{"title":"Video capturing device identification through block-based PRNU matching","authors":"Jian Li, Fei Wang, Bin Ma, Chunpeng Wang, Xiaoming Wu","doi":"10.1016/j.fsidi.2025.301873","DOIUrl":"10.1016/j.fsidi.2025.301873","url":null,"abstract":"This paper addresses the performance of a PRNU-based (photo response non-uniformity) scheme to identify the capturing device of a video. A common concern is PRNU in each frame being misaligned due to the video stabilization process compensating for unintended camera movements. We first derive the expectation of a similarity measure between two PRNUs: a reference and a test. The statistical analysis of the similarity measure helps us to understand the effect of homogeneous or heterogeneous misalignment of PRNU on the performance of identification for video capturing devices. We notice that dividing a test PRNU into several blocks and then matching each block with a part of the reference PRNU can decrease the negative effect of video stabilization. Hence a block-based matching algorithm for identifying video capturing devices is designed to improve the identification efficiency, especially when only a limited number of test video frames is available. Extensive experimental results prove that the proposed block-based matching algorithm can outperform the prior arts under the same test conditions.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301873"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679883","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Unmixing the mix: Patterns and challenges in Bitcoin mixer investigations","authors":"Pascal Tippe, Christoph Deckers","doi":"10.1016/j.fsidi.2025.301876","DOIUrl":"10.1016/j.fsidi.2025.301876","url":null,"abstract":"This paper investigates the operational patterns and forensic traceability of Bitcoin mixing services, which pose significant challenges to anti-money laundering efforts. We analyze blockchain data using Neo4j to identify unique mixing patterns and potential deanonymization techniques. Our research includes a comprehensive survey of 20 currently available mixing services, examining their features such as input/output address policies, delay options, and security measures. We also analyze three legal cases from the U.S. involving Bitcoin mixers to understand investigative techniques used by law enforcement. We conduct two test transactions and use graph analysis to identify distinct transaction patterns associated with specific mixers, including peeling chains and multi-input transactions. We simulate scenarios where investigators have partial knowledge about transactions, demonstrating how this information can be leveraged to trace funds through mixers. Our findings reveal that while mixers significantly obfuscate transaction trails, certain patterns and behaviors can still be exploited for forensic analysis. We examine current investigative approaches for identifying users and operators of mixing services, primarily focusing on methods that associate addresses with entities and utilize off-chain attacks. Additionally, we discuss the limitations of our approach and propose potential improvements that can aid investigators in applying effective techniques. This research contributes to the growing field of cryptocurrency forensics by providing a comprehensive analysis of mixer operations and investigative techniques. Our insights can assist law enforcement agencies in developing more effective strategies to tackle the challenges posed by Bitcoin mixers in cybercrime investigations.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301876"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679889","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation","authors":"Johannes Olegård, Stefan Axelsson, Yuhong Li","doi":"10.1016/j.fsidi.2025.301877","DOIUrl":"10.1016/j.fsidi.2025.301877","url":null,"abstract":"It is generally agreed that logs are necessary for understanding cyberattacks post-incident. However, little is known about what specific information logs should contain to be forensically helpful. This uncertainty, combined with the fact that conventional logs are often not designed with security in mind, often results in logs with too much or too little information. Events in one log are also often challenging to correlate with events in other logs. Most previous research has focused on preserving, filtering, and interpreting logs, rather than addressing what should be logged in the first place. This paper explores logging sufficiency through the lens of Digital Forensic Readiness, and highlights the absence of causal information in conventional logs. To address this gap, we propose a novel logging system leveraging “gretel numbers” to track causal information—such as attacker movement—across multiple applications in a tamper-resistant manner. A prototype, implemented using the Extended Berkeley Packet Filter (EBPF) and an Nginx web server, shows that causality tracking imposes minimal resource overhead, though log size management remains critical for scalability.