Similar literature
20 similar documents found (search time: 0 ms)
1.
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.

3.
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

5.
6.
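The historical evolution of forensic authentication: from divine authority to civil rights   Total citations: 4, self-citations: 0, citations by others: 4
The history of humanity's understanding of nature and society is a progression from ignorance to scientific exploration and scientific understanding, and the evidence used in litigation to resolve disputes has likewise improved as the level of human understanding has risen. Under China's three major procedural laws, the expert conclusion is one of the categories of evidence, and forensic authentication arose and developed along with efforts to discover evidence, understand evidence, and make it scientific and objective. Accordingly, implementing the "Decision" and establishing a neutral, scientific, open and fair scientific system for resolving social and judicial disputes answers the call to open a new era in which disputes are resolved through science.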

7.
The increasing popularity of cryptography poses a great challenge in the field of digital forensics. Digital evidence protected by strong encryption may be impossible to decrypt without the correct key. We propose novel methods for cryptographic key identification and present a new proof of concept tool named Interrogate that searches through volatile memory and recovers cryptographic keys used by the ciphers AES, Serpent and Twofish. By using the tool in a virtual digital crime scene, we simulate and examine the different states of systems where well known and popular cryptosystems are installed. Our experiments show that the chances of uncovering cryptographic keys are high when the digital crime scene is in certain well-defined states. Finally, we argue that the consequence of this and other recent results regarding memory acquisition requires that the current practices of digital forensics should be guided towards a more forensically sound way of handling live analysis in a digital crime scene.

8.
9.
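In studying China's procuratorial system, a scientific research method is just as important as an objective attitude. The author therefore reviews, from a historical perspective, some of the problems that have arisen in current research on China's procuratorial system. The historical sources of China's procuratorial system are mainly the ancient censorate (yushi) system, the Soviet procuratorial system and Western procuratorial systems, and an objective evaluation of these historical sources is essential to reform of the procuratorial system. In the course of reform, judicial philosophy and institution building interact; the two may benefit each other or may come into conflict. Only by learning from history and handling these issues properly can the reform of the procuratorial system advance steadily.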

10.
《Digital Investigation》2014,11(3):175-178
A number of new entertainment systems have appeared on the market that have embedded computing capabilities. Smart Televisions have the ability to connect to networks, browse the web, purchase applications and play games. Early versions were based on proprietary operating systems; newer versions released from 2012 are based on existing operating systems such as Linux and Android. The question arises as to what sort of challenges and opportunities they present to the forensics examiner. Are these new platforms or simply new varieties of existing forms of devices? What data do they retain and how easy is it to access this data? This paper explores this as a future forensic need and asks if we are missing potential sources of forensic data and to what degree we are ready to process these systems as part of an investigation.

11.
12.
Abstract: In forensic sciences, the fate of abstracts presented at international meetings has not yet been assessed. The purpose of this study is to estimate publication ratio and evaluate possible predictors of publication after the 58th edition of the 2006 American Academy of Forensic Sciences annual meeting. Section of the meeting, type of presentation (oral platform or poster), number of authors per abstract and per paper, time span to publication, countries involved, and journal of publication were tabulated. A total of 623 abstracts were presented, from which 102 were subsequently published as a full paper. The overall publication rate was 16.4%, ranging from 3.4% (jurisprudence) to 28.8% (toxicology). The type of presentation (oral platform or poster) did not significantly affect the outcome of the abstract. However, a higher number of authors, foreign authors, and international collaboration were found to be good predictive factors of publication.

13.
A brief history of forensic medicine in the Indo-Pacific region followed by the extent of medical education imparted to undergraduates and current practice in various countries of the region are examined.

14.
Hallucinogenic fungi synthesize two controlled substances, psilocin and psilocybin. Possession of the fungal species that contain these compounds is a criminal offence in North America. Some related species that are morphologically similar do not contain the controlled substances. Therefore, unambiguous identification of fungi to the species level is critical in determining if a mushroom is illegal. We investigate a phylogenetic approach for the identification of species that contain the psychoactive compounds. We analyzed 35 North American specimens representing seven different genera of hallucinogenic and non-hallucinogenic mushrooms. We amplified and sequenced the internal transcribed spacer region of the rDNA (ITS-1) and a 5' portion of the nuclear large ribosomal subunit of rRNA (nLSU rRNA or 28S). ITS-1 locus sequence data was highly variable and produced a phylogenetic resolution that was not consistent with morphological identifications. In contrast, the nLSU rRNA data clustered isolates from the same species and separated hallucinogen containing and non-hallucinogen containing isolates into distinct clades. With this information, we propose an approach that combines the specificity of PCR detection and the resolving power of phylogenetic analysis to efficiently and unambiguously identify hallucinogenic fungal specimens for legal purposes.

15.
17.
Forensic DNA analysis on microfluidic devices: a review   Total citations: 2, self-citations: 0, citations by others: 2
The advent of microfluidic technology for genetic analysis has begun to impact forensic science. Recent advances in microfluidic separation of short-tandem-repeat (STR) fragments have provided unprecedented potential for improving speed and efficiency of DNA typing. In addition, the analytical processes associated with sample preparation--which include cell sorting, DNA extraction, DNA quantitation, and DNA amplification--can all be integrated with the STR separation in a seamless manner. The current state of these microfluidic methods as well as their advantages and potential shortcomings are detailed. Recent advances in microfluidic device technology, as they pertain to forensic DNA typing, are discussed with a focus on the forensic community.

18.
《Digital Investigation》2014,11(3):143-153
While one would not even consider them alike, payment cards are one of the most valuable and widely used embedded systems. Payment card systems are probably the most attacked and counterfeited. In fact, even though the use of smart cards has introduced high security capabilities, criminal activity has not been deterred and payment card fraud remains a lucrative activity. From low-tech (carding) to high-tech (man in the middle attack) fraud, all payment card based frauds require stealing or modifying card data and reusing it with a direct profit. Physical forms of fraud, such as Automated Teller Machine (ATM) withdrawals or in store payments, are mostly based on and associated with manipulated cards. Through their nefarious actions, that may include overwriting the magnetic strip data or injecting attacks on the embedded microcontroller, criminals are able to realise significant monetary gains. To effectively deal with these fraud cases, investigators have to quickly determine whether a card is authentic or a counterfeit. Currently no known easy forensic tool exists that provides a quick effective and accurate response. In this article, after having conceptualised payment cards as multi-interface embedded systems, we propose simple and fast forensic analysis methods to finally provide investigators with associated desktop and mobile forensic tools.

19.
The multi-disciplinary field of forensic science frequently finds its academic home within criminal justice programs. After examining the reasons for this academic linkage, an analysis of criminal justice curricular models and courses was undertaken to assess their applicability to forensic science education and careers. The authors concluded that the relationship between criminal justice and forensic science can be mutually beneficial; however, most criminal justice programs do not provide adequate preparation for meaningful careers in forensic science.

20.
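Examining the development and evolution of traditional Chinese law over the long term, and of state-enacted law in particular, reveals a clear pattern: an evolution from ethical rules to rules of everyday life, which is especially evident in law concerning civil matters. This process of evolution was long, and even cruel. It reminds us that the role of law should not be overstated and that the views of the public should be heard when legislating.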
