篡改Microsoft Office办公文件的实验研究

本文利用现有的篡改Microsoft Office办公文件的工具和方法,设计了若干套篡改Microsoft Office办公文件内容、属性的实验方案,使用工具软件对Microsoft Office办公文件的属性进行检验和分析,总结出检验Microsoft Office办公文件的方法。     

文书排版特征专家辅助识别系统之行列信息识别

通过介绍印刷文件排版格式检验专家辅助识别系统,对行间距、字间距识别及相关检验目标得以实现的设计进展和实现方法,提出了基于直方图判据结合计算机图像处理技术进行印刷文书的行间距、字间距自动识别的技术路线.现代办公机具所形成印刷文件排版格式的检验是印刷文件篡改(变造)检验基本的检验内容之一,为避免通常的人工测量检验所带来的误识率和误判率较高的蔽端,并将相应检验作为文件印刷特征检验的通用基础环节,设计或研发印刷文件排版格式检验专家辅助识别系统.     

Windows系统中文件时间属性的变化及影响因素

目的分析Windows系统中不同因素对文件时间属性的影响,总结文件时间属性的变化规律。方法在FAT32和NTFS两种文件系统中,对文件和文件夹进行各种操作,记录其时间属性的变化情况,总结其规律并分析各种因素的影响。结果文件时间属性的更新与系统环境、操作方法、文件类型等因素有关,而且文件时间属性更新有特定的周期。结论Windows系统中文件时间属性的变化既有特定的规律,又受其它因素影响,在检验中应加以注意。     

Microsoft SQL Server数据库中删除数据的恢复

目的恢复Microsoft SQL Server数据库中删除数据。方法解析SQL Server的数据文件和日志文件结构,使用Lumigent Log Explorer软件分析提取的日志中的记录。结果从某案件提取的数据库日志文件中提取有效记录70万余条。结论该方法可以分析并且提取Microsoft SQL Server日志文件中的记录,恢复被删除数据,具有很强的实用性。     

DESI-HRMS-HDI在添改字迹鉴定中的应用研究

目的通过电喷雾解吸电离(DESI)—高分辨飞行时间质谱(HRMS-HDI)成像技术建立了一种新型添改字迹鉴别技术。方法对10支黑色签字笔书写的“11”被添改成“47”的90个样本用分子成像技术测试。结果该技术可将84个被添改的原始字迹“11”以二维成像方式显现。结论DESI-HRMS-HDI技术无需检材预处理,在大气压下即可进行操作,接近无损检验,操作简便,是一种有效的文件检验技术,适用于文件材料鉴别和篡改文件鉴定。     

微软欲注册新的“Mod”商标

正1月6日,微软公司尝试注册"Microsoft Mod"商标,这一行为被业界解读为即将对Windows 8/8.1进行重新命名的初期准备。软件巨头在刚刚过去的12月向USPTO递交了一份文字商标申请,要求注册"Microsoft Mod"与"Microsoft Office Mod"两个商标。与以往的此类申请一样,在资料中看不到关于商标潜在     

国际标准ISO/IEC 24790解读及在印刷文件检验中应用展望

采用平板扫描仪、数码相机等图像捕捉设备,将印刷文件转化为数字图像加以检验目前是文书鉴定领域研究的热点,这种方法与页面经扫描后成为图像的数字印刷有相似之处,对数字印刷图像质量的评估方法或可适用于分析文件。本综述从标准内容、度量方式、与国内标准比较及在印刷文件检验中的应用性四个方面,对含有较为完备的印刷质量评估方法的国际印刷质量评估标准ISO/IEC 24790进行详细解读,重点介绍了ISO/IEC 24790中大面积图形图像质量属性、字符和线条图像质量属性评估方法,并对引入基于ISO/IEC 24790标准的新方法在鉴定领域未来发展方向作出了展望。     

文件检验的困惑与反思

文件检验做为一门已经成熟的物证技术,新的研究和经验层出不穷,但多未能突破文件检验的常规方法,新的检验仪器设备不断更新,仍然无法解除文件检验的方法局限.本文通过对同一认定理论的认识,尝试用检验鉴定的基础理论对文件检验中发现的问题进行反思,力图用最原始、最根本、最有效的理论解除文件检验中发现的困惑.     