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301877"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679890","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tumbling down the stairs: Exploiting a tumbler’s attempt to hide with ordinary-looking transactions using wallet fingerprinting","authors":"Jan Zavřel, Michal Koutenský, Daniel Dolejška, Vladimír Veselý","doi":"10.1016/j.fsidi.2025.301869","DOIUrl":"10.1016/j.fsidi.2025.301869","url":null,"abstract":"The privacy of Bitcoin transactions is a subject of ongoing research from parties interested in enhancing their security, as well as those seeking to analyze the flow of funds happening in the network. Various techniques have been identified to de-obfuscate pseudonymity, e.g., heuristics to cluster addresses and transactions, automatic tracing of transaction chains based on usage patterns/features that may reveal common ownership. These techniques gave rise to services that attempt to make these techniques unreliable with specific forms of behavior. Examples of such behavior include using one-time addresses or transactions with multiple participants. Centralized services employing these behavior patterns, commonly known as tumblers or mixers, offer customers a way to obfuscate their financial flows. In turn, new approaches have been proposed in recent scientific literature to exploit the way the mixers operate in order to gain insight into the underlying financial flows. In this paper, we analyze some of these approaches and identify challenges in the context of their application to a particular modern mixing service – Anonymixer. Furthermore, based on this analysis, we propose a novel approach for the identification of addresses involved in mixing, with the capability to distinguish between depositing/withdrawing parties and mixer inner addresses. The approach utilizes wallet fingerprints, which we have extracted using statistical measurements of the mixer’s behavior. An internally developed tool implementing the proposed techniques automates the deobfuscation process and outputs individual money transfers.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301869"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679791","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ForensicLLM: A local large language model for digital forensics","authors":"Binaya Sharma, James Ghawaly, Kyle McCleary, Andrew M. Webb, Ibrahim Baggili","doi":"10.1016/j.fsidi.2025.301872","DOIUrl":"10.1016/j.fsidi.2025.301872","url":null,"abstract":"Large Language Models (LLMs) excel in diverse natural language tasks but often lack specialization for fields like digital forensics. Their reliance on cloud-based APIs or high-performance computers restricts use in resource-limited environments, and response hallucinations could compromise their applicability in forensic contexts. We introduce ForensicLLM, a 4-bit quantized LLaMA-3.1-8B model fine-tuned on Q&A samples extracted from digital forensic research articles and curated digital artifacts. Quantitative evaluation showed that ForensicLLM outperformed both the base LLaMA-3.1-8B model and the Retrieval Augmented Generation (RAG) model. ForensicLLM accurately attributes sources 86.6 % of the time, with 81.2 % of the responses including both authors and title. Additionally, a user survey conducted with digital forensics professionals confirmed significant improvements of ForensicLLM and the RAG model over the base model. ForensicLLM showed strength in “correctness” and “relevance” metrics, while the RAG model was appreciated for providing more detailed responses. These advancements mark ForensicLLM as a transformative tool in digital forensics, elevating model performance and source attribution in critical investigative contexts.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301872"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679882","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"More on digital evidence exceptionalism: Critique of the argument-based method for evaluative opinions","authors":"Alex Biedermann, Kyriakos N. Kotsoglou","doi":"10.1016/j.fsidi.2025.301885","DOIUrl":"10.1016/j.fsidi.2025.301885","url":null,"abstract":"This paper critically analyses and discusses the “Argument-Based Method for Evaluative Opinions” (ABMEO) recently proposed by Sunde and Franqueira in a paper published in Forensic Science International: Digital Investigation (Sunde and Franqueira, 2023). According to its developers, this novel method allows one to produce evaluative opinions in criminal proceedings by constructing arguments. The method is said to incorporate concepts from argumentation and probability theory, while ensuring adherence to accepted principles of evaluative reporting, in particular the ENFSI Guideline for Evaluative Reporting in Forensic Science. While this sounds promising, our analysis of the ABMEO, as well as Sunde and Franqueira's account of a number of evidence-related concepts such as probative value (and its assessment), credibility, relevance, normativity, and probability, among others, reveals a number of fundamental problems that are indicative of digital evidence exceptionalism; i.e. the idea that digital forensic science can somehow exempt itself from adhering to methodologically and scientifically rigorous evidence evaluation procedures. In this paper we explain why the ABMEO cannot and should not be considered as an appropriate complement, supplement or replacement for the existing reference framework for evaluative reporting in forensic science. In particular, we argue that the ABMEO is internally contradictory and tends to undermine the substantial progress made over the past two decades in the development and implementation of principles for the evaluative reporting of forensic science evidence.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301885"},"PeriodicalIF":2.0,"publicationDate":"2025-02-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143428108","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Smart City Infrastructure ontology for threats, cybercrime, and digital forensic investigation","authors":"Yee Ching Tok, Davis Yang Zheng, Sudipta Chattopadhyay","doi":"10.1016/j.fsidi.2025.301883","DOIUrl":"10.1016/j.fsidi.2025.301883","url":null,"abstract":"Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Due to burgeoning cybercrime on new technological frontiers, efforts have been made to assist digital forensic investigators (DFI) and law enforcement agencies (LEA) in their investigative efforts.