Research Roundup: Micro Analysis To Macro Implications In Digital Forensics

Our brief roundup this month looks at seven recent papers, which look at improving malware detection and acquisition, analyzing instant messaging apps and the Zoom platform, the future of digital forensics tools and practice, and finally, a framework for forensic science.

Improving malware detection and acquisition

In Forensic Science International: Digital Investigation (FSI:DI), researchers in the United Kingdom and Thailand devised “Fuzzy-import hashing: A static analysis technique for malware detection.”

Nitin Naik, Paul Jenkins, Nick Savage, Longzhi Yang, Tossapon Boongoen, and NatthakanIam-On proposed a technique that integrates fuzzy hashing and import hashing to improve malware detection accuracy, as well as overall malware analysis performance, compared to each type of hashing on its own.

Tested on four different types of ransomware categories — WannaCry, Locky, Cerber and CryptoWall — along with goodware samples, and compared to established malware analysis technique YARA rules, the proposed hash technique addresses new malware types and their attack vectors.

Also at FSI: DI, the University of Jyväskylä (Finland)’s Raz Ben Yehuda, together with Erez Shlingbaum, Yuval Gershfeld, Shaked Tayouri, and Nezer Jacob Zaidenberg of Israel’s College of Management Academic Studies, wrote up “Hypervisor memory acquisition for ARM.”


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Referring to the ARM architecture, the authors proposed a hypervisor based memory acquisition tool, which extends the Volatility memory forensics framework for advanced forensics and malware analysis tasks.

The paper offers benchmarks and evaluation of this implementation, showing how it mitigates the stress of acquisition on both network and disk. As well, it solves memory snapshots’ incoherency problem by reducing the processor’s consumption.

Platform/app analysis

A collaboration between academic researchers from South Korea’s Kookmin University and members of the Prosecutors’ Office Digital Investigations Division resulted in “Forensic analysis of instant messaging apps: Decrypting Wickr and private text messaging data,” also published in FSI:DI.

Giyoon Kim, Soram Kim, Myungseo Park, Younjai Park, Insoo Lee, and Jongsung Kim observed how different instant messenger apps manage personal information with an eye toward developing a decryption method for IM app data.

Focusing on both Android and iOS versions of Wickr as well as Private Text Messaging, the research presented how the database and main files of IM apps are stored and encrypted, as well as how the apps verify passwords. offered a decryption methodology for the apps’ databases and multimedia files.

At WIREs Forensic Science, authors Manoranjan Mohanty (University of Technology-Sydney), together with Riyanka Jena and Priyanka Singh of the Dhirubhai Ambani Institute of Information and Communication Technology, questioned: “Can Zoom video conferencing tool be misused for real‐time cybercrime?

Following research published in January, this paper focused on piracy and livestreamed pornography crimes, extensions of “Zoombombing,” and the way that Zoom’s and other platforms’ end‐to‐end encryption could additionally complicate these cybercrimes. New mechanisms, the paper concluded, are needed.

The future of digital forensics tools and practice

WIREs Forensic Science also published a paper by University of Texas-San Antonio researchers Aaron Jarrett and Kim‐Kwang Raymond Choo: “The impact of automation and artificial intelligence on digital forensics.”

Their paper looks at the way the integration of AI and automation can improve both efficiency and accuracy, as well as reduce costs, when it comes to digital forensics software, processes and operations.

“While there is still an on‐going cost associated with automation, the cost is typically many magnitudes smaller than the on‐going costs incurred to get the job done manually, which increases the likelihood of generating a high return on investment… enabling the resolution of more digital investigations,” the authors note in their abstract.

At the Journal of Digital Forensics, Security and Law, “Viability of Consumer Grade Hardware for Learning Computer Forensics Principles,” by Lazaro A. Herrera of Nova Southeastern University, proposed the use of budget consumer hardware and software to teach computer forensics principles and for non-case work, including technique testing, research, and development.

This could be particularly useful in developing markets, small forensics laboratories, or classroom settings, Herrera argued, owing to their accessibility. The goal: to test the viability of each piece of hardware, as well as these pieces in combination with one another, to see when forensics-grade hardware would become needed.

A framework for forensic science

At Science & Justice, “The distinction between discriminability and reliability in forensic science” explored the need for forensic scientists to maximize discriminability, leaving evidence reliability assessment to the criminal justice system.

Authors Andrew M. Smith, of Iowa State University, and Tess M.S. Neal, of Arizona State University, presented this distinction as “a critical framework,” they wrote in their abstract, “to guide future research on diagnostic-testing procedures in the forensic science domain,” thus improving “the empirical scrutiny that is expected in other scientific disciplines.”

Could digital forensics take something from this framework? That may be the subject of future research.

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.

Leave a Comment