An Android Communication App Forensic Taxonomy

Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and chronology of messages, was recovered. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other dimension. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.     

An Evidence‐Based Forensic Taxonomy of Windows Phone Communication Apps

Communication apps can be an important source of evidence in a forensic investigation (e.g., in the investigation of a drug trafficking or terrorism case where the communications apps were used by the accused persons during the transactions or planning activities). This study presents the first evidence‐based forensic taxonomy of Windows Phone communication apps, using an existing two‐dimensional Android forensic taxonomy as a baseline. Specifically, 30 Windows Phone communication apps, including Instant Messaging (IM) and Voice over IP (VoIP) apps, are examined. Artifacts extracted using physical acquisition are analyzed, and seven digital evidence objects of forensic interest are identified, namely: Call Log, Chats, Contacts, Locations, Installed Applications, SMSs and User Accounts. Findings from this study would help to facilitate timely and effective forensic investigations involving Windows Phone communication apps.     

Forensic Taxonomy of Android Social Apps

An Android social app taxonomy incorporating artifacts that are of forensic interest will enable users and forensic investigators to identify the personally identifiable information (PII) stored by the apps. In this study, 30 popular Android social apps were examined. Artifacts of forensic interest (e.g., contacts lists, chronology of messages, and timestamp of an added contact) were recovered. In addition, images were located, and Facebook token strings used to tie account identities and gain access to information entered into Facebook by a user were identified. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the social apps is proposed. A comparative summary of existing forensic taxonomies of different categories of Android apps, designed to facilitate timely collection and analysis of evidentiary materials from Android devices, is presented.     

Taxonomy of Challenges for Digital Forensics

Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.     

Who’s going to leave? An examination of absconding events by forensic inpatients in a psychiatric hospital

Absconding is a potentially risky event that has wide reaching consequences both for the institution and greater community; however, few studies have examined the characteristics of clients who abscond, their motivations, and details about their absconding event, especially within a forensic context. The purpose of this research was to determine if risk factors could be identified that might predict absconding behavior. A retrospective chart review was conducted of all reported absconding events between 1 January 2012 and 31 August 2015 by clients on forensic units in a public psychiatric hospital in Ontario, Canada. In addition, these clients were matched with a comparison group. Categories of motivations for absconding including goal-directed, frustration/boredom, symptomatic/disorganized, and impulsive/opportunistic were identified. The best indicator of a client’s risk for absconding was having experienced a stressful, significant event in the two weeks prior to the absconding event. Additionally, total scores on the HCR-20 and the presence of a co-occurring substance use disorder differentiated the absconders from the comparison group. This research contributes to our knowledge base regarding absconding events by forensic psychiatric patients and highlights specific targets for clinical staff in assessing risk for absconding and managing privileges leading to more effective care planning.     

Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study

The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS.In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is, a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying real servers storing evidences in a distributed environment and transaction reconstruction method, using log analysis and recovering deleted data from the MongoDB data file structure.     

A forensic examination of four popular cross‐platform file‐sharing apps with Wi‐Fi P2P

File‐sharing apps with Wi‐Fi hotspot or Wi‐Fi Direct functions become more popular. They can work on multiple platforms and allow users to transfer files in a concealed manner. However, when criminals use these apps in illegal activities, it becomes an important issue for investigators to find digital evidence on multiple platforms. At present, there are few studies on this topic, and most of them are limited to the single platform problem. In this paper, we propose a forensic examination method for four popular cross‐platform file‐sharing apps with Wi‐Fi hotspot and Wi‐Fi Direct functions: Zapya, SHAREit, Xender, and Feem. We use 22 static and live forensic tools for 11 platforms to acquire, analyze, and classify the forensic artifacts. In our experiments, we find many useful forensic artifacts and classify them into six categories. The experimental results can support law enforcement investigations of digital evidence and provide information for future studies on other cross‐platform file‐sharing apps.     

Application of Postmortem 3D‐CT Facial Reconstruction for Personal Identification*

Abstract: Postmortem computed tomography (CT) images can show internal findings related to the cause of death, and it can be a useful method for forensic diagnosis. In this study, we scanned a ready‐made box by helical CT on 2‐mm slices in a mobile CT scanner and measured each side of the box to assess whether reconstructed images are useful for superimposition. The mean difference between the actual measurements and the measurements on the three‐dimensional (3D) reconstructed images (3D‐CT images) is 0.9 mm; we regarded it as having no effect on reconstruction for the superimposition method. Furthermore, we could get 3D‐CT images of the skull, which were consistent with the actual skull, indicating that CT images can be applied to superimposition for identification. This study suggested that postmortem CT images can be applied as superimpositions for unidentified cases, and thinner slices or cone beam CT can be a more precise tool.     

