Biblio

Digital forensics is essential when performing in-depth crime investigations and evidence extraction, especially in the field of the Internet of Things, where there is a ton of information every second boosted with latest and smartest technological devices. However, the enormous growth of data and the nature of its complexity could constrain the data examination process since traditional data acquisition techniques are not applicable nowadays. Therefore, if the knowledge gap between digital forensics and the Internet of Things is not bridged, investigators will jeopardize the loss of a possible rich source of evidence that otherwise could act as a lead in solving open cases. The work aims to introduce examples of employing the latest Internet of Things forensics approaches as a panacea in this regard. The paper covers a variety of articles presenting the new Blockchain, fog, and video-based applications that can aid in easing the process of digital forensics investigation with a focus on the Internet of Things. The results of the review indicated that the above current trends are very promising procedures in the field of Internet of Things digital forensics and need to be explored and applied more actively.

Access control includes authorization of security administrators and access of users. Aiming at the problems of log information storage difficulty and easy tampering faced by auditing and traceability forensics of authorization and access in cross-domain scenarios, we propose an access control auditing and traceability forensics method based on Blockchain, whose core is Ethereum Blockchain and IPFS interstellar mail system, and its main function is to store access control log information and trace forensics. Due to the technical characteristics of blockchain, such as openness, transparency and collective maintenance, the log information metadata storage based on Blockchain meets the requirements of distribution and trustworthiness, and the exit of any node will not affect the operation of the whole system. At the same time, by storing log information in the blockchain structure and using mapping, it is easy to locate suspicious authorization or judgment that lead to permission leakage, so that security administrators can quickly grasp the causes of permission leakage. Using this distributed storage structure for security audit has stronger anti-attack and anti-risk.

With the inundation of more cost effective and improved flight performance Unmanned Aerial Vehicles (UAVs) into the consumer market, we have seen more uses of these for both leisure and business purposes. As such, demand for digital forensic examination on these devices has seen an increase as well. This research will explore and discuss the forensic examination process on one of the more popular brands of UAV in Singapore, namely DJI. The findings are from the examination of the exposed File Transfer Protocol (FTP) channel and the extraction of the Data-at-Rest on the memory chip of the drone. The extraction was done using the Chip-Off and Chip-On technique.

With large advancements in image display technology, recapturing high-quality images from high-fidelity LCD screens becomes much easier. Such recaptured images can be used to hide image tampering traces and fool some intelligent identification systems. In order to prevent such a security loophole, we propose a recaptured image detection approach based on generalized central difference convolution (GCDC) network. Specifically, by using GCDC instead of vanilla convolution, more detailed features can be extracted from both intensity and gradient information from an image. Meanwhile, we concatenate the feature maps from multiple GCDC modules to fuse low-, mid-, and high-level features for higher performance. Extensive experiments on three public recaptured image databases demonstrate the superior of our proposed method when compared with the state-of-the-art approaches.

Frame deletion forensics has been a major area of video forensics in recent years. The detection effect of current deep neural network-based methods outperforms previous traditional detection methods. Recently, researchers have used residual features as input to the network to detect frame deletion and have achieved promising results. We propose an IReF (Improved Residual Feature) by analyzing the effect of residual features on frame deletion traces. IReF preserves the main motion features and edge information by denoising and enhancing the residual features, making it easier for the network to identify the tampered features. And the sparse noise reduction reduces the storage requirement. Experiments show that under the 2D convolutional neural network, the accuracy of IReF compared with residual features is increased by 3.81 %, and the storage space requirement is reduced by 78%. In the 3D convolutional neural network with video clips as feature input, the accuracy of IReF features is increased by 5.63%, and the inference efficiency is increased by 18%.

There are a large number of illegal websites on the Internet, such as pornographic websites, gambling websites, online fraud websites, online pyramid selling websites, etc. This paper studies the use of crawler technology for digital forensics on illegal websites. First, a crawler based illegal website forensics program is designed and developed, which can detect the peripheral information of illegal websites, such as domain name, IP address, network topology, and crawl key information such as website text, pictures, and scripts. Then, through comprehensive analysis such as word cloud analysis, word frequency analysis and statistics on the obtained data, it can help judge whether a website is illegal.

