Results 1 - 20 of 28
1.
J Forensic Sci ; 2024 Apr 21.
Article in English | MEDLINE | ID: mdl-38643370

ABSTRACT

Ground truth data (GTD) is used by those in the field of digital forensics (DF) for a variety of purposes including to evaluate the functionality of undocumented, new, or emerging technology and services and the digital traces left behind following their usage. Most accepted and reliable trace interpretations must be derived from an examination of relevant GTD, yet despite the importance of it to the DF community, there is little formal guidance available for supporting those who create it, to do so in a way that ensures any data is of good quality, reliable, and therefore usable. In an attempt to address this issue, this work proposes a minimum standard of documentation that must accompany the production of any GTD, particularly when it is intended for use in the process of discovering new knowledge, proposing original interpretations of a digital trace, or determining the functionality of any technology or service. A template structure is discussed and provided in Appendix S1 which sets out a minimum standard for metadata describing any GTD's production process and content. It is suggested that such an approach can support the maintenance of trust in any GTD and improve the shareability of it.

2.
Sci Justice ; 64(1): 38-42, 2024 Jan.
Article in English | MEDLINE | ID: mdl-38182311

ABSTRACT

The field of digital forensics (DF) is facing increasing scrutiny of the quality of the work it produces. Fundamental to it is the need for its practitioners to be able to accurately determine the meaning of potentially relevant digital traces found during an examination of a device. As the reliance on digital evidence continues to grow, so does the importance of digital trace-interpretation. It is therefore imperative that this task is conducted robustly, where this work describes 'eight pillars' that should underpin how a practitioner has gone about interpreting any given digital trace.

3.
Forensic Sci Int ; 349: 111769, 2023 Aug.
Article in English | MEDLINE | ID: mdl-37413924

ABSTRACT

Automation is crucial for managing the increasing volume of digital evidence. However, the absence of a clear foundation comprising a definition, classification, and common terminology has led to a fragmented landscape where diverse interpretations of automation exist. This resembles the wild west: some consider keyword searches or file carving as automation while others do not. We, therefore, reviewed automation literature (in the domain of digital forensics and other domains), performed three practitioner interviews, and discussed the topic with domain experts from academia. On this basis, we propose a definition and then showcase several considerations concerning automation for digital forensics, e.g., what we classify as no/basic automation or full automation (autonomous). We conclude that it requires these foundational discussions to promote and progress the discipline through a common understanding.

4.
Sci Justice ; 63(1): 116-126, 2023 01.
Article in English | MEDLINE | ID: mdl-36631176

ABSTRACT

Given the size and complexity of many digital forensic science device examinations, there is a need for practitioners to formally and strategically determine a course of conduct which allows them to undertake the most robust and efficient examination possible. This work outlines both the need for practitioners to have a digital evidence strategy (DES) when tackling any given examination scenario, how to construct one and the concerns which exist when no formal DES is in place. Approaches to DES development are examined and the context to which they should be deployed are analysed, with focus being on the use of DESs at the examination/processing stage of the investigative workflow. Finally, a 'DES skeleton' is offered to guide practitioners as they seek to create their own DES.


Subjects
Forensic Sciences, Humans, Forensic Sciences/methods
5.
Sci Justice ; 62(5): 515-519, 2022 09.
Article in English | MEDLINE | ID: mdl-36336444

ABSTRACT

Digital forensic practitioners often utilise a range of tools throughout their casework in order to access, identify and analyse relevant data, making them a vital part of conducting thorough, efficient and accurate digital examinations of device content and datasets. Whilst their importance cannot be understated, there is also no guarantee that their functionality is free from error, where similarly, no practitioner can 100% assure that their performance is flawless. Should an error occur during an investigation, assuming that it has been identified, then determining the cause of it is important for the purposes of ensuring quality control in both the immediate investigation and for longer-term practice improvements. Perhaps anecdotally, a starting position in any postmortem review of an error may be to suspect that any tools used may be at fault, where recent narratives and initiatives have enforced the need to evaluate all tools prior to them being used in any live investigation. Yet, in addition, an error may occur as a result of a practitioner's investigative conduct. This work discusses the concept of 'fault-attribution', focusing on the roles of the forensic tool and practitioner, and proposes a series of principles for determining responsibility for an investigative error.


