Similar literature
Found 20 similar documents (search time: 31 ms)
1.
The paper describes an innovative method used to recover digital images and videos from an evidentiary CD-RW disc that had been erased. The digital evidence had been erased by the subject of the investigation in an attempt to destroy incriminating evidence of the crime. Without the recovery of the digital evidence, there would have been no conviction in the child exploitation case as there was no physical or testimonial evidence.

2.
《Science & justice》2022,62(1):86-93
The prominence of technology usage in society has inevitably led to increasing numbers of digital devices being seized, where digital evidence often features in criminal investigations. Such demand has led to well documented backlogs placing pressure on digital forensic labs, where in an effort to combat this issue, the ‘at-scene triage’ of devices has been touted as a solution. Yet such triage approaches are not straightforward to implement with multiple technical and procedural issues existing, including determining when it is actually appropriate to triage the contents of a device at-scene. This work remains focused on this point due to the complexities associated with it, and to support first responders a nine-stage triage decision model is offered which is designed to promote consistent and transparent practice when determining if a device should be triaged.

3.
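In the United States, the use of electronic evidence has become a very common phenomenon in court. In a jury trial, a prosecutor seeking to use electronic evidence must overcome several obstacles to have the trial judge admit it. Some evidentiary standards are designed to limit the jury's fact-finding process. The prosecutor may ask the court to hold a pretrial proceeding to decide whether the electronic evidence is admissible. Establishing a chain of custody for electronic evidence and established institutional procedures dedicated to handling electronic evidence is a key part of the prosecution's work, as this ensures that the jury's trust is won during the court's examination. It is very important to select jurors who appreciate the importance of electronic evidence, while avoiding those who would want to dominate the jury's decision on the basis of their own professional expertise.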

4.
Continuing advancements in the field of digital cameras and surveillance imaging devices have led law enforcement and intelligence agencies to use analysis of images and videos for the investigation and prosecution of crime. When determining identity from photographic evidence, forensic analysts perform comparison of visible facial features manually, which is inefficient. In this study, we will address research efforts to use facial marks as biometric signatures to distinguish between individuals. We propose two systems to assist forensic analysts during photographic comparison: an improved multiscale facial mark system in which facial marks are detected automatically, and a semi‐automatic facial mark system that integrates human knowledge within the improved multiscale facial mark system. Experiment results employ a high‐resolution time‐elapsed dataset acquired at the University of Notre Dame between 2009 and 2011. The results indicate that the geometric distributions of facial mark patterns can be used to distinguish between individuals.

5.
Recently, digital forensics has become increasingly important as it is used by investigation agencies, corporations, and the private sector. To supplement the limitations of evidence capacity and be recognized in court, it is essential to establish an environment that ensures the integrity of the entire process ranging from collecting and analyzing to submitting digital evidence to court. In this study, common elements were extracted by comparing and analyzing ISO/IEC 17025, 27001 standards and Interpol and Council of Europe (CoE) guidelines to derive the necessary components for building a digital forensic laboratory. Subsequently, based on 21 digital forensic experts in the field, Delphi survey and verifications were conducted in three rounds. As a result, 40 components from seven areas were derived. The research results are based on the establishment, operation, management, and authentication of a digital forensics laboratory suitable for the domestic environment, with added credibility through collection of the opinions of 21 experts in the field of digital forensics in Korea. This study can be referred to in establishing digital forensic laboratories in national, public, and private digital forensic organizations as well as for employing as competency measurement criteria in courts to evaluate the reliability of the analysis results.

6.
《Science & justice》2023,63(3):369-375
The strong integration of consumer electronics in everyday life offers many new investigative opportunities. In particular, digital traces from smartphones, smartwatches and activity trackers can now increasingly be used to infer information about actions performed by their users in the physical world that might not be obtainable from any other types of forensic evidence. While potentially very valuable from an investigative perspective, making forensically justifiable statements about such traces can sometimes be more difficult than expected. Requirements for this have not yet received much attention in the digital forensic literature. To help fill this gap, we describe the principles we use in determining the evidential value of such traces, which emphasize the need for experimental verification. For such research, aimed at determining the evidential value of these traces, we coin the term data2activity. In this paper, we devote attention to the potential and limitations of data2activity traces, focusing on challenges and giving two examples to illustrate potential pitfalls in interpreting data. Finally, future research directions into data2activity traces are indicated that, in our opinion, should be given attention. These include development of future-proof data acquisition and storage methodology, enabling division-of-effort and sharing of information, as well as development of labeling methodology for free-living experiments.

7.
There is an abundance of measures available to standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

8.
Data recovery is an important component of digital forensic research. Although recovering data from hard drives or small-scale mobile devices has been well studied, solid-state disks (SSDs) have a very different internal architecture and some additional functions, and it is not clear whether these differences will have an effect on data recovery. Data scrambling is an additional function of an SSD controller which can improve data reliability, but makes data recovery difficult. In this research, the dedicated flash software was first introduced that can acquire the physical image of an SSD without destroying the device hardware. Based on the software, a validation experiment was presented to evaluate the effect of data scrambling on data recovery and the causes of the effect were analyzed. Then two approaches to descrambling the data in the flash chips were proposed and their advantages and disadvantages discussed. After that, a procedure to identify the scrambling seeds that are used to descramble the scrambled data was described. Finally, descrambling software was implemented based on the second descrambling method. The experiment shows that this software can successfully descramble the data from an SSD flash drive regardless of the internal structure of the scrambler in the SSD controller and can generate an unscrambled physical image on which most existing data-recovery techniques can be effective.

9.
File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, while users have the option to create ReFS file systems, digital forensic investigators need to investigate the file systems identified on a seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen for Windows file systems, is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster.
For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.

10.
Footwear impressions are one of the most common forms of evidence to be found at a crime scene, and can potentially offer the investigator a wealth of intelligence. Our aim is to highlight a new and improved technique for the recovery of footwear impressions, using three-dimensional structured light scanning. Results from this preliminary study demonstrate that this new approach is non-destructive, safe to use and is fast, reliable and accurate. Further, since this is a digital method, there is also the option of digital comparison between items of footwear and footwear impressions, and an increased ability to share recovered footwear impressions between forensic staff thus speeding up the investigation.

11.
The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.

12.
《Science & justice》2021,61(6):761-770
Many criminal investigations maintain an element of digital evidence, where it is the role of the first responder in many cases to both identify its presence at any crime scene, and assess its worth. Whilst in some instances the existence and role of a digital device at-scene may be obvious, in others, the first responder will be required to evaluate whether any ‘digital opportunities’ exist which could support their inquiry, and if so, where these are. This work discusses the potential presence of digital evidence at crime scenes, approaches to identifying it and the contexts in which it may exist, focusing on the investigative opportunities that devices may offer. The concept of digital devices acting as ‘digital witnesses’ is proposed, followed by an examination of potential ‘digital crime scene’ scenarios and strategies for processing them.

13.
As the closed-circuit television (CCTV) security industry transitioned from analog media to digital video recorders (DVRs) with digital storage, the law enforcement community struggled with the means with which to collect the recordings. New guidelines needed to be established to determine the collection method which would be efficient as well as provide the best quality evidence from live DVRs. A test design was developed to measure, quantify, and rank the quality of acquisition methods used on live systems from DVRs typically used in digital CCTV systems. The purpose was to determine guidelines for acquiring the best quality video for investigative purposes. A test pattern which provided multiple quantifiable metrics for comparison between the methods of acquisition was used. The methods of acquisition included direct data download of the proprietary file and open file format as well as recording the video playback from the DVR via the available display monitor connections including the composite video, Video Graphics Array (VGA), and high-definition multimedia interface (HDMI). While some acquisition methods may provide the best quality evidence, other methods of acquisition are not to be discounted depending on the situation and need for efficiency. As an investigator that needs to retrieve video evidence from live digital CCTV systems, the proprietary file format, overall, provides the best quality evidence. However, depending on the circumstance and as recording technology continues to evolve, options other than the proprietary file format may provide quality that is equal to or greater than the proprietary file format.

14.
The photographic preservation of fingermark impression evidence found on ammunition cases remains problematic due to the cylindrical shape of the deposition substrate preventing complete capture of the impression in a single image. A novel method was developed for the photographic recovery of fingermarks from curved surfaces using digital imaging. The process involves the digital construction of a complete impression image made from several different images captured from multiple camera perspectives. Fingermark impressions deposited onto 9‐mm and 0.22‐caliber brass cartridge cases and a plastic 12‐gauge shotgun shell were tested using various image parameters, including digital stitching method, number of images per 360° rotation of shell, image cropping, and overlap. The results suggest that this method may be successfully used to recover fingermark impression evidence from the surfaces of ammunition cases or other similar cylindrical surfaces.

15.
CCTV surveillance systems are IoT products that can be found almost everywhere. Their digital forensic analysis often plays a key role in solving crimes. However, it is common for these devices to use proprietary file systems, which frequently hinders a complete examination. HIKVISION is a well-known manufacturer of such devices that typically ships its products with its proprietary file system. The HIKVISION file system has been analyzed before but that research has focused on the recovery of video footage. In this paper, the HIKVISION file system is being revisited regarding the log records it stores. More specifically, these log records are thoroughly examined to uncover both their structure and meaning. These unexplored pieces of evidence remain unexploited by major commercial forensic software, yet they can contain critical information for an investigation. To further assist digital forensic examiners with their analysis, a Python utility, namely the Hikvision Log Analyzer, was developed as part of this study that can automate part of the process.

16.
《Science & justice》2022,62(5):515-519
Digital forensic practitioners often utilise a range of tools throughout their casework in order to access, identify and analyse relevant data, making them a vital part of conducting thorough, efficient and accurate digital examinations of device content and datasets. Whilst their importance cannot be understated, there is also no guarantee that their functionality is free from error, where similarly, no practitioner can 100% assure that their performance is flawless. Should an error occur during an investigation, assuming that it has been identified, then determining the cause of it is important for the purposes of ensuring quality control in both the immediate investigation and for longer-term practice improvements. Perhaps anecdotally, a starting position in any postmortem review of an error may be to suspect that any tools used may be at fault, where recent narratives and initiatives have enforced the need to evaluate all tools prior to them being used in any live investigation. Yet, in addition, an error may occur as a result of a practitioner’s investigative conduct. This work discusses the concept of ‘fault-attribution’, focusing on the roles of the forensic tool and practitioner, and proposes a series of principles for determining responsibility for an investigative error.

17.
As users become increasingly aware of the need to adopt strong passwords, it hinders the digital forensics investigations due to the password protection of potential evidence data. In this paper, we analyse and discuss existing password recovery methods, and identify the need for a more efficient and effective method to aid the digital forensics investigation process. We show that our new time-memory trade-off method is able to achieve up to a 50% reduction in terms of the storage requirement in comparison to the well-known rainbow table method while maintaining the same success rate. Even when taking into consideration the effect of collisions, we are able to demonstrate a significant increase (e.g. 13.28% to 19.14%, or up to 100% based on considering total plaintext–hash pairs generation) in terms of the success rate of recovery if the storage requirement and the computational complexity are to remain the same.

18.
《Science & justice》2023,63(2):258-275
Plants are a good source of biological forensic evidence; this is due to their ubiquity, their ability to collect reference material, and their sensitivity to environmental changes. However, in many countries, botanical evidence is recognised as being scientifically. Botanical evidence is not mostly used for perpetration, instead it tends to serve as circumstantial evidence. Plant materials constitute the basis, among others, for linking a suspect or object to a crime scene or a victim, confirming or not confirming an alibi, determining the post-mortem interval, and determining the origin of food/object. Forensic botany entails field work, knowledge of plants, understanding ecosystem processes, and a basic understanding of geoscience. In this study, experiments with mammal cadavers were conducted to determine the occurrence of an event. The simplest criterion characterising botanical evidence is its size. Therefore, macroremains include whole plants or their larger fragments (e.g. tree bark, leaves, seeds, prickles, and thorns), whereas microscopic evidence includes palynomorphs (spores and pollen grains), diatoms, and tissues. Botanical methods allow for an analysis to be repeated multiple times and the test material is easy to collect in the field. Forensic botany can be supplemented with molecular analyses, which, although specific and sensitive, still require validation.

19.
The physical comparison of known (K) and questioned (Q) evidence samples is an accepted tool in numerous forensic identification disciplines (1). A subset of this process is the use of antemortem and postmortem dental radiographs to identify unidentified human remains. This method has been generally accepted for decades (2). The outcome is performed with a considerable degree of accuracy, due in part to a finite pool of possible candidates for identification derived via the NCIC database, passenger lists, and law enforcement Missing Persons reports. This paper describes a dental identification comparison protocol that incorporated digital imaging technology in this process. The computer was used to create digital exemplars of the K and Q evidence that were spatially and quantitatively compared (3). The digital mode allowed direct metric and morphologic comparison through the aid of a digital camera, desktop computer, monitor, and printer. The well-known computer program Adobe Photoshop 5.0 (4) was used to process the digital information in two forensic cases described in this paper. It is a commercially available digital imaging editing program that is operated on laptop and desktop computers possessing sufficient chip speed and RAM (Pentium II or equivalent and at least 76MB RAM) to open the large-size files generated by high-resolution digital capture devices. This program accepts raster-based image formats (e.g. .JPG, .BMP). Photoshop is noted for its diverse imaging functions, which allow the computer monitor to be used as a comparison microscope when Q and K sample images are tiled side-by-side and/or superimposed. Two and three-dimensional Q and K evidence samples can be individually digitized and then independently resized to allow two-dimensional comparison. The investigator also has the ability to create magnified images (200% to 300%) when the original digital image has been captured at near photoquality resolution (300 dpi).
The visual comparison of physical features on the computer monitor permits a large field of view and robust digital control over image quality. Photographic measurement and enhancement features of Adobe Photoshop mimic and in some circumstances surpass the historic use of conventional photographic manipulation in forensic casework. This paper presents two cases processed via routine forensic odontology identification protocols. These protocols had minimal results due to limitations described in the case histories. The additional application of digital methods proved useful in the ultimate identification of these human remains.

20.
Issues regarding the fairness of lineups used for criminal identification are discussed in the context of a distinction between nominal size and functional size. Nominal size (the number of persons in the lineup) is less important for determining the fairness of a lineup than is functional size (the number of lineup members resembling the criminal). Functional size decreases to the extent that the nonsuspect members of the lineup are easily ruled out as not being suspected by the police. The extent to which the identification of the suspect can be considered an independently derived piece of incriminating evidence is positively related to functional size. Empirical estimates of functional size can be obtained through pictures of the corporal lineup from which mock witnesses make guesses of whom they believe the police suspect. A distinction is made between a functional size approach and hypothesis testing approaches. Uses of functional size notions in the court, by police, and in research are discussed.
