{"title":"Structural analysis of the Windows NT heap for memory forensics","authors":"Daniel Uroz , Abraham Díaz-Campo Pinilla , Ricardo J. Rodríguez","doi":"10.1016/j.fsidi.2026.302060","DOIUrl":"10.1016/j.fsidi.2026.302060","url":null,"abstract":"Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302060"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554550","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A hybrid neural-symbolic approach for the longitudinal profiling of coercive control in digital investigations","authors":"Dhruv Patel, Soran Parsa, Anju P. Johnson","doi":"10.1016/j.fsidi.2026.302074","DOIUrl":"10.1016/j.fsidi.2026.302074","url":null,"abstract":"The exponential growth of text-based digital evidence, particularly in mobile chat logs, challenges current forensic workflows. This is especially acute in investigations of coercive control, where evidence manifests not as a single ‘smoking gun’ but as a cumulative behavioural profiling of psychological abuse often missed by standard keyword searches. To address this data-to-insight gap, we present the Digital Conversation Analysis Pipeline (DCAP), a proof-of-concept Human-in-the-Loop (HITL) framework designed for investigative triage. The pipeline parses heterogeneous text-based evidence and analyses it using a novel hybrid classification architecture. The system detects individual linguistic markers and aggregates them into a cumulative behavioural profile, combining the precision of rule-based forensic search with the contextual recall of a BERT-based model. Acknowledging the strict ethical and privacy constraints that limit access to real-world forensic datasets, the model was initialised on a synthetic dataset and validated using a ‘Hybrid Injection’ stress-test, embedding 200 confirmed real-world toxic samples into the forensic timeline. In comparative experiments, the hybrid model achieved a 0.85 macro F1-score, significantly outperforming standard forensic keyword search baselines. We demonstrate the pipeline’s engineering utility on a simulated 8451-message case file. By isolating the Person Under Investigation (PUI), the system generated an auditable, quantitative triage report that reduced the target’s review volume by 92.8%. While further validation on diverse real-world data is required, this work proposes a foundational ‘warm-start’ framework for AI-assisted lead generation, prioritising explainability and investigator oversight over autonomous decision-making.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302074"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395556","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Welcome to the 13th annual DFRWS Europe conference!","authors":"","doi":"10.1016/j.fsidi.2026.302065","DOIUrl":"10.1016/j.fsidi.2026.302065","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302065"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554576","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic activity classification using digital traces from iPhones: A machine learning-based approach","authors":"Conor McCarthy , Jan Peter van Zandwijk , Marcel Worring , Zeno Geradts","doi":"10.1016/j.fsidi.2026.302047","DOIUrl":"10.1016/j.fsidi.2026.302047","url":null,"abstract":"Smartphones and smartwatches are ever-present in daily life, and provide a rich source of information on their users' behaviour. In particular, digital traces derived from the phone's embedded movement sensors present an opportunity for a forensic investigator to gain insight into a person's physical activities. In this work, we present a machine learning-based approach to translate digital traces into likelihood ratios (LRs) for different types of physical activities. Evaluating on a new dataset, NFI_FARED, which contains digital traces from four different types of iPhones labelled with 19 activities, it was found that our approach could produce useful LR systems to distinguish 167 out of a possible 171 activity pairings. The same approach was extended to analyse likelihoods for multiple activities (or groups of activities) simultaneously and create activity timelines to aid in both the early and latter stages of forensic investigations. The dataset and all code required to replicate the results have also been made public⋆ to encourage further research on this topic. ⋆Dataset: https://huggingface.co/datasets/NetherlandsForensicInstitute/NFI_FARED_Digital_Traces, Code: https://github.com/Con-or-McCarthy/Data2Activity_1.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302047"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554586","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The implementation of digital forensic science in a Swiss police force","authors":"Elénore Ryser , Simon Baechler","doi":"10.1016/j.fsidi.2026.302069","DOIUrl":"10.1016/j.fsidi.2026.302069","url":null,"abstract":"To contribute to the understanding of the operationalisation of digital forensic science and the associated challenges, this study observes daily practices and interactions of a digital forensic unit. The observation was focused on four main questions: (1) What are the primary missions of a DFU? (2) What workflow procedures do DFUs use in performing their duties? (3) How useful are DFUs and digital traces at various stages of an investigation? (4) What obstacles do DFUs face in fulfilling their missions? This study draws on 160 hours of field observations conducted between January and March 2020 in a Swiss police force, the analysis of the unit internal casework database (2018-2019 past cases) and 6 semi-structured interviews with different stakeholders. The study is divided between an active participation in the digital forensic work (handling, analysing digital objects and reporting) and a passive participation in field work. Different uses and expectations of the digital forensic unit services depending on the investigation context were observed during the analysis of the field search notes, casework database and while conducting the interviews. The findings also allowed for the categorization and timelining of the types of activities conducted by a digital forensic unit.