Forensic Science International-Digital Investigation最新文献_第4页

A study on the evolution of kernel data types used in memory forensics and their dependency on compilation options 研究内存取证中使用的内核数据类型的演变及其对编译选项的依赖

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301863

Andrea Oliveri , Nikola Nemes , Branislav Andjelic , Davide Balzarotti

{"title":"A study on the evolution of kernel data types used in memory forensics and their dependency on compilation options","authors":"Andrea Oliveri , Nikola Nemes , Branislav Andjelic , Davide Balzarotti","doi":"10.1016/j.fsidi.2025.301863","DOIUrl":"10.1016/j.fsidi.2025.301863","url":null,"abstract":"<div><div>Over the years, memory forensics has emerged as a powerful analysis technique for uncovering security breaches that often evade detection. However, the differences in layouts used by the operating systems to organize data in memory can undermine its effectiveness. To overcome this problem, forensics tools rely on specialized “maps”, the profiles, that describe the location and layout of kernel data types in volatile memory for each different OS. To avoid compromising the entire forensics analysis, it is crucial to meticulously select the profile to use, which is also tailored to the specific version of the OS.</div><div>In this work, for the first time, we conduct a longitudinal measurement study on kernel data types evolution across multiple kernel releases and its impact on memory forensics profiles. We analyze 2298 Linux, macOS, and Windows Volatility 3 profiles from 2007 to 2024 to investigate patterns in data type changes across different OS releases, with a particular focus on types relevant to forensic analysis. This allowed the identification of fields commonly affected by modifications and, consequently, the Volatility plugins that are more vulnerable to these changes. In cases where an exact profile is unavailable, we propose guidelines for deciding on the most appropriate alternative profile to modify and use. Additionally, using a tool we developed, we analyze the source code of 77 Linux kernel versions to measure, for the first time, how the evolution of compile-time options influences kernel data types. Our findings show that even options unrelated to memory forensics can significantly alter data structure layouts and derived profiles, offering crucial insights for forensic analysts in navigating kernel configuration changes.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301863"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679786","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

DFRWS APAC 2025 Seoul DFRWS APAC 2025首尔

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/S2666-2817(25)00036-8

引用次数: 0

Beyond the dictionary attack: Enhancing password cracking efficiency through machine learning-induced mangling rules 超越字典攻击：通过机器学习诱导的篡改规则提高密码破解效率

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301865

Radek Hranický, Lucia Šírová, Viktor Rucký

{"title":"Beyond the dictionary attack: Enhancing password cracking efficiency through machine learning-induced mangling rules","authors":"Radek Hranický, Lucia Šírová, Viktor Rucký","doi":"10.1016/j.fsidi.2025.301865","DOIUrl":"10.1016/j.fsidi.2025.301865","url":null,"abstract":"<div><div>In the realm of digital forensics, password recovery is a critical task, with dictionary attacks representing one of the oldest yet most effective methods. To increase the attack power, developers of cracking tools have introduced password-mangling rules that apply modifications to the dictionary entries such as character swapping, substitution, or capitalization. Despite several attempts to automate rule creation that have been proposed over the years, creating a suitable ruleset is still a significant challenge. The current research lacks a deeper comparison and evaluation of the individual methods and their implications. We present RuleForge, a machine learning-based mangling-rule generator that leverages four clustering techniques and 19 commands with configurable priorities. Key innovations include an extended command set, advanced cluster representative selection, and various performance optimizations. We conduct extensive experiments on real-world datasets, evaluating clustering-based methods in terms of time, memory use, and hit ratios. Additionally, we compare RuleForge to existing rule-creation tools, password-cracking solutions, and popular existing rulesets. Our solution with an improved MDBSCAN clustering method achieves up to an 11.67%pt. Higher hit ratio than the original method and also outperformed the best yet-known state-of-the-art solutions for automated rule creation.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301865"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679782","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Video capturing device identification through block-based PRNU matching 基于分块PRNU匹配的视频采集设备识别

