Similar literature
Found 20 similar documents; search took 15 ms
1.
《Science & justice》2022,62(1):86-93
The prominence of technology usage in society has inevitably led to increasing numbers of digital devices being seized, where digital evidence often features in criminal investigations. Such demand has led to well documented backlogs placing pressure on digital forensic labs, where in an effort to combat this issue, the ‘at-scene triage’ of devices has been touted as a solution. Yet such triage approaches are not straightforward to implement with multiple technical and procedural issues existing, including determining when it is actually appropriate to triage the contents of a device at-scene. This work remains focused on this point due to the complexities associated with it, and to support first responders a nine-stage triage decision model is offered which is designed to promote consistent and transparent practice when determining if a device should be triaged.

2.
《Science & justice》2023,63(4):537-541
Environmental context reinstatement has a particular value for recall of information in forensic interviews. Since odors are valuable memory cues and can act as memory triggers, in our preliminary study we explored whether odor exposure can help people recall details of a crime scene. The study comprised 58 women and 15 men aged 22–35 who were immersed in a carefully controlled environment closely resembling an actual crime setting, i.e., a virtual reality crime. Participants were exposed to an odor at encoding, recall, both or neither of these instances, yielding a total of 4 experimental groups that further completed a memory recall task. The crime scene content recall was tested in a free recall and a forced-response test immediately after seeing the crime scene and one month later. We found no significant effects of odor exposure on the free or the cued recall of the crime scene. The memory scores correlated neither with the self-assessed olfactory/visual sensitivity of the subjects, nor with the perceived odor pleasantness. These preliminary findings suggest that introduction of a vanilla odor while encoding and recalling a crime scene does not aid witness recall accuracy.

3.
Following the enactment of the Police and Crime Act 2017, subsequent amendments to the Police and Criminal Evidence Act 1984 have seen a ‘cap’ placed on the length of time a suspect can be released on bail; a process commonly referred to as ‘police bail’ or ‘pre-charge bail’. Whilst designed to instil consistency and certainty into bail processes to prevent individuals being subject to lengthy periods of regulation and uncertainty, it places additional pressures on forensic services. With a focus on digital forensics, examination of digital media is a complex and time-consuming process, with existing backlogs well documented. The need for timely completion of investigations to adhere to pre-charge bail rules places additional stress on an already stretched service. This comment submission provides an initial analysis of new pre-charge bail regulations, assessing their impact on digital forensic services.

4.
There is an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

5.
Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.

6.
《Science & justice》2021,61(6):761-770
Many criminal investigations maintain an element of digital evidence, where it is the role of the first responder in many cases to both identify its presence at any crime scene, and assess its worth. Whilst in some instances the existence and role of a digital device at-scene may be obvious, in others, the first responder will be required to evaluate whether any ‘digital opportunities’ exist which could support their inquiry, and if so, where these are. This work discusses the potential presence of digital evidence at crime scenes, approaches to identifying it and the contexts in which it may exist, focusing on the investigative opportunities that devices may offer. The concept of digital devices acting as ‘digital witnesses’ is proposed, followed by an examination of potential ‘digital crime scene’ scenarios and strategies for processing them.

7.
This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics is emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.

8.
The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS. In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying real servers storing evidences in a distributed environment and transaction reconstruction method, using log analysis and recovering deleted data from the MongoDB data file structure.

9.
How is it that digital investigators are always busy and still never have enough time to actually dig deep into digital evidence? In this paper we will explore the current implementation of the digital forensic process and analyze factors that impact the efficiency of this process. Next we explain how in the Netherlands a Digital Forensics as a Service implementation reduced case backlogs and freed up digital investigators to help detectives better understand the digital material.

10.
The big data era has a high impact on forensic data analysis. Work is done in speeding up the processing of large amounts of data and enriching this processing with new techniques. Doing forensics calls for specific design considerations, since the processed data is incredibly sensitive. In this paper we explore the impact of forensic drivers and major design principles like security, privacy and transparency on the design and implementation of a centralized digital forensics service.

11.
The effectiveness of the fluorogenic reagent NBD chloride has been compared with the popular colour reagent ninhydrin for the development of fingerprints on paper. NBD chloride was found to be more sensitive than ninhydrin for moderately old fingerprints (3–9 months) and never inferior to ninhydrin in all other cases. A qualitative evaluation technique was used to establish the relative efficiency of each method. This is based on the number of points of identification, assessed on a 1–4 scale, where 4 represents a courtworthy print (> 12 points) and 1 represents a print containing no identification points.

