As the storage capacity of smartphones increases, more user data such as call logs, SMS records, media data, and instant messages are stored in smartphones. Therefore, it is important in digital investigation to acquire smartphones containing the personal information of users. However, even when a prime suspect's smartphone is acquired, it is difficult to extract user data without obtaining root privilege

Bitcoin as a popular digital currency has been a target of theft and other illegal activities. Key to the forensic investigation is to identify bitcoin addresses involved in the bitcoin transfers. This paper presents a framework, FABT, for forensic analysis of bitcoin transactions by identifying suspicious bitcoin addresses. It formalizes the clues of a given case as transaction patterns defined over

In 2018, Horsman (2018a; 2018b) provided guidance for the reconstruction of cached stream remnants following use of the Periscope, Facebook Live and YouTube platforms. These works confirmed that video stream content can be cached to a local device when viewed via an Internet browser, and that following the provided methodology, video content can be rebuilt for subsequent viewing. This work provides

The problems faced with regulating social media platforms are well known and documented, where frequent abuses of these platforms occur. In addition to this issue, the use of gaming platforms and their inbuilt communication facilities to carry out malicious acts including hate crimes and grooming is now an increasing concern. The regulation of gaming applications is now arguably a necessity with acts

This empirical study aims to determine whether online media coverage can be used to gather intelligence on specific crimes worldwide. The quality of online news is evaluated as an indicator of the worldwide distribution of jewelry store robberies. This phenomenon was selected because evaluating the risk of criminal events at the global level is a challenge for private companies, who need to settle

Cryptocurrencies set a new trend for a financial interaction between people. In order to successfully meet this use-case, cryptocurrencies combine various advanced information technologies (e.g., blockchain as a replicated database, asymmetrical ciphers and hashes guaranteeing integrity properties, peer-to-peer networking providing fault-tolerant service). Mining process not only introduces new cryptocurrency

Event reconstruction is an important phase in digital forensic investigation, which determines what happened during the incident. The digital investigator uses the findings of this phase to prepare reports for the court. Since the results must be reproducible and verifiable, it is necessary that the event reconstruction methods be rigorous and strict. In order to fulfill the legal requirements, this

Considering today's challenges in digital forensics, for password cracking, distributed computing is a necessity. If we limit the selection of password-cracking tools strictly to open-source software, hashcat tool unambiguously wins in speed, repertory of supported hash formats, updates, and community support. Though hashcat itself is by design a single-machine solution, its interface makes it possible

While interest in using 3D scanning technology for crime scene investigation (CSI) has grown in recent years, a number of barriers still remain that prevent its wide adoption in the criminal justice system. One such barrier comes from the lack of tools that can validate a 3D scan and verify that it has not been manipulated. While a great deal of research has gone into the detection of manipulations

Facial landmarks are employed in many research areas, including facial recognition, craniofacial identification, age and sex estimation being the most important. In forensics, the focus is on the analysis of a particular set of facial landmarks, defined as cephalometric landmarks. Previous studies demonstrated that the descriptive adequacy of these anatomical references for indirect application (photo-anthropometric

In this paper, we propose two methods to recover damaged audio files using deep neural networks. The presented audio file recovery methods differ from the conventional file carving-based recovery method because the former restore lost data, which are difficult to recover with the latter method. This research suggests that recovery tasks, which are essential yet very difficult or very time consuming

File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which

Cybercrime is considered an issue of both local and global concern. Therefore, this study focuses on the local experience in cybercrime control of different countries, including the Republic of Turkey. The article discusses issues in cybersecurity policy and analyzes the legislative framework of the Republic of Turkey on cybercrime issues. The findings underlie the continuing education policy for cybersecurity

the need for a reliable and complementary identifier mechanism in a digital forensic analysis is the focus of this study. Mouse dynamics have been applied in information security studies, particularly, continuous authentication and authorization. However, the method applied in security is void of specific behavioral signature of a user, which inhibits its applicability in digital forensic science.

