Similar documents
1.
Advances in technology, including the development of smartphone features, have contributed to the growth of mobile applications, including dating apps. However, online dating services can be misused. To support law enforcement investigations, this study presents a forensic taxonomy that provides a systematic classification of forensic artifacts from Windows Phone 8 (WP8) dating apps. The taxonomy has three categories, namely Apps Categories, Artifacts Categories, and Data Partition Categories. It is built on the findings of a case study of 28 mobile dating apps examined with mobile forensic tools. The dating app taxonomy can be used to inform future studies of dating and related apps, such as those on the Android and iOS platforms.

2.
Communication apps can be an important source of evidence in a forensic investigation (e.g., in the investigation of a drug trafficking or terrorism case where the communication apps were used by the accused persons during the transactions or planning activities). This study presents the first evidence-based forensic taxonomy of Windows Phone communication apps, using an existing two-dimensional Android forensic taxonomy as a baseline. Specifically, 30 Windows Phone communication apps, including Instant Messaging (IM) and Voice over IP (VoIP) apps, are examined. Artifacts extracted using physical acquisition are analyzed, and seven digital evidence objects of forensic interest are identified, namely: Call Log, Chats, Contacts, Locations, Installed Applications, SMSs and User Accounts. The findings of this study should help to facilitate timely and effective forensic investigations involving Windows Phone communication apps.

3.
Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest arising from the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined; a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various items of forensic interest, such as contact lists and the chronology of messages, were recovered. Based on the findings, a two-dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.

4.
Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms like Microsoft Teams increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on it, particularly on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on the Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. The Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual (non-automated) investigation recovered, at least partially, the majority of artifacts across all three operating systems: a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, the forensic tools used did not automatically recover many of the artifacts found by the manual investigation; only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.

5.
Contextual bias has been widely discussed as a possible problem in forensic science. The trial simulation experiment reported here examined reactions of jurors at a county courthouse to cross-examination and arguments about contextual bias in a hypothetical case. We varied whether the key prosecution witness (a forensic odontologist) was cross-examined about the subjectivity of his interpretations and about his exposure to potentially biasing task-irrelevant information. Jurors found the expert less credible and were less likely to convict when the expert admitted that his interpretation rested on subjective judgment, and when he admitted having been exposed to potentially biasing task-irrelevant contextual information (relative to when these issues were not raised by the lawyers). The findings suggest, however, that forensic scientists can immunize themselves against such challenges and maximize the weight jurors give their evidence by adopting context management procedures that blind them to task-irrelevant information.

6.
To counter image forgeries, a number of forensic techniques for digital images have been developed that can detect an image's origin, trace its processing history, and locate the position of tampering. In particular, the statistical footprint left by JPEG compression can be a valuable source of information for the forensic analyst, and several image forensic algorithms have been proposed based on image statistics in the DCT domain. Recently, it has been shown that these footprints can be removed by adding a suitable anti-forensic dithering signal to the image in the DCT domain, which invalidates some image forensic algorithms. In this paper, a novel anti-forensic algorithm is proposed that is capable of concealing the quantization artifacts left in a singly JPEG-compressed image. In the scheme, a chaos-based dither is added to an image's DCT coefficients to remove such artifacts. The effectiveness of the scheme and the resulting loss of image quality are evaluated experimentally. The simulation results show that the proposed anti-forensic scheme can be used to verify the reliability of JPEG forensic tools.

7.
An Android social app taxonomy incorporating artifacts that are of forensic interest will enable users and forensic investigators to identify the personally identifiable information (PII) stored by the apps. In this study, 30 popular Android social apps were examined. Artifacts of forensic interest (e.g., contact lists, chronology of messages, and the timestamp of an added contact) were recovered. In addition, images were located, and Facebook token strings used to tie account identities and gain access to information entered into Facebook by a user were identified. Based on the findings, a two-dimensional taxonomy of the forensic artifacts of the social apps is proposed. A comparative summary of existing forensic taxonomies of different categories of Android apps, designed to facilitate timely collection and analysis of evidentiary materials from Android devices, is presented.

