{"title":"Enhancing abnormality identification: Robust out-of-distribution strategies for deepfake detection","authors":"Luca Maiano, Fabrizio Casadei, Irene Amerini","doi":"10.1016/j.fsidi.2026.302062","DOIUrl":"10.1016/j.fsidi.2026.302062","url":null,"abstract":"<div><div>Detecting deepfakes has become a critical challenge in Computer Vision and Artificial Intelligence. Despite significant progress in detection techniques, generalizing them to open-set scenarios continues to be a persistent difficulty. Neural networks are often trained on the closed-world assumption, but with new generative models constantly evolving, it is inevitable to encounter data generated by models that are not part of the training distribution. To address these challenges, in this paper, we propose two novel Out-Of-Distribution (OOD) detection approaches. The first approach is trained to reconstruct the input image, while the second incorporates an attention mechanism for detecting OODs. Our experiments validate the effectiveness of the proposed approaches compared to existing state-of-the-art techniques. Our method achieves promising results in deepfake detection and ranks among the top-performing configurations on the benchmark, demonstrating their potential for robust, adaptable solutions in dynamic, real-world applications.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302062"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554555","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The investigator's friend and foe: A forensic analysis of GrapheneOS","authors":"Katharina De Rentiis, Julian Geus, Felix Freiling","doi":"10.1016/j.fsidi.2026.302048","DOIUrl":"10.1016/j.fsidi.2026.302048","url":null,"abstract":"<div><div>Due to differing hardware and software security mechanisms, the forensic analysis of smartphones is strongly device-dependent. Given their prevalence in forensic investigations, the research community and tool manufacturers have focused primarily on devices with standard Operating Systems (OSs) from major manufacturers. Consequently, privacy advocates promote devices based on highly configurable OSs, such as the Android Open Source Project (AOSP), or custom ROMs like GrapheneOS, which prioritize privacy and security. These OSs benefit investigators in both private use and covert investigations. However, they present a significant challenge when used by the opposing side. To properly assess the situation, we conduct the first forensic analysis of GrapheneOS: We give an overview of AOSP and the custom ROM ecosystem. We also explain security and privacy features of GrapheneOS and how they compare to Android's. Finally, we perform a data acquisition analysis, including tool support for GrapheneOS, and a network traffic analysis. Our results demonstrate that GrapheneOS improves upon Android security, and that its privacy features considerably complicate the remote acquisition of user data.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302048"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554587","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AutoDFBench 1.0: A benchmarking framework for digital forensic tool testing and generated code evaluation","authors":"Akila Wickramasekara , Tharusha Mihiranga , Aruna Withanage , Buddhima Weerasinghe , Frank Breitinger , John Sheppard , Mark Scanlon","doi":"10.1016/j.fsidi.2026.302055","DOIUrl":"10.1016/j.fsidi.2026.302055","url":null,"abstract":"<div><div>The National Institute of Standards and Technology (NIST) Computer Forensic Tool Testing (CFTT) programme has become the <em>de facto</em> standard for providing digital forensic tool testing and validation. However, to date, no comprehensive framework exists to automate benchmarking across the diverse forensic tasks included in the programme. This gap results in inconsistent validation, challenges in comparing tools, and limited validation reproducibility. This paper introduces AutoDFBench 1.0, a modular benchmarking framework that supports the evaluation of both conventional DF tools and scripts, as well as AI-generated code and agentic approaches. The framework integrates five areas defined by the CFTT programme: string search, deleted file recovery, file carving, Windows registry recovery, and SQLite data recovery. AutoDFBench 1.0 includes ground truth data comprising 63 test cases and 10,968 unique test scenarios, and executes evaluations through a RESTful API that produces structured JSON outputs with standardised metrics, including precision, recall, and F1 score for each test case; the average of these F1 scores becomes the <em>AutoDFBench Score</em>. The benchmarking framework is validated against CFTT's datasets. The framework enables fair and reproducible comparison across tools and forensic scripts, establishing the first unified, automated, and extensible benchmarking framework for digital forensic tool testing and validation. AutoDFBench 1.0 supports tool vendors, researchers, practitioners, and standardisation bodies by facilitating transparent, reproducible, and comparable assessments of DF technologies.