Digital forensics can no longer tolerate software that cannot be relied upon to perform specific functions such as file recovery. Indistinct and non-standardized results increase the risk of misinterpretation by digital forensic practitioners, and hinder automated correlation of file recovery results in forensic analysis and tool testing. Treating file recovery results in a clear, distinct manner helps

In the early 1990s, unmanned aerial vehicles (UAV) were used exclusively in military applications by various developed countries. Now with its ease of availability and affordability in the electronic device market, this aerial vehicular technology has augmented its familiarity in public and has expanded its usage to countries all over the world. However, expanded use of UAVs, colloquially known as

The rapidly expanding martial arts industry, which is presently unregulated within the United States, has seen multiple coaches convicted of sex offenses in recent years. However, there is currently no existing literature on sexual assault within the martial arts industry. We used major search platforms to collect media reports concerning martial arts coaches who were convicted of sex offenses within

Your Phone is a Microsoft system that comprises two applications: a smartphone app for Android 7 + smartphones and a desktop application for Windows 10/18.03+. It allows users to access their most recent smartphone-stored photos/screenshots and send/receive short message service (SMS) and multimedia messaging service (MMS) within their Your Phone-linked Windows 10 personal computers. In this paper

Patch-Match is an efficient algorithm used for structural image editing and available as a tool on popular commercial photo-editing software. The tool allows users to insert or remove objects from photos using information from similar scene content. Recently, a modified version of this algorithm was proposed as a counter-measure against Photo-Response Non-Uniformity (PRNU) based Source Camera Identification

In this paper, we propose an algorithm for detecting frame deletion in HEVC-coded video in the compressed domain. Specifically, we focus on the frame type changes occurring upon frame deletion, which cause slight differences between the coding patterns in original and forged video. Then, we identify discriminating coding patterns for use as features, which are classified by machine learning classifiers

One of the tasks Law Enforcement Agencies are responsible for is to find evidence of criminal activities in the Darknet. However, visiting thousands of domains to locate visual information containing illicit acts manually requires a considerable amount of time and human resources. To support this task, in this paper, we explore the automatic classification of images uploaded to Tor darknet. Unfortunately

A video can be manipulated using synthetic zooming without using the state-of-the-art video forgeries. Synthetic zooming is performed by upscaling individual frames of a video with varying scale factors followed by cropping them to the original frame size. These manipulated frames resemble genuine natural (optical) camera zoomed frames and hence may be misclassified as a pristine video by video forgery

In addition to traditional high temperature eutectic soldering, the use of underfill epoxy to glue the electronic components to the PCB (memory, CPU, cryptographic chips) has now become the norm among mobile phone manufacturers, e.g. Apple, BlackBerry and Samsung. Currently, this technique is the best solution to protect components against various mechanical stresses and improve reliability. Unfortunately

Polymeric adhesives are of interest in the digital forensics domain. They can be used to perform more or less complex repairs or even to realise advanced man-in-the-middle attacks in order to carry out reverse engineering of secure systems (Heckmann et al., 2017). The main aim of this paper is to develop a technique that makes polymeric adhesives sensitive to laser decapsulation attacks while decreasing

The database is at the heart of any digital application. With the increased use of high-tech applications, the database is used to store important and sensitive information. Sensitive information storage leads to crimes related to computer activities. Digital forensics is an investigation process to discover any un-trusted or malicious movement, which can be presented as testimony in a court of law

In recent years, examination of the social media networks has become an integral part of investigations. Law enforcement agencies and legal practitioners frequently utilize social networks to quickly access the information related to the participants of any illicit incident. However, the forensic process needs collection and analysis of the information which is immense, heterogeneous, and spread across

We present three case studies to illustrate a methodology for conducting forensics investigation on Microsoft Skype for Business. The proposed methodology helps to retrieve information on chat and audio communications made by any account who accessed the PC, to retrieve IP addresses and communication routes for all the participants of a call, and to retrieve forensics evidence to identify the end-user

The increasing use of encrypted data within file storage and in network communications leaves investigators with many challenges. One of the most challenging is the Tor protocol, as its main focus is to protect the privacy of the user, in both its local footprint within a host and over a network connection. The Tor browser, though, can leave behind digital artefacts which can be used by an investigator

Digital forensics is an important and growing forensic domain. Research on miscarriages of justice and misleading evidence, as well as various inquires in the UK and the US, have highlighted human error as an issue within forensic science. This has led to increased attention to the sources of cognitive bias and potential countermeasures within many forensic disciplines. However, the area of digital

Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDecrypt framework to investigate the discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual

Video tampering methods have witnessed considerable progress in recent years. This is partly due to the rapid development of advanced deep learning methods, and also due to the large volume of video footage that is now in the public domain. Historically, convincing video tampering has been too labour intensive to achieve on a large scale. However, recent developments in deep learning-based methods

