A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence

This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.     

The Hierarchy of Case Priority (HiCaP):- A proposed method for case prioritisation in digital forensic laboratories

The need for digital forensic science (DFS) services has grown due to widespread and consistent engagement with technology by members of society. Whilst digital evidence often plays an important role in many inquiries, available investigative resources have failed to keep pace with such demand for them. As a result, the use case prioritisation models for backlog/workload management are of increasing importance to ensure the effective deployment of laboratory resources. This work focuses on the concept of ​​case prioritisation in a digital forensic laboratory setting, following the submission of exhibits for examination, where this workflow is described. The challenges of case management and prioritisation in laboratories are discussed, with both ‘case acceptance’ and ‘case prioritisation’ procedures explained. Finally, the ‘Hierarchy of Case Priority’ (HiCaP) - a transparent, risk-based approach for the prioritisation of cases for examination, is proposed and described using examples.     

USB Storage Device Forensics for Windows 10

Significantly increased use of USB devices due to their user‐friendliness and large storage capacities poses various threats for many users/companies in terms of data theft that becomes easier due to their efficient mobility. Investigations for such data theft activities would require gathering critical digital information capable of recovering digital forensics artifacts like date, time, and device information. This research gathers three sets of registry and logs data: first, before insertion; second, during insertion; and the third, after removal of a USB device. These sets are analyzed to gather evidentiary information from Registry and Windows Event log that helps in tracking a USB device. This research furthers the prior research on earlier versions of Microsoft Windows and compares it with latest Windows 10 system. Comparison of Windows 8 and Windows 10 does not show much difference except for new subkey under USB Key in registry. However, comparison of Windows 7 with latest version indicates significant variances.     

A social graph based text mining framework for chat log investigation

This paper presents a unified social graph based text mining framework to identify digital evidences from chat logs data. It considers both users' conversation and interaction data in group-chats to discover overlapping users' interests and their social ties. The proposed framework applies n-gram technique in association with a self-customized hyperlink-induced topic search (HITS) algorithm to identify key-terms representing users' interests, key-users, and key-sessions. We propose a social graph generation technique to model users' interactions, where ties (edges) between a pair of users (nodes) are established only if they participate in at least one common group-chat session, and weights are assigned to the ties based on the degree of overlap in users' interests and interactions. Finally, we present three possible cyber-crime investigation scenarios and a user-group identification method for each of them. We present our experimental results on a data set comprising 1100 chat logs of 11,143 chat sessions continued over a period of 29 months from January 2010 to May 2012. Experimental results suggest that the proposed framework is able to identify key-terms, key-users, key-sessions, and user-groups from chat logs data, all of which are crucial for cyber-crime investigation. Though the chat logs are recovered from a single computer, it is very likely that the logs are collected from multiple computers in real scenario. In this case, logs collected from multiple computers can be combined together to generate more enriched social graph. However, our experiments show that the objectives can be achieved even with logs recovered from a single computer by using group-chats data to draw relationships between every pair of users.     

Data attack of the cybercriminal: Investigating the digital currency of cybercrime

It is increasingly argued that the primary motive of the cybercriminal and the major reason for the continued growth in cyber attacks is financial gain. In addition to the direct financial impact of cybercrime, it can also be argued that the digital data and the information it represents that can be communicated through the Internet, can have additional intrinsic value to the cybercriminal. In response to the perceived value and subsequent demand for illicit data, a sophisticated and self-sufficient underground digital economy has emerged. The aim of this paper is to extend the author’s earlier research that first introduced the concept of the Cybercrime Execution Stack by examining in detail the underlying data objectives of the cybercriminal. Both technical and non-technical law enforcement investigators need the ability to contextualise and structure the illicit activities of the cybercriminal, in order to communicate this understanding amongst the wider law enforcement community. By identifying the potential value of electronic data to the cybercriminal, and discussing this data in the context of data collection, data supply and distribution, and data use, demonstrates the relevance and advantages of utilising an objective data perspective when investigating cybercrime.     

The COLLECTORS ranking scale for ‘at‐scene’ digital device triage

As digital evidence now features prominently in many criminal investigations, such large volumes of requests for the forensic examination of devices has led to well publicized backlogs and delays. In an effort to cope, triage policies are frequently implemented in order to reduce the number of digital devices which are seized unnecessarily. Often first responders are tasked with performing triage at scene in order to decide whether any identified devices should be seized and submitted for forensic examination. In some cases, this is done with the assistance of software which allows device content to be “previewed”; however, in some cases, a first responder will triage devices using their judgment and experience alone, absent of knowledge of the devices content, referred to as “decision‐based device triage” (DBDT). This work provides a discussion of the challenges first responders face when carrying out DBDT at scene. In response, the COLLECTORS ranking scale is proposed to help first responders carry out DBDT and to formalize this process in an effort to support quality control of this practice. The COLLECTORS ranking scale consists of 10 categories which first responders should rank a given device against. Each devices cumulative score should be queried against the defined “seizure thresholds” which offer support to first responders in assessing when to seize a device. To offer clarify, an example use‐case involving the COLLECTORS ranking scale is included, highlighting its application when faced with multiple digital devices at scene.     