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302055"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554543","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Plug to place: Indoor multimedia geolocation from electrical sockets for digital investigation","authors":"Kanwal Aftab , Graham Adams , Mark Scanlon","doi":"10.1016/j.fsidi.2026.302056","DOIUrl":"10.1016/j.fsidi.2026.302056","url":null,"abstract":"<div><div>Computer vision is a rapidly evolving field, giving rise to powerful new tools and techniques in digital forensic investigation, and shows great promise for novel digital forensic applications. One such application, indoor multimedia geolocation, has the potential to become a crucial aid for law enforcement in the fight against human trafficking, child exploitation, and other serious crimes. While outdoor multimedia geolocation has been widely explored, its indoor counterpart remains underdeveloped due to challenges such as similar room layouts, frequent renovations, visual ambiguity, indoor lighting variability, unreliable GPS signals, and limited datasets in sensitive domains.</div><div>This paper introduces a pipeline that uses electrical sockets as consistent indoor markers for geolocation, since plug socket types are standardised by country or region. The three-stage deep learning pipeline detects plug sockets (YOLOv11, [email protected] = 0.843), classifies them into one of 12 plug socket types (Xception, accuracy = 0.912), and maps the detected socket types to countries (accuracy = 0.96 at >90 % threshold confidence). To address data scarcity, two dedicated datasets were created: a socket detection dataset of 2328 annotated images, expanded to 4074 through augmentation, and a classification dataset of 3187 images across 12 plug socket classes. The pipeline was evaluated on the Hotels-50K dataset, focusing on the TraffickCam subset of crowd-sourced hotel images, which capture real-world conditions such as poor lighting and amateur angles. This dataset provides a more realistic evaluation than using professional, well-lit, often wide-angle images from travel websites. This framework demonstrates a practical step toward real-world digital forensic applications. The code, trained models, and the data for this paper are available open source.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302056"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554545","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"LEMON: A universal eBPF-based volatile memory acquisition tool for modern android devices and hardened linux systems","authors":"Andrea Oliveri, Marco Cavenati, Stefano De Rosa, Sudharsun Lakshmi Narasimhan, Davide Balzarotti","doi":"10.1016/j.fsidi.2026.302045","DOIUrl":"10.1016/j.fsidi.2026.302045","url":null,"abstract":"<div><div>Acquiring volatile memory (RAM) from modern Linux and Generic Kernel Image (GKI) Android systems has become increasingly difficult due to recent hardening features such as Secure Boot, Kernel Lockdown, and strict module signing and loading policies. As a result, traditional open-source tools such as LiME and AVML are no longer viable, preventing the acquisition and analysis of complete physical memory dumps.</div><div>To address this limitation, we introduce LEMON, the first eBPF-based universal memory acquisition tool for both hardened Linux systems and modern GKI Android devices, extending the range of devices on which volatile memory acquisition is possible. LEMON <em>requires neither kernel source code, code signing, nor prior deployment</em>. It is compatible with <span>x86_64</span> and <span>ARM64</span> architectures and supports acquisition either to local storage or over the network in standard forensic file formats.</div><div>In this paper, we provide a detailed description of LEMON's implementation, compare it with state-of-the-art open-source acquisition tools, evaluate the byte-level atomicity of its dumps and its acquisition time against existing alternatives, and show the deployment and use of LEMON on two real GKI-equipped Android phones. Furthermore, to enable a complete memory forensics analysis chain on modern Android phones, we adapt a method for generating Volatility 3 profiles from BTF debug information emitted by the kernel at runtime. In a simulated scenario on a real phone, this enabled us to recover contact details from the volatile memory of a terminated password manager. The contact details were unavailable in persistent storage and entirely absent from the logs, contradicting the belief that disk forensics alone is sufficient to extract all relevant evidence from an Android device.</div><div>Finally, in the spirit of open science and to support the forensics community, we release LEMON as an open-source project.