Similar literature
 Found 20 similar documents; search took 15 ms
1.
《Science & justice》2022,62(1):86-93
The prominence of technology usage in society has inevitably led to increasing numbers of digital devices being seized, where digital evidence often features in criminal investigations. Such demand has led to well documented backlogs placing pressure on digital forensic labs, where in an effort to combat this issue, the ‘at-scene triage’ of devices has been touted as a solution. Yet such triage approaches are not straightforward to implement with multiple technical and procedural issues existing, including determining when it is actually appropriate to triage the contents of a device at-scene. This work remains focused on this point due to the complexities associated with it, and to support first responders a nine-stage triage decision model is offered which is designed to promote consistent and transparent practice when determining if a device should be triaged.

2.
Small scale digital device forensics is particularly critical as a result of the mobility of these devices, leading to closer proximity to crimes as they occur when compared to computers. The Windows Surface tablet is one such device, combining tablet mobility with familiar Microsoft Windows productivity tools. This research considers the acquisition and forensic analysis of the Windows Surface RT tablet. We discuss the artifacts of both the Windows RT operating system and third-party applications. The contribution of this research is to provide a road map for the digital forensic examination of Windows Surface RT tablets.

3.
The continuing decline in the cost-per-megabyte of hard disk storage has inevitably led to a ballooning volume of data that needs to be reviewed in digital investigations. The result: case backlogs that commonly stretch for months at forensic labs, and per-case processing that occupies days or weeks of analytical effort. Yet speed is critical in situations where delay may render the evidence useless or endanger personal safety, such as when a suspect may flee, a victim is at risk, criminal tactics or control infrastructure may change, etc. In these and other cases, investigators need tools to enable quick triage of computer evidence in order to answer urgent questions, maintain the pace of an investigation and assess the likelihood of acquiring pertinent information from the device. This paper details the design and application of a tool, OpenLV, that not only meets the needs for speedy initial triage, but also can facilitate the review of digital evidence at later stages of investigation. With OpenLV, an investigator can quickly and safely interact with collected evidence, much as if they had sat down at the computer at the time the evidence was collected. Since OpenLV works without modifying the evidence, its use in triage does not preclude subsequent, in-depth forensic analysis. Unlike many popular forensics tools, OpenLV requires little training and facilitates an unprecedented level of interaction with the evidence.

4.
《Science & justice》2021,61(6):761-770
Many criminal investigations maintain an element of digital evidence, where it is the role of the first responder in many cases to both identify its presence at any crime scene, and assess its worth. Whilst in some instances the existence and role of a digital device at-scene may be obvious, in others, the first responder will be required to evaluate whether any ‘digital opportunities’ exist which could support their inquiry, and if so, where these are. This work discusses the potential presence of digital evidence at crime scenes, approaches to identifying it and the contexts in which it may exist, focusing on the investigative opportunities that devices may offer. The concept of digital devices acting as ‘digital witnesses’ is proposed, followed by an examination of potential ‘digital crime scene’ scenarios and strategies for processing them.

5.
《Digital Investigation》2014,11(4):273-294
A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.

6.
In this paper, we review literature on antiforensics published between 2010 and 2016 and reveal the surprising lack of up‐to‐date research on this topic. This research aims to contribute to this knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach which allows for removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and that a Trojan Horse infection may be a legitimate possibility, even if there is no evidence of an infection on a seized computer's hard drive. Up‐to‐date information regarding how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.

7.
The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system, provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db.

8.
Unlike conventional forensics, digital forensics does not at present generally quantify the results of its investigations. It is suggested that digital forensics should aim to catch up with other forensic disciplines by using Bayesian and other numerical methodologies to quantify its investigations’ results. Assessing the plausibility of alternative hypotheses (or propositions, or claims) which explain how recovered digital evidence came to exist on a device could assist both the prosecution and the defence sides in criminal proceedings: helping the prosecution to decide whether to proceed to trial and helping defence lawyers to advise a defendant how to plead. This paper reviews some numerical approaches to the goal of quantifying the relative weights of individual items of digital evidence and the plausibility of hypotheses based on that evidence. The potential advantages enabling the construction of cost-effective digital forensic triage schemas are also outlined.

Key points

  • The absence of quantified results from digital forensic investigations, unlike those of conventional forensics, is highlighted.
  • A number of approaches towards quantitative evaluation of the results of digital forensic investigations are reviewed.
  • The significant potential benefits accruing from such approaches are discussed.

