Field Of Digital Forensics Research Articles

Decoding digital interactions: An extensive study of TeamViewer's Forensic Artifacts across Windows and android platforms

The pervasive influence of digital technology has ushered in a new era of connectivity, reshaping the landscape of forensic science and challenging investigators to adapt to evolving methods of digital interaction. Remote access applications (RAAs) like TeamViewer have become integral tools for facilitating remote collaboration and support across various platforms. However, the widespread adoption of such applications has also led to an increase in cybercrimes, underscoring the critical need for meticulous forensic analysis. This study presents a comprehensive examination of TeamViewer's forensic artifacts across Windows and Android platforms, employing advanced forensic techniques such as registry analysis, disk forensics, memory forensics, and Android forensics. By meticulously dissecting digital evidence and uncovering valuable insights into user interactions, configuration settings, and session dynamics, this research aims to enhance understanding of remote access activities and empower forensic investigators with the tools needed to combat cybercrimes effectively. The findings highlight the forensic significance of each investigative approach and underscore the importance of continuous innovation in the field of digital forensics.

Towards a unified XAI-based framework for digital forensic investigations

Explainable Artificial Intelligence (XAI) aims to alleviate the black-box AI conundrum in the field of Digital Forensics (DF) (and others) by providing layman-interpretable explanations to predictions made by AI models. It also handles the increasing volumes of forensic images that are impossible to investigate via manual methods; or even automated forensic tools. A holistic, generalized, yet exhaustive framework detailing the workflow of XAI for DF is proposed for standardization. A case study examining the implementation of the framework in a network forensics investigative scenario is presented for demonstration. In addition, the XAI-DF project lays the basis for a collaborative effort from the forensics community, aimed at creating an open-source forensic database that may be employed to train AI models for the digital forensics domain. As an onset contribution to the project, we create a memory forensics database of 27 memory dumps (Windows 7, 10, and 11) simulating malware activity and extracting relevant features (specific to processes, injected code, network connections, API hooks, and process privileges) that may be used for training, testing, and validating AI models in keeping with the XAI-DF framework.

Forensic analysis of bad USB attacks: A methodology for detecting and mitigating malicious USB device activities

BadUSB is one of the most dangerous cybersecurity threats, given that it uses the firmware of USB devices to perform various undetectable actions with numerous tools. This research aims to evaluate the efficiency of different forensic approaches, such as signature-based detection, behavioral analysis, and the machine learning (ML) approach, in detecting and analyzing BadUSB attacks. Experiments were conducted with preconfigured USB peripherals to perform keystroke injection, data exfiltration, malware delivery, and network traffic manipulation. The analysis shows that the behavioral analysis and the ML-based methods show high detection accuracy and low false positives. Machine learning detection is the most efficient method. Behavioral analysis had higher accuracy in detecting abnormal device behavior but had a longer detection time than the ML methods. This research beneficently addresses the issues and challenges in the field of digital forensics and calls for further improvement in the detection methods. It proposes ways to implement these methods within the existing cybersecurity models. Future studies should focus on the best approaches to fine-tune these techniques, diversify datasets for machine learning detection methods, and advance methodologies in forensics to accommodate new generations of technologies like the Internet of Things and cloud systems.

ВОЗМОЖНОСТИ ПОЛУЧЕНИЯ И ИСПОЛЬЗОВАНИЯ КРИМИНАЛИСТИЧЕСКИ ЗНАЧИМОЙ ИНФОРМАЦИИ ИЗ МЕТАДАННЫХ ФАЙЛОВ ПРИ РАСКРЫТИИ И РАССЛЕДОВАНИИ ПРЕСТУПЛЕНИЙ

