The Recovery of Latent Fingermarks from Evidence Exposed to Ionizing Radiation*

Abstract: Continual reports of illicit trafficking incidents involving radioactive materials have prompted authorities to consider the likelihood of forensic evidence being exposed to radiation. In this study, we investigated the ability to recover latent fingermark evidence from a variety of substrates that were exposed to ionizing radiation. Fingermarks deposited on common surfaces, including aluminum, glass, office paper, and plastic, were exposed to doses ranging from 1 to 1000 kGy, in an effort to simulate realistic situations where evidence is exposed to significant doses of radiation from sources used in a criminal act. The fingermarks were processed using routine fingermark detection techniques. With the exception of glass and aluminum substrates, radiolysis had a considerable effect on the quality of the developed fingermarks. The damage to ridge characteristics can, in part, be attributed to chemical interactions between the substrate and the components of the fingermark secretions that react with the detection reagents.     

Forensic Taxonomy of Android Social Apps

An Android social app taxonomy incorporating artifacts that are of forensic interest will enable users and forensic investigators to identify the personally identifiable information (PII) stored by the apps. In this study, 30 popular Android social apps were examined. Artifacts of forensic interest (e.g., contacts lists, chronology of messages, and timestamp of an added contact) were recovered. In addition, images were located, and Facebook token strings used to tie account identities and gain access to information entered into Facebook by a user were identified. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the social apps is proposed. A comparative summary of existing forensic taxonomies of different categories of Android apps, designed to facilitate timely collection and analysis of evidentiary materials from Android devices, is presented.     

Blast Suppression Foam,Aqueous Gel Blocks,and their Effect on Subsequent Analysis of Forensic Evidence*

In addition to having blast mitigation properties, aqueous foam concentrate AFC-380 blast suppression foam is designed to capture aerosolized chemical, biological, and radioactive particles during render-safe procedures of explosive devices. Exposure to aqueous environments and surfactants may negatively affect forensic evidence found at the scene, but the effects of AFC-380 foam and aqueous gel on the preservation and subsequent analysis of forensic evidence have not previously been investigated. Sebaceous finger and palm prints and DNA samples on paper, cardboard, tape, and various metal and plastic items, along with hairs, carpet and yarn fibers, and inks and documents, were exposed to AFC-380 foam. Similar mock evidence was also exposed to a superabsorbent gel of the type found in aqueous gel blocks used for shrapnel containment. Exposure to foam or aqueous gel was associated with a dilution effect for recovered DNA samples, but quality of the samples was not substantially affected. In contrast, exposure to AFC-380 foam or gel was detrimental to development of latent finger and palm prints on any substrate. Neither the hair nor the fiber samples were affected by exposure to either the foam or gel. Indented writing on the document samples was detrimentally affected by foam or gel exposure, but not inks and toners. The results from this study indicate that most types of forensic evidence recovered after being exposed to aqueous gel or blast suppression foam can be reliably analyzed, but latent finger and palm prints may be adversely affected.     

The analysis of forensic samples using laser micro-pyrolysis gas chromatography mass spectrometry

Laser micropyrolysis gas chromatography-mass spectrometry is used for the analysis of paint, photocopier toner, and synthetic fiber materials to test the forensic potential of this emerging technology. It uses a laser microprobe to selectively target very small parts of the materials for GC-MS analysis. Whereas the paint and the toner samples were amenable to direct laser pyrolysis, the synthetic fibers proved transparent to the 1064 nm laser radiation. The difficulty with the fibers demonstrates that a specific laser wavelength may not be appropriate for all types of materials. Nevertheless, the fibers were able to be indirectly pyrolyzed by impregnation in a strongly absorbing graphite matrix. A vast array of hydrocarbon pyrolysates was detected from the different materials studied. Unique product distributions were detected from each sample and in sufficient detail to facilitate individual molecular characterization (i.e., molecular fingerprinting). The integrity of the laser data were confirmed by comparison to data obtained from the same samples by the more conventional pyroprobe pyrolysis GC-MS method. The high spatial resolution and selectivity of the laser method may be advantageous for specific forensic applications, however, further work may be required to improve the reproducibility of the data.     

An Android Communication App Forensic Taxonomy

Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and chronology of messages, was recovered. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other dimension. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.     

