Similar literature
 Found 20 similar documents; search took 140 ms
1.
Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. A taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics faces, but to serve as a survey of the state of the art of the research area.

2.
3.
As digital evidence now features prominently in many criminal investigations, large volumes of requests for the forensic examination of devices have led to well publicized backlogs and delays. In an effort to cope, triage policies are frequently implemented in order to reduce the number of digital devices which are seized unnecessarily. Often first responders are tasked with performing triage at scene in order to decide whether any identified devices should be seized and submitted for forensic examination. In some cases, this is done with the assistance of software which allows device content to be “previewed”; however, in some cases, a first responder will triage devices using their judgment and experience alone, absent knowledge of the device's content, referred to as “decision‐based device triage” (DBDT). This work provides a discussion of the challenges first responders face when carrying out DBDT at scene. In response, the COLLECTORS ranking scale is proposed to help first responders carry out DBDT and to formalize this process in an effort to support quality control of this practice. The COLLECTORS ranking scale consists of 10 categories which first responders should rank a given device against. Each device's cumulative score should be queried against the defined “seizure thresholds” which offer support to first responders in assessing when to seize a device. To offer clarity, an example use‐case involving the COLLECTORS ranking scale is included, highlighting its application when faced with multiple digital devices at scene.

4.
Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.

5.
To prevent image forgeries, a number of forensic techniques for digital images have been developed that can detect an image's origin, trace its processing history, and also locate the position of tampering. In particular, the statistical footprint left by the JPEG compression operation can be a valuable source of information for the forensic analyst, and some image forensic algorithms have been proposed based on the image statistics in the DCT domain. Recently, it has been shown that footprints can be removed by adding a suitable anti‐forensic dithering signal to the image in the DCT domain, which invalidates some image forensic algorithms. In this paper, a novel anti‐forensic algorithm is proposed, which is capable of concealing the quantization artifacts left in a single JPEG compressed image. In the scheme, a chaos‐based dither is added to an image's DCT coefficients to remove such artifacts. The effectiveness of the scheme and the loss of image quality are both evaluated through experiments. The simulation results show that the proposed anti‐forensic scheme can verify the reliability of the JPEG forensic tools.

6.
Abstract: In this article, the authors discuss the problem of forensic authentication of digital audio recordings. Although forensic audio has been addressed in several articles, the existing approaches are focused on analog magnetic recordings, which are less prevalent because of the large amount of digital recorders available on the market (optical, solid state, hard disks, etc.). An approach based on digital signal processing that consists of spread spectrum techniques for speech watermarking is presented. This approach presents the advantage that the authentication is based on the signal itself rather than the recording format. Thus, it is valid for usual recording devices in police‐controlled telephone intercepts. In addition, our proposal allows for the introduction of relevant information such as the recording date and time and all the relevant data (this is not always possible with classical systems). Our experimental results reveal that the speech watermarking procedure does not interfere in a significant way with the posterior forensic speaker identification.

7.
This case report sets forth an authenticity examination of 35 encrypted, proprietary-format digital audio files containing recorded telephone conversations between two codefendants in a criminal matter. The codefendant who recorded the conversations did so on a recording system he developed; additionally, he was both a forensic audio authenticity examiner, who had published and presented in the field, and was the head of a professional audio society's writing group for authenticity standards. The authors conducted the examination of the recordings following nine laboratory steps of the peer-reviewed and published 11-step digital audio authenticity protocol. Based considerably on the codefendant's direct involvement with the development of the encrypted audio format, his experience in the field of forensic audio authenticity analysis, and the ease with which the audio files could be accessed, converted, edited in the gap areas, and reconstructed in such a way that the processes were undetected, the authors concluded that the recordings could not be scientifically authenticated through accepted forensic practices.

8.
Communication apps can be an important source of evidence in a forensic investigation (e.g., in the investigation of a drug trafficking or terrorism case where the communications apps were used by the accused persons during the transactions or planning activities). This study presents the first evidence‐based forensic taxonomy of Windows Phone communication apps, using an existing two‐dimensional Android forensic taxonomy as a baseline. Specifically, 30 Windows Phone communication apps, including Instant Messaging (IM) and Voice over IP (VoIP) apps, are examined. Artifacts extracted using physical acquisition are analyzed, and seven digital evidence objects of forensic interest are identified, namely: Call Log, Chats, Contacts, Locations, Installed Applications, SMSs and User Accounts. Findings from this study would help to facilitate timely and effective forensic investigations involving Windows Phone communication apps.

9.
Event reconstruction is an important phase in digital forensic investigation, which determines what happened during the incident. The digital investigator uses the findings of this phase to prepare reports for the court. Since the results must be reproducible and verifiable, it is necessary that the event reconstruction methods be rigorous and strict. In order to fulfill the legal requirements, this study proposes an event reconstruction framework which is based on the formal mathematical methods. In particular, it uses the temporal logic model checking that is an automatic verification technique. The idea is that the system under investigation is modeled as a transition system. Then the digital forensic property is specified using the modal μ-calculus. Finally, a model checking algorithm verifies whether the transition system meets the property. In order to demonstrate the proposed formal event reconstruction framework, an abstract model of the FAT file system is presented and some digital forensic properties are formulated. A big problem in model checking is the so-called state space explosion. This study addresses this problem and suggests some solutions to it. Finally, the proposed framework is applied to a case study to demonstrate how some hypotheses can be proved or refuted.

10.
Following the enactment of the Police and Crime Act 2017, subsequent amendments to the Police and Criminal Evidence Act 1984 have seen a ‘cap’ placed on the length of time a suspect can be released on bail; a process commonly referred to as ‘police bail’ or ‘pre-charge bail’. Whilst designed to instil consistency and certainty into bail processes to prevent individuals being subject to lengthy periods of regulation and uncertainty, it places additional pressures on forensic services. With a focus on digital forensics, examination of digital media is a complex and time-consuming process, with existing backlogs well documented. The need for timely completion of investigations to adhere to pre-charge bail rules places additional stress on an already stretched service. This comment submission provides an initial analysis of new pre-charge bail regulations, assessing their impact on digital forensic services.

11.
Recently, digital forensics has become increasingly important as it is used by investigation agencies, corporate, and private sector. To supplement the limitations of evidence capacity and be recognized in court, it is essential to establish an environment that ensures the integrity of the entire process ranging from collecting and analyzing to submitting digital evidence to court. In this study, common elements were extracted by comparing and analyzing ISO/IEC 17025, 27001 standards and Interpol and Council of Europe (CoE) guidelines to derive the necessary components for building a digital forensic laboratory. Subsequently, based on 21 digital forensic experts in the field, Delphi survey and verifications were conducted in three rounds. As a result, 40 components from seven areas were derived. The research results are based on the establishment, operation, management, and authentication of a digital forensics laboratory suitable for the domestic environment, with added credibility through collection of the opinions of 21 experts in the field of digital forensics in Korea. This study can be referred to in establishing digital forensic laboratories in national, public, and private digital forensic organizations as well as for employing as competency measurement criteria in courts to evaluate the reliability of the analysis results.

12.
《Digital Investigation》2005,2(2):147-167
Digital investigations, whether forensic in nature or not, require scientific rigor and are facilitated through the use of standard processes. Such processes can be complex in nature. A more comprehensive, generally accepted digital investigation process framework is therefore sought to enhance scientific rigor and facilitate education, application, and research. Previously proposed frameworks are predominantly single-tier, higher order process models that focus on the abstract, rather than the more concrete principles of the investigation. We contend that these frameworks, although useful in explaining overarching concepts, fail to support the inclusion of additional layers of detail needed by various framework users. We therefore propose a multi-tier, hierarchical framework to guide digital investigations. Our framework includes objectives-based phases and sub-phases that are applicable to various layers of abstraction, and to which additional layers of detail can easily be added as needed. Our framework also includes principles that are applicable in varied ways to all phases. The data analysis function intended to identify and recover digital evidence is used as an example of how the framework might be further populated and used. The framework is then applied using two different case scenarios. At its highest level, the proposed framework provides a simplified view and conceptual understanding of the overall process. At lower levels, the proposed framework provides the granularity needed to achieve practicality and specificity goals set by practitioners and researchers alike.

13.
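With the popularization of digital recording devices and the trend toward mass availability of audio editing technology, traditional examination methods and techniques face great challenges in current forensic practice for authenticating digital recordings. Recent advances in fields such as pattern recognition and artificial intelligence provide effective examination perspectives for digital recording authenticity examination. By analyzing and summarizing the cutting-edge exploratory results of research fields such as machine learning and pattern recognition on digital recording authenticity, combined with a discussion of the key techniques and methods applied in current forensic practice of recording authenticity examination, this paper analyzes and discusses the problems, challenges, and future trends facing research in the field of forensic authentication of digital recordings. It points out that the collaborative coexistence of expert experience-based judgment and analysis techniques and statistical quantitative examination methods is the inevitable trend and an efficient solution for digital recording authenticity examination.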

14.
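China is at the intersection of advancing the modernization of national governance and the new generation of information technology revolution, and promoting government digital transformation is an inevitable requirement for modernizing the national governance system and governance capacity. Drawing on existing research and using the TOE framework, this paper applies the analytic hierarchy process and the fuzzy comprehensive evaluation method to analyze and evaluate the factors influencing China's government digital transformation at the technological, organizational, and environmental levels. The results show that, in advancing the process of government digital transformation, strategic planning for government digital transformation is the most...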

15.
Unlike conventional forensics, digital forensics does not at present generally quantify the results of its investigations. It is suggested that digital forensics should aim to catch up with other forensic disciplines by using Bayesian and other numerical methodologies to quantify its investigations’ results. Assessing the plausibility of alternative hypotheses (or propositions, or claims) which explain how recovered digital evidence came to exist on a device could assist both the prosecution and the defence sides in criminal proceedings: helping the prosecution to decide whether to proceed to trial and helping defence lawyers to advise a defendant how to plead. This paper reviews some numerical approaches to the goal of quantifying the relative weights of individual items of digital evidence and the plausibility of hypotheses based on that evidence. The potential advantages enabling the construction of cost-effective digital forensic triage schemas are also outlined.

Key points

  • The absence of quantified results from digital forensic investigations, unlike those of conventional forensics, is highlighted.
  • A number of approaches towards quantitative evaluation of the results of digital forensic investigations are reviewed.
  • The significant potential benefits accruing from such approaches are discussed.

16.
The need for a reliable and complementary identifier mechanism in a digital forensic analysis is the focus of this study. Mouse dynamics have been applied in information security studies, particularly, continuous authentication and authorization. However, the method applied in security is void of specific behavioral signature of a user, which inhibits its applicability in digital forensic science. This study investigated the likelihood of the observation of a unique signature from mouse dynamics of a computer user. An initial mouse path model was developed using non-finite automata. Thereafter, a set-theory based adaptive two-stage hash function and a multi-stage rule-based semantic algorithm were developed to observe the feasibility of a unique signature for forensic usage. An experimental process which comprises three existing mouse dynamics datasets was used to evaluate the applicability of the developed mechanism. The result showed a low likelihood of extracting unique behavioral signature which can be used in a user attribution process. Whilst digital forensic readiness mechanism could be a potential approach that can be used to achieve a reliable behavioral biometrics modality, the lack of unique signature presents a limitation. In addition, the result supports the logic that the current state of behavioral biometric modality, particularly mouse dynamics, is not suitable for forensic usage. Hence, the study concluded that whilst mouse dynamics-based behavioral biometrics may be a complementary modality in security studies, more will be required to adopt it as a forensic modality in litigation. Furthermore, the result from this study finds relevance in other human attributional studies such as user identification in recommender systems, e-commerce, and online profiling systems, where the degree of accuracy is not relatively high.

17.
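This paper explores establishing a method for evaluating the scientific soundness and reliability of tools for the forensic examination of electronic data. Building on existing domestic and international evaluation methods for forensic tools, and drawing on factors such as national compulsory certification and accreditation and reliability engineering, it analyzes in detail the two stages of basic tool accreditation and qualitative evaluation in the reliability evaluation system for electronic data forensic examination tools, providing a theoretical basis for ensuring the scientific soundness and accuracy of forensic examination practice.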

18.
It is now extremely easy to recapture high-resolution and high-quality images from LCD (Liquid Crystal Display) screens. Recaptured image detection is an important digital forensic problem, as image recapture is often involved in the creation of a fake image in an attempt to increase its visual plausibility. State-of-the-art image recapture forensic methods make use of strong prior knowledge about the recapturing process and are based on either the combination of a group of ad-hoc features or a specific and somehow complicated dictionary learning procedure. By contrast, we propose a conceptually simple yet effective method for recaptured image detection which is built upon simple image statistics and a very loose assumption about the recapturing process. The adopted features are pixel-wise correlation coefficients in image differential domains. Experimental results on two large databases of high-resolution, high-quality recaptured images and comparisons with existing methods demonstrate the forensic accuracy and the computational efficiency of the proposed method.

19.
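Objective: With the popularization of digital recording devices such as mobile phones and voice recorders, digital recordings have largely replaced traditional analog recordings and become the dominant type of examination material in forensic audio examination. Digital recordings are an important component of audio-visual materials, and research on new techniques and methods for their forensic authentication has important theoretical significance and practical value. Methods: A digital recording authenticity examination technique based on recording device identification is studied. Background noise segments are extracted from digital recordings, key statistical features related to the recording device are computed, including sample histogram distribution features and average spectrum statistical features, and machine learning and pattern classification methods are used to accurately classify the carrier of the digital recording, that is, the recording device. Results: The highest classification accuracy in the experiments reached 97.09%. Based on the findings on the separability of recording devices, a feasible implementation scheme for the forensic examination of digital recording devices is proposed. Conclusion: The results demonstrate the feasibility and accuracy of recording device identification based on the analysis of signal statistical features.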

20.
Abstract: Recent trends in global networks are leading toward service‐oriented architectures and sensor networks. On one end of the spectrum, this means deployment of services from numerous providers to form new service composites, and on the other end this means emergence of the Internet of things. Both these kinds belong to a plethora of realms and can be deployed in many ways, which will pose serious problems in cases of abuse. Consequently, both trends increase the need for new approaches to digital forensics that would furnish admissible evidence for litigation. Because technology alone is clearly not sufficient, it has to be adequately supported by appropriate investigative procedures, which have yet to become a subject of an international consensus. This paper therefore provides an appropriate holistic framework to foster an internationally agreed upon approach in digital forensics along with necessary improvements. It is based on a top‐down approach, starting with legal, continuing with organizational, and ending with technical issues. More precisely, the paper presents a new architectural technological solution that addresses the core forensic principles at its roots. It deploys so‐called leveled message authentication codes and digital signatures to provide data integrity in a way that significantly eases forensic investigations into attacked systems in their operational state. Further, using a top‐down approach a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators to perform routine investigations, without becoming overwhelmed by low‐level details. As low‐level details should not be left out, the framework is further evaluated to include these details to allow organizations to configure their systems for proactive collection and preservation of potential digital evidence in a structured manner.
The main reason behind this approach is to stimulate efforts on an internationally agreed “template legislation,” similarly to model law in the area of electronic commerce, which would enable harmonized national implementations in the area of digital forensics.