Modern technologies and the digitalization of society have led to the fact that most of the information in the world is stored and transmitted electronically. This circumstance opens up new opportunities for law enforcement agencies in the detection and investigation of crimes. In today's world, where technology plays a key role in society, digital footprints are becoming an important element in crime investigation. Everyone has already got used to the fact that the main object of computer expertise in the field of computer information is the contents of files. However, such an important area as the study of file metadata remains underestimated in the investigation process. Metadata is an integral part of mod-ern crime investigation, providing investigators with valuable data for analysis and helping to restore the chronology of events and actions of persons associated with the crime. In the field of digital fo-rensics, special attention should be paid to the study and analysis of electronic traces that can be found in metadata. The issues of using file metadata have been touched upon in one way or another by many scien-tists, such as L.A. Buraeva [1], V.A. Gauzhaeva [2], R.R. Kardanov [3], Yu.M. Usoltsev [4], A.S. Arutyunov [5] and others. However, these authors made only an attempt to draw attention to the use of metadata in the investigation of crimes. Metadata may contain information about the time the file was created, its author, location, and other data that can be used in proving criminal cases. Metadata in the commission of crimes related to the use of information and telecommunication technologies can be compared with micro-objects in the commission of traditional crimes. Both are invisible traces, which are not so easy to destroy and to which few criminals pay attention. At the same time, they can provide significant assistance to the investigation in uncovering and investigat-ing crimes. This article attempts to draw the attention of the scientific world and employees involved in the preliminary investigation of crimes to the problems and possibilities of using metadata in the process of disclosure and investigation of crimes.

On enhancing memory forensics with FAME: Framework for advanced monitoring and execution

Memory Forensics (MF) is an essential aspect of digital investigations, but practitioners often face time-consuming challenges when using popular tools like the Volatility Framework (VF). VF, a widely-adopted Python-based memory forensics tool, presents difficulties for practitioners due to its slow performance. Thus, in this study, we evaluated methods to accelerate VF without modifying its code by testing four alternative Python Just In Time (JIT) interpreters - CPython, Pyston, PyPy, and Pyjion - using CPython as our baseline. Tests were conducted on 14 memory samples, totaling 173 GB, using a search-intensive VF plugin for Windows hosts. Employing our custom Framework for Advanced Monitoring and Execution (FAME), we deployed interpreters in Docker containers and monitored their real-time performance. A statistically significant difference was observed between the Python JIT interpreters and the standard interpreter. With PyPy emerging as the best interpreter, yielding a 15–20 % performance increase compared to the standard interpreter. Implementing PyPy has the potential to save significant time (many hours) when processing substantial memory samples. FAME enhances the efficiency of deploying and monitoring robust forensic tool testing, fostering reproducible research and yielding reliable results in both MF and the broader field of digital forensics.

Digital forensics in the context of digitalisation of modern society

The author substantiates the relevance of digital forensics in the context of digitalisation of modern society, notes the active use of digital technologies in solving various types of illegal activities in the field of computer information, and defines the concepts of “digital trace” and “digital forensics”. The author emphasises the need to develop new knowledge and developments in forensic techniques, standards and principles for evaluating and verifying collected evidence (digital traces), to carry out mandatory standardisation when working with digital information, and to consider and develop appropriate methodology for training specialists in the field of digital forensics. Attention is focused on ethical, legal and privacy issues related to the collection and use of digital data during an investigation, confidentiality and protection of personal information of persons not involved in a criminal offence, compliance of the collection and use of digital data during an investigation with certain legal norms and standards (obtaining court orders for evidence collection, requirements for information storage, observance of the rights and freedoms of persons under investigation), ensuring an appropriate level of protection, storage and transmission of personal information and restricting access to it only on certain grounds. The role of forensics in improving and increasing the effectiveness of the fight against modern crime, including war and cybercrime, through the active use of digital technologies is emphasised.

A template for creating and sharing ground truth data in digital forensics.

Ground truth data (GTD) is used by those in the field of digital forensics (DF) for a variety of purposes including to evaluate the functionality of undocumented, new, or emerging technology and services and the digital traces left behind following their usage. Most accepted and reliable trace interpretations must be derived from an examination of relevant GTD, yet despite the importance of it to the DF community, there is little formal guidance available for supporting those who create it, to do so in a way that ensures any data is of good quality, reliable, and therefore usable. In an attempt to address this issue, this work proposes a minimum standard of documentation that must accompany the production of any GTD, particularly when it is intended for use in the process of discovering new knowledge, proposing original interpretations of a digital trace, or determining the functionality of any technology or service. A template structure is discussed and provided in Appendix S1 which sets out a minimum standard for metadata describing any GTD's production process and content. It is suggested that such an approach can support the maintenance of trust in any GTD and improve the shareability of it.