Principal component analysis and analysis of variance on the effects of Entellan New on the Raman spectra of fibers

During the forensic examination of textile fibers, fibers are usually mounted on glass slides for visual inspection and identification under the microscope. One method that has the capability to accurately identify single textile fibers without subsequent demounting is Raman microspectroscopy. The effect of the mountant Entellan New on the Raman spectra of fibers was investigated to determine if it is suitable for fiber analysis. Raman spectra of synthetic fibers mounted in three different ways were collected and subjected to multivariate analysis. Principal component analysis score plots revealed that while spectra from different fiber classes formed distinct groups, fibers of the same class formed a single group regardless of the mounting method. The spectra of bare fibers and those mounted in Entellan New were found to be statistically indistinguishable by analysis of variance calculations. These results demonstrate that fibers mounted in Entellan New may be identified directly by Raman microspectroscopy without further sample preparation.     

The Analysis of Colored Acrylic,Cotton, and Wool Textile Fibers Using Micro‐Raman Spectroscopy. Part 2: Comparison with the Traditional Methods of Fiber Examination

In the second part of this survey, the ability of micro‐Raman spectroscopy to discriminate 180 fiber samples of blue, black, and red cottons, wools, and acrylics was compared to that gathered with the traditional methods for the examination of textile fibers in a forensic context (including light microscopy methods, UV‐vis microspectrophotometry and thin‐layer chromatography). This study shows that the Raman technique plays a complementary and useful role to obtain further discriminations after the application of light microscopy methods and UV‐vis microspectrophotometry and assure the nondestructive nature of the analytical sequence. These additional discriminations were observed despite the lower discriminating powers of Raman data considered individually, compared to those of light microscopy and UV‐vis MSP. This study also confirms that an instrument equipped with several laser lines is necessary for an efficient use as applied to the examination of textile fibers in a forensic setting.     

A case study on anonymised sharing platforms and digital traces left by their usage

Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.     

A multidisciplinary investigation of chronic animal abuse: Collaboration between veterinary forensics and forensic anthropology

An unknown juvenile female mixed breed dog was found non‐ambulatory on a dead‐end street in an urban setting adjacent to a public park. During initial veterinary examination, she was assessed to have untreatable injuries and was humanely euthanized. The forensic veterinarian requested consultation from a forensic anthropologist to assist with documenting antemortem skeletal trauma. Analyses of skeletal tissues indicated numerous injuries in various stages of healing diagnostic of non‐accidental injuries. Veterinary forensic cases may benefit from collaborative analysis of bony remains by forensic anthropologists.     

Toward a General Ontology for Digital Forensic Disciplines

Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.     

Structure and application of IconCache.db files for digital forensics

Anti-forensics has developed to prevent digital forensic investigations, thus forensic investigations to prevent anti-forensic behaviors have been studied in various area. In the area of user activity analysis, “IconCache.db” files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations such as the traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst. Therefore, an analyst can more easily analyze the IconCache.db file using the tool.     

Determination of disperse dyes on polyester fibers by UHPLC–Orbitrap MS

The determination of fiber dyes is important in forensic investigations. Although a variety of fiber dyes detection methods have been established, the sensitive and accurate determination of trace fiber dyes remains a challenge due to the possible interferences caused by complex environmental matrix and various fiber additives. Orbitrap mass spectrometry (Orbitrap MS) is a type of high-resolution mass spectrometry with high qualitative accuracy and detection sensitivity which highly meet the identification requirements of fiber dyes in real cases. However, the application of Orbitrap MS in fiber dye analysis is limited. In this regard, this study used polyester fiber, which is the most commonly-found fiber in forensic cases, as a model and established a UHPLC–Orbitrap MS method to analyze disperse dyes on polyester fibers. Using the optimized UHPLC–Orbitrap MS method, nine disperse dyes were accurately identified and well separated, and the limits of detection ranged between 0.1 ng/mL and 5.0 ng/mL. The developed method was applied to analyze actual fiber samples, and dyes from single fibers of 1 mm in length could be accurately detected. The established method is sensitive, accurate, and demonstrates good application prospects.     

Private browsing: A window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.     