9.
Mobile Rapid DNA technology is close to being incorporated into crime scene investigations, with the potential to identify a perpetrator within hours. However, the use of these techniques entails the risk of losing the sample and potential evidence, because the device not only consumes the inserted sample, it is also less sensitive than traditional technologies used in forensic laboratories. Scene of Crime Officers (SoCOs) therefore will face a ‘time/success rate trade-off’ issue when making a decision to apply this technology. In this study we designed and experimentally tested a Decision Support System (DSS) for the use of Rapid DNA technologies based on Rational Decision Theory (RDT). In a vignette study, where SoCOs had to decide on the use of a Rapid DNA analysis device, participating SoCOs were assigned to either the control group (making decisions under standard conditions), the Success Rate (SR) group (making decisions with additional information on DNA success rates of traces), or the DSS group (making decisions supported by introduction to RDT, including information on DNA success rates of traces). This study provides positive evidence that a systematic approach for decision-making on using Rapid DNA analysis assists SoCOs in the decision to use the rapid device. The results demonstrated that participants using a DSS made different and more transparent decisions on the use of Rapid DNA analysis when different case characteristics were explicitly considered. In the DSS group the decision to apply Rapid DNA analysis was influenced by the factors “time pressure” and “trace characteristics” like DNA success rates. In the SR group, the decisions depended solely on the trace characteristics and in the control group the decisions did not show any systematic differences on crime type or trace characteristic. Guiding complex decisions on the use of Rapid DNA analyses with a DSS could be an important step towards the use of these devices at the crime scene.

10.
Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.

11.
Excited delirium denotes a life-threatening medical condition characterized by the acute onset of agitated and violent behavior that often results in a sudden and unexplained death. Cocaine-induced excited delirium refers to fatal cocaine intoxication with the following symptoms occurring sequentially: hyperthermia, delirium with agitation, respiratory arrest, and death. We present a case of cocaine-induced excited delirium in a cocaine “body packer” or a “mule”, specifically an individual who attempts to smuggle cocaine within the body. Investigators at the scene initially suspected homicide due to the victim's sharp and blunt force injuries. Three rubber packets containing cocaine were removed from the victim's rectum. Blood toxicological analysis revealed an alcohol concentration of 0.016 g/100 and cocaine >1 mg/L. The forensic pathologist should consider cocaine-induced excited delirium when an individual exhibits aggressive behavior, unexpected strength, and resistance to pain who dies suddenly. Further analysis should be performed during the scene investigation and autopsy for evidence of body packing.

12.
In order to facilitate forensic intelligence efforts in managing large collections of physical feature data pertaining to illicit tablets, we have developed an automated shape classification method. This approach performs categorical shape annotation for the domain of illicit tablets. It is invariant to scale, rotation and translation and operates on digital images of seized tablets. The approach employs two processing levels. The first (coarse) level is based on comparing the contour curvature space of tablet pairs. The second (fine) level is a rule based approach, implemented as a classification tree, that exploits characteristic similarities of shape categories. Annotation is demonstrated over a collection of 169 tablets selected for their diverse shapes with an accuracy of 97.6% when 19 shape categories are defined.

13.
Performing a digital forensic investigation (DFI) requires a standardized and formalized process. There is currently neither an international standard nor does a global, harmonized DFI process (DFIP) exist. The authors studied existing state-of-the-art DFIP models and concluded that there are significant disparities pertaining to the number of processes, the scope, the hierarchical levels, and concepts applied. This paper proposes a comprehensive model that harmonizes existing models. An effort was made to incorporate all types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness. The authors introduce a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence. Ultimately, the proposed model is intended to be used for different types of DFI and should lead to standardization.

14.
Recently, “Speed” is one of the hot issues in digital forensics. Thanks to a recent advanced technology, today we can get bigger hard drive disks at a lower price than previously. But unfortunately, it means for forensic investigators that they need tremendous time and effort in the sequence of process of creating forensic images, searching into them and analyzing them. In order to solve this problem, some methods have been proposed to improve performance of forensic tools. One of them getting attention is a hardware-based approach. However, such a way is limited in the field of evidence cloning or password cracking while it is rarely used in searching and analysis of the digital evidence. In this paper, we design and implement a high-speed search engine using a Tarari content processor. Furthermore, we show feasibility of our approach by comparing its performance and features to those of a popular forensic tool currently on the market.

15.
As unmanned aerial vehicles have become more affordable, their popularity with the general public and commercial organisations has seen significant growth in recent years. Whilst remaining a device for both the hobbyist and aircraft-enthusiast to enjoy, they are now also used for carrying out activities such as law enforcement surveillance, agricultural maintenance, acquiring specialist movie and sports event footage along with search and seizure activities. Conversely, despite maintaining many legitimate uses, there are also increasing media reports of unmanned aerial vehicle technology being abused, ranging from physical assaults due to negligent flights to breaches of Civil Aviation Authority Air Navigation Regulations, requiring a forensic analysis of these devices in order to establish the chain of events. This article presents an introductory discussion of unmanned aerial vehicle analysis and provides the results of a digital forensic investigation of a test Parrot Bebop unmanned aerial vehicle. Directions for the acquisition and analysis of the device's internal storage are provided along with an interpretation of on-board flight data, captured media and operating system. Further, as the device can be controlled via Android and iOS devices using the application FreeFlight3, forensic analysis of these devices is also presented. Results showed the ability to recover flight data from both the unmanned aerial vehicle and controller handsets along with captured media, however problems exist with establishing the definitive owner of the device, particularly if a user had abandoned it at the scene of a crime.