12.
《Digital Investigation》2014,11(4):295-313
Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem forensics. In this paper, we aim to address this gap in knowledge. Using our previously published cloud forensic framework as the underlying basis, we conduct an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics. We discuss the technical and process issues regarding collection of evidential data from distributed filesystems, particularly when used in cloud computing environments. A number of digital forensic artefacts are also discussed. We then propose a process for the collection of evidential data from distributed filesystems.

13.
《Digital Investigation》2014,11(4):273-294
A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.

14.
We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.

15.
16S rRNA profiling of bacterial communities may have forensic utility in the identification or association of individuals involved with criminal activities. Microbial profiling of evidence may, in the future, be performed within environments currently utilised for human DNA recovery, such as a forensic biology laboratory. It would be important to establish the background microbiome of such an environment to determine the potential presence of human or environmental microbial signatures to assist forensic scientists in the appropriate interpretation of target microbial communities. This study sampled various surfaces of an Evidence Recovery Laboratory (ERL) on three occasions including (a) before a monthly deep-clean, (b) immediately following the deep-clean, and (c) immediately after the laboratory’s use by a single participant for the purposes of routine item examinations. Microbial profiles were also generated for the involved participant and researcher for comparison purposes. Additionally, human nuclear DNA was profiled for each of the samples collected, using standard forensic profiling techniques, to provide a prospective link to the presence or absence of a background microbial signature within the ERL after its use. Taxonomic distributions across ERL samples revealed no consistent signature of any of the items sampled over time, however, major phyla noted within all ERL samples across the three timepoints were consistent with those found in human skin microbiomes. PCoA plots based on the Unweighted Unifrac metric revealed some clustering between participant microbial reference samples and surfaces of the ERL after use, suggesting that despite a lack of direct contact, and adherence to standard operating procedures (SOPs) suitable for human DNA recovery, microbiomes may be deposited into a forensic setting over time. The reference samples collected from the involved participant and researcher generated full STR profiles. 
Human DNA was observed to varying degrees in samples taken from the ERL across each of the sampling timepoints. There was no correlation observed between samples that contained or did not contain detectable quantities of human nuclear DNA and microbial profile outputs.

16.
《Science & justice》2022,62(2):246-261
Post-mortem interval (PMI) information sources may be subject to varying degrees of reliability that could impact the level of confidence associated with PMI estimations in forensic taphonomy research and in the practice of medico-legal death investigation. This study aimed to assess the reliability of PMI information sources in a retrospective comparative analysis of 1813 cases of decomposition from the Allegheny County Office of the Medical Examiner in Pittsburgh, US (n = 1714), and the Crime Scene Investigation department at Southwest Forensics in the UK (n = 99). PMI information sources were subjected to a two-stage evaluation using an adapted version of the 3x5 aspects of the UK police National Intelligence Model (NIM) to determine the confidence level associated with each source. Normal distribution plots were created to show the distribution frequency of the dependent variables (decomposition stage and source evaluation) by the independent variable of PMI. The manner, location, and season of death were recorded to ascertain if these variables influenced the reliability of the PMI. A confidence matrix was then created to assess the overall reliability and provenance of each PMI information source. Reliable PMI sources (including forensic specialists, missing persons reports, and digital evidence) were used across extensive PMI ranges (1 to 2920 days in the US, and 1 to 240 days in the UK) but conferred a low incidence of use with forensic specialists providing a PMI estimation in only 35% of all homicide cases. Medium confidence PMI sources (e.g., last known social contact) accounted for the majority of UK (54%, n = 54) and US (82%, n = 1413) cases and were associated with shorter PMIs and natural causes of death. Low confidence PMI sources represented the lowest frequencies of UK and US cases and exclusively comprised PMI information from scene evidence. 
In 96% of all cases, only one PMI source was reported, meaning PMI source corroboration was overall very low (4%). This research has important application for studies using police reports of PMI information to validate PMI estimation models, and in the practice of medico-legal death investigation where it is recommended that i) the identified reliable PMI sources are sought ii) untested or unreliable PMI sources are substantiated with corroborating PMI information, iii) all PMI sources are reported with an associated degree of confidence that encapsulates the uncertainty of the originating source.