Subjects
Forensic Medicine, Humans, Quality Control
6.
Sci Justice ; 62(5): 594-601, 2022 09.
Article in English | MEDLINE | ID: mdl-36336452

ABSTRACT

The need for digital forensic science (DFS) services has grown due to widespread and consistent engagement with technology by members of society. Whilst digital evidence often plays an important role in many inquiries, available investigative resources have failed to keep pace with such demand for them. As a result, the use case prioritisation models for backlog/workload management are of increasing importance to ensure the effective deployment of laboratory resources. This work focuses on the concept of case prioritisation in a digital forensic laboratory setting, following the submission of exhibits for examination, where this workflow is described. The challenges of case management and prioritisation in laboratories are discussed, with both 'case acceptance' and 'case prioritisation' procedures explained. Finally, the 'Hierarchy of Case Priority' (HiCaP) - a transparent, risk-based approach for the prioritisation of cases for examination, is proposed and described using examples.


Subjects
Forensic Medicine, Laboratories, Humans, Forensic Sciences
7.
J Forensic Sci ; 67(6): 2458-2468, 2022 Nov.
Article in English | MEDLINE | ID: mdl-35968719

ABSTRACT

One of the primary roles of a practitioner in the field of digital forensics (DF) is to conduct the examination of any lawfully seized digital device content and report upon any findings that may support an inquiry being conducted. While there are many intricacies to this task, in some cases, an inquiry will commence with a practitioner carrying out the necessary examination work required to report any findings at a "technical level." Such technical reports are often used for intelligence gathering purposes in an attempt to establish the potential evidential value of a device or data set and are often a precursor to, and catalyst for, further and often more extensive forensic work being commissioned. Therefore, the ability to report at a technical level should be considered a fundamental skill required of all practitioners in this discipline and any attempts to provide guidance and support for conducting this task effectively should be encouraged. This work explores the role of technical reporting, where a series of reporting examples are presented that explore the intricacies involved with conveying digital forensic findings at a technical level. Procedural and linguistic challenges are investigated and evaluated in order to acknowledge the pitfalls that practitioners may encounter and to identify potential technical reporting best practices.


Subjects
Forensic Medicine, Forensic Sciences
8.
Sci Justice ; 62(2): 171-180, 2022 03.
Article in English | MEDLINE | ID: mdl-35277231

ABSTRACT

As digital forensics continues to play an important role in criminal investigations, its investigative work must be underpinned with well-defined and robust methodologies. Over the last 20 years, a substantial body of research has been produced to define and codify the digital forensic investigation process and the stages/sub-processes involved. Whilst current digital forensic investigation process models provide a solid foundation, it is argued that existing attempts often only focus on those physical tasks, which a practitioner must carry out at any given stage of an examination, omitting to identify those core thought processes, decisions and behaviours that form part of effective investigative practices. This work presents the Digital Forensic Workflow Model (DFWM), a novel approach to the structuring and definition of the procedures and tasks involved in the digital forensic investigation process starting from the initial 'Review of Client Requirements & Planning' stage, right through to the 'Evaluation of Deployed Workflow' stage. The DFWM contributes to the digital forensic management toolbox, where it enables the identification and management of risk and supports error mitigation at each stage of the workflow. The paper demonstrates how the DFWM functions as a framework for unboxing the digital forensic investigation process based on the investigative strategy of the particular case, providing a detailed structure and depiction of the physical and investigative tasks and decisions. From a research perspective, DFWM is a descriptive starting point, and future empirical studies may expand and provide further detail to the various physical and cognitive tasks and associated risks during the DF workflow.


