Collections

Electronic Data Recovery and Extraction
  • Research Articles
    REN Fengkai
    Forensic Science and Technology. 2023, 48(2): 196-200. https://doi.org/10.16467/j.1008-3650.2022.0031

    Immobile phones currently receive little attention in electronic evidence collection because they are commonly thought to have no storage function and therefore little evidential value. However, not all immobile phones lack storage. For immobile phones equipped with a storage chip, valuable information (e.g., calling details) can still be extracted. Immobile phones are in fact among the tools widely used by culprits in current telecom network crime, so the calling information recorded in case-involved immobile phones can play an important role in solving the case. Here, electronic forensics was carried out to extract and analyze the calling information recorded in the storage chip of a case-involved immobile phone. The memory chip was removed from the disassembled phone and a physical image was made of it, and the calling information data were extracted from the image with WinHex software. A program written in Python sorted and displayed the original data from the image and supported deeper mining of potential calling patterns, call durations and other information. Consequently, immobile phones should not be ignored in the investigation of telecom network crimes, and the Python program is a good helper for extracting electronic evidential data from immobile phones.

  • Topic: Video Detection Technology
    CHI Jiyi, SUN Peng
    Forensic Science And Technology. 2022, 47(6): 551-557. https://doi.org/10.16467/j.1008-3650.2022.0018
    Fraud cases now often take an intelligent form, mainly appearing as telecom network swindles. In such cases, police investigation usually yields presumptive but unclear evidence whose evaluation rests mostly on the investigators’ experience and knowledge. This carries a degree of human subjectivity and hence fuzziness. It is therefore valuable to introduce the linguistic fuzzy set into the quantification of the evidential data so as to reduce the impact of human subjectivity on the results. Here, a linguistic Pythagorean fuzzy multi-attribute decision-making approach was constructed on the basis of the WOWA-operator soft likelihood function, intended both to handle effectively the weight of each attribute of the case-involved people described in equivocal language and to remove the influence of extreme data and subjective decision-makers. First, the case-involved people and the related attribute information were determined from the existing clues. Second, qualitative linguistic terms were adopted to express the fuzzy information in a linguistic Pythagorean fuzzy setting, so that the uncertain attribute information was described uniformly. Finally, the multi-attribute decision-making approach was placed in the linguistic Pythagorean fuzzy environment through the WOWA-operator soft likelihood function, so that the value of each attribute was effectively defined and aggregated, yielding ranked comprehensive scores for the case-involved people. The results showed that the qualitative linguistic-term evaluation outperformed the quantitative one and was more suitable for investigating actual telecom fraud cases. The results also showed that the WOWA-operator multi-attribute decision-making method adopted in this study, rather than the OWA-operator one, was able to remove the influence of extreme data to some extent and better smooth the weighted values, making the change of the soft likelihood value more fluent. The approach proposed here can help the police associate case-related attribute information, narrow the screening scope of a case and rank suspects while weakening the subjectivity of decision-makers, and thus has practical significance for identifying suspects in telecom fraud crime.
  • Topic: Video Detection Technology
    YANG Yang, HAN Xingzhou, HAO Zhe, ZHANG Shubin, QIN Da, YANG Qiufeng
    Forensic Science And Technology. 2022, 47(6): 558-565. https://doi.org/10.16467/j.1008-3650.2022.0039
    Smartphones and digital cameras are now universal, producing enormous amounts of electronic data (e.g., digital images and photos) that can provide important clues for detecting and solving cases. Here, the changes in resolution of photos taken by mobile phones and then transmitted via WeChat were explored, in order to determine the traceability of WeChat-transmitted photo files through their stably preserved characteristics. Photos were collected from 18 mobile phones commonly available on the market and transmitted via WeChat in three ways: as original, compressed and shared images. The relationship between the resolution of the original image and the highest pixel count of the phone’s lens or the resolution of the compressed image was examined, to establish how resolution changes under the different transmission ways. The results showed that, when sent via WeChat as original images once or multiple times from phones running Android or Harmony, the photo files were not altered and kept the same attributes and resolution as the original; on iPhones, by contrast, the photo’s format was changed, although the resolution remained unchanged when the photo was sent multiple times. For photos sent from mobile phones via WeChat in the compressed and shared ways, none of the attribute information was retained, and the resolution was compressed according to a certain regularity, although subtle differences may appear in practice; the resolution did not change further when the photos were sent many times. Therefore, the resolution of photos can provide a basis for inferring the transmission way adopted, the pixel count of the phone camera’s lens and the possible brand and model of the mobile phone used to transmit the photos through WeChat.
  • Topic: Video Detection Technology
    REN Fengkai, ZHANG Dong, ZHANG Ying, GUO Jian, GONG Fangzhi
    Forensic Science And Technology. 2022, 47(6): 566-572. https://doi.org/10.16467/j.1008-3650.2022.0043
    In fighting network-related crime, re-entry into or reconstruction of the involved websites is crucial for collecting evidence. In practice, almost every telecom network fraud involves a website server: in one case the victim is directly sent the domain name of an investment website that the suspect can log in to via a browser; in another, the portal of the targeted website is encapsulated in a mobile app through which the culprit enters from mobile devices; and so on. The server stores the core back-end data of these fraud-involved websites. At present, criminal investigators can generally analyze the entry domain name of the involved website and obtain the website source code and the relevant database through the network security department, yet usually find it difficult to rebuild or re-enter the targeted website locally. A novel debugging-based strategy for re-entry into and reconstruction of dynamic websites related to network crimes can effectively solve these problems. The strategy described in this paper uses a variety of technologies, with debugging at its core, to find the problems encountered during reconstruction or re-entry quickly and to locate the relevant source code. By setting breakpoints at any position in the related code and examining the global and local variables of the running website program, technicians can grasp the logic and process of code execution, and then repair or change source code so that the involved website is rebuilt or re-entered. Technicians with the required knowledge and competence can master this debugging-based strategy after short-term training and technical tutoring. In terms of applicable scenarios, the strategy suits websites developed not only in PHP but also in Java, which matches the current situation in which these two types are the main dynamic websites involved in network-related crimes. In addition, the tools the strategy requires, e.g., plug-ins, IDE development tools and extensions, are free and open source, so no commercial software needs to be purchased, and the approach is highly scalable.
  • Topic: Video Detection Technology
    ZENG Jinhua, QIU Xiulian, BIAN Xinwei, SHI Shaopei
    Forensic Science And Technology. 2022, 47(6): 573-578. https://doi.org/10.16467/j.1008-3650.2022.0038
    Mobile smart devices such as mobile phones are built with acoustic and optical sensors, technologies that are developing rapidly and applied widely, and image authentication for them has reached comparatively mature and comprehensive solutions covering metadata, imaging artifacts, processing traces and image signals. However, increasingly personalized camera programs are available and popular on mobile phones, creating problems for the forensic authentication of images taken with them. Here, forensic authentication was applied to images produced by watermarking camera programs installed on mobile phones. Two popular watermarking camera programs (developed by Shanghai-based Tencent Technology Co., Ltd. and Beijing Xiaohei Technology Co., Ltd.) were used to explore feasible examination materials and methods for the purpose of forensic authentication. Based on scrutiny of the features of original images produced by watermarking cameras and of the watermarking conditions, an example case was used to show the concrete examination process for this kind of forensic image authentication and to verify its effectiveness. File attributes and metadata played an important role in such authentication, although they differed in some respects from traditional examination materials. For example, “Photoshop” information in image metadata traditionally hints at an editing operation, yet it is a normal and reasonable presence in images produced by watermarking camera programs. Therefore, to reach objective and scientific examination opinions, close attention should be paid to the characteristics of the mobile phone’s operating system and of the watermarking camera program, the two key materials for forensic authentication of images produced by personalized camera programs on mobile phones.
  • Topic: Video Detection Technology
    ZHAO Lu, KANG Yanrong, GUO Lili, LONG Yuan, WANG Bo, ZHANG Qian, BAO Menghu, ZHANG Yaoguo
    Forensic Science And Technology. 2022, 47(6): 579-586. https://doi.org/10.16467/j.1008-3650.2022.0034
    Mobile phones, now a necessity for almost everyone, not only bring great convenience to work and life but also record a great deal of data. Digital forensics commonly involves analysis and use of the information stored in suspects’ mobile phones. At present, analysis of data stored on mobile phones mainly targets data that can be checked directly, including contact records, photos and videos, and rarely the log files generated by mobile phone applications. This paper presents a case illustrating the basic method and approach of log analysis. Through in-depth parsing of the QQ app logs stored on the suspect’s mobile phone, investigators extracted internet connection times, contextual network-switching information, active operation records and other useful information, and reconstructed the suspect’s behavioral track during the crime, providing an important reference for inferring the probability that the suspect committed the crime and a clue for further investigation of the case.
  • Experience Exchange
    LIU Wanpeng, ZOU Bo, WAN Minggang
    Forensic Science And Technology. 2022, 47(4): 437-440. https://doi.org/10.16467/j.1008-3650.2022.04.006
    Modern payment methods are sometimes exploited by robbers, e.g., taking money by QR code scanning or third-party payment transfer. Fortunately, the legal requirement of real-name online transactions leaves clues for detecting such cases. Here, a robbery case is discussed in which the robber transferred money from the victim’s Alipay account, using another person’s mobile phone, to accounts on a gambling website, where he gambled and carried out “money laundering”. The robber used a relatively rare method and made efforts to evade existing investigative means, which made the case difficult to investigate and solve. Nevertheless, police investigators used electronic forensic technology to collect and examine several suspects’ mobile phones and found one suspect’s login history on the gambling website on his phone. Under interrogation, the suspect confessed to the crime and to having stolen another person’s mobile phone, used it to obtain the illegal money and then discarded it. From the seized phone that the suspect had discarded, screenshots were successfully extracted showing the victim’s bank card information and the transferred sums, as well as information connected to the suspect’s gains. The chain of evidence was thus completed and the suspect identified.
  • Research and Discussion
    ZHOU Juan, WANG Jun, YI Shuang, YUAN Hongzhao
    Forensic Science And Technology. 2022, 47(2): 211-215. https://doi.org/10.16467/j.1008-3650.2021.0115
    The iPhone provides the “Voice Memo”, “WeChat” and “File” apps, which allow users to forward and dump audio files between them. Forwarding or dumping usually leaves the size and recorded content of an audio file unchanged but changes its metadata and electronic data. Therefore, audio files stored in “Voice Memo” should be authenticated not only by routine analysis of their metadata, signal, semantics and electronic data but also by tracing their source through the system and application log files produced throughout the generation and transfer of the audio files. Using a real case, this paper shows how to trace the transfer process of audio files through the “WeChat” log files stored on an iPhone and, on that basis, judge the authenticity of the relevant audio recordings comprehensively.
  • Research Articles
    SHEN Xiaohu, JIN Tian, WANG Lei, HAN Chaoyang
    Forensic Science And Technology. 2021, 46(6): 587-593. https://doi.org/10.16467/j.1008-3650.2021.0158
    Objective To provide a theoretical basis for examining the recording quality of mobile phones, which is important for reaching correct opinions in forensic voiceprint identification of voice samples from ubiquitous mobile phone calls. Methods A quantitative standard was proposed for evaluating recorded samples obtained from the tested mobile phones over telecom networks of different generations. The standard, based on mainstream identification equipment, covered the number and numerical values of formants in the voiceprint spectrogram, fundamental frequency parameters and the regional average spectrum, and a voiceprint comparison test was carried out. Results The test results showed that recording quality differed to some degree under different conditions, which had a definite influence on voiceprint identification, but not to an essential extent. Conclusion For voice identity authentication, the influence of recording quality differences on the identification of samples recorded from different mobile phones and telecom networks should be considered, evaluated and overcome during identification.
  • Research and Discussion
    ZHOU Juan, YI Shuang
    Forensic Science And Technology. 2021, 46(6): 642-646. https://doi.org/10.16467/j.1008-3650.2021.0109
    Objective To explore the ways in which audio files stored by the “voice memo” app under iOS on iPhone or iPad are generated. Methods Experiments were carried out on the “voice memo” functions of various models of iPhone and iPad, performing operations such as recording, clipping, sharing, saving, replacing and renaming files, and the metadata and tail information of the resulting audio files were compared to determine how each file had been generated. By contrasting the metadata and tail information of audio files transferred and dumped between the “voice memo”, “wechat” and “file” apps, the way in which this information is carried over was explored. Results The metadata and tail information of the resulting audio files differed in a regular way according to the “voice memo” operation applied to the file. Similar regular changes were found when audio files were transferred and dumped between the “voice memo”, “wechat” and “file” apps. Conclusion The way an audio file was generated can be judged by examining its “voice memo” metadata and tail information.
  • Research and Discussion
    YE Fangjian, LU Xilong, LONG Yuan, LIU Guanhua, LIN Min, JIANG Xuemei, DOU Xiuchao, PAN Jiecai, LAN Xinkang
    Forensic Science And Technology. 2021, 46(4): 408-413. https://doi.org/10.16467/j.1008-3650.2021.0101
    Objective To examine how the electronic data of a smart lock change when the lock is opened with a Tesla coil, so that key points and suggestions for crime scene investigation can be put forward. Methods A smart lock was disassembled to examine its fingerprint/password storage chip (MCU: micro control unit, or EEPROM: electrically-erasable programmable read-only memory) and storage mode, and was then unlocked repeatedly with a Tesla coil, with the data in the lock’s chip recorded before and after unlocking for comparison. The lock’s hardware-circuit communication was examined to ascertain which communication mode the Tesla coil had interfered with. An arbitrary waveform generator was used to simulate the interfered communication mode, and the resulting changes were recorded and compared with those caused by the Tesla coil, in order to discover why a Tesla coil can unlock the smart lock. Results The fingerprint and password were found to be stored in the EEPROM of the selected smart lock, with the password kept in plaintext. There are three communication modes between the smart lock’s panel board and the MCU: IRQ (interrupt request line), SCL (system clock line) and SDA (static data authentication). When a Tesla coil opens the smart lock, the communication signal changes, causing the IRQ program to fail and/or become disordered, so that all stored password and fingerprint data are completely erased from the EEPROM, leaving the door open. Conclusions A Tesla coil can interfere with the communication signals of a smart lock, causing the lock’s stored password and fingerprint data to be completely erased from the EEPROM and the lock to open automatically. For crime scene investigation, whether a smart lock has been opened with a Tesla coil can be inferred by checking whether the data stored in the lock’s EEPROM have changed.
  • Exchangeable Experience
    HU Ying, JIN Guohua
    Forensic Science And Technology. 2021, 46(3): 328-330. https://doi.org/10.16467/j.1008-3650.2021.0071
    In recent years, new types of telecommunication network crime have occasionally caused huge losses to people's lives and property, adding to the workload and challenges faced by law enforcement authorities and public security. This paper presents a typical real case of infringement of citizens' personal information through an online lending platform. The investigators used mobile application data capture, app decompilation, source code analysis, image file-format conversion and emulation, and database backup and restoration to collect and fix the evidence, so that the suspects were successfully targeted. Focusing on the digital forensic process, the paper mainly shows how hundreds of millions of pieces of data were acquired, from which key clues and evidence were obtained. The experience and practice described here should be useful and reliable for police digital forensic investigators solving similar telecommunication online crimes.
  • Research Articles
    YUAN Xinyu, ZHANG Xuan, PAN Guangcheng, JIANG Jiguo
    Forensic Science And Technology. 2020, 45(3): 278-283. https://doi.org/10.16467/j.1008-3650.2020.03.014
    The SOHO (small office/home office) router, a common network device, is used universally in households, companies, enterprises and other settings, so it can provide clues both for detecting traditional cases and for investigating cybercrime. This article summarizes the SOHO router's definition, functions, vendors, hardware architecture, software and role in criminal investigation. Two forensic methods, dynamic and static, are then set out for investigating such routers. The dynamic method covers information collection and privilege acquisition while the SOHO router is running; the static method covers information gathering, connection methods, data extraction and firmware analysis for SOHO routers that have been seized as evidence.
  • Research and Discussion
    LONG Yuan, XING Guidong, KANG Yanrong, GUO Lili, ZHAO Lu, ZHANG Yaoguo, BAO Menghu
    Forensic Science And Technology. 2019, 44(4): 347-350. https://doi.org/10.16467/j.1008-3650.2019.04.014
    With the popularity of smartphones, data extraction from them has become an important issue for digital forensics. This paper proposes a new data recovery method for smartphones to deal with a damaged SQLite database. Unlike traditional handling of the SQLite database file itself, the approach traverses data on the basis of the underlying data-storage structure of the SQLite database. Tests on an actual case showed that the method applies not only to the SQLite database but also to Android smartphone images, damaged database files and partition fragments, and produced complete parsing results for all of them. The idea proposed here extends the understanding of digital forensics from computers to mobile phones and provides a new reference for data analysis and recovery on smartphones.
  • Research Articles
    ZHANG Yuqiang, GU Chen
    Forensic Science And Technology. 2018, 43(4): 259-264. https://doi.org/10.16467/j.1008-3650.2018.04.001
    Digital evidence collection (DEC) is one of the most important steps in digital forensics, affecting the efficiency and final investigation results of the cases involved. Traditionally, DEC has rested on the emerging technologies of digital forensics. However, the Big Data context brings new challenges to DEC because of the large quantity of evidence, the diversity of evidence sources, complex evidence types, inconsistent evidence, poor internal relations among pieces of evidence and an excess of invalid data. This paper therefore presents a two-dimensional framework for DEC. First, the framework reuses experience from already-solved cases to orient the digital evidence through a case-based reasoning approach. Second, with the assistance of an expert knowledge base built from an ontology, the diverse evidence sources can be handled. With the help of the knowledge base's inference engine, the inner relationships among various pieces of evidence can be uncovered and the content of the evidence to be collected delimited. By combining the two dimensions, the orientation and the content of DEC, invalid data can be eliminated, efficiency improved and conflicts among evidence avoided, providing an efficient and solid analytic basis for follow-up tasks.
  • Special for the 15th Five-Year Plan
    KANG Yanrong, ZHAO Lu, FAN Wei, ZHANG Zihua
    Forensic Science And Technology. 2018, 43(3): 187-192. https://doi.org/10.16467/j.1008-3650.2018.03.003
    WeChat, presently one of the most popular communication tools, generates a huge quantity of data every day that can be used to profile people’s relationships. How to integrate and mine these massive data to provide intelligence sources and knowledge services for criminal case investigation has therefore become a research focus, albeit a difficult one. In this paper, the time information extracted from WeChat records was taken as the subject of study, so that the relationships of WeChat contacts could be classified by finding correlated time characteristics through hierarchical clustering and K-means clustering analyses. This research has the potential to provide new means of quickly finding criminal gangs or key suspects during case investigation.
  • Special for the 14th Five-Year Plan
    KANG Yanrong, FAN Wei, ZHAO Lu, LIU Ya
    Forensic Science And Technology. 2018, 43(2): 92-96. https://doi.org/10.16467/j.1008-3650.2018.02.002
    Live memory can be extracted from an Android phone when the phone's kernel source can be successfully compiled with the LiME tool. However, in actual electronic forensics the kernel source usually cannot be obtained, because not all Android phone source code is released publicly and much of it is difficult to find. This paper proposes a method that uses a similar kernel to extract live memory from an Android phone by resolving the unknown symbol error. First, the Linux ELF format and the kernel symbol mechanism were analyzed in order to find the function definitions of the unknown symbols in the relevant source code and disable the corresponding configuration. Second, a similar kernel was compiled accordingly so as to exclude those unknown symbol indexes. Finally, the similar kernel was successfully uploaded to Android phones, and live memory was acquired from most of the tested phones.
  • Research Articles
    ZHAO Lu, KANG Yanrong, GUO Lili, LONG Yuan
    Forensic Science And Technology. 2018, 43(1): 17-21. https://doi.org/10.16467/j.1008-3650.2018.01.003
    The smart watch, widely popular for its portability and rich functionality, can store a great deal of information such as phone-call history, instant messages, GPS records and health data, all of which are important for obtaining key clues and strong evidence in digital forensic investigation. This paper summarizes the current state of digital forensic research on and applications to smart watches at home and abroad. The technical difficulties are then analyzed according to the hardware architecture and software data structure of smart watches. Three practical methods are proposed on the basis of experiments in extracting and analyzing data from selected smart watches with different characteristics, giving practical digital forensic means of obtaining data from the smart watches commonly seen on the market. Finally, future directions for digital forensic research on smart watches are put forward, to provide a reference for researchers and technicians engaged in digital forensics.
  • Technical Notes
    ZHU Yanjun, GUO Chenyang
    Forensic Science And Technology. 2018, 43(1): 77-80. https://doi.org/10.16467/j.1008-3650.2018.01.016
    This paper describes digital forensic evidence collection in a case of cyber-destruction against a GPS remote monitoring network based on an industrial control system. By analyzing the structure and working principle by which the GPS remote monitoring system controls engineering machinery, two illegal techniques were discovered by which the machinery was unlocked from GPS control. The equipment used in committing the crime was also investigated, and digital forensics was carried out through parsing, extraction and examination of the electronic data. Finally, the main points of digital forensics in the case are summarized.
  • Research Articles
    HU Ying
    Forensic Science And Technology. 2017, 42(5): 350-354. https://doi.org/10.16467/j.1008-3650.2017.05.002
    Pseudo-base stations are frequently used by culprits to conduct telecommunication fraud. After a brief introduction to the operating principle of the pseudo-base station, the commonly adopted choices for forensic evidence collection and the associated problems, this paper focuses on the data-storage structure used in the pseudo-base station's database. In an example, the sent-records stored in the database were carefully compared and analyzed before and after deletion, demonstrating that the deleted records can be recovered, and the unmasked sent-records were finally recovered and extracted from the database file stored in the pseudo-base station. The methodology and experience can be applied to forensic evidence collection for most pseudo-base stations.
  • Research Articles
    Forensic Science And Technology. https://doi.org/10.16467/j.1008-3650.2003.04.001
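    Objective To describe the professional content and components of electronic evidence examination technology, and the role and significance of carrying out electronic evidence examination. Methods Data on electronic evidence and its examination and identification in the United States, Europe and China were studied and, in combination with the current state of development and needs of physical evidence examination technology in China, electronic evidence examination technology was assessed. Results The definition, objects of examination, technical methods, characteristics and role of electronic evidence examination were put forward, along with the view that an electronic evidence examination specialty should be established in China as soon as possible. Conclusion Electronic evidence examination is the science and technology of identifying, discovering, extracting, preserving, recovering, presenting, analyzing and authenticating the electronic information (electronic evidence) present in electronic devices; its results can serve as investigative leads or as evidence in court. Carrying out electronic evidence examination can effectively improve the efficiency of criminal investigation.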
  • Research Articles
    SHANGGUAN Mengxuan, KANG Yanrong, FAN Wei, ZHANG Guochen, ZHAO Lu
    Forensic Science And Technology. 2017, 42(2): 93-97. https://doi.org/10.16467/j.1008-3650.2017.02.002
    The structure of a suspect's social network helps in analyzing the regularity of his/her information transmission, so that more clues about him/her can be obtained. However, most existing social network correlation methods ignore the attribute type of the data. An algorithm of two-dimensional correlators that includes the data attribute was therefore put forward to improve the calculation of data correlation. A model combining the data dimensions of attribute and quantity was set up to describe the degree of correlation between the owner of a mobile phone and the contacts kept in the phone. The model can be used to identify real contacts from data stored on the mobile phone, such as short messages, calls and the contact list. Finally, with the introduction of visualization tools, a suspect’s social network can be displayed visually. A validity test showed that the method can effectively measure the social interaction between a suspect and his/her contacts in an intuitive social graph, so that the implicit information about the person involved can be further mined from his/her social network, which benefits subsequent work. As a new idea for analyzing a suspect’s social network, the method has practical significance.
  • Forum
    XU Lanchuan, LU Jianming, WANG Xinyu, XU Tao
    Forensic Science And Technology. 2017, 42(2): 151-156. https://doi.org/10.16467/j.1008-3650.2017.02.016
    With the advent of advanced hypervisors and other relevant internet technologies, cloud storage and computing are becoming ubiquitous as a cutting-edge technology. With its nearly infinite data storage, powerful data processing ability, pervasive data sharing mode, constantly changing data status, on-demand self-service, rapid elasticity and broad network access, this emerging technology is totally different from the traditional single-user standalone computers, relatively simple networks and comparatively small data storage, and thereby challenges traditional digital forensics in evidence collection, extraction, fixation and analysis. How to efficiently and effectively obtain evidence, or just clues to it, from the virtual, distributed memories of a cloud computing environment is becoming a hot research topic because of the multiple users and massive data resources involved. Based on the latest domestic and international research on digital forensics in cloud computing environments, this paper begins with a retrospective of the history of digital forensics and a description of the main features of traditional forensics, then analyzes the characteristics of the cloud computing environment, discusses the forensic challenges in cloud computing, and reviews and categorizes the significant and practical studies on models, processes, analysis and tools for cloud computing forensics. This article is likely to provide digital forensic practitioners with new pertinent perspectives and recommendations for their investigations.
  • Technical Notes
    ZHOU Xiang
    Forensic Science And Technology. 2016, 41(6): 491-493. https://doi.org/10.16467/j.1008-3650.2016.06.014
    Telecommunication-and-internet fraud cases have occurred frequently in recent years. Offenders used volatile and tricky swindles to reach their goals. Some of the criminals pretended to be officials of the public security, procuratorate and court organs to gain the trust of the victims, who were then instigated to log onto a specific website where a remote-control program or Trojan was introduced into the victims' computers. Thus, the victims' computers could be remotely operated and their E-bank accounts broken into, resulting in the money in their bank accounts being stolen. Forensic electronic analysis of such cases is difficult because, during authentication, they tend to be categorized as implanted-Trojan cases, which involves program decompiling and code tracking among the multiple tested links, thereby making the case analysis even more complex. In the case reported here, dynamic simulation was used to imitate the victim's computer, and then the time sequence was analyzed of the EEG (electroencephalography) operant behavior in the course of crime. With the sequence of events obtained in this way, the key evidence and clues of the case were uncovered so that the case was truly reconstructed and solved.
  • Forensic Science And Technology.
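    Drawing on the state of electronic physical evidence examination in cases from recent years, this paper analyzes and discusses the factors in on-scene acquisition of electronic data that may affect examination results, and gives technical measures and recommendations for resolving these problems.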
  • Forum
    Forensic Science And Technology.
  • Reviews
    WU Chun-sheng, QIU Min
    Forensic Science And Technology.
    In this paper, the ASP website structure was analyzed. Methods for obtaining IIS information, web logs, website documents and the back-end database were introduced.
  • Technical Exchange
    LUO Wei-li, YANG Yong-chuan
    Forensic Science And Technology.
    In this paper, based on an analysis of existing tool evaluation methods, the writer offers a system for reliability assessment of digital forensic tools, in which basic recognition, qualitative examination and operating procedures are included.
  • Focus: Digital Forensics
    LIU Ya, KANG Yanrong, ZHAO Lu, YU Wenhao, ZHANG Guochen
    Forensic Science And Technology. 2015, 40(6): 431-434. https://doi.org/10.16467/j.1008-3650.2015.06.001
    Volatile memory acquisition from cell phones has gained popularity in recent years, because its analysis yields a wealth of information not available in non-volatile storage. Volatile memory holds items that are important for investigation, such as executing and terminated processes, application data, network connections, and some user names and passwords. In this paper, we introduce a novel idea for cell phone forensics by analyzing a set of Android phone kernel sources and establishing an acquisition method that can extract volatile memory from phones with different kernel versions. On Linux, kernel modules must be compiled against the relevant version of the kernel headers and configuration so that they can be executed on the target system. During module installation, the kernel analyzes two special sections in the module, .modinfo and __versions, and will refuse to load the module if it contains incompatible version magic. Aiming at the different Android kernel versions used on different mobile phones, we analyzed the kernel verification mechanism and explained how to modify the kernel configuration mode and kernel source code to compile a usable memory extraction module. The results show that this method can successfully extract volatile memory from multiple brands and models of Android mobile phones.
  • Focus: Digital Forensics
    LI Zichuan, ZHANG Zuo
    Forensic Science And Technology. 2015, 40(6): 445-449. https://doi.org/10.16467/j.1008-3650.2015.06.004
    As surveillance video detection technology has played an increasingly important role in the investigation of almost all kinds of cases in recent years, criminal suspects often use a variety of means to forge or tamper with surveillance videos. Thus, in the field of electronic evidence research, data recovery from non-universal video surveillance systems is a hot issue. This paper analyzes one kind of video surveillance system with a large market share. Firstly, the critical parameters were resolved, and the size and arrangement of the video surveillance data blocks were obtained. Secondly, the video frame structure was analyzed in depth in order to determine which channel a data block belongs to and to acquire the video record starting time in the data block. Two corresponding algorithms were presented. Eventually, for mistakenly formatted or partially overwritten data, the video surveillance data channels were separated and reorganized, leading to the restoration of the type of video surveillance data. Analysis of arbitrarily selected data blocks confirmed that the key parameters were read out correctly. By comparing the channel number read from the frame format with the channel number actually displayed in the monitoring video, the correctness of the frame format was verified. Combined with an actual case, the results of the two algorithms proposed in this paper were given and their implementation briefly analyzed, showing the efficiency and accuracy of the technology and providing some reference for forensic work on electronic data from other non-universal video surveillance systems. For data search and recovery from non-universal video surveillance, in-depth study is still necessary, in particular on data fragmentation.
  • Forensic Science And Technology.
  • Forensic Science And Technology. 2013, 38(6): 61-62.
  • Reviews
    DU Wei, PENG Jian-xin, MAO Li
    Forensic Science And Technology.
    The concept, characteristics and collecting techniques of internet digital evidence were reviewed in this paper.
  • Forensic Science And Technology. 2013, 38(4): 65-67.