Subject: Mathematics & Computer Science, Other | Keywords: Forensics, digital forensics, wearable, law
Online: 25 March 2019 (11:06:29 CET)
Digital evidence is considered an important type of evidence in many legal cases, and many jurisdictions have dedicated laws governing the collection, handling and admissibility of digital evidence. New technologies and new devices are being developed rapidly, creating new sources of digital evidence. This presents a challenge to law enforcement agencies and digital investigators, who must stay up to date with rapid developments in the digital field. This paper discusses a relatively new source of digital evidence: evidence extracted from wearable devices. The Fitbit fitness tracker is one of the most common wearable devices in use today. This paper presents a case study in which data extracted from a Fitbit was used as digital evidence. The admissibility of wearables as digital evidence and the challenges of using them are also discussed.
COMMUNICATION | doi:10.20944/preprints202302.0003.v1
Subject: Engineering, Electrical & Electronic Engineering | Keywords: image forensics; camera identification; fingerprint; forgery; PRNU
Online: 1 February 2023 (01:30:04 CET)
In the field of forensic imaging, it is important to be able to extract a “camera fingerprint” from one image, or a small set of images, known to have been taken by the same camera (image sensor). Ideally, that fingerprint can be used to identify an individual source camera. The camera fingerprint is based on a certain kind of random noise present in all image sensors; it arises from manufacturing imperfections and is therefore unique and impossible to avoid. PRNU (Photo-Response Non-Uniformity) has become the most widely used method for SCI (Source Camera Identification). In this paper, we design a set of “attacks” against a PRNU-based SCI system and measure the success of each method. We understand an attack method as any processing that minimally alters image quality and is designed to fool PRNU detectors (or, more generally, any camera fingerprint detector). The PRNU-based SCI system was taken from an outstanding reference implementation that is publicly available.
ARTICLE | doi:10.20944/preprints201907.0331.v1
Subject: Physical Sciences, Atomic & Molecular Physics | Keywords: plasma spectroscopy; nuclear forensics; analytical chemistry; nuclear chemistry; lanthanide spectroscopy; LIBS
Online: 29 July 2019 (05:32:11 CEST)
A hand-held laser-induced breakdown spectroscopy device was used to acquire spectral emission data from laser-induced plasmas created on the surface of cerium-gallium alloy samples with Ga concentrations ranging from 0 to 3 weight percent. Ionic and neutral emission lines of the two constituent elements were then extracted and used to generate calibration curves relating the emission line intensity ratios to the gallium concentration of the alloy. The Ga I 287.4 nm emission line was determined to be superior for the purposes of Ga detection and concentration determination. A limit of detection below 0.25% was achieved using a multivariate regression model of the Ga I 287.4 nm line ratio versus two separate Ce II emission lines. This LOD is considered a conservative estimate of the technique’s capability, given the type of calibration samples available and the low power (5 mJ per 1 ns pulse) and resolving power (λ/Δλ = 4000) of this handheld device. Nonetheless, the utility of the technique is demonstrated via a detailed mapping analysis of the surface Ga distribution of a Ce-Ga sample, which reveals significant heterogeneity resulting from the sample production process.
ARTICLE | doi:10.20944/preprints201812.0345.v1
Subject: Mathematics & Computer Science, Other | Keywords: Cloud Storage Forensics, Cloud Application Artifacts, Data Remnants, Data Carving, Digital Forensic Investigations
Online: 3 January 2019 (12:17:11 CET)
The research proposed in this paper focuses on gathering evidence from devices running the Windows 10 operating system in order to discover and collect artifacts left by cloud storage applications, artifacts that indicate their use even after the Google client application has been deleted. We show where, and what type of, data remnants can be found using our analysis, which can then be used as evidence in digital forensic investigations.
ARTICLE | doi:10.20944/preprints201705.0199.v1
Subject: Mathematics & Computer Science, Information Technology & Data Management | Keywords: digital forensic tool, mobile application forensics, geolocation, Upsight, Pokémon GO, Pokémon GO Plus
Online: 29 May 2017 (11:21:56 CEST)
As the geolocation capabilities of smartphones continue to improve, developers have continued to create more innovative applications that rely on this location information for their primary function. This can be seen with Niantic's release of Pokémon GO, a massively multiplayer online role-playing and augmented reality game. The game became immensely popular within just a few days of its release. However, it also had the propensity to distract drivers, resulting in numerous accidents, and was used as a tool by armed robbers to lure unsuspecting users into secluded areas. This creates a need for forensic investigators to be able to analyze the data within the application in order to determine whether it may have been involved in such incidents. Because the application is new, limited research has been conducted on the artifacts that can be recovered from it. In this paper, we aim to fill the gaps in the current research by assessing what forensically relevant information may be recovered from the application and understanding the circumstances behind the creation of this information. Our research focuses primarily on the artifacts generated by the Upsight analytics platform, those contained within the bundles directory, and the Pokémon GO Plus accessory. Moreover, we present our new application-specific analysis tool, which is capable of extracting forensic artifacts from a backup of the Android application and presenting them to an investigator in an easily readable format. This analysis tool exceeds the capabilities of UFED Physical Analyzer in processing Pokémon GO application data.
