Taxonomy of Challenges for Digital Forensics

Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.     

微生物物证检验

面对21世纪生物犯罪或生物恐怖活动的新挑战,物证鉴定的新专业--微生物物证检验将成为执法部门侦查和起诉生物犯罪必不可少的手段。微生物物证检验以用作犯罪武器的各种微生物为检验对象,获得微生物种类和能够提供来源信息的菌毒株细致分型结果,达到提供犯罪侦查线索和法庭证据的目的。本文综述了微生物物证检验的定义、特征、技术应用以及美国近年来在微生物物证检验的实践和值得借鉴的成功经验。并建议我国物证鉴定实验室应积极开展研究,建立能够满足生物犯罪侦查需求的微生物物证检验能力。     

Quantitative evaluation of the results of digital forensic investigations: a review of progress

Unlike conventional forensics, digital forensics does not at present generally quantify the results of its investigations. It is suggested that digital forensics should aim to catch up with other forensic disciplines by using Bayesian and other numerical methodologies to quantify its investigations’ results. Assessing the plausibility of alternative hypotheses (or propositions, or claims) which explain how recovered digital evidence came to exist on a device could assist both the prosecution and the defence sides in criminal proceedings: helping the prosecution to decide whether to proceed to trial and helping defence lawyers to advise a defendant how to plead. This paper reviews some numerical approaches to the goal of quantifying the relative weights of individual items of digital evidence and the plausibility of hypotheses based on that evidence. The potential advantages enabling the construction of cost-effective digital forensic triage schemas are also outlined.

Key points

• The absence of quantified results from digital forensic investigations, unlike those of conventional forensics, is highlighted.
• A number of approaches towards quantitative evaluation of the results of digital forensic investigations are reviewed.
• The significant potential benefits accruing from such approaches are discussed.

     

The Influence of Evidence on Animal Cruelty Prosecution and Case Outcomes: Results of a Survey

Two hundred prosecuting attorneys completed a survey concerning priorities in taking on animal cruelty cases and the factors that help or hinder prosecuting such cases. Respondents commented on the priority given such cases. Questions also addressed specific kinds of evidence that had been used to decide whether to take on a cruelty case and were used in court. Results showed that prosecutors most frequently relied upon “traditional” sources of evidence, including detailed medical and crime scene reports and good quality photographic evidence. Other sources of forensic evidence such as DNA, computer forensics, forensic accounting, blood, and trace evidence were rarely employed. Veterinary forensic evidence, including forensic necropsies and detailed medical reports, was viewed as an important factor by a majority of prosecutors in deciding whether to accept a case for prosecution and in achieving a successful outcome, but a need for additional training for investigators was indicated.     

Advanced Framework for Digital Forensic Technologies and Procedures*

Abstract: Recent trends in global networks are leading toward service‐oriented architectures and sensor networks. On one hand of the spectrum, this means deployment of services from numerous providers to form new service composites, and on the other hand this means emergence of Internet of things. Both these kinds belong to a plethora of realms and can be deployed in many ways, which will pose serious problems in cases of abuse. Consequently, both trends increase the need for new approaches to digital forensics that would furnish admissible evidence for litigation. Because technology alone is clearly not sufficient, it has to be adequately supported by appropriate investigative procedures, which have yet become a subject of an international consensus. This paper therefore provides appropriate a holistic framework to foster an internationally agreed upon approach in digital forensics along with necessary improvements. It is based on a top‐down approach, starting with legal, continuing with organizational, and ending with technical issues. More precisely, the paper presents a new architectural technological solution that addresses the core forensic principles at its roots. It deploys so‐called leveled message authentication codes and digital signatures to provide data integrity in a way that significantly eases forensic investigations into attacked systems in their operational state. Further, using a top‐down approach a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators perform routine investigations, without becoming overwhelmed by low‐level details. As low‐level details should not be left out, the framework is further evaluated to include these details to allow organizations to configure their systems for proactive collection and preservation of potential digital evidence in a structured manner. The main reason behind this approach is to stimulate efforts on an internationally agreed “template legislation,” similarly to model law in the area of electronic commerce, which would enable harmonized national implementations in the area of digital forensics.     

