Similar literature
20 similar records found.
1.
Digital Investigation, 2014, 11(2): 102-110
Anti-forensic techniques have been developed to hinder digital forensic investigations; consequently, forensic methods for detecting anti-forensic behavior have been studied in various areas. In the area of user activity analysis, “IconCache.db” files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations, such as traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses strings out of the IconCache.db to assist an analyst, so that an analyst can more easily analyze the IconCache.db file.

2.
Digital Investigation, 2007, 4(3-4): 138-145
Pidgin, formerly known as Gaim, is a multi-protocol instant messaging (IM) client that supports communication on most of the popular IM networks. Pidgin is chiefly popular under Linux, and is available for Windows, BSD and other UNIX versions. This article presents a number of traces that are left behind after the use of Pidgin on Linux, enabling digital investigators to search for and interpret instant messaging activities, including online conversations and file transfers. Specifically, the contents and structures of user settings, log files, contact files and the swap partition are discussed. In addition to looking for such information in active files on a computer, forensic examiners can recover deleted items by searching a hard drive for the file signatures and known file structures detailed in this article.

3.
Science & Justice, 2022, 62(3): 385-398
Data from mobile phones are regularly used in the investigation of crime and in court proceedings. Previously published research has primarily addressed technical issues or provided operational manuals for using forensic science evidence, rather than analysing human factors and the implementation of forensic tools in investigation settings. Moreover, previous research has focused almost entirely on western countries, and there is a dearth of research into the uses of forensic evidence in China. In this study, a review was carried out of court sentencing documents referring to mobile phone evidence in China over the period 2013–2018. Automated content analysis was used to identify the specific evidence types utilised and the sentencing outcome for each case. Results show that mobile phone evidence was used in 3.3% of criminal proceedings. Among the various data types mentioned in criminal proceedings, call records remained the most frequently used type of data, followed by instant messaging tools (e.g. WeChat), which make up an increasing proportion of all mobile phone evidence, rising from 1% in 2015 to 25% in 2018. For cases that utilised mobile phone data, the analysis of instant messaging and online transaction tools is routine, with little variation in the use of each application (WeChat, Alipay, QQ) across investigations of different types of crime. However, in the majority of criminal cases, mobile phone data functioned as subsidiary evidence and had limited impact on the verdict reached. The current findings indicate that a large amount of mobile phone evidence was transformed into other evidence formats or filtered out directly before court proceedings.

4.
In this paper we present a methodology for the forensic analysis of the artifacts generated on Android smartphones by Telegram Messenger, the official client for the Telegram instant messaging platform, which provides various forms of secure individual and group communication, by means of which both textual and non-textual messages can be exchanged among users, as well as voice calls. Our methodology is based on the design of a set of experiments suitable to elicit the generation of artifacts and their retention on the device storage, and on the use of virtualized smartphones to ensure the generality of the results and the full repeatability of the experiments, so that our findings can be reproduced and validated by a third party. In this paper we show that, by using the proposed methodology, we are able (a) to identify all the artifacts generated by Telegram Messenger, (b) to decode and interpret each one of them, and (c) to correlate them in order to infer various types of information that cannot be obtained by considering each one of them in isolation. As a result, in this paper we show how to reconstruct the list of contacts, the chronology and contents of the messages that have been exchanged by users, as well as the contents of files that have been sent or received. Furthermore, we show how to determine significant properties of the various chats, groups, and channels in which the user has been involved (e.g., the identifier of the creator, the date of creation, the date of joining, etc.). Finally, we show how to reconstruct the log of the voice calls made or received by the user. Although in this paper we focus on Telegram Messenger, our methodology can be applied to the forensic analysis of any application running on the Android platform.

5.
Since the inception of Web 2.0, instant messaging, e-mail, and social networking have emerged as cheap and efficient means of communication over the Web. As a result, a number of communication platforms like Digsby have been developed by various research groups to facilitate access to multiple e-mail, instant messaging, and social networking sites using a single credential. Although such platforms are advantageous for end-users, they present new challenges to digital forensic examiners because of their illegitimate use by anti-social elements. To identify digital artifacts from Digsby log data, an examiner is assumed to know where Digsby traces are located before starting an investigation. This paper proposes a design for a user-friendly GUI-based forensic tool, DigLA, which provides a unified platform for analyzing Digsby log data at different levels of granularity. DigLA is also equipped with password decryption methods for both machine-specific and portable installation versions of Digsby. By considering the Windows registry and Digsby log files as dynamic sources of evidence, specifically when Digsby has been used to commit a cyber crime, this paper presents a systematic approach to analyzing Digsby log data. It also presents an approach to analyzing RAM and swap files to collect relevant traces, specifically the login credentials of Digsby and IM users. An expected insider attack from a server security perspective is also studied and discussed in this paper.

