Illuminating the benefits and limitations of forensic light sources

Forensic light sources, such as a Crime-lite, are used in forensic laboratories and by police staff in the examination for, and detection of, biological material. Whilst the benefits of using forensic light sources are relatively well understood, their limitations are less-so. This report details the outcome of studies, validation and review by three forensic laboratories, as well as three case examples, to highlight both the strengths and weaknesses of the tested forensic light sources and to demonstrate that, whilst a useful preliminary screening tool, they should not be used in isolation without subsequent presumptive chemical testing. False positives and negatives are common, and the background substrate and specific biological material present can have a significant effect on the outcome of examination when using a forensic light source.     

A typology of hackers: Classifying cyber malfeasance using a weighted arc circumplex model

Cyber attacks continue to increase in frequency and variety, making cyber malfeasance a rising area of study and a major policy issue. Categorizing cyber attackers aids targeted organizations in efficiently directing resources to enhance security. However, extant hacker typologies do not fully account for the multifaceted nature of cyber malfeasance, including the rise in socially and ideologically motivated hacking (e.g. crowdsourcing, hacktivism). I clarify the current state of the field by uniting recent case studies on hackers with existing categorization techniques. Previous researchers have employed circumplex models—visualizations which depict relationships and boundaries between groups—as a way to organize hacker types. I propose an updated model—a weighted arc circumplex model—that is designed to represent the multidimensional nature of contemporary hacker types by offering a means of visually representing multiple motivations simultaneously. Finally, I demonstrate how archetypical circumplex models can be wed with sociograms to depict social and technical relationships between hacker groups.     

Data Breach,Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.     

司法鉴定机构适应《司法鉴定程序通则》要求的探讨

作者通过对新颁布的《司法鉴定程序通则》研读与思考,结合目前多数司法鉴定机构的现状,对于作为《司法鉴定程序通则》主要管理对象之一的司法鉴定机构如何尽快适应这部重要法规的要求,制定和完善各项相关制度,科学规范司法鉴定工作,作了探讨。     

The GeFI (Italian Forensic Geneticists) code of conduct

The Ge.F.I. (Italian Forensic Geneticists) board has set up a working group aimed to develop the “Code of conduct of a Forensic Geneticist”. This group includes all practitioners working in the field of forensic genetics. The rules of the code of conduct apply to forensic geneticists belonging to the GeFI group and all of those sharing the GeFI’s mission, vision and values applicable to their professional practice, reciprocal relationship and relationship with third parties.     

Do we need a forensic science teaching network?

The challenging events of the past year have forced those of us working in higher education to adapt our teaching practices to conform to the restrictions put in place. For many this has been an opportunity to take a fresh view of the way material has been delivered in the past, and critically reflect on how it might be delivered in the future. There has been an explosion of innovative ideas and the introduction of support networks such as ‘#RemoteForensicCSI’ to aid with sharing these new innovations and examples of good practice.However, the past year has also helped to highlight a lack of an established network that could support the teaching of forensic science in the UK. Teaching networks within the UK exist for related disciplines, such as the Royal Society of Chemistry’s Higher Education Chemistry Teaching Network, but no network focuses on the teaching challenges specific to forensic science. Such a network could help to address the gap in pedagogical research to help support more effective teaching and give learners the best opportunities possible. This would complement the work of the Chartered Society of Forensic Science including upholding accreditation standards and the existing Link Member Scheme, whilst providing an environment to specifically support the teaching of forensic science. Any network could also look to link with other networks internationally such as the Council of Forensic Science Educators in the USA and identify examples of good practice worldwide that could be used to enhance and inform forensic science teaching in the UK.The teaching of forensic science is multifaceted with a need to strike a balance between practical skills and theoretical knowledge. Like many vocational courses forensic science teaching staff have a diverse range of backgrounds, encompassing both academic and practitioner experience. This results in a range of experiences and approaches to teaching and delivery, creating a fantastic melting pot for ideas, but outlets for sharing these innovative approaches are limited. This article will highlight some of the pedagogical gaps within forensic science teaching and areas that we could learn from. Most importantly, it will issue a clarion call to those working in this area to push for a UK Forensic Teaching Network.     