Efficient Deepfake Audio Detection Using Spectro-Temporal Analysis and Deep Learning

With the advancement of deepfake technology, particularly in the audio domain, there is an imperative need for robust detection mechanisms to maintain digital security and integrity. Our research presents an "Enhanced Deepfake Audio Detection with Spectro-Temporal Deep Learning Approach," aimed at addressing the escalating challenge of distinguishing genuine audio from sophisticated deepfake manipulations. Our methodology leverages the ADD2022 dataset, which encompasses a wide range of audio clips, to train and evaluate a novel deep learning model. The core of our approach consists of a meticulous data preprocessing phase, where audio samples are resampled, normalized, and subjected to silence removal to ensure uniformity and enhance model input quality. Our deep learning model architecture innovatively combines Convolutional Neural Networks (CNNs) for extracting spectral features and Recurrent Neural Networks (RNNs) or Long Short-Term Memory (LSTM) networks for analyzing temporal dynamics. This hybrid model is adept at identifying the nuanced anomalies characteristic of deepfake audios. The model undergoes rigorous training and optimization, with performance evaluated against key metrics such as accuracy, precision, F1, recall score, and the Equal Error Rate (EER). Our findings exhibit the Enhanced Deepfake Audio Detection model's superior capability to discern deepfake audio, highlighting its potential as a pivotal tool in the fight against digital audio manipulation. This research contributes significantly to the field of digital forensics, offering a scalable and effective solution for ensuring the authenticity of audio content in an era dominated by deepfake technology.

Comparative analysis of software used in anonymised search and seizure cases: acquisition, examination and analysis

It is discussed that within the production of digital evidence, the use of forensic software to support the acquisition, examination and analysis of evidence in a correct manner plays a role of great importance, mainly to maintain the credibility of evidence and its acceptance in the judiciary. The objective is to evaluate a sample of real judicial search and seizure cases that occurred between 2014 and 2023, presenting the forensic software used in each stage of each evaluated case. A random selection of one case will be made for each year, with anonymised data, to carry out a continuity analysis of the software used. The article seeks to identify whether these software remain in force or whether it has been discontinued, rendered obsolete or replaced over the selected sampling period, The research is structured in operational stages, starting with the selection of cases until the analysis of software continuity, revealing a predominance of software with valid status and indicating a tendency to update technological solutions in the field of digital forensics. The results also highlight the need for periodic reviews of the solutions that exist in the market. Based on the sample analyzed, the software evaluated shows, in their majority, continuity, with 87.5% of the solutions considered current when adding the software in force and replaced. This study contributes to the understanding of the evolution of forensic software by offering details on the status of continuity of such software for the digital evidence production process and the respective credibility of the acceptance of evidence in the judicial environment.

Hypervisor-based data synthesis: On its potential to tackle the curse of client-side agent remnants in forensic image generation

In the field of digital forensics, the number and heterogeneity of devices typically involved in an investigation is increasing. In order to train digital forensics practitioners and make faster progress in the development and validation of forensic tools, the demand for up-to-date data sets is high. However, manually creating data sets is a complex, tedious, and time-consuming task increasing the need for automated solutions. Existing data generation frameworks typically use components that run directly on the simulated client (e.g., a client-side agent controlled via SSH). On the one hand, this facilitates simulation by providing direct feedback from the client and the ability to use client-side libraries to access software. On the other hand, however, this approach creates unintended traces in the generated data sets that quickly reveal their synthetic origin and affect their realism and thus their relevance. To avoid such traces, this paper presents a hypervisor-based solution to eliminate such a client-side software component in a recent digital forensic data set generator, while compensating for its absence only through host-side means. To demonstrate the practicability of the proposed approach as well as the indistinguishability of the generated traces, a multi-participant scenario is performed as a proof of concept to replicate a realistic attack scenario on a Linux system from a Kali attacker machine. During the evaluation, the generated data set is compared in terms of unintended traces and realism to a data set generated by the same framework using an agent component. In this way, we demonstrate the benefits and overall usefulness of an agent-less data synthesis approach.

Exploring the Effectiveness of Machine Learning Algorithms in Image Forgery Detection

This study investigates the efficacy of various machine learning algorithms for detecting image forgery, a prevalent issue in the realm of digital media manipulation. The research focuses on assessing the performance of these algorithms in accurately identifying instances of image tampering, aiming to contribute valuable insights to the field of digital forensics. The evaluation encompasses a diverse set of machine learning techniques, including but not limited to convolutional neural networks (CNNs), support vector machines (SVMs), and decision trees. Through rigorous experimentation and comparative analysis, the research aims to discern the strengths and limitations of each algorithm in the context of image forgery detection. The findings of this study hold significance for enhancing the capabilities of digital forensics tools, thereby aiding in the mitigation of fraudulent activities, and ensuring the integrity of visual content in the digital' domain.

