{"title":"A forensic analysis of AnyDesk Remote Access application by using various forensic tools and techniques","authors":"Nishchal Soni , Manpreet Kaur , Vishwas Bhardwaj","doi":"10.1016/j.fsidi.2024.301695","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301695","url":null,"abstract":"<div><p>This study delves into a forensic analysis of the AnyDesk Remote Access application, focusing prominently on disk forensic acquisitions. We aim to assess the security and privacy features of AnyDesk, uncovering insights vital for forensic investigators and potential adversaries. The recovery of artifacts from Android Mobile and Windows-based PC devices, employing acquisition techniques, plays a pivotal role in forensic analysis. The study underscores the significance of log files, housing crucial details like user IDs, dates, transfer times, and file movements. Manual scrutiny of the extracted data establishes user connections and reveals user-centric information, encompassing wallpapers, chat logs, AnyDesk-IDs, and transferred files. As the data lacks encryption, artifacts are easily comprehensible and interlinked. AnyDesk-related files, including session recordings, media files, and documents, undergo successful extraction via forensic methods. Root permissions on the Android phone emerge as a critical asset, facilitating the identification of more reliable and concealed data. In contrast, on the PC, all files related to AnyDesk were identified through a combination of automatic and manual examination. 
In essence, this study provides profound insights into AnyDesk's security and privacy features, underscored by the instrumental role of forensic acquisitions in pinpointing and extracting pertinent data.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-02-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000040/pdfft?md5=84d83a61a2c6868aec0b282dfcba3760&pid=1-s2.0-S2666281724000040-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139700335","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A comprehensive analysis of the role of artificial intelligence and machine learning in modern digital forensics and incident response","authors":"Dipo Dunsin , Mohamed C. Ghanem , Karim Ouazzane , Vassil Vassilev","doi":"10.1016/j.fsidi.2023.301675","DOIUrl":"10.1016/j.fsidi.2023.301675","url":null,"abstract":"<div><p>In the dynamic landscape of digital forensics, the integration of Artificial Intelligence (AI) and Machine Learning (ML) stands as a transformative technology, poised to amplify the efficiency and precision of digital forensics investigations. However, the use of ML and AI in digital forensics is still in its nascent stages. As a result, this paper gives a thorough and in-depth analysis that goes beyond a simple survey and review. The goal is to look closely at how AI and ML techniques are used in digital forensics and incident response. This research explores cutting-edge research initiatives that cross domains such as data collection and recovery, the intricate reconstruction of cybercrime timelines, robust big data analysis, pattern recognition, safeguarding the chain of custody, and orchestrating responsive strategies to hacking incidents. This endeavour digs far beneath the surface to unearth the intricate ways AI-driven methodologies are shaping these crucial facets of digital forensics practice. While the promise of AI in digital forensics is evident, the challenges arising from increasing database sizes and evolving criminal tactics necessitate ongoing collaborative research and refinement within the digital forensics profession. This study examines the contributions, limitations, and gaps in the existing research, shedding light on the potential and limitations of AI and ML techniques. By exploring these different research areas, we highlight the critical need for strategic planning, continual research, and development to unlock AI's full potential in digital forensics and incident response. 
Ultimately, this paper underscores the significance of AI and ML integration in digital forensics, offering insights into their benefits, drawbacks, and broader implications for tackling modern cyber threats.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-01-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001944/pdfft?md5=23073248e25e43e978e06f7c8eabe90e&pid=1-s2.0-S2666281723001944-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139589605","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The effects of document's format, size, and storage media on memory forensics","authors":"Ziad A. Al-Sharif , Reema Al-Senjalawi , Omar A. Alzoubi","doi":"10.1016/j.fsidi.2024.301692","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301692","url":null,"abstract":"<div><p>Main memory or RAM contains volatile but critical data about the system's state and its recent activities. Often, RAM-based artifacts are hard to find elsewhere. Digital investigators can find in this volatile data essential information about the recent usage of a system including the used documents. Nowadays, documents are often fetched from a variety of storage media, most of which are internet-based. This can complicate the digital investigation process due to the remote nature of these storage media; most of these remote files cannot be traced on the local hard disk drive (HDD) of the captured machine. However, whenever the document's contents are successfully recovered from RAM images, it can ensure the actual usage of the document. This paper studies the effects of various storage media (<em>local and remote</em>) on the amount of volatile artifacts of different types of documents. Experiments are designed to evaluate the effects of local hard drives, removable media, and a set of cloud-based platforms such as Dropbox, Google Drive, and OneDrive on the RAM-based artifacts of a used document. Results show that the recovered contents are significantly affected by the used storage media. Moreover, the document's type has an effect too. 
