Digital Investigation
Journal Prestige (SJR): 0.635
Citation Impact (citeScore): 3
ISSN (Print) 1742-2876
Published by Elsevier
  • Panoramic perspective of Digital Investigation
    • Abstract: Publication date: September 2019. Source: Digital Investigation, Volume 30. Author(s): Eoghan Casey, Zeno Geradts, Bruce Nikkel
       
  • How to detect cryptocurrency miners? By traffic forensics!
    • Abstract: Publication date: Available online 22 August 2019. Source: Digital Investigation. Author(s): Vladimír Veselý, Martin Ždník
      Cryptocurrencies set a new trend for financial interaction between people. In order to successfully meet this use case, cryptocurrencies combine various advanced information technologies (e.g., blockchain as a replicated database, asymmetric ciphers and hashes guaranteeing integrity properties, peer-to-peer networking providing a fault-tolerant service). The mining process not only introduces new cryptocurrency units, but has also become a business for generating real-life revenue. This paper examines different approaches to detecting cryptocurrency mining within corporate networks (where it should not be present). Mining activity is often a sign of malware presence or unauthorized exploitation of company resources. The article provides an in-depth overview of the pooled mining process including deployment and operational details. Two detection methods and their implementations are available for network administrators, law enforcement agents and the general public interested in cryptocurrency mining forensics.
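The pooled mining the abstract refers to is driven by the Stratum protocol: newline-delimited JSON-RPC over a plain TCP connection, with a subscribe/authorize handshake followed by a stream of job notifications and share submissions (Monero-style pools, as used by XMRig, speak a login/job/submit dialect of the same shape). The following is an added example, not the paper's detection method or its code, showing the payload-level check a network administrator can run over reassembled TCP payload lines. The flows, addresses, wallet strings and miner versions are constructed for the demo.

```python
"""Flag TCP flows that speak the Stratum pool-mining protocol.

Added example for this listing; it is not the paper's detector. A flow is
only reported as mining when both a handshake method and work traffic are
seen in the direction they are legitimately sent, so a single stray
subscribe (e.g. blocked at the firewall) does not raise a verdict.
"""
import json
from collections import defaultdict

# Method names characteristic of pooled mining (Stratum v1 and the Monero-style dialect).
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
SERVER_METHODS = {"mining.notify", "mining.set_difficulty", "job"}
HANDSHAKE = {"mining.subscribe", "mining.authorize", "login"}
WORK = {"mining.notify", "mining.submit", "job", "submit"}


def method_of(payload: str):
    """Return the JSON-RPC method carried by one payload line, or None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    # Monero-style login reply carries no "method"; the result embeds the first job.
    if method is None and isinstance(msg.get("result"), dict) and "job" in msg["result"]:
        method = "job"
    return method if isinstance(method, str) else None


def classify_flows(records):
    """records: iterable of (flow_key, direction, payload_line), direction being
    'c2s' (client to pool) or 's2c'. Returns {flow_key: {"methods", "mining"}}."""
    seen = defaultdict(set)
    for key, direction, payload in records:
        method = method_of(payload)
        if method is None:
            continue
        # Count a method only in the direction a real miner/pool would send it.
        if method in (CLIENT_METHODS if direction == "c2s" else SERVER_METHODS):
            seen[key].add(method)
    return {
        key: {"methods": sorted(m), "mining": bool(m & HANDSHAKE) and bool(m & WORK)}
        for key, m in seen.items()
    }


# Constructed sample traffic; flow keys are (client, server, server port).
STRATUM = ("10.0.0.5", "198.51.100.7", 3333)
MONERO = ("10.0.0.9", "203.0.113.4", 4444)
BLOCKED = ("10.0.0.12", "198.51.100.7", 3333)   # subscribe sent, pool never answered
WEB = ("10.0.0.5", "192.0.2.10", 80)
SAMPLE = [
    (STRATUM, "c2s", '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'),
    (STRATUM, "s2c", '{"id":1,"result":[[["mining.notify","ae6812eb"]],"08000002",4],"error":null}'),
    (STRATUM, "c2s", '{"id":2,"method":"mining.authorize","params":["wallet.rig1","x"]}'),
    (STRATUM, "s2c", '{"id":null,"method":"mining.set_difficulty","params":[2048]}'),
    (STRATUM, "s2c", '{"id":null,"method":"mining.notify","params":["bf","4d16b6f8",[],"2","1c2ac4af","5d0b4bff",true]}'),
    (STRATUM, "c2s", '{"id":3,"method":"mining.submit","params":["wallet.rig1","bf","00000000","5d0b4bff","a3e1f6d2"]}'),
    (MONERO, "c2s", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44abc","pass":"x","agent":"xmrig/6.16.4"}}'),
    (MONERO, "s2c", '{"id":1,"jsonrpc":"2.0","result":{"id":"s1","job":{"blob":"0707","job_id":"j1","target":"b88d0600"},"status":"OK"}}'),
    (MONERO, "c2s", '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"j1","nonce":"00000001","result":"00"}}'),
    (BLOCKED, "c2s", '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'),
    (WEB, "c2s", "GET / HTTP/1.1"),
    (WEB, "s2c", '{"status":"ok","items":[]}'),
]


def demo():
    return classify_flows(SAMPLE)


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

The check only works where the miner speaks Stratum in the clear. Pools also accept Stratum over TLS, and then only the connection pattern (a long-lived session to a pool endpoint with regular small uplink messages) remains visible, which is the flow-level side of the detection problem.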
       
  • A formal model for event reconstruction in digital forensic investigation
    • Abstract: Publication date: Available online 13 August 2019. Source: Digital Investigation. Author(s): Somayeh Soltani, Seyed Amin Hosseini Seno
      Event reconstruction is an important phase in digital forensic investigation, which determines what happened during the incident. The digital investigator uses the findings of this phase to prepare reports for the court. Since the results must be reproducible and verifiable, it is necessary that the event reconstruction methods be rigorous and strict. In order to fulfill the legal requirements, this study proposes an event reconstruction framework based on formal mathematical methods. In particular, it uses temporal logic model checking, which is an automatic verification technique. The idea is that the system under investigation is modeled as a transition system. Then the digital forensic property is specified using the modal μ-calculus. Finally, a model checking algorithm verifies whether the transition system meets the property. In order to demonstrate the proposed formal event reconstruction framework, an abstract model of the FAT file system is presented and some digital forensic properties are formulated. A big problem in model checking is the so-called state space explosion. This study addresses this problem and suggests some solutions to it. Finally, the proposed framework is applied to a case study to demonstrate how some hypotheses can be proved or refuted.
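The pipeline in the abstract (model the system as a transition system, write the forensic property as a fixpoint formula, let an algorithm decide whether the initial state satisfies it) can be exercised on a toy model in a few dozen lines. This is an added example, not the paper's framework or its FAT model: the transition system below is a deliberately tiny constructed abstraction of one FAT file after deletion (directory entry allocated/deleted/reused, FAT chain linked/zeroed, cluster content present/overwritten), and the two operators are the least fixpoint EF φ = μZ. φ ∨ ◇Z and the greatest fixpoint AG φ = νZ. φ ∧ □Z computed by plain set iteration.

```python
"""Event reconstruction by model checking over an explicit transition system.

Added example; the FAT-like model is a constructed three-field abstraction,
not the paper's model. Properties are sets of states, modal operators map
sets to sets, and a formula is evaluated by iterating to a fixpoint.
"""
from typing import Callable, Dict, FrozenSet, Set, Tuple

State = Tuple[str, str, str]            # (directory entry, FAT chain, cluster content)
TS = Dict[State, Set[State]]            # state -> successors; the relation is total


def build_fat_model() -> Tuple[TS, State]:
    init = ("allocated", "linked", "present")
    ts: TS = {
        # delete: entry marked deleted, FAT chain zeroed, clusters untouched
        init: {("deleted", "zeroed", "present")},
        # freed clusters may be reused by new data, or the entry slot may be reused
        ("deleted", "zeroed", "present"): {("deleted", "zeroed", "overwritten"),
                                            ("reused", "linked", "overwritten"),
                                            ("deleted", "zeroed", "present")},
        ("deleted", "zeroed", "overwritten"): {("reused", "linked", "overwritten"),
                                                ("deleted", "zeroed", "overwritten")},
        ("reused", "linked", "overwritten"): {("reused", "linked", "overwritten")},
    }
    return ts, init


def sat(ts: TS, pred: Callable[[State], bool]) -> FrozenSet[State]:
    """Atomic proposition: the set of states where pred holds."""
    return frozenset(s for s in ts if pred(s))


def diamond(ts: TS, z: FrozenSet[State]) -> FrozenSet[State]:
    """<>Z: states with at least one successor in Z."""
    return frozenset(s for s, succ in ts.items() if succ & z)


def box(ts: TS, z: FrozenSet[State]) -> FrozenSet[State]:
    """[]Z: states all of whose successors are in Z."""
    return frozenset(s for s, succ in ts.items() if succ <= z)


def fixpoint(f, start: FrozenSet[State]) -> FrozenSet[State]:
    """Iterate f from start until stable: from the empty set this is the least
    fixpoint (mu), from the full state set the greatest fixpoint (nu)."""
    cur = start
    while True:
        nxt = frozenset(f(cur))
        if nxt == cur:
            return cur
        cur = nxt


def EF(ts: TS, phi: FrozenSet[State]) -> FrozenSet[State]:
    """mu Z. phi or <>Z: some path reaches a phi state."""
    return fixpoint(lambda z: phi | diamond(ts, z), frozenset())


def AG(ts: TS, phi: FrozenSet[State]) -> FrozenSet[State]:
    """nu Z. phi and []Z: every reachable state satisfies phi."""
    return fixpoint(lambda z: phi & box(ts, z), frozenset(ts))


def check_hypotheses() -> Dict[str, bool]:
    ts, init = build_fat_model()
    deleted_but_recoverable = sat(ts, lambda s: s[0] == "deleted" and s[2] == "present")
    content_gone = sat(ts, lambda s: s[2] == "overwritten")
    return {
        # H1: "the deleted file's content can still be on disk" -> expected to be proved
        "h1_recoverable_state_reachable": init in EF(ts, deleted_but_recoverable),
        # H2: "a deleted file's content always stays recoverable" -> expected to be refuted
        "h2_always_recoverable": init in AG(ts, sat(ts, lambda s: s[0] != "deleted" or s[2] == "present")),
        # H3: "once overwritten, content never comes back" -> expected to be proved
        "h3_overwrite_is_final": all(s in AG(ts, content_gone) for s in content_gone),
    }


if __name__ == "__main__":
    for name, verdict in check_hypotheses().items():
        print(name, "proved" if verdict else "refuted")
```

The explicit set iteration is also where the state space explosion mentioned in the abstract bites: every state is enumerated, so a model covering hundreds of clusters and entries is out of reach without symbolic representation or abstraction.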
       
  • Distributed password cracking with BOINC and hashcat
    • Abstract: Publication date: Available online 8 August 2019. Source: Digital Investigation. Author(s): Radek Hranický, Lukáš Zobal, Ondřej Ryšavý, Dušan Kolář
      Considering today's challenges in digital forensics, distributed computing is a necessity for password cracking. If we limit the selection of password-cracking tools strictly to open-source software, the hashcat tool unambiguously wins in speed, repertoire of supported hash formats, updates, and community support. Though hashcat itself is by design a single-machine solution, its interface makes it possible to use the tool as a base building block of a larger distributed system. Creating a "distributed hashcat" which supports the maximum of hashcat's original features requires a smart controller that employs different distribution strategies in different cases. In the paper, we show how to use the BOINC framework to control a network of hashcat-equipped nodes and provide a working solution for performing different cracking attacks. We also provide experimental results of multiple cracking tasks to demonstrate the applicability of our approach. Last but not least, we compare our solution to an existing hashcat-based distributed tool, Hashtopolis.
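The interface that makes hashcat usable as a building block is its keyspace slicing: `hashcat --keyspace <attack arguments>` prints the size of a job's keyspace, and `--skip N --limit M` (`-s`/`-l`) runs only the slice [N, N+M) of it. A controller can therefore hand each node a contiguous slice sized to its measured speed and a target run time, and keep issuing slices until the keyspace is exhausted. The code below is an added example of such a work generator, not the paper's BOINC controller or Hashtopolis code; node names, speeds, the hash file name and the keyspace size are constructed. One caveat it builds in: for mask attacks the value printed by `--keyspace` is hashcat's own (it is not the product of the charset sizes), so the generator takes that number as input rather than recomputing it.

```python
"""Carve a hashcat keyspace into --skip/--limit work units for nodes of different speed.

Added example; not the paper's controller. The keyspace value must come from
`hashcat --keyspace ...` itself.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    speed: float              # candidates per second on this hash mode (from a benchmark; toy numbers here)


@dataclass
class WorkGenerator:
    keyspace: int             # from `hashcat --keyspace ...`
    target_seconds: float     # desired run time of one work unit
    next_skip: int = 0
    issued: List[Tuple[str, int, int]] = field(default_factory=list)

    def request(self, node: Node) -> Optional[Tuple[int, int]]:
        """Return (skip, limit) for the node's next unit, or None when the keyspace is exhausted."""
        remaining = self.keyspace - self.next_skip
        if remaining <= 0:
            return None
        limit = max(1, min(remaining, int(node.speed * self.target_seconds)))
        unit = (self.next_skip, limit)
        self.issued.append((node.name, *unit))
        self.next_skip += limit
        return unit


def hashcat_cmd(hash_file: str, mask: str, skip: int, limit: int, mode: int = 0) -> List[str]:
    """Command line a node would run for one unit of a mask attack (-a 3)."""
    return ["hashcat", "-a", "3", "-m", str(mode), "--skip", str(skip),
            "--limit", str(limit), hash_file, mask]


def covers_exactly(keyspace: int, units: List[Tuple[str, int, int]]) -> bool:
    """Units must be contiguous, non-overlapping and end exactly at the keyspace."""
    pos = 0
    for _, skip, limit in units:
        if skip != pos or limit <= 0:
            return False
        pos += limit
    return pos == keyspace


def simulate(keyspace: int, nodes: List[Node], target_seconds: float) -> List[Tuple[str, int, int]]:
    """Nodes ask for work round-robin until the generator runs dry."""
    gen = WorkGenerator(keyspace, target_seconds)
    while True:
        got_any = False
        for node in nodes:
            if gen.request(node) is not None:
                got_any = True
        if not got_any:
            return gen.issued


if __name__ == "__main__":
    rig = [Node("gpu-rig", 300.0), Node("laptop", 100.0)]
    units = simulate(1000, rig, 2.0)
    for name, skip, limit in units:
        print(name, " ".join(hashcat_cmd("hashes.txt", "?l?l?l?l?l?l?d?d", skip, limit)))
    print("complete coverage:", covers_exactly(1000, units))
```

Sizing units by speed and a fixed target duration is only one of the distribution strategies such a controller needs: for a dictionary-plus-rules attack the keyspace hashcat reports counts dictionary words rather than candidates, so the real work behind a slice scales with the rule count, and the split has to be chosen differently. That is why the abstract speaks of strategies in the plural.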
       
  • Methods for detecting manipulations in 3D scan data
    • Abstract: Publication date: Available online 2 August 2019. Source: Digital Investigation. Author(s): Kevin Ponto, Simon Smith, Ross Tredinnick
      While interest in using 3D scanning technology for crime scene investigation (CSI) has grown in recent years, a number of barriers still remain that prevent its wide adoption in the criminal justice system. One such barrier comes from the lack of tools that can validate a 3D scan and verify that it has not been manipulated. While a great deal of research has gone into the detection of manipulations for 2D images, the detection of manipulations for 3D scenes has yet to be fully realized. This paper introduces a series of techniques to detect if a 3D point cloud generated from a LiDAR scan has been subsequently manipulated. These techniques exploit fundamental structures inherent in the collection and storage of these types of data. While the proposed techniques are able to detect a number of different types of manipulations, their limitations are also discussed. The goal of this work is to provide a foundation for the creation of a validation toolkit that can ensure 3D scan data is valid and unaltered.
       
  • Automatic cephalometric landmarks detection on frontal faces: An approach based on supervised learning techniques
    • Abstract: Publication date: Available online 2 August 2019. Source: Digital Investigation. Author(s): Lucas Faria Porto, Laise Nascimento Correia Lima, Marta Flores, Andrea Valsecchi, Oscar Ibanez, Carlos Eduardo Machado Palhares, Flavio de Barros Vidal
      Facial landmarks are employed in many research areas, including facial recognition, craniofacial identification, and age and sex estimation, which are the most important. In forensics, the focus is on the analysis of a particular set of facial landmarks, defined as cephalometric landmarks. Previous studies demonstrated that the descriptive adequacy of these anatomical references for indirect application (photo-anthropometric description) increased the marking precision of these points, contributing to greater reliability of these analyses. Nevertheless, most are performed manually and all are subject to bias on the part of expert examiners. Therefore, the purpose of this work was to develop and validate automatic techniques for the detection of cephalometric landmarks from digital frontal facial images in forensics. The presented approach uses a combination of computer vision and image processing techniques within supervised learning procedures. The proposed methodology obtains precision similar to a group of human manual cephalometric reference markers and results that are more accurate than other state-of-the-art facial landmark detection frameworks. It achieves a normalized mean distance error (in pixels) of 0.014, similar to the mean inter-expert dispersion (0.009) and clearly better than the other automatic approaches analyzed during the course of this study (0.026 and 0.101).
       
  • Automated recovery of damaged audio files using deep neural networks
    • Abstract: Publication date: Available online 1 August 2019. Source: Digital Investigation. Author(s): Hee-Soo Heo, Byung-Min So, IL-Ho Yang, Sung-Hyun Yoon, Ha-Jin Yu
      In this paper, we propose two methods to recover damaged audio files using deep neural networks. The presented audio file recovery methods differ from the conventional file carving-based recovery method because the former restore lost data, which is difficult to recover with the latter. This research suggests that recovery tasks, which are essential yet very difficult or very time consuming, can be automated with the proposed recovery methods using deep neural networks. We apply feed-forward and Long Short-Term Memory neural networks to the tasks. The experimental results show that deep neural networks can distinguish speech signals from non-speech signals, and can also identify the encoding methods of the audio files at the bit level. This leads to successful recovery of damaged audio files which are otherwise difficult to recover using conventional file-carving-based methods.
       
  • Reverse Engineering of ReFS
    • Abstract: Publication date: Available online 23 July 2019. Source: Digital Investigation. Author(s): Rune Nordvik, Henry Georges, Fergus Toolan, Stefan Axelsson
      File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, exFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to be able to investigate the file systems identified on seized media. Further, we focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen in Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file share the same content blocks. If the user changes the copy, new data runs are created for the modified content, but unchanged blocks remain shared. This may impact file carving, because some of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are smaller than 64 KiB and therefore use only a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software's is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount; this is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid the update. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.
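The carving problem the abstract describes (a deleted file's blocks may still be live because a copy shares them) is easiest to see on a small copy-on-write model. The following is an added example, not ReFS code or its on-disk layout: a toy volume with reference-counted content blocks in which copying shares blocks, a write to a shared block allocates a fresh one for the changed cluster only, and deleting a file releases only blocks no other file references. File names, cluster size and contents are constructed.

```python
"""Shared content blocks on a toy copy-on-write volume and what a carver sees.

Added example; a constructed model of block sharing, not ReFS structures.
A carver that classifies blocks only as "in use" or "leftover from a deleted
file" must consult reference counts (or the live files' data runs), not just
an allocation bitmap, because a deleted file's block may still belong to a copy.
"""
from typing import Dict, List, Set


class CowVolume:
    def __init__(self, cluster_size: int = 4096):
        self.cluster_size = cluster_size
        self.blocks: Dict[int, bytes] = {}      # block id -> content (never wiped on free)
        self.refcount: Dict[int, int] = {}      # block id -> number of files referencing it
        self.runs: Dict[str, List[int]] = {}    # file name -> data run (block ids in order)
        self._next = 0

    def _alloc(self, data: bytes) -> int:
        bid = self._next
        self._next += 1
        self.blocks[bid] = data
        self.refcount[bid] = 1
        return bid

    def create(self, name: str, data: bytes) -> None:
        cs = self.cluster_size
        self.runs[name] = [self._alloc(data[i:i + cs]) for i in range(0, len(data), cs)]

    def copy(self, src: str, dst: str) -> None:
        """Block-sharing copy: no content is duplicated, only references."""
        self.runs[dst] = list(self.runs[src])
        for bid in self.runs[dst]:
            self.refcount[bid] += 1

    def write(self, name: str, index: int, data: bytes) -> None:
        """Overwrite one cluster of a file; a shared cluster is copied-on-write."""
        bid = self.runs[name][index]
        if self.refcount[bid] > 1:
            self.refcount[bid] -= 1
            self.runs[name][index] = self._alloc(data)   # new data run for the changed part
        else:
            self.blocks[bid] = data

    def delete(self, name: str) -> None:
        for bid in self.runs.pop(name):
            self.refcount[bid] -= 1                   # content stays on disk either way

    def unallocated(self) -> Set[int]:
        return {bid for bid, rc in self.refcount.items() if rc == 0}

    def carve(self, marker: bytes) -> Dict[int, str]:
        """Naive carver: every block holding the marker, with its true allocation status."""
        live = {bid for run in self.runs.values() for bid in run}
        return {bid: ("allocated" if bid in live else "unallocated")
                for bid, data in self.blocks.items() if marker in data}


def scenario() -> CowVolume:
    """Copy a two-cluster file, edit the copy's second cluster, delete the original."""
    vol = CowVolume(cluster_size=4096)
    vol.create("report.docx", b"EVIDENCE-A".ljust(4096, b".") + b"EVIDENCE-B".ljust(4096, b"."))
    vol.copy("report.docx", "report-copy.docx")      # shares blocks 0 and 1
    vol.write("report-copy.docx", 1, b"EDITED" * 600)  # CoW: block 2 replaces block 1 in the copy
    vol.delete("report.docx")                          # block 0 is still referenced by the copy
    return vol


if __name__ == "__main__":
    vol = scenario()
    print("unallocated blocks:", vol.unallocated())
    for marker in (b"EVIDENCE-A", b"EVIDENCE-B", b"EDITED"):
        print(marker.decode(), vol.carve(marker))
```

After the scenario, the original file's first cluster (block 0) is allocated to the copy and its second cluster (block 1) is truly unallocated, so a carver that reports "deleted file content" from allocation state alone would attribute block 0 to the wrong file. The abstract's cluster-size point follows from the same model: with a 64 KiB cluster a file below that size occupies a single block, so there is no run to reassemble.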
       
  • Crime control in the sphere of information technologies in the Republic of Turkey
    • Abstract: Publication date: Available online 23 July 2019. Source: Digital Investigation. Author(s): Aliya Shukan, Aitugan Abdizhami, Gulnar Ospanova, Dana Abdakimova
      Cybercrime is considered an issue of both local and global concern. Therefore, this study focuses on the local experience in cybercrime control of different countries, including the Republic of Turkey. The article discusses issues in cybersecurity policy and analyzes the legislative framework of the Republic of Turkey on cybercrime issues. The findings underlie the continuing education policy for cybersecurity employees. The study concludes that Turkey handles the current cybercrime situation with efficiency.
       
  • Digital behavioral-fingerprint for user attribution in digital forensics: Are we there yet?
    • Abstract: Publication date: Available online 22 July 2019. Source: Digital Investigation. Author(s): Adeyemi R. Ikuesan, Hein S. Venter
      The need for a reliable and complementary identifier mechanism in digital forensic analysis is the focus of this study. Mouse dynamics have been applied in information security studies, particularly continuous authentication and authorization. However, the method applied in security is void of a specific behavioral signature of a user, which inhibits its applicability in digital forensic science. This study investigated the likelihood of observing a unique signature from the mouse dynamics of a computer user. An initial mouse path model was developed using non-finite automata. Thereafter, a set-theory-based adaptive two-stage hash function and a multi-stage rule-based semantic algorithm were developed to observe the feasibility of a unique signature for forensic usage. An experimental process comprising three existing mouse dynamics datasets was used to evaluate the applicability of the developed mechanism. The result showed a low likelihood of extracting a unique behavioral signature which can be used in a user attribution process. Whilst a digital forensic readiness mechanism could be a potential approach to achieving a reliable behavioral biometric modality, the lack of a unique signature presents a limitation. In addition, the result supports the logic that the current state of behavioral biometric modalities, particularly mouse dynamics, is not suitable for forensic usage. Hence, the study concluded that whilst mouse dynamics-based behavioral biometrics may be a complementary modality in security studies, more will be required to adopt it as a forensic modality in litigation. Furthermore, the result from this study finds relevance in other human attribution studies such as user identification in recommender systems, e-commerce, and online profiling systems, where the degree of accuracy required is not relatively high.
       
  • Standardization of file recovery classification and authentication
    • Abstract: Publication date: Available online 20 July 2019. Source: Digital Investigation. Author(s): Eoghan Casey, Alex Nelson, Jessica Hyde
      Digital forensics can no longer tolerate software that cannot be relied upon to perform specific functions such as file recovery. Indistinct and non-standardized results increase the risk of misinterpretation by digital forensic practitioners, and hinder automated correlation of file recovery results in forensic analysis and tool testing. Treating file recovery results in a clear, distinct manner helps reduce the risk of misunderstandings, incorrect assertions and, ultimately, miscarriages of justice. The root of this problem is a lack of clearly defined software requirements, which compels users and tool testers to make educated guesses and assumptions about how digital forensic tools work. To address this problem, this work applies the core forensic processes of classification, authentication and evaluation to file recovery. Specifically, this work defines a vocabulary for software developers, testers and practitioners to classify, authenticate, evaluate and present results of file recovery operations. This vocabulary can be used by software developers to normalize how file recovery is treated, improving clarity, testability and interoperability of results, and reducing the risk of mistakes in digital investigations. This work also proposes an inaugural set of requirements for applying this vocabulary to file recovery results, providing a foundation for further development by the digital forensic community. This work demonstrates how this vocabulary can be implemented using DFXML, and presents a normalized representation of file recovery results using the Cyber-investigation Analysis Standard Expression (CASE). To demonstrate the more generalized utility of this vocabulary, it is applied to recovery results from versioning file systems and SQLite databases. The formalized vocabulary and forensic methods developed in this work support tool validation as called for in the international standard ISO/IEC 27041 and required for accreditation under the international standard ISO 17025. This work also demonstrates how the European Network of Forensic Science Institutes (ENFSI) Guideline for Evaluative Reporting can be applied to express the results of file recovery classification, authentication and evaluation.
       
  • A Comprehensive Micro Unmanned Aerial Vehicle (UAV/Drone) Forensic Framework
    • Abstract: Publication date: Available online 11 July 2019. Source: Digital Investigation. Author(s): Ankit Renduchintala, Farha Jahan, Raghav Khanna, Ahmad Y. Javaid
      In the early 1990s, unmanned aerial vehicles (UAVs) were used exclusively in military applications by various developed countries. Now, with its ease of availability and affordability in the electronic device market, this aerial vehicular technology has become familiar to the public and its usage has expanded to countries all over the world. However, the expanded use of UAVs, colloquially known as drones, is raising understandable security concerns. With the increasing possibility of drones' misuse and their ability to get close to critical targets, drones are prone to being used to commit crimes and, therefore, investigation of such activities is a much-needed facet. This motivated us to devise a comprehensive drone forensic framework that includes hardware/physical and digital forensics, proficient enough for the post-flight investigation of a drone's activity. For hardware/physical forensics, we propose a model for investigating drone components at the crime scene. Additionally, we propose a robust digital drone forensic application with a primary focus on analyzing the essential log parameters of drones through a graphical user interface (GUI) developed using JavaFX 8.0. This application interface allows users to extract and examine onboard flight information. It also includes a file converter created for easy and effective 3D flight trajectory visualization. We used two popular drones for conducting this research, namely the DJI Phantom 4 and the Yuneec Typhoon H. The interface also provides a visual representation of the sensor recordings from which pieces of evidence could be acquired. Our research is intended to offer the forensic science community a powerful approach for investigating drone-related crimes effectively.
       
  • Investigating the incidence of sexual assault in martial arts coaching using media reports
    • Abstract: Publication date: Available online 6 July 2019. Source: Digital Investigation. Author(s): William F. Murphy
      The rapidly expanding martial arts industry, which is presently unregulated within the United States, has seen multiple coaches convicted of sex offenses in recent years. However, there is currently no existing literature on sexual assault within the martial arts industry. We used major search platforms to collect media reports concerning martial arts coaches who were convicted of sex offenses within the United States. We analyzed the reports for information concerning the perpetrators, victims, and offenses as a first step toward filling the need for insight in this area. We found that a significant number of convicted sex offenders resumed martial arts coaching following initial law enforcement intervention.
       
  • Digital forensic artifacts of the Your Phone application in Windows 10
    • Abstract: Publication date: Available online 26 June 2019. Source: Digital Investigation. Author(s): Patricio Domingues, Miguel Frade, Luis Miguel Andrade, João Victor Silva
      Your Phone is a Microsoft system that comprises two applications: a smartphone app for Android 7+ smartphones and a desktop application for Windows 10 (version 1803 or later). It allows users to access their most recent smartphone-stored photos/screenshots and send/receive short message service (SMS) and multimedia messaging service (MMS) messages from their Your Phone-linked Windows 10 personal computers. In this paper, we analyze the digital forensic artifacts created on Windows 10 personal computers whose users have the Your Phone system installed and activated. Our results show that besides the most recent 25 photos/screenshots and the content of the last 30 days of sent/received SMS/MMS, the contact database of the linked smartphone(s) is available in an accessible SQLite3 database kept on the Windows 10 system. This way, when the linked smartphone cannot be forensically analyzed, data gathered through the Your Phone artifacts may constitute a valuable digital forensic asset. Furthermore, to explore and export the main data of the Your Phone database as well as recoverable deleted data, a set of Python scripts, Your Phone Analyzer (YPA), is presented. YPA is available wrapped within an Autopsy module to assist digital practitioners in extracting the main artifacts from the Your Phone system.
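The "recoverable deleted data" the abstract mentions exists because SQLite does not normally wipe a deleted row: the cell becomes free space inside its page (or the page goes on the freelist) and the bytes stay until the space is reused or the file is vacuumed. The code below is an added example, not the Your Phone Analyzer scripts or the application's schema: it writes a constructed contacts table to a temporary file, deletes one row through SQL, and then shows that the SQL interface no longer returns the row while its text is still present in the raw file bytes. `secure_delete` is forced OFF so the outcome is deterministic; its default depends on how the SQLite library was compiled, and a build that leaves it ON zeroes freed cells, which is the first thing to check when a database yields nothing on carving.

```python
"""Deleted SQLite rows survive in the file until their space is reused or vacuumed.

Added example; constructed schema and rows, not the Your Phone database.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List

DELETED_NAME = "Alice Constructed-Example"


def build_and_delete(path: str) -> List[str]:
    """Create a contact table, commit two rows, delete one, return the live names."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")       # keep freed cell bytes in place (assumption made explicit)
    conn.execute("CREATE TABLE contact(id INTEGER PRIMARY KEY, display_name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)",
                     [(1, DELETED_NAME, "+1-555-0100"), (2, "Bob Constructed-Example", "+1-555-0101")])
    conn.commit()
    conn.execute("DELETE FROM contact WHERE id = 1")
    conn.commit()
    live = [row[0] for row in conn.execute("SELECT display_name FROM contact ORDER BY id")]
    conn.close()
    return live


def page_size(path: str) -> int:
    """Page size from the 100-byte SQLite header (big-endian at offset 16; 1 means 65536)."""
    with open(path, "rb") as f:
        header = f.read(100)
    if header[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    size = int.from_bytes(header[16:18], "big")
    return 65536 if size == 1 else size


def carve_offsets(path: str, needle: bytes) -> List[int]:
    """Offsets of needle anywhere in the file: live cells, freeblocks and unallocated space alike."""
    with open(path, "rb") as f:
        blob = f.read()
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "contacts.db")
        live = build_and_delete(path)
        ps = page_size(path)
        hits = carve_offsets(path, DELETED_NAME.encode())
        # Report each hit by its 1-based page number, as a carver would.
        return {"live": live, "hits": hits, "pages": [h // ps + 1 for h in hits], "page_size": ps}


if __name__ == "__main__":
    print(demo())
```

A string search is only the demonstration; a recovery tool walks the page's freeblock chain and the freelist and re-parses the record header so that the deleted row comes back as typed columns rather than a byte offset. It also has to look at the rollback journal or WAL file beside the database, which can hold the pre-deletion page image.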
       
  • PRNU based source camera attribution for image sets anonymized with patch-match algorithm
    • Abstract: Publication date: Available online 21 June 2019. Source: Digital Investigation. Author(s): Ahmet Karaküçük, A. Emir Dirik
      Patch-Match is an efficient algorithm used for structural image editing and available as a tool in popular commercial photo-editing software. The tool allows users to insert or remove objects from photos using information from similar scene content. Recently, a modified version of this algorithm was proposed as a counter-measure against Photo-Response Non-Uniformity (PRNU) based Source Camera Identification (SCI). The algorithm can provide anonymity at a great rate (97%) and impede PRNU-based SCI without the need for any other information, hence leaving no known recourse for PRNU-based SCI. In this paper, we propose a method to identify the sources of Patch-Match-applied images by using randomized subsets of images and the traditional PRNU-based SCI methods. We evaluate the proposed method on two forensic scenarios in which an adversary makes use of the Patch-Match algorithm and distorts the PRNU noise pattern in the incriminating images he took with his camera. Our results show that it is possible to link sets of Patch-Match-applied images back to their source camera even in the presence of images that come from unknown cameras. To the best of our knowledge, the proposed method represents the very first counter-measure against the usage of Patch-Match in the digital forensics literature.
       
  • Detection of Frame Deletion in HEVC-Coded Video in the Compressed Domain
    • Abstract: Publication date: Available online 19 June 2019. Source: Digital Investigation. Author(s): Jin Hyung Hong, Yoonmo Yang, Byung Tae Oh
      In this paper, we propose an algorithm for detecting frame deletion in HEVC-coded video in the compressed domain. Specifically, we focus on the frame type changes occurring upon frame deletion, which cause slight differences between the coding patterns in original and forged video. Then, we identify discriminating coding patterns for use as features, which are classified by machine learning classifiers. Furthermore, we propose video sequence integrity detection on a group-of-pictures basis, which is computationally efficient and robust even when applied to static videos and videos with genuine scene changes. The experimental results show that the proposed technique can classify HEVC-coded videos more accurately than previous methods. In addition, the results demonstrate that the selected features work harmoniously in discrimination and that the learning-based classifiers are more robust and reliable than model-based classifiers.
       
  • Classifying suspicious content in tor darknet through Semantic Attention Keypoint Filtering
    • Abstract: Publication date: Available online 8 June 2019. Source: Digital Investigation. Author(s): Eduardo Fidalgo, Enrique Alegre, Laura Fernández-Robles, Víctor González-Castro
      One of the tasks Law Enforcement Agencies are responsible for is finding evidence of criminal activities in the Darknet. However, manually visiting thousands of domains to locate visual information containing illicit acts requires a considerable amount of time and human resources. To support this task, in this paper we explore the automatic classification of images uploaded to the Tor darknet. Unfortunately, the foreground objects in such images are not always presented standalone, without background, due to the environmental conditions. To address this challenge in the digital investigation of Tor darknet visual content, we propose to automatically classify only the relevant parts of the image, combining saliency maps, i.e. selecting the regions with the most salient information, with Bag of Visual Words (BoVW). We introduce Semantic Attention Keypoint Filtering (SAKF), a filtering strategy that removes non-significant features at the pixel level which mainly do not belong to the object of interest or foreground. We assessed SAKF on seven publicly available datasets, obtaining from 1.64 to 15.73 points higher accuracy than the method set as the baseline, i.e. BoVW using dense SIFT (Scale-Invariant Feature Transform) descriptors. We also compared SAKF filtering performance against the deep features extracted from two well-known Convolutional Neural Network (CNN) architectures, namely MobileNet and ResNet50. Experimental results reveal the effectiveness of the proposed approach and highlight that the use of automatic image classification could be advantageous in supporting the daily investigations of Law Enforcement Agencies on the Tor darknet.
       
  • Differentiating synthetic and optical zooming for passive video forgery detection: An anti-forensic perspective
    • Abstract: Publication date: Available online 18 May 2019. Source: Digital Investigation. Author(s): K. Sitara, B.M. Mehtre
      A video can be manipulated using synthetic zooming without using the state-of-the-art video forgeries. Synthetic zooming is performed by upscaling individual frames of a video with varying scale factors followed by cropping them to the original frame size. These manipulated frames resemble genuine natural (optical) camera zoomed frames and hence may be misclassified as a pristine video by video forgery detection algorithms. Even if such a video is classified as forged, forensic investigators may ignore the results, believing it to be part of an optical camera zooming activity. Hence, this can be used as an anti-forensic method which eliminates digital evidence. We propose a method for differentiating optical camera zooming from synthetic zooming for video tampering detection. The features used for this method are pixel variance correlation and sensor pattern noise. Experimental results on a dataset containing 3200 videos show the effectiveness of the proposed method.
       
 
 