Similar literature
1.
Existing comparison studies of random access memory (RAM) acquisition tools are either limited in their metrics or evaluate tools that were designed for older operating systems. Therefore, this study evaluates seven widely used shareware or freeware/open-source RAM acquisition forensic tools that are compatible with the latest 64-bit Windows operating systems. The tools' user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs, modified registry keys, and files invoked during processing were compared. We observed that Windows Memory Reader and Belkasoft's Live RAM Capturer leave the fewest fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poorly in memory usage, processing time, DLL usage, and unwanted artifacts introduced to the system. While Belkasoft's Live RAM Capturer is the fastest at obtaining an image of memory, ProDiscover takes the longest to do the same job.

2.
In this paper, we review the literature on antiforensics published between 2010 and 2016 and reveal a surprising lack of up-to-date research on this topic. This research aims to contribute to this knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach that allows for the removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and show that a Trojan Horse infection may be a legitimate possibility even if there is no evidence of an infection on a seized computer's hard drive. Up-to-date information on how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.

3.
Since its inception over a decade ago, the field of digital forensics has faced numerous challenges. Although different researchers and digital forensic practitioners have studied and analysed various known digital forensic challenges, as of 2013 there is still a need for a formal classification of these challenges. This article therefore reviews the existing research literature and highlights the various challenges that digital forensics has faced over the last 10 years. In conducting this study, however, it was not feasible for the authors to review all existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. A taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well-defined and easily understood categories. The proposed taxonomy can be useful, for example, in future development of automated digital forensic tools, by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. It should also be noted, however, that the purpose of this paper was not to propose solutions to the individual challenges that digital forensics faces, but to serve as a survey of the state of the art of the research area.

4.
An Android social app taxonomy incorporating artifacts that are of forensic interest will enable users and forensic investigators to identify the personally identifiable information (PII) stored by the apps. In this study, 30 popular Android social apps were examined. Artifacts of forensic interest (e.g., contact lists, chronology of messages, and the timestamp of an added contact) were recovered. In addition, images were located, and Facebook token strings used to tie account identities and gain access to information entered into Facebook by a user were identified. Based on the findings, a two-dimensional taxonomy of the forensic artifacts of the social apps is proposed. A comparative summary of existing forensic taxonomies of different categories of Android apps, designed to facilitate timely collection and analysis of evidentiary materials from Android devices, is presented.

5.
Cloud storage services allow users to store their data online so that they can remotely access, maintain, manage, and back up data from anywhere via the Internet. Although helpful, such storage creates a challenge for digital forensic investigators and practitioners in collecting, identifying, acquiring, and preserving evidential data. This study proposes an investigation scheme for analyzing data remnants and determining probative artifacts in a cloud environment. Using pCloud as a case study, this research collected the data remnants available on end-user device storage following the storing, uploading, and accessing of data in the cloud storage. Data remnants were collected from several sources, including client software files, directory listings, prefetch, registry, network PCAP, browser, memory, and link files. The results demonstrate that the collected data remnants are useful for establishing a sufficient number of artifacts about the investigated cybercrime.

6.
Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP) apps, are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining the artifacts of forensic interest arising from the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined; a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and the chronology of messages, was recovered. Based on the findings, a two-dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.

7.
The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes a corresponding likelihood that digital forensic practitioners will encounter this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system, provide a potential source of evidence. Following Microsoft's April 2018 build 1803 release, with its incorporated "Timeline" feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature, demonstrating the ability to recover activity-based content from within its stored database log files. Examination results and the underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query is provided to support the interpretation of data stored within ActivitiesCache.db.

8.
9.
Advances in technology, including the development of smartphone features, have contributed to the growth of mobile applications, including dating apps. However, online dating services can be misused. To support law enforcement investigations, this study presents a forensic taxonomy that provides a systematic classification of forensic artifacts from Windows Phone 8 (WP8) dating apps. The taxonomy has three categories, namely App Categories, Artifact Categories, and Data Partition Categories. The taxonomy is built on the findings of a case study of 28 mobile dating apps, using mobile forensic tools. The dating app taxonomy can be used to inform future studies of dating and related apps, such as those on the Android and iOS platforms.