Photo Response Non-Uniformity (PRNU) is a camera imaging sensor imperfection which has earned a great interest for source device attribution of digital videos. A majority of recent researches about PRNU-based source device attribution for digital videos do not take into consideration the effects of video compression on the PRNU noise in video frames, but rather consider video frames as isolated images

The use of call data records (CDRs) to establish links between suspects is well known and understood. In a number of major enquiries in the UK, however, it was found that CDRs contained apparently erroneous or nonsensical data which prevented the use of well-established techniques based on caller IDs contained within CDRs. Further analysis suggested that some form of number “spoofing” was being used

Source device identification has become a hot topic in multimedia forensics recently. In this paper, a novel method is proposed for source smartphone identification by using encoding characteristics as the intrinsic fingerprint of recording devices. The encoding characteristics for the smartphones of 24 popular models derived from 7 mainstream brands are investigated and statistical features of some

Embedded personal devices as smartwatches can be a valuable source of information for the investigation of criminal acts, as they can store contact data, call records, instant messages, multimedia files and so, without requiring access to the connected smartphone. This paper presents the acquisition and forensic analysis done on different non-android smartwatches equipped with a low-cost MTK chip.

The increasing prevalence of Internet of Things (IoT) devices has made it inevitable that their pertinence to digital forensic investigations will increase into the foreseeable future. These devices produced by various vendors often posses limited standard interfaces for communication, such as USB ports or WiFi/Bluetooth wireless interfaces. Meanwhile, with an increasing mainstream focus on the security

Tracking storage devices is one of the important fields in digital forensics. The existing methods and tools about registry, event log or IconCache analysis help solving cases on confidential leakage, illegal copying, and security incident cases. However, previous approach has drawback in tracking storage devices such as HDD, SSD, and etc since it was based on the good performance of USB device tracking

Event logs are one of the most important sources of digital evidence for forensic investigation because they record essential activities on the system. In this paper, we present a comprehensive literature survey of the forensic analysis on operating system logs. We present a taxonomy of various techniques used in this area. Additionally, we discuss the tools that support the examination of the event

In this work we present a primary account of frameup, an incriminatory attack made possible because of existing implementations in distributed peer to peer storage. The frameup attack shows that an adversary has the ability to store unencrypted data on the hard drives of people renting out their hard drive space. This is important to forensic examiners as it opens the door for possibly framing an innocent

Lens aberrations have previously been used to determine the provenance of an image. However, this is not necessarily unique to an image sensor, as lens systems are often interchanged. Photo-response non-uniformity noise was proposed in 2005 by Lukáš, Goljan and Fridrich as a stochastic signal which describes a sensor uniquely, akin to a “ballistic” fingerprint. This method, however, did not account

Social Media (SM) evidence is a new and rapidly emerging frontier in digital forensics. The trail of digital information on social media, if explored correctly, can offer remarkable support in criminal investigations. However, exploring social media for potential evidence and presenting these proofs in court is not a straightforward task. Social media evidence must be collected by a legally and scientifically

The digital forensic discipline is wholly reliant upon software applications and tools designed and marketed for the acquisition, display and interpretation of digital data. The results of any subsequent investigation using such tools must be reliable and repeatable whilst supporting the establishment of fact, allowing criminal justice proceedings the ability to digest any findings during the process

As the majority of dwellings now maintain some form of Internet connectivity, the examination of routers at crime scenes is an increasing requirement. Due to cost and resourcing constraints, police forces are looking to transfer responsibility for carrying out this task to front line crime scene investigators, despite such staff typically lacking specialist training for this type of examination. Such

Digital investigators sometimes obtain key evidence by extracting user data from the smartphones of suspects. However, it is becoming more difficult to extract user data from smartphones, due to continuous updates and the use of data encryption functions, such as Full Disk Encryption (FDE) and File Based Encryption (FBE). Backup data are usually stored in an encrypted form, in order to protect user

This research cared about clarifying the legal provisions of the unauthorized access crime contained in article 3 of the Jordanian Cybercrime act of 2015 and comparing it to other Arabic legislations and French law as well as clarifying the position of international conventions on this crime. The analysis of the crime included clarifying its elements, its sanction and the aggravating circumstances