8.
The ASTM standards on Writing Ink Identification (ASTM 1789-04) and on Writing Ink Comparison (ASTM 1422-05) are the most up-to-date guidelines that have been published on the forensic analysis of ink. The aim of these documents is to cover most aspects of the forensic analysis of ink evidence, from the analysis of ink samples, through the comparison of the analytical profiles of these samples (with the aim of differentiating them or not), to the interpretation of the result of the examination of these samples in a forensic context. Significant evolutions in the technology available to forensic scientists, in the quality assurance requirements imposed on them, and in the understanding of frameworks for interpreting forensic evidence have occurred in recent years. This article reviews the two standards in the light of these evolutions and proposes some practical improvements in terms of the standardization of the analyses, the comparison of ink samples, and the interpretation of ink examinations. Some of these suggestions have already been included in a DHS-funded project aimed at creating a digital ink library for the United States Secret Service.

9.
Since the inception of Web 2.0, instant messaging, e-mail, and social networking have emerged as cheap and efficient means of communication over the Web. As a result, a number of communication platforms like Digsby have been developed by various research groups to facilitate access to multiple e-mail, instant messaging, and social networking sites using a single credential. Although such platforms are advantageous for end users, they present new challenges to digital forensic examiners because of their illegitimate use by anti-social elements. To identify digital artifacts from Digsby log data, an examiner is assumed to know where Digsby traces are located before starting an investigation. This paper proposes a design for a user-friendly GUI-based forensic tool, DigLA, which provides a unified platform for analyzing Digsby log data at different levels of granularity. DigLA is also equipped with password decryption methods for both the machine-specific and portable installation versions of Digsby. By considering the Windows registry and Digsby log files as dynamic sources of evidence, specifically when Digsby has been used to commit a cybercrime, this paper presents a systematic approach to analyzing Digsby log data. It also presents an approach to analyzing RAM and swap files to collect relevant traces, specifically the login credentials of Digsby and IM users. An expected insider attack from a server security perspective is also studied and discussed in this paper.

10.
The ever-increasing size of digital media presents a continuous challenge to digital investigators, who must rapidly assess computer media to find and identify evidence. To meet this challenge, methods must continuously be sought to expedite the examination process. This paper investigates using the file ownership property as an analytical tool, focusing on activity by individuals associated with the computer. The research centered on the New Technology File System (NTFS), which is the default file system in the Microsoft Windows operating system (OS). This was done because Microsoft's worldwide market penetration makes Windows and NTFS the OS and file system most likely to be encountered in digital forensic examinations. Significantly, digital forensic software now allows examination of NTFS file attributes and properties, including the ownership property. The paper outlines potential limitations in interpreting ownership findings and suggests areas for further research. Overall, file ownership is seen as a potentially viable new digital forensic tool.

11.
This work introduces novel methods for conducting forensic analysis of file allocation traces, collectively called digital stratigraphy. These in-depth forensic analysis methods can provide insight into the origin, composition, distribution, and time frame of strata within storage media. Using case examples and empirical studies, this paper illuminates the successes, challenges, and limitations of digital stratigraphy. This study also shows how understanding file allocation methods can provide insight into concealment activities and how real-world computer usage can complicate digital stratigraphy. Furthermore, this work explains how forensic analysts have misinterpreted traces of normal file system behavior as indications of concealment activities. This work raises awareness of the value of taking the overall context into account when analyzing file system traces. It calls for further research in this area and for forensic tools to provide the information necessary for such contextual analysis, such as highlighting mass deletion, mass copying, and potential backdating.

12.
Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques in order to detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we comprehensively analyzed the traces left in 13 Windows artifacts by the operation of 10 file-wiping tools on the Windows operating system. For our experiments, we installed each file-wiping tool on a separate virtual machine and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces in the artifacts other than JumpList, Open&SavePidlMRU, and lnk; there were also some cases where traces remained in those three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, which can assist in decision-making for evidence collection and forensic triage.

13.
The fallibility of forensic science consultation is an ongoing and major justice concern. Prospective peer-reviewed forensic consultation has over 10 years of application in American criminal and civil courts, adapting from the traditional oversight of teaching hospitals, rules of evidence and discovery, conventions of testimony of expert witnesses, and attorneys' overall trial strategy. In systematizing heightened oversight, this process ensures greater accountability in forensic science consultation. The integration of peer reviewers' complementary expertise and experience enhances the sophistication and overall quality of assessment. Forensic examination frequently involves the interface of different specialties. Multidisciplinary peer review augments expert proficiency with that of professional peers having different vantage points from relevant scientific disciplines. This approach ensures greater sophistication of a case inquiry, built-in accountability, and streamlined processes when multiple experts are necessitated. Here, the authors present examples of several cases and the primary and secondary benefits of this collaborative, rigorous, cross-disciplinary exercise.