A comprehensive micro unmanned aerial vehicle (UAV/Drone) forensic framework

In the early 1990s, unmanned aerial vehicles (UAV) were used exclusively in military applications by various developed countries. Now with its ease of availability and affordability in the electronic device market, this aerial vehicular technology has augmented its familiarity in public and has expanded its usage to countries all over the world. However, expanded use of UAVs, colloquially known as drones, is raising understandable security concerns. With the increasing possibility of drones' misuse and their abilities to get close to critical targets, drones are prone to potentially committing crimes and, therefore, investigation of such activities is a much-needed facet. This motivated us to devise a comprehensive drone forensic framework that includes hardware/physical and digital forensics, proficient enough for the post-flight investigation of drone's activity. For hardware/physical forensics, we propose a model for investigating drone components at the crime scene. Additionally, we propose a robust digital drone forensic application with a primary focus on analyzing the essential log parameters of drones through a graphical user interface (GUI) developed using JavaFX 8.0. This application interface would allow users to extract and examine onboard flight information. It also includes a file converter created for easy and effective 3D flight trajectory visualization. We used two popular drones for conducting this research; namely, DJI Phantom 4 and Yuneec Typhoon H. The interface also provides a visual representation of the sensor recordings from which pieces of evidence could be acquired. Our research is intended to offer the forensic science community a powerful approach for investigating drone-related crimes effectively.     

Factors affecting likelihood of hiring private investigators (PI): Citizens' traits and attitudes toward police and PI

The aim of this study is to identify factors affecting citizens' likelihood of hiring private investigators (PI) for resolving their criminal and/or civil matters. Limited research has been conducted to investigate factors relevant to private investigators, but none of prior studies have studied citizens' characteristics and attitudes toward police and PI in this regard. To fill the void of the literature, this study utilized data collected from 225 Korean citizens. Factors examined include citizens' demographics, desire for personalized justice, attitudes toward PI's investigation, fear of crime, and attitudes toward public police. Findings indicate that citizens' desire for personalized justice was the most significant factor affecting likelihood of hiring PI for different types of cases. Results of the finding also showed that citizen's satisfaction with police work was negatively related with likelihood of hiring PIs for their criminal and/or civil cases. Based on results, policy implications for law enforcement were discussed.     

Introduction to Social Network Analysis (SNA) as an investigative tool

Social behavior is brought about mainly through social ties and connections. Our contacts with other people shape our view of the world, reinforce our identity, and the interactions provide us with all kinds of opportunities and resources to get things done. The social capital associated with networks is also one of the primary ways facilitating crime. Therefore, the systematic analysis of criminal networks is considered a viable means to gain a more thorough understanding of criminal behavior. This paper is a general introduction to social network analysis (SNA) as an analytical tool for the study of adversary networks. The paper reviews some theoretical and key concepts, highlights functional applications, and presents a tentative protocol for data handling and coding. The discussion deals with some methodological issues, challenges and future developments in the field.

Development of the Observation Scale for Aggressive Behavior (OSAB) for Dutch forensic psychiatric inpatients with an antisocial personality disorder

The Observation Scale for Aggressive Behavior (OSAB) has been developed to evaluate inpatient treatment programs designed to reduce aggressive behavior in Dutch forensic psychiatric patients with an antisocial personality disorder, who are "placed at the disposal of the government". The scale should have the sensitivity to measure changes in the possible determinants of aggressive behavior, such as limited control of displayed negative emotions (irritation, anger or rage) and a general deficiency of social skills. In developing the OSAB 40 items were selected from a pool of 82 and distributed among the following a priori scales: Irritation/anger, Anxiety/gloominess, Aggressive behavior, Antecedent (to aggressive behavior), Sanction (for aggressive behavior) and Social behavior. The internal consistency of these subscales was good, the inter-rater reliability was moderate to good, and the test-retest reliability over a two to three week period was moderate to good. The correlation between the subscales Irritation/anger, Anxiety/gloominess, Aggressive behavior, Antecedent, Sanction was substantial and significant, but the anticipated negative correlation between these subscales and the Social behavior subscale could not be shown. Relationships between the corresponding subscales of the OSAB and the FIOS, used to calculate concurrent validity, yielded relatively high correlations. The validity of the various OSAB subscales could be further supported by significant correlations with the PCL-R and by significant but weak correlations with corresponding subscales of the self-report questionnaires. The Observation Scale for Aggressive Behavior (OSAB) seems to measure aggressive behavior in Dutch forensic psychiatric inpatients with an antisocial personality disorder reliably and validly. Contrary to expectations, a negative relationship was not found between aggressive and social behavior in either the OSAB or FIOS, which were used for calculating concurrent validity.     

