SHANG Shi-ze,KONG Xiang-wei,YOU Xin-gang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.011

2015-01-01

Abstract:The examination of forged and altered document is an important part in judicial expertise. The traditional examination methods need professional testers and devices, the disadvantages include high cost, long testing time, damage on the documents, etc. In recent years, the digital passive lossless forensics on forged and altered document has been developed which only uses scanner and computer. In this paper, we first introduce the life-cycle of document and its forging and altering methods. Then, we summarize the passive lossless forensics on forged and altered document, and describe the technologies on device identiifcation, copy paper identiifcation and authenticity detection, respectively. We give a detailed description on the characteristics introduced by devices and altering methods, and their forensics methods. Finally, we describe the questions and challenges on digital passive lossless forensics on documents.

Yushi Cheng,Xiaoyu Ji,Lixu Wang,Qi Pang,Yi-Chao Chen,Wenyuan Xu

2021-01-01

Abstract:Cyber-theft of trade secrets has become a serious business threat. Digital watermarking is a popular technique to assist in identifying the source of the file leakage, whereby a unique watermark for each insider is hidden in sensitive files. However, malicious insiders may use their smartphones to photograph the secret file displayed on screens to remove the embedded hidden digital watermarks due to the optical noises introduced during photographing. To identify the leakage source despite such screen-photo-based leakage attacks, we leverage Moire pattern, an optical phenomenon resulted from the optical interaction between electronic screens and cameras. As such, we present mID, a new watermark-like technique that can create a carefully crafted Moire pattern on the photo when it is taken towards the screen. We design patterns that appear to be natural yet can be linked to the identity of the leaker. We implemented mID and evaluate it with 5 display devices and 6 smartphones from various manufacturers and models. The results demonstrate that mID can achieve an average bit error rate (BER) of 0:6% and can successfully identify an ID with an average accuracy of 96%, with little influence from the type of display devices, cameras, IDs, and ambient lights.

Claudinei Morin da Silveira,Rafael T. de Sousa,Robson de Oliveira Albuquerque,Georges D. Amvame Nze,Gildásio Antonio de Oliveira Júnior,Ana Lucila Sandoval Orozco,Luis Javier García Villalba,Rafael T. de Sousa Jr

DOI: https://doi.org/10.3390/app10124231

2020-06-20

Applied Sciences

Abstract:This paper proposes a new forensic analysis methodology that combines processes, techniques, and tools for physical and logical data acquisition from mobile devices. The proposed methodology allows an overview of the use of the In-System Programming (ISP) technique with the usage of Combination Firmware, aligned with specific collection and analysis processes. The carried out experiments show that the proposed methodology is convenient and practical and provides new possibilities for data acquisition on devices that run the Android Operating System with advanced protection mechanisms. The methodology is also feasible in devices compatible with the usage of Joint Test Action Group (JTAG) techniques and which use Embedded Multimedia Card (eMMC) or Embedded Multi-Chip Package (eMCP) as main memory. The techniques included in the methodology are effective on encrypted devices, in which the JTAG and Chip-Off techniques prove to be ineffective, especially on those that have an unauthorized access protection mechanism enabled, such as lock screen password, blocked bootloader, and Factory Reset Protection (FRP) active. Studies also demonstrate that data preservation and integrity are maintained, which is critical to a digital forensic process.

Wenyuan Xu,Yushi Cheng,Xiaoyu Ji,Yi-Chao Chen

DOI: https://doi.org/10.1109/tdsc.2023.3299983

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cyber-theft of trade secrets has become a serious business threat. Digital watermarking is a popular technique to help identify the source of the file leakage, whereby a unique watermark for each insider is hidden in sensitive files. However, malicious insiders may use smartphones to photograph the secret file displayed on screens to remove the embedded hidden digital watermarks due to the optical noises introduced during photographing. To identify the leakage source despite such screen-photo-based leakage attacks , we leverage Moiré pattern, an optical phenomenon resulted from the optical interaction between electronic screens and cameras. As such, we present mID , a new watermark-like technique that can create a carefully crafted Moiré pattern on the photo when it is taken towards the screen. We design patterns that appear to be natural yet can be linked to the identity of the leaker. We implemented mID and evaluated it with 7 display devices and 6 smartphones from various manufacturers and models. The results demonstrate that mID can achieve an average bit error rate (BER) of $0.2\%$ and can successfully identify an ID with an average accuracy of $98\%$ , with little influence from the type of display devices, cameras, IDs, and ambient lights.