In the field of digital forensics it is crucial for any practitioner to possess the ability to make reliable investigative decisions which result in the reporting of credible evidence. This competency should be considered a core attribute of a practitioner’s skill set and it is often taken for granted that all practitioners possess this ability; in reality this is not the case. A lack of dedicated

Index based desktop search tools have become the primary means for finding files or launching applications on desktop computer systems. Every major operating system ships with one. Spotlight is the default desktop search app on macOS (formerly OSX) that searches files based on metadata and content. This paper explores the format of the spotlight metadata cache database and opens up another avenue of

A binary packer has commonly been used to protect the original code inside the binary executables from being detected as malicious code by anti-malware software. Various methods of unpacking packed binary executables have been extensively studied, and several unpacking approaches have been proposed. Some of these solutions depend on various assumptions, which may limit their effectiveness. Here, a

The Amazon Fire TV Stick is a popular device that is the centre of entertainment for many homes. Its collection of functions and features generates a considerable amount of data, giving this device the potential to be included in a multiple investigations. Highlighting a clear requirement for a forensic analysis of the device. Previous research of smart entertainment devices focuses on the larger areas

Advancements in Information Technology landscape over the past two decades have made the collection, preservation, and analysis of digital evidence an extremely important tool for solving cybercrimes and preparing court cases. Digital evidence plays an important role in cybercrime investigation, as it is used to link individuals with criminal activities. Thus it is of utmost importance to guarantee

Main memory analysis plays an increasingly important role in today's digital forensic analysis. It can be used to retrieve encryption keys or to analyze malware that solely resides in RAM. Typically, the memory is acquired prior to analysis. As of today, there exist a large number of different techniques and tools to accomplish this task that all have their own advantages and disadvantages and appear

Crimes involving digital evidence are getting more complex due to the increasing storage capacities and utilization of devices. Event reconstruction (i.e., understanding the timeline) is an essential step for investigators to understand a case where a prominent tool is Log2Timeline (a tool that creates super timelines which is a combination of several log files and events throughout a system). While

The never-ending menace of botnet is causing many serious problems on the Internet. Although there are significant efforts on detecting botnet at the global level which rely heavily on finding failed queries and domain flux information for botnet detection, there are very few efforts being made to detect bot infection at an enterprise level. Detecting bot-infected machines is vital for any organization

The state-of-the-art and practice show an increased recognition, but limited adoption, of Behavioural Evidence Analysis (BEA) within the Digital Forensics (DF) investigation process. Yet, there is currently no BEA-driven process model and guidelines for DF investigators to follow in order to take advantage of such an approach. This paper proposes the Behavioural Digital Forensics Model to fill this

Uncovering attacks on data and computer systems and those responsible for them is one of the contemporary problems that the authorities involved in criminal proceedings have to deal with. Where this sort of cybercrime is concerned we can expect not only high levels of latency but also a low clear-up rate for crimes on file. This paper demonstrates this using the example of the Czech Republic, by providing

Today’s cybercrimes are much more difficult to detect and prosecute than traditional crimes. In the investigation of cybercrimes, law enforcement agencies follow similar techniques to traditional crimes that, however, have to be modified to meet the unique conditions and requirements of virtual space. This paper examines cybercrime profiling techniques prevalent today, and focuses on the feasibility

Mobile devices continue to feature heavily in criminal investigations and often bear multiple forms of potentially relevant evidence. In the context of identifying the owner of a device, both latent fingerprints and resident digital data may be crucial to investigations, yet each individual process may have a detrimental impact on the other. Fingerprint development techniques are known to impact device

Until now, researchers have been analyzing Android applications dynamically with the use of either emulators or real devices. Emulators are an option that testers currently have to achieve scalability. Besides, these approaches can also take snapshots which help to revert back to a known state in a matter of seconds. However, emulators are often slow in performance and contain heuristic emulation traces

Effective analysis of malware is of great significance in guaranteeing the reliability of the system operation. Malware can easily escape from existing dynamic analysis methods. Aiming at the deficiencies of current methods for detecting malware dynamically, a method of using hardware features is proposed, namely, a memory dump file is extracted and converted into a grayscale image, the image is converted

The Tor Darknet is a pseudo-anonymous place to host content online frequently used by criminals to sell narcotics and to distribute illicit material. Many studies have attempted to estimate the size of the darknet, but this paper will show that previous estimates on size are inaccurate due to hidden service lifecycle. The first examination of its kind will be presented on the differences between short-lived