Triaging digital device content at-scene:- Formalising the decision-making process

The prominence of technology usage in society has inevitably led to increasing numbers of digital devices being seized, where digital evidence often features in criminal investigations. Such demand has led to well documented backlogs placing pressure on digital forensic labs, where in an effort to combat this issue, the ‘at-scene triage’ of devices has been touted as a solution. Yet such triage approaches are not straightforward to implement with multiple technical and procedural issues existing, including determining when it is actually appropriate to triage the contents of a device at-scene. This work remains focused on this point due to the complexities associated with it, and to support first responders a nine-stage triage decision model is offered which is designed to promote consistent and transparent practice when determining if a device should be triaged.     

Forensic investigation of cross platform massively multiplayer online games: Minecraft as a case study

Minecraft, a Massively Multiplayer Online Game (MMOG), has reportedly millions of players from different age groups worldwide. With Minecraft being so popular, particularly with younger audiences, it is no surprise that the interactive nature of Minecraft has facilitated the commission of criminal activities such as denial of service attacks against gamers, cyberbullying, swatting, sexual communication, and online child grooming. In this research, there is a simulated scenario of a typical Minecraft setting, using a Linux Ubuntu 16.04.3 machine (acting as the MMOG server) and Windows client devices running Minecraft. Server and client devices are then examined to reveal the type and extent of evidential artefacts that can be extracted.     

A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence

This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.     

Automated event and social network extraction from digital evidence sources with ontological mapping

The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscaleable and alternate methods to reduce the time trained analysts spend on each job are necessary.This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work.A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator.Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.     

Policing and Crime Act 2017: Changes to pre-charge bail and the impact on digital forensic analysis

Following the enactment of the Police and Crime Act 2017, subsequent amendments to the Police and Criminal Evidence Act 1984 have seen a ‘cap’ placed on the length of time a suspect can be released on bail; a process commonly referred to as ‘police bail’ or ‘pre-charge bail’. Whilst designed to instil consistency and certainty into bail processes to prevent individuals being subject to lengthy periods of regulation and uncertainty, it places additional pressures on forensic services. With a focus on digital forensics, examination of digital media is a complex and time-consuming process, with existing backlogs well documented. The need for timely completion of investigations to adhere to pre-charge bail rules places additional stress on an already stretched service. This comment submission provides an initial analysis of new pre-charge bail regulations, assessing their impact on digital forensic services.     

Addressing the National Academy of Sciences' challenge: a method for statistical pattern comparison of striated tool marks

In February 2009, the National Academy of Sciences published a report entitled "Strengthening Forensic Science in the United States: A Path Forward." The report notes research studies must be performed to "…understand the reliability and repeatability…" of comparison methods commonly used in forensic science. Numerical classification methods have the ability to assign objective quantitative measures to these words. In this study, reproducible sets of ideal striation patterns were made with nine slotted screwdrivers, encoded into high-dimensional feature vectors, and subjected to multiple statistical pattern recognition methods. The specific methods employed were chosen because of their long peer-reviewed track records, widespread successful use for both industry and academic applications, rely on few assumptions on the data's underlying distribution, can be accompanied by standard confidence levels, and are falsifiable. For PLS-DA, correct classification rates of 97% or higher were achieved by retaining only eight dimensions (8D) of data. PCA-SVM required even fewer dimensions, 4D, for the same level of performance. Finally, for the first time in forensic science, it is shown how to use conformal prediction theory to compute identifications of striation patterns at a given level of confidence.     

Impacts of increasing volume of digital forensic data: A survey and future research challenges

A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.     

Two-dimensional linear analysis of dynamic bare footprints: A comparison of measurement techniques

In forensic intelligence-gathering, footprints have been shown to be valued evidence found at crime scenes. Forensic podiatrists and footprint examiners use a variety of techniques for measuring footprints for comparison of the crime scene evidence with the exemplar footprints. This study examines three different techniques of obtaining two-dimensional linear measurement data of dynamic bare footprints. Dynamic bare footprints were gathered from 50 students from a podiatric medical school using the Identicator® Inkless Shoe Print Model LE 25P system. After obtaining 100 bilateral footprints from the participants, the quantitative measurement data were collected by using three different measurement techniques: (i) a manual technique using a ruler (direct technique); (ii) an Adobe® Photoshop® technique; and (iii) a GIMP (GNU Image Manipulation Program) technique. The seven Reel linear measurement methodology was used for producing measurements using these three techniques.This study showed that all the mean bare footprint measurements on the right and left feet obtained using the direct technique were larger than those obtained using GIMP and Adobe® Photoshop® images. Differences were also observed in measurements produced using GIMP software and Photoshop images. However, the differences observed in the three techniques used for bare footprint measurements were not found to be statistically significant. The study concludes that there are no significant differences between the three measurement techniques when applied to two-dimensional bare footprints using the Reel method. It further concluded that any of these measurement techniques can be used when employing the Reel methodology for footprint analysis without significant difference.     

