{"title":"Ensuring cross-device portability of electromagnetic side-channel analysis for digital forensics","authors":"Lojenaa Navanesan , Nhien-An Le-Khac , Mark Scanlon , Kasun De Zoysa , Asanka P. Sayakkara","doi":"10.1016/j.fsidi.2023.301684","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301684","url":null,"abstract":"<div><p>Investigation on smart devices has become an essential subdomain in digital forensics. The inherent diversity and complexity of smart devices pose a challenge to the extraction of evidence without physically tampering with it, which is often a strict requirement in law enforcement and legal proceedings. Recently, this has led to the application of non-intrusive Electromagnetic Side-Channel Analysis (EM-SCA) as an emerging approach to extract forensic insights from smart devices. EM-SCA for digital forensics is still in its infancy, and has only been tested on a small number of devices so far. Most importantly, the question still remains whether Machine Learning (ML) models in EM-SCA are portable across multiple devices to be useful in digital forensics, i.e., <em>cross-device portability</em>. This study experimentally explores this aspect of EM-SCA using a wide set of smart devices. The experiments using various iPhones and Nordic Semiconductor nRF52-DK devices indicate that the direct application of pre-trained ML models across multiple identical devices does not yield optimal outcomes (under 20 % accuracy in most cases). Subsequent experiments included collecting distinct samples of EM traces from all the devices to train new ML models with mixed device data; this also fell short of expectations (still below 20 % accuracy). This prompted the adoption of transfer learning techniques, which showed promise for cross-model implementations. In particular, for the iPhone 13 and nRF52-DK devices, applying transfer learning techniques resulted in achieving the highest accuracy, with accuracy scores of 98 % and 96 %, respectively. This result makes a significant advancement in the application of EM-SCA to digital forensics by enabling the use of pre-trained models across identical or similar devices.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002032/pdfft?md5=f602da7e26538dab7cb8dc04dbd22b4a&pid=1-s2.0-S2666281723002032-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133966","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ubi est indicium? On forensic analysis of the UBI file system","authors":"Matthias Deutschmann, Harald Baier","doi":"10.1016/j.fsidi.2023.301689","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301689","url":null,"abstract":"<div><p>Crimes involving Internet of Things (IoT) or embedded devices like drones are on the rise. A widespread class of file systems for storing data on embedded devices are flash file systems (FFS). FFS are optimized to manage conceptual limitations and characteristics of raw flash memory, i.e., memory that is not managed by an additional hardware controller that hides the characteristics of flash (called the Flash Translation Layer). Thus, FFS incorporate mechanisms and structures, which are not part of traditional block-based file systems like NTFS, APFS, or ExtX. Regarding analyses of FFS-based embedded devices, digital forensics tools handling FFS are needed. Unfortunately, currently available tools are not able to analyze FFS or raw flash images in general. In this paper, we provide a concept and an open-source implementation of a digital forensics tool bridging this gap for the widespread UBI File System. Our concept is inspired by the well-known Sleuth Kit and reflects the different abstraction layers of a digital forensics analysis (e.g., the storage device level, the volume level, the file system level). We provide an open-source tool of our concept, which we call UBI Forensic Toolkit (UBIFT). In contrast to previous work, UBIFT is able to parse file system structures like the directory tree or the UBIFS journal to recover deleted files including the respective metadata. We show the usefulness of UBIFT by a twofold evaluation: we first apply our tool to a publicly available Internet camera flash dump to perform a forensically sound analysis of the flash device. Our second evaluation comprises both a methodology for creating adaptable flash dumps in general and the comparison of our tool to competitors with similar functionality on the basis of self-generated flash dumps. Finally, we address the usability aspect of UBIFT by providing an Autopsy plugin of our tool.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002081/pdfft?md5=94fb7d24e3801fa777ccdbe6cc547b38&pid=1-s2.0-S2666281723002081-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133962","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Grand theft API: A forensic analysis of vehicle cloud data","authors":"Simon Ebbers , Stefan Gense , Mouad Bakkouch , Felix Freiling , Sebastian Schinzel","doi":"10.1016/j.fsidi.2023.301691","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301691","url":null,"abstract":"<div><p>Modern vehicles such as cars, trucks and motorcycles contain an increasing number of embedded computers that continuously exchange telemetry data like current mileage, tire pressure, expected range and geolocation to the manufacturer's cloud. Vehicle owners can access this data via Vehicle Assistant Apps (VAA). Naturally, this data is of increasing interest to law enforcement in criminal investigations. While manufacturers must comply with local laws requiring them to hand over the data of suspects upon the issuance of a warrant, this process can be time-consuming and cause an additional delay in a case. Making use of novel API-based access methods in cloud forensic investigations, we present a method to get permanent access to a vehicle's cloud data by directly accessing cloud servers given suspects' credentials. We analysed a set of 23 different VAAs and pointed out the potentially accessible data categories. With our proof of concept tool <span>gta.py</span> in combination with six provided vehicles from BMW, Dacia, Ford, Hyundai, Mercedes and Tesla, we verified the accessibility of the data categories. Our findings demonstrate that the API-based forensic acquisition and analysis of vehicle cloud data provides important insights to be considered in future digital forensic investigations of vehicles.