{"title":"Adding transparency to uncertainty: An argument-based method for evaluative opinions","authors":"Nina Sunde , Virginia N.L. Franqueira","doi":"10.1016/j.fsidi.2023.301657","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301657","url":null,"abstract":"Over the past 15 years, digital evidence has been identified as a leading cause, or contributing factor, in wrongful convictions in England and Wales. To prevent legal decision-makers from being misled about the relevance and credibility of digital evidence and to ensure a fair administration of justice, adopting a balanced, systematic and transparent approach to evaluating digital evidence and disseminating results is crucial. This paper draws on general concepts from argumentation theory, combined with key principles and concepts from probabilistic and narrative/scenario approaches to develop arguments and analyse evidence. We present the “Argument-Based Method for Evaluative Opinions”, which is a novel method for producing argument-based evaluative opinions in the context of criminal investigation. The method may be used stand-alone or in combination with other qualitative or quantitative/statistical methods to produce evaluative opinions, highlighting the logical relationships between the components making up the argument supporting a hypothesis. To facilitate a structured assessment of the credibility and relevance of the individual argument components, we introduce an Argument Evaluation Scale and, ultimately, an Argument Matrix for a holistic determination of the probative value of the evidence.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49874361","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic analysis of SQL server transaction log in unallocated area of file system","authors":"Hoyong Choi, Sangjin Lee","doi":"10.1016/j.fsidi.2023.301605","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301605","url":null,"abstract":"The importance of database forensics is increasing day by day as the use of databases to store sensitive corporate and personal data increases. Database forensics is a field of digital forensics that deals with database-related incidents such as data corruption, breaches, and leaks. One of the key functions of database forensics is information reconstruction, which is the tracing of actions from the time of an event to the present based on various information stored in the database. This feature allows investigators to identify unauthorized user actions and data deletion or manipulation when an incident occurs. Database log data is primarily used to reconstruct information. Database logs include transaction logs, error logs, event logs, and trace logs. Among them, we focus on the transaction log of Microsoft SQL Server (MSSQL), one of the most popular database management systems in the world. Raw-level studies have been conducted on the transaction logs of Oracle and MySQL, other databases used at the enterprise level. However, there is very little research on MSSQL transaction logs. For this reason, we analyze the internal structure of the MSSQL transaction log. Based on these findings, we present an empirical method to identify and extract transaction log records in the unallocated area.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889155","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Chracer: Memory analysis of Chromium-based browsers","authors":"Geunyeong Choi , Jewan Bang , Sangjin Lee , Jungheum Park","doi":"10.1016/j.fsidi.2023.301613","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301613","url":null,"abstract":"The web browsing activities of a user provide useful evidence for digital forensic investigations. However, existing analysis techniques that aim to analyze local artifacts (e.g., history and cache) cannot find useful data (e.g., visited URLs) if a user accesses the web using private or secret mode. Hence, string-searching and pattern-matching techniques have been proposed and used to examine user activities from a memory dump. These simple techniques are useful for identifying individual URLs visited in both normal and private modes. However, since a piece of individually detected data does not have context on how it is created, additional analysis efforts are required to properly interpret the meaning of the data. This paper proposes Chracer, a practical methodology for extracting forensically meaningful information from the virtual memory of a Chromium-based browser by systematically discovering objects of web browsing-related classes. Moreover, a proof-of-concept tool developed based on the proposed methodology demonstrates that users’ web browsing-related artifacts can be extracted effectively from the virtual memory of any Chromium-based browser, such as Google Chrome, Microsoft Edge and Brave.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889156","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ChatGPT for digital forensic investigation: The good, the bad, and the unknown","authors":"Mark Scanlon , Frank Breitinger , Christopher Hargreaves , Jan-Niclas Hilgert , John Sheppard","doi":"10.1016/j.fsidi.2023.301609","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301609","url":null,"abstract":"The disruptive application of ChatGPT (GPT-3.5, GPT-4) to a variety of domains has become a topic of much discussion in the scientific community and society at large. Large Language Models (LLMs), e.g., BERT, Bard, Generative Pre-trained Transformers (GPTs), LLaMA, etc., have the ability to take instructions, or prompts, from users and generate answers and solutions based on very large volumes of text-based training data. This paper assesses the impact and potential impact of ChatGPT on the field of digital forensics, specifically looking at its latest pre-trained LLM, GPT-4. A series of experiments are conducted to assess its capability across several digital forensic use cases including artefact understanding, evidence searching, code generation, anomaly detection, incident response, and education. Across these topics, its strengths and risks are outlined and a number of general conclusions are drawn. Overall, this paper concludes that while there are some potential low-risk applications of ChatGPT within digital forensics, many are either unsuitable at present, since the evidence would need to be uploaded to the service, or they require sufficient knowledge of the topic being asked of the tool to identify incorrect assumptions, inaccuracies, and mistakes. However, to an appropriately knowledgeable user, it could act as a useful supporting tool in some circumstances.