Subjects
Forensic Medicine, Humans, Workflow
9.
J Forensic Sci ; 67(3): 1215-1220, 2022 May.
Article in English | MEDLINE | ID: mdl-34997585

ABSTRACT

Data acquisition is a fundamental stage of the digital forensic workflow, where without it, it may not be possible to conduct many criminal inquiries effectively. While any investigative team may want access to all digital data available, it is no longer an approach that is considered justifiable or proportionate in all cases. There is now an increasing narrative highlighting the invasiveness of digital data acquisition processes and their impact upon privacy, with calls to ensure greater scrutiny is placed upon their use. This work proposes the "Order of Data Acquisition" which defines 10 digital data acquisition methods that are available to practitioners as a part of a forensic examination, derived from a review of existing literature and best practice acquisition approaches, and arranged by their "invasiveness." Each method is discussed with examples provided in order to clarify and formalize the process of determining a suitable acquisition method in every case while acknowledging privacy invasion concerns. Finally, conclusions are drawn.


Subjects
Forensic Medicine, Workflow
10.
Sci Justice ; 62(1): 86-93, 2022 01.
Article in English | MEDLINE | ID: mdl-35033331

ABSTRACT

The prominence of technology usage in society has inevitably led to increasing numbers of digital devices being seized, where digital evidence often features in criminal investigations. Such demand has led to well documented backlogs placing pressure on digital forensic labs, where in an effort to combat this issue, the 'at-scene triage' of devices has been touted as a solution. Yet such triage approaches are not straightforward to implement with multiple technical and procedural issues existing, including determining when it is actually appropriate to triage the contents of a device at-scene. This work remains focused on this point due to the complexities associated with it, and to support first responders a nine-stage triage decision model is offered which is designed to promote consistent and transparent practice when determining if a device should be triaged.


Subjects
Triage, Humans
11.
Sci Justice ; 61(6): 761-770, 2021 11.
Article in English | MEDLINE | ID: mdl-34802650

ABSTRACT

Many criminal investigations maintain an element of digital evidence, where it is the role of the first responder in many cases to both identify its presence at any crime scene, and assess its worth. Whilst in some instances the existence and role of a digital device at-scene may be obvious, in others, the first responder will be required to evaluate whether any 'digital opportunities' exist which could support their inquiry, and if so, where these are. This work discusses the potential presence of digital evidence at crime scenes, approaches to identifying it and the contexts in which it may exist, focusing on the investigative opportunities that devices may offer. The concept of digital devices acting as 'digital witnesses' is proposed, followed by an examination of potential 'digital crime scene' scenarios and strategies for processing them.


Subjects
Crime, Humans
12.
Sci Justice ; 61(5): 627-634, 2021 09.
Article in English | MEDLINE | ID: mdl-34482943

ABSTRACT

The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via written report, yet despite this there is arguably limited best practice guidance available which is specific for this field in regards to report construction. Poor reporting practices in DF are likely to undermine the reliability of evidence provided across this field, where there is a need for formalised guidance regarding the requirements for effective DF report construction; this should not be a task left solely to each individual practitioner to determine without instruction. For this, the field of DF should look to the wider forensic community and the existing work in this area for support. In line with many other 'traditional' forensic science types, a DF practitioner can be commissioned to report in one of three ways - 'technical', 'investigative' or 'evaluative', where each reporting type maintains a specific purpose and interpretative-context, determined by the examination workflow undertaken by a practitioner following client instruction. This work draws upon guidance set out in fundamental forensic science reporting literature in order to describe each reporting type in turn, outlining their scope, content and construction requirements in an attempt to provide support for the DF field.


Subjects
Forensic Medicine, Forensic Sciences, Forensic Sciences/methods, Humans, Reproducibility of Results
13.
Article in English | MEDLINE | ID: mdl-36911421

ABSTRACT

As the digital forensic field develops, taking steps towards ensuring a level of reliability in the processes implemented by its practitioners, emphasis on the need for effective testing has increased. In order to test, test datasets are required, but creating these is not a straightforward task. A poorly constructed and documented test dataset undermines any testing which has taken place using it, eroding the reliability of any subsequent test results. In essence, given the time, effort and knowledge required to generate datasets, the field must guide those carrying out this task to ensure that it is done right at the first instance without wasting resources. Yet, there are currently few standards and best practices defined for dataset creation in digital forensics. This work defines three categories of dataset which typically exist in digital forensics - tool/process evaluation datasets, actions datasets and scenario-based datasets, where the minimum requirements for their creation are outlined and discussed to support those creating them and to help ensure that where datasets are created, they offer maximum value to the field.

