129 research outputs found

    A framework for the forensic investigation of unstructured email relationship data

    Our continued reliance on email communications ensures that it remains a major source of evidence during a digital investigation. Emails comprise both structured and unstructured data. Structured data provides qualitative information to the forensics examiner and is typically viewed through existing tools. Unstructured data is more complex as it comprises information associated with social networks, such as relationships within the network, identification of key actors and power relations, and there are currently no standardised tools for its forensic analysis. Moreover, email investigations may involve many hundreds of actors and thousands of messages. This paper posits a framework for the forensic investigation of email data. In particular, it focuses on the triage and analysis of unstructured data to identify key actors and relationships within an email network. This paper demonstrates the applicability of the approach by applying relevant stages of the framework to the Enron email corpus. The paper illustrates the advantage of triaging this data to identify (and discount) actors and potential sources of further evidence. It then applies social network analysis techniques to key actors within the data set. This paper posits that visualisation of unstructured data can greatly aid the examiner in their analysis of evidence discovered during an investigation

    A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material

    For those investigating cases of Child Sexual Abuse Material (CSAM), there is the potential harm of experiencing trauma after illicit content exposure over a period of time. Research has shown that those working on such cases can experience psychological distress. As a result, there has been a greater effort to create and implement technologies that reduce exposure to CSAM. However, not much work has explored gathering insight regarding the functionality, effectiveness, accuracy, and importance of digital forensic tools and data science technologies from practitioners who use them. This study focused specifically on examining the value practitioners give to the tools and technologies they utilize to investigate CSAM cases. General findings indicated that implementing filtering technologies is more important than safe-viewing technologies; false positives are a greater concern than false negatives; resources such as time, personnel, and money continue to be a concern; and an improved workflow is highly desirable. Results also showed that practitioners are not well-versed in data science and Artificial Intelligence (AI), which is alarming given that tools already implement these techniques and that practitioners face large amounts of data during investigations. Finally, the data exemplified that practitioners are generally not taking advantage of tools that implement data science techniques, and that the biggest need for them is in automated child nudity detection, age estimation and skin tone detection

    Digital forensic readiness intelligence crime repository

    It may not always be possible to conduct a digital (forensic) investigation post-event if there is no process in place to preserve potential digital evidence. This study posits the importance of digital forensic readiness, or forensic-by-design, and presents an approach that can be used to construct a Digital Forensic Readiness Intelligence Repository (DFRIR). Based on the concept of knowledge sharing, the authors leverage this premise to suggest an intelligence repository. Such a repository can be used to cross-reference potential digital evidence (PDE) sources that may help digital investigators during the process. This approach employs a technique of capturing PDE from different sources and creating a DFR repository that can be shared across diverse jurisdictions among digital forensic experts and law enforcement agencies (LEAs), in the form of intelligence. To validate the approach, the study has employed a qualitative approach based on a number of metrics, and an analysis of experts' opinion has been incorporated. The DFRIR seeks to maximize the collection of PDE and reduce the time needed to conduct forensic investigation (e.g., by reducing the time for learning). This study then explains how such an approach can be employed in conjunction with ISO/IEC 27043:2015

    Quantifying Relevance of Mobile Digital Evidence as They Relate to Case Types: A Survey and a Guide for Best Practices

    In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97% of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a data set of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to the most relevant type of digital evidence for all the seven types of investigations, (ii) MMS belongs to the most relevant type of digital evidence for all the types of digital investigations except espionage and eavesdropping where it is the second most relevant type of digital evidence, (iii) Phonebook and Contacts is the most relevant type of digital evidence for all types of digital investigations except child pornography, (iv) Audio Calls is the most relevant type of digital evidence for all types of digital investigations except credit card fraud and child pornography and (v) Standalone Files are the least relevant type of digital evidence for most of the digital investigations. The size of the response data set was fairly reasonable to analyze and then define, by generalization, relevance-based best practices for mobile device forensics, which can supplement any forensics process model, including digital triage. For the reliability of these best practices, the impact of responses from the participants with more than five years of experience was analyzed by using one hundred and thirty three (133) instances of One-Way ANOVA tests. The results of this research can help investigators concentrate on the relevant types of digital evidence when investigating a specific case, consequently saving time and effort