6.
The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts that support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature, demonstrating the ability to recover activity-based content from within its stored database log files. Examination results and the underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query is provided to support the interpretation of data stored within the ActivitiesCache.db.

7.
Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms like Microsoft Teams increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application, particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on the Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. The Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, the forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.

8.
The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscalable, and alternative methods to reduce the time trained analysts spend on each job are necessary. This work leverages standardised knowledge representation techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of which facts support each decision. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high-level case data without manually deriving it from the low-level artefacts. Extraction and understanding of users and social networks, and translating the state of file systems into sequences of events, are the first uses for this work. A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups and shutdowns, or user events, such as web browsing and sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer: the internet cache can hold Facebook, LinkedIn and Google Plus caches; email has address books and copies of emails sent and received; instant messengers have friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator. Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.

9.
10.
11.
As digital evidence now features prominently in many criminal investigations, the large volume of requests for the forensic examination of devices has led to well-publicized backlogs and delays. In an effort to cope, triage policies are frequently implemented in order to reduce the number of digital devices that are seized unnecessarily. Often first responders are tasked with performing triage at the scene in order to decide whether any identified devices should be seized and submitted for forensic examination. In some cases, this is done with the assistance of software that allows device content to be “previewed”; in other cases, a first responder will triage devices using their judgment and experience alone, without knowledge of the device's content, which is referred to as “decision-based device triage” (DBDT). This work provides a discussion of the challenges first responders face when carrying out DBDT at the scene. In response, the COLLECTORS ranking scale is proposed to help first responders carry out DBDT and to formalize this process in an effort to support quality control of this practice. The COLLECTORS ranking scale consists of 10 categories against which first responders should rank a given device. Each device's cumulative score should be compared against the defined “seizure thresholds”, which support first responders in assessing when to seize a device. To offer clarity, an example use case involving the COLLECTORS ranking scale is included, highlighting its application when faced with multiple digital devices at the scene.

12.
WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application, and no comprehensive digital forensic analysis had been performed with regard to this feature at the time of writing this paper. In this work, we describe how we were able to decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature, including: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) the WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp call termination. We explain the methods and tools used to decrypt the traffic and thoroughly elaborate on our findings with respect to the WhatsApp signaling messages. Furthermore, we provide the community with a tool that helps in the visualization of the WhatsApp protocol messages.

13.
Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and the chronology of messages, was recovered. Based on the findings, a two-dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.

14.
Legal order originated in a land-centered agricultural society and has since passed through a market-centered industrial society and a network-centered information society. With the rise of the intelligent society, it is transforming into an algorithm-centered legal order of an intelligent society. The “digital”, “networking” and “intelligent” revolution brought about by intelligent technologies, including big data, cloud computing, the Internet, blockchain, and artificial intelligence (AI), has been posing critical challenges to the current legal order, and has generated powerful momentum for the construction of a fresh legal order featuring scientific rigor, people-centeredness, justice, inclusiveness and co-governance. Constructing such a new jurisprudential legal order to solve the intelligent society's “governance deficit” is an urgent task. There is a need to set up a new foundation on which an intelligent society can build steady and lasting progress.

15.
An Android social app taxonomy incorporating artifacts that are of forensic interest will enable users and forensic investigators to identify the personally identifiable information (PII) stored by the apps. In this study, 30 popular Android social apps were examined. Artifacts of forensic interest (e.g., contact lists, chronology of messages, and the timestamp of an added contact) were recovered. In addition, images were located, and Facebook token strings used to tie account identities and gain access to information entered into Facebook by a user were identified. Based on the findings, a two-dimensional taxonomy of the forensic artifacts of the social apps is proposed. A comparative summary of existing forensic taxonomies of different categories of Android apps, designed to facilitate timely collection and analysis of evidentiary materials from Android devices, is presented.

16.
This paper is designed to assist forensic psychiatrists/psychologists who evaluate adults who commit sexual crimes against children on the Internet. The typical offender is an adult male who logs onto the Internet and enters a chat room in which children congregate. Unbeknownst to the offender, undercover police officers are posing as minors in the chat rooms. The undercover officer (pretend kid) and the offender engage in increasingly explicit sexual conversation; the offender may transmit erotic photographs to the undercover officer and/or arrange to meet at a motel in order to have sexual intercourse. The authors discuss the relevant legal, clinical, and ethical aspects of examining these offenders, and describe specific cases that the second author evaluated.