14.
J Forensic Sci ; 66(1): 179-189, 2021 Jan.
Article in English | MEDLINE | ID: mdl-33034896

ABSTRACT

As digital evidence now features prominently in many criminal investigations, such large volumes of requests for the forensic examination of devices has led to well publicized backlogs and delays. In an effort to cope, triage policies are frequently implemented in order to reduce the number of digital devices which are seized unnecessarily. Often first responders are tasked with performing triage at scene in order to decide whether any identified devices should be seized and submitted for forensic examination. In some cases, this is done with the assistance of software which allows device content to be "previewed"; however, in some cases, a first responder will triage devices using their judgment and experience alone, absent of knowledge of the device's content, referred to as "decision-based device triage" (DBDT). This work provides a discussion of the challenges first responders face when carrying out DBDT at scene. In response, the COLLECTORS ranking scale is proposed to help first responders carry out DBDT and to formalize this process in an effort to support quality control of this practice. The COLLECTORS ranking scale consists of 10 categories which first responders should rank a given device against. Each device's cumulative score should be queried against the defined "seizure thresholds" which offer support to first responders in assessing when to seize a device. To offer clarity, an example use-case involving the COLLECTORS ranking scale is included, highlighting its application when faced with multiple digital devices at scene.

15.
Sci Justice ; 61(1): 89-96, 2021 01.
Article in English | MEDLINE | ID: mdl-33357831

ABSTRACT

Digital devices now play an important role in the lives of many in society. Whilst they are used predominantly for legitimate purposes, instances of digital crime are witnessed, where determining their usage is important to any criminal investigation. Typically, when determining who has used a digital device, digital forensic analysis is utilised, however, biological trace evidence or fingerprints residing on its surfaces may also be of value. This work provides a preliminary study which examines the potential for fingerprint recovery from computer peripherals, namely keyboards and mice. Our implementation methodology is outlined, and results discussed which indicate that print recovery is possible. Findings are intended to support those operating at-scene in an evidence collection capacity.


Subjects
Crime, Forensic Medicine, Computer Peripherals, Forensic Medicine/methods, Humans
16.
Sci Justice ; 61(1): 97-106, 2021 01.
Article in English | MEDLINE | ID: mdl-33357832

ABSTRACT

Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based 'anonymous' online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.


Subjects
Law Enforcement, Humans
17.
Sci Justice ; 60(6): 555-566, 2020 11.
Article in English | MEDLINE | ID: mdl-33077039

ABSTRACT

Despite many academic studies in the last 15 years acknowledging the investigative value of physical memory due to the potential sensitive nature of data it may contain, it arguably remains rarely collected at-scene in most criminal investigations. Whilst this may be due to factors such as first responders lacking the technical skills to do this task, or simply that it is overlooked as an evidence source, this work seeks to emphasise the worth of this task by demonstrating the ability to recover plain-text login credentials from it. Through an examination of logins made to 15 popular online services carried out via the Chrome, Edge and Mozilla Firefox browsers, testing shows that plain-text credentials are present in RAM in every case. Here, a transparent test methodology is defined and the results of test cases are presented along with 'string markers' which allow a practitioner to search their RAM captures for the presence of unknown credential information for these services in future cases.

18.
Sci Justice ; 60(5): 399-402, 2020 09.
Article in English | MEDLINE | ID: mdl-32873378

ABSTRACT

Whilst the field of digital forensics is now well established, its research community can be considered relatively emerging in comparison to the associated areas of traditional forensic and computer sciences. As a result, this comment article takes a quick look at the demographics of digital forensics research over the last 20 years, with metadata from 6589 articles being extracted and analysed from Scopus in order to provide a brief insight into this field's research activity.


Subjects
Forensic Medicine, Forensic Sciences, Computers, Demography, Humans
20.
Sci Justice ; 59(5): 565-572, 2019 09.
Article in English | MEDLINE | ID: mdl-31472802

ABSTRACT

There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, 'digital tool marks' (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.


Subjects
Computer Security, Data Anonymization, Data Compression, Disruptive Technology, Forensic Sciences/methods, Intention, Crime, Humans, Information Technology/trends