This month’s roundup features an eclectic assortment of research on mobile, IoT, and vehicular devices, as well as file forensics, image forensics, and threat detection. Much of this research explores novel acquisition techniques for newer technologies, although new methods for existing technology are also covered. Machine learning factors strongly in several of these papers.
In addition, Forensic Science International (FSI): Synergy published abstracts from the Proceedings of the American Society of Crime Laboratory Directors (ASCLD) meeting in a supplement to its third volume. The presentations focused on forensic lab and team management as well as legal matters. While they are relevant to forensic sciences broadly, digital forensics units or labs can benefit as well.
On the technical side: Novel tools and methods
Android app developers sometimes deploy obfuscation approaches to optimize code and/or prevent code theft and code tampering, but the same methods can be used to circumvent anti-malware products, and forensic responses are lacking. Obfuscation methods that are both adapted and targeted to the Android platform are discussed in “Android application forensics: A survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations” at FSI:DI.
Electromagnetic side-channel analysis research continues (see our previous coverage from 2020 and 2018) with “Identifying Internet of Things software activities using deep learning-based electromagnetic side-channel analysis.” The research’s purpose: to investigate how applying machine learning can be part of a novel approach to “identify complex activities on IoT devices from their generated electromagnetic noises.” The paper demonstrates that “machine learning models trained on past data of complex software activities recognise these activities in future recordings,” with deep learning models the most accurate and precise of these.
Based on research conducted over three years on 250 newly manufactured vehicles from 43 manufacturers worldwide, “Digital vehicle identity – Digital VIN in forensic and technical practice” predicts that Digital VINs will become key identifiers in forensic examinations over time. Because Digital VINs are still fairly new, however, they are not failproof in a forensic context. The authors describe both opportunities and challenges, recommending some processes to integrate their use in everyday forensic methodology.
Forensic image analysis is the subject of “A machine learning-based approach for picture acquisition timeslot prediction using defective pixels.” Defective pixels come from camera sensor defects, and their locations in the image are what can be used to predict the times in which they were created. These predictions inform the construction of accurate timelines for an investigation, but at the same time, images can exist in such large quantities that automation is important. The research proposed a system that has an estimated accuracy between 88 and 93 percent.
By analyzing the encryption method used in the latest version of Smart Switch in Windows and macOS environments, the researchers behind “Methods for decrypting the data encrypted by the latest Samsung smartphone backup programs in Windows and macOS” were able to decrypt all encrypted backup data among other results, including measuring the time and resources required to recover the PIN used for PIN-based backup.
In “NTFS Data Tracker: Tracking file data history based on $LogFile,” researchers developed “a technique that reproduces changes in the metadata within the $MFT on a file-by-file basis by using transaction data recorded in the $LogFile” to track all data on any given file’s history, from creation to deletion. The paper fills a research gap and includes an NTFS Data Tracker developed in conjunction with the new technique.
“Toward situational awareness in threat detection. A survey” bears in mind that standalone threat detection systems are rendered inadequate in the face of advanced network attacks’ spatial and temporal characteristics, including multi-stage attacks, stealthy techniques, and “adversarial learning.” To that end, the paper includes a comprehensive review of decision strategies, including their ability to support cyber situational awareness and system refinement.
“Digital evidence and the crime scene” describes how first responders are often required to evaluate whether a device they’ve identified is likely to contain case-relevant evidence. The paper includes identification approaches and investigative opportunities, proposing a concept of “digital devices acting as ‘digital witnesses’” and exploring potential ‘digital crime scene’ scenarios and strategies for processing them.
Another aspect of the field-to-lab forensic process involves quality management. “Forensic advisors: The missing link” between scientists, investigators, and others who collaborate to use science to solve crimes proposes: “The generalist forensic scientist, in the role of forensic advisor, helps bridge gaps and break down silos by facilitating communication between actors and overseeing the potential contribution of traces in investigatory efforts.” The paper describes how this works across an investigation’s stages, ultimately improving forensics’ standing and service delivery.
On the lab management side: ASCLD’s annual meeting
The managerial aspects of forensic work are a necessary perspective given how rapidly digital forensic science changes, even as the profession continues to push for standardization to demonstrate its credibility in courts of law.
Lab and team management
Lab management was the topic of two presentations by Paul Speaker and FSI: Synergy editor-in-chief Max Houck. Their workshops, “FORESIGHT 101: What Is It, How Do I Get Started, and What Will It Do For My Lab?” and “FORESIGHT Interpretation: What Do I Do With All This Data?” summed up how lab managers can “combine a review of mission, vision, and values to connect the budget allocation process to a feedback loop through which the laboratory uses the FORESIGHT metrics to evaluate performance and reformulate strategic plans.”
Another lab management workshop, “Big Bang For Your Buck: Effective Management Review,” focused specifically on annual management reviews in the context of ISO/IEC 17025:2017 or ISO/IEC 17020:2012 accreditation, asking participants to consider another, real-time management review process to maximize time and minimize redundancy.