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301873

Jian Li , Fei Wang , Bin Ma , Chunpeng Wang , Xiaoming Wu

{"title":"Video capturing device identification through block-based PRNU matching","authors":"Jian Li , Fei Wang , Bin Ma , Chunpeng Wang , Xiaoming Wu","doi":"10.1016/j.fsidi.2025.301873","DOIUrl":"10.1016/j.fsidi.2025.301873","url":null,"abstract":"<div><div>This paper addresses the performance of a PRNU-based (photo response non-uniformity) scheme to identify the capturing device of a video. A common concern is PRNU in each frame being misaligned due to the video stabilization process compensating for unintended camera movements. We first derive the expectation of a similarity measure between two PRNUs: a reference and a test. The statistical analysis of the similarity measure helps us to understand the effect of homogeneous or heterogeneous misalignment of PRNU on the performance of identification for video capturing devices. We notice that dividing a test PRNU into several blocks and then matching each block with a part of the reference PRNU can decrease the negative effect of video stabilization. Hence a block-based matching algorithm for identifying video capturing devices is designed to improve the identification efficiency, especially when only a limited number of test video frames is available. Extensive experimental results prove that the proposed block-based matching algorithm can outperform the prior arts under the same test conditions.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301873"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679883","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Unmixing the mix: Patterns and challenges in Bitcoin mixer investigations 拆解混合：比特币混合调查中的模式和挑战

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301876

Pascal Tippe, Christoph Deckers

{"title":"Unmixing the mix: Patterns and challenges in Bitcoin mixer investigations","authors":"Pascal Tippe, Christoph Deckers","doi":"10.1016/j.fsidi.2025.301876","DOIUrl":"10.1016/j.fsidi.2025.301876","url":null,"abstract":"<div><div>This paper investigates the operational patterns and forensic traceability of Bitcoin mixing services, which pose significant challenges to anti-money laundering efforts. We analyze blockchain data using Neo4j to identify unique mixing patterns and potential deanonymization techniques. Our research includes a comprehensive survey of 20 currently available mixing services, examining their features such as input/output address policies, delay options, and security measures. We also analyze three legal cases from the U.S. involving Bitcoin mixers to understand investigative techniques used by law enforcement. We conduct two test transactions and use graph analysis to identify distinct transaction patterns associated with specific mixers, including peeling chains and multi-input transactions. We simulate scenarios where investigators have partial knowledge about transactions, demonstrating how this information can be leveraged to trace funds through mixers. Our findings reveal that while mixers significantly obfuscate transaction trails, certain patterns and behaviors can still be exploited for forensic analysis. We examine current investigative approaches for identifying users and operators of mixing services, primarily focusing on methods that associate addresses with entities and utilize off-chain attacks. Additionally, we discuss the limitations of our approach and propose potential improvements that can aid investigators in applying effective techniques. This research contributes to the growing field of cryptocurrency forensics by providing a comprehensive analysis of mixer operations and investigative techniques. Our insights can assist law enforcement agencies in developing more effective strategies to tackle the challenges posed by Bitcoin mixers in cybercrime investigations.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301876"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679889","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation 什么时候记录就足够了？-跟踪事件因果关系，以改进法医分析和相关性

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301877

Johannes Olegård, Stefan Axelsson, Yuhong Li

{"title":"When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation","authors":"Johannes Olegård, Stefan Axelsson, Yuhong Li","doi":"10.1016/j.fsidi.2025.301877","DOIUrl":"10.1016/j.fsidi.2025.301877","url":null,"abstract":"<div><div>It is generally agreed that logs are necessary for understanding cyberattacks post-incident. However, little is known about what specific information logs should contain to be forensically helpful. This uncertainty, combined with the fact that conventional logs are often not designed with security in mind, often results in logs with too much or too little information. Events in one log are also often challenging to correlate with events in other logs. Most previous research has focused on preserving, filtering, and interpreting logs, rather than addressing what should be logged in the first place. This paper explores logging sufficiency through the lens of Digital Forensic Readiness, and highlights the absence of <em>causal information</em> in conventional logs. To address this gap, we propose a novel logging system leveraging “gretel numbers” to track causal information—such as attacker movement—across multiple applications in a tamper-resistant manner. A prototype, implemented using the Extended Berkeley Packet Filter (EBPF) and an Nginx web server, shows that causality tracking imposes minimal resource overhead, though log size management remains critical for scalability.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301877"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679890","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

