Forensic Science International-Digital Investigation最新文献_第7页

Well Played, Suspect! – Forensic examination of the handheld gaming console “Steam Deck” 玩得好，嫌疑犯！- 对掌上游戏机 "Steam Deck "的法医鉴定

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-03-01 DOI: 10.1016/j.fsidi.2023.301688

Maximilian Eichhorn, Janine Schneider, Gaston Pugliese

{"title":"Well Played, Suspect! – Forensic examination of the handheld gaming console “Steam Deck”","authors":"Maximilian Eichhorn, Janine Schneider, Gaston Pugliese","doi":"10.1016/j.fsidi.2023.301688","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301688","url":null,"abstract":"<div><p>The video game industry has been experiencing consistent growth, accompanied by an increase in the number of players. After the remarkable success of the Nintendo Switch, it comes as no surprise that various other manufacturers have ventured into developing their own handheld gaming consoles. As a consequence, it is likely that these types of devices will be found more frequently in households in the near future and that they will start to play a more important role in forensic investigations. In light of this, we conducted a forensic examination of Valve's recent Steam Deck console to assist forensic investigators in retrieving and interpreting digital evidence obtained from such devices. The Steam Deck console runs on SteamOS and ships with a custom version of Valve's highly popular Steam gaming platform. Our examination encompasses exploring the console's architecture, the SteamOS operating system, and the pre-installed cross-platform Steam client. Using differential forensic analysis, we systematically identify forensically relevant artifacts on the handheld console and report on their locations and contents. Based on our findings, we developed Autopsy plugins for the automated extraction of forensic artifacts from images taken of Steam Deck devices.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S266628172300207X/pdfft?md5=4942e4f1f339b7f090d006e561f314ce&pid=1-s2.0-S266628172300207X-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

DFRWS EU 10-year review and future directions in Digital Forensic Research DFRWS 欧盟数字取证研究十年回顾与未来方向

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-03-01 DOI: 10.1016/j.fsidi.2023.301685

Frank Breitinger , Jan-Niclas Hilgert , Christopher Hargreaves , John Sheppard , Rebekah Overdorf , Mark Scanlon

引用次数: 0

Welcome to the 11th annual DFRWS Europe conference! 欢迎参加第 11 届 DFRWS 欧洲年会！

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-03-01 DOI: 10.1016/j.fsidi.2024.301694

引用次数: 0

Exploiting RPMB authentication in a closed source TEE implementation 在封闭源 TEE 实施中利用 RPMB 身份验证

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-03-01 DOI: 10.1016/j.fsidi.2023.301682

Aya Fukami , Richard Buurke , Zeno Geradts

{"title":"Exploiting RPMB authentication in a closed source TEE implementation","authors":"Aya Fukami , Richard Buurke , Zeno Geradts","doi":"10.1016/j.fsidi.2023.301682","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301682","url":null,"abstract":"<div><p>Embedded Multimedia Cards (eMMCs) provide a protected memory area called the Replay Protected Memory Block (RPMB). eMMCs are commonly used as storage media in modern smartphones. In order to protect these devices from unauthorized access, important data is stored in the RPMB area in an authenticated manner. Modification of the RPMB data requires a pre-shared authentication key. An unauthorized user cannot change the stored data.</p><p>On modern devices, this pre-shared key is generated and used exclusively within a Trusted Execution Environment (TEE) preventing attackers from access. In this paper, we investigate how the authentication key for RPMB is programmed on the eMMC. We found that this key can be extracted directly from the target memory chip. Once obtained, the authentication key can be used to manipulate stored data. In addition, poor implementation of certain security features, aimed at preventing replay attacks using RPMB on the host system can be broken by an attacker. We show how the authentication key can be extracted and how it can be used to break the anti-rollback protection to enable data restoration even after a data wipe operation has been completed.</p><p>Our findings show that non-secure RPMB implementations can enable forensic investigators to break security features implemented on modern smartphones.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002019/pdfft?md5=fb11101f9e02b7ee1646a53366d1bf42&pid=1-s2.0-S2666281723002019-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134362","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Hypervisor-based data synthesis: On its potential to tackle the curse of client-side agent remnants in forensic image generation 基于管理程序的数据合成：在法证图像生成中解决客户端代理残留问题的潜力

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-03-01 DOI: 10.1016/j.fsidi.2023.301690

