Android 11. The smartphone is then examined to gain insights into the data stored by the application and identify meaningful digital artifacts.
To ease and automate the task of digital forensic practitioners, we have developed the Garmin Connect for Android Analyzer (GC4AA) set of Python 3 modules tailored for the digital forensic framework Android Logs Events And Protobuf Parser (ALEAPP). These open-source modules parse dumps of a Vivosmart 4 data directory and create reports displaying several digital artifacts, such as health metrics, GPS data and routes, and phone notifications. They automate the information-gathering process and produce a report specially tailored for Garmin Connect data, highlighting the most relevant artifacts. Our results show that the analysis of paired Garmin Collect/Vivosmart 4 with GC4AA can yield more digital forensic artifacts than existing open-source tools, including the following new artifacts: i) Daily Summary data; ii) GPS data; iii) Response Cache data; iv) Network Logs; v) Facebook API tokens; vi) Device Synchronization cache; vii) SpO₂ reading charts. Our contributions include a graphical presentation of the collected data, greatly improving its readability and analysis.
Citations: 0