Evaluative approach to semen transfer in a case of alleged sexual assault: A case study

This paper demonstrates a logical framework for evaluating forensic evidence, first described by Cook et al. [1,2], using a casework example of an alleged sexual assault involving semen transfer. Here we show in real time how the case strategy can change with additional information and how to use available experience and published data to interpret the findings obtained, given the background information provided. The findings of the case are interpreted using the Bayesian approach and are reported by giving the strength of support of scientific findings for one proposition rather than a competing proposition, as per the European Network of Forensic Science Institutes (ENSFI) guideline for evaluative reporting. We believe that using this paper as a template will aid other Forensic Science Practitioners (FSP) to add value and weight to their work by assisting them in evaluating and interpreting their own findings.     

司法会计不等于司法会计鉴定——暨谈涉案会计事实证明中的几个误区

目前,涉案会计事实证明中存在着几个认识上的误区。诸如“司法会计就是司法会计鉴定”,“司法会计鉴定的主要功能是发现涉案会计事实”,“司法会计鉴定对象载体是财务会计资料”,“只要是涉案会计事实的证明活动就是司法会计鉴定”和“司法会计鉴定越客观越好,应该看到什么说什么”,等等。这些认识不利于合理发挥各种涉案会计事实专业证明手段的作用,削弱了这些专业证明手段的证明力,影响了诉讼效率。     

Concepts and possibilities in forensic intelligence

Forensic intelligence can be viewed as comprising two parts, one directly concerning intelligence delivery in forensic casework, the other considering performance aspects of forensic work, loosely termed here as business intelligence. Forensic casework can be viewed as processes that produce an intelligence product useful to police investigations. Traditionally, forensic intelligence production has been confined to discipline-specific activity. This paper examines the concepts, processes and intelligence products delivered in forensic casework, the information repositories available from forensic examinations, and ways to produce within- and across-discipline casework correlations by using information technology to capitalise on the information sets available. Such analysis presents opportunities to improve forensic intelligence services as well as challenges for technical solutions to deliver appropriate data-mining capabilities for available information sets, such as digital photographs. Business intelligence refers primarily to examination of efficiency and effectiveness of forensic service delivery. This paper discusses measures of forensic activity and their relationship to crime outcomes as a measure of forensic effectiveness.     

Automated event and social network extraction from digital evidence sources with ontological mapping

The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscaleable and alternate methods to reduce the time trained analysts spend on each job are necessary.This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work.A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator.Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.     

Extracting Windows command line details from physical memory

Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.     

Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.     

Shifting forensic science focus from means to purpose: A path forward for the discipline?

Forensic science is facing a persistent crisis that is often addressed by organizational responses, with a strong focus on the improvement and standardisation of means and processes. However, organisations and processes are highly dependent on the political, economical and legal structures in which they operate. This may explain why most proposed solutions had difficulties in addressing the crisis up to now, as they could hardly be applied transversally to all forensic science models. Moreover, new tools and technologies are continuously developed by a quasi-infinite number of different scientific disciplines, thus leading to further diversity and fragmentation of forensic science. In this paper, it is proposed to shift the focus from means to purpose and consider forensic science current challenges in terms of discipline, before addressing organisations’ specific issues. As a distinct discipline, forensic science can refocus research and development on shared principles and purposes, such as reconstructing, monitoring, and preventing crime and security issues. This focus change will facilitate a better understanding of the trace as the object of study of forensic science and eventually lead to a more impactful and long-lasting effect. This approach will also foster the development of a forensic science culture (instead of a primarily technological culture) unified by purpose rather than means through more relevant education and research.     

Future challenges for smart cities: Cyber-security and digital forensics

Smart cities are comprised of diverse and interconnected components constantly exchanging data and facilitating improved living for a nation's population. Our view of a typical smart city consists of four key components, namely, Smart Grids, Building Automation Systems (BAS), Unmanned Aerial Vehicles (UAVs), Smart Vehicles; with enabling Internet of Things (IoT) sensors and the Cloud platform. The adversarial threats and criminal misuses in a smart city are increasingly heterogenous and significant, with provisioning of resilient and end-to-end security being a daunting task. When a cyber incident involving critical components of the smart city infrastructure occurs, appropriate measures can be taken to identify and enumerate concrete evidence to facilitate the forensic investigation process. Forensic preparedness and lessons learned from past forensic analysis can help protect the smart city against future incidents. This paper presents a holistic view of the security landscape of a smart city, identifying security threats and providing deep insight into digital investigation in the context of the smart city.     

