Research Roundup: New Digital Forensic Insights And Opportunities

February’s research in digital forensics isn’t just about the papers presented at the American Academy of Forensic Sciences (AAFS)’ annual meeting, or those published in the various journals. Last month also saw new research opportunities, either for an impact study of training or simply by taking advantage of some new resources.

Call for survey respondents

PhD candidate Charlene Coon seeks practitioners to respond to her Digital Forensics Support study, which seeks to identify:

• Any relationship between digital forensics training and capable guardianship (as defined by Routine Activity Theory) of potential targets and victims in communities. 
• Any significant differences in learning comprehension and outcomes between three digital forensic training delivery methods: live online, recorded online, and no training options.

The twofold goal: to explore post-pandemic training effectiveness, as well as to help inform budget priorities for digital forensics training.

The idea, Coon said in an interview, is to deter bad actors in a community — be it on or offline — by raising their risk profile for getting caught. The way to do that, she believes, is through more skilled forensic examiners who are trained not just to effectively identify evidence, but also to better present it — to tell its story — to prosecutors, either inside or outside of court.

New research & test resources

Forensic Focus has been covering Digital Corpora’s move to a new webserver and browser that relies on Amazon Web Services S3. Having transitioned their downloads from George Mason University to Amazon S3, Digital Corpora has also moved to a new browser running on the digitalcorpora web server.

Find the downloads at https://downloads.digitalcorpora.org/corpora/ and the new browser at https://app.digitalcorpora.org/corpora/. Comments and requests can be submitted to https://github.com/digitalcorpora/app/issues.

Over at The Binary Hick, Joshua Hickman has released an iOS 14 image, with documentation, containing 42 third-party apps. The list newly includes Garmin, GroupMe, Microsoft Teams, Slack, and Threema, as well as some health data. An associated encrypted iTunes backup, a set of SysDiagnose logs for the device are also included, together with an accompanying macOS Big Sur image using the same iCloud account as the iOS device.

For additional comparisons, Hickman is further offering an image of the same iPhone both prior to being updated to iOS 14, and after being updated to iOS 14.2.

AAFS’ annual conference covers technology & jurisprudence

The 73rd annual scientific meeting of the American Academy of Forensic Sciences (AAFS) took place the week of February 15. The meeting covers the entire range of forensic sciences; some of the selected papers from its digital and multimedia section include:

• “A Study of Video Conferencing Software From an Authentication Perspective” (Whitecotton, Lomboy & Zjalic)
• “Houston, We Have a Problem: Deepfake Is the Word! (Battiato, Giudice & Guarnera)
• “The Recreation and Visualization of Runtime Objects Relationship From Process Memory Images” (Ali-Gombe, Richard)
• “Performing Mac® Memory Analysis Using Objective -C and Swift Data Structures” (Manna, Case & Richard)
• “AI-Based Audio Enhancement May Cause False Evidence: (Brixen)
• “Connected Objects (Internet of Things [IoT]) as Crime Witnesses” (Fischer)
• “Enhancing Child Pornography Offender Risk Assessment Using Digital Forensics Artifacts” (Rogers, Seigfried-Spellar, Bates & Rux)
• “New in Computer Forensics Tool Testing’s (CFTT’s) Mobile Forensics—SQLite, SQLite Recovery, and a New Federated Testing Tool” (Reyes-Rodriguez, Guttman & Ayers)
• “An Initial Forensic Analysis of Sailfish OS” (Tzvetanov & Karabiyik)
• “An Analysis of Audio Recordings Made Using the Voice Recorder Application on Android™ Phones” (DeAngelis, Smith, Grigoras & Rogers)
• “A Forensic Analysis of Digital Speech Standard (DSS) Files” (Grigoras, Whitecotton, Smith, Lacey, Koenig & Zjalic)
• “Data Decryption of Android™ Third-Party Private Messaging Apps: A Case Study” (Haak & Brunty)
• “A Forensic Analysis of Joker-Enabled Android™ Malware Apps” (Shi, Cheng & Guan)
• “Examining the Impact of Garbage Collection and Process States in Userland Memory Forensics” (Sudhakaran, Ali-Gombe & Richard)
• “An Analysis of Acquisition Methods of Ring Video Doorbell Files” (Epstein, Lyons & Bruehs)
• “A Study on Unmanned Aircraft Systems Forensics Framework (UAS FFWK)” (Mei)
• “A Response to the Threat of Stegware” (Lin, Martin, Chen, Pierre, Guan & Newman)
• “The Organization of Scientific Area Committees (OSAC) Digital/Multimedia Scientific Area Committee Standards Work — Part 1: Digital Evidence and Speaker Recognition” (Nguyen, Marks & Bruegge)
• “The Organization of Scientific Area Committees (OSAC) Digital/Multimedia Scientific Area Committee Standards Work — Part 2: Video/Imaging Technology & Analysis (VITAL) and Facial Identification” (Carroll, Sims, Carnes, Bruegge)
• “Computer Forensics Reference Data Sets (CFReDSv2.0) for Digital Evidence” (Ayers & Shahid)
• “Using Rapid Differential Forensics Algorithm to Speed Transmission of Large Files Around the World” (Guido, Schmicker, Adler & Fletcher)
• “Comparative Analysis of Mobile Forensic Tools: Reliability and Accuracy Related to iOS® 13 Notes App Forensic Evidence Recognition and Classification” (Gandhi & Rogers)
• “A Holistic Framework for Investigating Geospatial Data in Cyber Forensics” (Mirza & Karabiyik)
• “Crowdsourcing Forensics: Generating a Digital Artifact Catalog (Nguyen & Casey)
• A poster session, “File Structure Analysis of Media Files Transmitted and Received Over WhatsApp” (Risemberg, Grigoras & Smith)