文件形成时间检验方法及实践中存在的问题

文件形成时间检验是文件检验领域里比较疑难的检验项目。目前的检验方法从检验思路上大致分为确定文件形成时间上限的方法和确定文字色料随时间变化规律的方法两大类。前者通过对检材及检材记载内容进行分析、调查研究来确定文件形成时间;后者通过物理化学分析的方法,来确定文件形成时间。以上方法在实践中存在一定的局限性,我们还可以用系统论的方法从案情分析、纸张信息、文字特征、理化分析等方面进行综合检验分析, 扩大检验范围。今后我们应当进一步强调文件形成时间检验工作的科学态度,加强科学研究,探索更加有效的检验方法。     

运用系统鉴定方法检验一起添加变造文件的思考

运用系统鉴定的理论和方法检验变造文件,可以摆脱具体问题的困扰,避开技术难题,转向其它相关要素的研究,从不同角度,不同层面同时揭露文件被变造的事实,以确保检验结论的科学可靠性。系统鉴定理论和方法,尤其是已经研究成功并经实践检验证明科学可靠又易推广的技术方法,应尽快普及到基层文件检验部门,以提高基层部门文件检验技术的科技含量。     

We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.     

Carving contiguous and fragmented files with fast object validation

“File carving” reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings – “objects” – from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high speed validators can be used to reassemble fragmented files.     

Using the HFS+ journal for deleted file recovery

This paper describes research and analysis that were performed to identify a robust and accurate method for identifying and extracting the residual contents of deleted files stored within an HFS+ file system. A survey performed during 2005 of existing tools and techniques for HFS+ deleted file recovery reinforced the need for newer, more accurate techniques.Our research and analysis were based on the premise that a transactional history of file I/O operations is maintained in a Journal on HFS+ file systems, and that this history could be used to reconstruct recent deletions of active files from the file system. Such an approach offered a distinct advantage over other current techniques, including recovery of free/unallocated blocks and “file carving” techniques. If the journal entries contained or referenced file attributes such as the extents that specify which file system blocks were occupied by each file, then a much more accurate identification and recovery of deleted file data would be possible.     

Using the HFS+ journal for deleted file recovery

This paper describes research and analysis that were performed to identify a robust and accurate method for identifying and extracting the residual contents of deleted files stored within an HFS+ file system. A survey performed during 2005 of existing tools and techniques for HFS+ deleted file recovery reinforced the need for newer, more accurate techniques.Our research and analysis were based on the premise that a transactional history of file I/O operations is maintained in a Journal on HFS+ file systems, and that this history could be used to reconstruct recent deletions of active files from the file system. Such an approach offered a distinct advantage over other current techniques, including recovery of free/unallocated blocks and “file carving” techniques. If the journal entries contained or referenced file attributes such as the extents that specify which file system blocks were occupied by each file, then a much more accurate identification and recovery of deleted file data would be possible.     

Introducing the Microsoft Vista event log file format

Several operating systems provide a central logging service which collects event messages from the kernel and applications, filters them and writes them into log files. Since more than a decade such a system service exists in Microsoft Windows NT. Its file format is well understood and supported by forensic software. Microsoft Vista introduces an event logging service which entirely got newly designed. This confronts forensic examiners and software authors with unfamiliar system behavior and a new, widely undocumented file format.This article describes the history of Windows system loggers, what has been changed over time and for what reason. It compares Vista log files in their native binary form and in a textual form. Based on the results, this paper for the first time publicly describes the key-elements of the new log file format and the proprietary binary encoding of XML. It discusses the problems that may arise during daily work. Finally it proposes a procedure for how to recover information from log fragments. During a criminal investigation this procedure was successfully applied to recover information from a corrupted event log.     

Relevance analysis using revision identifier in MS word

Electronic documents often contain personal or confidential information, which can be used as valuable evidence in criminal investigations. In the digital investigation, special techniques are required for grouping and screening electronic documents, because it is challenging to analyze relationships between numerous documents in storage devices manually. To this end, although techniques such as keyword search, similarity search, topic modeling, metadata analysis, and document clustering are continually being studied, there are still limitations for revealing the relevance of documents. Specifically, metadata used in previous research are not always values present in the documents, and clustering methods with specific keywords may be incomplete because text‐based contents (including metadata) can be easily modified or deleted by users. In this work, we propose a novel method to efficiently group Microsoft Office Word 2007+ (MS Word) files by using revision identifier (RSID). Through a thorough understanding of the RSID, examiners can predict organizations to which a specific user belongs, and further, it is likely to discover unexpected interpersonal relationships. An experiment with a public dataset (GovDocs) provides that it is possible to categorize documents more effectively by combining our proposal with previously studied methods. Furthermore, we introduce a new document tracking method to understand the editing history and movement of a file, and then demonstrate its usefulness through an experiment with documents from a real case.     

Forensic artefacts left by Windows Live Messenger 8.0

Windows Live Messenger – commonly referred by MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP.Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.     

Ultralight aircraft fatalities. Report of five cases

A study of ultralight aircraft fatalities was performed based on the cases files of the Office of the Medical Examiner of Metropolitan Dade County in Miami, Florida. A total of five cases were collected during the years 1981-1985. These are presented in some detail. A discussion ensues concerning the safety of ultralight aircraft and whether people should be allowed to fly them.