Similar literature
 Found 20 similar documents; search time: 93 ms
1.
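Examination of mobile phone physical evidence and its application in criminal investigation   Total citations: 4, self-citations: 2, citations by others: 2
With the rapid development and widespread use of mobile communication technology, the information held inside mobile phones has become an important source of leads and evidence in criminal investigation. By examining a phone's SIM card memory, mainboard memory and flash card with dedicated technical methods that meet the principles of physical evidence examination, a large amount of information can be obtained, including the user's personal information, communication content, records of communication events, data the user has written to storage, and phone settings. The information produced by such examinations has very high investigative and evidentiary value, and the mobile phone has therefore become a new object of examination in the field of physical evidence identification.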

2.
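The short message encoding used in PDU mode is widely adopted by GSM phones. In practical examination and identification work, the number of phones involved in cases has grown substantially, and it often happens that a mobile phone forensic analysis system cannot parse an image file; only examiners who understand PDU well enough can handle mobile phone forensics with ease. Through a worked analysis of the PDU mode structure, short messages were successfully recovered by hand. This method of analysis and the experience gained can be applied to short message forensics on all GSM phones.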

3.
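An experimental study of mobile phone call speech   Total citations: 1, self-citations: 0, citations by others: 1
At present, mobile phone call speech has become the most common form of speech in forensic voice identification. Starting from the channel characteristics of the mobile communication system, this study analyses the spectral characteristics and formant frequency changes of mobile phone call speech; it also compares the speech characteristics of different call networks, different calling modes and different handsets. The experiments found that mobile phone call speech differs markedly from directly recorded speech, mainly in the band-pass filtering effect on high- and low-frequency information, the drift of high- and low-frequency formants, speech quality, timbre and prosodic features; they also found that the degree of change differs under different mobile phone call conditions. Finally, the influence of these changes on speaker identification and the points to note during identification are discussed.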

4.
Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and chronology of messages, was recovered. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other dimension. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.

5.
《Science & justice》2022,62(3):385-398
Data from mobile phones are regularly used in the investigation of crime and court proceedings. Previously published research has primarily addressed technical issues or provided operational manuals for using forensic science evidence, rather than analysing human factors and the implementation of forensic tools in investigation settings. Moreover, previous research has focused almost entirely on western countries, and there is a dearth of research into the uses of forensic evidence in China. In this study, a review was carried out of court sentencing documents referring to mobile phone evidence in China over the period 2013–2018. Automated content analysis was used to identify the specific evidence types utilised and the sentencing outcome for each case. Results show that mobile phone evidence was used in 3.3% of criminal proceedings. Among various data types mentioned in criminal proceedings, call records sustained as the most frequently used type of data. After which, instant messaging tools (e.g. WeChat) are an increasing proportion of all mobile phone evidence, from 1% in 2015 to 25% in 2018. For cases that utilised mobile phone data, the analysis of instant messaging and online transaction tools is routine, with little variation in the use of each application (WeChat, Alipay, QQ) for investigations of different types of crime. However, in the majority of criminal cases, mobile phone data function as subsidiary evidence and posed limited impacts on verdict reached. The current findings indicate that a large amount of mobile phone evidence was transformed into other evidence formats or filtered out directly before court proceedings.

6.
WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application and no comprehensive digital forensic analysis has been performed with regards to this feature at the time of writing this paper. In this work, we describe how we were able to decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination. We explain the methods and tools used to decrypt the traffic as well as thoroughly elaborate on our findings with respect to the WhatsApp signaling messages. Furthermore, we also provide the community with a tool that helps in the visualization of the WhatsApp protocol messages.

7.
In 2012, the United Kingdom actively sought to tackle acts of stalking through amendments to the Protection from Harassment Act 1997. Now, not only is stalking a recognised criminal offence, acts associated with stalking behaviour have finally been properly defined in legislation. Further, the role of technology in digital stalking offences, frequently termed as acts of cyberstalking, has been duly highlighted. The prosecution of such cyberstalking offences is reliant on the forensic analysis of devices capable of communication with a victim, in order to identify the offender and evidence the offending content for presentation to a court of law. However, with the recent proliferation of anonymous communication services, it is becoming increasingly difficult for digital forensic specialists to analyse and detect the origin of stalking messages, particularly those involving mobile devices. This article identifies the legal factors involved, along with a scenario-based investigation of sample anonymous and spoof SMS (Short Message Service) messages, documenting the evidence that remains on a victim's handset for the purpose of locating an offender, which often may be minimal or non-existent.

8.
Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats complicating decoding and presentation. A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent the results produced by different tools are consistent. This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device; and that in some cases the information recovered is conflicting.

9.
Video file format standards define only a limited number of mandatory features and leave room for interpretation. Design decisions of device manufacturers and software vendors are thus a fruitful resource for forensic video authentication. This paper explores AVI and MP4-like video streams of mobile phones and digital cameras in detail. We use customized parsers to extract all file format structures of videos from overall 19 digital camera models, 14 mobile phone models, and 6 video editing toolboxes. We report considerable differences in the choice of container formats, audio and video compression algorithms, acquisition parameters, and internal file structure. In combination, such characteristics can help to authenticate digital video files in forensic settings by distinguishing between original and post-processed videos, verifying the purported source of a file, or identifying the true acquisition device model or the processing software used for video processing.

10.
魏玮  张国臣 《刑事技术》2008,(2):12-13,15
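Objective: To demonstrate that the internal information of a damaged mobile phone recovered from a crime scene can be retrieved, provided its own memory chip has not been destroyed. Methods: Phone numbers and short messages differing clearly in quantity were stored in the internal memory of two phones of the same brand and model; the memory chips were then removed and swapped, and it was observed whether the stored information could still be displayed intact after the swap. Results: Where the memory chip is undamaged, the internal information can be fully displayed by swapping chips. Conclusion: The experiment shows that, by swapping chips between phones of the same model, the stored information can be extracted in full provided the internal chip has not been damaged.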

11.
Wearable devices allow users the ability to leave mobile phones behind while remaining connected to the digital world; however, this creates challenges in the examination, acquisition, identification, and analysis of probative data. This preliminary research aims to provide an enhanced understanding of where sensitive user data and forensic artifacts are stored on smartwatch wearable devices, both through utilization as a connected and standalone device. It also provides a methodology for the forensically sound acquisition of data from a standalone smartwatch wearable device. The results identify significant amounts of data on the Samsung Gear S3 Frontier, greater than that stored on the companion mobile phone. An Apple Watch® Series 3 manual examination method which produces native screenshots was identified; however, the companion mobile phone was found to store the greatest amount of data. As a result of this research, a data extraction tool for the Samsung Gear S3 Frontier was created.

12.
This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.

13.
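The widespread use of short messages has inevitably given rise to many new legal problems, in particular many cases of short messages being used to commit offences. This article analyses these legal problems, discusses the current state of legal regulation of short messages in China, and proposes that the legal regulation of short messages be strengthened in order to promote the healthy development of short message services.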

14.
Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system’s LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

15.
This article presents an experimental analysis of the combination of different regions of the human face on various forensic scenarios to generate scientific knowledge useful for the forensic experts. Three scenarios of interest at different distances are considered comparing mugshot and CCTV face images using MORPH and SC face databases. One of the main findings is that inner facial regions combine better in mugshot and close CCTV scenarios and outer facial regions combine better in far CCTV scenarios. This means, that depending of the acquisition distance, the discriminative power of the facial regions change, having in some cases better performance than the full face. This effect can be exploited by considering the fusion of facial regions which results in a very significant improvement of the discriminative performance compared to just using the full face.

16.
An image of a computer's physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains lots of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24 h after process termination under optimum conditions. Great care must be taken as the acquisition process usually affects the memory contents to be acquired. In order to minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement, which allows to obtain a time series of physical memory images, while it also reduces the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and a last in-first out schedule. In addition, a passive memory compaction strategy may apply. So, the creation of a new object is likely to eradicate the evidence of an object of the same class that was destructed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.

17.
An image of a computer's physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains lots of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24 h after process termination under optimum conditions. Great care must be taken as the acquisition process usually affects the memory contents to be acquired. In order to minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement, which allows to obtain a time series of physical memory images, while it also reduces the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and a last in-first out schedule. In addition, a passive memory compaction strategy may apply. So, the creation of a new object is likely to eradicate the evidence of an object of the same class that was destructed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.

18.
This study designs a method of identifying the camera model used to take videos that are distributed through mobile phones and determines the original version of the mobile phone video for use as legal evidence. For this analysis, an experiment was conducted to find the unique characteristics of each mobile phone. The videos recorded by mobile phones were analyzed to establish the delay time of sound signals, and the differences between the delay times of sound signals for different mobile phones were traced by classifying their characteristics. Furthermore, the sound input signals for mobile phone videos used as legal evidence were analyzed to ascertain whether they have the unique characteristics of the original version. The objective of this study was to find a method for validating the use of mobile phone videos as legal evidence using mobile phones through differences in the delay times of sound input signals.

19.
《Science & justice》2022,62(3):358-364
South Africa has one of the highest rape statistics in the world, with an average of 117 rapes reported daily. Y-STR genotyping is becoming a popular tool in the analysis of DNA evidence collected after a crime of a sexual nature has been committed, but has yet to be implemented in South Africa’s forensic laboratories. This study aimed to investigate the forensic value of the 27 Yfiler™ Plus loci in the South African population. A total of 271 samples from the African, Asian/Indian, Mixed Ancestry, and Caucasian populations at the University of the Free State in Bloemfontein, South Africa were amplified and analysed using ThermoFisher Scientific’s Yfiler™ Plus PCR Amplification kit. Of the 271 samples, 261 were identified to be unique, with an overall discrimination capacity of 98.15%. Discrimination capacities ranged from 91.67% for the Asian/Indian population to 100% for the Mixed Ancestry population. The haplotype diversity across the four populations is 0.9999, with an average gene diversity across all loci of 0.717. The forensic parameters estimated in this study provide evidence for the potential use of the commercial Yfiler™ Plus PCR amplification kit in a forensic application in South Africa.

20.
《Digital Investigation》2007,4(3-4):129-137
In this paper we discuss how operating system design and implementation influence the methodology for computer forensics investigations, with the focus on forensic acquisition of memory. In theory the operating system could support such investigations both in terms of tools for analysis of data and by making the system data readily accessible for analysis. Conventional operating systems such as Windows and UNIX derivatives offer some memory-related tools that are geared towards the analysis of system crashes, rather than forensic investigations. In this paper we demonstrate how techniques developed for persistent operating systems, where lifetime of data is independent of the method of its creation and storage, could support computer forensics investigations delivering higher efficiency and accuracy. It is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. We further propose a new technique for forensically sound acquisition of memory based on the persistence paradigm.
