Forensic Science International-Digital Investigation: latest articles

Detecting hidden kernel modules in memory snapshots
Roland Nagy
Forensic Science International-Digital Investigation, vol. 53, Article 301928. Pub Date: 2025-07-01; Epub Date: 2025-08-01; DOI: 10.1016/j.fsidi.2025.301928
IF 2.2; CAS partition: Zone 4 (Medicine)
Abstract: Rootkit infections have plagued IT systems for several decades now. As non-trivial threats often employed by sophisticated adversaries, rootkits have received a large amount of attention, from both the industrial and academic communities. Consequently, rootkit detection has a rich literature, but most papers focus on only detecting the fact that an infection happened. They rarely offer mitigation, let alone identifying the piece of malware. We aim to solve this by not only detecting rootkit infections but by finding the malware as well. Our paper has three main goals: extend the state of the art of cross-view-based detection of Loadable Kernel Modules (the de-facto delivery method of Linux kernel rootkits), provide a memory forensics tool that implements our detection method and enables further investigation of loaded modules, and publish the dataset we used to evaluate our solution. We implemented our tool in the form of a Volatility plugin and compared it to the already existing module detection capability of Volatility. We tested them on 55 rootkit-infected memory dumps, covering 27 different versions of the Linux kernel. We also provide compatibility analysis with different kernel versions, ranging from the initial release to the latest (6.13, at the time of writing).
Citations: 0
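A cross-view check of the kind the abstract refers to, as an added example: this is not the paper's Volatility plugin and it does not examine a memory snapshot. It compares the kernel's own views of loaded modules on a live Linux system (the `modules` list behind /proc/modules, the per-module kobject under /sys/module that only loadable modules give an `initstate` file, and the `[module]` tags in /proc/kallsyms), and flags anything the secondary views see but the primary list does not. The sample views, the module name `hidden_mod` and its symbol names are constructed so the code runs offline.

```python
"""Cross-view detection of hidden Linux kernel modules (added example).

A rootkit that merely unlinks its struct module from the kernel's `modules`
list vanishes from /proc/modules and lsmod, but usually stays visible in:
  * /sys/module/<name>/initstate   (kobject; only loadable modules have it)
  * /proc/kallsyms                 (symbols tagged "[<name>]")
Names seen in a secondary view but absent from /proc/modules are candidates.
"""
from __future__ import annotations
import os
import re
from dataclasses import dataclass

# "ffffffffc0401000 t ext4_readdir\t[ext4]"  (address may be zeroed for non-root)
KALLSYMS_MOD = re.compile(r"^[0-9a-fA-F]+\s+\S\s+(\S+)\s+\[(\S+)\]$")


def parse_proc_modules(text: str) -> dict[str, int]:
    """{name: size} from /proc/modules lines: 'name size refcnt deps state addr'."""
    mods: dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            mods[parts[0]] = int(parts[1])
    return mods


def parse_kallsyms_modules(text: str) -> dict[str, set[str]]:
    """{module: {symbols}} for kallsyms lines carrying a '[module]' tag."""
    by_mod: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = KALLSYMS_MOD.match(line.strip())
        if m:
            by_mod.setdefault(m.group(2), set()).add(m.group(1))
    return by_mod


@dataclass
class CrossView:
    hidden: dict[str, set[str]]   # module -> secondary views that still see it
    consistent: set[str]          # modules present in the primary list and elsewhere


def cross_view(listed: dict[str, int], sysfs: set[str],
               kallsyms: dict[str, set[str]]) -> CrossView:
    seen: dict[str, set[str]] = {}
    for name in sysfs:
        seen.setdefault(name, set()).add("sysfs")
    for name in kallsyms:
        seen.setdefault(name, set()).add("kallsyms")
    hidden = {n: v for n, v in seen.items() if n not in listed}
    return CrossView(hidden=hidden, consistent=set(listed) & set(seen))


# --- constructed sample views (not captured from a real system) ---------------
SAMPLE_PROC_MODULES = """\
ext4 954368 2 - Live 0xffffffffc0400000
xfs 1687552 0 - Live 0xffffffffc0500000
nf_tables 311296 3 nft_compat,nft_counter, Live 0xffffffffc0600000
"""
SAMPLE_SYSFS = {"ext4", "xfs", "nf_tables", "hidden_mod"}  # dirs with initstate
SAMPLE_KALLSYMS = """\
ffffffffc0401000 t ext4_readdir\t[ext4]
ffffffffc0402000 T ext4_get_inode_loc\t[ext4]
ffffffffc0900000 t hooked_getdents64\t[hidden_mod]
ffffffffc0900200 d hide_list\t[hidden_mod]
0000000000000000 T vfs_read
"""


def detect_sample() -> CrossView:
    return cross_view(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS,
                      parse_kallsyms_modules(SAMPLE_KALLSYMS))


def detect_live() -> CrossView:
    """Same check against the running kernel (Linux only)."""
    with open("/proc/modules") as f:
        listed = parse_proc_modules(f.read())
    sysfs = {d for d in os.listdir("/sys/module")
             if os.path.exists(f"/sys/module/{d}/initstate")}
    with open("/proc/kallsyms") as f:
        ks = parse_kallsyms_modules(f.read())
    return cross_view(listed, sysfs, ks)


if __name__ == "__main__":
    print("sample:", detect_sample().hidden)
    if os.path.exists("/proc/modules") and os.path.isdir("/sys/module"):
        print("live:", detect_live().hidden)
```

The caveat is the one the paper's approach sidesteps: every view here is produced by the kernel, so a rootkit that also removes its kobject and scrubs kallsyms defeats the check, and a kernel built without `CONFIG_KALLSYMS` has no module tags at all. Scanning a memory snapshot for module structures, as the abstract describes, does not depend on any of these lists.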
I know where you have been last summer: Extracting privacy-sensitive information via forensic analysis of the Mercedes-Benz NTG5*2 infotainment system
Dario Stabili, Filip Valgimigli, Mirco Marchetti
Forensic Science International-Digital Investigation, vol. 53, Article 301909. Pub Date: 2025-06-01; Epub Date: 2025-03-14; DOI: 10.1016/j.fsidi.2025.301909
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: Modern vehicles are equipped with In-Vehicle Infotainment (IVI) systems that offer different functions, such as typical radio and multimedia services, navigation and internet browsing. To operate properly, IVI systems have to store locally different types of data, reflecting user preferences and behaviors. If stored and managed insecurely, these data might expose sensitive information and represent a privacy risk. In this paper we address this issue by presenting a methodology for the extraction of privacy-sensitive information from the popular NTG5 COMMAND IVI system (specifically, the NTG5*2 version by Harman), deployed in some Mercedes-Benz vehicles from 2013 to 2019. We show that it is possible to extract information related to geographic locations and various vehicle events (such as ignition and doors opening and closing) dating back to the previous 8 months, and that these data can be cross-referenced to precisely identify the activities and habits of the driver. Moreover, we develop a novel forensic tool to automate this task. Given the past usage of the NTG5 system, our work might have real life implications for the privacy of millions of drivers, owners and passengers. As a final contribution, we develop a novel technique for SQLite data carving specifically designed to identify deleted data. Comparison with existing state-of-the-art tools for SQLite3 data recovery demonstrates that our approach is more effective in recovering deleted traces than general purpose tools.
Citations: 0
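The SQLite carving the abstract mentions, illustrated with an added example that is not the authors' technique: a plain carver that walks every b-tree page of a database file and pulls printable strings out of the two places where a deleted cell's bytes survive when `secure_delete` is off, the unallocated gap between the cell-pointer array and the cell content area, and the freeblock chain. The `trips` table, its columns and the marker string are constructed for the demonstration.

```python
"""Carving deleted records out of SQLite free space (added example).

SQLite b-tree page header (after the 100-byte file header on page 1):
  byte 0   page type (0x02/0x05 interior, 0x0a/0x0d leaf)
  bytes 1-2 offset of first freeblock, 3-4 cell count, 5-6 cell content start
Deleting a row turns its cell into a freeblock (4-byte header: next, size) or,
if it sat at the content start, folds it into the unallocated area. With
secure_delete=OFF the old record bytes are left behind in both cases.
"""
from __future__ import annotations
import os
import re
import sqlite3
import struct
import tempfile
from typing import Iterator

MARKER = "DELETED-TRIP-MARKER-7f3a"          # constructed; only in the deleted row
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")   # ASCII runs of 8+ bytes
BTREE_HDR_LEN = {0x02: 12, 0x05: 12, 0x0a: 8, 0x0d: 8}  # page type -> header size


def page_size(db: bytes) -> int:
    """Page size from the file header (offset 16, big-endian; value 1 means 65536)."""
    ps = struct.unpack(">H", db[16:18])[0]
    return 65536 if ps == 1 else ps


def free_regions(db: bytes) -> Iterator[tuple[int, str, bytes]]:
    """Yield (page_no, kind, bytes) for unallocated space and freeblocks."""
    ps = page_size(db)
    for pno in range(1, len(db) // ps + 1):
        page = db[(pno - 1) * ps : pno * ps]
        hdr = 100 if pno == 1 else 0
        hdr_len = BTREE_HDR_LEN.get(page[hdr])
        if hdr_len is None:
            continue  # freelist trunk, overflow or lock-byte page: not parsed here
        first_free, ncells, content = struct.unpack(">HHH", page[hdr + 1 : hdr + 7])
        content = content or 65536
        ptr_end = hdr + hdr_len + 2 * ncells
        if content > ptr_end:
            yield pno, "unallocated", page[ptr_end:content]
        seen, off = set(), first_free
        while off and off not in seen and off + 4 <= ps:   # walk the freeblock chain
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off : off + 4])
            yield pno, "freeblock", page[off + 4 : off + size]
            off = nxt


def carve_strings(db: bytes) -> list[str]:
    return [m.decode("ascii")
            for _pno, _kind, blob in free_regions(db)
            for m in PRINTABLE.findall(blob)]


def build_sample_db(path: str) -> list[str]:
    """Constructed IVI-style table; returns the destinations still live after the delete."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")   # some builds default it ON, which zeroes remnants
    con.execute("CREATE TABLE trips(id INTEGER PRIMARY KEY, dest TEXT, lat REAL, lon REAL)")
    rows = [("Home-Garage-Entry-001", 48.1351, 11.5820),
            ("Office-Parking-Level-2", 48.1372, 11.5755),
            (MARKER, 47.9990, 11.3300),
            ("Airport-Terminal-1-Drop", 48.3538, 11.7861)]
    con.executemany("INSERT INTO trips(dest, lat, lon) VALUES (?, ?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM trips WHERE dest = ?", (MARKER,))
    con.commit()
    live = [r[0] for r in con.execute("SELECT dest FROM trips ORDER BY id")]
    con.close()
    return live


def demo() -> tuple[list[str], list[str]]:
    """(live destinations, strings carved from free space) for the sample DB."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ivi.db")
        live = build_sample_db(path)
        with open(path, "rb") as f:
            carved = carve_strings(f.read())
    return live, carved


if __name__ == "__main__":
    live, carved = demo()
    print("live:", live)
    print("carved:", [s for s in carved if MARKER in s])
```

The freeblock header overwrites the first four bytes of the deleted cell (payload length, rowid and the start of the record header), so what survives is the record body, which is why the carver works on raw strings rather than re-parsing cells. Whole pages released to the freelist, overflow pages, WAL frames and rollback journals are other places deleted data lingers and are outside this example; a database opened with `secure_delete=ON` leaves nothing to carve.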
Blind protocol identification using synthetic dataset: A case study on geographic protocols
Mohammad Abbasi-Azar, Mehdi Teimouri, Mohsen Nikray
Forensic Science International-Digital Investigation, vol. 53, Article 301911. Pub Date: 2025-06-01; Epub Date: 2025-03-13; DOI: 10.1016/j.fsidi.2025.301911
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: Network forensics faces major challenges, including increasingly sophisticated cyberattacks and the difficulty of obtaining labeled datasets for training AI-driven security tools. Blind Protocol Identification (BPI), essential for detecting covert data transfers, is particularly impacted by these data limitations. This paper introduces a novel and inherently scalable method for generating synthetic datasets tailored for BPI in network forensics. Our approach emphasizes feature engineering and a statistical-analytical model of feature distributions to address the scarcity and imbalance of labeled data. We demonstrate the effectiveness of this method through a case study on geographic protocols, where we train Random Forest models using only synthetic datasets and evaluate their performance on real-world traffic. This work presents a promising solution to the data challenges in BPI, enabling reliable protocol identification while maintaining data privacy and overcoming traditional data collection limitations.
Citations: 0
Data hiding in symbolic link slack space
Fergus Toolan, Georgina Humphries
Forensic Science International-Digital Investigation, vol. 53, Article 301919. Pub Date: 2025-06-01; Epub Date: 2025-05-13; DOI: 10.1016/j.fsidi.2025.301919
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: Recent research has begun to focus on data hiding in file systems; however, much of this is focused on individual file systems such as ext, NTFS and XFS. This paper examines an exploitation of symbolic link storage methods to manufacture slack space which can be used for hiding information in file systems. Many modern file systems, including ext, XFS, BtrFS, HFS+, APFS and NTFS, support symbolic links at the file system level. This paper investigates these structures in the various file systems and determines if the symbolic links can be used to create slack space, and if so determines their effectiveness in hiding data from users, system administrators and forensic analysts.
Citations: 0
Argus: A new approach for forensic analysis of apps on mobile devices
Abdul Boztas, Jeroen De Jong, Christos Hadjigeorghiou
Forensic Science International-Digital Investigation, vol. 53, Article 301938. Pub Date: 2025-06-01; Epub Date: 2025-05-27; DOI: 10.1016/j.fsidi.2025.301938
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: The availability of a multitude of apps on mobile devices offers many investigative opportunities due to the large amount of information on all kinds of activities stored by these apps. On the other hand, it also creates problems because it can be difficult to identify the location of relevant information and to properly interpret the great number of digital traces stored by apps. This is especially true for apps currently not supported by commercial forensic tools. This calls for the development of new tools that can quickly analyse specific applications and identify all files containing important information.
In this paper, we introduce the Argus tool for dynamically analysing apps on mobile devices. Argus monitors the file system on mobile devices to quickly identify which files have been modified, deleted, or created as a result of actions performed on the device, such as using an app. The Argus tool supports physical iOS and Android devices, as well as Android and iOS emulators.
The results of Argus experiments are stored locally on the computer conducting the experiment, but Argus also offers the option to publish and share these results in a forensic artifacts reference database called Aardwolf, accessible at https://www.aardwolfproject.eu.
Citations: 0
Navigating the digital frontier – Key themes in digital forensics
Zeno Geradts
Forensic Science International-Digital Investigation, vol. 53, Article 301940. Pub Date: 2025-06-01; Epub Date: 2025-05-30; DOI: 10.1016/j.fsidi.2025.301940
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: (none provided)
Citations: 0
Infotainment system Forensics: Ford SYNC 3 gen 2 infotainment system as a use case
Nils Antonson, Darren Quick, Kim-Kwang Raymond Choo
Forensic Science International-Digital Investigation, vol. 53, Article 301917. Pub Date: 2025-06-01; Epub Date: 2025-05-15; DOI: 10.1016/j.fsidi.2025.301917
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: The digital era is ushering in the next generation of motor vehicles supported by dozens of dispersed electronic control units (ECUs) communicating with each other over controller area networks (e.g., CAN bus). Each ECU is responsible for a specific set of functions. For example, built-in cellular modems, typically part of the telecommunication control unit (TCU), are used to call first responders when a crash is detected, but also surreptitiously send back vehicle telematics, and enable convenient features such as remote unlock/lock, remote start, and log the GPS position of the automobile into the cloud. Potentially, every input by the driver is logged and recorded within these ECUs. Indeed, modern automobiles are inadvertently equipped with proverbial black boxes. As a result, a new subdivision of digital forensics to extract and analyze this black box data is emerging. Smart vehicle forensics, also known as digital vehicle forensics (DVF), enables investigators to examine data produced by and stored inside automobiles. The infotainment system typically holds the most valuable data because it contains GPS tracklogs, artifacts left behind from paired mobile devices, and receives data from many other modules within the automobile. Therefore, DVF primarily focuses on the automobile's infotainment system, and specializes in extracting and analyzing stored electronic data. Law enforcement is increasingly becoming aware and making use of this new source of data. It is only a matter of time and budget before DVF investigations become routine and common practice.
Citations: 0
Formulating propositions in Trojan horse defense cases
M. Vink, R. Schramp, C.E.H. Berger, M.J. Sjerps
Forensic Science International-Digital Investigation, vol. 53, Article 301915. Pub Date: 2025-06-01; Epub Date: 2025-04-28; DOI: 10.1016/j.fsidi.2025.301915
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: This paper demonstrates how to formulate relevant sets of propositions in cases involving alleged possession of illegal content on electronic devices. The primary purpose of exploring how to formulate propositions is to enable a balanced and transparent evaluation of digital evidence, ideally using a likelihood ratio (LR). We present five categories explaining how illegal material can appear on electronic devices, including intentional and unintentional activities by suspects, other individuals, or automated processes (the "Trojan horse defense"). We review existing guidelines on formulating propositions developed for physical evidence and show how each explanation category can be properly formulated into propositions. Our findings indicate that the digital forensic domain can benefit from established principles for evaluating physical evidence. We also observe aspects that are more specific to digital forensic science where observations need to be evaluated in cases where intent is disputed, which can lead to propositions that address whether activities were carried out knowingly or unknowingly. By providing guidance on formulating relevant propositions, this research aims to contribute to the broader implementation of evaluative practices in digital forensic science.
Citations: 0
Corrigendum to "Adding transparency to uncertainty: An argument-based method for evaluative opinions" [FSIDI 48 (2023) 301657]
Nina Sunde, Virginia N.L. Franqueira
Forensic Science International-Digital Investigation, vol. 53, Article 301910. Pub Date: 2025-06-01; Epub Date: 2025-03-05; DOI: 10.1016/j.fsidi.2025.301910
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: (none provided)
Citations: 0
Towards reliable data in the scope of unmanned aircraft systems
Karolin Lohre, Harald Baier, Lukas Hardi, Andreas Attenberger
Forensic Science International-Digital Investigation, vol. 53, Article 301914. Pub Date: 2025-06-01; Epub Date: 2025-04-29; DOI: 10.1016/j.fsidi.2025.301914
IF 2.0; CAS partition: Zone 4 (Medicine)
Abstract: The goal of a digital forensic examination is to answer legal questions in the scope of IT systems. In order to come up with accurate answers, the data of the IT system at hand needs to be reliable. While the processing of digital traces of classical operating systems like Windows and its corresponding applications is well understood (especially with respect to the reliability of traces), emerging technologies often lack such an understanding of the trustworthiness of the examined data. In this work, we address the reliability of data in the scope of Unmanned Aircraft Systems (UAS). Although systems like UAS have become popular in various fields of application, digital forensic scientists and investigators currently lack an understanding of how to assess the correctness of UAS information, especially in the scope of Do-It-Yourself drone forensics. We shed light on common challenges when working with UAS data. Our main contribution is the introduction, explanation, and discussion of a conceptual framework to rate the reliability of UAS data. Our framework is based on three different categories representing three different levels of knowledge about the state of the UAS.
Citations: 0
Contact: info@booksci.cn. Book学术 provides a free academic resource search service for retrieving Chinese and English literature. Copyright © 2023 布克学术. All rights reserved.