论法庭科学实验室认可的特殊要求

本文从价值观、证据资格和优质法庭科学服务3个方面分析了法庭科学实验室认可特殊性的产生根源;分析和总结了ILAC和部分国家法庭科学实验室认可的特殊要求,给此项工作在我国的开展提供了借鉴。     

数字录音真实性司法鉴定研究现状

随着数字录音设备的普及,以及音频编辑技术的大众化趋势,传统的检验方法和技术在当前数字录音真实性司法鉴定实践中面临着极大的挑战。模式识别和人工智能等领域的最新进展为数字录音真实性鉴定提供了有效的检验角度。通过分析和总结当前机器学习和模式识别等研究领域在数字录音真实性研究方面的前沿探索性成果,结合对当前录音真实性司法鉴定实践应用中的关键技术和方法的论述,分析和探讨数字录音真实性司法鉴定领域研究所面临的问题、挑战及未来发展趋势。指出专家经验判断分析技术和统计量化检验方法的协作并存是数字录音真实性鉴定的必然趋势和高效解决方案。     

Meeting a Forensic Podiatry Admissibility Challenge: A Daubert Case Study

This article is an introduction to the United States Supreme Court's standard of admissibility of forensic evidence and testimony at trial, known as the Daubert standard, with emphasis on how this standard applies to the field of forensic podiatry. The author, a forensic podiatrist, provided law enforcement with evidence tying a bloody sock‐clad footprint found at the scene of a homicide to the suspect. In 2014, the author testified at a pretrial hearing, known as “a Daubert hearing,” to address the admissibility of this evidence in court. This was the first instance of forensic podiatry being the primary subject of a Daubert hearing. The hearing resulted in the court ordering this evidence admissible. The expert's testimony contributed to the suspect's conviction. This article serves as a reference for forensic podiatrists and experts in similar fields that involve impression evidence, providing evidentiary standards and their impact on expert evidence and testimony.     

Investigation Delayed Is Justice Denied: Proposals for Expediting Forensic Examinations of Digital Evidence*

Abstract: There is an urgent need to reduce the growing backlog of forensic examinations in Digital Forensics Laboratories (DFLs). Currently, DFLs routinely create forensic duplicates and perform in‐depth forensic examinations of all submitted media. This approach is rapidly becoming untenable as more cases involve increasing quantities of digital evidence. A more efficient and effective three‐tiered strategy for performing forensic examinations will enable DFLs to produce useful results in a timely manner at different phases of an investigation, and will reduce unnecessary expenditure of resources on less serious matters. The three levels of forensic examination are described along with practical examples and suitable tools. Realizing that this is not simply a technical problem, we address the need to update training and establish thresholds in DFLs. Threshold considerations include the likelihood of missing exculpatory evidence and seriousness of the offense. We conclude with the implications of scaling forensic examinations to the investigation.     

Data fragment forensics for embedded DVR systems

A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics.To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequential fragmentation and missing fragments overwritten by other data.This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on techniques described in this paper.     

Toward a General Ontology for Digital Forensic Disciplines

Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.     

Likelihood Ratios for Deep Neural Networks in Face Comparison

In this study, we aim to compare the performance of systems and forensic facial comparison experts in terms of likelihood ratio computation to assess the potential of the machine to support the human expert in the courtroom. In forensics, transparency in the methods is essential. Consequently, state-of-the-art free software was preferred over commercial software. Three different open-source automated systems chosen for their availability and clarity were as follows: OpenFace, SeetaFace, and FaceNet; all three based on convolutional neural networks that return a distance (OpenFace, FaceNet) or similarity (SeetaFace). The returned distance or similarity is converted to a likelihood ratio using three different distribution fits: parametric fit Weibull distribution, nonparametric fit kernel density estimation, and isotonic regression with pool adjacent violators algorithm. The results show that with low-quality frontal images, automated systems have better performance to detect nonmatches than investigators: 100% of precision and specificity in confusion matrix against 89% and 86% obtained by investigators, but with good quality images forensic experts have better results. The rank correlation between investigators and software is around 80%. We conclude that the software can assist in reporting officers as it can do faster and more reliable comparisons with full-frontal images, which can help the forensic expert in casework.     

High-speed search using Tarari content processor in digital forensics

Recently, “Speed” is one of the hot issues in digital forensics. Thanks to a recent advanced technology, today we can get bigger hard drive disks at a lower price than previously. But unfortunately, it means for forensic investigators that they need tremendous time and effort in the sequence of process of creating forensic images, searching into them and analyzing them. In order to solve this problem, some methods have been proposed to improve performance of forensic tools. One of them getting attention is a hardware-based approach. However, such a way is limited in the field of evidence cloning or password cracking while it is rarely used in searching and analysis of the digital evidence. In this paper, we design and implement a high-speed search engine using a Tarari content processor. Furthermore, we show feasibility of our approach by comparing its performance and features to those of a popular forensic tool currently on the market.     

