March’s Spread of Digital Forensics Research Examines Implementation

Apart from the papers presented at the Digital Forensics Research Workshop (DFRWS), March also saw additional work from around the globe. This month’s roundup takes a look at:

  • Integrating cognitive psychology into forensic practice
  • Research exploring how digital forensic evidence is used in cases
  • Three papers discussing cryptocurrency and the dark web
  • Explorations of browser artifacts, deepfake detection, solving for cloud-related data storage challenges, and applying humanitarian law to cyberwarfare

Celebrating women’s contributions to tech

Just as they did for Black History Month, the Leahy Center for Digital Forensics & Cybersecurity blog celebrated Women’s History Month by “highlighting five pioneering women and their accomplishments in the fields of computer science and information technology,” including accessibility and understandability:

  • Ada Lovelace, the world’s first programmer, who referred to herself as a “poetical scientist” who “highlighted the importance of intuition and imagination in mathematics and science.”
  • “Amazing Grace” Hopper, computer engineer, software developer, and U.S. Navy admiral
  • Mary Allen Wilkes, a programmer-become-attorney whose work “stemmed from a desire to simplify the processes that would allow technology to be brought to the masses.”
  • “Mother of the Internet” Radia Perlman, who focused on “simplifying the complicated and letting the machines do the work themselves.”
  • Elizabeth “Jake” Feinler, whose work as one of the major contributors to the design and creation of ARPANET “laid the foundation for the modern internet.”

Human factors in forensic workspaces

Of course, as we discussed in a recent podcast about women’s contributions in Bletchley Park during World War II, the right work environment is crucial. Forensic Science International: Synergy published a special issue around human factors in forensic science.

The five-article issue constitutes a “practice sourcebook,” an interdisciplinary look at “the understanding and adoption of insights from cognitive psychology into forensic practice.”

With the intent to encourage lab managers to consider human factors in improving their practices, as well as to identify research gaps for future exploration, the guide covers:


  • Initial personnel selection and assessment.
  • Initial training and also the administration of assessments through a scientist’s career.
  • The psychology underlying the everyday tasks done by feature-comparison and process analysts.
  • Various ways in which a laboratory’s culture and policies can affect an analyst’s reactions to stressors for better or worse.
  • The communication of forensic science information down the pipeline, from the time it is collected to when it may be testified to in court.

Exploring how digital evidence is used in cases

In “Reliability assessment of digital forensic investigations in the Norwegian police,” authors from the Norwegian University of Science and Technology explored to what extent international standards are implemented and followed by law enforcement in their casework.

The result: based on 124 reports related to the acquisition, examination, and analysis of 187 computers, mobile phones and storage devices from 21 randomly sampled criminal cases, none were found to comply with digital forensic methodology.* The insufficiently documented reports left no pathway to trace forensic acquisition, examination, or analysis on each item, or link the digital evidence to its source.

Meanwhile, researchers at University College London described “Investigating the uses of mobile phone evidence in China criminal proceedings” to fill two gaps: first, the analysis of human factors and the implementation of forensic tools in investigations, and second, a paucity of research on the uses of forensic evidence in eastern countries such as China.

The research, an automated content analysis of court sentencing documents from 2013 to 2018, showed that mobile phone evidence – largely consisting of call records and instant messaging – was used in just 3.3% of criminal proceedings in that country and, in fact, “a large amount of mobile phone evidence is transformed into other evidence formats or filtered out directly before court proceedings.”

How the public, and not only the courts, perceives different forms of digital evidence was the topic of “Attitudes towards police use of consumer/private DNA databases in investigations,” a study conducted by Australian researchers from the University of Canberra and the Australian Federal Police.

Citing a need to understand how ethical concerns regarding privacy and consent affected moral alignment, the international survey of 438 adults found higher levels of public support for third-party data usage in the most serious case types explored (sexual assault and homicide) and lower levels of support for DNA database usage in robbery and illicit drug related cases.

These studies carry implications for the relevance and proportionality of digital evidence, and thus, the obligation for forensic practitioners to carry out “all reasonable lines of inquiry” in their examinations. To that end, Cranfield University’s Graeme Horsman asked, “When is a line of inquiry ‘reasonable’? – a focus on digital devices” in the Australian Journal of Forensic Sciences.