The Use of an Alternate Light Source for Detecting Bones Underwater

When searching underwater crime scenes or disaster scenes for fragmentary human remains, it may be advantageous for forensic divers to be able to detect the presence of bones and teeth among other marine materials (such as shells and rocks). In terrestrial environments, this can typically be accomplished by visual and instrumental methods, but underwater conditions make it difficult to employ detection and sorting techniques in these environments. This study investigates fluorescence of bones and teeth and other marine materials using a submersible alternate light source (ALS) and concludes that an ALS can be a useful tool for detecting bones and teeth in underwater searches as well in terrestrial searches and laboratory environments. The results could impact the methods and equipment used by forensic divers and forensic anthropologists when searching for skeletal remains, potentially increasing the quantity and efficiency of forensic evidence recovered.     

Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study

The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS.In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is, a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying real servers storing evidences in a distributed environment and transaction reconstruction method, using log analysis and recovering deleted data from the MongoDB data file structure.     

Passive forensics in image and video using noise features: A review

Due to present of enormous free image and video editing software on the Internet, tampering of digital images and videos have become very easy. Validating the integrity of images or videos and detecting any attempt of forgery without use of active forensic technique such as Digital Signature or Digital Watermark is a big challenge to researchers. Passive forensic techniques, unlike active techniques, do not need any preembeded information about the image or video. The proposed paper presents a comprehensive review of the recent developments in the field of digital image and video forensic using noise features. The previously existing methods of image and video forensics proved the importance of noises and encourage us for the study and perform extensive research in this field. Moreover, in this paper, forensic task cover mainly source identification and forgery detection in the image and video using noise features. Thus, various source identification and forgery detection methods using noise features are reviewed and compared in this paper for image and video. The overall objective of this paper is to give researchers a broad perspective on various aspects of image and video forensics using noise features. Conclusion part of this paper discusses about the importance of noise features and the challenges encountered by different image and video forensic method using noise features.     

We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.     

Identification of a red "fiber": chironomid larvae

During preliminary examination of the body of a homicide victim, a peculiar red "fiber" was noticed and recovered. Initially believing this to be a carpet fiber, the item was subjected to fiber analysis. It was found to be a short coiled particle not like any known natural or synthetic fabric fiber. Subsequent examinations determined this "fiber" to be the larva of a common freshwater midge (Diptera; Chironomidae). Chironomid larvae have been observed on other bodies recovered from freshwater environments. Entomological studies of this organism have led to the conclusion that the presence of chironomid larvae indicates submersion of the body.     

The Development and Evaluation of Radiological Decontamination Procedures for Documents,Document Inks,and Latent Fingermarks on Porous Surfaces*†

Abstract: Criminal acts such as an attack utilizing a radiological dispersal device (RDD or dirty bomb), the manufacture of such a device, or the illicit trafficking of radioactive materials would warrant a criminal investigation. This could involve the collection, transportation, and analysis of radiologically contaminated trace evidence. But are law enforcement agencies and forensic scientists capable of dealing with this? This research investigates the decontamination efficacy of two decontamination techniques (chemical and physical) designed for the removal of radiological material from documents of forensic importance. The impact that these procedures have on the development of latent fingermarks and the forensic analysis of the inks on these documents is also studied. It was found that slight changes in the color and chemical composition of a variety of document inks and a destruction of fingermark ridges occurred after chemical decontamination. Physical decontamination had no impact on these parameters.     

An investigation of anonymous and spoof SMS resources used for the purposes of cyberstalking

In 2012, the United Kingdom actively sought to tackle acts of stalking through amendments to the Protection from Harassment Act 1997. Now, not only is stalking a recognised criminal offence, acts associated with stalking behaviour have finally been properly defined in legislation. Further, the role of technology in digital stalking offences, frequently termed as acts of cyberstalking, has been duly highlighted. The prosecution of such cyberstalking offences is reliant on the forensic analysis of devices capable of communication with a victim, in order to identify the offender and evidence the offending content for presentation to a court of law. However, with the recent proliferation of anonymous communication services, it is becoming increasingly difficult for digital forensic specialists to analyse and detect the origin of stalking messages, particularly those involving mobile devices. This article identifies the legal factors involved, along with a scenario-based investigation of sample anonymous and spoof SMS (Short Message Service) messages, documenting the evidence that remains on a victim's handset for the purpose of locating an offender, which often may be minimal or non-existent.