10.
With an increase in the creation and maintenance of personal websites, web content management systems (WCMS) are now frequently used. Such systems offer a low-cost and simple solution for those seeking to develop an online presence and, consequently, a platform from which defamatory content, abuse, and copyright infringement have been reported. This article provides an introductory forensic analysis of the three currently most popular web content management systems: WordPress, Drupal, and Joomla!. Test platforms were created and their site structures examined to provide guidance for forensic practitioners facing investigations of this type. The results document the metadata available for establishing site ownership, user interactions, and stored content, following analysis of artifacts including WordPress's wp_users and wp_comments tables, Drupal's "watchdog" records, and Joomla!'s _users and _content tables. Finally, investigatory limitations documenting the difficulties of investigating WCMS usage are noted, and analysis recommendations are offered.

11.
Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-anti-forensic techniques that detect file-wiping activity. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA rather than on Windows artifacts. Additionally, the previous studies that have examined Windows artifacts considered different sets of artifacts, making it difficult to study them comprehensively. To address this, we comprehensively analyzed the traces left in 13 Windows artifacts by the operation of 10 file-wiping tools on the Windows operating system. For our experiments, we installed each file-wiping tool on a separate virtual machine and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces in the artifacts other than JumpList, Open&SavePidlMRU, and lnk, and there were also some cases where traces remained in those three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, which can assist decision-making in evidence collection and forensic triage.

12.
Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology-related research activities and applications in different disciplines, the development of ontologies and ontology research is still lacking in digital forensics. This paper therefore presents the case for establishing an ontology for the digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics, including professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize digital forensic domain knowledge and to explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussion and further research on an internationally agreed ontological distinction of the digital forensic disciplines. The digital forensic disciplines ontology is a novel approach to organizing digital forensic domain knowledge and constitutes the main contribution of this paper.

13.
Diabetes mellitus (DM) is a common disease involving insulin resistance or deficit that, when left unchecked, may cause severe hyperglycemia and subsequent end-organ damage. Acute pancreatitis (AP) is inflammation of the pancreas that can lead to significant morbidity and mortality. AP and DM both account for a significant number of sudden deaths, and rarely both disease processes may be present in the same decedent, causing some difficulty in wording the cause-of-death statement. Although much research has been directed at studying the causes and risk factors for AP and DM, there is a complex interplay between these diseases that is not fully understood. This study presents two autopsy cases of sudden, natural deaths that illustrate this interplay, along with a review of the literature. An algorithm for differentiating AP and DM is then discussed in the context of the presented cases as a proposed aid for forensic pathologists in the certification of such deaths.

14.
File-sharing apps with Wi-Fi hotspot or Wi-Fi Direct functions are becoming more popular. They work on multiple platforms and allow users to transfer files in a concealed manner. However, when criminals use these apps in illegal activities, finding digital evidence across multiple platforms becomes an important issue for investigators. At present, there are few studies on this topic, and most of them are limited to a single platform. In this paper, we propose a forensic examination method for four popular cross-platform file-sharing apps with Wi-Fi hotspot and Wi-Fi Direct functions: Zapya, SHAREit, Xender, and Feem. We use 22 static and live forensic tools across 11 platforms to acquire, analyze, and classify the forensic artifacts. In our experiments, we find many useful forensic artifacts and classify them into six categories. The experimental results can support law enforcement investigations of digital evidence and provide information for future studies of other cross-platform file-sharing apps.

15.
Osteoarthritis (OA) is a marker of degeneration within the skeleton, frequently associated with age. This study quantifies the correlation between OA and age-at-death and investigates the utility of shoulder OA as a forensic age indicator using a modern North American sample of 206 individuals. Lipping, surface porosity, osteophyte formation, eburnation, and percentage of joint surface affected were recorded on an ordinal scale and summed to create composite scores that were assigned a specific phase. Spearman's correlation indicated a positive relationship between each composite score and age (right shoulder = 0.752; left shoulder = 0.734). Transition analysis revealed a tendency toward earlier degeneration of the right shoulder. Bayesian statistics generated phase-related age estimates based on highest posterior density regions. The best age estimates extended into the seventh decade at the 90th and 50th percentiles. The proposed method supplements traditional techniques by providing age estimates beyond a homogeneous 50+ age cohort.

