Encouraging Different Perspectives in Digital Forensics: September Research

The discussion about how to mitigate human bias in forensic science continued in September. Inclusiveness is a key part of this, not just in terms of racial, gender, ability, or other identity, but also in terms of expertise. This month we explore four papers and an opportunity for collaborative research that could help to promote inclusion and, thus, less bias among digital forensic practitioners.

Technical papers also feature this month, covering mobile devices, the internet of things (IoT), multimedia, and files and file systems.

Overcoming bias in forensic science

The debate on bias in forensic sciences continued in September, mainly with an emphasis on the discipline as a whole, but the authors’ insights are valuable for digital forensics as well. For instance:

“Forensic scientists have long held that objectivity is a core tenet of our analyses and the expert-witness statements that can result,” write the University of West Florida’s Allysha Powanda Winburn and Texas State University’s Chaunesey M.J. Clemmons in their paper, “Objectivity is a myth that harms the practice and diversity of forensic science.”

“However,” they continue, “our faith in objectivity is complicated by the facts that: 1.) pure scientific objectivity does not exist; and 2.) espousing the myth of objectivity is neither neutral nor benign.” Their argument: diverse perspectives can serve as a bulwark against bias, relying on “mitigated objectivity” via quality control to acknowledge and constrain implicit bias.



True justice was also the foundation for “Re: Letter to the Editor re: Dror and Kukucka, Linear Sequential Unmasking–Expanded (LSU-E): A general approach for improving decision making as well as minimizing noise and bias.”

Dr. Michael Freeman and Ellen Strömmer, MPH, both of Maastricht University, describe how “sequential unmasking of some information may actually impede an investigation” and propose “an approach that combines elements of LSU-E and counterfactual reasoning as a means of identifying and neutralizing elements leading to artifactual bias as a potential next step in advancing the methods described by Dror and Kukucka in their intriguing paper.”

Although the paper focuses on death investigation, Dror’s research has extended to exploring bias in digital forensics as well. Given Winburn and Clemmons’ arguments in their paper, applying these principles to digital forensics may be a worthwhile exercise for practitioners seeking to reduce their own biases.

Finally, Winburn and Clemmons were additionally part of a panel of authors “Responding to the American Academy of Forensic Sciences vision, mission, and values statements: Comments, revisions, and proposed actions.” Together with California State University’s Thomas A. Delgado, SNA International’s Stephanie Hartley, the University of Indianapolis’ Krista E. Latham, the University of Nevada’s Marin A. Pilloud, and Boston University’s Sean D. Tallman, they called for revisions that could “meaningfully engage with issues of diversity and equity” towards pursuing justice within the practitioner community as well as the broader community.

Another way to achieve diversity of perspective is by bringing in other disciplines. In “The trace in the technique: Forensic science and the Connoisseur’s gaze,” Michelle D. Miranda of Farmingdale State College at the State University of New York, observes: “The forensic scientist and the art connoisseur evaluate the whole—a crime scene or work of art, respectively—and draw meaning from the often-overlooked details, or traces, contained therein.”

Miranda’s focus is on physical forensic sciences, but the parallels in digital forensics are unmistakable. For instance: “Connoisseurship is the endeavor to identify artworks by time, culture and authorship… identifying facts (who, when, where), and determining whether other circumstances of production including motive (why) may contribute evidence toward the essential goals of identification.”

Incident response — in particular post mortem forensic investigation — is one example of this activity in the digital realm, attributing attacks to specific threat actors. Parallels exist as well in criminal investigations, in the interest in authenticating digital evidence via patterns of life. To that end, Miranda’s paper may be an enjoyable read for practitioners who appreciate exploring different facets of their work.

An opportunity for cross-border collaborative research comes from the Journal of Digital Forensics, Security, and Law, where Dr Paweł Olber of Szczytno, Poland’s Police Academy, offered “The survey on cross-border collection of digital evidence by representatives from Polish prosecutors’ offices and judicial authorities.”

Exploring digital evidence collection practices across multiple jurisdictions within Poland, Olber seeks to begin “an open discussion with practitioners about existing challenges,” which are reflected in his survey as “time-consuming and ineffective international cooperation, the voluntary nature of cooperation between foreign cloud service providers, lack of harmonized procedures and guidelines, the diversity of legal systems, and the lack of knowledge held by law enforcement officials and the judiciary.” The goal: to invite additional research with a larger sample size and improve current processes.

