Similar literature
Found 20 similar documents; search took 31 ms
1.
《Digital Investigation》2014,11(4):295-313
Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem forensics. In this paper, we aim to address this gap in knowledge. Using our previously published cloud forensic framework as the underlying basis, we conduct an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics. We discuss the technical and process issues regarding collection of evidential data from distributed filesystems, particularly when used in cloud computing environments. A number of digital forensic artefacts are also discussed. We then propose a process for the collection of evidential data from distributed filesystems.

2.
This work introduces novel methods for conducting forensic analysis of file allocation traces, collectively called digital stratigraphy. These in‐depth forensic analysis methods can provide insight into the origin, composition, distribution, and time frame of strata within storage media. Using case examples and empirical studies, this paper illuminates the successes, challenges, and limitations of digital stratigraphy. This study also shows how understanding file allocation methods can provide insight into concealment activities and how real‐world computer usage can complicate digital stratigraphy. Furthermore, this work explains how forensic analysts have misinterpreted traces of normal file system behavior as indications of concealment activities. This work raises awareness of the value of taking the overall context into account when analyzing file system traces. This work calls for further research in this area and for forensic tools to provide necessary information for such contextual analysis, such as highlighting mass deletion, mass copying, and potential backdating.

3.
《Science & justice》2014,54(6):470-480
This article presents a global vision of images in forensic science. The proliferation of perspectives on the use of images throughout criminal investigations and the increasing demand for research on this topic seem to demand a forensic science-based analysis. In this study, the definitions of and concepts related to material traces are revisited and applied to images, and a structured approach is used to persuade the scientific community to extend and improve the use of images as traces in criminal investigations. Current research efforts focus on technical issues and evidence assessment. This article provides a sound foundation for rationalising and explaining the processes involved in the production of clues from trace images. For example, the mechanisms through which these visual traces become clues of presence or action are described. An extensive literature review of forensic image analysis emphasises the existing guidelines and knowledge available for answering investigative questions (who, what, where, when and how). However, complementary developments are still necessary to demystify many aspects of image analysis in forensic science, including how to review and select images or use them to reconstruct an event or assist intelligence efforts. The hypothetico-deductive reasoning pathway used to discover unknown elements of an event or crime can also help scientists understand the underlying processes involved in their decision making. An analysis of a single image in an investigative or probative context is used to demonstrate the highly informative potential of images as traces and/or clues. Research efforts should be directed toward formalising the extraction and combination of clues from images. An appropriate methodology is key to expanding the use of images in forensic science.

4.
Forensic science laboratories are being challenged by the expanding decentralization of forensic capabilities, particularly for digital traces. This study recommends laboratories undertake digital transformations to capitalize on the decentralization movement, develop a more comprehensive understanding of crime and security‐relevant problems, and play a more central role in problem‐solving collaboratively with law enforcement organizations and other stakeholders. A framework for the bilateral transfer of information and knowledge is proposed to magnify the impact of forensic science laboratories on abating crime, strengthening security, and reinforcing the criminal justice system. To accomplish digital transformations, laboratories require personnel with different expertise, including investigative reasoning, knowledge codification, data analytics, and forensic intelligence. Ultimately, this study encourages managers, educators, researchers, and policymakers to look beyond the usefulness of forensic results for solving individual investigations, and to realize the value of combined forensic knowledge and intelligence for developing broader strategies to deal with crime in digitalized society.

5.
The research reported in this series of articles aimed at (1) automating the search of questioned ink specimens in ink reference collections and (2) at evaluating the strength of ink evidence in a transparent and balanced manner. These aims require that ink samples are analysed in an accurate and reproducible way and that they are compared in an objective and automated way. This latter requirement is due to the large number of comparisons that are necessary in both scenarios. A research programme was designed to (a) develop a standard methodology for analysing ink samples in a reproducible way, (b) comparing automatically and objectively ink samples and (c) evaluate the proposed methodology in forensic contexts. This report focuses on the last of the three stages of the research programme. The calibration and acquisition process and the mathematical comparison algorithms were described in previous papers [C. Neumann, P. Margot, New perspectives in the use of ink evidence in forensic science—Part I: Development of a quality assurance process for forensic ink analysis by HPTLC, Forensic Sci. Int. 185 (2009) 29–37; C. Neumann, P. Margot, New perspectives in the use of ink evidence in forensic science—Part II: Development and testing of mathematical algorithms for the automatic comparison of ink samples analysed by HPTLC, Forensic Sci. Int. 185 (2009) 38–50]. In this paper, the benefits and challenges of the proposed concepts are tested in two forensic contexts: (1) ink identification and (2) ink evidential value assessment. The results show that different algorithms are better suited for different tasks. This research shows that it is possible to build digital ink libraries using the most commonly used ink analytical technique, i.e. high-performance thin layer chromatography, despite its reputation of lacking reproducibility. More importantly, it is possible to assign evidential value to ink evidence in a transparent way using a probabilistic model. It is therefore possible to move away from the traditional subjective approach, which is entirely based on experts’ opinion, and which is usually not very informative. While there is room for improvement, this report demonstrates the significant gains obtained over the traditional subjective approach for the search of ink specimens in ink databases, and the interpretation of their evidential value.

6.
The field of digital forensics maintains significant reliance on the software it uses to acquire and investigate forms of digital evidence. Without these tools, analysis of digital devices would often not be possible. Despite such levels of reliance, techniques for validating digital forensic software are sparse and research is limited in both volume and depth. As practitioners pursue the goal of producing robust evidence, they face the onerous task of ensuring both the accuracy of their tools and their effective use. Whilst tool errors provide one issue, establishing a tool's limitations also provides an investigatory challenge, leading to the potential for practitioner user-error and ultimately a grey area of accountability. This article debates the problems surrounding digital forensic tool usage, evidential reliability and validation.

7.
Microbial communities have potential evidential utility for forensic applications. However, bioinformatic analysis of high-throughput sequencing data varies widely among laboratories. These differences can potentially affect microbial community composition and downstream analyses. To illustrate the importance of standardizing methodology, we compared analyses of postmortem microbiome samples using several bioinformatic pipelines, varying minimum library size or minimum number of sequences per sample, and sample size. Using the same input sequence data, we found that three open-source bioinformatic pipelines, MG-RAST, mothur, and QIIME2, had significant differences in relative abundance, alpha-diversity, and beta-diversity, despite the same input data. Increasing minimum library size and sample size increased the number of low-abundant and infrequent taxa detected. Our results show that bioinformatic pipeline and parameter choice affect results in important ways. Given the growing potential application of forensic microbiology to the criminal justice system, continued research on standardizing computational methodology will be important for downstream applications.

8.
This paper extends previous research and discussion on the use of multivariate continuous data, which are about to become more prevalent in forensic science. As an illustrative example, attention is drawn here to the area of comparative handwriting examinations. Multivariate continuous data can be obtained in this field by analysing the contour shape of loop characters through Fourier analysis. This methodology, based on existing research in this area, allows one to describe in detail the morphology of character contours throughout a set of variables. This paper uses data collected from female and male writers to conduct a comparative analysis of likelihood ratio based evidence assessment procedures in both evaluative and investigative proceedings. While the use of likelihood ratios in the former situation is now rather well established (typically, in order to discriminate between propositions of authorship of a given individual versus another, unknown individual), focus on the investigative setting still remains rather beyond considerations in practice. This paper seeks to highlight that investigative settings, too, can represent an area of application for which the likelihood ratio can offer a logical support. As an example, the inference of gender of the writer of an incriminated handwritten text is forwarded, analysed and discussed in this paper. The more general viewpoint according to which likelihood ratio analyses can be helpful for investigative proceedings is supported here through various simulations. These offer a characterisation of the robustness of the proposed likelihood ratio methodology.

9.
Despite many years of empirical research focusing on investigative interviewing and detecting deception, very little research attention has been paid to the various types of evidence which feature in police interviews with suspects. In particular, the use of forensic evidence in the context of police interviews has not been previously considered, although in recent years the availability of various types of forensic analyses has dramatically increased. In the current study 398 experienced police interviewers from various countries completed a questionnaire about their experience of using various types of forensic evidence in interviews with suspects, as well as their perceptions regarding the strength of various sources of forensic information and how this may affect their interviewing strategy. The results indicated that although the participants have forensic evidence available in a large proportion of their interviews with suspects, the vast majority of police interviewers have received no training about how to interpret or use such forensic information. However, the perceived strength of forensic evidence was reported by some participants to affect their interview strategy and specifically the timing of the disclosure of such evidence during an interview. These findings are discussed with reference to police training and interview techniques, and suggestions for further research are offered.

10.
Cloud storage service allows users to store their data online, so that they can remotely access, maintain, manage, and back up data from anywhere via the Internet. Although helpful, this storage creates a challenge to digital forensic investigators and practitioners in collecting, identifying, acquiring, and preserving evidential data. This study proposes an investigation scheme for analyzing data remnants and determining probative artifacts in a cloud environment. Using pCloud as a case study, this research collected the data remnants available on end‐user device storage following the storing, uploading, and accessing of data in the cloud storage. Data remnants are collected from several sources, including client software files, directory listing, prefetch, registry, network PCAP, browser, and memory and link files. Results demonstrate that the collected remnants data are beneficial in determining a sufficient number of artifacts about the investigated cybercrime.

11.
《Science & justice》2022,62(3):310-326
Forensic investigation involves gathering the information necessary to understand the criminal events as well as linking objects or individuals to an item, location or other individual(s) for investigative purposes. For years techniques such as presumptive chemical tests, DNA profiling or fingermark analysis have been of great value to this process. However, these techniques have their limitations, whether it is a lack of confidence in the results obtained due to cross-reactivity, subjectivity and low sensitivity; or because they are dependent on holding reference samples in a pre-existing database. There is currently a need to devise new ways to gather as much information as possible from a single trace, particularly from biological traces commonly encountered in forensic casework. This review outlines the most recent advancements in the forensic analysis of biological fluids, fingermarks and hair. Special emphasis is placed on analytical methods that can expand the information obtained from the trace beyond what is achieved in the usual practices. Special attention is paid to those methods that accurately determine the nature of the sample, as well as how long it has been at the crime scene, along with individualising information regarding the donor source of the trace.

12.
《Digital Investigation》2014,11(2):102-110
Anti-forensics has developed to prevent digital forensic investigations, thus forensic investigations to prevent anti-forensic behaviors have been studied in various areas. In the area of user activity analysis, “IconCache.db” files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations such as the traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst. Therefore, an analyst can more easily analyze the IconCache.db file using the tool.

13.
This paper contributes to the ongoing discussion about the distinction between observations and propositions in forensic inference, with a specific focus on forensic voice comparison casework conducted in the UK. We outline both linguistic and legal issues which make the evaluation of voice evidence and the refinement of propositions problematic in practice, and illustrate these using case examples. We will argue that group-level observations from the offender sample will always be evidential and that the value of this evidence must be determined by the expert. As such, a proposal is made that experts should, at least conceptually, think of voice evidence as having two levels, both with evidential value: group-level and individual-level. The two rely on different underlying assumptions, and the group-level observations can be used to inform the individual-level propositions. However, for the sake of interpretability, it is probably preferable to present only one combined conclusion to the end user. We also wish to reiterate points made in previous work: in providing conclusions, the forensic expert must acknowledge that the value of the evidence is dependent on a number of assumptions (propositions and background information) and these assumptions must be made clear and explicit to the user.

14.
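Examination of mobile phone physical evidence and its application in criminal investigation   Total citations: 4, self-citations: 2, citations by others: 2
With the rapid development and wide application of mobile communication technology, the information contained in mobile phones has become an important source of leads and evidence in criminal investigation. By examining a phone's SIM card memory, mainboard memory and flash memory card with dedicated technical methods that meet the principles and requirements of physical evidence examination, a large amount of information can be obtained, including the phone user's personal information, communication content, records of when communications occurred, information the user has written to storage, and phone settings. The information provided by mobile phone examination results has very high investigative and evidential value, and the mobile phone has therefore become a new object of examination in the field of physical evidence identification.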

15.
《Science & justice》2022,62(2):229-238
Forensic soil comparisons can be of high evidential value in a forensic case, but become complex when multiple methods and factors are considered. Bayesian networks are well suited to support forensic practitioners in complex casework. This study discusses the structure of a Bayesian network, elaborates on the in- and output data and evaluates two examples, one using source level propositions and one using activity level propositions. These examples can be applied as a template to construct a case specific network and can be used to assess sensitivity of the target output to different factors and identify avenues for research.

16.
With professional and home Internet users becoming increasingly concerned with data protection and privacy, the privacy afforded by popular cloud file synchronisation services, such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A number of these services have recently been reported as sharing information with governmental security agencies without warrants. BitTorrent Sync is seen as an alternative by many and has gathered over two million users by December 2013 (doubling since the previous month). The service is completely decentralised, offers much of the same synchronisation functionality of cloud powered services and utilises encryption for data transmission (and optionally for remote storage). The importance of understanding BitTorrent Sync and its resulting digital investigative implications for law enforcement and forensic investigators will be paramount to future investigations. This paper outlines the client application, its detected network traffic and identifies artefacts that may be of value as evidence for future digital investigations.

17.
Current figures on the efficiency of DNA as an investigative tool in criminal investigations only tell part of the story. To get the DNA success story in the right perspective, we examined all forensic reports from serious (N = 116) and high‐volume crime cases (N = 2791) over the year 2011 from one police region in the Netherlands. These data show that 38% of analyzed serious crime traces (N = 384) and 17% of analyzed high‐volume crime traces (N = 386) did not result in a DNA profile. Turnaround times (from crime scene to DNA report) were 66 days for traces from serious crimes and 44 days for traces from high‐volume crimes. Suspects were truly identified through a match with the Offender DNA database of the Netherlands in 3% of the serious crime cases and in 1% of the high‐volume crime cases. These data are important for both the forensic laboratory and the professionals in the criminal justice system to further optimize forensic DNA testing as an investigative tool.

18.
《Science & justice》2023,63(2):206-228
Sexual assault casework requires the collaboration of multiple agency staff to formalise an investigative pipeline running from crime scene to court. While the same could be said of many other forensic investigations, few require the additional support of health care staff and the combined forensic involvement of body-fluid examiners, DNA experts and analytical chemists. The sheer amount of collaborative effort between agencies is laid out through a detailed examination of the investigative workflow from crime scene to courtroom with each step in the pipelines detailed and discussed. Beginning with a review of sexual assault legislation in the United Kingdom this article details how sexual assault investigations are initiated by police and supported by sexual assault referral centre (SARC) staff who are often the first responders providing primary healthcare and patient support to victims while simultaneously collecting and assessing forensic evidence. Detailing the myriad of evidential material that can be documented and collected at the SARC, the review identifies and categorises key forensic tests to first detect and identify body-fluids recovered from evidence through to the secondary analysis of DNA to help identify the suspect. This review also focusses on the collection and analysis of biological material used to support the allegation that the sexual activity was non-consensual and provides a breakdown of common marks and trauma as well as a review of common analytical methods used to infer Drug Facilitated Sexual Assault (DFSA). The culmination of the investigative pipeline is discussed by reviewing the Rape and Serious Sexual Assault (RASSO) workflow used by the Crown Prosecution Service before providing our thoughts on the future of forensic analysis and possible changes to the described workflows.

19.
This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation.

20.
This paper describes three recent false sexual assaults examined at the Victoria Forensic Science Centre laboratory where clothing damage analysis assisted in the resolution of the case. Suspected false reports of sexual assaults are often sensitive cases with little other forensic evidence. Any evidential value that can be obtained is thus valuable in order to minimize any ordeal to the complainant and any suspect and to conserve valuable resources. The findings illustrate the application of clothing damage analysis in a cross section of confirmed false sexual assault reports and the fact that the forensic examiner should be aware of the potential evidential value of this kind of analysis. Furthermore, the corroboration of a victim's scenario when the investigator has doubts may be no less valuable as it may minimize the adversarial ordeal that is often faced by a rape victim.
