We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.     

Unmanned aerial vehicles: A preliminary analysis of forensic challenges

As unmanned aerial vehicles have become more affordable, their popularity with the general public and commercial organisations has seen significant growth in recent years. Whilst remaining a device for both the hobbyist and aircraft-enthusiast to enjoy, they are now also used for carrying out activities such as law enforcement surveillance, agricultural maintenance, acquiring specialist movie and sports event footage along with search and seizure activities. Conversely, despite maintaining many legitimate uses, there are also increasing media reports of unmanned aerial vehicle technology being abused, ranging from physical assaults due to negligent flights to breaches of Civil Aviation Authority Air Navigation Regulations, requiring a forensic analysis of these devices in order to establish the chain of events. This article presents an introductory discussion of unmanned aerial vehicle analysis and provides the results of a digital forensic investigation of a test Parrot Bebop unmanned aerial vehicle. Directions for the acquisition and analysis of the device's internal storage are provided along with an interpretation of on-board flight data, captured media and operating system. Further, as the device can be controlled via Android and iOS devices using the application FreeFlight3, forensic analysis of these devices is also presented. Results showed the ability to recover flight data from both the unmanned aerial vehicle and controller handsets along with captured media, however problems exist with establishing the definitive owner of the device, particularly if a user had abandoned it at the scene of a crime.     

An Evidence‐based Forensic Taxonomy of Windows Phone Dating Apps

Advances in technologies including development of smartphone features have contributed to the growth of mobile applications, including dating apps. However, online dating services can be misused. To support law enforcement investigations, a forensic taxonomy that provides a systematic classification of forensic artifacts from Windows Phone 8 (WP8) dating apps is presented in this study. The taxonomy has three categories, namely: Apps Categories, Artifacts Categories, and Data Partition Categories. This taxonomy is built based on the findings from a case study of 28 mobile dating apps, using mobile forensic tools. The dating app taxonomy can be used to inform future studies of dating and related apps, such as those from Android and iOS platforms.     

An investigation of anonymous and spoof SMS resources used for the purposes of cyberstalking

In 2012, the United Kingdom actively sought to tackle acts of stalking through amendments to the Protection from Harassment Act 1997. Now, not only is stalking a recognised criminal offence, acts associated with stalking behaviour have finally been properly defined in legislation. Further, the role of technology in digital stalking offences, frequently termed as acts of cyberstalking, has been duly highlighted. The prosecution of such cyberstalking offences is reliant on the forensic analysis of devices capable of communication with a victim, in order to identify the offender and evidence the offending content for presentation to a court of law. However, with the recent proliferation of anonymous communication services, it is becoming increasingly difficult for digital forensic specialists to analyse and detect the origin of stalking messages, particularly those involving mobile devices. This article identifies the legal factors involved, along with a scenario-based investigation of sample anonymous and spoof SMS (Short Message Service) messages, documenting the evidence that remains on a victim's handset for the purpose of locating an offender, which often may be minimal or non-existent.     

Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study

The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS.In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is, a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying real servers storing evidences in a distributed environment and transaction reconstruction method, using log analysis and recovering deleted data from the MongoDB data file structure.     

A comparison of forensic evidence recovery techniques for a windows mobile smart phone

Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats complicating decoding and presentation.A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent the results produced by different tools are consistent.This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device; and that in some cases the information recovered is conflicting.     

Forensic acquisition and analysis of palm webOS on mobile devices

The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.     

Placing the suspect at a PC: A preliminary study involving fingerprints on keyboards and mice

Digital devices now play an important role in the lives of many in society. Whilst they are used predominantly for legitimate purposes, instances of digital crime are witnessed, where determining their usage is important to any criminal investigation. Typically, when determining who has used a digital device, digital forensic analysis is utilised, however, biological trace evidence or fingerprints residing on its surfaces may also be of value. This work provides a preliminary study which examines the potential for fingerprint recovery from computer peripherals, namely keyboards and mice. Our implementation methodology is outlined, and results discussed which indicate that print recovery is possible. Findings are intended to support those operating at-scene in an evidence collection capacity.     

Automated event and social network extraction from digital evidence sources with ontological mapping

The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscaleable and alternate methods to reduce the time trained analysts spend on each job are necessary.This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work.A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator.Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.     