17.
Invalid data in forensic assessment are most often indicated by excessive endorsement of psychiatric symptoms. Although this method of identifying invalid profiles is generally effective, it does not make use of all conditional dependencies in the data. Modern psychometric methodologies can be used to identify aberrant response profiles through model-based indices known as person fit statistics. Specifically, the likelihoods of examinees' response profiles can be compared against observed or simulated likelihoods that are derived from empirical models of emotional and psychiatric functioning. This study demonstrates how person fit indices based on item response theory models can be used to detect misfitting response profiles in forensic assessment. Archival data from the Psychological Screening Inventory-2 (R. I. Lanyon, 2010a) were evaluated with Bayesian estimation and posterior predictive model checking to compare the response profile log-likelihoods of 74 forensic participants with those of 1,046 normative participants. Results suggest that 61% of forensic examinees but only 5% of normative examinees had misfitting data. Misfitting “fake bad” forensic profiles appeared to be associated with overly discrepant endorsement of symptoms, and misfitting “fake good” forensic profiles appeared to be associated with overly narrow endorsement of symptoms. The high rate of misfit among forensic examinees challenges the appropriateness of basing interpretations of forensic data on reliability and validity coefficients from normative samples. However, because aspects of the methodology are still untested in forensic and clinical assessment (e.g., the use of priors in this study), future research is needed to evaluate its appropriateness for clinical practice.

18.
Since the nineteenth and twentieth centuries, information has been pivotal, first in the cultural tradition and then in the economic tradition. The Fordist economic model and its specialisation requirements gave rise to a simplistic zoning and single-use development approach to the design of a city, which in turn produced fragmented growth of cities. Inevitably, zoning as an urban strategy affected the architectural scale. Nevertheless, the idea of information, commercial goods and thereby people being able to flow freely through the city allowed architects and urban designers to conceive new types of urban infrastructure, for example trains, which were designed on the model of urban “arteries and veins.” Over time, the persistence of urban and architectural segmentation has strengthened social and economic inequalities within urban society, and information has played an increasingly vital role in this strengthening process. The technological achievements of the twenty-first century, such as information technologies, have significantly affected cities. The new informational patterns have provided new ways of designing cities and, in turn, new ways for societies to experience them. These “quantified cities” consist of digital data that dynamically interact with “quantified human beings.” Consequently, a renewed urban semiotics is established, built around an alternative sociological comprehension. Is this new urban semiotics able to heal an ill and divided urban body? The paper investigates a new concept of the “quantified city” based on the notion of “Hyper-Reality,” and its inhabitants, who are entering a “post-human” condition while living in a dynamic urban environment. In particular, critical analysis is used as a “tool” for redefining the perception of the city (i.e., the image of the Hyper City) through the inhabitants' (post-humans') relational patterns, which are technologically mediated (i.e., Google Maps, Uber, Instagram, etc.). The more traditional notion of urbanisation is questioned, with a focus on how an urban society is embedded within the digital condition and the notion of a city.

19.
Objective: To establish a digitized system for forensic identification based on palatal rugae and to evaluate its effectiveness. Methods: Digital images of palatal rugae were acquired under standard conditions; the rugae information was processed through acquisition, denoising, enhancement, segmentation, feature extraction, edge detection and information matching, and a palatal rugae forensic identification system was developed using Matlab software and evaluated. Results: A digitized palatal rugae forensic identification system was successfully established; judging from the matching results, the accuracy rate reached 100%. Conclusion: The establishment of the digitized palatal rugae forensic identification system provides a new method and approach for forensic identification.

20.
Since the development of the striagraph, various attempts have been made to enhance forensic investigation through the use of measuring and imaging equipment. This study describes the development of a prototype system employing an easy-to-use software interface designed to provide forensic examiners with the ability to measure the topography of a toolmarked surface and then conduct various comparisons using a statistical algorithm. Acquisition of the data is carried out using a portable 3D optical profilometer, and comparison of the resulting data files is made using software named “MANTIS” (Mark and Tool Inspection Suite). The system has been tested on laboratory-produced markings that include fully striated marks (e.g., screwdriver markings), quasi-striated markings produced by shear-cut pliers, impression marks left by chisels, rifling marks on bullets, and cut marks produced by knives. Using the system, an examiner has the potential to (i) visually compare two toolmarked surfaces in a manner similar to a comparison microscope and (ii) use the quantitative information embedded within the acquired data to obtain an objective statistical comparison of the data files. This study shows that, based on the results from laboratory samples, the system has great potential for aiding examiners in conducting comparisons of toolmarks.