WhatsApp is one of the rare applications that has managed to become one of the most popular instant messaging applications all over the world. While inherently designed for simple and fast communication, privacy features such as end-to-end encryption have made confidential communication easy for criminals aiming to commit illegal acts. However, as it meets many daily communication and communication needs, it has a great potential to be digital evidence in interpersonal disputes. In this study, in parallel with the potential of WhatsApp application to contain digital evidence, the abuse of this situation and the manipulation method of multimedia files, which may cause wrong decisions by the judicial authorities, are discussed. The dangerous side of this method, which makes the analysis difficult, is that it can be applied by anyone without the need for high-level root authority or any other application on these devices. In addition, it is difficult to detect as no changes can be made in the database during the analysis phase. In this study, a controlled experimental environment was prepared on the example scenario, the manipulation was carried out and the prepared system analysis was included. The results obtained showed that the evidence at the forensic analysis stage is open to misinterpretation.

As an important branch of computer forensics, network forensics technology, whether abroad or at home, is in its infancy. It mainly focuses on the research on the framework of some forensics systems or some local problems, and has not formed a systematic theory, method and system. In order to improve the network forensics sys-tem, have a relatively stable and correct model for refer-ence, ensure the authenticity and credibility of network fo-rensics from the forensics steps, provide professional and non professional personnel with a standard to measure the availability of computer network crime investigation, guide the current network forensics process, and promote the gradual maturity of network forensics theories and methods, This paper presents a fuzzy decision tree reason-ing method for network forensics analysis.

With the advent of information and communication technology, the digital space is becoming a playing ground for criminal activities. Criminals typically prefer darkness or a hidden place to perform their illegal activities in a real-world while sometimes covering their face to avoid being exposed and getting caught. The same applies in a digital world where criminals prefer features which provide anonymity or hidden features to perform illegal activities. It is from this spirit the Darkweb is attracting all kinds of criminal activities conducted over the Internet such as selling drugs, illegal weapons, child pornography, assassination for hire, hackers for hire, and selling of malicious exploits, to mention a few. Although the anonymity offered by Darkweb can be exploited as a tool to arrest criminals involved in cybercrime, an in-depth research is needed to advance criminal investigation on Darkweb. Analysis of illegal activities conducted in Darkweb is in its infancy and faces several challenges like lack of standard operating procedures. This study proposes progressive standard operating procedures (SOPs) for Darkweb forensics investigation. We provide the four stages of SOP for Darkweb investigation. The proposed SOP consists of the following stages; identification and profiling, discovery, acquisition and preservation, and the last stage is analysis and reporting. In each stage, we consider the objectives, tools and expected results of that particular stage. Careful consideration of this SOP revealed promising results in the Darkweb investigation.

Cyber threat information can be utilized to investigate incidents by leveraging threat-related knowledge from prior incidents with digital forensic techniques and tools. However, the actionability of cyber threat information in digital forensics has not yet been evaluated. Such evaluation is important to ascertain that cyber threat information is as actionable as it can be and to reveal areas of improvement. In this study, a dataset of cyber threat information products was created from well-known cyber threat information sources and its actionability in digital forensics was evaluated. The evaluation results showed a high level of cyber threat information actionability that still needs enhancements in supporting some widely present types of attacks. To further enhance the provision of actionable cyber threat information, the development of the new TREVItoSTIX Autopsy module is presented. TREVItoSTIX allows the expression of the findings of an incident investigation in the structured threat information expression format in order to be easily shared and reused in future digital forensics investigations.

Mathematical morphology provides a large set of powerful non-linear image operators, widely used for feature extraction, noise removal or image enhancement. Although morphological filters might be used to remove artifacts produced by image manipulations, both on binary and gray level documents, little effort has been spent towards their forensic identification. In this paper we propose a non-trivial extension of a deterministic approach originally detecting erosion and dilation of binary images. The proposed approach operates on grayscale images and is robust to image compression and other typical attacks. When the image is attacked the method looses its deterministic nature and uses a properly trained SVM classifier, using the original detector as a feature extractor. Extensive tests demonstrate that the proposed method guarantees very high accuracy in filtering detection, providing 100% accuracy in discriminating the presence and the type of morphological filter in raw images of three different datasets. The achieved accuracy is also good after JPEG compression, equal or above 76.8% on all datasets for quality factors above 80. The proposed approach is also able to determine the adopted structuring element for moderate compression factors. Finally, it is robust against noise addition and it can distinguish morphological filter from other filters.