手机物证检验及其在刑事侦查中的应用

随着移动通信技术的迅速发展和广泛应用,手机内部包含的信息已经成为犯罪侦查重要的线索和证据来源。采用专门的符合物证鉴定原理要求的技术方法检验手机的SIM卡存储器、主板存储器和闪存卡,可以获得大量的手机使用者个人信息、通信内容信息、通信发生信息、使用者写入存储信息和手机设置信息等大量信息资料。手机检验结果给出的这些信息具有非常高的侦查和证据价值的,手机也因此成为物证鉴定领域内一个新的检验对象。     

A Forensic Exploration of the Microsoft Windows 10 Timeline

The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db .     

Advanced carving techniques

Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery.Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files.At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image.This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Work-Shop's (DFRWS) 2007 carving challenge.     

Forensic Investigation of Cooperative Storage Cloud Service: Symform as a Case Study

Researchers envisioned Storage as a Service (StaaS) as an effective solution to the distributed management of digital data. Cooperative storage cloud forensic is relatively new and is an under‐explored area of research. Using Symform as a case study, we seek to determine the data remnants from the use of cooperative cloud storage services. In particular, we consider both mobile devices and personal computers running various popular operating systems, namely Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4. Potential artefacts recovered during the research include data relating to the installation and uninstallation of the cloud applications, log‐in to and log‐out from Symform account using the client application, file synchronization as well as their time stamp information. This research contributes to an in‐depth understanding of the types of terrestrial artifacts that are likely to remain after the use of cooperative storage cloud on client devices.     

The reliability of forensic osteology--a case in point. Case study

The medico-legal investigation of skeletons is a trans-disciplinary effort by forensic scientists as well as physical anthropologists. The advent of DNA extraction and amplification from bones and teeth has led to the assumption that morphological assessment of skeletal remains might soon become obsolete. But despite the introduction and success of molecular biology, the analysis of skeletal biology will remain an integral part of the identification process. This is due to the fact, that the skeletal record allows relatively fast and accurate inferences about the identity of the victim. Moreover, a standard biological profile may be established to effectively narrow the police investigator's search parameters. The following study demonstrates how skeletal biology may collaborate in the forensic investigation and support DNA fingerprinting evidence.In this case, the information gained from standard morphological methods about the unknown person's sex, age and heritage immediately led the police to suspect, that the remains were that of a young man from Vietnam, who had been missing for 2.5 years. The investigation then quickly shifted to prove the victim's identity via DNA extraction and mtDNA sequence analysis and biostatistical calculations involving questions of kinship [4].     

Spherical Photography and Virtual Tours for Presenting Crime Scenes and Forensic Evidence in New Zealand Courtrooms

The delivery of forensic science evidence in a clear and understandable manner is an important aspect of a forensic scientist's role during expert witness delivery in a courtroom trial. This article describes an Integrated Evidence Platform (IEP) system based on spherical photography which allows the audience to view the crime scene via a virtual tour and view the forensic scientist's evidence and results in context. Equipment and software programmes used in the creation of the IEP include a Nikon DSLR camera, a Seitz Roundshot VR Drive, PTGui Pro, and Tourweaver Professional Edition. The IEP enables a clear visualization of the crime scene, with embedded information such as photographs of items of interest, complex forensic evidence, the results of laboratory analyses, and scientific opinion evidence presented in context. The IEP has resulted in significant improvements to the pretrial disclosure of forensic results, enhanced the delivery of evidence in court, and improved the jury's understanding of the spatial relationship between results.     

A comprehensive micro unmanned aerial vehicle (UAV/Drone) forensic framework

In the early 1990s, unmanned aerial vehicles (UAV) were used exclusively in military applications by various developed countries. Now with its ease of availability and affordability in the electronic device market, this aerial vehicular technology has augmented its familiarity in public and has expanded its usage to countries all over the world. However, expanded use of UAVs, colloquially known as drones, is raising understandable security concerns. With the increasing possibility of drones' misuse and their abilities to get close to critical targets, drones are prone to potentially committing crimes and, therefore, investigation of such activities is a much-needed facet. This motivated us to devise a comprehensive drone forensic framework that includes hardware/physical and digital forensics, proficient enough for the post-flight investigation of drone's activity. For hardware/physical forensics, we propose a model for investigating drone components at the crime scene. Additionally, we propose a robust digital drone forensic application with a primary focus on analyzing the essential log parameters of drones through a graphical user interface (GUI) developed using JavaFX 8.0. This application interface would allow users to extract and examine onboard flight information. It also includes a file converter created for easy and effective 3D flight trajectory visualization. We used two popular drones for conducting this research; namely, DJI Phantom 4 and Yuneec Typhoon H. The interface also provides a visual representation of the sensor recordings from which pieces of evidence could be acquired. Our research is intended to offer the forensic science community a powerful approach for investigating drone-related crimes effectively.     