Min-Hao Wu,Ting-Cheng Chang,Yi Li-Min

DOI: https://doi.org/10.13052/jwe1540-9589.20310

2021-06-09

Journal of Web Engineering

Abstract:With the rapid development of the Internet era, cell phones play an essential and indispensable role in nowadays life. Smartphones have profoundly influenced our social relationships and our daily lives. Generally speaking, the most common tools we hear about in our daily lives are QQ, WeChat, and other Internet communication services that allow users to send text messages, pictures, and documents, providing a more convenient and faster medium for people to communicate and chat. The popularity and convenience of mobile technology have changed people’s habits of communication. People no longer need to rely on computers to communicate, and computers cannot communicate anytime and anywhere. In the kernel of Linux and Windows, as long as the Message Hooker will install, it can monitor the messages of other programs, including WeChat and QQ, in this research. We can provide relevant law enforcement officers with effective evidence collection so that criminals will not be able to hide. The suspects often delete their WeChat or QQ records after committing the crime. It impossible for our law enforcement agencies to obtain evidence directly from the cell phone and the crime facts. Our research hopes to use some technology to help law enforcement units effectively obtain strong evidence in the iPhone not to hide the crime facts.

computer science, theory & methods, software engineering

Jennifer Bellizzi,Mark Vella,Christian Colombo,Julio Hernandez-Castro

DOI: https://doi.org/10.48550/arXiv.2105.05510

2021-05-12

Cryptography and Security

Abstract:Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas consequential late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if perhaps ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework to process memory forensics on existing stock Android devices, without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.

Rob Witteman,Arjen Meijer,M-T. Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1609.02953

2016-09-09

Cryptography and Security

Abstract:Today, a mobile phone is not just a phone but it is a computer that you can also use for calling someone. Besides, in criminal investigations the importance of evidence from the mobile phone is increasing as more and more phones are seized at the Digital Forensic Department of the police. Indeed, the amount of memory cards of these mobile phones that need to be investigated separately is also increasing. Possible reasons are that the mobile phone investigation software does not support the specific mobile phone or the specific, for that investigation, artefacts. Sometimes the software investigates just the internal memory of the mobile phone and not the data which is written on the memory card. Fact is also that although the mobile phone was investigated by the dedicated software, the possibility that the associated memory card contains additional important information is evident. The current procedure to get all of the usable information from a memory card of a mobile phone is very time-consuming process and not user friendly. In this paper, we present a new single tool to simplify the investigation of a memory card from a mobile phone. We also test our tool with WhatsApp application installed on the memory card from different mobile phones.

Raffaele Cuomo,Davide D'Agostino,Mario Ianulardo

DOI: https://doi.org/10.3390/s22187096

2022-09-19

Abstract:This paper presents several scenarios where digital evidence can be collected from mobile devices, their legal value keeping untouched. The paper describes a robust methodology for mobile forensics developed through on-field experiences directly gained by the authors over the last 10 years and many real court cases. The results show that mobile forensics, digital analysis of smartphone Android or iOS can be obtained in two ways: on the one hand, data extraction must follow the best practice of the repeatability procedure; on the other hand, the extraction of the data must follow the best practice of the non-repeatability procedure. The laboratory study of the two methods for extracting digital data from mobile phones, for use as evidence in court trials, has shown that the same evidence can be obtained even when the procedure of unavailability of file mining activities has been adopted. Indeed, thanks to laboratory tests, the existence of multiple files frequently and continuously subjected to changes generated by the presence of several hashes found at forensic extractions conducted in very short moments of time (sometimes not exceeding 15 min) has been proven. If, on the other hand, the examination of a device is entrusted to a judicial police officer in order to conduct a forensic analysis to acquire data produced and managed by the user (such as images, audio, video, documents, SMS, MMS, chat conversations, address book content, etc.) we have sufficient grounds to believe that such examination can be organized according to the system of repeatable technical assessments.