\n\nForensic tool innovations and ontology developments, such as the Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE), have been proposed to assist DFI and LEA. Although these tools and ontologies are useful, they lack extensive information sharing and tool interoperability features, and the ontologies lack the latest Smart City Infrastructure (SCI) context that was proposed.\n\nTo mitigate the weaknesses in both solutions and to ensure a safer cyber-physical environment for all, we propose the Smart City Ontological Paradigm Expression (Scope), an expansion profile of the UCO and CASE ontology that implements SCI threat models, SCI digital forensic evidence, attack techniques, patterns and classifications from MITRE.\n\nWe showcase how Scope could present complex data such as SCI-specific threats, cybercrime, investigation data and incident handling workflows via an incident scenario modeled after publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. We also make Scope available to the community so that threats, digital evidence and cybercrime in emerging trends such as SCI can be identified, represented, and shared collaboratively.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301883"},"PeriodicalIF":2.0,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143347830","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Data hiding in the XFS file system","authors":"Fergus Toolan, Georgina Humphries","doi":"10.1016/j.fsidi.2025.301884","DOIUrl":"10.1016/j.fsidi.2025.301884","url":null,"abstract":"The ever-increasing volume of anti-forensic tools and the growth in data hiding at the file system level has led to research in data hiding techniques in recent years. These techniques have focused on common file systems such as NTFS and the ext family. Less common file systems can also be used as a means of hiding data. This paper examines data hiding in the XFS file system, the default file system on all Red Hat Enterprise Linux distributions. The paper introduces five methods of data hiding in XFS and evaluates these techniques using the metrics of capacity (the amount of data that can be hidden), detection difficulty (the effort required to detect hidden data), and stability (the likelihood that the hidden data will persist through file system usage).","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301884"},"PeriodicalIF":2.0,"publicationDate":"2025-02-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143310433","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploring the potential of large language models for improving digital forensic investigation efficiency","authors":"Akila Wickramasekara, Frank Breitinger, Mark Scanlon","doi":"10.1016/j.fsidi.2024.301859","DOIUrl":"10.1016/j.fsidi.2024.301859","url":null,"abstract":"The ever-increasing workload of digital forensic labs raises concerns about law enforcement's ability to conduct both cyber-related and non-cyber-related investigations promptly. Consequently, this article explores the potential and usefulness of integrating Large Language Models (LLMs) into digital forensic investigations to address challenges such as bias, explainability, censorship, resource-intensive infrastructure, and ethical and legal considerations. A comprehensive literature review is carried out, encompassing existing digital forensic models, tools, LLMs, deep learning techniques, and the use of LLMs in investigations. The review identifies current challenges within existing digital forensic processes and explores both the obstacles and the possibilities of incorporating LLMs. In conclusion, the study states that the adoption of LLMs in digital forensics, with appropriate constraints, has the potential to improve investigation efficiency, improve traceability, and alleviate the technical and judicial barriers faced by law enforcement entities.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301859"},"PeriodicalIF":2.0,"publicationDate":"2025-02-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143141118","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Optimising data set creation in the cybersecurity landscape with a special focus on digital forensics: Principles, characteristics, and use cases","authors":"Thomas Göbel, Frank Breitinger, Harald Baier","doi":"10.1016/j.fsidi.2025.301882","DOIUrl":"10.1016/j.fsidi.2025.301882","url":null,"abstract":"Data sets (samples) are important for research, training, and tool development. While the FAIR principles, data repositories and archives like Zenodo and NIST's Computer Forensic Reference Data Sets (CFReDS) enhance the accessibility and reusability of data sets, standardised practices for crafting and describing these data sets require further attention. This paper analyses the existing literature to identify the key data set (generation) characteristics, issues, desirable attributes, and use cases. Although our findings are generally applicable, i.e., to the cybersecurity domain, our special focus is on the digital forensics domain. We define principles and properties for cybersecurity-relevant data sets and their implications for the data creation process to maximise their quality, utility and applicability, taking into account specific data set use cases and data origin. We aim to guide data set creators in enhancing their data sets' value for the cybersecurity and digital forensics field.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301882"},"PeriodicalIF":2.0,"publicationDate":"2025-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143097417","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}