Similar literature
 20 similar articles found (search time: 15 ms)
1.
Computer Forensics is mainly about investigating crime where computers have been involved. There are many tools available to aid the investigator with this task. We have created a prototype of a new type of tool called CyberForensic TimeLab where all evidence is indexed by its time variables and plotted on a timeline. We believed that this way of visualizing the evidence allows the investigators to find coherent evidence faster and more intuitively. We have performed a user test where a group of people has evaluated our prototype tool against a modern commercial computer forensic tool and the results of this preliminary test are very promising. The results show that users completed the task in shorter time, with greater accuracy and with fewer errors using CyberForensic TimeLab. The subjects also experienced that the prototype was more intuitive to use and that it allowed them to more easily locate evidence that was coherent in time.

2.
The electrical charge deposited by contact electrification due to a finger touching a thin insulating surface is imaged using an electric field microscopy system. It is based on an ultrahigh impedance electric potential sensor used as a non-contact raster scanning probe to measure surface charge density with a spatial resolution of up to 5 μm. Preliminary results are presented which yield two principal findings. First, they indicate that the spatial resolution of the fingerprint image is sufficient for identification purposes. Secondly, that the decay of the surface charge may be considered as a candidate method for the dating or sequencing of these electrical charge fingerprints. The decay of surface charge with time is well defined, largely material dependent, and may take many days. This intrinsic decay rate for the material may be quantified using the charge imaging system described in this paper and a known test charge. The measurement technique described is non-destructive, may be repeated without degradation of the sample, and does not preclude the subsequent use of other techniques such as DNA analysis or conventional latent fingerprint development.

3.
Event reconstruction is an important phase in digital forensic investigation, which determines what happened during the incident. The digital investigator uses the findings of this phase to prepare reports for the court. Since the results must be reproducible and verifiable, it is necessary that the event reconstruction methods be rigorous and strict. In order to fulfill the legal requirements, this study proposes an event reconstruction framework which is based on formal mathematical methods. In particular, it uses temporal logic model checking, which is an automatic verification technique. The idea is that the system under investigation is modeled as a transition system. Then the digital forensic property is specified using the modal μ-calculus. Finally, a model checking algorithm verifies whether the transition system meets the property. In order to demonstrate the proposed formal event reconstruction framework, an abstract model of the FAT file system is presented and some digital forensic properties are formulated. A big problem in model checking is the so-called state space explosion. This study addresses this problem and suggests some solutions to it. Finally, the proposed framework is applied to a case study to demonstrate how some hypotheses can be proved or refuted.

4.
Due to the democratisation of new technologies, computer forensics investigators have to deal with volumes of data which are becoming increasingly large and heterogeneous. Indeed, in a single machine, hundreds of events occur per minute, produced and logged by the operating system and various software. Therefore, the identification of evidence, and more generally, the reconstruction of past events is a tedious and time-consuming task for the investigators. Our work aims at reconstructing and analysing automatically the events related to a digital incident, while respecting legal requirements. To tackle those three main problems (volume, heterogeneity and legal requirements), we identify seven necessary criteria that an efficient reconstruction tool must meet to address these challenges. This paper introduces an approach based on a three-layered ontology, called ORD2I, to represent any digital events. ORD2I is associated with a set of operators to analyse the resulting timeline and to ensure the reproducibility of the investigation.

5.
《Science & justice》2021,61(5):627-634
The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via written report, yet despite this there is arguably limited best practice guidance available which is specific for this field in regards to report construction. Poor reporting practices in DF are likely to undermine the reliability of evidence provided across this field, where there is a need for formalised guidance regarding the requirements for effective DF report construction; this should not be a task left solely to each individual practitioner to determine without instruction. For this, the field of DF should look to the wider forensic community and the existing work in this area for support. In line with many other ‘traditional’ forensic science types, a DF practitioner can be commissioned to report in one of three ways - ‘technical’, ‘investigative’ or ‘evaluative’, where each reporting type maintains a specific purpose and interpretative-context, determined by the examination workflow undertaken by a practitioner following client instruction. This work draws upon guidance set out in fundamental forensic science reporting literature in order to describe each reporting type in turn, outlining their scope, content and construction requirements in an attempt to provide support for the DF field.

6.
《Digital Investigation》2007,4(3-4):146-157
Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

7.
Unlike conventional forensics, digital forensics does not at present generally quantify the results of its investigations. It is suggested that digital forensics should aim to catch up with other forensic disciplines by using Bayesian and other numerical methodologies to quantify its investigations’ results. Assessing the plausibility of alternative hypotheses (or propositions, or claims) which explain how recovered digital evidence came to exist on a device could assist both the prosecution and the defence sides in criminal proceedings: helping the prosecution to decide whether to proceed to trial and helping defence lawyers to advise a defendant how to plead. This paper reviews some numerical approaches to the goal of quantifying the relative weights of individual items of digital evidence and the plausibility of hypotheses based on that evidence. The potential advantages enabling the construction of cost-effective digital forensic triage schemas are also outlined.

Key points

  • The absence of quantified results from digital forensic investigations, unlike those of conventional forensics, is highlighted.
  • A number of approaches towards quantitative evaluation of the results of digital forensic investigations are reviewed.
  • The significant potential benefits accruing from such approaches are discussed.

8.
9.
The fight against doping is mainly focused on direct detection, using analytical methods for the detection of doping agents in biological samples. However, the World Anti-Doping Code also defines doping as possession, administration or attempted administration of prohibited substances or methods, trafficking or attempted trafficking in any prohibited substance or methods. As these issues correspond to criminal investigation, a forensic approach can help assess potential violation of these rules. In the context of a rowing competition, genetic analyses were conducted on biological samples collected in infusion apparatus, bags and tubing in order to obtain DNA profiles. As no database of athletes' DNA profiles was available, the use of information from the location detection as well as contextual information were key to determine a population of suspected athletes and to obtain reference DNA profiles for comparison. Analysis of samples from infusion systems provided 8 different DNA profiles. The comparison between these profiles and 8 reference profiles from suspected athletes could not be distinguished. This case-study is one of the first where a forensic approach was applied for anti-doping purposes. Based on this investigation, the International Rowing Federation authorities decided to ban not only the incriminated athletes, but also the coaches and officials for 2 years.

10.
11.
《Science & justice》2023,63(1):116-126
Given the size and complexity of many digital forensic science device examinations, there is a need for practitioners to formally and strategically determine a course of conduct which allows them to undertake the most robust and efficient examination possible. This work outlines both the need for practitioners to have a digital evidence strategy (DES) when tackling any given examination scenario, how to construct one and the concerns which exist when no formal DES is in place. Approaches to DES development are examined and the context to which they should be deployed are analysed, with focus being on the use of DESs at the examination/processing stage of the investigative workflow. Finally, a ‘DES skeleton’ is offered to guide practitioners as they seek to create their own DES.

12.
Video data received for analysis often come in a variety of file formats and compression schemes. These data are often transcoded to a consistent file format for forensic examination and/or ingesting into a video analytic system. The file format often requested is an MP4 file format. The MP4 file format is a very common and a universally accepted file format. The practical application of this transcoding process, across the analytical community, has generated differences in video quality. This study sought to explore possible origins of the differences and assist the practitioner by defining minimum recommendations to ensure that quality of the video data is maintained through the transcoding process. This study sought to generate real world data by asking participants to transcode provided video files to an MP4 file format using programs they would typically utilize to perform this task. The transcoded results were evaluated based on measurable metrics of quality. As the results were analyzed, determining why these differences might have occurred became less about a particular software application and more about the settings employed by the practitioner or of the capabilities of the program. This study supports the need for any video examiner who is transcoding video data to be cognizant of the settings utilized by the programs employed for transcoding video data, as loss of video quality can affect analytics as well as further analysis.

13.
Sexual assault is a serious crime that often has low conviction rates. Recent literature has demonstrated that there is potential for fragrances to be valuable in forensic reconstructions where there has been contact between individuals. However, developing appropriate evidence bases for understanding the nature of fragrance transfer in these contexts is needed. This article presents three experiments that address the transfer process of fragrances that have been transferred from a primary piece of fabric onto a secondary piece of fabric, in a manner that could occur during an assault. The three variables studied were the ageing time of the fragrances on the first fabric prior to transfer, the contact time between the two fabrics, and lastly the fabric type (of the primary material and the recipient material). The transfer was evaluated using a validated solid phase micro-extraction gas chromatography–mass spectrometry (SPME GC–MS) method. The findings demonstrated that all three variables had an impact on the transfer of fragrances between clothing fabrics. Generally, lower volatility compounds were transferred and recovered in larger amounts than higher volatility compounds. All fragrance compounds were successfully recovered from a secondary piece of fabric even when the contact time was as short as 10 s, and even when the perfume was aged on the primary fabric for as long as 48 h. The nature of the fragrance transfer also depended on the fabric type, so that a clear discrimination was observed between the fragrance transfer that occurred onto a natural fabric (cotton) and onto a synthetic fabric (polyester).

14.
The Qiagen BioRobot EZ1 is a small, rapid, and reliable automated DNA extraction instrument capable of extracting DNA from up to six samples in as few as 20 min using magnetic bead technology. The San Diego Police Department Crime Laboratory has validated the BioRobot EZ1 for the DNA extraction of evidence and reference samples in forensic casework. The BioRobot EZ1 was evaluated for use on a variety of different evidence sample types including blood, saliva, and semen evidence. The performance of the BioRobot EZ1 with regard to DNA recovery and potential cross-contamination was also assessed. DNA yields obtained with the BioRobot EZ1 were comparable to those from organic extraction. The BioRobot EZ1 was effective at removing PCR inhibitors, which often co-purify with DNA in organic extractions. The incorporation of the BioRobot EZ1 into forensic casework has streamlined the DNA analysis process by reducing the need for labor-intensive phenol-chloroform extractions.

15.
The aim of this study was to highlight the importance of evaluating entomological evidence in forensic investigations on a regional scale. To evaluate climatic, geographical and environmental influences on the selection of carrion-breeding fauna in Northern Italy and consequently on inferred forensic data (post-mortem intervals and post-mortem transfer), we present details of six indoor-outdoor cases. Results show that the most abundant species was Lucilia sericata, together with other fly species of entomo-forensic interest, belonging to the Calliphoridae and Sarcophagidae families. In particular, for the first time in Italy, we report finding Phormia regina, Lucilia ampullacea, Lucilia caesar and Sarcophaga (Pandelleana) protuberans on fresh cadavers. The active period of L. sericata in Northern Italy, according to previous findings in Southern Europe, revealing clearcut differences with phenologies in Northern Europe, has important consequences in estimating the period (season, months) of death in cases of long post-mortem intervals (several months or years) if empty puparia of this fly are found. According to our results, the distribution of L. sericata in areas with urban sprawl, like Northern Italian regions, cannot be used to evaluate post-mortem transfer from an urban area to a rural one.

16.
17.
18.
Nuclear forensic investigations: two case studies   Total citations: 1, self-citations: 0, citations by others: 1
This paper describes the methodology and analytical methods used in nuclear forensic investigations. Two case studies are taken as examples to illustrate this. These examples represent typical cases that have been analysed at the Institute for Transuranium Elements (ITU) over the last 10 years, i.e. the beginning of the illicit trafficking of nuclear materials. Results of the various analytical techniques are shown, which, together with other types of information, reveal the origin of the material.

19.
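Objective: To establish a method of identification based on digital panoramic radiographs for the Chinese population in whom the replacement of deciduous teeth by permanent teeth is complete. Methods: Digital panoramic radiographs of 120 Chinese individuals with complete deciduous-to-permanent tooth replacement were measured and analysed. For the image of each tooth, 5 length indices and 5 angle indices were selected and measured using efilm workstation 2.1 software, and the data were processed and statistically analysed with SPSS 13.0 software. Results: The distribution probabilities of the measured values of each index across the segmented value-assignment intervals differed, reaching a maximum of 99.166 7%. The segmented value-assignment matching probability between two digital panoramic radiographs from the same source was at most 98.947 368 42% and at least 89.473 684 21%. Conclusion: The identification method based on segmented value-assignment matching probability performed well in blind testing, and it can provide a reference for individual identification.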

20.