This letter presents a novel median filtering forensics approach, based on a convolutional neural network (CNN) with an adaptive filtering layer (AFL), which is built in the discrete cosine transform (DCT) domain. Using the proposed AFL, the CNN can determine the main frequency range closely related with the operational traces. Then, to automatically learn the multi-scale manipulation features, a multi-scale convolutional block is developed, exploring a new multi-scale feature fusion strategy based on the maxout function. The resultant features are further processed by a convolutional stream with pooling and batch normalization operations, and finally fed into the classification layer with the Softmax function. Experimental results show that our proposed approach is able to accurately detect the median filtering manipulation and outperforms the state-of-the-art schemes, especially in the scenarios of low image resolution and serious compression loss.

In this paper, we introduce a new digital image forensics approach called forensic similarity, which determines whether two image patches contain the same forensic trace or different forensic traces. One benefit of this approach is that prior knowledge, e.g., training samples, of a forensic trace is not required to make a forensic similarity decision on it in the future. To do this, we propose a two-part deep-learning system composed of a convolutional neural network-based feature extractor and a three-layer neural network, called the similarity network. This system maps the pairs of image patches to a score indicating whether they contain the same or different forensic traces. We evaluated the system accuracy of determining whether two image patches were captured by the same or different camera model and manipulated by the same or a different editing operation and the same or a different manipulation parameter, given a particular editing operation. Experiments demonstrate applicability to a variety of forensic traces and importantly show efficacy on “unknown” forensic traces that were not used to train the system. Experiments also show that the proposed system significantly improves upon prior art, reducing error rates by more than half. Furthermore, we demonstrated the utility of the forensic similarity approach in two practical applications: forgery detection and localization, and database consistency verification.

In image forensics, to determine whether the image is impurely transformed, it extracts and examines the features included in the suspicious image. In general, the features extracted for the detection of forgery images are based on numerical values, so it is somewhat unreasonable to use in the CNN structure for image classification. In this paper, the extraction method of a feature vector is using a least-squares solution. Treat a suspicious image like a matrix and its solution to be coefficients as the feature vector. Get two solutions from two images of the original and its median filter residual (MFR). Subsequently, the two features were formed into a visualized pattern and then fed into CNN deep learning to classify the various transformed images. A new structure of the CNN net layer was also designed by hybrid with the inception module and the residual block to classify visualized feature vector patterns. The performance of the proposed image forensics detection (IFD) scheme was measured with the seven transformed types of image: average filtered (window size: 3 × 3), gaussian filtered (window size: 3 × 3), JPEG compressed (quality factor: 90, 70), median filtered (window size: 3 × 3, 5 × 5), and unaltered. The visualized patterns are fed into the image input layer of the designed CNN hybrid model. Throughout the experiment, the accuracy of median filtering detection was 98% over. Also, the area under the curve (AUC) by sensitivity (TP: true positive rate) and 1-specificity (FP: false positive rate) results of the proposed IFD scheme approached to `1' on the designed CNN hybrid model. Experimental results show high efficiency and performance to classify the various transformed images. Therefore, the grade evaluation of the proposed scheme is “Excellent (A)”.

Signal processing applications dealing with secure transmission are enjoying increasing attention lately. This paper provides some theoretical insights as well as a practical solution for transmitting a hash of an image to a central server to be compared with a reference image. The proposed solution employs a rigid image registration technique viewed in a distributed source coding perspective. In essence, it embodies a phase encoding framework to let the decoder estimate the transformation parameters using a very modest amount of information about the original image. The problem is first cast in an ideal setting and then it is solved in a realistic scenario, giving more prominence to low computational complexity in both the transmitter and receiver, minimal hash size, and hash security. Satisfactory experimental results are reported on a standard images set.

