Similar literature
 20 similar documents found; search time: 15 ms
1.
In this paper we present an approach to digital forensics specification based on forensic policy definition. Our methodology borrows from computer security policy specification, which has accumulated a significant body of research over the past 30 years. We first define the process of specifying forensics properties through a forensics policy and then present an example application of the process. This approach lends itself to formal policy specification and verification, which would allow for more clarity and less ambiguity in the specification process.

2.
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem_cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable.

3.
Abstract: Fingerprinting has long been used as a method for identifying bodies and, since first discovered, many advances have been made in both fingerprint acquisition and interpretation. However, in the field of forensic pathology, the attainment of fingerprints from mummified bodies has remained difficult. The most common technique historically used to obtain fingerprints in these cases usually employs the amputation of the fingers combined with soaking and/or injecting the fingers with various solutions in order to enhance the fingerprints. A novel approach to fingerprinting mummified fingers is presented which involves removal and rehydration of the fingerpads (including the epidermal, dermal, and adipose tissues) followed by inking and rolling, using a gloved finger for support. The technique presented produces a superior quality of print without amputation of the finger, yielding excellent results and assisting in obtaining positive identification.

4.
5.
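As a new type of forensic genetic marker, microhaplotypes have attracted increasing attention in the international forensic community. A microhaplotype is a sequence within a short fragment (for example, 200 bp) that contains two or more SNPs and exhibits haplotype polymorphism. Compared with STRs, microhaplotypes have a low mutation rate and offer certain advantages in the identification of mixed stains; compared with SNPs, microhaplotypes are more polymorphic. Selecting microhaplotypes that carry ancestry-informative features is of value in population analysis and identification. This article reviews microhaplotypes with respect to their evolution, typing methods, nomenclature, and population characteristics.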

6.
Computer forensic tools for Apple Mac hardware have traditionally focused on low-level file system details. Mac OS X and common applications on the Mac platform provide an abundance of information about the user's activities in configuration files, caches, and logs. We are developing MEGA, an extensible tool suite for the analysis of files on Mac OS X disk images. MEGA provides simple access to Spotlight metadata maintained by the operating system, yielding efficient file content search and exposing metadata such as digital camera make and model. It can also help investigators to assess FileVault encrypted home directories. MEGA support tools are under development to interpret files written by common Mac OS applications such as Safari, Mail, and iTunes.

8.
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in-memory-only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version, a very restricted set of closely related versions, or require substantial manual intervention. This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of process memory and file mappings, and other areas of forensics interest.

9.
A dental chart is very useful as a standard source of evidence in the personal identification of bodies. However, the kind of dental chart available will often vary as a number of types of odontogram have been developed where the visual representation of dental conditions has relied on hand-drawn representation. We propose the Digital Dental Chart (DDC) as a new style of dental chart, especially for open investigations aimed at establishing the identity of unknown bodies. Each DDC is constructed using actual oral digital images and dental data, and is easy to upload onto an Internet website. The DDC is a more useful forensic resource than the standard types of dental chart in current use as it has several advantages, among which are its ability to carry a large volume of information and reproduce dental conditions clearly and in detail on a cost-effective basis.

10.
A new approach to visualising heat-induced change in bone was attempted. This was an attempt to counter the serious limitations of existing analytical methods yet still allow for the examination of subtle changes that occur due to burning. A new form of Magnetic Resonance Imaging was deemed to fulfil this remit. Preliminary tests were performed and proved successful in creating clear, well-defined images of progressive heat-induced structural changes in bone. The implications for improving our understanding of heat-induced change, and therefore our methods of human identification, are significant.

11.
We examined blame attribution as a moderator of perceptions of hate crimes against gay, African American, and transgender victims. Participants were 510 Texas jury panel members. Results of vignette-based crime scenarios showed that victim blame displayed significant negative, and perpetrator blame significant positive, effects on sentencing recommendations. Also as hypothesized, victim and perpetrator blame moderated the effect of support for hate crime legislation. Interaction patterns suggested that both types of blame attribution influence sentencing recommendations, but only for participants disagreeing with hate crime legislation. Three-way interactions with victim type also emerged, indicating that the effects of both types of blame attribution show particular influences when the victim is gay, as opposed to transgender or African American. Implications for attribution theory, hate crime policy, and jury selection are discussed.

12.
In recent years the forensic scientist has been afforded great advances in technology both in the detection of latent bloodstains and in acquiring reliable DNA typing results from very small pieces of physical evidence. Scientists are now able to detect minute quantities of latent bloodstains by utilizing the luminol reagent, oftentimes indicating that an attempt has been made to conceal any evidence of bloodshed. With the introduction of PCR based technology to the forensic arena, scientists are now routinely able to obtain DNA typing results from previously insufficient amounts of biological material, items as small as a single hair, saliva on a cigarette butt, or a bloodstain the size of a pin head. We present here a merging of these two advances coupled with a new collection medium for post luminol treated latent bloodstains. The forensic scientist is now able to routinely isolate and recover an adequate amount of DNA suitable for PCR typing at all of the Promega GenePrint PowerPlex 1.1 loci. In this study, several dilutions of latent bloodstains were prepared in an effort to simulate transferred bloodstains that are routinely encountered in a crime scene setting. The latent bloodstains were treated with luminol and subsequently collected using conventional cotton tipped swabs as well as a Puritan sponge tipped swab. PCR typing at the Promega GenePrint PowerPlex 1.1 loci was then attempted upon all dilutions of the latent bloodstains for both collection mediums. The results clearly indicate that it is now routinely possible to recover adequate amounts of DNA suitable for PCR typing upon post luminol treated bloodstains.

13.
The current article addresses the psychometric qualities of the German Version of Gudjonsson's Blame Attribution Inventory (GBAI), a self-report scale for measuring attribution of blame for crime. The GBAI was administered to a criminal sample of forensic and criminal inmates (n=107). Findings indicate that the German version of the Gudjonsson Blame Attribution Inventory possesses acceptable test-retest stability and good internal consistency. Factor analysis reproduced the three basic dimensions of the GBAI: external attribution, mental-element attribution, and guilt-feeling attribution. Forensic patients had higher mental-element attribution and guilt-feeling attribution scores than the prison inmates. Interestingly, sexual offenders who were prisoners showed the lowest guilt-feeling attribution, while sexual offenders who were forensic patients had the highest guilt-feeling attribution scores. Since earlier research reported a tendency of faking good in sexual offenders, we suggest that the forensic sexual offenders may demonstrate a socially desirable response tendency in an attempt to gain sympathy and/or earlier parole. All in all, our data show that the German version of the GBAI is a valuable tool for measuring attributional styles of offenders.

14.
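Li Tao, Sheng Jing. 《刑事技术》 (Forensic Science and Technology), 2004, (5): 36-37
Objective: To propose a new method for the fast matching of large-volume fingerprint data. Methods: Multiprocessor parallel matching technology was adopted, with dedicated software coordinating multiple processors to work in parallel. Results: Fingerprint matching became fast and accurate, with an optimal price-performance ratio. Conclusion: The method resolves the problem that dedicated hardware products are expensive, poorly compatible, and difficult to upgrade, while speed gains obtained solely by optimizing the matching software algorithm eventually reach a limit.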

15.
《Digital Investigation》2014,11(4):349-362
This paper presents a unified social graph based text mining framework to identify digital evidence from chat log data. It considers both users' conversation and interaction data in group-chats to discover overlapping users' interests and their social ties. The proposed framework applies the n-gram technique in association with a self-customized hyperlink-induced topic search (HITS) algorithm to identify key-terms representing users' interests, key-users, and key-sessions. We propose a social graph generation technique to model users' interactions, where ties (edges) between a pair of users (nodes) are established only if they participate in at least one common group-chat session, and weights are assigned to the ties based on the degree of overlap in users' interests and interactions. Finally, we present three possible cyber-crime investigation scenarios and a user-group identification method for each of them. We present our experimental results on a data set comprising 1100 chat logs of 11,143 chat sessions continued over a period of 29 months from January 2010 to May 2012. Experimental results suggest that the proposed framework is able to identify key-terms, key-users, key-sessions, and user-groups from chat log data, all of which are crucial for cyber-crime investigation. Though the chat logs are recovered from a single computer, it is very likely that the logs are collected from multiple computers in a real scenario. In this case, logs collected from multiple computers can be combined together to generate a more enriched social graph. However, our experiments show that the objectives can be achieved even with logs recovered from a single computer by using group-chat data to draw relationships between every pair of users.

16.
Anti-doping authorities have high expectations of the athlete steroidal passport (ASP) for anabolic-androgenic steroids misuse detection. However, it is still limited to the monitoring of known well-established compounds and might greatly benefit from the discovery of new relevant biomarker candidates. In this context, steroidomics opens the way to the untargeted simultaneous evaluation of a high number of compounds. Analytical platforms associating the performance of ultra-high pressure liquid chromatography (UHPLC) and the high mass-resolving power of quadrupole time-of-flight (QTOF) mass spectrometers are particularly adapted for such a purpose. An untargeted steroidomic approach was proposed to analyse urine samples from a clinical trial for the discovery of relevant biomarkers of testosterone undecanoate oral intake. Automatic peak detection was performed and a filter of reference steroid metabolites mass-to-charge ratio (m/z) values was applied to the raw data to ensure the selection of a subset of steroid-related features. Chemometric tools were applied for the filtering and the analysis of UHPLC-QTOF-MS(E) data. Time kinetics could be assessed with N-way projections to latent structures discriminant analysis (N-PLS-DA) and a detection window was confirmed. Orthogonal projections to latent structures discriminant analysis (O-PLS-DA) classification models were evaluated in a second step to assess the predictive power of both known metabolites and unknown compounds. A shared and unique structure plot (SUS-plot) analysis was performed to select the most promising unknown candidates and receiver operating characteristic (ROC) curves were computed to assess specificity criteria applied in routine doping control. This approach underlined the pertinence of monitoring both glucuronide and sulphate steroid conjugates and including them in the athlete's passport, while promising biomarkers were also highlighted.

17.
In recent years, Science and Technology Parks (STPs) have been considered facilitators of inter-organizational relationships, as well as instruments of public policy, by creating networks and allowing access for the learning of local innovation. In this study, we propose a quantitative tool as support for measuring the efficiency of STPs through the analysis of the complex networks they form. We present a generic framework called the Inter-Relationship Science-Park Analysis (ISA) framework to study STPs at three different levels of management: (1) individual entities (research centres, universities, innovation companies, etc.); (2) STP global management; and (3) productive sector development. Moreover, we have applied the ISA framework to a real-world case study: the Walqa Science and Technology Park. Through it we have been able to learn what relationships are established within this Science and Technology Park and which are the most important nodes in this network of interactions.

18.
DNA forensics and the poaching of wildlife in Italy: a case study   (total citations: 2; self-citations: 0; citations by others: 2)
DNA molecular techniques were used in a forensic investigation involving the poaching of wildlife in a national park of Italy. A poacher, after having snared a wild boar (Sus scrofa) sow, knifed it to death. The animal was retrieved by conservation officers at the scene before the poacher could remove the carcass. Subsequently, the suspect denied the charges. During a search of his home, a bloodstained knife was confiscated. A method to identify the species from the DNA extracted from the stains revealed the blood to be that of the non-domestic form of Sus scrofa. Further DNA typing for individual identity using species-specific single tandem repeats or microsatellites (STRs) showed that the DNA on the knife matched that of the poached boar. Based upon the forensic evidence obtained, the suspect was convicted of poaching and of cruelty to animals.

19.
20.
Several sources are quoted that substantiate the concept that for technology to be effectively used it is necessary to disseminate the technology using a variety of means. The paper then goes on to describe in detail the Forest Service approach to technology dissemination. Some data is shown that substantiates the effectiveness of the Forest Service planned approach to the transferring of research knowledge.