Dennis Wolf , Thomas Göbel , Harald Baier

{"title":"Hypervisor-based data synthesis: On its potential to tackle the curse of client-side agent remnants in forensic image generation","authors":"Dennis Wolf , Thomas Göbel , Harald Baier","doi":"10.1016/j.fsidi.2023.301690","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301690","url":null,"abstract":"<div><p>In the field of digital forensics, the number and heterogeneity of devices typically involved in an investigation is increasing. In order to train digital forensics practitioners and make faster progress in the development and validation of forensic tools, the demand for up-to-date data sets is high. However, manually creating data sets is a complex, tedious, and time-consuming task increasing the need for automated solutions. Existing data generation frameworks typically use components that run directly on the simulated client (e.g., a client-side agent controlled via SSH). On the one hand, this facilitates simulation by providing direct feedback from the client and the ability to use client-side libraries to access software. On the other hand, however, this approach creates unintended traces in the generated data sets that quickly reveal their synthetic origin and affect their realism and thus their relevance. To avoid such traces, this paper presents a hypervisor-based solution to eliminate such a client-side software component in a recent digital forensic data set generator, while compensating for its absence only through host-side means. To demonstrate the practicability of the proposed approach as well as the indistinguishability of the generated traces, a multi-participant scenario is performed as a proof of concept to replicate a realistic attack scenario on a Linux system from a Kali attacker machine. During the evaluation, the generated data set is compared in terms of unintended traces and realism to a data set generated by the same framework using an agent component. In this way, we demonstrate the benefits and overall usefulness of an agent-less data synthesis approach.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002093/pdfft?md5=e999660e34e9dfdd4cd9e4ea9eab250e&pid=1-s2.0-S2666281723002093-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133963","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Problem solved: A reliable, deterministic method for JPEG fragmentation point detection 问题解决了：一种可靠的、确定性的 JPEG 碎片点检测方法

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-03-01 DOI: 10.1016/j.fsidi.2023.301687

Vincent van der Meer , Jeroen van den Bos , Hugo Jonker , Laurent Dassen

{"title":"Problem solved: A reliable, deterministic method for JPEG fragmentation point detection","authors":"Vincent van der Meer , Jeroen van den Bos , Hugo Jonker , Laurent Dassen","doi":"10.1016/j.fsidi.2023.301687","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301687","url":null,"abstract":"<div><p>Recovery of deleted JPEG files is severely hindered by fragmentation. Current state-of-the-art JPEG file recovery methods rely on content-based approaches. That is, they consider whether a sequence of bytes translates into a consistent picture based on its visual representation, treating fragmentation indirectly, with varying results. In contrast, in this paper, we focus on identifying fragmentation points on bit-level, that is, identifying whether a candidate next block of bytes is a valid extension of the current JPEG. Concretely, we extend, implement and exhaustively test a novel deterministic algorithm for finding fragmentation points in JPEGs. Even in the worst case scenario, our implementation finds over 99.4 % of fragmentation points within 4 kB – i.e., within the standard block size on NTFS and exFAT file systems. As such, we consider the problem of detecting JPEG fragmentation points solved.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002068/pdfft?md5=cd50e080cf971349294eddc303a4a864&pid=1-s2.0-S2666281723002068-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133978","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Sources of error in digital forensics 数字取证中的错误来源

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-02-09 DOI: 10.1016/j.fsidi.2024.301693

Graeme Horsman

{"title":"Sources of error in digital forensics","authors":"Graeme Horsman","doi":"10.1016/j.fsidi.2024.301693","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301693","url":null,"abstract":"<div><p>The occurrence of errors in forensic practice is inevitable, and whilst we may not feel comfortable with the idea, the truth of it must be acknowledged. At a time where forensic science is under intense scrutiny regarding the quality of its work, there has never been a greater need for it. In relation to the field of digital forensics (DF), the support it offers law enforcement is fundamental to many of its inquiries, and ensuring the reliability and accuracy of its services is vital. Errors in forensic practice can have far-reaching consequences for all those involved in an investigation, and practitioners and their organisations must take steps to identify, mitigate and manage them. This work focuses on the concept of error in relation to the field of DF. It first explores what an error is and the language used to describe one before mapping potential sources of error against the stages of the DF investigative process. This is done to assist those in the DF field to identify error sources, what they are and where they come from, and to facilitate the attribution of errors to a source, helping them to address them effectively.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-02-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000027/pdfft?md5=a69a4f57d3fba7816aa8f76efd5e88d0&pid=1-s2.0-S2666281724000027-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139714979","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Case of study for in situ memory reading on damaged MultiMedia Card 在损坏的多媒体卡上就地读取内存的研究案例

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-02-09 DOI: 10.1016/j.fsidi.2024.301698