16.
An online forensic dental identification exercise was conducted involving 24 antemortem-postmortem (AM-PM) dental radiograph pairs from actual forensic identification cases. Images had been digitally cropped to remove coronal tooth structure and dental restorations. Volunteer forensic odontologists were passively recruited to compare the AM-PM dental radiographs online and conclude identification status using the guidelines for identification from the American Board of Forensic Odontology. The mean accuracy rate for identification was 86.0% (standard deviation 9.2%). The same radiograph pairs were compared using a digital imaging software algorithm, which generated a normalized coefficient of similarity for each pair. Twenty of the radiograph pairs generated a mean accuracy of 85.0%. Four of the pairs could not be used to generate a coefficient of similarity. Receiver operator curve and area under the curve statistical analysis confirmed good discrimination abilities of both methods (online exercise = 0.978; UT-ID index = 0.923), and Spearman's rank correlation coefficient analysis (0.683) indicated good correlation between the results of both methods. Computer-aided dental identification allows for an objective comparison of AM-PM radiographs and can be a useful tool to support a forensic dental identification conclusion.

17.
Computed tomography (CT) imaging is increasingly used in emergency departments and trauma services and is being offered as a supplemental tool to autopsy in coroner's and medical examiner's offices throughout the United States. The availability of CT images in lieu of traditional X-rays for medicolegal autopsies may lead to misinterpretation of images by forensic pathologists who are not familiar with these types of images. Forensic pathologists must become familiar with CT imaging, the basis of CT image formation, and how to interpret CT images appropriately. We highlight potential pitfalls of CT image interpretation through two cases of fatal gunshot wounds of the head. Antemortem CT imaging available at the time of autopsy led to a discrepancy between the initial image findings and the autopsy due to inexperienced manipulation of the images. With an appropriate understanding of CT image interpretation and manipulation, forensic personnel should be able to avoid most sources of misinterpretation.

18.
High dynamic range (HDR) imaging is a function that combines five images with different exposures into a single image. This technique may provide fine ridge details in fingerprint images for forensic latent fingerprint examination; viewing fingerprints under optimal conditions is therefore of paramount importance. This paper analyzes HDR and non-HDR photos using the Michelson contrast formula. The Michelson formula provides a measurement for determining whether better contrast between the background and the print can be achieved using the HDR function, and whether the background color affects the quality of the images. Two hypotheses were tested: (i) the HDR image provides more fingerprint detail, with better tone, greater clarity, and higher contrast, than a normally exposed image regardless of the background color; (ii) the background color does not affect the quality of HDR fingerprint images overall, but a multi-color background may increase the contrast of HDR fingerprint images in some cases.

19.
Adshead's recognition that only when taken together can the many different conceptions of justice accommodate what is called for in the particularly demanding setting of forensic mental health care is to be applauded. Each must be honoured and built into the systems of assessment and treatment that are the tasks of the forensic psychiatrist, she demonstrates. Adshead's far-reaching revisions could resolve much that is troubling about the present practice of forensic psychiatry. Yet how far these revisions can overcome the moral dilemmas associated with dual roles in forensic psychiatry is not so clear.

20.
Communication apps can be an important source of evidence in a forensic investigation (e.g., in the investigation of a drug trafficking or terrorism case where communication apps were used by the accused persons during the transactions or planning activities). This study presents the first evidence-based forensic taxonomy of Windows Phone communication apps, using an existing two-dimensional Android forensic taxonomy as a baseline. Specifically, 30 Windows Phone communication apps, including Instant Messaging (IM) and Voice over IP (VoIP) apps, are examined. Artifacts extracted using physical acquisition are analyzed, and seven digital evidence objects of forensic interest are identified, namely: Call Log, Chats, Contacts, Locations, Installed Applications, SMSs, and User Accounts. Findings from this study would help to facilitate timely and effective forensic investigations involving Windows Phone communication apps.

Copyright © Beijing Qinyun Technology Development Co., Ltd.