ForensicLLM: A local large language model for digital forensics ForensicLLM：用于数字取证的本地大型语言模型

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301872

Binaya Sharma , James Ghawaly , Kyle McCleary , Andrew M. Webb , Ibrahim Baggili

{"title":"ForensicLLM: A local large language model for digital forensics","authors":"Binaya Sharma , James Ghawaly , Kyle McCleary , Andrew M. Webb , Ibrahim Baggili","doi":"10.1016/j.fsidi.2025.301872","DOIUrl":"10.1016/j.fsidi.2025.301872","url":null,"abstract":"<div><div>Large Language Models (LLMs) excel in diverse natural language tasks but often lack specialization for fields like digital forensics. Their reliance on cloud-based APIs or high-performance computers restricts use in resource-limited environments, and response hallucinations could compromise their applicability in forensic contexts. We introduce ForensicLLM, a 4-bit quantized LLaMA-3.1–8B model fine-tuned on Q&A samples extracted from digital forensic research articles and curated digital artifacts. Quantitative evaluation showed that ForensicLLM outperformed both the base LLaMA-3.1–8B model and the Retrieval Augmented Generation (RAG) model. ForensicLLM accurately attributes sources 86.6 % of the time, with 81.2 % of the responses including both authors and title. Additionally, a user survey conducted with digital forensics professionals confirmed significant improvements of ForensicLLM and RAG model over the base model. ForensicLLM showed strength in <em>“correctness”</em> and <em>“relevance”</em> metrics, while the RAG model was appreciated for providing more detailed responses. These advancements mark ForensicLLM as a transformative tool in digital forensics, elevating model performance and source attribution in critical investigative contexts.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301872"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679882","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Tumbling down the stairs: Exploiting a tumbler’s attempt to hide with ordinary-looking transactions using wallet fingerprinting 从楼梯上摔下来：利用钱包指纹识别技术，利用一个不倒客试图隐藏普通交易的行为

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI: 10.1016/j.fsidi.2025.301869

Jan Zavřel, Michal Koutenský, Daniel Dolejška, Vladimír Veselý

{"title":"Tumbling down the stairs: Exploiting a tumbler’s attempt to hide with ordinary-looking transactions using wallet fingerprinting","authors":"Jan Zavřel, Michal Koutenský, Daniel Dolejška, Vladimír Veselý","doi":"10.1016/j.fsidi.2025.301869","DOIUrl":"10.1016/j.fsidi.2025.301869","url":null,"abstract":"<div><div>The privacy of Bitcoin transactions is a subject of ongoing research from parties interested in enhancing their security, as well as those seeking to analyze the flow of funds happening in the network. Various techniques have been identified to de-obfuscate pseudonymity, e.g., heuristics to cluster addresses and transactions, automatic tracing of transaction chains based on usage patterns/features that may reveal common ownership. These techniques gave rise to services that attempt to make these techniques unreliable with specific forms of behavior. Examples of such behavior include using one-time addresses or transactions with multiple participants. Centralized services employing these behavior patterns, commonly known as <em>tumblers</em> or <em>mixers</em>, offer customers a way to obfuscate their financial flows. In turn, new approaches have been proposed in recent scientific literature to exploit the way the mixers operate in order to gain insight into the underlying financial flows. In this paper, we analyze some of these approaches and identify challenges in the context of their application to a particular modern mixing service – Anonymixer. Furthermore, based on this analysis, we propose a novel approach for identification of addresses involved in mixing with capability to distinguish between depositing/withdrawing parties and mixer inner addresses. The approach utilizes wallet fingerprints, which we have extracted using statistical measurements of mixer’s behavior. An internally developed tool implementing the proposed techniques automates the deobfuscation process and outputs individual money transfers.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301869"},"PeriodicalIF":2.0,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143679791","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

