January was a somewhat light month in the way of digital forensics research publication, though the introduction of an Asia-Pacific (APAC) installment of the Digital Forensics Research Workshop (DFRWS) conference more than made up for it. This month we feature short summaries of each:
Introducing DFRWS APAC
The inaugural DFRWS APAC conference, a virtual edition, welcomed speakers and attendees from all over the world. It opened with remarks by Dr Bradley Schatz and two keynote presentations: “Silent Failures in Automated Pipelines Involving Multiple Digital Forensic Tools” delivered by Eoghan Casey, and “Extracting Evidence from Damaged Devices” presented by Steven Watson. The three-day conference included:
Presentation of peer-reviewed papers on IoT device analysis; management, training and education; interception, decloaking and traffic analysis; validation and file system analysis techniques; and classification techniques. Workshops were also offered on all three days, covering Velociraptor, forensic email investigation, and beginner-level forensic audio clarification.
This DFRWS also included groupings of short (10- to 20-minute) papers in between the longer sessions, Birds of a Feather networking groups, and the Digital Forensics Rodeo sponsored by the University of New Haven’s Artifact Genome Project.
For a full program with links to abstracts and paper downloads, visit https://dfrws.org/apac-2021-program/.
Other notable research
The six papers we cover here are weighty in what they propose: from reexamining digital forensics labs’ processes and tools, to using AI to scale web browser and deepfake video analysis. Of course, some artifact analysis research — focusing on online platform artifacts — rounds out this month’s offerings.
Reconsidering “the way it’s done”
In Forensic Science International: Digital Investigations (FSI:DI), Nina Sunde of the Norwegian Police University College and Graeme Horsman of Teesside University described “Part 2: The Phase-oriented Advice and Review Structure (PARS) for digital forensic investigations.”
“Part 1: The need for peer review in digital forensics” was published in December, in response to an “arguably undervalued and under-researched” area “where little academic and industrial commentary can be found describing best practice approaches” to quality assurance. This piece reviews the gap between the need for peer review and existing mechanisms, and offers a seven-level “Peer Review Hierarchy.”
Part 2 continues the discussion by proposing the Phase-oriented Advice and Review Structure (PARS), a six-stage approach to investigative tasks, forensic activities and analysis processes designed for digital forensics. Horsman and Sunde describe practical implementation and offer three templates towards this end.
In the same issue, Heckmann, Souvignet, Sauveron, and Naccache, respectively of the Research Center of the French Gendarmerie Officers Academy (CREOGN), Forensic Sciences Institute of the French Gendarmerie (FSIFG), Ecole normale supérieure, University of Lausanne, and the University of Limoges’ XLIM discussed “Medical Equipment Used for Forensic Data Extraction: A low-cost solution for forensic laboratories not provided with expensive diagnostic or advanced repair equipment.”
This creative method came about because the authors “believe that the autopsy of tomorrow will definitely have to be supplemented by analysis of the electronic components present in the body (pacemaker, bio-sensor).”
Their paper is one step in encouraging medical examiners and electronics experts to cooperate to envision and implement future legal medicine and forensic procedures. Focusing on the problems posed by both encryption and physical damage to evidentiary media, the paper describes digital forensic extraction methodology relying on four routinely used medical/autopsy materials and equipment.
Gap-filling and scale-friendly artificial intelligence solutions
Also in FSI:DI in January was “AIBFT: Artificial Intelligence Browser Forensic Toolkit” authored by Hyunmin Kim, InSeok Kim, and Kyounggon Kim of the School of Cybersecurity at Korea University and the Naif Arab University for Security Sciences’ Department of Forensic Sciences.
The authors sought a way to scale web browser investigation in order to discover malicious code that runs through browsers to mine data. By combining digital forensics and artificial intelligence concepts, they developed a visually oriented proof-of-concept toolkit for forensic analysts, the AIBFT, implementing “a reliable AI model that reaches a classification accuracy of classification of web pages by 99.8.” It does this via AI models, analysis of malicious probability, and timeline visualization.
Researchers in Viet Nam described “Learning Spatio-temporal features to detect manipulated facial videos created by the Deepfake techniques.” Xuan Hau Nguyen and Thai Son Tran Van of the Mientrung University of Civil Engineering, Thinh Le of the Central Industrial and Commercial College, Kim Duy Nguyen of the Thu Dau Mot University, and Dinh-Tu Truong of Ton Duc Thang University proposed a 3D “convolutional neural network model” intended to fill a gap in forged-video detection algorithms, which largely analyze or learn features in separate video frames rather than spatio-temporal features drawn from sequences of adjacent frames.
Online platform artifact analysis
Horsman additionally published “A case study on anonymised sharing platforms and digital traces left by their usage” in Science & Justice, focusing on 16 anonymous file transfer services and the artifacts they leave behind.
Because suspicious files might not reside locally — and because illegal file distribution networks could be revealed — it’s incumbent on examiners to use these artifacts to identify whether this type of service has been used.
“Inevitable” digital forensic examinations of the Zoom platform — thanks to malicious activity and “Zoom bombings” exploiting the pandemic-related surge in its use — are the subject of “Zooming into the pandemic! A forensic analysis of the Zoom Application,” authored by Andrew Mahr, Meghan Cichon, Sophia Mateo, Cinthya Grajeda, and Ibrahim Baggili of the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG).
They focused on using primary disk images, network captures, and memory forensic analysis to show how to find critical user information — including chat messages, names, email addresses, and even passwords — in plain and/or encrypted/encoded text, along with some “interesting anti-forensics techniques.”
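As an added illustration (not code from the UNHcFREG paper), the following Python sketch shows the basic carving step that disk- and memory-based searches of this kind rest on: pulling printable strings out of a raw buffer, picking out e-mail addresses, and decoding base64 runs that turn out to be readable text, which is how “encoded” chat fragments or credentials surface next to plaintext ones. The buffer, the field names and every value in it are constructed for the example.

```python
import base64
import re

# Constructed stand-in for a slice of a memory dump: plaintext fields, one
# base64-encoded chat fragment, one base64 blob that is NOT text, and noise.
SAMPLE_DUMP = (
    b"\x00\x00PK\x03\x04noise"
    + b"user_email=alice.example@example.com\x00"
    + b"\xff\xfe\x00display_name=Alice Example\x00"
    + b"payload=" + base64.b64encode(b"chat: see you in meeting 123-456") + b"\x00"
    + b"\x7f\x00\x00random\x01\x02"
    + b"token=" + base64.b64encode(bytes(range(10))) + b"\x00"
)

# Runs of printable ASCII, like the classic `strings` utility.
PRINTABLE_RUN = re.compile(rb"[ -~]{8,}")
# A deliberately simple e-mail pattern; good enough for triage, not validation.
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Base64-looking runs of at least 16 alphabet chars with optional padding,
# bounded so we do not match the tail of a longer alphanumeric token.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def carve_printable_strings(buf: bytes, min_len: int = 8) -> list[str]:
    """Return every printable-ASCII run of at least min_len bytes."""
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(buf)]


def find_emails(buf: bytes) -> list[str]:
    """Return distinct e-mail addresses found in the buffer, in order."""
    seen: list[str] = []
    for m in EMAIL.finditer(buf):
        addr = m.group().decode("ascii")
        if addr not in seen:
            seen.append(addr)
    return seen


def _is_readable(data: bytes) -> bool:
    return len(data) > 0 and all(32 <= b < 127 for b in data)


def find_encoded_text(buf: bytes) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for base64 runs that decode to readable ASCII.

    Runs that fail strict decoding, or that decode to binary, are dropped so
    that random alphanumeric tokens and real binary blobs do not produce noise.
    """
    found: list[tuple[str, str]] = []
    for m in B64_RUN.finditer(buf):
        candidate = m.group()
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:
            continue  # bad padding or length: not base64 after all
        if _is_readable(decoded):
            found.append((candidate.decode("ascii"), decoded.decode("ascii")))
    return found


def analyze(buf: bytes) -> dict:
    """Bundle the three views an examiner would look at first."""
    return {
        "strings": carve_printable_strings(buf),
        "emails": find_emails(buf),
        "decoded": [decoded for _, decoded in find_encoded_text(buf)],
    }


if __name__ == "__main__":
    for key, values in analyze(SAMPLE_DUMP).items():
        print(key)
        for v in values:
            print("   ", v)
```

Run against a real image or memory capture, the same three passes are what you would feed into a timeline or keyword hit list; the base64 filter is the part worth keeping, because a naive decode of every alphanumeric run buries the genuine hits under binary garbage.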