A Static Approach for Malware Analysis: A Guide to Analysis Tools and Techniques

Abstract: Malicious code presents a severe risk to computer systems, making work difficult for information security and cyber experts. Malware analysis is in great demand because of its importance and function in digital forensics and cyber security. Malware, often known as malicious software, is purposefully written software that harms or damages people, computers, servers, or networks. An overview of malware analysis methods and techniques in the fields of digital forensics and cyber security is given in this article. The study examines several malware types, their characteristics, and analysts' challenges in locating and analyzing them. It also highlights the importance of continuing this field's research and development to stay ahead of evolving malware threats. Trojan horses, worms, backdoors, rootkits, and adware are examples of malware. There are several methods for analyzing malware, but one of the most well-known is static analysis. This article will look at several methods for doing malware analysis and detection on corporate systems, as well as the resources available to assist with sample inspection to reduce the impact of malware assaults on an organization's operations. The investigator must first choose which methods and instruments to use for analysis. Static analysis, which includes malware scanners and detectors, is the first line of defense against malware. As technology advances, malware creators use various techniques to conceal their source code from scanners and detectors that search for strings, pattern matching, and other similar patterns to determine hash values that may be used to identify the infection. Malware experts decompress the packed file into unpacked one to examine obfuscated malware. This study examines efforts to investigate the many techniques and instruments malware uses in the real world.

Fostering an “investigating mindset”: Why is it important in digital forensic science education?

AbstractThe importance of the field of digital forensics (DF) is growing, where digital evidence is increasingly recognized as a crucial part of many investigations. As a result, criminal justice systems rely on DF practitioners to conduct robust investigations of digital devices and their data, and interpret and present these results in a way that can be relied upon. Undertaking this task appropriately requires a practitioner to have a range of skills; however, focus is often placed on the need for and importance of technical competency. Technical skills are vital in this role, that cannot be in dispute; however, this work discusses the need for practitioners to also have an “investigative mindset.”This article is categorized under: Digital and Multimedia Science > Cybercrime Investigation

Enhancing Digital Forensic Investigation: A Focus on Compact Electronic Devices and Social Media Metadata

The rise of portable electronic devices and social media has led to new criminal activities, necessitating advancements in digital forensics. This paper introduces Small-Scale Digital Device Forensics (SSDDF), focusing on the forensic examination of miniature digital devices often used in crimes. SSDDF addresses the challenges posed by these devices, particularly in extracting and analyzing data from them. A key aspect of this research is exploring ontology in social media forensics, particularly within the Android operating system. This involves extracting digital evidence like user accounts, messages, and images from social media platforms. While the paper primarily focuses on social media data, it acknowledges the importance of the devices used in crimes. The integration of SSDDF and the analysis of Android system structures are highlighted as key advancements in digital forensic methodologies. These enhancements are expected to improve the process of collecting and analyzing digital evidence from both compact electronic devices and social media platforms. The study offers significant contributions to the field of digital forensics. It provides new strategies for more efficient and effective forensic investigations, especially in the context of extracting and analyzing digital evidence from small electronic devices and social media, thus paving the way for more robust digital evidence handling in future forensic inquiries.

Software para recolección de evidencias digitales rápidas en sistemas Windows

In the field of Digital Forensics, there are numerous criteria to consider when determining which elements are relevant for obtaining useful information to clarify a case. During a search and seizure procedure, when there are numerous technological items that could be candidates for confiscation for in-depth analysis in the laboratory, it becomes necessary to discern which elements would be of interest, and which would not provide useful information. This is because the analysis times grow exponentially as more equipment and mass storage devices are added to the list of items to be seized. In this paper, we present an "on-site" application software for obtaining digital forensic evidence during search and seizure procedures, following the current protocol of action. This software will also be used as an "indicator" of the content of the equipment under analysis, allowing the acting expert to make decisions (such as whether to confiscate a specific piece of equipment or not) at the location where the procedure is being carried out.

Interpreting digital traces:- 8 foundational pillars to support the formation of opinion in digital forensics

The field of digital forensics (DF) is facing increasing scrutiny of the quality of the work it produces. Fundamental to it is the need for its practitioners to be able to accurately determine the meaning of potentially relevant digital traces found during an examination of a device. As the reliance on digital evidence continues to grow, so does the importance of digital trace-interpretation. It is therefore imperative that this task is conducted robustly, where this work describes ‘eight pillars’ that should underpin how a practitioner has gone about interpreting any given digital trace.

