Similar literature
Found 20 similar documents; search took 25 ms
1.
In this paper we examine the legal aspects of the forensic investigation of mobile telephone applications. Mobile telephone applications might be involved with a variety of types of computer misuse including fraud, theft, money laundering, dissemination of copyrighted materials or indecent images, or instances where mobile telephone applications have been involved in the transmission of malware for malicious or criminal purposes. In this paper we examine the process of the forensic investigation of mobile telephone applications, and the issues relating to obtaining digital evidence from mobile telephone applications.

2.
Digital forensic investigators often find peer-to-peer, or file sharing, software present on the computers, or the images of the disks, that they examine. Investigators must first determine what P2P software is present and where the associated information is stored, retrieve the information from the appropriate directories, and then analyze the results. File Marshal is a tool that will automatically detect and analyze peer-to-peer client use on a disk. The tool automates what is currently a manual and labor intensive process. It will determine what clients currently are or have been installed on a machine, and then extracts per-user usage information, specifically a list of peer servers contacted, and files that were shared and downloaded. The tool was designed to perform its actions in a forensically sound way, including maintaining a detailed audit trail of all actions performed. File Marshal is extensible, using a configuration file to specify details about specific peer-to-peer clients (e.g., location of log files and registry keys indicating installation). This paper describes the general design and features of File Marshal, its current status, and the plans for continued development and release. When complete, File Marshal, a National Institute of Justice funded effort, will be disseminated to law enforcement at no cost.

3.
The increasing levels of criminal media being shared in peer-to-peer (P2P) networks pose a significant challenge to law enforcement agencies. One of the main priorities for P2P investigators is to identify cases where a user is actively engaged in the production of child sexual abuse (CSA) media – they can be indicators of recent or on-going child abuse. Although a number of P2P monitoring tools exist to detect paedophile activity in such networks, they typically rely on hash value databases of known CSA media. As a result, these tools are not able to adequately triage the thousands of results they retrieve, nor can they identify new child abuse media that are being released on to a network. In this paper, we present a new intelligent forensics approach that incorporates the advantages of artificial intelligence and machine learning theory to automatically flag new/previously unseen CSA media to investigators. Additionally, the research was extensively discussed with law enforcement cybercrime specialists from different European countries and Interpol. The approach has been implemented into the iCOP toolkit, a software package that is designed to perform live forensic analysis on a P2P network environment. In addition, the system offers secondary features, such as showing on-line sharers of known CSA files and the ability to see other files shared by the same GUID or other IP addresses used by the same P2P client. Finally, our evaluation on real CSA case data shows high degrees of accuracy, while hands-on trials with law enforcement officers demonstrate the toolkit's complementarity to extant investigative workflows.

4.
5.
M.  J.  D. 《Computer Law & Security Report》2009,25(4):372-376
The undertaking of e-mail investigations was previously limited mainly to law enforcement agencies. However, UK organisations are increasingly undertaking e-mail investigation activities for incidents such as fraud, accessing or distributing indecent images and harassment amongst others. Organisations are also increasingly using computer forensic analysts to search through e-mail archives in order to gather evidence relating to e-mail misuse. In this paper we examine the legal aspects of UK corporate e-mail investigations.

6.
《Science & justice》2014,54(1):81-88
New scientific, technological and legal developments, particularly the introduction of national databases for DNA and fingerprints, have led to increased use of forensic science in the investigation of crime. There is an assumption, and in some instances specific assertions, that such developments bring improvements either in broad criminal justice terms or more narrowly in terms of economic or practical efficiencies. The underlying presumption is that the new technological opportunities will be understood and effectively implemented. This research investigates whether such increases in activity have also been accompanied by improvements in the effective use of forensic science. A systematic review of thirty-six reports published (predominantly in England and Wales) since the 1980s, which have considered the use of forensic science in the investigation of volume crimes, was carried out. These reports have identified a number of recurrent themes that influenced how effectively forensic science was used in investigations. The themes identified included forensic knowledge and training of investigators, communication and information exchange between specialists and investigators, timeliness of forensic results, interagency relationships and deployment of crime scene examiner resources. The research findings suggest that these factors continue to hinder the effective use of forensic science despite technological advances and this paper considers their potential causes.

7.
Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems.

8.
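In recent years, forensic science has encountered a growing number of non-human DNA typing problems, particularly involving material that originates from animals themselves or from animal secretions. As evidence, typing non-human DNA from a crime scene can reveal not only where, and against whom or what, a crime was committed but also, if the perpetrator is an animal, where that animal came from. At present, there are few standards for animal DNA analysis methods in forensic medicine. Based on the latest research results of the International Society for Forensic Genetics, this paper reviews the current state of, and related recommendations for, the application of animal DNA in forensic science.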

9.
Digital image evidence is now widely available from criminal investigations and surveillance operations, often captured by security and surveillance CCTV. This has resulted in a growing demand from law enforcement agencies for automatic person-recognition based on image data. In forensic science, a fundamental requirement for such automatic face recognition is to evaluate the weight that can justifiably be attached to this recognition evidence in a scientific framework. This paper describes a pilot study carried out by the Forensic Science Service (UK) which explores the use of digital facial images in forensic investigation. For the purpose of the experiment a specific software package was chosen (Image Metrics Optasia). The paper does not describe the techniques used by the software to reach its decision of probabilistic matches to facial images, but accepts the output of the software as though it were a 'black box'. In this way, the paper lays a foundation for how face recognition systems can be compared in a forensic framework. The aim of the paper is to explore how reliably and under what conditions digital facial images can be presented in evidence.

10.
In this study, we aim to compare the performance of systems and forensic facial comparison experts in terms of likelihood ratio computation to assess the potential of the machine to support the human expert in the courtroom. In forensics, transparency in the methods is essential. Consequently, state-of-the-art free software was preferred over commercial software. Three different open-source automated systems chosen for their availability and clarity were as follows: OpenFace, SeetaFace, and FaceNet; all three based on convolutional neural networks that return a distance (OpenFace, FaceNet) or similarity (SeetaFace). The returned distance or similarity is converted to a likelihood ratio using three different distribution fits: parametric fit Weibull distribution, nonparametric fit kernel density estimation, and isotonic regression with pool adjacent violators algorithm. The results show that with low-quality frontal images, automated systems have better performance to detect nonmatches than investigators: 100% of precision and specificity in confusion matrix against 89% and 86% obtained by investigators, but with good quality images forensic experts have better results. The rank correlation between investigators and software is around 80%. We conclude that the software can assist in reporting officers as it can do faster and more reliable comparisons with full-frontal images, which can help the forensic expert in casework.

11.
《Digital Investigation》2014,11(3):175-178
A number of new entertainment systems have appeared on the market that have embedded computing capabilities. Smart Televisions have the ability to connect to networks, browse the web, purchase applications and play games. Early versions were based on proprietary operating systems; newer versions released from 2012 are based on existing operating systems such as Linux and Android. The question arises as to what sort of challenges and opportunities they present to the forensics examiner. Are these new platforms or simply new varieties of existing forms of devices? What data do they retain and how easy is it to access this data? This paper explores this as a future forensic need and asks if we are missing potential sources of forensic data and to what degree we are ready to process these systems as part of an investigation.

12.
《Digital Investigation》2007,4(3-4):146-157
Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

13.
A computer software, RättsBASE (RB), was developed for all forensic pathology units in Sweden and introduced in 1992. Simultaneously, a corresponding software, ToxBASE (TB), was developed for the Department of Forensic Toxicology, where all forensic toxicology in Sweden is managed. Both of the databases were created using dBASE IV, and the programming was carried out according to specifications from the staff at the forensic toxicology and forensic pathology units. Since the development of RB and TB was coordinated, the systems can run together smoothly. The purpose of both systems was to automate the offices and to enable compilation of detailed statistics. Installation of Novell Netware and ISDN-connections (Integrated Service Digital Network) has enabled rapid communication between the units and easy compilation of nationwide statistics of forensic pathology and forensic toxicology. The systems offer a wide spectrum of reports and include a simple module for evaluation of the importance of the forensic efforts for the whole death investigation. The configuration of the software has also enabled processing of a large amount of related toxicological and autopsy data that in turn has yielded a base for compilation of toxicology interpretation lists. This article includes a summary of the features of the software and a discussion of its benefits and limitations.

14.
《Digital Investigation》2014,11(3):160-174
Immature IT security, increasing network connectivity and unwavering media attention are causing an increase in the number of control system cyber security incidents. For forensic examinations in these environments, knowledge and skills are needed in the field of hardware, networks and data analysis. For forensic examiners, this paper is meant to be a crash course on control systems and their forensic opportunities, focussing on the differences compared to regular IT systems. Assistance from experienced field engineers during forensic acquisition of control systems seems inevitable in order to guarantee process safety, business continuity and examination efficiency. For people working in the control system community, this paper may be helpful to get an idea about specific forensic issues about which they would normally not bother, but may be crucial as soon as their systems are under attack or become part of a law enforcement investigation. For analysis of acquired data, existing tools for network security monitoring have useful functionality for forensic applications but are designed for real-time acquisition and often not directly usable for post-mortem analysis of acquired data in a forensically sound way. The constant and predictable way in which control systems normally behave makes forensic application of anomaly-based threat detection an interesting topic for further research.

15.
This paper extends a previous discussion of the use of Bayesian networks for evaluating evidence in the forensic investigation of fire incidents. Bayesian networks are proposed for two casework examples and the practical implications studied in detail. Such networks were found to provide precious support in addressing some of the wide range of issues that affect the coherent evaluation of evidence.

16.
In this paper, we proposed an automated system to perform a live memory forensic analysis for mobile phones. We investigated the dynamic behavior of the mobile phone’s volatile memory, and the analysis is useful in real-time evidence acquisition analysis of communication based applications. Different communication scenarios with varying parameters were investigated. Our experimental results showed that outgoing messages (from the phone) have a higher persistency than the incoming messages. In our experiments, we consistently achieved a 100% evidence acquisition rate with the outgoing messages. For the incoming messages, the acquisition rates ranged from 75.6% to 100%, considering a wide range of varying parameters in different scenarios. Hence, in a more realistic scenario where the parties may occasionally take turns to send messages and consecutively send a few messages, our acquisition can capture most of the data to facilitate further detailed forensic investigation.

17.
王进喜 《证据科学》2020,(1):113-129
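Disclosure issues in law mainly concern which evidence the prosecution has provided to, or withheld from, the defence. In this paper, we extend the concept of disclosure to a broader context, in which disclosure failures may lead to miscarriages of justice. We introduce a conceptual model, "forensic disclosure", which concerns what information should be disclosed to forensic examiners and what information forensic examiners should disclose. The paper gives a comprehensive overview of the dynamic interaction among four categories of stakeholders: forensic services, investigative, legal and external stakeholders. We discuss the effective implementation of the forensic disclosure model through five questions: if the best information is to be provided to, or by, forensic examiners so as to improve the quality of forensic decisions and minimise bias, when should disclosure take place, what should be disclosed, how should it be disclosed, to whom, and why?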

18.
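In terms of its nature, forensic appraisal should be a public service that the government makes a concerted effort to provide, and it has a public-interest character; the forensic appraisal institutions on which it relies should take public-interest development as their guiding value orientation. Appraisal bodies set up within investigative organs to serve investigations are inherently public-interest in nature, but a series of problems that have arisen in practice have skewed that character and prompted doubts about it. In building forensic appraisal institutions under the guidance of the Decision of the Standing Committee of the National People's Congress on the Administration of Forensic Appraisal, non-governmental forensic appraisal institutions should be kept from sliding into market-style competition, so as to safeguard the impartiality, objectivity and neutrality of appraisal opinions as a statutory form of evidence. Starting from the current appraisal system and guided by the establishment of state-run forensic appraisal institutions, how to put forensic appraisal institutions on a sound, public-interest path of development is the core question explored here. The announcement of national-level forensic appraisal institutions marks the beginning of public-interest development of forensic appraisal institutions in China; taking this as an opportunity, the path forward for that development should be carefully considered.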

19.
Digital devices now play an important role in the lives of many in society. Whilst they are used predominantly for legitimate purposes, instances of digital crime are witnessed, where determining their usage is important to any criminal investigation. Typically, when determining who has used a digital device, digital forensic analysis is utilised, however, biological trace evidence or fingerprints residing on its surfaces may also be of value. This work provides a preliminary study which examines the potential for fingerprint recovery from computer peripherals, namely keyboards and mice. Our implementation methodology is outlined, and results discussed which indicate that print recovery is possible. Findings are intended to support those operating at-scene in an evidence collection capacity.

20.
The use of computer forensics was previously limited mainly to law enforcement agencies. However, UK organisations are increasingly undertaking computer forensics activities for incidents such as fraud, money laundering, accessing or distributing indecent images, harassment, industrial spying and identity theft amongst others. In this paper we examine the legal aspects of UK corporate computer forensic investigations.