High-speed search using Tarari content processor in digital forensics

Recently, “Speed” is one of the hot issues in digital forensics. Thanks to a recent advanced technology, today we can get bigger hard drive disks at a lower price than previously. But unfortunately, it means for forensic investigators that they need tremendous time and effort in the sequence of process of creating forensic images, searching into them and analyzing them. In order to solve this problem, some methods have been proposed to improve performance of forensic tools. One of them getting attention is a hardware-based approach. However, such a way is limited in the field of evidence cloning or password cracking while it is rarely used in searching and analysis of the digital evidence. In this paper, we design and implement a high-speed search engine using a Tarari content processor. Furthermore, we show feasibility of our approach by comparing its performance and features to those of a popular forensic tool currently on the market.     

DNA evidence in South Africa: Lessons learned to date

A trend was noted over the past 15 years in the South African courts. This trend has a multi-factorial origin and highlights the problems faced in the use of forensic science evidence in court. Although there have been improvements on how DNA evidence is gathered and presented in court, due to the fact that certain cases have been contested at the DNA evidence level, multiple issues remain that have not yet been addressed when DNA evidence is submitted to court. These issues include: accreditation, regulation of the forensic science profession, continued education, training of court officials, quality assurance, biased testimony, lack of transparency with regard to processes and procedures followed in the forensic community, incorrect interpretation of DNA evidence, lack of scientific knowledge (including the scientific method) by DNA experts, awareness by the legal profession and an over emphasis on the prosecuting perspective. These same aspects continue to plague current cases. Despite the above, the window of opportunity to address the above has not yet passed. However, it will take continuous and concerted efforts from the scientific and legal professions to bring about the appropriate change to facilitate justice for all in South Africa.     

An inconclusive digital audio authenticity examination: a unique case

This case report sets forth an authenticity examination of 35 encrypted, proprietary-format digital audio files containing recorded telephone conversations between two codefendants in a criminal matter. The codefendant who recorded the conversations did so on a recording system he developed; additionally, he was both a forensic audio authenticity examiner, who had published and presented in the field, and was the head of a professional audio society's writing group for authenticity standards. The authors conducted the examination of the recordings following nine laboratory steps of the peer-reviewed and published 11-step digital audio authenticity protocol. Based considerably on the codefendant's direct involvement with the development of the encrypted audio format, his experience in the field of forensic audio authenticity analysis, and the ease with which the audio files could be accessed, converted, edited in the gap areas, and reconstructed in such a way that the processes were undetected, the authors concluded that the recordings could not be scientifically authenticated through accepted forensic practices.     

Passive forensics in image and video using noise features: A review

Due to present of enormous free image and video editing software on the Internet, tampering of digital images and videos have become very easy. Validating the integrity of images or videos and detecting any attempt of forgery without use of active forensic technique such as Digital Signature or Digital Watermark is a big challenge to researchers. Passive forensic techniques, unlike active techniques, do not need any preembeded information about the image or video. The proposed paper presents a comprehensive review of the recent developments in the field of digital image and video forensic using noise features. The previously existing methods of image and video forensics proved the importance of noises and encourage us for the study and perform extensive research in this field. Moreover, in this paper, forensic task cover mainly source identification and forgery detection in the image and video using noise features. Thus, various source identification and forgery detection methods using noise features are reviewed and compared in this paper for image and video. The overall objective of this paper is to give researchers a broad perspective on various aspects of image and video forensics using noise features. Conclusion part of this paper discusses about the importance of noise features and the challenges encountered by different image and video forensic method using noise features.     

Study on the tracking revision history of MS Word files for forensic investigation

Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.     

Can computer forensic tools be trusted in digital investigations?

This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while as most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.     

The CSI effect and the Canadian and the Australian Jury

Television shows, such as CBS's CSI and its spin-offs CSI: Miami; CSI: Las Vegas; and CSI: New York, have sparked the imagination of thousands of viewers who want to become forensic scientists. The shows' fictional portrayals of crime scene investigations have prompted fears that jurors will demand DNA and other forensic evidence before they will convict, and have unrealistic expectations of that evidence. This has been dubbed the "CSI effect." This phenomenon was explored using results from a Canadian study based on 605 surveys of Canadian college students who would be considered jury-eligible and Australian quantitative and qualitative findings from a study that surveyed and interviewed real posttrial jurors. Information about the way jurors deal with forensic evidence in the context of other evidence and feedback about the way in which understanding such evidence could be increased were gained from both these studies. The comparison provides insights into the knowledge base of jurors, permitting adaptation of methods of presenting forensic information by lawyers and experts in court, based on evidence rather than folklore. While the Canadian juror data showed statistically significant findings that jurors are clearly influenced in their treatment of some forensic evidence by their television-viewing habits, reassuringly, no support was found in either study for the operation of a detrimental CSI effect as defined above. In the Australian study, in fact, support was found for the proposition that jurors assess forensic evidence in a balanced and thoughtful manner.