A Springboard To Digital Forensics Research In 2021

The end of 2020 could not come fast enough for most of us, and yet, as the year wound down, some things — such as the digital forensics research recapped in this article — were worth slowing down for. This article offers an overview of research published between November and December.

This month we start with DigitalCorpora’s news that they’ve joined the AWS Open Data Sponsorship Program. Corpus downloads have moved from their previous downloads server at George Mason University to storage in Amazon S3.

“This means that the download server will be more stable moving forward,” reads the blog on DigitalCorpora’s website. “It will also make it much easier (and faster) to analyze the corpus from the Amazon Cloud—and all forensics should be done in the cloud, right?”

The http://downloads.digitalcorpora.org/corpora/ gateway will remain, but will redirect users to an AWS S3 download. TTS for downloads is another addition.

New research from the EU’s FORMOBILE initiative

The Automated Android Analysis Lab of ZITiS (Z-A3L) was highlighted at November’s virtual Research Institute Cyber Defence Meeting, as PhD candidate Christopher Lenk presented “Analysis of suspicious applications from evidence-relevant Android devices under real reconstructed conditions.”

The result of 18 months of work as part of the FORMOBILE initiative, Lenk’s presentation offered a brief overview of Android malware, followed by a discussion of automated analysis for applications from Android devices — in a way that adheres to forensic process regulations, including evidence preservation.

Lenk walked through the Z-A3L prototype created through FORMOBILE, including its web access interface, static and dynamic techniques for its hardware-based analysis, and its reporting of app behavior both during execution and on analysis after the fact — helping to determine the likelihood of it being malicious.

Future functionality will include more applications and Android versions, as well as advanced program analysis and realistic Android system simulation.

4 posts — and lots of research opportunities — at DFIR Review

DFIR Review published a number of articles at the end of the year on the following topics:

  • The trustworthiness of Google Takeout location data
  • Two Bluetooth-oriented pieces of research
  • Tracking Windows 10 processes by their access to camera and microphone

As with all DFIR Review articles, future work is spelled out for other researchers who want to pick up a ball and run with it. Follow the links to the individual articles for more details!

Cloud-based data like Google Takeout is often held up as a way to verify data acquired from mobile devices or provider search warrant returns. However, in his article “Can Google Takeout Location Data Be Trusted?” Ross Donnelly, Digital Team Leader for Keith Borer Consultants, questions:

“As the data is downloaded directly from Google, there is a temptation to blindly trust this data. This leads to an important question: could a user alter the location data held by Google in order to mislead an investigator?”

The short answer: yes. Donnelly’s research revealed that Google’s own Location History tool indeed allows users to easily remove and add locations. By comparing two sources of location data within the Takeout — the alterable Semantic Location History and the (so far) unalterable raw data in Location History.json — Donnelly demonstrated indicators that can be used to identify data manipulation.

Cellebrite’s Heather Mahalik, Senior Director of Digital Intelligence, contributed to two DFIR Review pieces. “How Android Bluetooth Connections Can Determine if a Driver had Their Hands on the Wheel During an Accident” and “How to Use iOS Bluetooth Connections to Solve Crimes Faster” both relied on Josh Hickman’s public images and test documentation, as well as building on her own previous research.

For her Android Bluetooth article, Mahalik focused on determining, first, whether Bluetooth devices were paired to an Android device and, second, the actual connection times. Relying on parsed Bluetooth data from Cellebrite’s Physical Analyzer — which reviewers made sure to mention was verifiable using various open source tools — Mahalik showed where and how to find the timestamp data needed to “put a person in a car, connected to Android Auto, when an activity occurs.”

The iOS Bluetooth article, which Mahalik coauthored with Matt Goeckel, a Cellebrite solutions engineer, built on both examiners’ independent iOS Bluetooth research. Of note, she wrote: “Oddly enough, our research stemmed from a question asked by an IACIS colleague of ours…. Matt and I could have worked on this together in 2018, but we weren’t aware we were both researching the same thing, which is a common theme in DFIR.”

Similar to the Android research, the question here revolved around Bluetooth timestamps, which as it turned out, are not stored in UTC as most iOS database and plist timestamps are. Instead, the file stores timestamps “in UTC with an adjustment to the user’s ‘base’ time zone” — even if they connect in a different geographic location altogether.

Finally, Zachary Stanford’s “Can You Track Processes Accessing the Camera and Microphone on Windows 10?” shows how to determine when, and for how long, a process had access to resources such as the microphone, webcam, Bluetooth, location, contacts, etc., with a focus on the first two. In particular, he wanted to test how malicious activity could be tracked this way, though the method is also useful for determining the length of, say, a conversation.

Based on sheer curiosity after coming across a page in Windows settings, Stanford’s research relied on registry keys’ LastUsedTimeStart and LastUsedTimeStop values to demonstrate, for example, “Zoom.exe had access to my webcam for 27.2 minutes.”
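As an added example (not code from Stanford’s article or this page), the snippet below turns LastUsedTimeStart/LastUsedTimeStop pairs into an access timeline like the “27.2 minutes” finding above. It assumes the values are 64-bit Windows FILETIME counts (100-nanosecond ticks since 1601-01-01 UTC) read from the CapabilityAccessManager ConsentStore registry path, that a LastUsedTimeStop of 0 means the app still holds the device, and that the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a REG_QWORD FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def access_windows(entries: dict, now: datetime) -> list:
    """Turn {app_subkey: (LastUsedTimeStart, LastUsedTimeStop)} into rows.

    Assumption (not stated on the page): a LastUsedTimeStop of 0 means the
    app still holds the resource, so its duration is measured up to `now`."""
    rows = []
    for subkey, (start_ft, stop_ft) in entries.items():
        start = filetime_to_datetime(start_ft)
        in_use = stop_ft == 0
        stop = now if in_use else filetime_to_datetime(stop_ft)
        rows.append({
            "app": subkey.rsplit("#", 1)[-1],  # NonPackaged subkeys encode '\' as '#'
            "start": start,
            "stop": stop,
            "minutes": round((stop - start).total_seconds() / 60, 1),
            "in_use": in_use,
        })
    return sorted(rows, key=lambda r: r["start"])


# Constructed sample, shaped like the NonPackaged subkeys under
# HKCU\...\CapabilityAccessManager\ConsentStore\webcam (path assumed).
T0 = datetime(2020, 12, 1, 14, 0, tzinfo=timezone.utc)
SAMPLE = {
    "C:#Users#x#AppData#Roaming#Zoom#bin#Zoom.exe":
        (datetime_to_filetime(T0), datetime_to_filetime(T0 + timedelta(seconds=1632))),  # 27.2 min
    "C:#Program Files#Example#still_running.exe":
        (datetime_to_filetime(T0 + timedelta(hours=1)), 0),  # stop == 0: still in use
}
NOW = T0 + timedelta(hours=2)

if __name__ == "__main__":
    for r in access_windows(SAMPLE, NOW):
        flag = " (still in use)" if r["in_use"] else ""
        print(f"{r['app']}: {r['start']:%Y-%m-%d %H:%M:%S} -> "
              f"{r['stop']:%H:%M:%S} UTC, {r['minutes']} min{flag}")
```

The same conversion applies to the microphone, location and other ConsentStore subkeys, which differ only in the capability name in the path.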

Visual-based geolocalization for forensics; cryptomarket transaction patterns

Also in December, two scholarly papers on digital forensics were made available at Forensic Science International: Digital Investigation:

Yokota et al. from Japan’s National Research Institute of Police Science published “A revisited visual-based geolocalization framework for forensic investigation support tools.” Visual-based geolocalization, defined by Cornell University’s SE(3) Computer Vision Group as the “given a photo, where was it taken?” problem, is a field whose studies “have not mainly focused on forensic purposes,” wrote Yokota et al.

Their paper aims to fill that gap for machine learning around investigation support tools, with particular emphasis on “maintainability that results from the ease of replacing the implemented algorithms with more appropriate algorithms [and] the interpretability of bottlenecks in the current system,” which they called advantages that are “specific and essential to forensic science where practicality is important.”

At Tohoku University and the Tokyo University of Science, meanwhile, researchers Yoichi Tsuchiya and Naoki Hiramoto published “Dark web in the dark: Investigating when transactions take place on cryptomarkets.”

Seeking to fill a gap between cryptomarket characteristics — product categories, sale volumes, and the number of listings and vendors — and patterns of activity around illegal drug transactions, specifically times of day and days of the week, Tsuchiya and Hiramoto traced Bitcoin addresses associated with the six previously leading and most active cryptomarkets.

Doing this identified clear activity patterns:

  • Transactions more often take place at night in European countries, the United States, and Canada.
  • More transactions take place on Mondays, Tuesdays, and Wednesdays, and fewer on Saturdays and Sundays.

The research also determined that Operation Onymous, a cryptomarket policing effort, “only displaced users among these marketplaces and did not deter their activity, even in the short-term…. [nor] alter users’ transaction patterns.”

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.