Nhien-An Le-Khac,Mark Roeloffs,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1704.03524

2017-04-12

Abstract:In the forensic field of digital technology, there has been a great deal of investigation into the decoding of navigation systems of the brand TomTom. As TomTom is the market leader in navigation systems, a large number of these devices are investigated. These devices can hold an abundance of significant location information. Currently, it is possible with the use of multiple methods to make physical copies of mobile devices running Android. The next great forensic problem is all the various programs that can be installed on these devices. There is now an application available from the company TomTom in the Google Play Store. This application mimics a navigation system on your Android mobile device. Indeed, the TomTom application on Android can hold a great deal of information. In this paper, we present a process of forensic acquisition and analysis of the TomTom Android application. We focus on the following questions: Is there a possibility to find previously driven routes or GPS coordinates with timestamps in the memory of the mobile device? To investigate what is stored in these files, driving tests were performed. During these driving tests a copy was made of the most important file using a self-written program. The significant files were found and the data in these files was decoded. We show and analyse our results with Samsung mobile devices. We compare also these results with forensic acquisition from TomTom GPS devices.

Cryptography and Security

Asanka Sayakkara,Nhien-An Le-Khac,Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1904.02089

2019-04-04

Abstract:Internet of Things (IoT) devices have expanded the horizon of digital forensic investigations by providing a rich set of new evidence sources. IoT devices includes health implants, sports wearables, smart burglary alarms, smart thermostats, smart electrical appliances, and many more. Digital evidence from these IoT devices is often extracted from third party sources, e.g., paired smartphone applications or the devices' back-end cloud services. However vital digital evidence can still reside solely on the IoT device itself. The specifics of the IoT device's hardware is a black-box in many cases due to the lack of proven, established techniques to inspect IoT devices. This paper presents a novel methodology to inspect the internal software activities of IoT devices through their electromagnetic radiation emissions during live device investigation. When a running IoT device is identified at a crime scene, forensically important software activities can be revealed through an electromagnetic side-channel analysis (EM-SCA) attack. By using two representative IoT hardware platforms, this work demonstrates that cryptographic algorithms running on high-end IoT devices can be detected with over 82% accuracy, while minor software code differences in low-end IoT devices could be detected over 90% accuracy using a neural network-based classifier. Furthermore, it was experimentally demonstrated that malicious modification of the stock firmware of an IoT device can be detected through machine learning-assisted EM-SCA techniques. These techniques provide a new investigative vector for digital forensic investigators to inspect IoT devices.

Cryptography and Security

Milda Petraityte,Ali Dehghantanha,Gregory Epiphaniou

DOI: https://doi.org/10.48550/arXiv.1706.08048

2017-06-25

Abstract:This paper uses a scenario-based role-play experiment based on the usage of QR codes to detect how mobile users respond to social engineering attacks conducted via mobile devices. The results of this experiment outline a guided mobile phone forensics investigation method which could facilitate the work of digital forensics investigators while analysing the data from mobile devices. The behavioural response of users could be impacted by several aspects, such as impulsivity, smartphone usage and security or simply awareness that QR codes could contain malware. The findings indicate that the impulsivity of users is one of the key areas that determine the common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. It could help the forensics investigators by potentially shortening the time spent on investigation of possible breach scenarios.