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889161","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Digital forensic approaches for metaverse ecosystems","authors":"Donghyun Kim , Subin Oh , Taeshik Shon","doi":"10.1016/j.fsidi.2023.301608","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301608","url":null,"abstract":"The accelerating pace of digital transformation has given rise to metaverses in which people can participate freely in contactless environments. More than just game content, metaverses are driving everyday innovation across industries. However, threats are also prevalent, with crimes such as child sexual exploitation and privacy violations occurring in metaverses that mimic reality, making digital forensics for metaverse threats essential. Nevertheless, technical standards for different types of metaverses have yet to be defined, making investigation difficult. Furthermore, even though metaverses are complex forms that combine multiple hardware devices and software applications, existing studies have either focused on a single component or not analyzed the real-world environment. In this study, we derived a metaverse ecosystem with common components that comprise a metaverse and analyzed the hardware and software used throughout the user's metaverse lifecycle from a digital forensics perspective. In particular, we applied a real-case-based scenario to the metaverse environment of Meta, the most popular currently in use, to identify various artifacts that can be used across the ecosystem and validate the effectiveness of the process. We also developed a metaverse digital forensics tool for the first time in the current situation where open-source and commercial tools do not support metaverse investigations.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889162","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Analyzing the peeling chain patterns on the Bitcoin blockchain","authors":"Yanan Gong, Kam Pui Chow, Siu Ming Yiu, Hing Fung Ting","doi":"10.1016/j.fsidi.2023.301614","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301614","url":null,"abstract":"Bitcoin is a widely used decentralized cryptocurrency. The proportion of Bitcoin transactions used for illegal activities is increasing. Mixing services are commonly applied to enhance anonymity and make transaction records more challenging to follow and analyze. The current research on peeling chains is generally based on heuristic algorithms to identify change addresses. However, due to the characteristics and limitations of the Bitcoin blockchain, there is no such ground truth to ensure the accuracy of each derived change address. This research analyzes the peeling chain patterns based on self-change addresses. The use of self-change addresses implies that the input address and the address used for receiving the change are controlled by the same entity. Also, each chain's transaction details and generated chain parameters are further verified for more precise results. Combining the two methods ensures the accuracy of the extracted peeling chains to some extent. The corresponding behavior pattern of the extracted chains is also studied.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889165","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Welcome to the proceedings of the Third Annual DFRWS APAC Conference 2023","authors":"","doi":"10.1016/j.fsidi.2023.301627","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301627","url":null,"abstract":"","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889152","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Busting up Monopoly: Methods for modern darknet marketplace forensics","authors":"Daniel Dolejška, Michal Koutenský, Vladimír Veselý, Jan Pluskal","doi":"10.1016/j.fsidi.2023.301604","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301604","url":null,"abstract":"Darknet marketplaces represent the most delinquent evolution step in distributing illicit goods such as drugs, steroids, firearms, warez, or leaked personal information. On the one hand, law enforcement agencies try to catch vendors, buyers, and operators of darknet marketplaces. On the other hand, the criminals mentioned above constantly stretch the limits of overlay networks, applied cryptography, and cryptocurrency pseudonymity. This paper intends to provide relevant and up-to-date (for the year 2022) information about potential ways to deal with darknet marketplaces from the perspective of investigators. The paper outlines methods (based on periodic web scraping) that may help sworn officers to gather evidence about darknet marketplace (ab)users. The potential is demonstrated in a real-life case study of the Monopoly Market. For instance, the suggested approaches seem capable of monitoring the demography and activities of darknet marketplace users, estimating the number of procurements and their value, and correlating user identities with their cryptocurrency addresses. The paper also provides an applicability analysis of the proposed methods on the subset of currently trending darknet marketplaces.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889154","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"About the applicability of Apache2 web server memory forensics","authors":"Jan-Niclas Hilgert, Roman Schell, Carlo Jakobs, Martin Lambertz","doi":"10.1016/j.fsidi.2023.301610","DOIUrl":"https://doi.org/10.1016/j.fsidi.2023.301610","url":null,"abstract":"With the increasing use of the Internet for criminal activities, web servers have become more and more important during forensic investigations. In many cases, web servers are used to host leaked data, as a management interface for Command and Control servers, or as a platform for illicit content. As a result, extracting information from web servers has become a critical aspect of digital forensics. By default, a lot of information can already be extracted by performing traditional storage forensics including the analysis of logs. However, this approach quickly reaches its limits as soon as anti-forensic techniques such as the deletion of configuration files or the deactivation of logging capabilities are implemented. This paper evaluates the feasibility of memory forensics as a complement to traditional storage forensics for cases involving web servers. For this purpose, we present a methodology for extracting forensically relevant artefacts from the memory of Apache web servers, which are among the most commonly used on the Internet. Through various experiments, we evaluate the applicability of our approach in different scenarios. In the process, we also take a closer look at the overall existence of digital traces, which cannot easily be found by following a structured approach. Our findings demonstrate that certain Apache web server structures contain important information that can be retrieved from memory even after the originating event has passed. Additionally, traces such as IP addresses were still found in memory even after complete structures were already overwritten by further interaction. These results highlight the benefits and the potential of memory analysis for web servers in digital investigations.","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49889159","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}