Mobile device, IoT, and multimedia forensics

Shahid Alam, of Adana Alparslan Turkes Science and Technology University, offered a similarity index model (SIMP) based on natural language processing (NLP) to find malicious patterns in Android apps via semantic similarities. Tested against both real malware and benign Android apps using different validation methods, the proposed model achieved a high success rate, described in “Applying Natural Language Processing for detecting malicious patterns in Android applications” in Forensic Science International: Digital Investigation.

In “A study on LG content lock and data acquisition from apps based on content lock function,” Kookmin University’s Giyoon Kim, Myungseo Park, and Jongsung Kim focused on the LG smartphone’s Content Lock, a system application that protects user memo and multimedia files. By reverse engineering the Content Lock app, the researchers identified the password verification process to acquire the protected data.

A “Digital Forensic Readiness Framework Based on Honeypot and Honeynet for BYOD” proposed by Audrey Asante and Vincent Amankona, of the Catholic University of Ghana, relies on five components “to comply with ISO/IEC 27043, detect security incidents/threats and collect potential digital evidence using low- and high-level interaction honeypots.” The components — BYOD devices, Management, People, Technology and Digital Forensic Readiness itself — are part of a proactive framework that can be embedded in BYOD policy and practice to mitigate security incidents.

On another side of that coin, authors Junsik Sim, Moonho Joo, and Junghee Lee of Korea University describe, at WIREs Forensic Science, the need to mitigate privacy infringement during forensic investigation. Their paper, “Argus: A centralized control system for preserving privacy during digital forensics investigations,” is a proposed means for this mitigation.

IoT forensics are now where mobile forensics once was. Research from the University of Alabama explores “Internet of Things Software and Hardware Architectures and Their Impacts on Forensic Investigations: Current Approaches and Challenges” at JDFSL, where Abel Alex Boozer, Arun John, and Tathagata Mukherjee explore “some of the architectures, current frameworks, and methods available to perform forensic analysis of IoT devices to provide a roadmap for investigators and researchers to form the basis of an investigation” notwithstanding the lack of agreed-upon standards or proven forensic methods.

Multimedia forensics and digital forensics are becoming more and more intertwined, apparent in the FSI:DI paper “Energy-based linear PCM audio recovery method of impaired MP4 file stored in dashboard camera memory.” Authors Nam In Park Ji, Woo Lee Seong, Ho Lim Jun, Seok Byun, Gi-Hyun Na, Oc-Yeub Jeon, and Jung Hwan Lee, all of the Republic of Korea’s National Forensic Service, proposed a method for recovering the linear pulse code modulation (PCM) audio.

Designed to address incompletely stored digital video due to the power interruptions caused by auto collisions, this method extracts an audio signal using the energy of each frame in the “pseudo audio.” The tested method “can recover significantly better the linear PCM audio signal than the conventional methods from an impaired MP4 file.”

File and file system forensics

Minji Um, Jaehyeok Han, and Sangjin Lee of Korea University’s Institute of Cyber Security & Privacy (ICSP), in “File fingerprinting of the ZIP format for identifying and tracking provenance,” observed that these files’ detailed structure, as well as their decompression time values, can help to determine the environment — the operating system and application — the file was created in.

In “A novel file carving algorithm for docker container logs recorded by json-file logging driver,” Song Ge, Ming Xu, Tong Qiao, and Ning Zheng of Hangzhou Dianzi University’s School of Cyberspace proposed a novel carving algorithm to recover container logs in the JSON file format.

Using the log files’ intrinsic structure and where they are stored, the algorithm reassembles the data based on its knowledge of the JSON file format and the similarity between log contents. This way, the authors said, their algorithm can recover more JSON file log lines than other carving tools.

At Cranfield University’s Centre for Electronic Warfare, Information, and Cyber, authors Matt Jarrett and Sarah Morris examine the file systems in the “modular, capability-based” Fuchsia operating system currently in development by Google. “Purple dawn: Dead disk forensics on Google’s Fuchsia operating system” describes the content and structure of the unique volume manager and other partitions, as well as “how the zxcrypt encryption subsystem may inhibit the ability of practitioners to carry out an investigation of the MinFS partition.”

The authors stress that in addition to unanswered questions, the unfinished operating system may yet undergo significant changes that could affect their findings. Nonetheless, with speculation that Fuchsia could replace Android or other operating systems, their work is worth delving into.

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