Additional topics of interest to digital forensics practitioners come from the general and jurisprudence sections. The general section included (among other papers):

• “Dating Apps and Their Implications on Child Sexual Abuse: A Discussion of One Such Case” (Hinnawi and Patil)
• “Feeling Stress at Work? Stress, Support, and Decision-Making of Forensic Examiners” (Almazrouei, Dror, & Morgan)
• “Data-Driven Support for Optimal Forensic Laboratory Staffing” (Speaker)

In the jurisprudence section:

• “Science, Technology, and Jurors: An Update” (Shelton)
• “Digital Evidence in Criminal Cases Before the United States Courts of Appeal: A Follow-Up Study on Trends and Issues for Consideration” (Novak)
• “The Need for Ethical, Legal, and Social Implications (ELSI) Evaluations in Forensic Science Methods and Police Investigative Technologies” (Chu)
• “Cell Phones Are the New DNA: The Emerging Role of Mobile Device Forensics in Wrongful Conviction Exonerations” (Carney)

Abstracts for these and other papers are available in the conference’s proceedings, available at the AAFS website.

A series of eight workshops additionally presented “The Look of Modern Criminal Investigations,” an overview of “topical and fundamental work taking place in multiple digital forensic technical areas”: social media, geolocation, audio, video, cloud acquisitions, and software validation.

iOS keychain, photo, and encrypted app research

At DFIR Review, Vladimir Katalov published “Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored,” going beyond logins, passwords and payment card information to Certificate, Key, and Trust Services used by iOS apps and their developers. Largely inaccessible from the iOS GUI, this data includes authentication tokens, shared secrets tied to authenticator apps, certificates and identities, and encryption keys.

Katalov also discussed the iCloud Keychain used to synchronize keychain records across devices; keychain protection classes that assign keychain item availability based on device lock state; which device and backup keychain items are available before first unlock (BFU); and as a bonus, the macOS keychain.

Reviewers reflected the need for further research to show how to use keychain information, to access protected data especially, and to investigate the keychain across different Apple devices.

In “Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?” also at DFIR Review, Scott Koenig shared the results of some research that answered the questions:

• What happens when a photo / live photo is captured (com.apple.camera.CameraMessagesApp) within the native iOS messenger (com.apple.MobileSMS) and sent as an attachment?
• What happens when a photo is captured within native iOS messenger, sent as an attachment message and the message that contained the attachment is later deleted from the conversation thread (/private/var/mobile/Library/SMS/Attachments/)?
• What happens when a photo is captured within native iOS messenger, sent as an attachment message and the photo sent as an attachment is later deleted from the Photos Application (/private/var/mobile/Media/DCIM/)?

