{"title":"Leveraging metadata in social media forensic investigations: Unravelling digital clues- A survey study","authors":"Akarshan Suryal","doi":"10.1016/j.fsidi.2024.301798","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301798","url":null,"abstract":"<div><p>Survey study explores the pivotal role of metadata in forensic investigations within the realm of social media. Investigating digital clues embedded in metadata unveils a wealth of information crucial for understanding the authenticity and origin of online content. This study delves into the technical intricacies of metadata extraction, shedding light on its potential in verifying the chronology, geolocation, and user interactions on social platforms. By leveraging metadata, forensic experts can unravel the intricate web of digital footprints, enhancing the accuracy and efficiency of social media investigations. The findings of this study contribute to the evolving landscape of digital forensic techniques, addressing contemporary challenges in online information scrutiny.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141594840","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Key extraction-based lawful access to encrypted data: Taxonomy and survey","authors":"Christian Lindenmeier, Andreas Hammer, Jan Gruber, Jonas Röckl, Felix Freiling","doi":"10.1016/j.fsidi.2024.301796","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301796","url":null,"abstract":"<div><p>The rise of end-to-end encryption has enabled end-users to protect their data to a point that classical techniques of lawful access (seizure of devices, wiretaps) are futile. While there is a heated discussion about regulating the access primitive to end-user devices for law enforcement, little attention is given to the technical design of <em>how</em> evidence should be collected. This is especially critical during remote surveillance, as law enforcement may have unrestricted access to end-user devices over longer periods of time. In this paper, we propose the novel category of <em>key extraction-based lawful interception</em> (KEX-LI), meaning that instead of directly accessing plaintext data, law enforcement only extracts the necessary key material from end-user devices, thus minimizing the requirements of data extraction on end-user devices. When subsequently collecting <em>encrypted</em> data (e.g., via wiretapping), law enforcement can use these keys for decryption. We structure and survey the state-of-the-art of key extraction techniques, thus embedding KEX-LI in the broader context of device forensics. Furthermore, we describe specific requirements for a practical solution to conduct KEX-LI and evaluate currently available technical implementations. Our results are intended to help practitioners select the most suitable techniques as well as to identify research gaps.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724001203/pdfft?md5=77c3dcb49bff2636a03dd9fc94b62337&pid=1-s2.0-S2666281724001203-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141543701","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Formal Concept Analysis approach to hierarchical description of malware threats","authors":"Manuel Ojeda-Hernández, Domingo López-Rodríguez, Ángel Mora","doi":"10.1016/j.fsidi.2024.301797","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301797","url":null,"abstract":"<div><p>The problem of intelligent malware detection has become increasingly relevant in the industry, as there has been an explosion in the diversity of threats and attacks that affect not only small users, but also large organisations and governments. One of the problems in this field is the lack of homogenisation or standardisation in the nomenclature used by different antivirus programs for different malware threats. The lack of a clear definition of what a category is and how it relates to individual threats makes it difficult to share data and extract common information from multiple antivirus programs. Therefore, efforts to create a common naming convention and hierarchy for malware are important to improve collaboration and information sharing in this field.</p><p>Our approach uses as a tool the methods of Formal Concept Analysis (FCA) to model and attempt to solve this problem. FCA is an algebraic framework able to discover useful knowledge in the form of a concept lattice and implications relating to the detection and diagnosis of suspicious files and threats. The knowledge extracted using this mathematical tool illustrates how formal methods can help prevent new threats and attacks. We will show the results of applying the proposed methodology to the identification of hierarchical relationships between malware.