Similar literature
20 similar documents found.
1.
The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscalable and alternate methods to reduce the time trained analysts spend on each job are necessary. This work leverages standardised knowledge representation techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work. A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator. Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.

2.
《Digital Investigation》2014,11(4):273-294
A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.

3.
This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics is emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.

4.
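Blind evaluation of digital analysis for the identification of human bite marks   Total citations: 4, self-citations: 0, citations by others: 4
Objective: To evaluate the accuracy of the digital analysis method for the identification of human bite marks. Methods: A double-blind analysis experiment was carried out on human bite marks and the dental casts of 8 "suspects" using the digital analysis method. Overlays were generated from the scanned bite mark images with Photoshop 5.5, the parameters were analysed with the AutoCAD R14 engineering measurement software, and the match between the parameters of the human bite marks and those of the "suspects'" dentitions was compared. Results: The results of the digital analysis of each parameter for the human bite marks and the "suspects'" dental casts were consistent. Conclusion: For experimental bite marks, digital analysis is a feasible identification method; it is feasible for forensic practice and has good application prospects.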

5.
《Digital Investigation》2014,11(2):102-110
Anti-forensics has developed to prevent digital forensic investigations, thus forensic investigations to prevent anti-forensic behaviors have been studied in various areas. In the area of user activity analysis, “IconCache.db” files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations such as the traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst. Therefore, an analyst can more easily analyze the IconCache.db file using the tool.

6.
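Objective: To systematically screen identification indicators for forensic personal identification from maxillofacial imaging, and to establish a coding scheme for full-mouth dental pattern identification indicators. Methods: Digital panoramic radiographs of 620 randomly selected individuals with a history of dental treatment and 150 individuals with dental lesions but no treatment history were examined. Full-mouth dental pattern identification indicators were selected according to the physiological variations, pathological changes and treatment features of the teeth, and each full-mouth dental pattern was coded according to the designed coding standards and principles. Finally, the diversity of full-mouth dental patterns in the two groups was calculated to assess their value. Results: Among the 620 individuals with a history of dental treatment there were 619 distinct full-mouth dental pattern codes, a diversity of 99.84%; among the 150 individuals with dental lesions but no treatment history there were 146 distinct full-mouth dental pattern codes, a diversity of 97.33%. Conclusion: The selected full-mouth dental pattern identification indicators have practical value for the forensic identification of individuals with dental abnormalities.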

7.
The value of environmental evidence for reconstructing journey histories has significant potential given the high transferability of sediments and the interaction of footwear with the ground. The importance of empirical evidence bases to underpin the collection, analysis, interpretation and presentation of forensic trace materials is increasingly acknowledged. This paper presents two experimental studies designed to address the transfer and persistence of sediments on the soles of footwear in forensically relevant scenarios, by means of quartz grain surface texture analysis, a technique which has been demonstrated to be able to distinguish between samples of mixed provenance. It was identified that there is a consistent trend of transfer and persistence of sediments from hypothetical pre-, syn- and post-crime event locations across the sole of the shoe, with sediments from ‘older’ locations likely to be retained in small proportions. Furthermore, the arch of the shoe (the area of lowest foot pressure distribution) typically (but not exclusively) retained the highest proportion of grain types from previous locations including the crime scene. A lack of chronological layering of the retained sediments was observed indicating that techniques that can identify the components of mixed provenance samples are important for analysing footwear sediment samples. It was also identified that the type of footwear appeared to have an influence on what particles were retained, with high relief soles that incorporate recessed areas being more likely to retain sediments transferred from ‘older’ locations from the journey history. In addition, the inners of footwear were found to retain sediments from multiple locations from the journey history that are less susceptible to differential loss in comparison to the outer sole.
These findings provide important data that can form the basis for the effective collection, analysis and interpretation of sediments recovered from both the outer soles and inners of footwear, building on the findings of previously published studies. These data offer insights that enable inferences to be made about mixed source sediments that are identified on footwear in casework, and provide the beginnings of an empirical basis for assessing the significance of such sediment particles for a specific forensic reconstruction.

8.
In a bloodletting incident, the area of origin (AO) of an impact bloodstain pattern is crucial when establishing the sequence of events. The use of laser scanners and other three-dimensional (3D) technologies to document and analyse bloodstains have been the subject of previous papers, especially where AO analysis is concerned. FARO Zone 3D (FZ3D) is a relatively new software programme that can be used for bloodstain AO analysis. FZ3D requires a greater understanding of inter-observer errors associated with AO. This study looked at the inter-observer variation between 21 examiners when repeatedly calculating the AO six times for a single impact pattern on a plain white wall. An impact rig which consisted of a spring tension arm was positioned and fixed 45 cm from the X wall (right wall), and 45 cm from the Y wall (left wall). This experimental design resembles an impact blow for a bloodletting event. The AO was unknown to all examiners, making it a blind study. The collected results were documented in a Microsoft Excel datasheet and later analysed. From previous literature, a 30 cm acceptable allowance was utilised for AO analysis; however, there is currently no accepted standard error for this type of analysis. The overall total 3D mean error for all examiners was 5.62 cm. The maximum error for any one impact analysis was 24.27 cm. The variation of the data, which was collected by all examiners, was documented as X = 1.14 cm, Y = 1.24 cm, Z = 1.68 cm, and the total 3D error = 2.28 cm. The total 3D error for any one examiner and the variance between examiners did not exceed the 30 cm acceptable allowance utilised in previous literature.

9.
In 2012, the United Kingdom actively sought to tackle acts of stalking through amendments to the Protection from Harassment Act 1997. Now, not only is stalking a recognised criminal offence, acts associated with stalking behaviour have finally been properly defined in legislation. Further, the role of technology in digital stalking offences, frequently termed as acts of cyberstalking, has been duly highlighted. The prosecution of such cyberstalking offences is reliant on the forensic analysis of devices capable of communication with a victim, in order to identify the offender and evidence the offending content for presentation to a court of law. However, with the recent proliferation of anonymous communication services, it is becoming increasingly difficult for digital forensic specialists to analyse and detect the origin of stalking messages, particularly those involving mobile devices. This article identifies the legal factors involved, along with a scenario-based investigation of sample anonymous and spoof SMS (Short Message Service) messages, documenting the evidence that remains on a victim's handset for the purpose of locating an offender, which often may be minimal or non-existent.

10.
Following the enactment of the Police and Crime Act 2017, subsequent amendments to the Police and Criminal Evidence Act 1984 have seen a ‘cap’ placed on the length of time a suspect can be released on bail; a process commonly referred to as ‘police bail’ or ‘pre-charge bail’. Whilst designed to instil consistency and certainty into bail processes to prevent individuals being subject to lengthy periods of regulation and uncertainty, it places additional pressures on forensic services. With a focus on digital forensics, examination of digital media is a complex and time-consuming process, with existing backlogs well documented. The need for timely completion of investigations to adhere to pre-charge bail rules places additional stress on an already stretched service. This comment submission provides an initial analysis of new pre-charge bail regulations, assessing their impact on digital forensic services.

11.
We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.

12.
Traditional, persistent data-oriented approaches in computer forensics face some limitations regarding a number of technological developments, e.g., rapidly increasing storage capabilities of hard drives, memory-resident malicious software applications, or the growing use of encryption routines, that make an in-time investigation more and more difficult. In order to cope with these issues, security professionals have started to examine alternative data sources and emphasize the value of volatile system information in RAM more recently. In this paper, we give an overview of the prevailing techniques and methods to collect and analyze a computer's memory. We describe the characteristics, benefits, and drawbacks of the individual solutions and outline opportunities for future research in this evolving field of IT security.

13.
Traditionally, DNA extracts from biological evidence items have been concentrated and rinsed using microdialysis filtration units, including the Centricon® and Microcon® centrifugal filter devices. As an alternative to microdialysis filtration, we present an optimized method for using NucleoSpin® XS silica columns to concentrate and clean-up aqueous extracts from the organic extraction of DNA from biological samples. The method can be used with standard organic extraction and dithiothreitol (DTT)-based differential extraction methods with no modifications to these methods prior to the concentration and clean-up step. Extracts from laboratory-prepared bloodstains, saliva and semen stains have been successfully amplified with both qPCR and STR assays. Finally, the total time to process a set of samples with the NucleoSpin® XS column is approximately 30 min vs. approximately 1.5 h with the Centricon® YM-100 filter device.

14.
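Nitrogen-phosphorus detection of morphine in urine: a gas chromatographic method   Total citations: 2, self-citations: 0, citations by others: 2
Objective: To establish a simple, rapid, sensitive and reliable GC/NPD method for the analysis of morphine in urine. Methods: The internal standard nalorphine was added to the urine sample, followed by enzyme- or acid-catalysed hydrolysis, liquid-liquid extraction with chloroform-isopropanol (9:1) or solid-phase extraction with GDX403 resin, derivatisation with BSA, and analysis on an HP-5 column with a nitrogen-phosphorus detector. Results: The extraction rate was 62%~85%, the limit of detection was 1.2~3.1 ng/ml, the linear range was 20~2000 ng/ml, and the recovery was (97%~99%)±(6%~9%) (Mean±cv, N=5). Conclusion: The method is suitable for the examination of urine samples in actual cases.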

15.
《Science & justice》2021,61(6):743-754
Facial comparison is an important yet understudied discipline in forensics. The recommended method for facial comparison in a forensic setting involves morphological analysis (MA) with the use of a facial feature list. The performance of this approach has not been tested across various closed-circuit television (CCTV) conditions. This is of particular concern as video and image data available to law enforcement is often varied and of subpar conditions. The present study aimed at testing MA across two types of CCTV data, representing ideal and less than ideal settings, also assessing which particular shortcomings arose from less-than-ideal settings. The study was conducted on a subset of the Wits Face Database arranged in a total of 225 face pools. Each face pool consisted of a target image obtained from either a high-definition digital CCTV camera or a low-definition analogue CCTV camera in monochrome, contrasted to 10 possible matches. The face pools were analysed and scored using MA and confusion matrices were used to analyse the outcomes. A notably high chance corrected accuracy (CCA) (97.3%) and reliability (0.969) was identified across the digital CCTV sample, while in the analogue CCTV sample MA appeared to underperform both in accuracy (CCA: 33.1%) and reliability (0.529). The majority of the errors in scoring resulted in false negatives in the analogue sample (75.2%), while across both CCTV conditions false positives were low (digital: 0.3%; analogue: 1.2%). Even though hit rates appeared deceptively high in the analogue sample, the various measures of performance used and particularly the chance corrected accuracy highlighted its shortfalls. Overall, CCTV recording quality appears closely associated to MA performance, despite the favourable error rates when using the Facial Identification Scientific Working Group feature list.

16.
Non-invasive documentation methods such as surface scanning and radiological imaging are gaining in importance in the forensic field. These three-dimensional technologies provide digital 3D data, which are processed and handled in the computer. However, the sense of touch gets lost using the virtual approach. The haptic device enables the use of the sense of touch to handle and feel digital 3D data. The multifunctional application of a haptic device for forensic approaches is evaluated and illustrated in three different cases: the representation of bone fractures of the lower extremities, by traffic accidents, in a non-invasive manner; the comparison of bone injuries with the presumed injury-inflicting instrument; and in a gunshot case, the identification of the gun by the muzzle imprint, and the reconstruction of the holding position of the gun. The 3D models of the bones are generated from the Computed Tomography (CT) images. The 3D models of the exterior injuries, the injury-inflicting tools and the bone injuries, where a higher resolution is necessary, are created by the optical surface scan. The haptic device is used in combination with the software FreeForm Modelling Plus™ for touching the surface of the 3D models to feel the minute injuries and the surface of tools, to reposition displaced bone parts and to compare an injury-causing instrument with an injury. The repositioning of 3D models in a reconstruction is easier, faster and more precisely executed by means of using the sense of touch and with the user-friendly movement in the 3D space. For representation purposes, the fracture lines of bones are coloured. This work demonstrates that the haptic device is a suitable and efficient application in forensic science. The haptic device offers a new way in the handling of digital data in the virtual 3D space.

17.
Allele frequency data for the 15 STR systems and Amelogenin were determined in a population sample of healthy Amerindian Kichwas and Black individuals. All loci met Hardy–Weinberg expectations and the high discrimination power of the combined system showed the forensic efficiency of these genetic markers.

18.
The examination of traffic accidents is daily routine in forensic medicine. An important question in the analysis of the victims of traffic accidents, for example in collisions between motor vehicles and pedestrians or cyclists, is the situation of the impact. Apart from forensic medical examinations (external examination and autopsy), three-dimensional technologies and methods are gaining importance in forensic investigations. Besides the post-mortem multi-slice computed tomography (MSCT) and magnetic resonance imaging (MRI) for the documentation and analysis of internal findings, highly precise 3D surface scanning is employed for the documentation of the external body findings and of injury-inflicting instruments. The correlation of injuries of the body to the injury-inflicting object and the accident mechanism are of great importance. The applied methods include documentation of the external and internal body and the involved vehicles and inflicting tools as well as the analysis of the acquired data. The body surface and the accident vehicles with their damages were digitized by 3D surface scanning. For the internal findings of the body, post-mortem MSCT and MRI were used. The analysis included the processing of the obtained data to 3D models, determination of the driving direction of the vehicle, correlation of injuries to the vehicle damages, geometric determination of the impact situation and evaluation of further findings of the accident. In the following article, the benefits of the 3D documentation and computer-assisted, drawn-to-scale 3D comparisons of the relevant injuries with the damages to the vehicle in the analysis of the course of accidents, especially with regard to the impact situation, are shown on two examined cases.

19.
20.
《Science & justice》2022,62(2):129-136
Empirical studies evaluating the conditions under which the transfer of forensic materials occurs can provide contextual information and offer insight into how that material may have been transferred in a given scenario. Here, a reductionist approach was taken to assess the impact of force, time, and rotation on the transfer of an explosive compound. An Instron ElectroPuls E3000 material testing instrument was used to bring porous and non-porous surfaces adulterated with an ammonium nitrate into direct contact with a human skin analogue, controlling for the force of contact, duration of contact, and rotation applied during contact. Quantifiable amounts of ammonium nitrate were recovered from all of the recipient surfaces demonstrating that ammonium nitrate is readily transferred from one surface to another, even when contact occurs for a short duration with a relatively low force. More particulates were transferred from non-porous surfaces onto the human skin analogue, but the amount of ammonium nitrate transferred did not depend upon the force of contact, duration of contact, or the amount of rotation applied. However, when contact occurred and involved rotation, a greater transfer of ammonium nitrate was observed, compared to those contacts occurring without rotation being applied. This approach complements more commonly-used holistic experiments that test multiple interacting variables in a realistic setting by isolating these variables, allowing them to be examined individually. This can be utilised to better understand the individual impact that specific variables have on the transfer of trace evidence in relevant crime reconstruction contexts.
