Similar literature
Found 20 similar documents; search took 484 ms
1.
Current digital forensic text string search tools use match and/or indexing algorithms to search digital evidence at the physical level to locate specific text strings. They are designed to achieve 100% query recall (i.e. find all instances of the text strings). Given the nature of the data set, this leads to an extremely high incidence of hits that are not relevant to investigative objectives. Although Internet search engines suffer similarly, they employ ranking algorithms to present the search results in a more effective and efficient manner from the user's perspective. Current digital forensic text string search tools fail to group and/or order search hits in a manner that appreciably improves the investigator's ability to get to the relevant hits first (or at least more quickly). This research proposes and empirically tests the feasibility and utility of post-retrieval clustering of digital forensic text string search results – specifically by using Kohonen Self-Organizing Maps, a self-organizing neural network approach. This paper is presented as a work-in-progress. A working tool has been developed and experimentation has begun. Findings regarding the feasibility and utility of the proposed approach will be presented at DFRWS 2007, as well as suggestions for follow-on research.

2.
《Science & justice》2022,62(3):288-309
Sex estimation standards are population specific; however, we argue that machine learning techniques (ML) may enhance the biological sex determination on trans-population application. Linear discriminant analysis (LDA) versus nine ML including quadratic discriminant analysis (QDA), support vector machine (SVM), Decision Tree (DT), Gaussian process (GPC), Naïve Bayesian (NBC), K-Nearest Neighbor (KNN), Random Forest (RFM) and Adaptive boosting (Adaboost) were compared. The experiments involve two contemporary populations: Turkish (n = 300) and Egyptian populations (n = 100) for training and validation, respectively. Base models were calibrated using isotonic and sigmoid calibration schemes. Results were analyzed at posterior probabilities (pp) thresholds >0.95 and >0.80. At pp = 0.5, ML algorithms yielded comparable accuracies in the training (90% to 97%) and test sets (81% to 88%) which are not modified after employing the calibration techniques. At pp >0.95, the raw RFM, LDA, QDA, and SVM models have shown the best performance; however, calibration techniques improved the performance of various classifiers, especially NBC and Adaboost. By contrast, the performance of GPC, KNN, QDA models worsened by calibration. RFM has shown the best performance among all models at both thresholds whereas LDA benefited the best from using both calibration methods at pp >0.80. Complex ML models are not necessarily achieving better performance metrics. LDA and QDA remain the fastest and simplest classifiers. We demonstrated the capability of enhancing sex estimation using ML on an independent population sample; however, differences in the underlying probability distribution generated by models were detected which warranted more cautious application by forensic practitioners.

3.
《Digital Investigation》2014,11(2):81-89
Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations. Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages, and have been evaluated in a somewhat ad-hoc manner. Recently, the FRASH testing framework has been proposed as a vehicle for developing a set of standardized tests for approximate matching algorithms; the aim is to provide a useful guide for understanding and comparing the absolute and relative performance of different algorithms. The contribution of this work is twofold: a) expand FRASH with automated tests for quantifying approximate matching algorithm behavior with respect to precision and recall; and b) present a case study of two algorithms already in use–sdhash and ssdeep.

4.
The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM)--an unsupervised neural network model--can aid investigators to determine anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted to conduct the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.

5.
《Science & justice》2022,62(6):696-707
Online virtual learning resources have been available for learning and teaching in forensic science for some years now, but the recent global COVID-19 related periods of irregular lockdown have necessitated the rapid development of these for teaching, learning and CPD activities. However, these resources do need to be carefully constructed and grounded in pedagogic theory to be effective. This article details eXtended Reality (XR) learning and teaching environments to facilitate effective online teaching and learning for forensic geoscientists. The first two case studies discussed in this article make use of Thinglink software to produce virtual learning and teaching XR resources through an internet system, which was delivered to undergraduate students in 2021. Case one details a range of XR virtual laboratory-based equipment resources, providing a consistent, reliable and asynchronous learning and teaching experience, whilst the second case study presents an XR virtual learning applied geophysics resource developed for a 12-week CPD training programme. This programme involves recorded equipment video resources, accompanying datasets and worksheets for users to work through. Both case studies were positively received by learners, but there were issues encountered by learners with poor internet connections or computer skills, or who do not engage well with online learning. A third case study showcases an XR educational forensic geoscience eGame that was developed to take the user through a cold case search investigation, from desktop study through to field reconnaissance and multi-staged site investigations. Pedagogic research was undertaken with user questionnaires and interviews, providing evidence that the eGame was an effective learning and teaching tool. eGame users highly rated the eGame and reported that they raised awareness and understanding of the use of geophysics equipment and best practice of forensic geoscience search phased investigations. 
These types of XR virtual learning digital resources, whilst costly to produce in terms of development time and staff resource, provide a complementary virtual learning experience to in-situ practical sessions, and allow learners to asynchronously familiarise themselves with equipment, environments and techniques resulting in more efficient use of in situ time. The XR resources also allow learners to reinforce learning post in-situ sessions. Finally, XR resources can provide a more inclusive and authentic experience for learners who cannot attend or complete work synchronously.

6.
Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.

7.
There is a lack of clear guidelines for project managers, laboratory managers and forensic scientists on strategies for the automation of forensic DNA laboratory processes and operational implementation of new technologies. This is reflected in the failure rate of projects in the forensic DNA testing environment. We present a set of guidelines and concepts important for forensic laboratory automation. Some case studies from past projects are presented. These consist of partial (or modular) automation (n = 2) and full automated robotically integrated systems (n = 2). Technology Management principles and concepts are crucial to prevent failure of projects, e.g. early adoption of untried technologies, and organizational factors. The future of laboratory automation is modular until such time as new discontinuous technologies will replace the need of the traditional manual laboratory configuration in totality.

8.
The need for a reliable and complementary identifier mechanism in a digital forensic analysis is the focus of this study. Mouse dynamics have been applied in information security studies, particularly, continuous authentication and authorization. However, the method applied in security is void of specific behavioral signature of a user, which inhibits its applicability in digital forensic science. This study investigated the likelihood of the observation of a unique signature from mouse dynamics of a computer user. An initial mouse path model was developed using non-finite automata. Thereafter, a set-theory based adaptive two-stage hash function and a multi-stage rule-based semantic algorithm were developed to observe the feasibility of a unique signature for forensic usage. An experimental process which comprises three existing mouse dynamics datasets was used to evaluate the applicability of the developed mechanism. The result showed a low likelihood of extracting unique behavioral signature which can be used in a user attribution process. Whilst digital forensic readiness mechanism could be a potential approach that can be used to achieve a reliable behavioral biometrics modality, the lack of unique signature presents a limitation. In addition, the result supports the logic that the current state of behavioral biometric modality, particularly mouse dynamics, is not suitable for forensic usage. Hence, the study concluded that whilst mouse dynamics-based behavioral biometrics may be a complementary modality in security studies, more will be required to adopt it as a forensic modality in litigation. Furthermore, the result from this study finds relevance in other human attributional studies such as user identification in recommender systems, e-commerce, and online profiling systems, where the degree of accuracy is not relatively high.

9.
Investigating seized devices within digital forensics gets more and more difficult due to the increasing amount of data. Hence, a common procedure uses automated file identification which reduces the amount of data an investigator has to look at by hand. Besides identifying exact duplicates, which is mostly solved using cryptographic hash functions, it is also helpful to detect similar data by applying approximate matching. Let x denote the number of digests in a database, then the lookup for a single similarity digest has the complexity of O(x). In other words, the digest has to be compared against all digests in the database. In contrast, cryptographic hash values are stored within binary trees or hash tables and hence the lookup complexity of a single digest is O(log2(x)) or O(1), respectively. In this paper we present and evaluate a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(x) to O(1). Therefore, instead of using multiple small Bloom filters (which is the common procedure), we demonstrate that a single, huge Bloom filter has a far better performance. Our evaluation demonstrates that current approximate matching algorithms are too slow (e.g., over 21 min to compare 4457 digests of a common file corpus against each other) while the improved version solves this challenge within seconds. Studying the precision and recall rates shows that our approach works as reliably as the original implementations. We obtain this benefit by accuracy–the comparison is now a file-against-set comparison and thus it is not possible to see which file in the database is matched.

10.
This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation.

11.
The Daubert decision motivates attempts to establish error rates for digital forensic tools. Many scientific procedures have been devised that can answer simple questions. For example, does a soil sample contain component X? A procedure can be followed that gives an answer with known rates of error. Usually the error rate of a process that tries to detect something is associated with a random component of some measurement. Typically there are two types of error, type I, also called a false positive (detecting it when it is not really there), and type II, also called a false negative (missing it when it really is there). At first thought, an error rate for a forensic acquisition tool or a write blocking tool is a simple concept. An obvious possibility for the error rate of an acquisition is k/n, where n is the total number of bits acquired and k is the number of incorrectly acquired bits. However, the kinds of errors in the soil test and in digital acquisition are fundamentally different. The errors in the soil test can be modeled with a random distribution that can be treated statistically, but the errors that occur in a digital acquisition are systematic and triggered by specific conditions. The purpose of this paper is not to define any error rates for forensic tools, but identification of some of the basic issues to stimulate discussion and further work on the topic.

12.
The dramatic growth of storage capacity and network bandwidth is making it increasingly difficult for forensic examiners to report what is present on a piece of subject media. Instead, analysts are focusing on what characteristics of the media have changed between two snapshots in time. To date different algorithms have been implemented for performing differential analysis of computer media, memory, digital documents, network traces, and other kinds of digital evidence. This paper presents an abstract differencing strategy and applies it to all of these problem domains. Use of an abstract strategy allows the lessons gleaned in one problem domain to be directly applied to others.

13.
In crime scenes, not all biological stains are human in origin. Some exhibits can be from pets living on the premises or from animal products used in food consumption. In addition, it could be necessary to test animal carcasses for other forensic purposes. Often such stains can include mixtures involving humans or other species. Thus, identifying and deconvoluting mixtures of species commonly found in and around a household can be crucial in forensic casework. Different molecular techniques have been employed for species identification such as immunoprecipitation, qPCR, and DNA sequencing. In this project, a nanoplate-based digital PCR assay for species identification was developed, targeting Homo sapiens, canine, feline, bovine, swine, pisces, and gallus in two multiplexes. An internal positive control was included in the design. The assay is simple, rapid, and can determine a wide variety of different vertebrates from biological exhibits, as well as in mixtures. Because the assay utilizes digital PCR, the procedure shows sensitivity down to a few copies, even in the presence of larger amounts of a major contributor, making the assay particularly useful in mixture deconvolution. Overall, this assay presents the forensic community with a novel application in which digital PCR can provide a sensitive and specific determination of species.

14.
The fast growth of the average size of digital forensic targets demands new automated means to quickly, accurately and reliably correlate digital artifacts. Such tools need to offer more flexibility than the routine known-file filtering based on crypto hashes. Currently, there are two tools for which NIST has produced reference hash sets–ssdeep and sdhash. The former provides a fixed-sized fuzzy hash based on random polynomials, whereas the latter produces a variable-length similarity digest based on statistically-identified features packed into Bloom filters. This study provides a baseline evaluation of the capabilities of these tools both in a controlled environment and on real-world data. The results show that the similarity digest approach significantly outperforms in terms of recall and precision in all tested scenarios and demonstrates robust and scalable behavior.

15.
Electronic documents often contain personal or confidential information, which can be used as valuable evidence in criminal investigations. In the digital investigation, special techniques are required for grouping and screening electronic documents, because it is challenging to analyze relationships between numerous documents in storage devices manually. To this end, although techniques such as keyword search, similarity search, topic modeling, metadata analysis, and document clustering are continually being studied, there are still limitations for revealing the relevance of documents. Specifically, metadata used in previous research are not always values present in the documents, and clustering methods with specific keywords may be incomplete because text‐based contents (including metadata) can be easily modified or deleted by users. In this work, we propose a novel method to efficiently group Microsoft Office Word 2007+ (MS Word) files by using revision identifier (RSID). Through a thorough understanding of the RSID, examiners can predict organizations to which a specific user belongs, and further, it is likely to discover unexpected interpersonal relationships. An experiment with a public dataset (GovDocs) provides that it is possible to categorize documents more effectively by combining our proposal with previously studied methods. Furthermore, we introduce a new document tracking method to understand the editing history and movement of a file, and then demonstrate its usefulness through an experiment with documents from a real case.

16.
Previous research indicates law enforcement investigators and digital forensic examiners working child exploitation cases are at an increased risk for experiencing psychological distress; however, the roles of digital forensic examiners and investigators often overlap substantially when working child pornography cases. Thus, the current study was the first to compare the psychological well-being, job satisfaction, coping mechanisms, and attitudes toward mental health services for individuals working as either digital forensic examiners and/or investigators of child pornography cases. Law enforcement officers were solicited from the Internet Crimes Against Children task force listserv, and based on their current self-reported duties, 20 were classified as digital forensic examiners-only, 71 as investigators-only, and 38 as both digital forensic examiners and investigators of cases involving Internet child pornography. Results showed significant differences between groups; individuals performing both duties scored significantly higher on secondary traumatic stress, higher on feelings of worthlessness, and lower on concentration compared to digital forensic examiners-only. Individuals performing both duties also reported significantly lower scores on job satisfaction compared to investigators-only. Finally, individuals working both duties were significantly more likely to know someone who sought counseling as a result of work-related stress. The study’s mental health implications and future research suggestions are discussed.

17.
The research reported in this series of articles aimed at (1) automating the search of questioned ink specimens in ink reference collections and (2) at evaluating the strength of ink evidence in a transparent and balanced manner. These aims require that ink samples are analysed in an accurate and reproducible way and that they are compared in an objective and automated way. This latter requirement is due to the large number of comparisons that are necessary in both scenarios. A research programme was designed to (a) develop a standard methodology for analysing ink samples in a reproducible way, (b) comparing automatically and objectively ink samples and (c) evaluate the proposed methodology in forensic contexts. This report focuses on the last of the three stages of the research programme. The calibration and acquisition process and the mathematical comparison algorithms were described in previous papers [C. Neumann, P. Margot, New perspectives in the use of ink evidence in forensic science—Part I: Development of a quality assurance process for forensic ink analysis by HPTLC, Forensic Sci. Int. 185 (2009) 29–37; C. Neumann, P. Margot, New perspectives in the use of ink evidence in forensic science—Part II: Development and testing of mathematical algorithms for the automatic comparison of ink samples analysed by HPTLC, Forensic Sci. Int. 185 (2009) 38–50]. In this paper, the benefits and challenges of the proposed concepts are tested in two forensic contexts: (1) ink identification and (2) ink evidential value assessment. The results show that different algorithms are better suited for different tasks. This research shows that it is possible to build digital ink libraries using the most commonly used ink analytical technique, i.e. high-performance thin layer chromatography, despite its reputation of lacking reproducibility. More importantly, it is possible to assign evidential value to ink evidence in a transparent way using a probabilistic model.
It is therefore possible to move away from the traditional subjective approach, which is entirely based on experts’ opinion, and which is usually not very informative. While there is room for the improvement, this report demonstrates the significant gains obtained over the traditional subjective approach for the search of ink specimens in ink databases, and the interpretation of their evidential value.

18.
19.
The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db.

20.
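Objective: To introduce the application of digital image processing technology to restoration in criminal cases and to promote the development of this technology. Methods: Restoration is performed using computer image processing techniques such as digital algorithms, filtering, and geometric operations. Results: Hidden, incomplete, and faint information in cases, blurred images, and deformed physical evidence were restored and their features revealed. Conclusion: Criminal digital image restoration technology has broad application prospects in the field of criminal science and technology.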