16.
Abstract: The purpose of this study was to outline a method by which an antemortem photograph of a victim can be critically compared with a postmortem photograph in an effort to facilitate the identification process. Ten subjects, between 27 and 55 years old provided historical pictures of themselves exhibiting a broad smile showing anterior teeth to some extent (a grin). These photos were termed “antemortem” for the purpose of the study. A digital camera was used to take a current photo of each subject’s grin. These photos represented the “postmortem” images. A single subject’s “postmortem” photo set was randomly selected to be the “unknown victim.” These combined data of the unknown and the 10 antemortem subjects were digitally stored and, using Adobe Photoshop software, the images were sized and oriented for comparative analysis. The goal was to devise a technique that could facilitate the accurate determination of which “antemortem” subject was the “unknown.” The generation of antemortem digital overlays of the teeth visible in a grin and the comparison of those overlays to the images of the postmortem dentition is the foundation of the technique. The comparisons made using the GrinLine Identification Technique may assist medical examiners and coroners in making identifications or exclusions.

17.
Recently, “Speed” is one of the hot issues in digital forensics. Thanks to a recent advanced technology, today we can get bigger hard drive disks at a lower price than previously. But unfortunately, it means for forensic investigators that they need tremendous time and effort in the sequence of process of creating forensic images, searching into them and analyzing them. In order to solve this problem, some methods have been proposed to improve performance of forensic tools. One of them getting attention is a hardware-based approach. However, such a way is limited in the field of evidence cloning or password cracking while it is rarely used in searching and analysis of the digital evidence. In this paper, we design and implement a high-speed search engine using a Tarari content processor. Furthermore, we show feasibility of our approach by comparing its performance and features to those of a popular forensic tool currently on the market.

18.
This paper examines the reliability of Structure from Motion (SfM) photogrammetry as a tool in the capture of forensic footwear marks. This is applicable to photogrammetry freeware DigTrace but is equally relevant to other SfM solutions. SfM simply requires a digital camera, a scale bar, and a selection of oblique photographs of the trace in question taken at the scene. The output is a digital three-dimensional point cloud of the surface and any plastic trace thereon. The first section of this paper examines the reliability of photogrammetry to capture the same data when repeatedly used on one impression, while the second part assesses the impact of varying cameras. Using cloud to cloud comparisons that measure the distance between two point clouds, we assess the variability between models. The results highlight how little variability is evident and therefore speak to the accuracy and consistency of such techniques in the capture of three-dimensional traces. Using this method, 3D footwear impressions can, in many substrates, be collected with a repeatability of 97% with any variation between models less than ~0.5 mm.

19.
《Science & justice》2023,63(2):206-228
Sexual assault casework requires the collaboration of multiple agency staff to formalise an investigative pipeline running from crime scene to court. While the same could be said of many other forensic investigations, few require the additional support of health care staff and the combined forensic involvement of body-fluid examiners, DNA experts and analytical chemists. The sheer amount of collaborative effort between agencies is laid out through a detailed examination of the investigative workflow from crime scene to courtroom with each step in the pipelines detailed and discussed. Beginning with a review of sexual assault legislation in the United Kingdom this article details how sexual assault investigations are initiated by police and supported by sexual assault referral centre (SARC) staff who are often the first responders providing primary healthcare and patient support to victims while simultaneously collecting and assessing forensic evidence. Detailing the myriad of evidential material that can be documented and collected at the SARC, the review identifies and categorises key forensic tests to first detect and identify body-fluids recovered from evidence through to the secondary analysis of DNA to help identify the suspect. This review also focusses on the collection and analysis of biological material used to support the allegation that the sexual activity was non-consensual and provides a breakdown of common marks and trauma as well as a review of common analytical methods used to infer Drug Facilitated Sexual Assault (DFSA). The culmination of the investigative pipeline is discussed by reviewing the Rape and Serious Sexual Assault (RASSO) workflow used by the Crown Prosecution Service before providing our thoughts on the future of forensic analysis and possible changes to the described workflows.

20.
Although considerable effort during the past thirty years has been devoted to the attempted construction of actuarial aids for parole selection, such devices have not generally been adopted by paroling agencies for operational use. One recent exception is the United States Board of Parole which has commenced usage of an actuarial device, termed a “salient factor score,” as a risk assessment aid in conjunction with explicit parole decision-making guidelines. This paper describes the construction, validation, and operational usage of this device.