F. Thomas-Brans , A. Fukami , Q. Clement , Th. Heckmann , D. Sauveron

{"title":"Case of study for in situ memory reading on damaged MultiMedia Card","authors":"F. Thomas-Brans , A. Fukami , Q. Clement , Th. Heckmann , D. Sauveron","doi":"10.1016/j.fsidi.2024.301698","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301698","url":null,"abstract":"<div><p>As the storage requirements of systems have increased, the evolution of data storage technologies has undergone a major shift. System manufacturers have recently switched from traditional flash technology to MultiMedia Cards (MMC), which are embedded memories with a dedicated controller. This technology allows for faster data transfer, greater reliability, and an increase in the storage capacity of a component as well as its lifespan. By design, the main weakness of these medium lies in the controller. If the controller fails to respond, the memory becomes unusable, which may negatively impact the user and the forensic expert who intends to retrieve essential data. The aim of the paper is to provide an overview of MMC technologies through their data transfer protocols. The main contribution is to share a diagnostic approach for extracting data from a flash chip controlled by a defective controller, based on the insights from a case study analysis. This work involves the study of the hardware conception of the MMC system as well as the reverse engineering and manipulations of the board with special equipment like X-Ray tomography, laser ablation, computer numerical control technology and logic analyzer.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-02-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000076/pdfft?md5=444191adee9cab582f0a8cb9307ef0d7&pid=1-s2.0-S2666281724000076-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139715045","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Advanced forensic method to authenticate audio files from Tizen-based Samsung Galaxy Watches 验证基于 Tizen 的三星 Galaxy 手表音频文件的先进取证方法

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-02-09 DOI: 10.1016/j.fsidi.2024.301697

Nam In Park , Ji Woo Lee , Seong Ho Lim , Oc-Yueb Jeon , Jin-Hwan Kim , Jun Seok Byun , Chanjun Chun , Jung-Hwan Lee

{"title":"Advanced forensic method to authenticate audio files from Tizen-based Samsung Galaxy Watches","authors":"Nam In Park , Ji Woo Lee , Seong Ho Lim , Oc-Yueb Jeon , Jin-Hwan Kim , Jun Seok Byun , Chanjun Chun , Jung-Hwan Lee","doi":"10.1016/j.fsidi.2024.301697","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301697","url":null,"abstract":"<div><p>In this study, we propose a forensic-forgery detecting approach for audio files, an extension of previous research on the Android-based Samsung Galaxy Watch4 series, captured by the Voice Recorder application on Samsung Galaxy smartwatches with the Tizen operating system (OS). We collected 200 audio files from five different Galaxy Watch models equipped with the Tizen OS and paired them with smartphones using Bluetooth. We analyzed the specific features of the audio files captured by smartwatches, such as audio latency, audio tailing, timestamps, and file structure, and examined the specific features between audio files captured in the smartwatches and those manipulated by the recording application installed by default in the paired smartphones. Furthermore, audio files from smartwatches can be analyzed using the Smart Development Bridge (SDB) tool and it compares the timestamps from smartwatch audio files with those in the file system. The experiments revealed that the audio latency/tailing, attributes, and file structure of audio files captured by smartwatches differed from those of smartphones with the Tizen OS. Additionally, by examining the audio latency/tailing and attributes of the file structure, we detected if the audio files were manipulated, and track and classify where the audio files were manipulated. Finally, the audio files captured in the Samsung Galaxy Watches with the Tizen OS can be authenticated forensically by comparing the timestamps of the audio files in the smartwatch file system and those stored in the audio files. We believe our findings may be useful for audio-related digital forensics.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-02-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000064/pdfft?md5=e1795316b3d740ff97ed68e1612ff0ed&pid=1-s2.0-S2666281724000064-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139715044","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A forensic analysis of AnyDesk Remote Access application by using various forensic tools and techniques 使用各种取证工具和技术对 AnyDesk 远程访问应用程序进行取证分析

IF 2 4区医学

Forensic Science International-Digital Investigation Pub Date : 2024-02-06 DOI: 10.1016/j.fsidi.2024.301695

Nishchal Soni , Manpreet Kaur , Vishwas Bhardwaj

{"title":"A forensic analysis of AnyDesk Remote Access application by using various forensic tools and techniques","authors":"Nishchal Soni , Manpreet Kaur , Vishwas Bhardwaj","doi":"10.1016/j.fsidi.2024.301695","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301695","url":null,"abstract":"<div><p>This study delves into a forensic analysis of the AnyDesk Remote Access application, focusing prominently on disk forensic acquisitions. We aim to assess the security and privacy features of AnyDesk, uncovering insights vital for forensic investigators and potential adversaries. The recovery of artifacts from Android Mobile and Window-based PC devices, employing acquisition techniques, plays a pivotal role in forensic analysis. The study underscores the significance of log files, housing crucial details like user IDs, dates, transfer times, and file movements. Manual scrutiny of the extracted data establishes user connections and reveals user-centric information, encompassing wallpapers, chat logs, AnyDesk-IDs, and transferred files. As the data lacks encryption, artifacts are easily comprehensible and interlinked. AnyDesk-related files, including session recordings, media files, and documents, undergo successful extraction via forensic methods. Root permissions on the Android phone emerge as a critical asset, facilitating the identification of more reliable and concealed data. In contrast, on the PC, all files related to AnyDesk were identified through a combination of automatic and manual examination. In essence, this study provides profound insights into AnyDesk's security and privacy features, underscored by the instrumental role of forensic acquisitions in pinpointing and extracting pertinent data.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-02-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000040/pdfft?md5=84d83a61a2c6868aec0b282dfcba3760&pid=1-s2.0-S2666281724000040-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139700335","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0