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302069"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395550","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Large language models in digital forensics: capabilities, challenges and future directions","authors":"Maxim Chernyshev, Zubair Baig, Naeem Syed, Robin Doss, Malcolm Shore","doi":"10.1016/j.fsidi.2025.302043","DOIUrl":"10.1016/j.fsidi.2025.302043","url":null,"abstract":"The rapid advancement of large language models (LLMs) has simultaneously created opportunities and challenges for digital forensic science. This survey systematically examines the emerging intersection between generative artificial intelligence and digital forensics through our analysis of 33 peer-reviewed works. We map LLM capabilities across the established Digital Forensic Research Workshop (DFRWS) process model, identifying three strategic integration points where these technologies demonstrate measurable benefits: pattern recognition during the examination phase, evidence analysis during the analysis phase, and evidence presentation and reporting during the presentation phase. Our findings show that LLMs achieve substantial performance improvements across diverse forensic tasks, but critical challenges persist, including the fundamental tension between the probabilistic nature of LLM outputs and deterministic forensic requirements, alongside concerns regarding explainability, reproducibility, and legal admissibility. We identify significant research gaps in validation frameworks, forensic-ready architectures, and standardised evaluation protocols. The survey establishes a comprehensive research agenda spanning technical, methodological, and legal domains, emphasising the necessity for interdisciplinary collaboration and human-AI collaborative approaches to preserve forensic integrity when leveraging LLM capabilities.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302043"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145926262","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"REPDF: Repairing corrupted PDF files through font mapping and object relationship reconstruction","authors":"Seungeun Park, Byeongchan Jeong, Jieon Kim, Jungheum Park","doi":"10.1016/j.fsidi.2026.302061","DOIUrl":"10.1016/j.fsidi.2026.302061","url":null,"abstract":"PDF is widely used as the standard for digital records across administrative, legal, academic, and business domains owing to its portability and structural consistency. As the volume of PDF documents continues to grow, they are increasingly collected as evidence in digital forensic investigations. However, the complex and hierarchical structure of the PDF file format poses significant challenges when repairing files that are corrupted. In this study, we propose a novel PDF repair framework that automatically reconstructs object relationships along with a pre-constructed font database, enabling effective repair even when embedded fonts or Unicode mappings are missing. To evaluate its performance, we generate a corpus of 1,000 PDF files covering ten real-world corruption scenarios, multiple languages, and different PDF creation methods. Experimental results show an average text recovery rate of 90.67%, along with successful image recovery, demonstrating superior performance compared to existing PDF repair tools.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302061"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554551","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FOREST: Inspecting and tracking RESTful APIs for constructing a cloud forensic knowledge base","authors":"Byeongchan Jeong, Jieon Kim, Sangjin Lee, Jungheum Park","doi":"10.1016/j.fsidi.2026.302070","DOIUrl":"10.1016/j.fsidi.2026.302070","url":null,"abstract":"Modern cloud-based services increasingly rely on RESTful APIs to manage user data. However, many of these APIs are undocumented and frequently change without notice, posing challenges to digital forensic investigations. First, undocumented APIs may expose forensic-relevant data while bypassing standard access logging. Second, frequent structural changes hinder reproducible and verifiable evidence acquisition. To address these challenges, we present FOREST, a framework for the automated discovery, analysis, and tracking of RESTful API behavior in real-world cloud environments. FOREST analyzes live API traffic generated through natural user interactions, identifies undocumented endpoints, extracts artifact-bearing responses, and generates OpenAPI Specifications. It also supports longitudinal schema comparison and parameter dependency analysis to ensure consistent data acquisition across service versions. We evaluate FOREST on Microsoft OneDrive, Microsoft Teams, and Mattermost. The results demonstrate its effectiveness in uncovering undocumented APIs, tracing structural API changes, and supporting reliable forensic analysis in dynamic cloud service environments.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302070"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395551","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Examining black-box forensic tools in digital vehicle forensics: Capabilities, limitations, and practical implications","authors":"Kevin Mayer","doi":"10.1016/j.fsidi.2026.302067","DOIUrl":"10.1016/j.fsidi.2026.302067","url":null,"abstract":"Proprietary “black-box” forensic tools such as Bosch Crash Data Retrieval (CDR) and Berla iVe are widely deployed in vehicle event data recorder (EDR) and infotainment system investigations. While they offer rapid acquisition, broad hardware coverage, and outputs tailored for legal contexts, their internal decoding logic is opaque and complex to validate independently. This paper presents two controlled demonstrations simulating typical extraction scenarios: (1) EDR field completeness and temporal alignment testing, and (2) infotainment data completeness and parsing accuracy across simulated tool variants. In Demonstration 1, black-box output exhibited quantization, timestamp offsets, and missing fields that could materially alter accident reconstruction. In Demonstration 2, simulated GPS track extractions demonstrated spatial downsampling, coordinate rounding, and timezone misinterpretation, each of which could undermine cross-source correlation. Benefits, challenges, and limitations of commercial automotive forensic tools are discussed, alongside recommendations for independent validation, open-source cross-checks, and forensic quality assurance standards. The results underscore the importance of transparent methodologies and reproducible testing in the use of proprietary automotive forensic solutions.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302067"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395557","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}