%
% For each work, add a \subsection with its title, followed by the abstract and keywords, copied from the work
%
\subsection{WARNE: A tool for gathering evidence on stalkerware}

Intimate partner violence often involves the use of stalkerware applications, which perpetrators install on the victim's mobile device, thereby invading her privacy. In this paper we describe the operation of the WARNE software. It is a forensic tool for identifying such applications and gathering evidence on the identity of the stalker. The tool successfully uncovered weaknesses in 20 of the 30 stalkerware applications tested, demonstrating great potential for helping victims and investigators.

\textbf{Keywords:} stalkerware applications, digital forensics, mobile device security, intimate partner violence, IPV

\subsection{How to detect cryptocurrency miners? By traffic forensics!}

The paper by Veselý and Žádník presents a hybrid approach for detecting cryptocurrency mining traffic in large-scale network environments. Using flow-level features extracted from data collected in a national academic network, a labeled dataset was constructed through a semi-automated annotation process involving both passive analysis and active probing, enhanced by leveraging the sMaSheD catalog of known mining pool addresses. Two classifiers were developed and evaluated: a manually tuned rule-based classifier and a supervised machine learning model. The manual classifier serves as an interpretable baseline, relying on heuristic feature thresholds, while the machine learning model demonstrates superior accuracy and generalization. Evaluation results show a significant reduction in false positives and false negatives with the ML-based detector. A two-step detection schema, combining statistical classification with behavioral confirmation via active probes, further enhances precision and reliability. The findings confirm that mining traffic exhibits distinct, detectable characteristics, and that combining machine learning with domain knowledge, along with up-to-date mining pool information, provides an effective solution for real-world deployment.

\textbf{Keywords:} Traffic forensics, Cryptocurrency, Cryptojacking, Mining pool

\subsection{Was the clock correct? Timestamps and time anchors across operating systems}

Accurate event reconstruction in digital forensics depends on the integrity of system-generated timestamps, yet operating-system clocks are often misaligned with real time because of drift, battery failure or deliberate tampering. The authors formalise this problem by introducing time anchors: artefacts that embed both a local timestamp supplied by the device and an external timestamp issued by an independent source. By comparing the two we can quantify clock skew at the moment an artefact is created and label events as anchoring (verifiable) or non-anchoring. The authors also define time anomalies (inconsistent skews or impossible temporal sequences) that signal manipulation or hardware faults. Two controlled Windows 10 experiments validate the approach. First, Google-search artefacts (browser history, cache entries and server logs) were collected with the system clock set correctly and then shifted three hours behind real time. The skew measured in each anchoring artefact precisely matched the imposed offset and exposed the unreliability of non-anchoring events. A second experiment repeated the procedure for local file creation, demonstrating how non-anchoring events can be corrected once neighbouring anchors establish the true skew. Our addition is a review of methods of timestamp manipulation on Linux systems, in which we review how to spot a faked timestamp using the touch command, extended file attributes, and journal history.

\textbf{Keywords:} timestamp, time shift, time anchor, OS forensics

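The skew measurement, anomaly flagging and correction of non-anchoring events described above, as an added example that is not part of the original paper or of this collection. The artefact names, the sample date and the three-hour offset are constructed to mirror the described experiment; the one anchor with an inconsistent skew is constructed to show how a time anomaly surfaces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed artefacts modelled on the paper's Windows 10 experiment: the device
# clock runs three hours behind real time, so every anchoring artefact (one that
# also carries a server-side timestamp) should show the same skew.

@dataclass
class Artefact:
    name: str
    local: datetime                # timestamp written by the device clock
    external: Optional[datetime]   # timestamp from an independent source, if any

    def skew(self) -> Optional[timedelta]:
        """local minus external; None for non-anchoring events."""
        return None if self.external is None else self.local - self.external

def _t(h, m):  # helper for the constructed sample (UTC, arbitrary date)
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)

SAMPLE = [
    Artefact("search history #1", _t(9, 0), _t(12, 0)),    # anchor, skew -3h
    Artefact("cache entry", _t(9, 5), _t(12, 5)),          # anchor, skew -3h
    Artefact("local file created", _t(9, 7), None),        # non-anchoring
    Artefact("search history #2", _t(9, 15), _t(12, 15)),  # anchor, skew -3h
    Artefact("tampered log line", _t(11, 0), _t(12, 20)),  # anchor, skew -1h20m: anomaly
]

def reference_skew(artefacts) -> timedelta:
    """Median skew over anchoring artefacts, robust against a single odd anchor."""
    skews = sorted(a.skew() for a in artefacts if a.external is not None)
    return skews[len(skews) // 2]

def find_anomalies(artefacts, tolerance=timedelta(minutes=1)):
    """Names of anchors whose skew disagrees with the reference skew (a time anomaly)."""
    ref = reference_skew(artefacts)
    return [a.name for a in artefacts
            if a.external is not None and abs(a.skew() - ref) > tolerance]

def correct_non_anchoring(artefacts, tolerance=timedelta(minutes=1)):
    """Map each non-anchoring artefact to its corrected (real) time using the
    skew of the nearest consistent anchor in local time."""
    bad = set(find_anomalies(artefacts, tolerance))
    anchors = [a for a in artefacts if a.external is not None and a.name not in bad]
    corrected = {}
    for a in artefacts:
        if a.external is None:
            nearest = min(anchors, key=lambda x: abs(x.local - a.local))
            corrected[a.name] = a.local - nearest.skew()
    return corrected
```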
\subsection{Enhancing speaker identification in criminal investigations through clusterization and rank-based scoring}

Speaker identification is a crucial task in criminal investigations, but analyzing large volumes of noisy audio and comparing them with extensive databases often leads to a high rate of false positives when using standard methods. This paper presents an approach to improve the identification of forensic speakers by combining state-of-the-art speaker embeddings with clustering and a rank-based scoring mechanism. The method extracts embeddings using an ECAPA-TDNN model, groups audio segments using HDBSCAN, and applies a rank-adjusted scoring system. Experiments demonstrate that this approach significantly reduces the number of potential candidates requiring manual review compared to baseline methods, making the investigation process more efficient and manageable in real-world forensic scenarios.

\textbf{Keywords:} Digital forensics, Speaker identification, Clusterization, Audio analysis, Scoring

\subsection{Cloud forensic analysis of the Amazon iRobot Roomba vacuum cleaner}

The paper presents the possibility of using autonomous devices such as Amazon's iRobot Roomba for crime investigation. Like many other IoT devices, the Roomba collects and stores a wealth of data about usage, location, the rooms and furniture in the home, timestamps, metadata and more. These data could be very useful in criminal investigations, as they could give us valuable information about the sequence of events. The authors first analysed all the API endpoints through which the Roomba communicates with the server, and then used them to develop a new open-source application, PyRoomba, which improves on the official Roomba app by adding more detail and drawing more accurate 2D maps of the rooms in which the vacuum is active. The application was then tested in several rooms of varying size and number of objects, after which a murder scene was simulated: a body and several knives were placed on the floor to test whether the Roomba would detect them. The tests proved successful, as the vacuum identified the additional obstacles associated with the murder.

\textbf{Keywords:} Digital forensics, Internet of Things forensics, Cloud forensics, Amazon iRobot Roomba

\subsection{Hit and run: Forensic vehicle event reconstruction through driver-based cloud data from Progressive's Snapshot application}

This paper provides a summary and critical analysis of a pioneering study by Onik et al. (2024) on the forensic analysis of the Snapshot application from Progressive Insurance. Driving Insurance Applications (DIAs) gather extensive data on driver behavior, yet their cloud-based data repositories remain a largely untapped resource for forensic investigations. The original study developed PyShot, an open-source Python tool, to extract granular data from the Progressive cloud, much of which is inaccessible via the standard user interface. It investigated the accuracy of Snapshot's location and speed data, its resilience against GPS spoofing, and its ability to provide detailed event information for reconstructing a simulated hit-and-run scenario. This seminar paper evaluates the methodology and findings of that work, contextualizes it within the broader field of vehicle and cloud forensics, and discusses its implications. The findings confirm that telematics cloud data offers a robust and reliable new avenue for investigating traffic incidents and crimes, even when faced with user tampering.

\textbf{Keywords:} Driving insurance application (DIA), Vehicle forensics, Digital forensics, Snapshot, Driving patterns, Cloud forensics

\subsection{Grand Theft API: A Forensic Analysis Of Vehicle Cloud Data}

Modern cars collect and send a meaningful amount of data to manufacturer cloud systems. This situation creates new possibilities for modern digital forensic investigations. In this paper, we look at how investigators can get vehicle cloud data directly through manufacturer APIs, using login details taken from suspects' mobile devices. We explain the basics of vehicle forensics, look at current methods for getting vehicle cloud data, and show how API-based methods work in practice. After analyzing 23 different vehicle apps and manually testing with Mercedes-Benz and BMW cars, we found that a significant amount of vehicle data can be accessed through these APIs. This includes current car status, location, and personal info. Our research shows that using APIs to get vehicle cloud data gives valuable information for forensic investigations. This approach could change how evidence is collected from modern vehicles. It represents a step forward in digital vehicle forensics and allows access to both real-time and historical vehicle data while following proper forensic principles.

\textbf{Keywords:} Vehicle Forensics, API-based Acquisition, Digital Forensics, Telemetry Data, Cloud Forensics

\subsection{Applying digital stratigraphy to the problem of recycled storage media}

This report provides an overview of a study by Schneider et al. (2024) that applied digital stratigraphy to recycled storage media in a forensic context. The main goal of that research was to determine whether this technique can distinguish older residual data from new data on a reused device, especially when such fragments are found in unallocated space without metadata. The methodology relies on the concept of digital stratigraphy (adapted from geology) to analyze how file fragments are layered on disk over time. Schneider et al. implemented an automated file system simulation framework that systematically creates, modifies, and deletes files using real file system drivers, generating realistic layers of data for analysis. Experiments showed that examining these data layers and observing file system behavior can reveal stratigraphic markers indicating a fragment's likely origin. These markers help investigators infer whether a recovered file fragment originated from the device's previous usage or the current user's activities. While the digital stratigraphy approach cannot definitively attribute every fragment, it significantly improves data provenance assessment on recycled storage media when conventional file metadata is absent.

\textbf{Keywords:} Digital stratigraphy, File System Upper Bound (FSUB), Data layering, Recycled Storage Media, Forensic analysis

\subsection{Forensic aspects of stacked file systems}

The paper addresses the challenges of forensic analysis of stacked file systems, which have become more complex because of multi-layer architectures and advanced features such as encryption. Traditional forensic techniques are not suitable for these systems, since they require analysis of both the upper and the lower file layers. A new model is proposed that includes a phase for identifying indicators and analysing timestamps. To verify the model's effectiveness, the authors carried out case studies on the MooseFS, GlusterFS and eCryptfs systems, identifying the key forensic challenges of these systems, such as fragmentation and the presence of hidden data. The model improves forensic investigation through the recovery of deleted files and a more comprehensive analysis of file systems.

\textbf{Keywords:} Stacked file systems, Forensic analysis, Digital forensics

\subsection{Forensic analysis of the Steam Deck: Presentation and extension of the paper Well Played, Suspect!}

In this paper we analyse the field of digital forensics on gaming consoles and games. We focus primarily on the paper Well Played, Suspect!, which formed the basis of our research. In the first part we present the process of differential forensics and describe the Steam Deck device and the SteamOS operating system, which are the main subject of our research. In the second part we survey the field, describing related papers and their findings, and present in more detail the paper on which our work is based. We then describe the practical part of our paper, in which we acquire images of a physical and a virtual device and use them to test the operation of the add-on, or extension, for the Autopsy tool written by the authors of the earlier paper. We also fix the extension. Finally, we present the results and compare the extension's behaviour on the two devices.

\textbf{Keywords:} Digital forensics, Differential forensics, SteamOS, Steam Deck, Nintendo 3DS, PlayStation 4, Autopsy

\subsection{Beyond the 3DS: A Cross-Platform Study Inspired by Nintendo 3DS Residual Data Analysis}

This paper presents an extended study inspired by a 2024 forensic case study of secondhand Nintendo 3DS devices. The original work analyzed residual personal and technical data retrievable from these consoles and highlighted their potential forensic value. Building upon that research, we provide a broader contextual analysis by reviewing related studies on other gaming platforms such as the Xbox and PlayStation, offering a comparative perspective on cross-platform forensic readiness and privacy implications. We further investigate the limitations of existing forensic tools and propose enhancements to extract additional artifact types, such as deleted files and detailed game logs. Finally, we simulate a hypothetical forensic investigation involving a game console, analyzing how the extracted evidence might be handled in court with regard to legal admissibility, chain of custody, and ethical boundaries. Our findings highlight the role of game consoles in modern digital forensics and the need for standardized approaches to data recovery and privacy management across different hardware platforms.

\textbf{Keywords:} Digital Forensics, Game Consoles, Nintendo 3DS, Xbox, PlayStation, Cross-Platform Analysis, Data Recovery, Residual Data, NAND Forensics, Ethical Forensics, Tool Development

\subsection{Analyzing Deterministic and Heuristic Approaches to JPEG Fragmentation Detection}

JPEG files are commonly used because of their efficient compression. However, they are prone to fragmentation, which complicates data recovery in forensics. This paper reviews a newly proposed deterministic algorithm designed to detect fragmentation points in JPEG files by analyzing inconsistencies in the bitstream. Unlike traditional methods, this one uses Huffman code lookup errors and quantization array overflows to identify fragmentation. The algorithm was tested on a custom dataset of real-world images. The research contributes an open-source tool (algorithm) and a real-world dataset to support digital forensics.

\textbf{Keywords:} JPEG fragmentation, Digital forensics, Data recovery, Fragmentation point detection, Huffman code analysis, Quantization table overflow, Bitstream inconsistency, File carving

\subsection{Accuracy of geolocation metadata in smartphone images}

Geolocation data, especially those in the EXIF metadata of smartphone photographs, represent important evidence in digital forensics. The reliability and accuracy of these data are essential for their use in legal proceedings. This paper addresses the accuracy of geotagging in photographs taken with smartphones through an empirical study based on the methodology of Ryser et al. (2024). We examine the influence of various factors on the accuracy of location data, including the location sources used (GNSS, Wi-Fi, mobile network), the environment (urban versus rural) and the mobile network generation (2G, 3G, 4G). The aim of the research is to assess the extent to which these factors affect location-determination errors and to shed light on the reliability of photograph location metadata as forensic evidence.

\textbf{Keywords:} geolocation, mobile device forensics, metadata reliability, device positioning accuracy, positioning error analysis, statistical analysis

\subsection{Mobile Device Forensics: A Targeted Overview}

We summarize the findings from several papers, with the main focus being the article Nyon unchained: Forensic analysis of Bosch's eBike board computer, where a Bosch Nyon device is used to obtain user information. Besides the hardware components, the methodology used and the analysis are described. Additionally, we look into papers linked to the main one. One of them explores the possibilities of using cars and their infotainment systems as sources of digital evidence, where a general approach is also outlined. Furthermore, we give attention to forensics of Internet of Things (IoT) devices, mainly the Amazon Echo Dot version 2. Lastly, we look into acquiring data from backups of smartphones.

\textbf{Keywords:} Digital forensics, e-bike, car, smartphone, Internet of Things