Frequently, a good ratio of the document's contents is recovered from RAM even when the document is living on the cloud, the document is closed, and the connection is terminated.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-01-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000015/pdfft?md5=47f894a33d4dcb10c0cee7b8447cd252&pid=1-s2.0-S2666281724000015-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139503952","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Audio source recording device recognition based on representation learning of sequential Gaussian mean matrix","authors":"Chunyan Zeng , Shixiong Feng , Zhifeng Wang , Yuhao Zhao , Kun Li , Xiangkui Wan","doi":"10.1016/j.fsidi.2023.301676","DOIUrl":"10.1016/j.fsidi.2023.301676","url":null,"abstract":"<div><p>Audio source recording device recognition is a critical digital forensic task that involves identifying the source device based on intrinsic audio characteristics. This technology finds widespread application in various digital audio forensic scenarios, including audio source forensics, tamper detection forensics, and copyright protection forensics. However, existing methods often suffer from low accuracy due to limited information utilization. In this study, we propose a novel method for source recording device recognition, grounded in feature representation learning. Our approach aims to overcome the limitations of current methods. We introduce a temporal audio feature called the “Sequential Gaussian Mean Matrix (SGMM),” which is derived from temporal segmented acoustic features. We then design a structured representation learning model that combines Convolutional Neural Networks (CNN) and Bidirectional Long Short-Term Memory Networks (BiLSTM). This model leverages temporal Gaussian representation and convolutional bottleneck representation to effectively condense spatial information and achieve accurate recognition through temporal modeling. Our experimental results demonstrate an impressive recognition accuracy of 98.78%, showcasing the effectiveness of our method in identifying multiple classes of recording devices. Importantly, our approach outperforms state-of-the-art methods in terms of recognition performance. 
Our implementation code is publicly available at <span>https://github.com/CCNUZFW/SGMM</span>.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-01-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001956/pdfft?md5=c1cfb493d8976bb73053a81857e80514&pid=1-s2.0-S2666281723001956-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139398362","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A novel method for real-time object-based copy-move tampering localization in videos using fine-tuned YOLO V8","authors":"Sandhya, Abhishek Kashyap","doi":"10.1016/j.fsidi.2023.301663","DOIUrl":"10.1016/j.fsidi.2023.301663","url":null,"abstract":"<div><p>The research community faces challenges for video forgery detection techniques as advancements in multimedia technology have made it easy to alter the original video content and share it on electronic and social media with false propaganda. The copy-move attack is the most commonly practiced type of attack in videos/images, where an object is copied and moved into the current frame or any other frame of the video. Hence an illusion of recreation can be created to forge the content. It is very difficult to uncover the forgery traces with the naked eye. Hence, a passive method-based algorithm is proposed to scientifically investigate the statistical properties of the video by normalizing the median difference of the frames at the pixel level, and graphical analysis successfully shows the clear peak in the forged region. After that, a new deep learning approach, “You Only Look at Once”, the latest eighth version of YOLO, is tuned and trained for the localization of forged objects in the real-time domain. The validation and testing results obtained from the trained YOLO V8 are successfully able to detect and localize the forged objects in the videos with a mean average precision (mAP) of 0.99, recall of 0.99, precision of 0.99, and the highest confidence score. 
The proposed YOLO V8 is fine-tuned in three different ways, and the performance of the proposed method outperforms existing state-of-the-art techniques in terms of inference speed, accuracy, precision, recall, testing, and training time.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-12-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001828/pdfft?md5=35ac6006d6528037ce8427b12e149b58&pid=1-s2.0-S2666281723001828-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138579118","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Internet of things (IoT) forensics and incident response: The good, the bad, and the unaddressed","authors":"George Grispos, Hudan Studiawan, Saed Alrabaee","doi":"10.1016/j.fsidi.2023.301671","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301671","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-12-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001907/pdfft?md5=35c2c509784423339d30fb9bf45f038c&pid=1-s2.0-S2666281723001907-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138570394","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Techniques and methods for obtaining access to data protected by linux-based encryption – A reference guide for practitioners","authors":"Ben Findlay","doi":"10.1016/j.fsidi.2023.301662","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301662","url":null,"abstract":"<div><p>This research presents an overview of the typical disc and folder-level encryption that a digital forensic investigator may encounter when investigating a Linux operating system. Based on prior first-hand experience and significant follow-up testing and research, this work examines the operation of such encryption from the user's perspective, discusses how the encryption operates “under the hood”, and explores methods and techniques that can be used to access and retrieve data from such encrypted devices, both during at-scene/live forensic investigation and also post-scene. Worked examples are presented, to aid the reader's understanding. This research also presents considerations, approaches and steps that can be used by an investigator, in order to maximise the potential for data acquisition, and most crucially discusses lessons learnt to facilitate getting the best evidence in such cases. A breakdown of the binary structure of the key files associated with <em>fscrypt</em> is also presented, for reference. 