A DNA-based approach for the forensic identification of Asiatic black bear (Ursus thibetanus) in a traditional Asian medicine

Attempts to prevent illegal trade in bile and gallbladders from Asiatic black bears, Ursus thibetanus, are hampered by difficulties associated with identifying such items. We extracted DNA from bile crystals of unknown species origin and generated partial cytochrome b (cyt b) sequences using either universal primers (positioned in conserved regions of cyt b), or primers designed on existing U. thibetanus sequences (UT). Species origin was determined by aligning resolved sequences to reference sequence data. The universal primers were unsuitable for U. thibetanus identification when multiple species templates were present in the samples. The UT primers amplified U. thibetanus DNA from all sample extracts, including those containing mixed species templates. The amplified fragment can distinguish U. thibetanus from the most closely related species, U. americanus, a distinct advantage of DNA sequencing over the methods currently used to analyze suspected U. thibetanus bile.     

Population data for six X-chromosome STR loci in a Rio de Janeiro (Brazil) sample: Usefulness in forensic casework

This study presents data for the X-chromosome STR loci DXS7133, DXS7424, DXS8378, DXS6807, DXS7423 and DXS8377. In order to establish a database, unrelated individuals (males and females) from Rio de Janeiro were typed for the above loci. No significant differences were observed between allele frequencies in male and female samples (non-differentiation exact P values ≥ 0.156). Hardy-Weinberg equilibrium was tested in the female sample and no significant deviations were found. All six markers have shown to be highly polymorphic in our sample with gene diversities varying between 0.6797 for DXS7133, and 0.9260 for DXS8377. Pairwise linkage disequilibrium analysis did not allow discharging a possible association between DXS7133 and DXS7424 alleles in Rio de Janeiro population. Parameters of forensic interest, like PD_M, PD_F, Het_obs, Het_exp, were calculated for each locus. The high discrimination power estimated in both males and females, as well as mean exclusion chance in father/daughter duos and in father/mother/daughter trios, demonstrates the usefulness of these six markers in forensic investigation.     

Single-item predictive validity of the Short-Term Assessment of Risk and Treatability (START) for violent behaviour in outpatient forensic psychiatry

The single-item predictive validity of the Short-Term Assessment of Risk and Treatability (START) has not been thoroughly investigated, although this has great clinical relevance for the selection of treatment targets. Furthermore, it remains unclear whether the characteristic START additions of scoring strengths next to vulnerabilities and selecting key items, add incremental predictive validity. Finally, predictive validity has primarily been studied in inpatient settings and included mainly patients with a psychotic disorder. We analysed data from a mixed diagnostic sample of 195 forensic psychiatric outpatients with a 3-month and 170 patients with a 6-month follow-up period, using logistic regression analysis. The occurrence of violent or criminal behaviour was established based on the case manager’s recordings in the patient’s file. Only 5 of the 20 START items were found to have predictive validity: Impulse Control, Attitudes, Material Resources, Rule Adherence and Conduct. The last three were the only items for which incremental predictive validity was found with respect to scoring it as a strength and a vulnerability. Selection of key items did not add to the predictive validity. While possibly having therapeutic significance, the scoring of strength next to vulnerability and the selection of key items, may not be beneficial for risk assessment.     

Data for Y-chromosome haplotypes in Fang and Bubi populations from Bioko (Equatorial Guinea)

Haplotype frequencies for 16 Y-chromosomal short tandem repeat (DYS456, DYS389I, DYS390, DYS389II, DYS458, DYS19, DYS385a/b, DYS393, DYS391, DYS439, DYS635, DYS392, Y GATA H4, DYS437, DYS438 and DYS448) loci, included in the AmpFLSTR Yfiler PCR Amplification Kit, were analysed in 110 Fang and 133 Bubi individuals from Bioko Island, Equatorial Guinea. The diversity was higher in Fang population, probably since they were originally from the mainland, with which they maintain tribal village and family links, and to which they travel frequently. Comparisons were made with previously published haplotype data on European and African populations, and significant differences were found between them.     

Direct comparison of post-28-cycle PCR purification and modified capillary electrophoresis methods with the 34-cycle “low copy number” (LCN) method for analysis of trace forensic DNA samples

The investigation of samples with low amounts of template DNA remains at the forefront of forensic DNA research and technology as it becomes increasingly important to gain DNA profile information from exceedingly trace levels of DNA. Previous studies have demonstrated that it is possible to obtain short tandem repeat (STR) profiles from <100 pg of template DNA by increasing the number of amplification cycles from 28 to 34, a modification often referred to as “low copy number” or LCN analysis. In this study, we have optimised post-PCR purification techniques applied after only 28 cycles of PCR, as well as using modified capillary electrophoresis injection conditions and have investigated the progressive application of these enhanced approaches. This paper reviews the characteristics of the profiles obtained by these methods compared with those obtained on the same samples after 34-cycle PCR. We observed comparable sensitivity to 34-cycle PCR in terms of the number of profiles with evidence of DNA and the number of allelic peaks per profile and we noted improved peak height and area magnitude with some sample types. Certain parameters reported to be adversely affected in 34-cycle LCN investigations, such as non-donor allele peaks and increased stutter peak ratio, were reduced by this approach. There are a number of advantages for trace samples in progressing from the standard 28-cycle process to the post-PCR processing method as compared to 34-cycle PCR method, including reduced sample consumption, reduced number of PCR amplifications required, and a staged approach to sample processing and profile interpretation.