Applicability of DNA analysis on adhesive tape in forensic casework

Adhesive tape is commonly used in crimes and is often the subject of forensic evaluation. DNA analysis of adhesive tape can provide DNA profiles of suspects. The object of this study was to evaluate the applicability of DNA analysis on adhesive tape samples in forensic casework. We retrospectively reviewed all cases involving adhesive tape or similar items received by our institute for DNA analysis during the past 11 years. From 100 forensic cases reviewed, 150 adhesive tape samples were examined. A total of 98 DNA profiles were obtained from these samples. Sixty-two of the profiles provided feasible case-relevant information. In conclusion, DNA profiling of adhesive tape samples can be useful in a variety of forensic cases.     

The Use of an Alternate Light Source for Detecting Bones Underwater

When searching underwater crime scenes or disaster scenes for fragmentary human remains, it may be advantageous for forensic divers to be able to detect the presence of bones and teeth among other marine materials (such as shells and rocks). In terrestrial environments, this can typically be accomplished by visual and instrumental methods, but underwater conditions make it difficult to employ detection and sorting techniques in these environments. This study investigates fluorescence of bones and teeth and other marine materials using a submersible alternate light source (ALS) and concludes that an ALS can be a useful tool for detecting bones and teeth in underwater searches as well in terrestrial searches and laboratory environments. The results could impact the methods and equipment used by forensic divers and forensic anthropologists when searching for skeletal remains, potentially increasing the quantity and efficiency of forensic evidence recovered.     

Organizational and Human Factors Affecting Forensic Decision-Making: Workplace Stress and Feedback

Although forensic examiners operate in a stressful environment, there is a lack of understanding about workplace stress and feedback. These organizational and human factors can potentially impact forensic science judgments. In this study, 150 practicing forensic examiners from one laboratory were surveyed about their experiences of workplace stress, and the explicit and implicit feedback they receive. Forensic examiners reported that their high stress levels originated more from workplace-related factors (management and/or supervision, backlogs, and the pressure to do many cases) than from personal related factors (family, medical, and/or financial). The findings showed that a few (8%) of the forensic examiners sometimes felt strong implicit feedback about what conclusions were expected from them and that some (14%) also strongly felt that they were more appreciated when they helped to solve a case (e.g., by reaching a “match” as opposed to an “inconclusive” conclusion). Differences were found when comparing workplace stress and feedback levels across three core forensic science fields (forensic biology, chemistry, and latent prints) and across career stages (early, mid, and late). Gaining insights into the stress factors within a workplace and explicit and implicit feedback has implications for developing policies to improve the well-being, motivation, and performance of forensic examiners.     

法医骨组织学研究

在实际检案中 ,当现场发现的骨骼残片体积较小时 ,用解剖学观察无法进行骨骼残片的法医鉴定 ,需使用骨组织学的方法进行骨骼残片的个体识别。目前 ,这是法医人类学中一门较活跃的领域 ,即法医骨组织学。法医骨组织学的内容主要包括两个方面 :(1)骨骼残片是否属于人类骨骼 ,或属于何种动物骨骼。这方面的研究包括人类骨骼的组织学特征研究及不同动物的组织学特征研究。 (2 )人类骨骼个体识别的组织学研究。这方面的研究主要包括 ,人类骨骼的组织学特征的年龄判断 ,例如股骨、胫骨、肱骨、锁骨等 ,以及使用骨组织学方法 ,进行人类骨骼的年龄评价的准确性研究。本文对上述内容进行了综述。     

美国法庭科学证据的应用与发展

＂法庭科学＂萌芽于古代中国,兴盛于近现代西方国家,最终发展成为具备完整科学体系的现代意义上的法庭科学学科。法庭科学证据的应用与发展显然与法庭科学的发展与应用密切相关,它们相互制约,相互促进。美国司法制度中关于法庭科学证据的证明力、可信度、可采性的分立质疑对法庭科学本身的发展无疑起到鞭策与促进作用。美国法庭科学证据的司法制度以及常用的一些传统与高技术法庭科学证据的使用过程中存在的许多问题,理解法庭科学证据标准,对我国法庭科学及其证据的研究与应用有所启迪。     

Assessing Cognitive Bias in Forensic Decisions: A Review and Outlook

In recent years, a number of studies have demonstrated that forensic examiners can be biased by task-irrelevant contextual information. However, concerns relating to methodological flaws and ecological validity attenuate how much the current body of knowledge can be applied to real-life operational settings. The current review takes a narrative approach to synthesizing the literature across forensic science. Further, the review considers three main issues: (i) primary research on contextual bias within forensic science; (ii) methodological criticisms of this research; (iii) an alternative perspective that task-irrelevant contextual information does not always lead to error. One suggestion for future research is outlined, which is that studies on contextual bias in forensic decisions should be conducted in collaboration between forensic scientists and cognitive psychologists. Only then can rigorous and ecological valid experiments be created that will be able to assess how task-irrelevant contextual information influences forensic analysis and judgments in operationally valid settings.     