14.
Digital Investigation, 2014, 11(2): 102-110
Anti-forensics has developed to hinder digital forensic investigations; accordingly, forensic investigation of anti-forensic behaviors has been studied in various areas. In the area of user activity analysis, "IconCache.db" files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations, such as traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst, so that an analyst can more easily analyze the IconCache.db file.

15.
The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system, provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated "Timeline" feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature, demonstrating the ability to recover activity-based content from within its stored database log files. Examination results and the underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query is provided to support the interpretation of data stored within the ActivitiesCache.db.

16.
Researchers envisioned Storage as a Service (StaaS) as an effective solution to the distributed management of digital data. Cooperative storage cloud forensics is relatively new and is an under-explored area of research. Using Symform as a case study, we seek to determine the data remnants from the use of cooperative cloud storage services. In particular, we consider both mobile devices and personal computers running various popular operating systems, namely Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4. Potential artifacts recovered during the research include data relating to the installation and uninstallation of the cloud applications, log-in to and log-out from the Symform account using the client application, and file synchronization, as well as their timestamp information. This research contributes to an in-depth understanding of the types of terrestrial artifacts that are likely to remain on client devices after the use of a cooperative storage cloud.

17.
"Sharing economy" is an umbrella term that encompasses a wide range of digital platform-based activities, including P2P lending and other forms of internet-based lending. The core aim of the sharing economy is to leverage the utilization of idle capacity. P2P lending can not only be used to leverage small amounts of money on the lender's side, but also to promote financial democracy and inclusion on both the lender's and the borrower's sides. P2P lending regulation, therefore, should place an emphasis on the utilization of dead money and the promotion of financial democracy. This article scrutinizes the regulation of P2P lending in China. The existing regulatory system for P2P lending in China is built upon rules and regulations that have been designed solely with traditional brokers in mind. The article contends that the rigid rules placed on lending platforms limited their ability to maintain their roles as brokers and, in turn, heavily endangered the commercial sustainability of P2P platforms, thereby harming the sharing economy's openness and inclusivity. Additionally, the article argues that the absence of any limit on the amount a lender can invest poses a threat to the notions of leveraging idle money and financial inclusivity. The closed-ended P2P lending regime in China would have a chilling effect on financial innovation in the P2P lending industry and, in a wider sense, the rising FinTech sector. Regulators in China need to cope with these challenges in a flexible but pragmatic manner, and in particular make use of the benefits the sharing economy may bring to the Chinese economy more broadly.

18.
This article analyses potential end-user copyright violations associated with peer-to-peer (P2P) file sharing and the anti-piracy efforts currently underway to tackle them. It discusses international developments in terms of trends, issues and solutions aimed at addressing peer-to-peer file sharing of copyrighted material. First, the article introduces P2P file sharing, its increasing significance in the growing digital media economy, and the legal issues surrounding this topic. Next, the article provides a comparative analysis of global efforts and trends in preventing digital piracy by analyzing relevant legislation, case law and practices in multiple jurisdictions, including the United States, United Kingdom, France, Sweden, and Japan. In addition, the article reviews Hong Kong's current case law and proposed legal reforms, including an analysis of their deficiencies with respect to addressing P2P copyright infringement. The article concludes with an analysis of existing trends in preventive measures against copyright infringement through P2P file sharing and suggests directions for future legal and non-legal measures that Hong Kong, as well as the international community, can take in combating digital piracy and copyright infringement through peer-to-peer file sharing.

19.
When theft of a physical item occurs it is detectable by the fact that the object is missing; however, when the theft of a digital item occurs it can go unnoticed, as exact replicas can be created. The original file is left intact, but valuable information has been taken. One of the challenges facing digital forensic examiners is detecting when files have been copied off a computer system in some fashion. While certain methods do leave residual evidence behind, CD burning has long been held to be a copying method that cannot be identified. Through testing of the burning process and close examination of New Technology File System (NTFS) artifacts from the master file table in the various versions of Microsoft Windows, markers have been found that are associated with copying or "burning" files to CD or DVD. Potential evidence that was once overlooked may now be detectable.

20.
In this paper, we review literature on antiforensics published between 2010 and 2016 and reveal the surprising lack of up-to-date research on this topic. This research aims to contribute to this knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach which allows for the removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and that a Trojan Horse infection may be a legitimate possibility, even if there is no evidence of an infection on a seized computer's hard drive. Up-to-date information regarding how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.