With the increasing prevalent of digital devices and their abuse for digital content creation, forgeries of digital images and video footage are more rampant than ever. Digital forensics is challenged into seeking advanced technologies for forgery content detection and acquisition device identification. Unfortunately, existing solutions that address image tampering problems fail to identify the device that produces the images or footage while techniques that can identify the camera is incapable of locating the tampered content of its captured images. In this paper, a new perceptual data-device hash is proposed to locate maliciously tampered image regions and identify the source camera of the received image data as a non-repudiable attestation in digital forensics. The presented image may have been either tampered or gone through benign content preserving geometric transforms or image processing operations. The proposed image hash is generated by projecting the invariant image features into a physical unclonable function (PUF)-defined Bernoulli random space. The tamper-resistant random PUF response is unique for each camera and can only be generated upon triggered by a challenge, which is provided by the image acquisition timestamp. The proposed hash is evaluated on the modified CASIA database and CMOS image sensor-based PUF simulated using 180 nm TSMC technology. It achieves a high tamper detection rate of 95.42% with the regions of tampered content successfully located, a good authentication performance of above 98.5% against standard content-preserving manipulations, and 96.25% and 90.42%, respectively, for the more challenging geometric transformations of rotation (0 360°) and scaling (scale factor in each dimension: 0.5). It is demonstrated to be able to identify the source camera with 100% accuracy and is secure against attacks on PUF.

Mobile Forensics (MF) field uses prescribed scientific approaches with a focus on recovering Potential Digital Evidence (PDE) from mobile devices leveraging forensic techniques. Consequently, increased proliferation, mobile-based services, and the need for new requirements have led to the development of the MF field, which has in the recent past become an area of importance. In this article, the authors take a step to conduct a review on Mobile Forensics Investigation Process Models (MFIPMs) as a step towards uncovering the MF transitions as well as identifying open and future challenges. Based on the study conducted in this article, a review of the literature revealed that there are a few MFIPMs that are designed for solving certain mobile scenarios, with a variety of concepts, investigation processes, activities, and tasks. A total of 100 MFIPMs were reviewed, to present an inclusive and up-to-date background of MFIPMs. Also, this study proposes a Harmonized Mobile Forensic Investigation Process Model (HMFIPM) for the MF field to unify and structure whole redundant investigation processes of the MF field. The paper also goes the extra mile to discuss the state of the art of mobile forensic tools, open and future challenges from a generic standpoint. The results of this study find direct relevance to forensic practitioners and researchers who could leverage the comprehensiveness of the developed processes for investigation.

With the rapid progress in recent years, techniques that generate and manipulate multimedia content can now provide a very advanced level of realism. The boundary between real and synthetic media has become very thin. On the one hand, this opens the door to a series of exciting applications in different fields such as creative arts, advertising, film production, and video games. On the other hand, it poses enormous security threats. Software packages freely available on the web allow any individual, without special skills, to create very realistic fake images and videos. These can be used to manipulate public opinion during elections, commit fraud, discredit or blackmail people. Therefore, there is an urgent need for automated tools capable of detecting false multimedia content and avoiding the spread of dangerous false information. This review paper aims to present an analysis of the methods for visual media integrity verification, that is, the detection of manipulated images and videos. Special emphasis will be placed on the emerging phenomenon of deepfakes, fake media created through deep learning tools, and on modern data-driven forensic methods to fight them. The analysis will help highlight the limits of current forensic tools, the most relevant issues, the upcoming challenges, and suggest future directions for research.

We consider information leakage to the user in private information retrieval (PIR) systems. Information leakage can be measured in terms of individual message leakage or total leakage. Individual message leakage, or simply individual leakage, is defined as the amount of information that the user can obtain on any individual message that is not being requested, and the total leakage is defined as the amount of information that the user can obtain about all the other messages except the one being requested. In this work, we characterize the tradeoff between the minimum download cost and the individual leakage, and that for the total leakage, respectively. Coding schemes are proposed to achieve these optimal tradeoffs, which are also shown to be optimal in terms of the message size. We further characterize the optimal tradeoff between the minimum amount of common randomness and the total leakage. Moreover, we show that under individual leakage, common randomness is in fact unnecessary when there are more than two messages.

Database forensic investigation (DBFI) is an important area of research within digital forensics. It's importance is growing as digital data becomes more extensive and commonplace. The challenges associated with DBFI are numerous, and one of the challenges is the lack of a harmonized DBFI process for investigators to follow. In this paper, therefore, we conduct a survey of existing literature with the hope of understanding the body of work already accomplished. Furthermore, we build on the existing literature to present a harmonized DBFI process using design science research methodology. This harmonized DBFI process has been developed based on three key categories (i.e. planning, preparation and pre-response, acquisition and preservation, and analysis and reconstruction). Furthermore, the DBFI has been designed to avoid confusion or ambiguity, as well as providing practitioners with a systematic method of performing DBFI with a higher degree of certainty.