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302045"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554581","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Integrated validation framework for EDR data reliability: Application to Korean traffic accident cases","authors":"Youngsoo Choi , Jongjin Park , Seung-Hyun Kong","doi":"10.1016/j.fsidi.2026.302071","DOIUrl":"10.1016/j.fsidi.2026.302071","url":null,"abstract":"<div><div>The importance of digital evidence in traffic accident analysis is continuously increasing. Among them, Event Data Recorder (EDR) data is widely used as critical evidence in traffic accident investigations. However, in Korea, social questions about the reliability of the data itself continue to be raised due to the uncertainty of the recording time (Time Zero) of EDR data. In this study, we proposed a framework for the systematic validation of EDR data and developed a practical program. We cross-validated EDR data using various information from Dashboard Camera (DBC) installed in most vehicles in Korea. By applying the framework to traffic accidents that occurred in Korea, we compared the calculated Principal Direction of Force (PDOF) with actual vehicle damage patterns, verified engine status through audio signal analysis, and estimated Time Zero by extracting text from DBC and synchronizing temporal data. The proposed synchronization algorithm achieved average similarity scores of 0.978 for speed data and 0.83 for acceleration data across various collision scenarios. This framework objectively demonstrates the similarity between EDR and DBC data, improving the accuracy and reliability of traffic accident analysis. It is particularly valuable for controversial cases in Korea, such as suspected sudden unintended acceleration accidents.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302071"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395547","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Beyond the binary—navigating opaque systems and the privacy paradox","authors":"","doi":"10.1016/j.fsidi.2026.302075","DOIUrl":"10.1016/j.fsidi.2026.302075","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302075"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147395549","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Resilience of forensic evidence acquisition under database schema drift","authors":"Afiqah M. Azahari, Andrea Oliveri, Davide Balzarotti","doi":"10.1016/j.fsidi.2026.302059","DOIUrl":"10.1016/j.fsidi.2026.302059","url":null,"abstract":"<div><div>The reliability of mobile forensic analysis depends not only on the ability to extract application databases but also on the stability of the structures that organize user data. As Android applications evolve, their databases undergo continual schema modifications, which alter established acquisition workflows.</div><div>In this paper, we present the first longitudinal study of schema drift in Android mobile applications, examining 320 versions of 20 popular Android apps released between 2022 and 2025. By systematically extracting and analyzing their databases, we reveal how structural changes, ranging from incremental column additions to the removal of entire tables, shape the evidential landscape. We further assess the resilience of SQL-based forensic queries across versions, showing how even minor schema drift can invalidate extractions or may miss newly introduced artifacts. Our results demonstrate that communication and social media apps exhibit the most volatile schema evolution, while navigation, browser, and note-taking apps remain comparatively stable. These findings reveal a critical yet overlooked threat to evidential completeness, motivating the development of adaptive, drift-aware forensic tools that can anticipate and accommodate ongoing application evolution.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302059"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554552","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"VAAS: Vision-Attention Anomaly Scoring for image manipulation detection in digital forensics","authors":"Opeyemi Bamigbade , Mark Scanlon , John Sheppard","doi":"10.1016/j.fsidi.2026.302063","DOIUrl":"10.1016/j.fsidi.2026.302063","url":null,"abstract":"<div><div>Recent advances in AI-driven image generation have introduced new challenges for verifying the authenticity of digital evidence in forensic investigations. Modern generative models can produce visually consistent forgeries that evade traditional detectors based on pixel or compression artefacts. Most existing approaches also lack an explicit measure of anomaly intensity, which limits their ability to quantify the severity of manipulation. This paper introduces V<span>ision-</span>A<span>ttention</span> A<span>nomaly</span> S<span>coring</span> (VAAS), a novel dual-module framework that integrates global attention-based anomaly estimation using Vision Transformers (ViT) with patch-level self-consistency scoring derived from segmentation embeddings. The hybrid formulation provides a continuous and interpretable anomaly score that reflects both the location and degree of manipulation. Evaluations on the <em>DF2023</em> and <em>CASIA v2.0</em> datasets demonstrate that <span>vaas</span> achieves competitive F1 and IoU performance, while enhancing visual explainability through attention-guided anomaly maps. The framework bridges quantitative detection with human-understandable reasoning, supporting transparent and reliable image integrity assessment. The source code for all experiments and corresponding materials for reproducing the results are available open source.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"56 ","pages":"Article 302063"},"PeriodicalIF":2.2,"publicationDate":"2026-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147554553","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}