Journey history reconstruction from the soils and sediments on footwear: An empirical approach

The value of environmental evidence for reconstructing journey histories has significant potential given the high transferability of sediments and the interaction of footwear with the ground. The importance of empirical evidence bases to underpin the collection, analysis, interpretation and presentation of forensic trace materials is increasingly acknowledged. This paper presents two experimental studies designed to address the transfer and persistence of sediments on the soles of footwear in forensically relevant scenarios, by means of quartz grain surface texture analysis, a technique which has been demonstrated to be able to distinguish between samples of mixed provenance.It was identified that there is a consistent trend of transfer and persistence of sediments from hypothetical pre-, syn- and post-crime event locations across the sole of the shoe, with sediments from ‘older’ locations likely to be retained in small proportions. Furthermore, the arch of the shoe (the area of lowest foot pressure distribution) typically (but not exclusively) retained the highest proportion of grain types from previous locations including the crime scene. A lack of chronological layering of the retained sediments was observed indicating that techniques that can identify the components of mixed provenance samples are important for analysing footwear sediment samples. It was also identified that the type of footwear appeared to have an influence on what particles were retained, with high relief soles that incorporate recessed areas being more likely to retain sediments transferred from ‘older’ locations from the journey history. In addition, the inners of footwear were found to retain sediments from multiple locations from the journey history that are less susceptible to differential loss in comparison to the outer sole. These findings provide important data that can form the basis for the effective collection, analysis and interpretation of sediments recovered from both the outer soles and inners of footwear, building on the findings of previously published studies. These data offer insights that enable inferences to be made about mixed source sediments that are identified on footwear in casework, and provide the beginnings of an empirical basis for assessing the significance of such sediment particles for a specific forensic reconstruction.     

Scheduling of new psychoactive substance the Swiss way: A review and critical analysis

Since the introduction of the European Early Warning System in 2005, >700 new psychoactive substances (NPS) have been listed. This review article presents for the first time the Swiss narcotic law in perspective of scheduling of NPS, and compares it to the regulations of the German speaking neighbours Austria and Germany.The Swiss way is a fast and effective way for scheduling NPS, with the purpose to restrict drug trafficking and for controlling the NPS drug market: the legal basis for scheduling substances of abuse is the “Law about narcotics and psychotropic substances” (BetmG, SR 812.121), which includes the “narcotic law directory (BetmVV-EDI, SR 812.121.11) suitable for listing all controlled substances. The BetmVV-EDI, SR 812.121.11 contains seven indices, with index e specifically designed for the fast scheduling of NPS. Newly appearing NPS can either be controlled under a structure analogues definition or by listing single substances. The list of single substances is updated at least once per year, and structure analogues definitions can be implemented, in order to keep track with new developments on the NPS market. The latest version from November 30th 2018 contains ten different structure analogue definitions and 207 single substances. Requirements to list NPS are their appearance on the NPS market, suspected psychotropic effects and their suggestions by Forensic professionals. As soon as substances are newly placed, on Schedule I of the 1961 Convention or Schedule II of the 1971 Convention by the Commission on Narcotic Drugs of the World Health Organization they can easily be transferred from index e to index a-d of the BetmVV-EDI, SR 812.121.11. The Austrian law uses a structure analogue and single substances approach (introduced in 2012, one update in 2016), whereas the German NPS law (established in 2016, no update yet) only lists two structure-analogue-definitions. All three legislations have defined which core structures, kinds and sites of substitutions are regulated.     

In silico toxicity as a tool for harm reduction: A study of new psychoactive amphetamines and cathinones in the context of criminal science

The emergence of new psychoactive substances (NPS) has raised many issues in the context of law enforcement and public drug policies. In this scenario, interdisciplinary studies are crucial to the decision-making process in the field of criminal science. Unfortunately, information about how NPS affect people's health is lacking even though knowledge about the toxic potential of these substances is essential: the more information about these drugs, the greater the possibility of avoiding damage within the scope of a harm reduction policy. Traditional analytical methods may be inaccessible in the field of forensic science because they are relatively expensive and time-consuming. In this sense, less costly and faster in silico methodologies can be useful strategies. In this work, we submitted computer-calculated toxicity values of various amphetamines and cathinones to an unsupervised multivariate analysis, namely Principal Component Analysis (PCA), and to the supervised techniques Soft Independent Modeling of Class Analogy and Partial Least Square-Discriminant Analysis (SIMCA and PLS-DA) to evaluate how these two NPS groups behave. We studied how theoretical and experimental values are correlated by PLS regression. Although experimental data was available for a small amount of molecules, correlation values reproduced literature values. The in silico method efficiently provided information about the drugs. On the basis of our findings, the technical information presented here can be used in decision-making regarding harm reduction policies and help to fulfill the objectives of criminal science.