The pervasiveness of personalized collaborative recommender systems has shown the powerful capability in a wide range of E-commerce services such as Amazon, TripAdvisor, Yelp, etc. However, fundamental vulnerabilities of collaborative recommender systems leave space for malicious users to affect the recommendation results as the attackers desire. A vast majority of existing detection methods assume certain properties of malicious attacks are given in advance. In reality, improving the detection performance is usually constrained due to the challenging issues: (a) various types of malicious attacks coexist, (b) limited representations of malicious attack behaviors, and (c) practical evidences for exploring and spotting anomalies on real-world data are scarce. In this paper, we investigate a unified detection framework in an eye for an eye manner without being bothered by the details of the attacks. Firstly, co-visitation and co-rating graphs are constructed using association rules. Then, attribute representations of nodes are empirically developed from the perspectives of linkage pattern, structure-based property and inherent association of nodes. Finally, both attribute information and connective coherence of graph are combined in order to infer suspicious nodes. Extensive experiments on both synthetic and real-world data demonstrate the effectiveness of the proposed detection approach compared with competing benchmarks. Additionally, abnormality forensics metrics including distribution of rating intention, time aggregation of suspicious ratings, degree distributions before as well as after removing suspicious nodes and time series analysis of historical ratings, are provided so as to discover interesting findings such as suspicious nodes (items or ratings) on real-world data.

Nowadays, mobile devices have become one of the most popular instruments used by a person on its regular life, mainly due to the importance of their applications. In that context, mobile devices store user's personal information and even more data, becoming a personal tracker for daily activities that provides important information about the user. Derived from this gathering of information, many tools are available to use on mobile devices, with the restrain that each tool only provides isolated information about a specific application or activity. Therefore, the present work proposes a tool that allows investigators to obtain a complete report and timeline of the activities that were performed on the device. This report incorporates the information provided by many sources into a unique set of data. Also, by means of an example, it is presented the operation of the solution, which shows the feasibility in the use of this tool and shows the way in which investigators have to apply the tool.

Digital forensics is process of identifying, preserving, analyzing and preserving digital evidence. Due to increasing cybercrimes now a days, it is important for all organizations to have a well-managed digital forensics cell. So to overcome this, we propose a framework called digital forensics capability analyser. [1]The main advantage of developing digital analyzer is cost minimization. This tool will provide fundamental information for setting up a digital forensic cell and will also offer services like online sessions. [2] [3]It will help organizations by providing them with a perfect solution according to their requirements to start a digital forensic cell in their respective lnstitution.[4] [5].

The era of information technology has, unfortunately, contributed to the tremendous rise in the number of criminal activities. However, digital artifacts can be utilized in convicting cybercriminal and exposing their activities. The digital forensics science concerns about all aspects related to cybercrimes. It seeks digital evidence by following standard methodologies to be admitted in court rooms. This paper concerns about memory forensics for the unique artifacts it holds. Memory contains information about the current state of systems and applications. Moreover, an application's data explains how a criminal has been interacting the application just before the memory is acquired. Memory forensics at the application level is currently random and cumbersome. Targeting specific applications is what forensic researchers and practitioner are currently striving to provide. This paper suggests a general solution to investigate any application. Our solution aims to utilize an application's data structures and variables' information in the investigation process. This is because an application's data has to be stored and retrieved in the means of variables. Data structures and variables' information can be generated by compilers for debugging purposes. We show that an application's information is a valuable resource to the investigator.

The fundamental aim of digital forensics is to discover, investigate and protect an evidence, increasing cybercrime enforces digital forensics team to have more accurate evidence handling. This makes digital evidence as an important factor to link individual with criminal activity. In this procedure of forensics investigation, maintaining integrity of the evidence plays an important role. A chain of custody refers to a process of recording and preserving details of digital evidence from collection to presenting in court of law. It becomes a necessary objective to ensure that the evidence provided to the court remains original and authentic without tampering. Aim is to transfer these digital evidences securely using encryption techniques.