CONCEPT PAPER | doi:10.20944/preprints202006.0341.v1
Subject: Engineering, Electrical & Electronic Engineering | Keywords: Hyperspectral Document Images; Non-destructive Analysis; Forensic Documents; Ink Mismatch Detection; K-means Clustering
Online: 28 June 2020 (19:26:25 CEST)
Hyperspectral imaging (HSI) is a technique used to obtain a spectrum for each pixel in an image. It helps in finding objects and identifying materials, an identification that is very difficult with other imaging techniques, and it allows researchers to examine documents without any physical contact. Detection of unequal ink mismatch based on HSI has recently shown vast improvement in distinguishing inks. Detection of unequal ink mismatch is an unbalanced clustering problem. This paper uses K-means clustering for ink mismatch detection; K-means clustering finds similar subgroups in the data based on Euclidean distance. The paper demonstrates the performance of this approach on unequal ink mismatch detection based on HSI.
REVIEW | doi:10.20944/preprints201708.0003.v1
Subject: Mathematics & Computer Science, Artificial Intelligence & Robotics | Keywords: stylometry; author identification; author verification; author profiling; stylistic inconsistency; text analysis; supervised learning; unsupervised learning; classification; forensics
Online: 2 August 2017 (12:38:17 CEST)
Electronic text stylometry is a collection of forensic methods that analyze the writing styles of input electronic texts in order to extract information about their authors. Such extracted information could be the identity of the authors, or attributes of the authors, such as their gender, age group, ethnicity, etc. This survey paper presents the following contributions: 1) A description of all stylometry problems in probabilistic terms, under a unified notation. To the best of our knowledge, this is the most comprehensive definition to date. 2) A survey of key methods, with particular attention to data representation (or feature extraction) methods. 3) An evaluation of 23,760 feature extraction methods, which is the most comprehensive evaluation of feature extraction methods in the stylometry literature to date. The importance of this evaluation is twofold. First, it identifies the relative effectiveness of the features (currently, many are not evaluated jointly; e.g. syntactic n-grams are not evaluated against k-skip n-grams, and so forth). Second, thanks to our generalizations, we could evaluate novel grams, such as what we name compound grams. 4) The release of our associated Python feature extraction library, namely Fextractor. Essentially, the library generalizes all existing n-gram based feature extraction methods under the "at least l-frequent, dir-directed, k-skipped n-grams" formulation, and allows grams to be diversely defined, including definitions based on high-level grammatical aspects, such as POS tags, as well as lower-level ones, such as the distribution of function words, word shapes, etc. This makes the library, by far, the most extensive in this domain to date. 5) The construction, evaluation, and release of the first dataset for Emirati social media text. This evaluation represents the first evaluation of author identification against Emirati social media texts.
Interestingly, we find that, when using our models and feature extraction library (Fextractor), authors could be identified significantly more accurately than what is reported with similarly sized datasets. The dataset also contains sub-datasets that represent other languages (Dutch, English, Greek and Spanish), and our findings are consistent across them.
ARTICLE | doi:10.20944/preprints202210.0365.v1
Subject: Social Sciences, Political Science | Keywords: attribution; microbial forensics; Biological and Toxins Weapons Convention; nonproliferation policy; weapons of mass destruction; origins; investigation; biosecurity
Online: 24 October 2022 (12:46:59 CEST)
Biological events—including outbreaks and pandemics, biological weapons use, or accidental laboratory release—have the potential to be extremely disruptive. The ability to accurately investigate, identify the origins of, and attribute these events is critical for deterring deliberate events and implementing interventions to prevent future natural or accidental events. However, historical examples of biological event attribution and origins investigations illustrate significant gaps in processes, from technical capabilities to communications, and have lacked conclusive consensus among decision makers, the public, and scientists. This study aimed to assess the attitudes and expectations of a broad range of stakeholders regarding investigations and the evidence generated for biological attribution. We interviewed 41 experts in disciplines related to attribution and investigations and analyzed the interview content using a mixed-methods approach. The interviews generated a list of factors to consider when planning or conducting investigations, presented here. Opinions concerning the conduct and reporting of biological sample analyses, and perceptions of the feasibility of attribution, varied among interviewees representing different fields of study. Participant opinions varied less with regard to the requirements, protocols, and guidelines thought to be important for maintaining confidence and trust in an investigation and its evidence. Findings from this study can inform planning for future events.
ARTICLE | doi:10.20944/preprints202102.0404.v1
Subject: Mathematics & Computer Science, Algebra & Number Theory | Keywords: Darknet; Traffic Analysis; Network Management; Malicious Intent Detection; Weight Agnostic Neural Networks; Real-Time Forensics; Shapley Value; Power Predicting Score
Online: 18 February 2021 (09:56:34 CET)
Attackers are perpetually modifying their tactics to avoid detection and frequently leverage legitimate credentials with trusted tools already deployed in a network environment, making it difficult for organizations to proactively identify critical security risks. Network traffic analysis products have emerged in response to attackers’ relentless innovation, offering organizations a realistic path forward for combatting creative attackers. Additionally, with the widespread adoption of cloud computing, Device Operators (DevOps) processes, and the Internet of Things (IoT), maintaining effective network visibility has become a highly complex and overwhelming process. What makes network traffic analysis technology particularly meaningful is its ability to combine its core capabilities to deliver malicious intent detection. In this paper, we propose a novel darknet traffic analysis and network management framework that automates the malicious intent detection process in real time, using a weight agnostic neural network architecture. It is an effective and accurate computational intelligence forensics tool for network traffic analysis, the demystification of malware traffic, and encrypted traffic identification in real time. Based on the Weight Agnostic Neural Networks (WANNs) methodology, we propose an automated neural network architecture search strategy that can perform various tasks, such as identifying zero-day attacks. By automating the malicious intent detection process from the darknet, the proposed solution reduces the skills and effort barrier that prevents many organizations from effectively protecting their most critical assets.