17.
International regulations about the safety of ships at sea require every modern vessel to be equipped with a Voyage Data Recorder to assist investigations in the event of an accident. As such, these devices are the primary means for acquiring reliable data about an accident involving a ship, and so they must be the first targets in an investigation. Although regulations describe the sources and amount of data to be recorded, they say nothing about the format of the recording. Because of this, nowadays investigators are forced to rely solely on the help of the builder of the system, which provides proprietary software to “replay” the voyage recordings. This paper delves into the examination of data found in the VDR from the actual Costa Concordia accident in 2012, and describes the recovery of information useful for the investigation, both by deduction and by reverse engineering of the data, some of which were not even shown by the official replay software.

18.
The aim of this study was to evaluate the accuracy and reliability of the rapid analyte measurement platform (RAMP) for presumptive identification of Bacillus anthracis spores. Test samples consisted of serial dilutions of spore preparations of several Bacillus species, including B. anthracis, which were tested, using the RAMP Anthrax test cartridge, according to the manufacturer's instructions. The fluorescence labelled antibody-antigen complexes were detected in the portable reader after 15 min following sample addition. Dilutions of common environmental and household powders were also tested to identify possible false positive results. B. anthracis spores were identified reliably in test samples containing more than 6000 spores. The test kits were highly specific, showing no cross reactivity with other Bacillus species or any environmental powders tested. The RAMP system for detection of B. anthracis spores, from environmental samples, showed consistent results under a variety of analytical conditions, enabling the trained user to provide a rapid, accurate preliminary risk assessment of a suspected bioterrorism incident.

19.
《Science & justice》2022,62(2):129-136
Empirical studies evaluating the conditions under which the transfer of forensic materials occurs can provide contextual information and offer insight into how that material may have been transferred in a given scenario. Here, a reductionist approach was taken to assess the impact of force, time, and rotation on the transfer of an explosive compound. An Instron ElectroPuls E3000 material testing instrument was used to bring porous and non-porous surfaces adulterated with an ammonium nitrate into direct contact with a human skin analogue, controlling for the force of contact, duration of contact, and rotation applied during contact. Quantifiable amounts of ammonium nitrate were recovered from all of the recipient surfaces demonstrating that ammonium nitrate is readily transferred from one surface to another, even when contact occurs for a short duration with a relatively low force. More particulates were transferred from non-porous surfaces onto the human skin analogue, but the amount of ammonium nitrate transferred did not depend upon the force of contact, duration of contact, or the amount of rotation applied. However, when contact occurred and involved rotation, a greater transfer of ammonium nitrate was observed, compared to those contacts occurring without rotation being applied. This approach complements more commonly-used holistic experiments that test multiple interacting variables in a realistic setting by isolating these variables, allowing them to be examined individually. This can be utilised to better understand the individual impact that specific variables have on the transfer of trace evidence in relevant crime reconstruction contexts.

20.
Any investigation can have a digital dimension, often involving information from multiple data sources, organizations and jurisdictions. Existing approaches to representing and exchanging cyber-investigation information are inadequate, particularly when combining data sources from numerous organizations or dealing with large amounts of data from various tools. To conduct investigations effectively, there is a pressing need to harmonize how this information is represented and exchanged. This paper addresses this need for information exchange and tool interoperability with an open community-developed specification language called Cyber-investigation Analysis Standard Expression (CASE). To further promote a common structure, CASE aligns with and extends the Unified Cyber Ontology (UCO) construct, which provides a format for representing information in all cyber domains. This ontology abstracts objects and concepts that are not CASE-specific, so that they can be used across other cyber disciplines that may extend UCO. This work is a rational evolution of the Digital Forensic Analysis eXpression (DFAX) for representing digital forensic information and provenance. CASE is more flexible than DFAX and can be utilized in any context, including criminal, corporate and intelligence. CASE also builds on the Hansken data model developed and implemented by the Netherlands Forensic Institute (NFI). CASE enables the fusion of information from different organizations, data sources, and forensic tools to foster more comprehensive and cohesive analysis. This paper includes illustrative examples of how CASE can be implemented and used to capture information in a structured form to advance sharing, interoperability and analysis in cyber-investigations. In addition to capturing technical details and relationships between objects, CASE provides structure for representing and sharing details about how cyber-information was handled, transferred, processed, analyzed, and interpreted. 
CASE also supports data marking for sharing information at different levels of trust and classification, and for protecting sensitive and private information. Furthermore, CASE supports the sharing of knowledge related to cyber-investigations, including distinctive patterns of activity/behavior that are common across cases. This paper features a proof-of-concept Application Program Interface (API) to facilitate implementation of CASE in tools. Community members are encouraged to participate in the development and implementation of CASE and UCO.