A forensic visual aid: Traces versus knowledge

In this paper, I introduce the Forensic Field Map (FFM) that provides a two-dimensional view on the forensic field. This field is by definition very broad, encompassing a wide range of scientific areas and activities. The forensic work that supports solving criminal cases ranges from recognizing and preserving traces at crime scenes to explaining forensic results as expert witness in court. This goes hand in hand with the development of scientifically based methods and tooling as well as legal, forensic and laboratory procedures. Although the FFM came into being while developing a (visual) framework for digital forensic investigations, the framework turned out to be generically applicable to other forensic disciplines.     

“In the public interest”: The privacy implications of international business-to-business sharing of cyber-threat intelligence

This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence.The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project in terms of the 34 jurisdictions reviewed as to their data protection requirements is more comprehensive than any similar study to date.This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe. It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally.In this article, the authors examine whether static and dynamic IP addresses are “personal data” as defined in the GDPR and its predecessor the 1995 Directive that is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject, can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.     

The Kodak Syndrome: Risks and Opportunities Created by Decentralization of Forensic Capabilities

Forensic science laboratories are being challenged by the expanding decentralization of forensic capabilities, particularly for digital traces. This study recommends laboratories undertake digital transformations to capitalize on the decentralization movement, develop a more comprehensive understanding of crime and security‐relevant problems, and play a more central role in problem‐solving collaboratively with law enforcement organizations and other stakeholders. A framework for the bilateral transfer of information and knowledge is proposed to magnify the impact of forensic science laboratories on abating crime, strengthening security, and reinforcing the criminal justice system. To accomplish digital transformations, laboratories require personnel with different expertise, including investigative reasoning, knowledge codification, data analytics, and forensic intelligence. Ultimately, this study encourages managers, educators, researchers, and policymakers to look beyond the usefulness of forensic results for solving individual investigations, and to realize the value of combined forensic knowledge and intelligence for developing broader strategies to deal with crime in digitalized society.     

Use of the Rorschach in forensic settings for treatment planning and monitoring

Forensic psychiatric patients exhibit complex clinical issues that are neither readily understood by staff nor necessarily responsive to traditional psychotherapy or treatment milieu approaches. Individualized treatment planning identifies treatment needs and matches them to treatment services, thereby increasing the opportunity for a positive therapeutic outcome. The nature of the Rorschach, particularly that it bypasses volitional resources, enables observation and quantification of personality processes, making the Rorschach uniquely suited for treatment planning in forensic settings. In this article, the authors review relevant Rorschach literature, address the importance of incorporating Rorschach data into the assessment process, and discuss how Rorschach data fit into a thorough assessment that includes historical, clinical, dispositional, and contextual information. The authors offer two case examples to illustrate how Rorschach data are integrated in forensic treatment planning.     

Forensic occupational therapy to reduce risk of reoffending: a survey of practice in the United Kingdom

Forensic services are required to reduce an individual’s risk of reoffending. Despite being integral to forensic mental health services, the contribution of forensic occupational therapy to achieving this aim is unclear. This study describes current forensic occupational therapy practice to reduce reoffending risk in the United Kingdom. Responses to a cross-sectional survey consisting of multiple choice and free-text questions were analysed using frequency counts and percentages, and thematic analysis respectively. Of the 58 participants, 83% actively addressed reoffending risk. Participants informed practice with occupation-focused theories, models and assessment tools. Five themes described forensic occupational therapy to reduce reoffending risk: an occupational perspective of risk assessment and formulation; volitional realignment; increasing protective factors; community integration; and enhancing understanding of forensic occupational therapy. Forensic occupational therapists perceive their practice to contribute to reducing reoffending risk, but are yet to establish routine outcome measurement in this area. Implications for practice and future research are discussed.