Forensic Science International-Digital Investigation: latest articles

Geotagging accuracy in smartphone photography
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-10-01 DOI: 10.1016/j.fsidi.2024.301813
Elénore Ryser, Hannes Spichiger, David-Olivier Jaquet-Chiffelle
Volume 50, Article 301813
Abstract: After a decade of technological advancements, digital forensic science is under increasing pressure to deliver investigative findings with a high degree of scientific rigor. The judicial community has voiced growing concerns regarding digital traces and their interpretation. This research focuses on assessing the significance of geolocation information embedded within the metadata of photographs captured using a mobile phone. In order to examine the variability in the accuracy of this geolocation metadata and identify potential external influences, images were taken at 29 different locations distributed along three distinct paths. The photographs were captured using two Samsung Galaxy S8 SM-G950F devices running on Android 8.0. Various configurations of GNSS and mobile network connections were tested, and their potential impact on the accuracy of geolocation metadata was investigated. The findings show the dependency of geolocation accuracy on the specific measurement location. This research ultimately highlights the imperative for evaluative approaches to take into account the specific characteristics of each point of interest, as opposed to leaning on broad statements about the reliability of geolocation processes in general.
Citations: 0
MIC: Memory analysis of IndexedDB data on Chromium-based applications
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-10-01 DOI: 10.1016/j.fsidi.2024.301809
Byeongchan Jeong, Sangjin Lee, Jungheum Park
Volume 50, Article 301809
Abstract: As Chromium-based applications continue to gain popularity, it is necessary for forensic investigators to obtain a comprehensive understanding of how they store and manage browsing artifacts from both filesystem and memory perspectives. In particular, the incognito mode developed in the current version of Chromium uses only physical memory to manage data related to active sessions. Therefore, handling physical memory is essential for tracking a user's browsing behaviour in incognito mode. This paper provides an in-depth examination of LevelDB, a lightweight key-value database utilized as Chromium's implementation for IndexedDB. In particular, we delve into the details of how IndexedDB data is managed through LevelDB, taking into account its low-level database file format. Furthermore, we thoroughly explore the possibility of residual data, both complete and incomplete, being retained as applications create and initialize IndexedDB-related data. Based on our research findings, we propose a systematic methodology for inspecting the internal structures of LevelDB-related C++ classes, carving these structures from binary streams, and interpreting the data for forensic analysis. In addition, we develop a proof-of-concept tool based on our approach and demonstrate its performance and effectiveness through case studies.
Citations: 0
Video source identification using machine learning: A case study of 16 instant messaging applications
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-10-01 DOI: 10.1016/j.fsidi.2024.301812
Hyomin Yang, Junho Kim, Jungheum Park
Volume 50, Article 301812
Abstract: In recent years, there has been a notable increase in the prevalence of cybercrimes related to video content, including the distribution of illegal videos and the sharing of copyrighted material. This has led to the growing importance of identifying the source of video files to trace the owner of the files involved in the incident or identify the distributor. Previous research has concentrated on revealing the device (brand and/or model) that “originally” created a video file. This has been achieved by analysing the pattern noise generated by the image sensor in the camera, the storage structural features of the file, and the metadata patterns. However, due to the widespread use of mobile environments, instant messaging applications (IMAs) such as Telegram and Wire have been utilized to share illegal videos, which can result in the loss of information from the original file due to re-encoding at the application level, depending on the transmission settings. Consequently, it is necessary to extend the scope of existing research to identify the various applications that are capable of re-encoding video files in transit. Furthermore, it is essential to determine whether there are features that can be leveraged to distinguish them from the source identification perspective. In this paper, we propose a machine learning-based methodology for classifying the source application by extracting various features stored in the storage format and internal metadata of video files. To conduct this study, we analyzed 16 IMAs that are widely used in mobile environments and generated a total of 1974 sample videos, taking into account both the transmission options and encoding settings offered by each IMA. The training and testing results on this dataset indicate that the ExtraTrees model achieved an identification accuracy of approximately 99.96 %. Furthermore, we developed a proof-of-concept tool based on the proposed method, which extracts the suggested features from videos and queries a pre-trained model. This tool is released as open-source software for the community.
Citations: 0
Welcome to the proceedings of the Fourth Annual DFRWS APAC Conference 2024!
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-10-01 DOI: 10.1016/j.fsidi.2024.301819
Raymond Chan
Volume 50, Article 301819
Citations: 0
Do You “Relay” Want to Give Me Away? – Forensic Cues of Smart Relays and Their IoT Companion Apps
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-10-01 DOI: 10.1016/j.fsidi.2024.301810
Maximilian Eichhorn, Gaston Pugliese
Volume 50, Article 301810
Abstract: As IoT devices become more prevalent in everyday environments, their relevance to digital investigations increases. The product class of “smart relays”, which are connected to the low-voltage grid and usually installed in sockets behind walls, has not yet received much attention in the context of smart home forensics. To close a category-specific gap in the device forensics literature, we conducted a multi-device analysis of 16 smart relays from 9 manufacturers, which support six different companion apps in total. Our examination shows that forensic artifacts can be found locally on the smart relays and in the companion app data, as well as remotely on cloud servers of the vendors. Based on our findings, we developed a Python framework to extract forensic artifacts automatically from obtained firmware dumps, from companion app data, and from captured network traffic.
