{"title":"Decrypting IndexedDB in private mode of Gecko-based browsers","authors":"Dohun Kim, Sangjin Lee, Jungheum Park","doi":"10.1016/j.fsidi.2024.301763","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301763","url":null,"abstract":"Various technical and legal issues hinder direct investigation of cloud services, which facilitates an alternative approach of investigating services through the artifacts left by web browsers. Among diverse web browser artifacts, client-side storage such as IndexedDB has been a focus for retrieving contextual information about user behavior. However, analyzing such client-side storage has been difficult in private mode environments, as it was only kept in memory or not supported at all, depending on the browser. Since July 2023, Firefox has supported IndexedDB storage in private mode by storing encrypted files on disk during private sessions. Since then, Gecko-based browsers' efforts to support client-side storage through encrypted files on disk have continued, with Tor Browser also supporting IndexedDB in the same way since October 2023. Meanwhile, research on utilizing those encrypted files in investigations has not progressed much yet. This paper shows how to decrypt client-side storage generated in Gecko-based browsers' private mode by extracting cipher keys from memory. Experimental results indicate that when a private session is running, our proof-of-concept tool successfully decrypts all encrypted files. Additionally, there is a possibility of recovering data even in an inactive state by utilizing the hibernation file on disk.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000829/pdfft?md5=a48e7d9c315cf91c20d644754844ce83&pid=1-s2.0-S2666281724000829-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542370","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Compiler-provenance identification in obfuscated binaries using vision transformers","authors":"Wasif Khan , Saed Alrabaee , Mousa Al-kfairy , Jie Tang , Kim-Kwang Raymond Choo","doi":"10.1016/j.fsidi.2024.301764","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301764","url":null,"abstract":"Extracting compiler-provenance-related information (e.g., the source of a compiler, its version, its optimization settings, and compiler-related functions) is crucial for binary-analysis tasks such as function fingerprinting, detecting code clones, and determining authorship attribution. However, the presence of obfuscation techniques has complicated the efforts to automate such extraction. In this paper, we propose an efficient and resilient approach to provenance identification in obfuscated binaries using advanced pre-trained computer-vision models. To achieve this, we transform the program binaries into images and apply a two-layer approach for compiler and optimization prediction. Extensive results from experiments performed on a large-scale dataset show that the proposed method can achieve an accuracy of over 98% for both obfuscated and deobfuscated binaries.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000830/pdfft?md5=4be468a95e1def67152faeccf9135fb9&pid=1-s2.0-S2666281724000830-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542371","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Applying digital stratigraphy to the problem of recycled storage media","authors":"Janine Schneider , Maximilian Eichhorn , Lisa Marie Dreier , Christopher Hargreaves","doi":"10.1016/j.fsidi.2024.301761","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301761","url":null,"abstract":"Previous work has shown that second-hand or even new devices with recycled components can contain remnants of old data. Given a situation where incriminating evidence is found in non-allocated space of such a device, this presents an attribution problem. In archaeology or geology, stratigraphy studies the arrangement of strata, or layers, and is often used as a dating technique based on the premise that newer layers are situated above older layers. The digital stratigraphy technique applies the concept to digital forensics and considers how data is positioned and overlaid on disk to make inferences about when data was created. This research investigates the extent to which this technique could resolve the data provenance challenge associated with recycled digital storage media. This paper presents an automated file system activity simulation framework that allows creation, deletion and modification actions to be carried out at scale using specific file system drivers. Using this tool, a series of experiments is carried out to gain an understanding of file system driver behaviour and address the practical question of the provenance of data in non-allocated space.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000805/pdfft?md5=9ceba658f8535c2ef3a1c49811a879c1&pid=1-s2.0-S2666281724000805-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542427","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Beyond timestamps: Integrating implicit timing information into digital forensic timelines","authors":"Lisa Marie Dreier , Céline Vanini , Christopher J. Hargreaves , Frank Breitinger , Felix Freiling","doi":"10.1016/j.fsidi.2024.301755","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301755","url":null,"abstract":"Generating timelines, i.e., sorting events by their respective timestamps, is an essential technique commonly used in digital forensic investigations. But timestamps are not the only source of timing information. For example, sequence numbers embedded in databases or positional information, such as the line numbers in log files, often contain implicit information about the order of events without directly referencing a timestamp. We present a method that can integrate such timing information into digital forensic timelines by separating sources of timing information into distinct time domains, each with its own timeline, and then connecting these timelines based on relations observed within digital evidence. The classical “flat” timeline is thereby extended into a “rich” partial order, which we call <em>hyper timeline</em>. Our technique allows ordering of events without timestamps and opens a rich set of possibilities to identify and characterize timestamp inconsistencies, e.g., those that arise from timestamp tampering.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S266628172400074X/pdfft?md5=3d7ed88e17969c0ac894392935750eb9&pid=1-s2.0-S266628172400074X-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141540830","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
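The hyper timeline idea from the abstract above, worked through in code. This is an added example written for this listing, not code from the paper or its authors: the time domains (a SQLite rowid, log line numbers, the system clock), the event names and the evidence are constructed, and the cycle and cross-domain conflict checks are one straightforward way to realise the partial order, not the paper's own algorithm.

```python
"""Hyper timeline: a partial order over events drawn from several time domains at once.
Added example for this listing, not the paper's code; domains, ids and evidence are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import combinations


def ts(iso: str) -> float:
    """ISO-8601 string (taken as UTC) -> epoch seconds, so clock values sort numerically."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


@dataclass
class HyperTimeline:
    # event id -> {domain name -> position in that domain (timestamp, rowid, line number, ...)}
    events: dict = field(default_factory=dict)
    # explicit happened-before relations read off the evidence, as (earlier, later) pairs
    relations: set = field(default_factory=set)

    def add(self, event_id: str, **positions) -> None:
        self.events[event_id] = dict(positions)

    def relate(self, earlier: str, later: str) -> None:
        self.relations.add((earlier, later))

    def _edges(self) -> set:
        """Happened-before edges: every strictly ordered pair within a domain, plus explicit relations."""
        edges = set(self.relations)
        by_domain = defaultdict(list)
        for eid, positions in self.events.items():
            for domain, value in positions.items():
                by_domain[domain].append((value, eid))
        for chain in by_domain.values():
            for (va, a), (vb, b) in combinations(sorted(chain), 2):
                if va < vb:  # equal positions carry no order information
                    edges.add((a, b))
        return edges

    def _reach(self) -> dict:
        """Transitive closure: event id -> set of ids it transitively precedes."""
        succ = defaultdict(set)
        for a, b in self._edges():
            succ[a].add(b)
        reach = {}
        for start in self.events:
            seen, stack = set(), [start]
            while stack:
                for nxt in succ[stack.pop()]:
                    if nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
            reach[start] = seen
        return reach

    def before(self, a: str, b: str) -> bool:
        """True when a strictly precedes b; False when the pair is unordered or contradictory."""
        reach = self._reach()
        return b in reach[a] and a not in reach[b]

    def on_cycle(self) -> set:
        """Events whose combined timing information is self-contradictory (they precede themselves)."""
        return {eid for eid, r in self._reach().items() if eid in r}

    def conflicts(self) -> list:
        """Pairs whose order differs between two domains they share, e.g. rowid says a<b but clock says b<a."""
        found = []
        for a, b in combinations(sorted(self.events), 2):
            pa, pb = self.events[a], self.events[b]
            for d1, d2 in combinations([d for d in pa if d in pb], 2):
                sign1 = (pa[d1] > pb[d1]) - (pa[d1] < pb[d1])
                sign2 = (pa[d2] > pb[d2]) - (pa[d2] < pb[d2])
                if sign1 * sign2 < 0:
                    found.append((a, b, d1, d2))
        return found


def build_example() -> HyperTimeline:
    """Constructed evidence: three rows of a SQLite table (rowid plus a recorded timestamp)
    and a three-line application log whose second line carries no timestamp."""
    tl = HyperTimeline()
    tl.add("r1", rowid=1, clock=ts("2024-05-01T10:00:00"))
    tl.add("r2", rowid=2, clock=ts("2024-05-01T10:05:00"))
    tl.add("r3", rowid=3, clock=ts("2024-05-01T09:50:00"))  # inserted last, yet timestamped earliest
    tl.add("log1", line=1, clock=ts("2024-05-01T10:10:00"))
    tl.add("log2", line=2)                                   # ordered only by its line number
    tl.add("log3", line=3, clock=ts("2024-05-01T10:14:00"))
    tl.relate("r2", "log2")  # line 2 reports the write that produced row r2
    return tl


def most_suspect(tl: HyperTimeline) -> str:
    """The event in the most cross-domain conflicts is the first candidate for a tampered timestamp."""
    counts = Counter(eid for conflict in tl.conflicts() for eid in conflict[:2])
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    tl = build_example()
    print("r2 < log2 < log3:", tl.before("r2", "log2"), tl.before("log2", "log3"))
    print("contradictory events:", sorted(tl.on_cycle()))
    print("conflicts:", tl.conflicts(), "-> most suspect:", most_suspect(tl))
```

The untimestamped `log2` is placed after row `r2` and before `log3` purely through the line-number domain and one observed relation, which a flat timestamp-sorted timeline cannot do. The backdated row `r3` does not stand out in any single domain; it surfaces because the rowid order and the clock order disagree, and the three rows end up on a cycle in the partial order.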
{"title":"Was the clock correct? Exploring timestamp interpretation through time anchors for digital forensic event reconstruction","authors":"Céline Vanini , Christopher J. Hargreaves , Harm van Beek , Frank Breitinger","doi":"10.1016/j.fsidi.2024.301759","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301759","url":null,"abstract":"Timestamps and their correct interpretation play a crucial role in digital forensic investigations, particularly when the objective is to establish a timeline of events, a.k.a. event reconstruction. However, the way these timestamps are generated heavily depends on an internal clock, or ‘system time’, from which many are derived. Consequently, when this system time is skewed due to tampering, natural clock drift, or system malfunctions, recorded timestamps will not reflect the actual times the (real-world) events occurred. This raises the question of how to validate the correctness of the system clock when recording timestamps and, if found incorrect, how to determine system clock skew. To address this problem, this paper defines several important concepts such as <em>time anchors</em>, <em>anchoring events</em>, <em>non-anchoring events</em> and <em>time anomalies</em> which can be used to determine if the system time was correct. Using two examples - a Google search and a file creation - and comparing correct and skewed versions of the same set of performed actions, we illustrate the use and potential benefits of time anchors to demonstrate the correctness of the system clock for event reconstruction.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000787/pdfft?md5=d90b9d227754411bc7a8251bdcae6923&pid=1-s2.0-S2666281724000787-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542422","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
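The time-anchor reasoning from the abstract above, carried through on a constructed case. This is an added example for this listing, not the paper's code or data: the event names, the two anchor sources (the Date header of a search response and a mail server's Received header), the 30-second tolerance and the median-based skew estimate are assumptions chosen for illustration; the paper's definitions of anchoring and non-anchoring events and time anomalies are what the code tries to make concrete.

```python
"""Time anchors: decide whether a system clock was correct and estimate its skew.
Added example for this listing, not the paper's code; events, anchors and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import List, Optional, Tuple

NO_OFFSET = timedelta(0)
TWO_HOURS_BEHIND = timedelta(hours=-2)
TOLERANCE = timedelta(seconds=30)  # assumed: how far a skew may scatter before it counts as an anomaly


def ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass
class Event:
    name: str
    local: datetime                    # timestamp as recorded by the system under examination
    anchor: Optional[datetime] = None  # trusted external time for the same moment, if the evidence carries one

    @property
    def is_anchoring(self) -> bool:
        return self.anchor is not None

    def skew(self) -> timedelta:
        """Local clock minus reference clock; positive means the system clock ran ahead."""
        return self.local - self.anchor


def estimate_skew(events: List[Event], tolerance: timedelta = TOLERANCE) -> Tuple[timedelta, List[str]]:
    """Median skew over the anchoring events, plus the anchoring events whose own skew disagrees
    with it by more than `tolerance` (time anomalies: the clock was changed between the events,
    or the anchor was not actually simultaneous with the recorded action)."""
    anchors = [e for e in events if e.is_anchoring]
    if not anchors:
        raise ValueError("no anchoring events: clock correctness cannot be assessed")
    skew = timedelta(seconds=median(e.skew().total_seconds() for e in anchors))
    anomalies = [e.name for e in anchors if abs(e.skew() - skew) > tolerance]
    return skew, anomalies


def clock_was_correct(events: List[Event], tolerance: timedelta = TOLERANCE) -> bool:
    """Correct means: the agreed skew is within tolerance and no anchoring event contradicts it."""
    skew, anomalies = estimate_skew(events, tolerance)
    return abs(skew) <= tolerance and not anomalies


def corrected(event: Event, skew: timedelta) -> datetime:
    """Real-world time of a non-anchoring event, assuming the estimated skew applied when it was recorded."""
    return event.local - skew


def scenario(offset: timedelta) -> List[Event]:
    """Constructed evidence: the same actions recorded by a system whose clock was off by `offset`.
    Anchoring events pair the local timestamp with a reference captured from outside the system;
    the file creation has no anchor. The last event is recorded after the clock had been set
    right, so it is not shifted by `offset`."""
    return [
        Event("google_search", ts("2024-05-01T12:00:00") + offset, anchor=ts("2024-05-01T12:00:00")),
        Event("mail_received", ts("2024-05-01T12:20:10") + offset, anchor=ts("2024-05-01T12:20:13")),
        Event("file_created", ts("2024-05-01T12:25:00") + offset),
        Event("google_search_2", ts("2024-05-01T12:40:00") + offset, anchor=ts("2024-05-01T12:40:00")),
        Event("update_check", ts("2024-05-01T13:10:00"), anchor=ts("2024-05-01T13:10:05")),
    ]


if __name__ == "__main__":
    for label, offset in (("correct clock", NO_OFFSET), ("clock two hours behind", TWO_HOURS_BEHIND)):
        events = scenario(offset)
        skew, anomalies = estimate_skew(events)
        print(f"{label}: correct={clock_was_correct(events)} skew={skew} anomalies={anomalies}")
        print("  file_created really at", corrected(events[2], skew))
```

With the correct clock every anchoring event agrees to within a few seconds and the file creation can be taken at face value. With the clock two hours behind, the anchors agree on a skew of -2 h, the file creation is re-dated by that amount, and `update_check` is reported as a time anomaly because its skew disagrees with the others: the sign that the clock was changed partway through the period under examination.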
{"title":"Enhancing speaker identification in criminal investigations through clusterization and rank-based scoring","authors":"Antonio Artur Moura , Napoleão Nepomuceno , Vasco Furtado","doi":"10.1016/j.fsidi.2024.301765","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301765","url":null,"abstract":"This paper introduces an approach that supports speaker identification in criminal investigations, specifically addressing challenges associated with large volumes of audio recordings featuring unknown speaker identities. Our approach clusters related recordings – potentially from the same person – based on representative voice embeddings extracted using the ECAPA-TDNN speaker recognition model. Grouping audio recordings from the same person enhances variability and richness in voice patterns, thereby improving confidence in automatic speaker recognition. We propose a combination of cosine similarity and a rank-based adjustment function to determine matches of audio clusters with individuals in an enrollment database. Our approach was validated through experiments on a Common Voice-based synthesized dataset and a real-life application involving cell phones seized in prisons, which contained thousands of conversational audio recordings. Results demonstrated satisfactory performance and stability, consistently reducing the pool of candidate speakers for subsequent analysis by a human investigator.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000842/pdfft?md5=5c54ecf083c31c2d3dfc285faf7d7b1c&pid=1-s2.0-S2666281724000842-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141542372","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MARS: The first line of defense for IoT incident response","authors":"Karley M. Waguespack , Kaitlyn J. Smith , Olame A. Muliri , Ramyapandian Vijayakanthan , Aisha Ali-Gombe","doi":"10.1016/j.fsidi.2024.301754","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301754","url":null,"abstract":"The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled <em>MARS</em> (Memory Anomaly Recognition System). <em>MARS</em> is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of <em>MARS</em> leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, <em>MARS</em> is embedded within a Trusted Execution Environment, a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes <em>MARS</em> tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the <em>MARS</em> prototype on an STM32L562QEI6QU microcontroller showed that our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robust detection of memory changes.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000738/pdfft?md5=09a1fb9a920fb8dccb2a5090d50aa3bd&pid=1-s2.0-S2666281724000738-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141540829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}