Current limitations and gaps in knowledge are also discussed.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001816/pdfft?md5=09cf1be607089778a7ef98c74df23839&pid=1-s2.0-S2666281723001816-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138549271","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Digital forensics in healthcare: An analysis of data associated with a CPAP machine","authors":"Veronica Schmitt, Emlyn Butterfield","doi":"10.1016/j.fsidi.2023.301661","DOIUrl":"10.1016/j.fsidi.2023.301661","url":null,"abstract":"<div><p>The need for digital forensic services across all sectors is not a new concept, nor is the increasing demand seen globally. However, the devices on which we perform digital forensics have changed and continue to evolve. For each device new approaches need to be developed or adapted to facilitate the secure preservation and analysis of the data it contains. The healthcare sector has seen particular adoption of a range of devices, from traditional through to cutting edge. The Covid-19 pandemic facilitated the need for a more boundary-agnostic level of care for patients, and medical devices are becoming increasingly more interconnected to facilitate remote care. This presents challenges in that devices are no longer “secured” in medical premises and will often be found in patients' homes, making them more exposed to attack, but also in a position to record significant amounts of personal data. The integration of information technology in medical environments has influenced the need for the development of a digital forensic process to perform analysis on medical devices. One such device is a continuous positive airway pressure (CPAP) machine, used by patients who suffer from Obstructive Sleep Apnea (OSA). It is estimated that 3-9% of the world's population suffer from this disorder; the normal medical treatment is the use of some form of CPAP machine. The research undertaken focuses on the ResMed AirSense 10 CPAP machine and a complete forensic postmortem analysis of the data contained and recorded by the device. The application of digital forensics to a traditional medical device, such as a CPAP machine, requires an adapted version of digital forensics, but in general the same tools and processes can be used. 
Through the analysis conducted, all patient data was located on a removable FAT32 formatted SD card, allowing the recovery of specific medical information about the device and personally identifiable information about the patient. The recovered data was then visualised using a variety of tools and systems. Information that can be derived from the visualisations includes a sequence of events, to some extent how the device was operating, and the clinical information recorded on the device.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001804/pdfft?md5=b12d26ad2eba434e2e50386f4c137ab6&pid=1-s2.0-S2666281723001804-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138547353","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Have you been upstairs? On the accuracy of registrations of ascended and descended floors in iPhones","authors":"Jan Peter van Zandwijk, Kim Lensen, Abdul Boztas","doi":"10.1016/j.fsidi.2023.301660","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301660","url":null,"abstract":"<div><p>The strong integration of smartphones in everyday life offers many new investigative opportunities. In particular, digital traces from smartphones can now increasingly be used to infer information about actions performed by their users in the physical world. For instance, the iPhone Health App is known to contain a large number of timestamped digital traces related to activities in the physical world, such as number of steps taken, distances travelled and floors ascended. In this study, we experimentally investigate the accuracy of registration of number of floors in iPhones. For this, seven test subjects ascended and descended floors of different heights with five different iPhones, where number of floors, walking speed and carrying location were varied.</p><p>Analysis of data shows that the iPhone Health App predominantly records information on floors when walking upstairs and virtually never when walking downstairs. iPhones contain other timestamped traces from which information on both ascended and descended floors in specific periods can be derived. The number of registered floors is primarily determined by the height difference travelled. From our experiments and information in the Health App, it follows that a height difference of approximately 3 m corresponds to the registration of one floor. For the height differences studied, the number of floors registered by the iPhones matches the number of 3 m blocks in the height difference in 70–80 % of the cases. Other factors, such as walking speed and carrying location of the phones, only have a minor effect on the accuracy of registered information. 
Additional experimentation shows that no floors are registered by the iPhones when ascending or descending using an elevator. When ascending or descending using an escalator, floors are only registered by the iPhones when the subjects walked on the escalator, not when standing still on the escalator.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-11-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138413420","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic analysis for multi-platform Cisco Webex","authors":"Uk Hur , Giyoon Kim , Soojin Kang , Jongsung Kim","doi":"10.1016/j.fsidi.2023.301659","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301659","url":null,"abstract":"<div><p>As contactless work has become more popular, the use of video conferencing and collaboration applications has increased. These applications provide versions for each platform in order to enable communications using various OS and devices. In order to provide a continuous workflow when switching between devices, data is stored on the cloud and then synchronized. Therefore, methods for extracting and analyzing data from various platforms and collecting data stored in the cloud must precede digital forensic investigation. We present the data analysis results of Cisco's Webex, a popular video conferencing and collaboration application, in Windows, macOS, iOS, and Android environments. Webex uses the data protection API provided by each OS to encrypt user data. We propose a method to unprotect data protected by the data protection API as well as a method to decrypt encrypted Webex user data. The decrypted data contained most of the user's data, and we analyze it to propose a method to recover deleted messages. We also propose a method to acquire cloud data by utilizing the decrypted data to migrate credential data stored on a device. 
The proposed method decrypts encrypted data on any platform and allows login via credentials.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"92046211","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}