More on digital evidence exceptionalism: Critique of the argument-based method for evaluative opinions 更多关于数字证据例外论：对基于论证的评估意见方法的批判

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-02-18 DOI: 10.1016/j.fsidi.2025.301885

Alex Biedermann , Kyriakos N. Kotsoglou

{"title":"More on digital evidence exceptionalism: Critique of the argument-based method for evaluative opinions","authors":"Alex Biedermann , Kyriakos N. Kotsoglou","doi":"10.1016/j.fsidi.2025.301885","DOIUrl":"10.1016/j.fsidi.2025.301885","url":null,"abstract":"<div><div>This paper critically analyses and discusses the “Argument-Based Method for Evaluative Opinions” (ABMEO) recently proposed by Sunde and Franqueira in a paper published in <em>Forensic Science International: Digital Investigation</em> (<span><span>Sunde and Franqueira, 2023</span></span>). According to its developers, this novel method allows one to produce evaluative opinions in criminal proceedings by constructing arguments. The method is said to incorporate concepts from argumentation and probability theory, while ensuring adherence to accepted principles of evaluative reporting, in particular the ENFSI Guideline for Evaluative Reporting in Forensic Science. While this sounds promising, our analysis of the ABMEO, as well as Sunde and Franqueira's account of a number of evidence-related concepts such as probative value (and its assessment), credibility, relevance, normativity, and probability, among others, reveals a number of fundamental problems that are indicative of <em>digital evidence exceptionalism</em>; i.e. the idea that digital forensic science can somehow exempt itself from adhering to methodologically and scientifically rigorous evidence evaluation procedures. In this paper we explain why the ABMEO cannot and should not be considered as an appropriate complement, supplement or replacement for the existing reference framework for evaluative reporting in forensic science. In particular, we argue that the ABMEO is internally contradictory and tends to undermine the substantial progress made over the past two decades in the development and implementation of principles for the evaluative reporting of forensic science evidence.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"53 ","pages":"Article 301885"},"PeriodicalIF":2.0,"publicationDate":"2025-02-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143428108","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A Smart City Infrastructure ontology for threats, cybercrime, and digital forensic investigation 针对威胁、网络犯罪和数字取证调查的智慧城市基础设施本体

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2025-02-07 DOI: 10.1016/j.fsidi.2025.301883

Yee Ching Tok, Davis Yang Zheng, Sudipta Chattopadhyay

{"title":"A Smart City Infrastructure ontology for threats, cybercrime, and digital forensic investigation","authors":"Yee Ching Tok, Davis Yang Zheng, Sudipta Chattopadhyay","doi":"10.1016/j.fsidi.2025.301883","DOIUrl":"10.1016/j.fsidi.2025.301883","url":null,"abstract":"<div><div>Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Due to burgeoning cybercrime on new technological frontiers, efforts have been made to assist digital forensic investigators (DFI) and law enforcement agencies (LEA) in their investigative efforts.</div><div>Forensic tool innovations and ontology developments, such as the Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE), have been proposed to assist DFI and LEA. Although these tools and ontologies are useful, they lack extensive information sharing and tool interoperability features, and the ontologies lack the latest Smart City Infrastructure (SCI) context that was proposed.</div><div>To mitigate the weaknesses in both solutions and to ensure a safer cyber-physical environment for all, we propose the Smart City Ontological Paradigm Expression (<span>Scope</span>), an expansion profile of the UCO and CASE ontology that implements SCI threat models, SCI digital forensic evidence, attack techniques, patterns and classifications from MITRE.</div><div>We showcase how <span>Scope</span> could present complex data such as SCI-specific threats, cybercrime, investigation data and incident handling workflows via an incident scenario modeled after publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. We also make <span>Scope</span> available to the community so that threats, digital evidence and cybercrime in emerging trends such as SCI can be identified, represented, and shared collaboratively.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301883"},"PeriodicalIF":2.0,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143347830","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0