Cryptography and Security

Asanka P. Sayakkara,M. Scanlon,Muhammad Rusyaidi Zunaidi

DOI: https://doi.org/10.1109/ISDFS60797.2024.10527284

2024-04-29

Abstract:In an era where digital data security is becoming all-pervasive, and data encryption is baked in by default on many consumer-level and commercial-level devices, the encryption of Internet of Things (IoT) devices presents a significant obstacle for lawful digital forensic investigation. Towards addressing this issue, this paper introduces a novel digital forensic methodology that leverages electromagnetic side-channel analysis (EM-SCA) for the non-invasive recovery of encryption keys from black-box IoT devices, i.e., where little/nothing is known about the device's encryption in advance. By reducing the key space necessary for brute-force decryption and employing machine-learning techniques, the proposed approach enhances the digital forensic process - helping to mitigate investigative roadblocks and case backlogs. This automated, adaptable system not only preserves the integrity of forensic evidence, but also ensures wide applicability within the evolving IoT landscape. This practical methodology could prove invaluable for investigators facing the complexities of encrypted device analysis encountered during their cases.

Engineering,Computer Science

Ben Martini,Quang Do,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00015-X

2015-06-18

Abstract:Using the evidence collection and analysis methodology for Android devices proposed by Martini, Do and Choo, we examined and analyzed seven popular Android cloud-based apps. Firstly, we analyzed each app in order to see what information could be obtained from their private app storage and SD card directories. We collated the information and used it to aid our investigation of each app database files and AccountManager data. To complete our understanding of the forensic artefacts stored by apps we analyzed, we performed further analysis on the apps to determine if the user authentication credentials could be collected for each app based on the information gained in the initial analysis stages. The contributions of this research include a detailed description of artefacts, which are of general forensic interest, for each app analyzed.

Computers and Society,Cryptography and Security

Na Young Ahn,Dong Hoon Lee

DOI: https://doi.org/10.1109/ACCESS.2022.3190957

2022-08-02

Abstract:NAND flash memory-based IoT device can potentially still leave behind original personal data in an invalid area even if the data has been deleted. In this paper, we raise the forensic issue of original data remaining in unmanaged blocks caused by NAND flash memory and introduce methods for secure deletion of such data in the invalid area. We also propose a verification technique for secure deletion that is performed based on cell count information, which refers to the difference in bits between personal data and data stored in the block. The pass/fail of the verification technique according to the cell count information is determined in consideration of error correction capabilities. With the forensic issue of de-identification being a vital theme in the big data industry, the threat of serious privacy breaches coupled with our proposal to prevent these attacks will prove to be critical technological necessities in the future.

Cryptography and Security,Hardware Architecture

Farkhund Iqbal,Aasia Jaffri,Zainab Khalid,Aine MacDermott,Qazi Ejaz Ali,Patrick C. K. Hung

DOI: https://doi.org/10.3389/frcmn.2023.1212743

2023-07-26

Frontiers in Communications and Networks

Abstract:Small-scale digital devices like smartphones, smart toys, drones, gaming consoles, tablets, and other personal data assistants have now become ingrained constituents in our daily lives. These devices store massive amounts of data related to individual traits of users, their routine operations, medical histories, and financial information. At the same time, with continuously evolving technology, the diversity in operating systems, client storage localities, remote/cloud storages and backups, and encryption practices renders the forensic analysis task multi-faceted. This makes forensic investigators having to deal with an array of novel challenges. This study reviews the forensic frameworks and procedures used in investigating small-scale digital devices. While highlighting the challenges faced by digital forensics, we explore how cutting-edge technologies like Blockchain, Artificial Intelligence, Machine Learning, and Data Science may play a role in remedying concerns. The review aims to accumulate state-of-the-art and identify a futuristic approach for investigating SSDDs.

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00016-1

2015-06-07

Abstract:There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.