Live memory forensics of mobile phones

In this paper, we proposed an automated system to perform a live memory forensic analysis for mobile phones. We investigated the dynamic behavior of the mobile phone’s volatile memory, and the analysis is useful in real-time evidence acquisition analysis of communication based applications. Different communication scenarios with varying parameters were investigated. Our experimental results showed that outgoing messages (from the phone) have a higher persistency than the incoming messages. In our experiments, we consistently achieved a 100% evidence acquisition rate with the outgoing messages. For the incoming messages, the acquisition rates ranged from 75.6% to 100%, considering a wide range of varying parameters in different scenarios. Hence, in a more realistic scenario where the parties may occasionally take turns to send messages and consecutively send a few messages, our acquisition can capture most of the data to facilitate further detailed forensic investigation.     

Social Media and Medicolegal Death Investigation: Logged in…To the Morgue

Social media (SM) represent a global consumer phenomenon with an exponential rise in usage within the last few years. The various applications and websites are relatively easy and fast to access, and the number of users increases continuously. SM are an incredible source of freely available, public information about their users. The purpose of this study is to provide information about the usefulness of SM in forensic practice. The electronic database of the Cook County of Medical Examiner's Office (“CCMEO”) in Illinois was searched for investigative narratives that included specific SM keywords, in the period from August 2014 to January 2018. A total of 48 cases met the study's criteria. Among these, “Facebook” has been found to be the most helpful SM for medicolegal investigation purposes. Information obtained by SM can play an important role in forensic practice since it can be used to clarify certain aspects of the medicolegal death investigation, with particular regard to time and manner of death.     

Tackling the U3 trend with computer forensics

A new technology has emerged, allowing applications to be stored and run on portable devices, such as flash drives and iPods. Sandisk's U3™ smart technology appears to be becoming the standard in this new realm of portability. With the advent of this technology, questions are arising as to the effects it will have on computer forensic investigations. Probably hundreds of thousands of people have purchased devices with U3 or similar technologies already. The fear is that these people will be able to plug their devices into computers, do their misdeeds and then simply unplug those devices, removing any trace. This article will illustrate that this is not the case and will discuss different artifacts that a device such as this will leave behind. For the purposes of this illustration we have investigated the use of some of the most common applications used on U3 drives. This information will serve as a guide to investigating computer crimes perpetrated via U3 or similar technologies. Investigators must keep in mind during their investigations the possibility that their suspects have used such technology, particularly when their investigations seem to lead to a dead end.     

Automated identification of installed malicious Android applications

Increasingly, Android smartphones are becoming more pervasive within the government and industry, despite the limited ways to detect malicious applications installed to these phones' operating systems. Although enterprise security mechanisms are being developed for use on Android devices, these methods cannot detect previously unknown malicious applications. As more sensitive enterprise information becomes available and accessible on these smartphones, the risk of data loss inherently increases. A malicious application's actions could potentially leave sensitive data exposed with little recourse. Without an effective corporate monitoring solution in place for these mobile devices, organizations will continue to lack the ability to determine when a compromise has occurred. This paper presents research that applies traditional digital forensic techniques to remotely monitor and audit Android smartphones. The smartphone sends changed file system data to a remote server, allowing for expensive forensic processing and the offline application of traditional tools and techniques rarely applied to the mobile environment. The research aims at ascertaining new ways of identifying malicious Android applications and ultimately attempts to improve the state of enterprise smartphone monitoring. An on-phone client, server, database, and analysis framework was developed and tested using real mobile malware. The results are promising that the developed detection techniques identify changes to important system partitions; recognize file system changes, including file deletions; and find persistence and triggering mechanisms in newly installed applications. It is believed that these detection techniques should be performed by enterprises to identify malicious applications affecting their phone infrastructure.