Files that can be analyzed from an iOS full file system (FFS) extraction, based on Koenig’s research, include the Photos.sqlite database, the Photos.sqlite creator bundle ID, and other items. Future research could explore similar dynamics with other types of messages sent using the native iOS messaging app, as well as comparing photos sent using third-party apps, such as Facebook Messenger.

At Forensic Science International: Digital Investigation, authors Alex Akinbi, of the Liverpool John Moores University, and Ehizojie Ojie, of the University of York, described “Forensic analysis of open-source XMPP multi-client social networking apps on iOS devices.”

Focusing on Monal and Siskin IM — two secure, open-source XMPP multi-client instant messaging iOS apps — Akinbi and Ojie discovered that forensic artifacts of interest, including user information and metadata, can be recovered from the main databases of both apps and the iOS filesystem.

“The results in this paper show a detailed analysis and correlation of data stored in each app’s database,” their abstract reads, “to identify the local user’s multiple IM accounts and contact list, contents of messages exchanged with contacts, and chronology of conversations.”

New frameworks for online investigations

Cranfield University’s Anne David, Sarah Morris, and Gareth Appleby-Thomas published “Social Media User Relationship Framework (SMURF)” at JDFSL. SMURF is a a proof of concept (PoC) framework for social media user attribution, or a way to go beyond communications content to contextualize and substantiate user activity in live triage investigations — important, the authors argue, for investigations involving exigency such as trolling, cyber bullying, grooming, and/or luring.

At Forensic Science International: Digital Investigation, authors C. H. Ngejane, J. H. P. Eloff, T. J. Sefara, and V. N. Marivate, all of the University of Pretoria in South Africa, propose “Digital forensics supported by machine learning for the detection of online sexual predatory chats.” Their digital forensic process model takes online detection a step further by organizing digital forensic investigative tasks to obtain useable results via machine learning.

Databases, steganography, and micro-jurisdictions

At the Journal of Digital Forensics, Security, and Law (JDFSL), researchers Karina Bohora, Amol Bothe, Damini Sheth, Rupali Chopade, & V. K. Pachghare, all of the College of Engineering, Pune (India) discussed “Backup and Recovery Mechanisms of Cassandra Database: A Review.”

Focusing on the Apache Cassandra NoSQL database, the researchers discuss the existing deletion mechanism in Cassandra. The paper also identifies some backup-and-recovery-related issues, including failure detection and handling as well as disasters, thereby addressing some key security- and recovery-related concerns.

Also at JDFSL, researchers Michael Pelosi and Chuck Easttom published “Identification of LSB image Steganography using Cover Image Comparisons.” Noting that steganography is becoming more widespread as an anti-forensics technique, the paper aims to provide digital forensics practitioners with a new software concept, CounterSteg.

This tool is designed specifically for the identification and attribution of least significant bit (LSB) steganography by comparing the original cover image side-by-side with a suspected steganographic payload image. This paper demonstrates usage and typical forensic analysis with eight commonly available steganographic programs.

At Forensic Science International: Synergy, “Forensic science in Seychelles: An example of a micro-jurisdiction forensic delivery system” describes the island nation of Seychelles’ current investment into capacity building of commonly utilised forensic services, the kinds of innovative solutions required for sustainable, effective, efficient forensic delivery, and the need for a transparent science culture needed to promote justice and create public confidence — all in the confines of a geographically remote location.

In the paper, authors Jemmy T. Bouzin, Georgina Sauzier, and Simon W. Lewis of Curtin University in Western Australia cover issues affecting a broad range of forensic science services that includes digital forensics, commissioned in 2015 under the European Union-funded framework of Interpol capacity building for Eastern African countries. Opportunities and risks of a centralized forensic services structure are discussed, along with the country’s legal framework, challenges to forensic services development, funding and management, and quality assurance and governance.