Digital Investigation
Journal Prestige (SJR): 0.635
Citation Impact (CiteScore): 3
  Full-text available via subscription
ISSN (Print) 1742-2876
Published by Elsevier
  • The Bylock fallacy: An In-depth Analysis of the Bylock Investigations in
    Turkey
    • Abstract: Publication date: Available online 15 June 2018. Source: Digital Investigation. Author(s): Yasir Gokce. Bylock is a secure communication app whose availability, Turkish authorities believe, was exclusively allocated to members of the Gülen Movement, a social and religious group regarded by the regime in Turkey as a terrorist organization. The allegation of having downloaded the Bylock app is currently a sufficient finding for the Turkish judiciary to arrest tens of thousands of followers, as well as other Turkish citizens with no link whatsoever to the Movement, on the basis of their alleged ties with a so-called terrorist organization. Examining the legality of the process of retrieving the Bylock metadata, as well as the way the data were linked with individual Bylock users, this article aims to inform readers, via a recent case, about the extent to which digital forensic principles are overlooked in Turkey. The procedure for legally obtaining data from an electronic device and for intercepting a private communication under the Turkish Criminal Procedure Code is defined, and how the process of retrieving the Bylock data infringed that procedure is explained. The article also delves into what the Turkish data retention law envisages in relation to the Bylock case and why the use of Bylock data in judicial proceedings contravenes the law. In a nutshell, this paper exposes the great extent to which the Turkish authorities manipulate digital data so as to incriminate critics profiled beforehand. All in all, it would be pertinent to advance that the Turkish administrative and judicial authorities involved in the acquisition of the Bylock metadata, the preparation of the Bylock user lists, and the apprehension, detention and conviction of individuals based on those lists clearly infringe Turkish legislation and commit serious crimes under the Turkish Penal Code.
  • How to decrypt PIN-Based encrypted backup data of Samsung smartphones
    • Abstract: Publication date: Available online 2 June 2018. Source: Digital Investigation. Author(s): Myungseo Park, Hangi Kim, Jongsung Kim. Smartphones, a necessity for modern people, have become important to forensic investigators, as they hold a great deal of user information that can serve as potential evidence. To obtain such evidence, forensic investigators must first extract the data from the smartphone. However, if the smartphone is lost or broken, it is difficult to collect the data from the phone itself. In that case, the backup data can be very useful because it stores almost all of the information the smartphone holds. Nevertheless, since the backup data is encrypted by vendor-provided applications, the encrypted backup, which acts as an anti-forensic measure, is difficult to use. It is therefore crucial to decrypt the acquired encrypted backup data in order to use it effectively. In this paper, we propose a method to decrypt Samsung smartphone backup data that is encrypted using a user-supplied PIN (Personal Identification Number) and the Samsung backup program Smart Switch. In particular, we develop algorithms to recover the PIN and to decrypt the PIN-based encrypted backup data. We have experimentally verified PIN recovery and backup data decryption for PINs of up to 9 digits. Our implementation, using a precomputed PIN table occupying 30.51 GB of memory, takes about 11 min to recover a 9-digit PIN. To the best of our knowledge, this is the first result on decrypting PIN-based encrypted backup data of Samsung smartphones.
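      The precomputed-table PIN recovery described in this abstract can be sketched as follows. This is a minimal illustration only: the actual key-derivation scheme, salt and iteration count used by Smart Switch are not given here, so a PBKDF2-based derivation and a small PIN space are assumed purely for demonstration.

      ```python
      import hashlib

      # Hypothetical KDF (assumption): the real Smart Switch derivation is not
      # reproduced here; PBKDF2-HMAC-SHA256 stands in for it.
      def derive_key(pin: str, salt: bytes = b"demo-salt") -> bytes:
          """Derive an encryption key from a numeric PIN (assumed scheme)."""
          return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1000)

      def build_pin_table(max_digits: int = 3) -> dict:
          """Precompute key -> PIN for every PIN of up to max_digits digits."""
          table = {}
          for n in range(1, max_digits + 1):
              for i in range(10 ** n):
                  pin = str(i).zfill(n)
                  table[derive_key(pin)] = pin
          return table

      def recover_pin(observed_key: bytes, table: dict):
          """Look up the PIN whose derived key matches the observed key."""
          return table.get(observed_key)

      table = build_pin_table(3)
      ```

      The time/memory trade-off reported in the abstract (30.51 GB of table for a 9-digit PIN in about 11 min) is exactly this kind of lookup, scaled up.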
  • I didn't see that! An examination of internet browser cache behaviour following website visits
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Graeme Horsman. By default, all major web browsers cache visited website content to the local disk to improve browser efficiency and enhance user experience. As a result, the cache provides a window of opportunity for the digital forensic practitioner to establish the nature of the content hosted on the websites that were visited. Cache content is often evidential in cases surrounding Indecent Images of Children (IIoC), where it is often assumed that cached IIoC is a record of the content viewed by a defendant via their browser. However, this may not always be the case. This article investigates web browser cache behaviour in an attempt to identify whether it is possible to definitively establish what quantity of cached content was viewable by a user following a visit to a website. Both the Mozilla Firefox and Google Chrome caches are analysed following visits to 10 test websites in order to quantify cache behaviour. Results indicate that the volume of locally cached content differs between web browsers and websites visited, with instances of cached images that would not have been viewable by the user upon landing on a website. Further, the number of cached images appears to be affected by how much of a website a user scrolls through.
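      The kind of quantification described here can be approximated by counting image entries in a cache directory via their magic bytes. This is an illustrative sketch only, not the author's tooling: real Chrome and Firefox caches use indexed container formats that require dedicated parsers.

      ```python
      import os, tempfile

      # Magic-byte signatures for common web image formats.
      IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"GIF8": "gif"}

      def classify_cached_file(path):
          """Return the image type of a cache entry, or None if not an image."""
          with open(path, "rb") as f:
              head = f.read(4)
          for magic, kind in IMAGE_MAGIC.items():
              if head.startswith(magic):
                  return kind
          return None

      def count_cached_images(cache_dir):
          """Count entries in cache_dir that carry an image signature."""
          return sum(1 for name in os.listdir(cache_dir)
                     if classify_cached_file(os.path.join(cache_dir, name)) is not None)

      # Tiny demo cache: one PNG-like entry and one non-image entry.
      d = tempfile.mkdtemp()
      with open(os.path.join(d, "entry1"), "wb") as f:
          f.write(b"\x89PNG\r\n\x1a\n")
      with open(os.path.join(d, "entry2"), "wb") as f:
          f.write(b"not an image")
      ```

      Comparing such counts against the images actually rendered in the viewport is what reveals the over-caching the paper reports.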
  • Detecting fake iris in iris biometric system
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Vijay Kumar Sinha, Anuj Kumar Gupta, Manish Mahajan. Iris recognition is an automated method of biometric identification that uses mathematical pattern-recognition techniques on video images of the irises of an individual's eyes, whose complex random patterns are unique and can be seen from some distance. Nowadays, the iris is widely used by several organizations, including governments, for identification and authentication purposes. Aadhar, India's UID project, uses iris scans along with fingerprints to uniquely identify people and allocate a Unique Identification Number. Most work in the area of iris pattern recognition emphasizes only the matching of patterns against stored templates; the security aspects of such systems remain largely unexplored. The available security algorithms provide only cryptographic solutions that keep the template database in encrypted form. We successfully enhanced the detection of fake iris images and added detection of falsified scanned iris images presented as templates, which significantly improved the performance of the system in terms of security and reliability. We use flash and the motion of the natural eye to detect the liveness of real iris images before matching against stored templates.
  • Dismantling OpenPuff PDF steganography
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Thomas Sloan, Julio Hernandez-Castro. We present a steganalytic attack against the PDF component of the popular OpenPuff tool. We show that our findings allow us to accurately detect the presence of OpenPuff steganography over the PDF format by using a simple script. OpenPuff is a prominent multi-format and semi-open-source stego-system with a large user base. Because of its popularity, we think our results could potentially have relevant security and privacy implications. The relative simplicity of our attack, paired with its high accuracy and the existence of previous steganalytic findings against this software, warrants major concerns over the real security offered by this steganography tool.
  • I know what you streamed last night: On the security and privacy of streaming
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Alexios Nikas, Efthimios Alepis, Constantinos Patsakis. Streaming media are currently conquering traditional multimedia through services like Netflix, Amazon Prime and Hulu, which provide millions of users worldwide with paid subscriptions to watch the desired content on demand. Simultaneously, numerous applications and services that infringe this content by sharing it for free have emerged. The latter has given ground to a new market based on illegal downloads, which monetizes through ads and custom hardware, often aggregating peers to maximize multimedia content sharing. Regardless of the ethical and legal issues involved, the users of such streaming services number in the millions, and they are severely exposed to various threats, mainly due to poor hardware and software configurations. Recent attacks have also shown that they may, in turn, endanger others as well. This work details these threats and presents new attacks on these systems, as well as forensic evidence that can be collected in specific cases.
  • Speaker verification from codec distorted speech for forensic investigation through serial combination of classifiers
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): M.S. Athulya, P.S. Sathidevi. Forensic investigation often uses biometric evidence as an important aid in identifying culprits. Speech is one of the most readily available biometrics in today's hi-tech world, but most speech evidence acquired for investigative purposes is highly distorted, most prominently by the speech codec, which may remove or distort some speaker-specific features and thereby reduce speaker verification accuracy. This paper quantifies the effect of the Code Excited Linear Prediction (CELP) codec (the most widely used speech codec in today's mobile telephony) on the commonly used speaker-specific features Mel Frequency Cepstral Coefficients (MFCC) and Power Normalized Cepstral Coefficients (PNCC). The features least affected by the codec are experimentally determined to be PNCC. However, when PNCC coefficients are employed directly, the speaker verification error rate is 20% with a Gaussian Mixture Model-Universal Background Model (GMM-UBM) classifier. To improve verification accuracy, the PNCCs are slightly modified, and these modified PNCCs (MPNCC) are used as the feature set for speaker verification, reducing the error rate to 15%. Fusing the MPNCCs with MFCC further reduces the error rate to 8.75%. A serial combination of GMM-UBM and Support Vector Machine (SVM) classifiers is also proposed to enhance speaker verification accuracy further, and the error rates of different baseline classifiers are compared with those of the proposed serially combined classifiers. The classifier fusion with the fused feature set reduces the error rate to 2.5%, far below that of the baseline classifiers with normal PNCC features. Hence, this system is a good candidate for investigative purposes.
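      A serial (cascade) combination of classifiers of the kind proposed here can be sketched with simple stand-in scorers. The score functions and thresholds below are invented for illustration and do not reproduce the paper's GMM-UBM or SVM models: the first stage decides confident cases alone and defers borderline ones to the second stage.

      ```python
      # Stand-in for a GMM-UBM log-likelihood-ratio score (assumption).
      def stage1_score(x: float) -> float:
          return x - 0.5

      # Stand-in for an SVM decision, consulted only on uncertain samples.
      def stage2_decision(x: float) -> bool:
          return x > 0.45

      def serial_verify(x: float, margin: float = 0.2) -> bool:
          """Two-stage cascade: stage 1 decides when confident, else stage 2."""
          s = stage1_score(x)
          if s > margin:        # confidently accepted by stage 1
              return True
          if s < -margin:       # confidently rejected by stage 1
              return False
          return stage2_decision(x)   # borderline: consult second classifier
      ```

      The design rationale is that the second, more expensive classifier only ever sees the samples the first one cannot separate, which is how the cascade lowers the overall error rate.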
  • Automatic categorization of Arabic articles based on their political orientation
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Raddad Abooraig, Shadi Al-Zu'bi, Tarek Kanan, Bilal Hawashin, Mahmoud Al Ayoub, Ismail Hmeidi. The ability to automatically determine the political orientation of an article can be of great benefit in many areas, from academia to security, yet this problem has been largely understudied for Arabic texts in the literature. The contribution of this work lies in two aspects: first, collecting and manually labeling a corpus of articles and comments from different political orientations in the Arab world and producing different versions of it; second, studying the performance of various feature reduction methods and various classifiers on these synthesized datasets. The two most popular feature extraction approaches for such a problem are compared, namely the Traditional Text Categorization (TC) approach and the Stylometric Features (SF) approach. Although the experimental results show the superiority of the TC approach over the SF approach, they also indicate that the latter can be significantly improved by adding new and more discriminating features. The experimental results also show that feature selection techniques generally reduce the accuracies of the considered classifiers under both the TC and SF approaches; the only exception is the Partition Membership (PM) technique, which has the opposite effect. The highest accuracies are obtained when the PM feature selection method is used with the Support Vector Machine (SVM) classifier.
  • Forensics study of IMO call and chat app
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): M.A.K. Sudozai, Shahzad Saleem, William J. Buchanan, Nisar Habib, Haleemah Zia. Smartphones often leave behind a wealth of information that can be used as evidence during an investigation. Many smartphone applications employ encryption to store and/or transmit data, which can add a layer of complexity for an investigator. IMO is a popular application that employs encryption for both call and chat activities. This paper explores important artifacts generated by IMO on both the device and in network traffic, for both the Android and iOS platforms. The novel aspect of the work is the extensive analysis of the encrypted network traffic generated by IMO. The paper also defines a new method of using a firewall to explore the obscured connectivity options, in a way that is independent of the protocol used by the IMO client and server. Our results show that we can correctly detect IMO traffic flows and classify different events of its chat- and call-related activities. We have also compared the IMO network traffic of the Android and iOS platforms to report the subtle differences. The results are valid for IMO 9.8.00 on Android and 7.0.55 on iOS.
  • Accrediting digital forensics: What are the choices?
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Peter Sommer. There are three apparently competing routes to providing reassurance about the quality of digital forensics work: accredit the individual expert, accredit the laboratory and its processes, or let the courts test quality via their procedures. The strengths and weaknesses of each are discussed against the variety of activities within “forensic science”. The particular problems of digital forensics, including its complexity and rate of change, are reviewed. It is argued that formal standards may not always be practical or value for money compared with advisory good practice guides.
  • Prelim iii - Contents List
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25.
  • Prelim i - Editorial Board
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25.
  • WhatsApp server-side media persistence
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Angus M. Marshall.
  • An analytical analysis of Turkish digital forensics
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Mesut Ozel, H. Ibrahim Bulbul, H. Guclu Yavuzcan, Omer Faruk Bay. The first glimpses of digital forensics (DF) date back to the 1970s, mainly in financial fraud, with the widespread use of computers. The evolution of information technologies and their wider use made digital forensics evolve and flourish. Digital forensics has passed through a short but complex succession of “Ad-Hoc”, “Structured” and “Enterprise” phases in roughly four decades. The national readiness of countries may vary across those phases depending on the economy, legislation, adoption level, expertise and other factors. Today the digital forensics discipline is one of the major issues that law enforcement (LE), government, defense, industry, academia, justice and other non-governmental stakeholders have to deal with. We wanted to assess the maturity level of “Turkish digital forensics” in view of the historical phases of digital forensics, along with some specific institutional and organizational digital forensics issues. An online survey was used to address the current digital forensic capacity and capability; the understanding and adoption level of the discipline; education and training forecasts; the current organizational digital forensics framework and infrastructure; the expertise, certification and knowledge gained and needed by the digital forensics community; the tools, software and hardware used in digital forensics; and national legislation, policy making and standardization issues, along with anticipated requirements for the near future. This paper discusses these national issues with respect to the digital forensics discipline; it does not examine all aspects of digital forensics. Our general assessment is that the maturity level of “national DF” lies between the structured and enterprise phases, with a long way to go but with promising developments.
  • Transdisciplinary strategies for digital investigation challenges
    • Abstract: Publication date: June 2018. Source: Digital Investigation, Volume 25. Author(s): Eoghan Casey, Zeno Geradts, Bruce Nikkel.
  • Forensic smartphone analysis using adhesives: Transplantation of Package on Package components
    • Abstract: Publication date: Available online 31 May 2018. Source: Digital Investigation. Author(s): Th Heckmann, K. Markantonakis, D. Naccache, Th Souvignet. Investigators routinely recover data from mobile devices. In many cases the target device is severely damaged: events such as airplane crashes, accidents, terrorism or long submersion may bend or crack the device's main board and hence prevent the use of standard forensic tools. This paper shows how to salvage forensic information when NAND memory, SoC or cryptographic chips are still intact; we make no assumptions about the state of the other components. In usual forensic investigations, damaged phone components are analysed using a process called “forensic transplantation”. This procedure consists of unsoldering (or lapping) chips, re-soldering them onto a functional donor board and rebooting. Package on Package (PoP) component packaging is a newer technique that allows manufacturers to stack two silicon chips, e.g. memory, CPU or cryptographic processors. PoP is currently widely used by most device manufacturers, in particular leading brands such as Apple, BlackBerry, Samsung, HTC and Huawei. Unfortunately, forensic transplantation destroys PoP components. This work overcomes that difficulty by introducing a new chip-off analysis method based on High Temperature Thixotropic Thermal Conductive Adhesive (HTTTCA) for gluing the PoP packages to prevent misalignment during the transplantation process. The HTTTCA process allows the investigator to safely unsolder PoP components, which is a crucial step for transplantation. To demonstrate feasibility, we describe in detail an experimental forensic transplantation of a secure mobile phone's PoP CPU.
  • Laying foundations for effective machine learning in law enforcement. Majura – A labelling schema for child exploitation materials
    • Abstract: Publication date: Available online 31 May 2018. Source: Digital Investigation. Author(s): Janis Dalins, Yuriy Tyshetskiy, Campbell Wilson, Mark J. Carman, Douglas Boudry. The health impacts of repeated exposure to distressing material such as child exploitation materials (CEM, aka ‘child pornography’) have become a major concern to law enforcement agencies and associated entities. Existing methods for ‘flagging’ materials largely rely upon prior knowledge, whilst predictive methods are unreliable, particularly when compared with equivalent tools used for detecting ‘lawful’ pornography. In this paper we detail the design and implementation of a deep-learning based CEM classifier, leveraging existing pornography detection methods to overcome infrastructure and corpora limitations in this field. Specifically, we further existing research through direct access to numerous contemporary, real-world, annotated cases taken from Australian Federal Police holdings, demonstrating the dangers of overfitting due to the influence of individual users' proclivities. We quantify the performance of skin tone analysis in CEM cases, showing it to be of limited use. We assess the performance of our classifier and show it to be sufficient for use in forensic triage and ‘early warning’ of CEM, but of limited efficacy for categorising against existing scales for measuring child abuse severity. We identify limitations currently faced by researchers and practitioners in this field, whose restricted access to training material is exacerbated by inconsistent and unsuitable annotation schemas. Whilst adequate for their intended use, we show existing schemas to be unsuitable for training machine learning (ML) models, and introduce a new, flexible, objective, and tested annotation schema specifically designed for cross-jurisdictional collaborative use. This work, combined with a world-first ‘illicit data airlock’ project currently under construction, has the potential to bring a ‘ground truth’ dataset and processing facilities to researchers worldwide without compromising quality, safety, ethics and legality.
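      The skin tone analysis evaluated in this paper is commonly implemented as a pixel-ratio heuristic. The RGB rule below is one classic textbook formulation, shown only to illustrate how coarse such features are; it is not the authors' implementation.

      ```python
      # A common RGB heuristic for "skin" pixels (one of several classic rules;
      # shown for illustration, not the paper's method).
      def is_skin(r: int, g: int, b: int) -> bool:
          return (r > 95 and g > 40 and b > 20 and
                  r > g and r > b and abs(r - g) > 15)

      def skin_ratio(pixels) -> float:
          """Fraction of pixels classified as skin; pixels is a list of (r, g, b)."""
          if not pixels:
              return 0.0
          return sum(is_skin(*p) for p in pixels) / len(pixels)
      ```

      A single scalar like this ignores context entirely, which is consistent with the paper's finding that skin tone analysis is of limited use for CEM classification.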
  • Logical acquisition method based on data migration for Android mobile devices
    • Abstract: Publication date: Available online 31 May 2018. Source: Digital Investigation. Author(s): Peijun Feng, Qingbao Li, Ping Zhang, Zhifeng Chen. Android dominates the mobile operating system market, and data acquisition methods for Android devices have been a focus of research on mobile forensics technology. However, due to continuous updates of the Android system and the deployment of security technologies, existing data acquisition methods are limited and difficult to apply to new Android mobile devices. To address this problem, we propose a logical acquisition method based on the system-level data migration services provided by Android mobile device manufacturers. The experimental results demonstrate that, for unrooted Android mobile devices, the proposed method is superior to existing logical forensic methods in terms of data acquisition capability.
  • Efficient monitoring and forensic analysis via accurate network-attached provenance collection with minimal storage overhead
    • Abstract: Publication date: Available online 8 May 2018. Source: Digital Investigation. Author(s): Yulai Xie, Dan Feng, Xuelong Liao, Leihua Qin. Provenance, the history or lineage of an object, has been used to enable efficient forensic analysis in intrusion prevention systems to detect intrusions, correlate anomalies, and reduce false alerts. Especially in network-attached environments, it is critical to accurately capture network context in order to trace back the intrusion source and identify system vulnerabilities. However, most existing methods fail to collect accurate and complete network-attached provenance, and enabling efficient forensic analysis with minimal provenance storage overhead remains a big challenge. This paper proposes a provenance-based monitoring and forensic analysis framework called PDMS that builds upon an existing provenance tracking framework. On one hand, it monitors and records every network session and collects the dependency relationships between files, processes and network sockets; by carefully describing and collecting the network socket information, PDMS can accurately track the data flowing into and out of the system. On the other hand, the framework unifies efficient provenance filtering with query-friendly compression. Evaluation results show that the framework enables accurate and highly efficient forensic analysis with minimal provenance storage overhead.
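      The dependency tracking described here can be pictured as a graph over files, processes and network sockets, traced backwards from a suspicious object. The toy structure below shows only that backward-tracing idea; it is an illustrative sketch, not the PDMS implementation, and the node names are invented.

      ```python
      from collections import defaultdict

      class ProvenanceGraph:
          """Minimal provenance store: edges map an object to what it depends on."""

          def __init__(self):
              self.edges = defaultdict(set)

          def record(self, subject: str, obj: str):
              """Record that `subject` (e.g. a file) was derived from `obj`."""
              self.edges[subject].add(obj)

          def trace_back(self, start: str):
              """Return every object the start object transitively depends on."""
              seen, stack = set(), [start]
              while stack:
                  node = stack.pop()
                  for dep in self.edges.get(node, ()):
                      if dep not in seen:
                          seen.add(dep)
                          stack.append(dep)
              return seen

      # Hypothetical session: a file written by a process fed from a socket.
      g = ProvenanceGraph()
      g.record("/tmp/out.bin", "proc:backup")
      g.record("proc:backup", "socket:10.0.0.1:443")
      deps = g.trace_back("/tmp/out.bin")
      ```

      Recording sockets as first-class nodes, as in the sketch, is what lets such a framework trace an on-disk artifact back to its network origin.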
  • TREDE and VMPOP: Cultivating multi-purpose datasets for digital forensics – A Windows registry corpus as an example
    • Abstract: Publication date: Available online 28 April 2018. Source: Digital Investigation. Author(s): Jungheum Park. Demand is rising for publicly available datasets to support studying emerging technologies, performing tool testing, detecting incorrect implementations, and ensuring the reliability of security- and digital-forensics-related knowledge. While a variety of data is created day to day in security, forensics and incident response labs, the created data is often not practical to use or has other limitations. Various researchers, practitioners and research projects have therefore released valuable datasets acquired from computer systems or digital devices used by actual users, or generated during research activities. Nevertheless, there is still a significant lack of reference data for supporting a range of purposes, and there is a need both to increase the number of publicly available testbeds and to improve their verifiability as ‘reference’ data. Although existing datasets are useful and valuable, some have critical limitations on verifiability if they were acquired or created without ground truth data. This paper introduces a practical methodology for developing synthetic reference datasets in the field of security and digital forensics. The proposal divides the steps for generating a synthetic corpus into two classes: user-generated and system-generated reference data. In addition, this paper presents a novel framework to assist the development of system-generated data, along with a virtualization system and elaborate automated virtual machine control, and then proceeds to a proof-of-concept implementation. Finally, this work demonstrates through practical deployment that the proposed concepts are feasible and effective, and evaluates their potential value.
  • Navigating the Windows Mail database
    • Abstract: Publication date: Available online 21 March 2018. Source: Digital Investigation. Author(s): Howard Chivers. The Windows Mail application in Windows 10 uses an ESE database to store messages, appointments and related data; however, the field (column) names used to identify these records are hexadecimal property tags, many of which are undocumented. To support forensic analysis, a series of experiments was carried out to diagnose the function of these tags, and this work resulted in a body of related information about the Mail application. This paper documents the property tags that have been diagnosed and presents how Windows Mail artifacts recovered from the store.vol ESE database can be interpreted, including how the paths of files recorded by the Mail system are derived from database records. We also present example email and appointment records that illustrate forensic issues in the interpretation of message and appointment records, and show how additional information can be obtained by associating these records with other information in the ESE database.
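      Once tags have been diagnosed, interpreting a record reduces to translating raw tag/value pairs through a lookup table, as sketched below. The tag numbers shown follow common MAPI property IDs but are placeholders here, not verified Windows Mail columns from the paper.

      ```python
      # Placeholder tag -> field-name table (assumed for illustration; the
      # paper's diagnosed Windows Mail tags are not reproduced here).
      DIAGNOSED_TAGS = {
          0x0037: "Subject",
          0x0E06: "MessageDeliveryTime",
          0x0C1A: "SenderName",
      }

      def interpret_record(record: dict) -> dict:
          """Translate raw tag->value pairs into named fields where diagnosed."""
          return {DIAGNOSED_TAGS.get(tag, f"unknown_0x{tag:04X}"): value
                  for tag, value in record.items()}

      # Hypothetical raw record: one diagnosed tag, one undocumented tag.
      example = interpret_record({0x0037: "Re: meeting", 0x9999: 7})
      ```

      Keeping undiagnosed tags visible (rather than discarding them) mirrors the paper's approach of building up the tag dictionary experimentally.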
  • Criminal motivation on the dark web: A categorisation model for law enforcement
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Janis Dalins, Campbell Wilson, Mark Carman. Research into the nature and structure of ‘dark webs’ such as Tor has largely focused upon manually labelling a series of crawled sites against a series of categories, sometimes using these labels as a training corpus for subsequent automated crawls. Such an approach is adequate for establishing broad taxonomies, but is of limited value for specialised tasks within the field of law enforcement. By contrast, existing research into illicit behaviour online has tended to focus upon particular crime types such as terrorism. A gap exists between taxonomies capable of holistic representation and those capable of detailing criminal behaviour, and the absence of such a taxonomy limits interoperability between agencies, curtailing the development of standardised classification tools. We introduce the Tor-use Motivation Model (TMM), a two-dimensional classification methodology specifically designed for use within a law enforcement context. The TMM achieves greater granularity by explicitly distinguishing site content from motivation, providing a richer labelling schema without introducing inefficient complexity or relying upon overly broad categories of relevance. We demonstrate this flexibility and robustness through direct examples, showing the TMM's ability to distinguish a range of unethical and illegal behaviour without bloating the model with unnecessary detail. The authors of this paper received permission from the Australian government to conduct an unrestricted crawl of Tor for research purposes, including the gathering and analysis of illegal materials such as child pornography. The crawl gathered 232,792 pages from 7651 Tor virtual domains, resulting in the collation of a wide spectrum of materials, from illicit to downright banal. Existing conceptual models and their labelling schemas were tested against a small sample of gathered data and were observed to be either overly prescriptive or too vague for law enforcement purposes, particularly when used for prioritising sites of interest for further investigation. In this paper we deploy the TMM by manually labelling a corpus of over 4000 unique Tor pages. We found a network impacted (but not dominated) by illicit commerce and money laundering, but almost completely devoid of violence and extremism. In short, criminality on this ‘dark web’ is based more upon greed and desire than any particular political motivation.
  • HDFS file operation fingerprints for forensic investigations
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Mariam Khader, Ali Hadi, Ghazi Al-Naymat. Understanding the Hadoop Distributed File System (HDFS) is currently an important issue for forensic investigators because it is the core of most Big Data environments. The HDFS requires further study to understand how forensic investigations should be performed and what artifacts can be extracted from the framework. The HDFS encompasses a large amount of data; thus, in most forensic analyses it is not possible to gather all of the data, and metadata and logs play a vital role. In a good forensic analysis, metadata artifacts can be used to establish a timeline of events, highlight patterns of file-system operation, and point to gaps in the data. This paper provides metadata observations for HDFS operations based on fsimage and hdfs-audit logs. These observations draw a roadmap of metadata changes that aids forensic investigations in an HDFS environment; understanding metadata changes assists a forensic investigator in identifying what actions were performed on the HDFS. This study focuses on executing day-to-day (regular) file-system operations and recording which file metadata changes occur after each operation. Each operation was executed, and its fingerprints were detailed. The use of those fingerprints as artifacts for file-system forensic analysis is elaborated via two case studies. The results include a detailed study of each operation, including which system entity (user or service) performed the operation and when, which is vital for most analysis cases. Moreover, the forensic value of the examined observations is demonstrated by employing these artifacts in forensic analysis.
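      Extracting operation fingerprints from hdfs-audit logs amounts to pulling the actor, command and paths out of each audit line. The sketch below parses a line in the typical Hadoop audit format (exact fields vary by Hadoop version and configuration); the sample line is invented for illustration.

      ```python
      import re

      # Typical hdfs-audit fields: allowed, ugi, ip, cmd, src, dst, perm.
      LINE = re.compile(r"allowed=(?P<allowed>\w+)\s+ugi=(?P<ugi>\S+).*?"
                        r"cmd=(?P<cmd>\S+)\s+src=(?P<src>\S+)")

      def parse_audit_line(line: str):
          """Extract the fingerprint fields from one audit line, or None."""
          m = LINE.search(line)
          return m.groupdict() if m else None

      # Hypothetical audit line in the usual format.
      sample = ("2018-03-01 10:00:00,000 INFO FSNamesystem.audit: "
                "allowed=true ugi=hadoop (auth:SIMPLE) ip=/127.0.0.1 "
                "cmd=rename src=/data/a.txt dst=/data/b.txt "
                "perm=hadoop:supergroup:rw-r--r--")
      parsed = parse_audit_line(sample)
      ```

      Grouping parsed lines by `cmd` and `ugi` is then enough to reconstruct who performed which file-system operation and when, which is the timeline-building use the abstract describes.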
  • An in-depth analysis of Android malware using hybrid techniques
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Abdullah Talha Kabakus, Ibrahim Alper Dogru. Android malware is widespread despite the effort made by Google to keep it out of the official application market, Play Store. Two techniques, namely static and dynamic analysis, are commonly used to detect malicious applications in the Android ecosystem, and each has its own advantages and disadvantages. In this paper, we propose a novel hybrid Android malware analysis approach, named mad4a, which exploits the advantages of both static and dynamic analysis techniques. The aim of this study is to reveal some unknown characteristics of Android malware through the various analysis techniques used. As a result of static and dynamic analysis on widely used Android application datasets, digital investigators are informed about some underestimated characteristics of Android malware.
  • Smartphone data evaluation model: Identifying authentic smartphone data
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Heloise Pieterse, Martin Olivier, Renier van Heerden. Ever-improving smartphone technology, along with the widespread use of the devices to accomplish daily tasks, leads to the collection of rich sources of smartphone data. Smartphone data are, however, susceptible to change and can be altered intentionally or accidentally by end-users or installed applications. It is therefore important to establish the authenticity of smartphone data, confirming the data refer to actual events, before submitting the data as potential evidence. This paper focuses on data created by smartphone applications and the techniques that can be used to establish the authenticity of the data. To identify authentic smartphone data, a better understanding of the smartphone, related smartphone applications and the environment in which the smartphone operates is required. From the gathered knowledge and insight, requirements are identified that authentic smartphone data must adhere to. These requirements are captured in a new model to assist digital forensic professionals with the evaluation of smartphone data. Experiments involving different smartphones are conducted to determine the practicality of the new evaluation model for the identification of authentic smartphone data. The presented results provide preliminary evidence that the suggested model offers the necessary guidance to identify authentic smartphone data.
  • Keystroke dynamics features for gender recognition
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Ioannis Tsimperidis, Avi Arampatzis, Alexandros Karakos. This work attempts to recognize the gender of an unknown user with data derived only from keystroke dynamics. Keystroke dynamics, which can be described as the way a user types, usually amount to tens of thousands of features, each encoding some information. The question that arises is which of these characteristics are most suitable for gender classification. To answer this question, a new dataset was created by recording users during the daily usage of their computers, the information gain of each keystroke dynamics feature was calculated, and five well-known classification models were used to test the feature sets. The results show that the gender of an unknown user can be identified with an accuracy of over 95% with only a few hundred features. This percentage, the highest found in the literature, is quite promising for the development of reliable systems that can alert an unsuspecting user to being a victim of deception. Moreover, the ability to identify the gender of a user who typed a certain piece of text is of significant importance in digital forensics, as it could provide circumstantial evidence for “putting fingers on the keyboard” and for arbitrating cases where the true origin of a message needs to be identified.
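Information gain, the feature-ranking criterion used above, can be computed from first principles: it is the entropy of the labels minus the expected entropy of the labels after conditioning on a feature. A minimal sketch on toy data follows; the feature names and values are invented for illustration and a real pipeline would compute this over thousands of keystroke features.

```python
from math import log2
from collections import Counter

def entropy(labels):
    """Shannon entropy H(labels) in bits."""
    n = len(labels)
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())

def information_gain(feature_values, labels):
    """IG = H(labels) - sum over feature values v of p(v) * H(labels | v)."""
    n = len(labels)
    remainder = 0.0
    for v in set(feature_values):
        subset = [l for f, l in zip(feature_values, labels) if f == v]
        remainder += (len(subset) / n) * entropy(subset)
    return entropy(labels) - remainder

# Toy data: the label is the typist's gender; each feature is a discretized
# keystroke-dynamics measurement (e.g. a binned digraph latency).
labels = ["m", "m", "f", "f"]
fast_digraph = ["slow", "slow", "fast", "fast"]   # perfectly separates the labels
noise_feature = ["a", "b", "a", "b"]              # carries no label information

ranked = sorted(
    [("fast_digraph", information_gain(fast_digraph, labels)),
     ("noise_feature", information_gain(noise_feature, labels))],
    key=lambda kv: kv[1], reverse=True)
print(ranked)
```

Ranking all features this way and keeping only the top few hundred is exactly the kind of selection step the abstract describes before handing the reduced feature set to the classifiers.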
  • Clearly conveying digital forensic results
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Eoghan Casey
  • Prelim iii - Contents List
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s):
  • Prelim i - Editorial Board
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s):
  • Lempel-Ziv Jaccard Distance, an effective alternative to ssdeep and sdhash
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Edward Raff, Charles Nicholas. Recent work has proposed the Lempel-Ziv Jaccard Distance (LZJD) as a method to measure the similarity between binary byte sequences for malware classification. We propose and test LZJD's effectiveness as a similarity digest hash for digital forensics. To do so we develop a high performance Java implementation with the same command-line arguments as sdhash, making it easy to integrate into existing work-flows. Our testing shows that LZJD is effective for this task, and significantly outperforms sdhash and ssdeep in its ability to match related file fragments and files corrupted with random noise. In addition, LZJD is up to 60× faster than sdhash at comparison time.
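The distance itself is simple to state: parse each byte sequence into its set of previously unseen substrings (LZ78-style) and take one minus the Jaccard similarity of the two sets. The following is a pure-Python sketch of that core idea; the published LZJD digest additionally hashes and min-hashes the sets for speed, which is omitted here.

```python
def lz_set(data: bytes):
    """Build the set of unique substrings produced by LZ78-style parsing."""
    seen, start = set(), 0
    for end in range(1, len(data) + 1):
        chunk = data[start:end]
        if chunk not in seen:     # extend the current chunk until it is novel
            seen.add(chunk)
            start = end
    return seen

def lzjd(a: bytes, b: bytes) -> float:
    """Lempel-Ziv Jaccard Distance: 1 - Jaccard similarity of the LZ sets."""
    sa, sb = lz_set(a), lz_set(b)
    return 1.0 - len(sa & sb) / len(sa | sb)

x = b"abcabcabcabc" * 16
print(lzjd(x, x))                    # identical inputs: distance 0
print(lzjd(x, b"zzzz" * 48))         # unrelated inputs: distance near 1
print(lzjd(x, x + b"abc"))           # near-duplicates stay close
```

Because the comparison is between sets of substrings rather than aligned byte offsets, related fragments still share most of their set even after insertions or appended noise, which is the property the paper exploits for fragment matching.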
  • Alexa, did you get that? Determining the evidentiary value of data
           stored by the Amazon® Echo
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Douglas A. Orr, Laura Sanchez
  • Investigation of Indecent Images of Children cases: Challenges and
           suggestions collected from the trenches
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Virginia N.L. Franqueira, Joanne Bryce, Noora Al Mutawa, Andrew Marrington. Previous studies examining the investigative challenges and needs of Digital Forensic (DF) practitioners have typically taken a sector-wide focus. This paper presents the results of a survey which collected text-rich comments about the challenges experienced and related suggestions for improvement in the investigation of Indecent Images of Children (IIOC) cases. The comments were provided by 153 international DF practitioners (28.1% survey response rate) and were processed using Thematic Analysis. This resulted in the identification of 4 IIOC-specific challenge themes, and 6 DF-generic challenges which directly affect IIOC. The paper discusses these identified challenges from a practitioner perspective, and outlines their suggestions for addressing them.
  • A method and tool to recover data deleted from a MongoDB
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Jongseong Yoon, Sangjin Lee. A DBMS stores important data and is therefore a key subject of analysis in digital forensics. Techniques for recovering deleted data from a DBMS play an important role in finding evidence in forensic investigation cases. Although relational DBMSs remain important data stores, NoSQL DBMSs are used more and more often due to the growing pursuit of Big Data, which increases the potential need to analyze a NoSQL DBMS in forensic cases. In reality, data from approximately 26,000 servers has been deleted by a massive ransom attack on vulnerable MongoDB servers. Therefore, study of the internal structure and deleted-data recovery techniques of NoSQL DBMSs is essential. In this paper, we research methods for recovering deleted data in MongoDB, which is widely used. We have analyzed the internal structures of the WiredTiger and MMAPv1 storage engines, which are MongoDB's disk-based storage engines. Moreover, we have implemented the recovery algorithm as a tool and evaluated its performance on real and self-generated experimental data.
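As a rough illustration of the carving side of such recovery (not the authors' tool: real recovery must also parse the WiredTiger or MMAPv1 page and record structures), one can scan a raw byte buffer for runs that look like well-formed BSON documents, since every BSON document starts with a little-endian int32 total length and ends with a 0x00 terminator.

```python
import struct

def carve_bson(buf: bytes, min_len=5, max_len=16 * 1024 * 1024):
    """Return (offset, length) of candidate BSON documents found in buf.

    A sketch only: it checks the length prefix and trailing terminator,
    so false positives are possible and element-level validation is omitted.
    """
    hits = []
    for off in range(len(buf) - 4):
        (length,) = struct.unpack_from("<i", buf, off)
        if min_len <= length <= max_len and off + length <= len(buf):
            # A BSON document always ends with a 0x00 terminator byte.
            if buf[off + length - 1] == 0x00:
                hits.append((off, length))
    return hits

# Build a minimal BSON document {"a": 1} by hand: int32 total length,
# one element (type 0x10 = int32, name "a", value 1), then the terminator.
doc = struct.pack("<i", 12) + b"\x10a\x00" + struct.pack("<i", 1) + b"\x00"
image = b"\xff" * 7 + doc + b"\xff" * 9   # "deleted" doc surrounded by junk

print(carve_bson(image))
```

Scanning for document shapes like this is what makes deleted records recoverable at all: deletion in the storage engine typically unlinks a record rather than overwriting its bytes.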
  • Improving source camera identification performance using DCT based image
           frequency components dependent sensor pattern noise extraction method
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Bhupendra Gupta, Mayank Tiwari. Sensor imperfections in the form of photo response non-uniformity (PRNU) are widely used to perform various image forensic tasks such as source camera identification, image integrity verification, and device linking. The PRNU contains important information about the sensor in terms of frequency content, which makes it suitable for various image forensic applications. The main drawback of existing PRNU extraction methods is that the extracted PRNU contains fine details of the image, i.e., the high-frequency details (edges and texture). To solve this problem we apply a pre-processing step to widely accepted PRNU extraction methods. Our pre-processing step is based on the fact that the PRNU is a very weak noise signal and hence can be extracted more efficiently by applying the PRNU extraction method to the low-frequency (LF) and high-frequency (HF) components of the image separately. Initially, we applied this pre-processing concept to the widely accepted PRNU extraction methods and found that it improves the performance of most of them, with the largest improvement for the Mihcak filter. Hence, in the remaining part of the work, this generalized concept is applied more precisely to the Mihcak filter only. With the proposed pre-processing idea, the resulting filter is termed the pMihcak filter. The PRNU extracted using the pMihcak filter contains the least amount of HF image detail, and the pMihcak filter is able to extract PRNU from the low-frequency components of the image, which is otherwise not possible with existing PRNU extractors.
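The pre-processing idea of splitting the signal into LF and HF components before running a noise extractor on each can be illustrated in one dimension with a plain DCT. This is only a sketch of the band-split step, not of the Mihcak filter itself: the paper works on 2-D images, and the cutoff index below is an arbitrary choice for the example.

```python
from math import cos, pi

def dct2(x):
    """Unnormalized DCT-II of a 1-D signal."""
    N = len(x)
    return [sum(x[n] * cos(pi / N * (n + 0.5) * k) for n in range(N))
            for k in range(N)]

def idct2(X):
    """Inverse of dct2 above (DCT-III with the matching scaling)."""
    N = len(X)
    return [X[0] / N + (2.0 / N) * sum(X[k] * cos(pi / N * (n + 0.5) * k)
                                       for k in range(1, N))
            for n in range(N)]

def split_lf_hf(x, cutoff):
    """Split x into low- and high-frequency parts by zeroing DCT bands."""
    X = dct2(x)
    lf = idct2([c if k < cutoff else 0.0 for k, c in enumerate(X)])
    hf = idct2([c if k >= cutoff else 0.0 for k, c in enumerate(X)])
    return lf, hf

signal = [3.0, 5.0, 4.0, 6.0, 2.0, 7.0, 1.0, 8.0]
lf, hf = split_lf_hf(signal, cutoff=3)
# By linearity of the DCT, the two bands sum back to the original signal.
print(all(abs(l + h - s) < 1e-9 for l, h, s in zip(lf, hf, signal)))
```

The PRNU extractor can then be run on `lf` and `hf` separately, which is the essence of the pre-processing step the abstract describes.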
  • Efficiently searching target data traces in storage devices with region
           based random sector sampling approach
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Nitesh K. Bharadwaj, Upasna Singh. Today the pervasiveness and low cost of storage disk drives have made digital forensics a cumbersome, slow and expensive task. Since storage drives are huge reservoirs of digital evidence, examination of these devices requires an enormous amount of analysis time and computing resources. In order to examine large data volumes efficiently, random sector sampling, a subpart of forensic triage, has been used in the literature to attain admissible investigation outcomes. Conventionally, random sampling imposes the primary requirement of extensive seek and read requests. This paper presents a framework that efficiently combines sector hashing and random sampling to investigate the existence of target data traces by independently exploiting regions of the suspect storage drive. No prior work has quantified the number of random samples required to hit desired target data traces in storage drives. A standard percentage of random samples, which may be necessary and sufficient to validate the existence of target data in the drive, is therefore analyzed and proposed. Several experiments were devised to evaluate the method, considering storage media and target data of different capacities and sizes. It was observed that the size of the target data is an important factor in determining the percentage of sector samples required to examine storage disk drives effectively. In view of the quantified percentage of random samples, a case study is finally presented to evaluate the adequacy of the derived metrics.
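The sample-size question has a simple back-of-the-envelope model: if t of a drive's N sectors belong to the target data and sectors are drawn uniformly at random, the probability that n samples all miss the target is roughly (1 - t/N)^n, treating draws as independent, which is a close approximation when n ≪ N. Solving for n gives the sketch below; the drive and target sizes are invented for the example and the paper's own quantification is empirical rather than this closed form.

```python
from math import ceil, log

def samples_needed(total_sectors, target_sectors, miss_prob=0.01):
    """Smallest n with P(every random sample misses the target) <= miss_prob.

    Uses the approximation P(all miss) = (1 - t/N)**n, so
    n >= log(miss_prob) / log(1 - t/N).
    """
    p_miss_one = 1.0 - target_sectors / total_sectors
    return ceil(log(miss_prob) / log(p_miss_one))

# Example: a ~1 TB drive (about 2 * 10**9 512-byte sectors) holding a
# ~100 MB target (about 200,000 sectors), sampled until the probability
# of missing the target entirely drops to 1%.
n = samples_needed(2_000_000_000, 200_000, miss_prob=0.01)
print(n)
```

This makes the abstract's observation concrete: the required number of samples is driven almost entirely by the target-to-drive size ratio t/N, not by the absolute drive size.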
  • Source camera identification using Photo Response Non-Uniformity on
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Christiaan Meij, Zeno Geradts. The Photo Response Non-Uniformity (PRNU) pattern can be used to identify an individual camera and is often present in digital footage; the PRNU pattern is therefore also called the fingerprint of the camera. This pattern can be extracted and used to identify the source camera with a high likelihood ratio, which can be useful in cases such as child abuse or child pornography. In this research a second-order (FSTV) based method is used to extract the PRNU patterns from videos of ten different mobile phone cameras. By calculating the Peak-to-Correlation Energy, the PRNU patterns of the natural videos are compared to the PRNU patterns of reference flat-field videos of each camera to identify the source camera. This was done for the original videos and for videos transmitted via WhatsApp for Android and iOS, to determine whether source camera identification using PRNU remains possible after transmission through WhatsApp. The PRNU patterns of the natural videos are also compared to each other to determine whether videos originate from the same source. For most cameras tested the method provides a high likelihood ratio; however, if used in casework, a validation of the method with reference cameras of the same model and type is necessary. For videos transmitted by the iOS version of WhatsApp, source camera identification was no longer possible.
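The Peak-to-Correlation Energy statistic used above compares the correlation peak against the energy of the off-peak correlation values. The following is a simplified 1-D sketch of that computation; real implementations work on 2-D patterns, normalise the signals, and exclude a small neighbourhood around the peak rather than a single sample.

```python
import random

def circular_xcorr(a, b):
    """Circular cross-correlation of two equal-length sequences."""
    n = len(a)
    return [sum(a[i] * b[(i + shift) % n] for i in range(n))
            for shift in range(n)]

def pce(a, b):
    """Squared correlation peak over the mean energy of the off-peak values."""
    c = circular_xcorr(a, b)
    k = max(range(len(c)), key=lambda i: abs(c[i]))
    rest = [v for i, v in enumerate(c) if i != k]
    energy = sum(v * v for v in rest) / len(rest)
    return c[k] ** 2 / energy

random.seed(7)                                    # deterministic toy "residual"
residual = [random.gauss(0.0, 1.0) for _ in range(64)]
flat = [1.0] * 64                                 # featureless reference pattern

print(pce(residual, residual))   # matching pattern: high PCE
print(pce(residual, flat))       # unrelated reference: PCE near 1
```

A high PCE means the correlation has one sharp, well-separated peak, which is what links a video's noise residual to one specific camera's reference pattern.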
  • Following the breadcrumbs: Timestamp pattern identification for cloud
    • Abstract: Publication date: March 2018. Source: Digital Investigation, Volume 24. Author(s): Shuyuan Mary Ho, Dayu Kao, Wen-Ying Wu. This study explores the challenges of digital forensics investigation in file access, transfer and operations, and identifies file operational and behavioral patterns based on timestamps, both within and in interactions between Windows NTFS and Ubuntu Ext4 filesystems. File-based metadata is observed, and timestamps across different cloud access behavioral patterns are compared and validated. As critical metadata information cannot be easily observed, a rigorous iterative approach was implemented to extract hidden, critical file attributes and timestamps. Direct observation and cross-sectional analysis were adopted to analyze timestamps, and to differentiate between patterns based on different types of cloud access operations. Fundamental observation rules and characteristics of file interaction in the cloud environment are derived as behavioral patterns for cloud operations. This study contributes to cloud forensics investigation of data breach incidents, where the crime clues, characteristics and evidence of the incidents are collected, identified and analyzed. The results demonstrate the effectiveness of pattern identification for digital forensics across various types of cloud access operations.
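As a hypothetical illustration of such timestamp-based observation rules (the actual rules derived by the authors are more detailed and filesystem-specific; the rules and values below are invented to show the general approach), one can compare a file's creation (crtime), content-modification (mtime) and metadata-change (ctime) timestamps to infer which operation likely produced the file:

```python
# Illustrative rules only, not the paper's derived rule set.
def classify_operation(crtime, mtime, ctime):
    """Guess the file operation from a (crtime, mtime, ctime) triple."""
    if crtime > mtime:
        # Content older than the file object itself: typical of a copy or
        # download, where the data written now carries the source's mtime.
        return "copied/downloaded"
    if ctime > mtime >= crtime:
        # Metadata changed after the last content write, e.g. a rename/move.
        return "renamed/moved"
    return "created/edited in place"

print(classify_operation(crtime=200, mtime=100, ctime=200))
print(classify_operation(crtime=100, mtime=100, ctime=150))
print(classify_operation(crtime=100, mtime=120, ctime=120))
```

Chaining many such rules, and cross-checking them between the NTFS and Ext4 sides of a cloud transfer, is what turns raw timestamps into the behavioral patterns the study describes.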