Cryptography and Security

Sungbum Kim,Jewan Bang,Taeshik Shon

DOI: https://doi.org/10.3390/electronics13142827

IF: 2.9

2024-07-19

Electronics

Abstract:Various smart home companies are adding displays to smart home control devices and are also releasing smart home control functions for devices with displays. Since smart home management devices with displays are multifunctional, they can store more digital evidence than traditional management devices. Therefore, we propose a smart home environment forensic methodology focused on wallpads, which are smart home management devices with displays. And we validate the proposed methodology by building a smart home environment centered around wallpads and conducting tests with three vendors (Samsung, Kocom, and Commax). Following the proposed methodology, we identified the software and hardware specifications of devices within the testbed, particularly the wallpads. Based on this, we were able to extract network packets, disk images, and individual files stored internally using methods such as packet capture, vulnerability exploits, serial ports, and chip-off. Through analysis, we confirmed that significant user-related information and videos are stored in these control devices. The digital evidence obtained through the proposed methodology can be used as critical legal evidence, and this study contributes to efficiently analyzing important security issues and evidential data in various smart home IoT environments.

engineering, electrical & electronic,computer science, information systems,physics, applied

Muhammad Faheem,M-Tahar Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1611.09566

2016-11-29

Cryptography and Security

Abstract:Smartphones have become popular in recent days due to the accessibility of a wide range of applications. These sophisticated applications demand more computing resources in a resource constraint smartphone. Cloud computing is the motivating factor for the progress of these applications. The emerging mobile cloud computing introduces a new architecture to offload smartphone and utilize cloud computing technology to solve resource requirements. The popularity of mobile cloud computing is an opportunity for misuse and unlawful activities. Therefore, it is a challenging platform for digital forensic investigations due to the non-availability of methodologies, tools and techniques. The aim of this work is to analyze the forensic tools and methodologies for crime investigation in a mobile cloud platform as it poses challenges in proving the evidence. The advancement of forensic tools and methodologies are much slower than the current technology development in mobile cloud computing. Thus, forces the available tools, and techniques become increasingly obsolete. Therefore, it opens up the door for the new forensic tools and techniques to cope up with recent developments. Hence, this work presents a detailed survey of forensic methodology and corresponding issues in a mobile device, cloud environment, and mobile cloud applications. It mainly focuses on digital forensic issues related to mobile cloud applications and also analyze the scope, challenges and opportunities. Finally, this work reviewed the forensic procedures of two cloud storage services used for mobile cloud applications such as Dropbox and SkyDrive.

Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García,Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García

DOI: https://doi.org/10.1016/j.fsidi.2022.301451

2022-09-01

Abstract:Forensic investigations in the Internet of Things (IoT) are becoming ever more important as the number of cyberincidents that occur in it continues to rise. As a result, it has become necessary to determine how to proceed in performing examinations in this environment, as its novelty and new characteristics demand the development of new forensic solutions that can guarantee a complete and efficient analysis. The approach followed until now by the research community has been to examine the most popular IoT devices and systems with the aim of gaining an insight into what data can be extracted from them, how to extract these data, and what limitations an investigator may encounter in the process. Following this idea, this article, apart from studying the state of the art of IoT forensic investigations, details the examination process for the “Xiaomi Mi Smart Sensor Set” smart home kit, emphasizing the acquisition and analysis of the three main types of forensic evidence: non-volatile memory, volatile memory and network traffic. In particular, we extract and list the useful forensic artifacts that can be obtained from this kit, describing their purpose and location.

computer science, information systems, interdisciplinary applications

Hyunji Chung,Jungheum Park,Sangjin Lee,Chulhoon Kang

DOI: https://doi.org/10.48550/arXiv.1709.10395

2017-08-23

Abstract:The demand for cloud computing is increasing because of the popularity of digital devices and the wide use of the Internet. Among cloud computing services, most consumers use cloud storage services that provide mass storage. This is because these services give them various additional functions as well as storage. It is easy to access cloud storage services using smartphones. With increasing utilization, it is possible for malicious users to abuse cloud storage services. Therefore, a study on digital forensic investigation of cloud storage services is necessary. This paper proposes new procedure for investigating and analyzing the artifacts of all accessible devices, such as Windows, Mac, iPhone, and Android smartphone.

Cryptography and Security