Real-Time Detection and Identification of Suspects in Forensic Imagery Using Advanced YOLOv8 Object Recognition Models

Rapid advancements in artificial intelligence, machine learning, deep learning, coupled with easy access to high-capacity processing hardware, expansive organized datasets, and the evolution of artificial intelligence algorithms, have extensively influenced numerous fields. Digital Forensics is one such discipline where the application of artificial intelligence has been significantly amplified in recent years. The analysis of extensive image and video files derived from forensic evidence presents challenges in terms of time efficiency and accuracy. To surmount these challenges, artificial intelligence models can be employed to perform identification and classification processes on these data, thus expediting the resolution of forensic cases with enhanced precision. In the current study, state-of-the-art pre-trained YOLOv8 object recognition models - nano, small, medium, large, and extra-large - were utilized. These models were trained on the Wider-Face dataset with the objective of identifying suspects from images and videos sourced from digital materials in the field of digital forensics. The models achieved mean Average Precision (mAP) values of 97.513%, 98.569%, 98.763%, 98.775%, and 99.032% respectively. The YOLOv8 architecture demonstrated superior performance, outperforming the YOLOv5 architecture by a margin of 7.1% to 8.8%. To aid digital forensic experts in the detection and identification of suspicious individuals, a desktop application capable of real-time image analysis was developed.

Forensic analysis of SQL server transaction log in unallocated area of file system

The importance of database forensics is increasing day by day as the use of databases to store sensitive corporate and personal data increases. Database forensics is a field of digital forensics that deals with database-related incidents such as data corruption, breaches, and leaks. One of the key functions of database forensics is information reconstruction, which is the tracing of actions from the time of an event to the present based on various information stored in the database. This feature allows investigators to identify unauthorized user actions and data deletion or manipulation when an incident occurs. Database log data is primarily used to reconstruct information. Database logs include transaction logs, error logs, event logs, and trace logs. Among them, we focus on the transaction log of Microsoft SQL Server (MSSQL), one of the most popular database management systems in the world. Raw-level studies have been conducted on the transaction logs of Oracle and MySQL, other databases used at the enterprise level. However, there is very little research on MSSQL transaction logs. For this reason, we analyze the internal structure of the MSSQL transaction log. Based on these finding, we present an empirical method to identify and extract transaction log records in unallocated area.

ChatGPT for digital forensic investigation: The good, the bad, and the unknown

The disruptive application of ChatGPT (GPT-3.5, GPT-4) to a variety of domains has become a topic of much discussion in the scientific community and society at large. Large Language Models (LLMs), e.g., BERT, Bard, Generative Pre-trained Transformers (GPTs), LLaMA, etc., have the ability to take instructions, or prompts, from users and generate answers and solutions based on very large volumes of text-based training data. This paper assesses the impact and potential impact of ChatGPT on the field of digital forensics, specifically looking at its latest pre-trained LLM, GPT-4. A series of experiments are conducted to assess its capability across several digital forensic use cases including artefact understanding, evidence searching, code generation, anomaly detection, incident response, and education. Across these topics, its strengths and risks are outlined and a number of general conclusions are drawn. Overall this paper concludes that while there are some potential low-risk applications of ChatGPT within digital forensics, many are either unsuitable at present, since the evidence would need to be uploaded to the service, or they require sufficient knowledge of the topic being asked of the tool to identify incorrect assumptions, inaccuracies, and mistakes. However, to an appropriately knowledgeable user, it could act as a useful supporting tool in some circumstances.

Bike computer forensics: An efficient and robust method for FIT file recovery

The popularity of bike computer devices has grown in recent years. These devices generate a wealth of data in the form of Flexible and Interoperable Data Transfer (FIT) files, which can be used to store fitness related data efficiently. However, the recovery of corrupted FIT files remains a significant challenge due to their inherent structure. The format relies on a chain of messages stored sequentially, with each message referencing previous data to parse the subsequent record. As a result, the recovery of data situated between corrupted portions becomes notably challenging. This study introduces an efficient, and robust method for dense recovery of corrupted files. Our approach combines multiple phases of data carving techniques to maximize data recovery. By employing this method, investigators can effectively access crucial information including accident reconstruction, and criminal activities. The proposed methods demonstrate higher recovery rate through the proof-of-concept and real-world experiments, proving its utility and reliability in the field of digital forensics.