Observing that “determining ‘reasonableness’ [of lines of inquiry] is not straightforward where unfettered access to all available data should not be a default position in all cases and a suspect’s right to privacy respected,” Horsman offered a framework to help “support the production of transparent, robust and defensible decisions regarding the assessment of reasonableness.”

Addressing cryptocurrency and dark web challenges

In March, three papers focused on issues related to “dark web” usage including transactions.

First, “Vision: An empirical framework for examiners to accessing password-protected resources for on-the-scene digital investigations” addressed “anonymous services such as data in remote areas without authentication information, data encryption, device locks, and cryptocurrencies.”

Authored by academic and law enforcement researchers in South Korea, this paper presented a framework that field practitioners need in order to access the evidence consistently, both in the present and as new services and digital devices appear in the future.

Researchers in Italy and the Netherlands, meanwhile, wanted to learn more about “The shift of DarkNet illegal drug trade preferences in cryptocurrency: The question of traceability and deterrence” towards understanding the influences on darknet consumers’ choices.

By running temporal topic models and sentiment analysis on ClearNet forum data over eight years, the authors were able to ascertain that the shift in darknet markets from Bitcoin to Monero happened only as a result of Monero’s 2017 privacy updates – not, as previously thought, the 2015 announcement of Bitcoin’s traceability.

Ensuring that dark web transactions and other activity are forensically sound was the topic of “The Digital Detective’s Discourse – A toolset for forensically sound collaborative dark web content annotation and collection,” devised by researchers at Sweden’s Stockholm University to enable law enforcement investigators to annotate and store specific dark web content.

Implemented as a plugin for the Tor browser, this new tool features a central storage management server for the annotated data, which can then be used to train machine learning algorithms. In turn, given more complete and accurate data, the algorithms can more effectively analyze large quantities of dark web data relevant to criminal investigations.

Technical studies: browsers, deepfakes, privacy, and policy

The remaining papers published in March covered a range of technical topics from the micro to macro levels.

In “A critical comparison of Brave browser and Google Chrome forensic artefacts,” researchers at the United Kingdom’s Cranfield University found that the Chromium-based Brave and Chrome share almost identical data structures. This made the successful recovery of both available and deleted data possible.

In turn, the findings encourage best practices for both practitioners and software developers, “respectively responsible with the examination of Chromium artefacts for use in evidence production, and development of new forensic tools and techniques.”

Differentiating deepfake from authentic video content is one of the most urgent needs of our modern age, yet manipulation models can’t easily be generalized from known to new techniques. That problem is what drove “Deepfake forensics: Cross-manipulation robustness of feedforward- and recurrent convolutional forgery detection methods.”

The authors, a Netherlands research team, sought to explore “the critical factors that guide cross-manipulation detection performance.” Although the team found that none of the detection model types they evaluated performed universally better, that detection accuracy remained “problematic,” and that the models aren’t ready to be applied in the real world, the research provides some important groundwork from which to move forward.

To mitigate the risks of unauthorized access and theft of confidential “unordered, unsafe, and uncertain” data stored in the cloud, researchers at India’s Shri Rawatpura Sarkar University offered a “Proposed L-Shape Pattern on UFS ACM For Risk Analysis.” Their research designed a Unix file system (UFS) access control mechanism (ACM) model around Read, Write and Execute (RWX) to normalize the data at scale and minimize access while maximizing data safety and availability.

Finally, Humna Sohail, of Pakistan’s International Islamic University, discussed “Fault Lines In The Application Of International Humanitarian Law To Cyberwarfare.” Because armed conflicts in cyberspace differ from kinetic warfare in a variety of ways, and the international community hasn’t yet reached consensus on how the otherwise flexible Law of Armed Conflict (LOAC) can be applied to cyberwarfare, violations of humanitarian law are increasingly likely. Thus, Sohail wrote, “existing treaty law is sufficient in many aspects yet in some areas treaty-making is also needed” to evolve the law.

*Correction: An earlier version of this article erroneously stated, “…21 randomly sampled cases out of 124 were shown to comply with digital forensic methodology, justify the methods and tools used, or validate tool results and error rates.” The text has been corrected with an accurate statement.

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