Several workshops oriented themselves on team management. “Play Well With Others: The Power of Collaboration” also focused on accreditation, which the presenters clarified as “not the limiting factor.” Quality managers, purchasing, technical review and/or verification personnel, and other roles were presented as examples for collaborative processes.
Perspectives that come from outside the lab can be valuable, and “The NFL Approach to Building Winning Teams” showed how top football teams, despite apparent differences on the surface, work in very similar ways to achieve sustained success.
For leaders, “Leading Through Dysfunction and Change to Achieve Lasting Results” explored “a three-pronged, practical approach for navigating through complexity to find professional and personal fulfillment,” while “Leading Outward” showed participants how “to lead in a way that accounts for others as people – with ideas, challenges, and needs of their own.”
Some presentations addressed burnout in particular. “Building Resilient Teams” reminded workshop participants that to adapt to change and stress, a systemic emphasis on individual, team, leadership, and organizational levels is the ideal way to build resilience.
“Assessment of Secondary Trauma, Burnout, and Job Satisfaction of Forensic Professionals,” meanwhile, noted a gap in research between forensic science professionals and others including first responders, law enforcement, legal professionals, and human services providers. Surveying forensic practitioners, the researchers identified ways that managers can identify levels of stress and intervene to address vicarious trauma through promoting health, wellness, and resilience.
“Implementing a Successful Career Progression System” looked at the West Virginia State Police Forensic Laboratory’s career progression system, in place since 2018, as a case study in how employee retention involves “workplace satisfaction and opportunities to advance and develop professionally” as much as competitive salary, and how the lab’s success in this area also improved metrics in other areas — including reduced backlog.
A more technical workshop, “The Impact of Digital Evidence in Forensic Laboratories,” described the evolution of digital evidence from the early 1990s to the present, including current challenges like work volumes and autonomy. The presentation also looked into the future, examining sustainability of digital evidence units, training, and growth needs as technology evolves.
Training was also the topic of “Redefining Success: The Collaborative Path to Impactful International Training.” This workshop took a broad look at the Global Forensic and Justice Center (GFJC), whose work fostering partnerships has led to better relationships, best practices, and even accreditations. In particular, its work guides “not only our subject matter experts in the classroom, but the effectiveness of our training efforts on the practitioner,” by relying on local experts to adapt training to a region and pave a path to accreditation success beyond the training period.
Another valuable aspect of career building in forensics is publication. “New Ways to Publish Research and Validations, Benefits of the ASCLD/Elsevier Partnership to Your Lab” looked at the three Elsevier open access journals considered “preferred journals of ASCLD” since 2019: Forensic Science International-Synergy, Forensic Science International-Reports, and the Journal of Forensic Chemistry. Validations and lab research are particularly valuable to these journals, and in addressing the benefits of publishing, the presenters encouraged attendees to submit.
New technology affects digital forensics at least as much as, if not more than, other forensic sciences. “Setting the Legal Precedent: Bringing New Forensic Technology to the Courtroom” addressed the admissibility of DNA instruments in particular, but offered insights on the difference between admissibility hearings and expert witness testimony, including “the opportunity for an analyst to expand their testimony experience” and what kinds of preparation are needed.
These issues could play into “Understanding Claims of False or Misleading Evidence: Revelations from the Analysis of Exoneration Cases and Implications for Forensic Science Testimony and Communications,” a presentation that looked at “the extent of errors related to forensic testing and methodology; the use of unreliable or unproven methods; the communication of probative value; and the interface of forensic scientists with investigative and legal practitioners.” The observation that “unproven innovations have introduced unreliable forensic results into criminal trials” may be particularly salient to digital forensic practitioners.
Part of the problem, posited “Together Toward Tomorrow: How to Avoid Becoming a Victim of Your Cases,” is a lack of education among media, press, judges, prosecutors and defense attorneys, whose misunderstandings — and misinterpretations or misrepresentations — of science “might impact the judicial system as to the testimony of forensic science experts.” The workshop offered suggestions on collaborating with these professionals while preparing to testify.
In a similar vein, “When Bad Things Happen Inside Crime Labs” examined a North Carolina case study around a 2010 exoneration on a first-degree murder charge. Extensive negative media coverage and a lab performance review, which focused particularly on reporting practices, drove “undue stress, low morale and a negative work environment that resulted in an exodus of employees,” yet the lab made it an opportunity to learn and improve “to become a thriving, high production Crime laboratory.”
Independence is a cornerstone of scientific objectivity in forensics, and “This is What Independence Looks Like” explored it with regard to the successful defense by the District of Columbia’s Department of Forensic Sciences (DFS) against a 2020 attack on its integrity. In particular, the case centered on “lessons learned and process improvements made concerning case documentation, elimination factors, independent verifications and peer reviews” towards error mitigation and competency requirements.
Many labs are not independent, however, and “Meet the Newly-Formed National Association of Forensic Laboratory Counsel” described how “attorneys advising public forensic laboratories that primarily provide forensic services to government or law enforcement agencies” can play a pivotal role in overseeing the use, interpretation, and implications of forensic sciences in criminal cases, and how the new organization helps train the attorneys to stay abreast of new developments between law and science.