A case study on anonymised sharing platforms and digital traces left by their usage

Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.     

Who are the most highly cited forensic scientists in the United States?

The most highly cited forensic practitioners in the United States were identified using a publicly available citation database that used six different citation metrics to calculate each person's composite citation score. The publication and citation data were gleaned from Elsevier's SCOPUS database, which contained information about ~7 million scientist each of whom had at least five entries in the database. Each individual was categorized into 22 scientific fields and 176 subfields, one of which was legal and forensic medicine (LFM). The database contained citation records for 13,388 individuals having LFM as their primary research discipline and 282 of these (2%) were classified as being highly cited. Another 99 individuals in the database had LFM as their secondary discipline, making a total of 381 highly cited forensic practitioners from 35 different countries. The career-long publication records of each individual were compared using their composite citation scores. Of the 381 highly cited scientists, 93 (24%) had an address somewhere in the United States. The various branches of forensics they specialized in were anthropology, criminalistics, DNA/genetics, odontology, pathology, statistics/epidemiology, and toxicology. The two most highly cited scientists, according to their composite citation score, were both specialists in DNA/genetics. Bibliometric methods are widely used for evaluating research performance in academia and a similar approach might be useful in jurisprudence, such as when an expert witness is instructed to testify in court and explain the meaning of scientific evidence.     

Popular post-separation parenting smartphone apps: An evaluation

In recent years a bewildering array of smartphone applications (“apps”) has emerged to support separated parents' communication. Post-separation parenting apps vary in cost and features; they typically comprise a messaging tool, shared calendar, expense tracker and a means to export records for legal purposes. A key challenge for separated parents and family law practitioners alike is knowing which apps or app feature(s) can work well for different family contexts, needs and budgets. The present study sought to evaluate nine popular post-separation parenting apps and their features using small-n Human–Computer Interaction methods. Mediators role-played high conflict ex-couples while completing a set of five common post-separation communication or organizational tasks. A cross-case analysis of ratings was conducted. We found that (a) many of the mediators changed their apparent enthusiasm for co-parenting apps once they had used the apps themselves; (b) all nine apps were rated somewhere between “Poor” to Fair’; and (c) features of some of the best-known apps were not rated as highly as some of the features of more recent, lesser-known apps.     

论映射与反演模式下的现代侦查

计算机取证实质是一个反演的过程,而映射的内容充当了这一反演过程的前提。映射与反演的模式系统不仅能很好地诠释计算机取证技术的运行机理,而且可以从该模式中获得新思维以更新侦查理论,这也是实现技术与侦查结合的必要途径之一。映射与反演模式下的现代侦查,不但能够从容地应对各种不同的侦查情况,而且能在保证刑事诉讼正当程序运行的前提下,最大限度地发挥侦查活动的惩治犯罪和保障人权的效能。     

Windows 7 Antiforensics: A Review and a Novel Approach

In this paper, we review literature on antiforensics published between 2010 and 2016 and reveal the surprising lack of up‐to‐date research on this topic. This research aims to contribute to this knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach which allows for removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and that a Trojan Horse infection may be a legitimate possibility, even if there is no evidence of an infection on a seized computer's hard drive. Up‐to‐date information regarding how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.     

Microbiota Composition and Pulmonary Surfactant Protein Expression as Markers of Death by Drowning

Pathological diagnosis of drowning remains a challenge for forensic science, because of a lack of pathognomonic findings. We analyzed microbiota and surfactant protein in the lungs for a novel diagnosis of drowning. All rats were divided into drowning, postmortem submersion, and control groups. The water, lungs, closed organs (kidney and liver), and cardiac blood in rats were assayed by targeting 16S ribosomal RNA of Miseq sequencing. Lung samples were analyzed by immunohistochemical staining for surfactant protein A. The closed organs and cardiac blood of drowned group have a lot of aquatic microbes, which have not been detected in postmortem submersion group. Furthermore, intra‐alveolar granular staining of surfactant protein A (SP‐A) was severely observed in the drowned group than the postmortem submersion and control groups. The findings suggested that the presence of aquatic microbiota in the closed organs and increased expression of SP‐A could be markers for a diagnosis of drowning.     

Leveraging virtual machine introspection with memory forensics to detect and characterize unknown malware using machine learning techniques at hypervisor

The Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it functions by the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by the VMI are available in a combination of benign and malicious states at the hypervisor. In order to distinguish between these two states, the existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system by leveraging VMI, Memory Forensics Analysis (MFA), and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of the processes details. We implemented an Intelligent Cross View Analyzer (ICVA) and implanted it into our proposed A-IntExt system, which examines the data supplied by the VMI to detect hidden, dead, and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and ascertain the malicious executables. The practicality of the A-IntExt system is evaluated by executing large real-world malware and benign executables onto the live guest OSs. The evaluation results achieved 99.55% accuracy and 0.004 False Positive Rate (FPR) on the 10-fold cross-validation to detect unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmarked malware datasets and the A-IntExt system outperforms the detection of real-world malware at the VMM with performance exceeding 6.3%.     

Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls,specifically for the Editbox control

The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic ‘window’ class. The difference in the extension results in one control over another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a Window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed leading to identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control can be recovered – an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.     

Windows系统存储区DPAPI的解密技术研究

目的 在电子数据取证过程中,数据的加解密经常是取证人员关注的重点.数据保护接口(DPAPI)作为Windows系统提供的数据保护接口被广泛使用,目前主要用于保护加密的数据.其特性主要表现在加密和解密必须在同一台计算机上操作,密钥的生成、使用和管理由Windows系统内部完成,如果更换计算机则无法解开DPAPI加密数据....     

基于数据挖掘的计算机动态取证技术

随着网络犯罪的日益猖獗,计算机取证正逐步成为人们研究与关注的焦点。为了能从海量的可疑数据中发现证据,数据挖掘技术的参与必不可少。文章在将数据挖掘技术应用于计算机动态取证的海量数据分析中,给出了基于数据挖掘的计算机动态取证系统模型,提高动态取证中数据分析的速度、分析的准确性和分析的智能性,解决动态取证中的实时性、有效性、可适应性和可扩展性问题。