    Effects of the Factory Reset on Mobile Devices

    Mobile devices usually provide a “factory-reset” tool to erase user-specific data from the main secondary storage. 9 Apple iPhones, 10 Android devices, and 2 BlackBerry devices were tested in the first systematic evaluation of the effectiveness of factory resets. Tests used the Cellebrite UME-36 Pro with the UFED Physical Analyzer, the Bulk Extractor open-source tool, and our own programs for extracting metadata, classifying file paths, and comparing them between images. Two phones were subjected to more detailed analysis. Results showed that many kinds of data were removed by the resets, but much user-specific configuration data was left. Android devices did poorly at removing user documents and media, and occasional surprising user data was left on all devices including photo images, audio, documents, phone numbers, email addresses, geolocation data, configuration data, and keys. A conclusion is that reset devices can still provide some useful information to a forensic investigation

    Marketised forensic DNA-profiling in England & Wales

    Previously held under moratorium from 20 March 2020 until 20 March 2022. Forensic science provision in the United Kingdom has undergone significant, though uneven, development during the past decade. In England and Wales, forensic expertise is now delivered by way of a commercial market, whilst similar provision in Scotland, and Northern Ireland, remains within the public sector. As a result of marketisation, police forces (and other forensic ‘customers’) have become increasingly concerned with measuring economic value, whilst forensic science providers have been required to maintain an efficient, high-quality service that conforms to the overarching regulations. Early studies suggest that these structural, and regulatory, developments have had a marked impact upon the field of forensic DNA analysis, and may affect the way in which expert DNA evidence is constructed. This empirical research project seeks to assess the impact that these public policy, and organizational, developments, have had on the perspectives of forensic DNA-profiling experts. The project focuses on the perceived links between governance structures and the performance of forensic expertise, through the construction of analytical, and evaluative, reports. The study also considers the reported impacts of overarching regulatory incursions. The purpose of this unique study is to gain a clearer understanding of the ways in which forensic DNA profilers have responded to policy-driven structural changes, and to assess the perceived effects of resulting adaptations. The project has uncovered valuable data, demonstrating that respondents regard DNA reporting and evaluation in relation to serious crime as conforming to the highest scientific standards. However, the ways in which ‘volume’ crime cases are perceived to have been dealt with may raise more pressing questions. Indeed, certain trends are identified within the respondent’s testimony, based upon their experiences of the forensic market, which may raise concerns. Particular developments (such as the perception of case fragmentation and de-skilling, and concerns relating to the production of streamlined reports) could - if accurate - impact on the quality of expert opinion, and may potentially subvert the courts’ ability to arrive at sound determinations on questions of fact

    Portable gas chromatography–mass spectrometry method for the in-field screening of organic pollutants in soil and water at pollution incidents

    Environmental pollution incidents generate an emergency response from regulatory agencies to ensure that the impact on the environment is minimised. Knowing what pollutants are present provides important intelligence to assist in determining how to respond to the incident. However, responders are limited in their in-field capabilities to identify the pollutants present. This research has developed an in-field, qualitative analytical approach to detect and identify organic pollutants that are commonly detected by regulatory environmental laboratories. A rapid, in-field extraction method was used for water and soil matrices. A coiled microextraction (CME) device was utilised for the introduction of the extracted samples into a portable gas chromatography–mass spectrometry (GC–MS) for analysis. The total combined extraction and analysis time was approximately 6.5 min per sample. Results demonstrated that the in-field extraction and analysis methods can screen for fifty-nine target organic contaminants, including polyaromatic hydrocarbons, monoaromatic hydrocarbons, phenols, phthalates, organophosphorus pesticides, and organochlorine pesticides. The method was also capable of tentatively identifying unknown compounds using library searches, significantly expanding the scope of the methods for the provision of intelligence at pollution incidents of an unknown nature, although a laboratory-based method was able to provide more information due to the higher sensitivity achievable. The methods were evaluated using authentic casework samples and were found to be fit-for-purpose for providing rapid in-field intelligence at pollution incidents. The fact that the in-field methods target the same compounds as the laboratory-based methods provides the added benefit that the in-field results can assist in sample triaging upon submission to the laboratory for quantitation and confirmatory analysis