Similar literature
Found 20 similar documents; search took 0 ms
1.
Memory analysis has gained popularity in recent years, proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges since many acquisition techniques require code to be run on a potentially compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, without relying on operating system facilities - making it more difficult to subvert. We then evaluate this technique's further vulnerability to subversion by considering more advanced anti-forensic attacks.

2.
《Digital Investigation》2014,11(2):102-110
Anti-forensics has developed to prevent digital forensic investigations, thus forensic investigations to prevent anti-forensic behaviors have been studied in various areas. In the area of user activity analysis, “IconCache.db” files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations such as the traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst. Therefore, an analyst can more easily analyze the IconCache.db file using the tool.

3.
杜威  彭建新  杨奕琦 《政法学刊》2011,28(6):113-116
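With the development of network technology, computer network crime is becoming increasingly serious. To combat network crime effectively and to improve the legislative basis for network electronic evidence, forensic experts must study not only network forensic techniques but also network anti-forensic techniques in depth. Studying anti-forensic techniques drives improvement in forensic techniques; only in this way can investigators broaden their approach during network forensics and obtain valid evidence more efficiently.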

4.
A video can be manipulated using synthetic zooming without using the state-of-the-art video forgeries. Synthetic zooming is performed by upscaling individual frames of a video with varying scale factors followed by cropping them to the original frame size. These manipulated frames resemble genuine natural (optical) camera zoomed frames and hence may be misclassified as a pristine video by video forgery detection algorithms. Even if such a video is classified as forged, forensic investigators may ignore the results, believing it to be part of an optical camera zooming activity. Hence, this can be used as an anti-forensic method which eliminates digital evidence. In this paper, we propose a method for differentiating optical camera zooming from synthetic zooming for video tampering detection. The features used for this method are pixel variance correlation and sensor pattern noise. Experimental results on a dataset containing 3200 videos show the effectiveness of the proposed method.

5.
A reported likelihood ratio for the value of evidence is very often a point estimate based on various types of reference data. When presented in court, such a frequentist likelihood ratio gets a higher scientific value if it is accompanied by an error bound. This becomes particularly important when the magnitude of the likelihood ratio is modest and thus is giving less support for the forwarded proposition. Here, we investigate methods for error bound estimation for the specific case of digital camera identification. The underlying probability distributions are continuous and previously proposed models for those are used, but the derived methodology is otherwise general. Both asymptotic and resampling distributions are applied in combination with different types of point estimators. The results show that resampling is preferable for assessment based on asymptotic distributions. Further, assessment of parametric estimators is superior to evaluation of kernel estimators when background data are limited.

6.
Objective To study the objectivity and reliability of needle electromyography and nerve conduction for detection of musculus extensor digitorum brevis strength, which may provide a basis for establishing a quantitative detection of muscle strength in forensic clinical study. Methods Forty-four healthy people were enrolled as the subjects, and during toe dorsiflexion, the following items including needle electromyography indexes, motor unit potential (MUP) amplitude, MUP count, recruitment reaction type, and nerve conduction detection indexes, compound muscle action potential (CMAP) amplitude, CMAP latent period and motor nerve conduction velocity (MNCV), were simultaneously detected under the cooperation and disguise condition. Results Under the cooperation condition, regardless of the same operator or different operators, there were good test-retest reliabilities in MUP amplitude, CMAP amplitude, CMAP latent period and MNCV, while there were normal test-retest reliabilities in MUP count and recruitment reaction type and the repeatability of the same operator was slightly better than the repeatability between different operators. Under the disguise condition, test-retest reliabilities of MUP amplitude, CMAP amplitude, CMAP latent period and MNCV were relatively high, while test-retest reliabilities of MUP count and recruitment reaction type were relatively low. Conclusion There are good test-retest reliabilities in MUP amplitude, CMAP amplitude, CMAP latent period and MNCV, which can be conducive to comparison between different operators and results at various times; MUP count and recruitment reaction type, which can be easily affected by subjectivity of operators and examinees, can be used to differentiate whether an examinee disguises or not. The indexes used to objectively judge muscle strength remain to be further investigated.

7.
Over the last decades, the importance of technical and scientific evidence for the criminal justice system has been steadily increasing. Unfortunately, the weight of forensic evidence is not always easy for the trier of fact to assess, as appears from a brief discussion of some recent cases in which the weight of expert evidence was either grossly over- or understated. Also, in recent years, questions surrounding the value of forensic evidence have played a major role in the appeal and revision stages of a number of highly publicized criminal cases in several countries, including the UK and the Netherlands. Some of the present confusion is caused by the different ways in which conclusions are formulated by experts working within the traditional approach to forensic identification, as exemplified by (1) dactyloscopy and (2) the other traditional forensic identification disciplines like handwriting analysis, firearms analysis and fibre analysis, as opposed to those working within the modern scientific approach used in forensic DNA analysis. Though most clearly expressed in the way conclusions are formulated within the diverse fields, these differences essentially reflect the scientific paradigms underlying the various identification disciplines. The types of conclusions typically formulated by practitioners of the traditional identification disciplines are seen to be directly related to the two major principles underpinning traditional identification science, i.e. the uniqueness assumption and the individualization principle. The latter of these is shown to be particularly problematic, especially when carried to its extreme, as embodied in the positivity doctrine, which is almost universally embraced by the dactyloscopy profession and allows categorical identification only. Apart from issues arising out of the interpretation of otherwise valid expert evidence there is growing concern over the validity and reliability of the expert evidence submitted to courts. 
While in various countries including the USA, Canada and the Netherlands criteria have been introduced which may be used as a form of input or output control on expert evidence, in England and Wales expert evidence is much less likely to be subject to forms of admissibility or reliability testing. Finally, a number of measures are proposed which may go some way to address some of the present concerns over the evaluation of technical and scientific evidence.

8.
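Trace examination in road traffic accidents is one of the important items in the technical appraisal of road traffic accidents and the basis for its other appraisal items. Beyond applying the basic theory and methods of traditional criminal-technique trace evidence (hand prints, footprints, tool marks, firearm marks and special traces), it is an appraisal discipline that requires comprehensive judgment drawing on mechanics, road engineering, road safety, vehicle engineering, forensic medicine and other disciplines. The procedure consists mainly of five steps: contract review, trace inspection, comparative analysis, reaching a judgment, and producing the written report. In the decade or so of its development, many problems in urgent need of solution have emerged; based on the common problems encountered in practical road traffic accident trace examination, this article summarizes these problems and proposes solutions.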

9.
To discriminate the acquisition pipelines of digital images, a novel scheme for the identification of natural images and computer‐generated graphics is proposed based on statistical and textural features. First, the differences between them are investigated from the view of statistics and texture, and 31 dimensions of feature are acquired for identification. Then, LIBSVM is used for the classification. Finally, the experimental results are presented. The results show that it can achieve an identification accuracy of 97.89% for computer‐generated graphics, and an identification accuracy of 97.75% for natural images. The analyses also demonstrate the proposed method has excellent performance, compared with some existing methods based only on statistical features or other features. The method has a great potential to be implemented for the identification of natural images and computer‐generated graphics.

10.
There is an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

11.
An algorithm of organization measures and expert investigations is proposed, based on experience gained in expert studies during liquidation of aircraft catastrophes. It permits effective classification, differentiation, and identification of victims and is based on traditional and high technological methods of investigation.

12.
The boom of dockless share bikes in China has brought about enormous private benefits and social benefits. However, it has also imposed upon the public a new cost which can be termed as “bike litter”: share bikes parked or abandoned in pathways, rivers and other public spaces. It has not only damaged the aesthetic value of cities but has created serious safety hazards and public nuisances. None of the conventional methods of regulating road and traffic safety hazards, such as private actions, public enforcement and self-regulation, seem to have stopped bike-litter without also stopping dockless bike services. Without having to stop such services, or overly burdening their operators, it is proposed here that certain obligations should be imposed upon the operators of dockless bike services. Unlike tort-related obligations that focus on results (e.g., the reduction or sanction of bike litter), these new obligations compel operators to establish systems for monitoring the behaviors of bike users. In short, these obligations are as follows: (1) an obligation for operators to mandatorily include provisions in their terms of service to allow the operators to monitor, sanction and reward certain parking behavior of users of the service; (2) an obligation for operators to create and maintain monitoring systems to detect bike littering and to enforce the user agreements; and (3) an obligation for operators to report on, and disclose, details regarding the operation and effectiveness of these systems. The mandatory disclosure obligation of operators, however, should be strictly subject to the protection of privacy rights of bike riders and the protection of fair competition between different platforms.
It is also proposed that these obligations should be created through voluntary agreements between the government regulator and operators under a permit system, rather than by creating new statutory obligations, as the former is much more flexible and allows for the adoption of various incentive schemes. Such an approach may also help regulate torts incidence in other types of platform economies.

13.
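Algorithms are capable of autonomous learning and big-data processing, which helps in reaching and implementing monopoly agreements and gives rise to algorithm-driven collusion. Algorithmic collusion involves no obvious communication of intent and lacks clear evidence of agreement, and so challenges the traditional concept of a monopoly agreement. The "black box" of algorithmic decision-making means that an undertaking's subjective intent to eliminate or restrict competition cannot be verified. The weakening of the "human-machine" link in turn causes leniency policies and legal sanctions to fail. Faced with advances in algorithmic technology, antitrust law urgently needs a system of rules for detecting, identifying and sanctioning monopoly agreements that responds to the changing times. To this end, detection of monopoly agreements should remain proactive, using big data and economic analysis to screen for anomalous market signals; the standard of proof for identifying monopoly agreements should then be lowered appropriately, letting algorithms serve as circumstantial evidence; finally, legal liability should be further developed to urge algorithm designers and providers to fulfil their competition obligations and keep algorithms accountable.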

14.
《Digital Investigation》2014,11(2):111-119
To discriminate natural images from computer generated graphics, a novel identification method based on the features of the impact of color filter array (CFA) interpolation on the local correlation of photo response non-uniformity noise (PRNU) is proposed. As CFA interpolation generally exists in the generation of natural images and it imposes influence on the local correlation of PRNU, the differences between the PRNU correlations of natural images and those of computer generated graphics are investigated. Nine dimensions of histogram features are extracted from the local variance histograms of PRNU to represent the identification features. The discrimination is accomplished by using a support vector machine (SVM) classifier. Experimental results and analysis show that it can achieve an average identification accuracy of 99.43%, and it is robust against scaling, JPEG compression, rotation and additive noise. Thus, it has great potential to be used in image source pipelines forensics.

15.
Stamp marks are used as a unique identification for a range of items, but these can be erased for criminal activities. Erased marks can sometimes be recovered by etching or magnetic means. The present study looked at the application of Fry's reagent to recover erased marks from steel. The investigation also demonstrated that Fry's reagent can deteriorate on storing and will require a longer etching time. The effect of different applied forces of stamping was investigated, and the depth of the underlying deformation was determined by etching after varying degrees of metal removal. The amount of metal needing to be removed depends on the force applied to the die. Metal removal also affects the time needed for recovery. The underlying structural change remains as a hidden identification mark, and could potentially be used by manufacturers as an unseen identifier. A model for the underlying deformation is proposed.

16.
As part of the Forensic Ear Identification (FearID) research project, which aims to obtain estimators for the strength of evidence of earmarks found on crime scenes, a large database of earprints (over 1200 donors) has been collected. Starting from a knowledge-based approach where experts add anatomical annotations of minutiae and landmarks present in prints, comparison of pairs of prints is done using the method of Vector Template Matching (VTM). As the annotation process is subjective, a validation experiment was performed to study its stability. Comparing prints on the basis of VTM, it appears that there are interoperator effects, individual operators yielding significantly more consistent results when annotating prints than different operators. The operators being well trained and educated, the observed variation on both clicking frequency and choice of annotation points suggests that implementation of the above is not the best way to go about objectifying earprint comparison. Processes like the above are relevant for any forensic science dealing with identification (e.g., of glass, tool marks, fibers, faces, fingers, handwriting, speakers) where manual (nonautomated) processes play a role. In these cases, results may be operator dependent and the dependencies need to be studied.

17.
Citizen calls for police service represent direct demands on government. It is the job of police phone operators to translate these demands into official, bureaucratically recognized inputs. As “street-level” bureaucrats, police phone operators enjoy considerable discretion in how they receive, process, and transmit information. Operators screen all calls, categorize the citizen's problem, and by that process they determine much of the initial police response to that call. This article analyzes data on citizen requests and operator responses coded from a sample of over 26,000 phone calls to police in 21 jurisdictions in three metropolitan areas. The data indicate that most citizen calls to police involve the provision of information or assistance, nuisance abatement, traffic problems, or the regulation of interpersonal disputes. Citizen calls cover a wide range of topics, but only about 20 percent involve predatory crime of any type. The typical operator response to the problems described by most citizens was to promise the dispatch of a patrol unit, although this varied by problem type and by the apparent seriousness of the call. Complaint operators seem to follow a decision rule that a patrol unit will always be sent to the scene except in those situations where it is clear that none is needed. The article concludes with a discussion of the possible impact of operator demeanor on policy-community relations.

18.
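Objective: With the spread of digital recording devices such as mobile phones and voice recorders, digital recordings have largely replaced traditional analog recordings and become the dominant type of material in forensic audio examination. As digital recordings are an important part of audio-visual materials, research on new techniques and methods for their forensic authentication has important theoretical significance and practical value. Methods: A digital recording authentication technique based on recording-device identification was studied. Background-noise segments were extracted from digital recordings, and key device-related statistical features were computed, including sample histogram distribution features and mean spectrum statistical features; machine learning and pattern classification methods were then used to accurately classify the carrier of the digital recording, i.e. the recording device. Results: The highest classification accuracy in the experiments reached 97.09%. Building on the results on the separability of recording devices, a feasible implementation scheme for the forensic examination of digital recording devices is proposed. Conclusion: The results demonstrate the feasibility and accuracy of the recording-device identification method based on analysis of signal statistical features.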

19.
This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.

20.
The identification of fired bullets and spent cartridge cases is one of the key tasks of forensic science. The traditional comparison of signatures on specimen with a large collection with only a microscope is a very tedious and time-consuming work. Fortunately, electronic systems for performing a pre-selection have been invented since the last 25 years. On the basis of an expansive database the electronic comparison system used by the BKA, Germany, is evaluated and a mathematical value is proposed to rate the correlation quality. This effectiveness criterion can be valuable to give an objective assessment of different electronic comparison systems. Additionally, the applicability of the system on different calibres and land engraved area (LEA) width is discussed. The so called scores are also on disposition and their benefit to a decision-making is debated.