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724001215/pdfft?md5=697d14b6aecc4eca8d00c3562237fedd&pid=1-s2.0-S2666281724001215-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141543693","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"On enhancing memory forensics with FAME: Framework for advanced monitoring and execution","authors":"Taha Gharaibeh , Ibrahim Baggili , Anas Mahmoud","doi":"10.1016/j.fsidi.2024.301757","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301757","url":null,"abstract":"<div><p>Memory Forensics (MF) is an essential aspect of digital investigations, but practitioners often face time-consuming challenges when using popular tools like the Volatility Framework (VF). VF, a widely-adopted Python-based memory forensics tool, presents difficulties for practitioners due to its slow performance. Thus, in this study, we evaluated methods to accelerate VF without modifying its code by testing four alternative Python Just In Time (JIT) interpreters - CPython, Pyston, PyPy, and Pyjion - using CPython as our baseline. Tests were conducted on 14 memory samples, totaling 173 GB, using a search-intensive VF plugin for Windows hosts. Employing our custom Framework for Advanced Monitoring and Execution (FAME), we deployed interpreters in Docker containers and monitored their real-time performance. A statistically significant difference was observed between the Python JIT interpreters and the standard interpreter. With PyPy emerging as the best interpreter, yielding a 15–20 % performance increase compared to the standard interpreter. Implementing PyPy has the potential to save significant time (many hours) when processing substantial memory samples. FAME enhances the efficiency of deploying and monitoring robust forensic tool testing, fostering reproducible research and yielding reliable results in both MF and the broader field of digital forensics.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000763/pdfft?md5=1f7f0db390ef407e9290e4cf098b3028&pid=1-s2.0-S2666281724000763-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542373","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"volGPT: Evaluation on triaging ransomware process in memory forensics with Large Language Model","authors":"Dong Bin Oh , Donghyun Kim , Donghyun Kim , Huy Kang Kim","doi":"10.1016/j.fsidi.2024.301756","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301756","url":null,"abstract":"<div><p>In the face of the harm that ransomware can inflict upon users’ computers, the imperative to efficiently and accurately triage its processes within memory forensics becomes increasingly crucial. However, ransomware perpetrators employ sophisticated techniques, such as process masquerading, to evade detection and analysis. In response to these challenges, we propose a novel ransomware triage method leveraging a Large Language Model (LLM) in conjunction with the Volatility framework, the de-facto standard in memory forensics. We conducted experiments on memory dumps infected by five different ransomware families, utilizing LLM-based approaches. Through extensive experiments, our method named volGPT demonstrated high accuracy in identifying ransomware-related processes within memory dumps. Additionally, our approach exhibited greater efficiency and provided more comprehensive explanations during ransomware triage than other state-of-the-art methods.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000751/pdfft?md5=1146cd1fa02f1199396b49faab24db03&pid=1-s2.0-S2666281724000751-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542316","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A step in a new direction: NVIDIA GPU kernel driver memory forensics","authors":"Christopher J. Bowen , Andrew Case , Ibrahim Baggili , Golden G. Richard III","doi":"10.1016/j.fsidi.2024.301760","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301760","url":null,"abstract":"<div><p>In the ever-expanding landscape of computation, graphics processing units have become one of the most essential types of devices for personal and commercial needs. Nearly all modern computers have one or more dedicated GPUs due to advancements in artificial intelligence, high-performance computing, 3D graphics rendering, and the growing demand for enhanced gaming experiences. As the GPU industry continues to grow, forensic investigations will need to incorporate these devices, given that they have large amounts of VRAM, computing power, and are used to process highly sensitive data. Past research has also shown that malware can hide its payloads within these devices and out of the view of traditional memory forensics. While memory forensics research aims to address the critical threat of memory-only malware, no current work focuses on video memory malware and the malicious use of the GPU. Our work investigates the largest GPU manufacturer, NVIDIA, by examining the newly released open-source GPU kernel modules for the development of forensic tool creation. We extend our impact by creating symbol mappings between open and closed-source NVIDIA software that enables researchers to develop tools for both “flavors” of software. We specifically focus our research on artifacts found in RAM, providing the foundational methods to detect and map NVIDIA Object Compiler Structures for forensic investigations. As a part of our analysis and evaluation, we examined the similarities between open-and-closed kernel modules by collecting structure sizes and class IDs to understand the similarities and differences. A standalone tool, NVSYMMAP, and Volatility plugins were created with this foundation to automate this process and provide forensic investigators with knowledge involving processes that utilized the GPU.