Forensic Science International-Digital Investigation最新文献_第2页

DFRWS EU 2026 Sweden

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/S2666-2817(25)00103-9

引用次数: 0

Forensic recovery via chip-transplantation in samsung smartphones 三星智能手机芯片移植法鉴定

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301926

Sunbum Song , Hongseok Yang , Eunji Lee , Sangeun Lee , Gibum Kim

{"title":"Forensic recovery via chip-transplantation in samsung smartphones","authors":"Sunbum Song , Hongseok Yang , Eunji Lee , Sangeun Lee , Gibum Kim","doi":"10.1016/j.fsidi.2025.301926","DOIUrl":"10.1016/j.fsidi.2025.301926","url":null,"abstract":"<div><div>The advancement of mobile forensic technology has induced the increase of anti-forensic activities such as smartphone destruction, while prompting major manufacturers to strengthen their data encryption policies at the same time. Such changes resulted in forensic analysts having to perform ‘Chip-transplantation’ when extracting data from damaged smartphones. Chip-transplantation is a method referring to transplanting data storage and decryption modules from the original damaged device to a compatible device of same model. However, chip-transplantation consists of procedures such as chip-off which are risky in terms of data integrity, and require comprehensive understanding of the target device's hardware for a successful recovery. This study explores the improvements to chip-transplantation techniques that are compatible with Samsung's premium smartphone's AP and eSE modules. Experimental results indicate that for a successful data acquisition via Chip-Transplantation on Samsung smartphones, transplantation of the eSE module along with the AP and flash memory is required irrespective of user password settings. As there is a lack of research on the physical structure and PCB placement of the eSE, this study provides eSE's terminal information, PCB placement, and jump points to bypass damage to PCB pin terminals. Lastly, for cases where damage to AP or eSE modules is suspected prior to or after transplantation, this study suggests two less invasive and cost-effective diagnostic methods – smartphone log analysis during the boot process and current consumption pattern analysis – that can be used along with conventional continuity testing, thermal imaging, and X-ray analysis. As the adoption of dedicated encryption modules in smartphones grows with privacy protection schemes, this study will contribute to advancing the chip-transplantation success rate against ever-evolving hardware landscape.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301926"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

25th DFRWS USA 2025

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301936

引用次数: 0

SoK: Timeline based event reconstruction for digital forensics: Terminology, methodology, and current challenges 基于时间线的数字取证事件重建：术语、方法和当前挑战

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301932

Frank Breitinger , Hudan Studiawan , Chris Hargreaves

{"title":"SoK: Timeline based event reconstruction for digital forensics: Terminology, methodology, and current challenges","authors":"Frank Breitinger , Hudan Studiawan , Chris Hargreaves","doi":"10.1016/j.fsidi.2025.301932","DOIUrl":"10.1016/j.fsidi.2025.301932","url":null,"abstract":"<div><div>Event reconstruction is a technique that examiners can use to attempt to infer past activities by analyzing digital artifacts. Despite its significance, the field suffers from fragmented research, with studies often focusing narrowly on aspects like timeline creation or tampering detection. This paper addresses the lack of a unified perspective by proposing a comprehensive framework for timeline-based event reconstruction, adapted from traditional forensic science models. We begin by harmonizing existing terminology and presenting a cohesive diagram that clarifies the relationships between key elements of the reconstruction process. Through a comprehensive literature survey, we classify and organize the main challenges, extending the discussion beyond common issues like data volume. Lastly, we highlight recent advancements and propose directions for future research, including specific research gaps. By providing a structured approach, key findings, and a clearer understanding of the underlying challenges, this work aims to strengthen the foundation of digital forensics.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301932"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144748995","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Memory Analysis of the Python Runtime Environment Python运行环境的内存分析

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301920

Hala Ali , Andrew Case , Irfan Ahmed

{"title":"Memory Analysis of the Python Runtime Environment","authors":"Hala Ali , Andrew Case , Irfan Ahmed","doi":"10.1016/j.fsidi.2025.301920","DOIUrl":"10.1016/j.fsidi.2025.301920","url":null,"abstract":"<div><div>Memory forensics has become a crucial component of digital investigations, particularly for detecting sophisticated malware that operates solely in system memory without leaving traces on the file system. Although memory forensics provides a complete view of the system state during acquisition, prior research efforts have primarily focused on analyzing kernel-level data structures for malware detection. With the propagation of kernel-level malware, operating system vendors implemented stringent kernel access restrictions, leading the malware authors to shift their focus to developing userland malware. This evolution in tactics necessitated a corresponding shift in forensic research toward analyzing userland runtime environments. While significant memory analysis capabilities have been developed for various runtime environments, including Android, Objective-C, and.NET, no effort has addressed the analysis of Python despite its growing popularity among legitimate software developers and malware authors. To address this critical gap, we present a comprehensive analysis of the Python runtime, encompassing its hierarchical memory management, garbage collection mechanism, and thread execution context management. We automated this analysis by developing a suite of new Volatility 3 plugins that provide detailed visibility into Python applications, including classes and their runtime instances, modules, functions, dynamically generated values, and execution traces across application threads. We evaluated our plugins against real-world malware samples, including cryptocurrency hijackers, ransomware variants, and remote access trojans (RATs). Results demonstrated 100% extraction accuracy of application objects within practical time constraints. The plugins recovered critical artifacts, including cryptocurrency wallet addresses, encryption keys, malicious functions, and execution paths. Through these new automated analysis capabilities, investigators of all levels of experience will be able to detect and analyze Python-based malware.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301920"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749084","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