Citations: 0
Forensically analyzing IoT smart camera using MAoIDFF-IoT framework
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-09-17 DOI: 10.1016/j.fsidi.2024.301829
Yaman Salem, Mohammad M.N. Hamarsheh
Volume 51, Article 301829
Abstract: IoT devices spread over a wide range of applications these days, and their vast amount of data generated becomes a target for intruders. IoT digital forensics, which involves extracting the digital evidence from the IoT device itself and/or its network traffic using a framework is important and challenging. The challenges include the diversity of types of IoT devices, resource constraints, and users’ privacy. In this article, we focus on network forensics investigations of smart camera traffic as a case study. The investigation process followed the MAoIDFF-IoT framework, a comprehensive and effective framework for IoT devices, and focusing on the locations of potential Artifacts of Interest (AoI). In addition, a few scenarios in using the camera are investigated to obtain a valuable artifact. The results show that it is possible to extract a few artifacts from the network captured traffic even though the traffic is encrypted. Moreover, this research offers guidelines for digital investigators to conduct network forensics on smart camera devices, with detailed results provided.
Citations: 0
Examining and detecting academic misconduct in written documents using revision save identifier numbers in MS Word as exemplified by multiple scenarios
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-09-10 DOI: 10.1016/j.fsidi.2024.301821
Dirk HR. Spennemann, Rudolf J. Spennemann, Clare L. Singh
Volume 51, Article 301821
Abstract: Deliberate academic misconduct by students often relies on the use of segments of externally authored text, generated either by commercial contract authoring services or by generative Artificial intelligence language models. While revision save identifier (rsid) numbers in Microsoft Word files are associated with edit and save actions of a document, MS Word does not adhere to the ECMA specifications for the Office Open XML. Existing literature shows that digital forensics using rsid requires access to multiple document versions or the user's machine. In cases of academic misconduct allegations usually only the submitted files are available for digital forensic examination, coupled with assertions by the alleged perpetrators about the document generation and editing process. This paper represents a detailed exploratory study that provides educators and digital forensic scientists with tools to examine a single document for the veracity of various commonly asserted scenarios of document generation and editing. It is based on a series of experiments that ascertained whether and how common edit and document generation actions such as copy, paste, insertion of blocks of texts from other documents, leave tell-tale traces in the rsid encoding that is embedded in all MS Word documents. While digital forensics can illuminate document generation processes, the actions that led to these may have innocuous explanations. In consequence, this paper also provides academic misconduct investigators with a set of prompts to guide the interview with alleged perpetrators to glean the information required for cross-correlation with observations based on the rsid data.
Citations: 0
Forensic analysis and data decryption of tencent meeting in windows environment
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-08-28 DOI: 10.1016/j.fsidi.2024.301818
Soojin Kang, Uk Hur, Giyoon Kim, Jongsung Kim
Volume 51, Article 301818
Abstract: Video conferencing applications have become ubiquitous in the post-COVID-19 era. Remote meetings, briefing sessions, and lectures are gradually becoming part of our culture. Thus, the amount of user data that video conferencing applications collect and manage has increased, and such data can be used as digital evidence. In this study, we analyzed Tencent Meeting, the most widely used video conferencing application in China, to identify the data stored on the user's disk by the application. Tencent Meeting stores user information and the chat history during a video conference on local storage. We found that Tencent Meeting suffers from a vulnerability in the process of encrypting and storing the user data, which can be exploited by anyone who can access and decrypt the user's data. We expect our findings to help digital forensics investigators conduct efficient investigations when applications are used for malicious purposes.
Citations: 0
Navigating the digital labyrinth: Forensics in the age of AI
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-08-28 DOI: 10.1016/j.fsidi.2024.301820
Volume 50, Article 301820
Citations: 0
SFormer: An end-to-end spatio-temporal transformer architecture for deepfake detection
IF 2, Zone 4, Medicine
Forensic Science International-Digital Investigation Pub Date : 2024-08-27 DOI: 10.1016/j.fsidi.2024.301817
Staffy Kingra, Naveen Aggarwal, Nirmal Kaur
Volume 51, Article 301817
Abstract: Growing AI advancements are continuously pacing GAN enhancement that eventually facilitates the generation of deepfake media. Manipulated media poses serious risks pertaining court proceedings, journalism, politics, and many more where digital media have a substantial impact on society. State-of-the-art techniques for deepfake detection rely on convolutional networks for spatial analysis, and recurrent networks for temporal analysis. Since transformers are capable of recognizing wide-range dependencies with a global spatial view and along temporal sequence too, a novel approach called “SFormer” is proposed in this paper, utilizing a transformer architecture for both spatial and temporal analysis to detect deepfakes. Further, state-of-the-art techniques suffer from high computational complexity and overfitting which causes loss in generalizability. The proposed model utilized a Swin Transformer for spatial analysis that resulted in low complexity, thereby enhancing its generalization ability and robustness against the different manipulation types. Proposed end-to-end transformer based model, SFormer, is proven to be effective for numerous deepfake datasets, including FF++, DFD, Celeb-DF, DFDC and Deeper-Forensics, and achieved an accuracy of 100%, 97.81%, 99.1%, 93.67% and 100% respectively. Moreover, SFormer has demonstrated superior performance compared to existing spatio-temporal and transformer-based approaches for deepfake detection.
Citations: 0