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000799/pdfft?md5=1b4ae87eaf8d79a9cfad984d68ffa72b&pid=1-s2.0-S2666281724000799-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542426","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"In the time loop: Data remanence in main memory of virtual machines","authors":"Ella Savchenko, Jenny Ottmann, Felix Freiling","doi":"10.1016/j.fsidi.2024.301758","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301758","url":null,"abstract":"<div><p>Data remanence in the physical memory of computers, i.e., the fact that data remains temporarily in memory even after power is cut, is a well-known issue which can be exploited for recovering cryptographic keys and other data in forensic investigations. Since virtual machines in many aspects mimic their physical counterparts, we investigate whether data remanence is also observable in virtual machines. Using KVM as an example of virtualization technology, we experimentally show that it is common for a substantial amount of volatile data to remain in the memory of virtual machines after a reboot. In digital forensic analysis scenarios such as malware analysis using virtual machines, our observations imply high risks of evidence contamination if no precautions are taken. So while the symptoms of data remanence in virtual machines are similar to physical machines, the implications for digital forensic analysis appear very different.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000775/pdfft?md5=3abed7c8dec7ac120f070d7062098baf&pid=1-s2.0-S2666281724000775-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542374","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"TLS key material identification and extraction in memory: Current state and future challenges","authors":"Daniel Baier , Alexander Basse , Jan-Niclas Hilgert , Martin Lambertz","doi":"10.1016/j.fsidi.2024.301766","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301766","url":null,"abstract":"<div><p>Memory forensics is a crucial part of digital forensics as it can be used to extract valuable information such as running processes, network connections, and encryption keys from memory. The last is especially important when considering the widely used Transport Layer Security (TLS) protocol used to secure internet communication, thus hampering network traffic analysis. Particularly in the context of cybercrime investigations (such as malware analysis), it is therefore paramount for investigators to decrypt TLS traffic. This can provide vital insights into the methods and strategies employed by attackers. For this purpose, it is first and foremost necessary to identify and extract the corresponding TLS key material in memory.</p><p>In this paper, we systematize and evaluate the current state of techniques, tools, and methodologies for identifying and extracting TLS key material in memory. We consider solutions from academia but also identify innovative and promising approaches used “in the wild” that are not considered by the academic literature. Furthermore, we identify the open research challenges and opportunities for future research in this domain. Our work provides a profound foundation for future research in this crucial area.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000854/pdfft?md5=a76adc8897d71246d0088ed7c98c0315&pid=1-s2.0-S2666281724000854-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542376","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Hit and run: Forensic vehicle event reconstruction through driver-based cloud data from Progressive's snapshot application","authors":"Abdur Rahman Onik , Trevor T. Spinosa , Abdulla M. Asad , Ibrahim Baggili","doi":"10.1016/j.fsidi.2024.301762","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301762","url":null,"abstract":"<div><p>Driving Insurance Applications (DIAs) have emerged as a valuable resource in the ever-evolving digital landscape. Automobile owners are storing extensive data on driving behaviors and patterns. This study pioneers the forensic analysis of Progressive's Snapshot application, focusing on the extraction and potential forensic use of data that remains inaccessible through the mobile application's interface. In our approach we focused on four research questions: <em>How accurate is location and speed data collected by Progressive Snapshot?</em>, <em>What forensically relevant data can we extract from the Progressive Cloud that is unavailable to the user from the mobile application interface?</em>, <em>Can we employ anti-forensics techniques, specifically fake location data, to create false trip details?</em>, <em>Can we reconstruct a hit-and-run scenario from trip event details?</em> To answer these questions, we developed PyShot, a Python-based open-source tool, to extract data from the Progressive cloud. Our tests confirmed Snapshot's accuracy in recording speed and location. Despite efforts to fake the Global Positioning System (GPS) location, the cloud still maintained accurate records. PyShot revealed more detailed driving data, like dangerous maneuvers and distracted driving, compared to the mobile application. This study also explores the forensic reconstruction of hit-and-run incidents, using a mannequin and focusing on Progressive's server data. Analyzing event categories, geographical coordinates, and timestamps provides insights into the capabilities and constraints of this application in forensic investigations. The findings offer valuable insights into the forensic capability of data retained by DIAs, contributing to their potential use in forensic investigations.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000817/pdfft?md5=035e3a4196f1a178b3238b8ac6ffe2b3&pid=1-s2.0-S2666281724000817-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542369","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}