An extensible and scalable system for hash lookup and approximate similarity search with similarity digest algorithms 一个可扩展和可扩展的系统，用于散列查找和使用相似摘要算法的近似相似搜索

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301930

Daniel Huici , Ricardo J. Rodríguez , Eduardo Mena

{"title":"An extensible and scalable system for hash lookup and approximate similarity search with similarity digest algorithms","authors":"Daniel Huici , Ricardo J. Rodríguez , Eduardo Mena","doi":"10.1016/j.fsidi.2025.301930","DOIUrl":"10.1016/j.fsidi.2025.301930","url":null,"abstract":"<div><div>Efficient management and analysis of large volumes of digital data has emerged as a major challenge in the field of digital forensics. To quickly identify and analyze relevant artifacts within large datasets, we introduce <span>APOTHEOSIS</span>, an approximate similarity search system designed for scalability and efficiency. Our system integrates approximate search techniques (which allow searching for a match on a close value) with Similarity Digest Algorithms (SDA; which capture common features between similar elements), using a space-saving radix tree and a graph-based hierarchical navigable small world structure to perform fast approximate nearest neighbor searches. We demonstrate the effectiveness and versatility of our system through two key case studies: first, in plagiarism detection, demonstrating the effectiveness of our system in identifying similar or duplicate documents within a large source code dataset; then, in memory artifact detection, showing its scalability and performance in processing large-scale forensic data collected from various versions of Microsoft Windows. Our comprehensive evaluation shows that <span>APOTHEOSIS</span> not only efficiently handles large datasets, but also provides a way to evaluate the performance of various SDA and their approximate similarity search in different forensic scenarios.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301930"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749093","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Out of Control: Igniting SCADA investigations with an HMI forensics framework and the ignition forensics artifact carving tool (IFACT) 失控：用HMI取证框架和点火取证工件雕刻工具（IFACT）点燃SCADA调查

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301933

LaSean Salmon , Ibrahim Baggili

{"title":"Out of Control: Igniting SCADA investigations with an HMI forensics framework and the ignition forensics artifact carving tool (IFACT)","authors":"LaSean Salmon , Ibrahim Baggili","doi":"10.1016/j.fsidi.2025.301933","DOIUrl":"10.1016/j.fsidi.2025.301933","url":null,"abstract":"<div><div>In the modern industrial landscape, Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems serve as critical components in the automation and control of various industrial processes. While their widespread availability and overall efficiency are crucial, the increasing integration of these systems with networked environments has exposed them to a growing array of cyber threats. Meanwhile, the rapid growth and deployment of SCADA systems worldwide pose increasing challenges to managing their security effectively. We explore the value of HMI-focused digital forensics within SCADA environments, emphasizing the unique challenges in their evaluation and the information contained in digital artifacts. We present a comprehensive forensic analysis of Ignition: a popular SCADA software platform developed by Inductive Automation. We also develop a generic forensic analysis framework that can be used when conducting a forensic investigation on an HMI environment. Our investigative process is supported with the creation of IFACT: an HMI Forensic Analysis Tool created to streamline the process of parsing system information presented in Ignition HMI-sourced forensic data. The data recovered from memory, network, and disk forensic investigations provides insight into the state of the SCADA system, including tag and PLC utilization and configurations. Using IFACT, we investigate how long this data persists in volatile memory and how its lifetime is variable.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301933"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144748996","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Bridging knowledge gaps in digital forensics using unsupervised explainable AI 使用无监督可解释的人工智能弥合数字取证方面的知识差距

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301924

Zainab Khalid , Farkhund Iqbal , Mohd Saqib

{"title":"Bridging knowledge gaps in digital forensics using unsupervised explainable AI","authors":"Zainab Khalid , Farkhund Iqbal , Mohd Saqib","doi":"10.1016/j.fsidi.2025.301924","DOIUrl":"10.1016/j.fsidi.2025.301924","url":null,"abstract":"<div><div>Artificial Intelligence (AI) has found multi-faceted applications in critical sectors including Digital Forensics (DF) which also require eXplainability (XAI) as a non-negotiable for its applicability, such as admissibility of expert evidence in the court of law. The state-of-the-art XAI workflows focus more on utilizing XAI tools for supervised learning. This is in contrast to the fact that unsupervised learning may be practically more relevant in DF and other sectors that largely produce complex and unlabeled data continuously, in considerable volumes. This research study explores the challenges and utility of unsupervised learning-based XAI for DF's complex datasets. A memory forensics-based case scenario is implemented to detect anomalies and cluster obfuscated malware using the Isolation Forest, Autoencoder, K-means, DBSCAN, and Gaussian Mixture Model (GMM) unsupervised algorithms on three categorical levels. The CIC MalMemAnalysis-2022 dataset's binary, and multivariate (4, 16) categories are used as a reference to perform clustering. The anomaly detection and clustering results are evaluated using accuracy, confusion matrices and Adjusted Rand Index (ARI) and explained through Shapley Additive Explanations (SHAP), using force, waterfall, scatter, summary, and bar plots' local and global explanations. We also explore how some SHAP explanations may be used for dimensionality reduction.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301924"},"PeriodicalIF":2.2,"publicationDate":"2025-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144749087","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

DFRWS APAC 2025 Seoul DFRWS APAC 2025首尔

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/S2666-2817(25)00100-3

引用次数: 0

If at first you don't succeed, trie, trie again: Correcting TLSH scalability claims for large-dataset malware forensics 如果一开始你没有成功，尝试，再尝试：纠正大数据集恶意软件取证的TLSH可伸缩性声明

IF 2.2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-07-01 DOI: 10.1016/j.fsidi.2025.301922

Jordi Gonzalez

引用次数: 0