Creating a State‐Academic Partnership to Advance a Forensic Teaching Service: Benefits and Barriers

In Washington State, like many states, there is a shortage of forensically trained mental health clinicians to work with criminal justice‐involved individuals. At the direction of the state legislature, a collaborative project was undertaken by the University of Washington, the state Department of Social and Health Services, and a state psychiatric hospital to develop a proposal for a jointly sponsored forensic teaching service. The authors reviewed the literature, surveyed and interviewed forensic psychiatry and psychology training directors, and conducted site visits of selected training programs that offer multidisciplinary training or have affiliations with state hospitals. The authors conducted focus groups of additional stakeholders, including clinicians and patients in forensic settings, to better understand the needs in Washington. The authors report on several common benefits and barriers to establishing forensic teaching services. Other states and forensic programs may find this article useful in identifying common considerations for forensic mental health teaching services.     

Study on the standard components of digital forensics laboratory

Recently, digital forensics has become increasingly important as it is used by investigation agencies, corporate, and private sector. To supplement the limitations of evidence capacity and be recognized in court, it is essential to establish an environment that ensures the integrity of the entire process ranging from collecting and analyzing to submitting digital evidence to court. In this study, common elements were extracted by comparing and analyzing ISO/IEC 17025, 27001 standards and Interpol and Council of Europe (CoE) guidelines to derive the necessary components for building a digital forensic laboratory. Subsequently, based on 21 digital forensic experts in the field, Delphi survey and verifications were conducted in three rounds. As a result, 40 components from seven areas were derived. The research results are based on the establishment, operation, management, and authentication of a digital forensics laboratory suitable for the domestic environment, with added credibility through collection of the opinions of 21 experts in the field of digital forensics in Korea. This study can be referred to in establishing digital forensic laboratories in national, public, and private digital forensic organizations as well as for employing as competency measurement criteria in courts to evaluate the reliability of the analysis results.     

Public beliefs about the accuracy and importance of forensic evidence in the United States

Recent advances in forensic science, especially the use of DNA technology, have revealed that faulty forensic analyses may have contributed to miscarriages of justice. In this study we build on recent research on the general public’s perceptions of the accuracy of 10 forensic science techniques and of each stage in the investigation process. We find that individuals in the United States hold a pessimistic view of the forensic science investigation process, believing that an error can occur about half of the time at each stage of the process. We find that respondents believe that forensics are far from perfect, with accuracy rates ranging from a low of 55% for voice analysis to a high of 83% for DNA analysis, with most techniques being considered between 65% and 75% accurate. Nevertheless, respondents still believe that forensic evidence is a key part of a criminal case, with nearly 30% of respondents believing that the absence of forensic evidence is sufficient for a prosecutor to drop the case and nearly 40% believing that the presence of forensic evidence – even if other forms of evidence suggest that the defendant is not guilty – is enough to convict the defendant.     

Characteristics of Forensic Imaging Performance—An Analysis of Forensic Imaging Bottlenecks

Disk imaging involves copying all of the data from a source disk drive to a target. Typically, the target for the copy is another disk drive. Forensic processes developed years ago do not appear to be adequate for current storage technology. For example, with disk drive capacities now exceeding 1 Terabyte, a typical disk imaging can take over 8 hours at typical rates. With disk drive capacities increasing, forensic copying is expected to take even longer. Along with increase in disk capacity, the industry has also seen an increase in data transfer rates. In many cases, forensic imaging is taking longer than necessary. To identify the bottlenecks, an examination of different methods used to transfer data from a source disk was performed. Factors considered were differing disk access technologies. One finding is that the USB disk access technology (version 2.0 and earlier) is a significant bottleneck for data transfer rates, especially when the USB device is a write‐blocker. Other factors that contribute to the efficiency of a forensic copy are the file system used to write a forensic image and the data transfer size used when reading from a disk drive. Optimal parameters for performing a forensic acquisition from a disk drive are identified.     

中国司法鉴定乱象之因

在某种程度上,其他证据已经无法取代司法鉴定在目前司法实践中的作用,其也是保障司法公正的重要手段。但是,自司法鉴定制度改革实施以来,司法鉴定服务乱象丛生,不仅与其本该具有的功能不相符合,甚至适得其反,成为导致错案发生的一大诱因,引起各界关注。在此从制度设计缺乏科学性、司法鉴定管理问题突出、市场化运行环境更是雪上加霜等三个方面讨论“乱象”产生的原因,以期能够鉴定制度能从这些方面得到完善。     

等位基因特异性PCR技术及其法医学应用

等位基因特异性PCR（allele-specific polymerase chain reaction,AS-PCR）是一种基于等位基因特异性引物引导的PCR技术,可以有效地分析单核苷酸多态性（SNP）,包括碱基的转换、颠换以及插入/缺失多态性,在疾病研究、分子诊断以及法医物证学研究中具有很好的应用价值.本文系统地综述了AS-PCR技术的原理、检测手段、改进方法及在常染色体、Y染色体和线粒体SNP等领域的研究成果,探讨其法医学应用价值.