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S266628172300210X/pdfft?md5=8e1636b6793dec184feeca7cf3b0ff1b&pid=1-s2.0-S266628172300210X-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133964","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An abstract model for digital forensic analysis tools - A foundation for systematic error mitigation analysis","authors":"Christopher Hargreaves , Alex Nelson , Eoghan Casey","doi":"10.1016/j.fsidi.2023.301679","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301679","url":null,"abstract":"<div><p>As automation within digital forensic tools becomes more advanced there is a need for a systematic approach to ensure the validity, reliability, and standardization of digital forensic results. This paper argues for intermediate output in a standardized format within digital forensic tools to allow a methodical approach to tool validation that targets errors at each stage of processing. To achieve this, a detailed process model of digital forensic analysis tools is created, extrapolating the details of the internal processes performed by monolithic forensic tools. The research deconstructs the process flow within tools and presents an ‘abstract digital forensic tool’, revisiting earlier abstraction layer ideas. This not only identifies the interconnected processes within tools but allows discussion of the potential error that could be introduced at each stage, and how it could potentially propagate within a tool. A demonstration, with a dataset, is also included, structurally annotated using Cyber-investigation Analysis Standard Expression (CASE).</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001981/pdfft?md5=525c9cdc52e8d92ec005cd51f4e65163&pid=1-s2.0-S2666281723001981-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133977","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The role of R&D in combating digital deception","authors":"","doi":"10.1016/j.fsidi.2024.301732","DOIUrl":"https://doi.org/10.1016/j.fsidi.2024.301732","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000489/pdfft?md5=d484925faa482caa4cb5d4eb7198123b&pid=1-s2.0-S2666281724000489-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140000309","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PHASER: Perceptual hashing algorithms evaluation and results - An open source forensic framework","authors":"Sean McKeown, Peter Aaby, Andreas Steyven","doi":"10.1016/j.fsidi.2023.301680","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301680","url":null,"abstract":"<div><p>The automated comparison of visual content is a contemporary solution to scale the detection of illegal media and extremist material, both for detection on individual devices and in the cloud. However, the problem is difficult, and perceptual similarity algorithms often have weaknesses and anomalous edge cases that may not be clearly documented. Additionally, it is a complex task to perform an evaluation of such tools in order to best utilise them. To address this, we present PHASER, a still-image perceptual hashing framework enabling forensics specialists and scientists to conduct experiments on bespoke datasets for their individual deployment scenarios. The framework utilises a modular approach, allowing users to specify and define a perceptual hash/image transform/distance metric triplet, which can be explored to better understand their behaviour and interactions. PHASER is open-source and we demonstrate its utility via case studies which briefly explore setting an appropriate dataset size and the potential to optimise the performance of existing algorithms by utilising learned weight vectors for comparing hashes.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001993/pdfft?md5=bf4f7f2cae2a9401e3c7e72438aaf79a&pid=1-s2.0-S2666281723001993-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134334","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic implications of stacked file systems","authors":"Jan-Niclas Hilgert, Martin Lambertz, Daniel Baier","doi":"10.1016/j.fsidi.2023.301678","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301678","url":null,"abstract":"<div><p>While file system analysis is a cornerstone of forensic investigations and has been extensively studied, certain file system classes have not yet been thoroughly examined from a forensic perspective. Stacked file systems, which use an underlying file system for data storage instead of a volume, are a prominent example. With the growth of cloud infrastructure and big data, it is increasingly likely that investigators will encounter distributed stacked file systems, such as MooseFS and the Hadoop File System, that employ this architecture. However, current standard models and tools for file system analysis fall short of addressing the complexities of stacked file systems. This paper highlights the forensic challenges and implications associated with stacked file systems, discussing their unique characteristics in the context of forensic analyses. We provide insights through three analyses of different stacked file systems, illustrating their operational details and emphasizing the necessity of understanding this file system category during forensic investigations. For this purpose, we present general considerations that must be made when dealing with the analysis of stacked file systems.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S266628172300197X/pdfft?md5=9c76c4773a2d4b6e6105a47e0cd439ce&pid=1-s2.0-S266628172300197X-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140133974","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"So fresh, so clean: Cloud forensic analysis of the Amazon iRobot Roomba vacuum","authors":"Abdur Rahman Onik , Ruba Alsmadi , Ibrahim Baggili , Andrew M. Webb","doi":"10.1016/j.fsidi.2023.301686","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301686","url":null,"abstract":"<div><p>The advent of the smart home has been made possible by Internet of Things (IoT) devices that continually collect and transmit private user data. In this paper, we explore how data from these devices can be accessed and applied for forensic investigations. Our research focuses on the iRobot Roomba autonomous vacuum cleaner. Through detailed analysis of Roomba's cloud infrastructure, we discovered undocumented Application Program Interfaces (APIs). Leveraging these APIs, we developed PyRoomba – an open-source Python application that acquires a Roomba's complete mission history and navigational data. From this information, PyRoomba generates detailed mission logs and maps of navigated spaces, informing the user about mission duration, detected objects, degree of coverage, and encrypted image captures. We compared the outcomes of PyRoomba with Roomba's mobile application across six navigation runs in two environments of different sizes. We found that PyRoomba provides more detailed environmental information. A simulated crime scene case study demonstrated PyRoomba's ability to detect environmental changes, such as bodies and knives, which were identified as hazards or obstacles. PyRoomba offers a more forensically sound approach to cloud acquisition compared to Roomba's standard mobile application, minimizing the risk of inadvertently triggering the device during a crime scene investigation.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723002056/pdfft?md5=1c89d48540f77b7767d9dc8b2df83b01&pid=1-s2.0-S2666281723002056-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140134307","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}