Browsing by Author "Horsman, Graeme"
Item Open Access
Automation for digital forensics: towards a definition for the community (Elsevier, 2023-07-04)
Michelet, Gaëtan; Breitinger, Frank; Horsman, Graeme
With the increasing amount of digital evidence per case, the automation of investigative tasks is of utmost importance to the digital forensics community. Consequently, tools are published, frameworks are released, and artificial intelligence is explored. However, as the foundation, i.e., a definition, classification, and common terminology, is missing, this resembles the wild west: some consider keyword searches or file carving as automation while others do not. We, therefore, reviewed automation literature (in the domain of digital forensics as well as other domains), performed three practitioner interviews, and discussed the topic with domain experts from academia. On this basis, we propose a definition and then showcase several considerations with respect to automation for digital forensics, e.g., what we classify as no/basic automation as well as full automation (autonomous). We conclude that it requires these foundational discussions to promote and progress the discipline through a common understanding.

Item Open Access
Can signs of digital coercive control be evidenced in mobile operating system settings? - A guide for first responders (Elsevier, 2022-12-09)
Horsman, Graeme
Perpetrators of domestic abuse are now frequently utilising technology to survey and regulate the conduct of their victims. Of all digital devices, mobile phones are considered one of the most common to be misused by perpetrators, with reports of their use to track victims via spyware or a device's location services, and to send abusive communications often seen. As a result, any support services and first responders involved in such investigations must ensure they are in a position to identify and understand any signs of technology-facilitated abuse on a mobile device if an investigative opportunity presents itself.
In regards to a victim's phone, attention is often placed upon identifying the presence of unwanted applications or being in receipt of communications showing abuse. However, evidence of abuse can be more subtle, where this work seeks to identify and describe a series of proprietary settings that exist on the mobile operating systems iOS and Android that can be used to exert control, provide oversight of, or, manipulate the way in which a device itself is operated by its user. The intention here is to offer support to those involved in responding to or investigating incidents of abuse to identify and understand the impact of these potentially relevant digital traces.

Item Open Access
Considering ‘technically possible’ alternative meanings for data traces found during a digital forensic examination (Taylor and Francis, 2022-05-09)
Horsman, Graeme
As part of a digital forensic examination, a practitioner may identify data traces that they believe to be relevant to their inquiry and seek to interpret their meaning, forming a primary investigative hypothesis. In addition, practitioners should also consider whether any traces could mean something else. This work discusses the need for practitioners to consider ‘technically possible’ alternative meanings (TPAMs) as a standard component of their interpretive process. It is proposed that, when considering whether any TPAMs exist in addition to the practitioner’s primary investigative hypothesis regarding a data trace, the practitioner’s position may be expressed in one of six ways – ‘the six categories of TPAM’, based upon the available objective support related to or present within their case, from which the TPAM is derived.
These six categories are proposed in order to help a practitioner effectively communicate their reasoning for offering a TPAM in regards to any data trace found during an investigation and are defined and discussed.

Item Open Access
The CSI effect(s no one?) (Elsevier, 2019-06-04)
Errickson, David; Giles, Stephanie; Horsman, Graeme

Item Open Access
Forming an investigative opinion in digital forensics (Wiley, 2022-05-09)
Horsman, Graeme
As we now see digital evidence play a role in many investigative scenarios, it is imperative that those seeking to rely upon it as part of criminal justice processes can do so, absent any concern regarding its validity. Interpreting the meaning of digital data and its potential value to a criminal inquiry as part of a digital forensic examination is a complex and multifaceted process requiring the practitioner to possess the relevant knowledge, experience, and insight needed to determine the case-significance of a given data trace accurately. Erroneously interpreted data that is communicated to a client and subsequently relied upon can have far-reaching consequences for all those involved in the investigative process. This work discusses the process of forming investigative opinions in digital forensic science examinations, what this means in practice, and the ways in which it can be achieved. Focus will be given to the process of forming an investigative opinion when underpinned through the reconstruction and testing of a suspect system/setup, with a formal three-stage methodology for doing this outlined.

Item Open Access
Fostering an “investigating mindset”: Why is it important in digital forensic science education? (Wiley, 2023-12-10)
Horsman, Graeme; Ryser, Elenore; Shavers, Brett
The importance of the field of digital forensics (DF) is growing, where digital evidence is increasingly recognized as a crucial part of many investigations.
As a result, criminal justice systems rely on DF practitioners to conduct robust investigations of digital devices and their data, and interpret and present these results in a way that can be relied upon. Undertaking this task appropriately requires a practitioner to have a range of skills; however, focus is often placed on the need for and importance of technical competency. Technical skills are vital in this role, that cannot be in dispute; however, this work discusses the need for practitioners to also have an “investigative mindset.”

Item Open Access
The Hierarchy of Case Priority (HiCaP):- A proposed method for case prioritisation in digital forensic laboratories (Elsevier, 2022-09-10)
Horsman, Graeme
The need for digital forensic science (DFS) services has grown due to widespread and consistent engagement with technology by members of society. Whilst digital evidence often plays an important role in many inquiries, available investigative resources have failed to keep pace with such demand for them. As a result, the use case prioritisation models for backlog/workload management are of increasing importance to ensure the effective deployment of laboratory resources. This work focuses on the concept of case prioritisation in a digital forensic laboratory setting, following the submission of exhibits for examination, where this workflow is described. The challenges of case management and prioritisation in laboratories are discussed, with both ‘case acceptance’ and ‘case prioritisation’ procedures explained. Finally, the ‘Hierarchy of Case Priority’ (HiCaP) - a transparent, risk-based approach for the prioritisation of cases for examination, is proposed and described using examples.

Item Open Access
Identifying fake vs. real communication records: a case study (Elsevier, 2023-12-08)
Horsman, Graeme
Records of communication often play an important role in many criminal inquiries giving insight into existing and alleged relationships.
The forensic analysis of digital devices can provide such information, however in some cases, screen captured records may be all that is available. In these instances, it is necessary to evaluate the authenticity of this information given the availability of free to use communication record mockup services that can be used to create realistic looking, but fictitious communication records. This work seeks to ascertain whether freely available communication record mockup services pose a threat to law enforcement officers in terms of not being able to distinguish a communication record mockup from a genuine communication record screen capture. An evaluation of communication record mockup services for creating WhatsApp, iMessage and Twitter mockups are identified and their ability to create realistic communication record mockups is evaluated. The results of these tests are provided and discussed, and 41 communication record mockups are supplied forming one of the first datasets to support those conducting communication record authenticity checks.

Item Open Access
The importance of digital evidence strategies (Wiley, 2023-10-28)
Horsman, Graeme
As the complexity of digital forensic work continues to grow, and the demands and pressures placed on practitioners to complete their investigatory commitments remain, methods for conducting effective and efficient work are of paramount importance. To combat examination challenges any investigating team requires two fundamental and linked components; those conducting DF examinations should develop (1) a digital evidence strategy (DES) that outlines an effective investigative approach, and, (2) deploy it using appropriate tools and techniques. While these should be considered as a pair, arguably as tools have become more comprehensive and more akin to “suites,” there is a real risk that tools themselves are being considered an “examination strategy,” bypassing the need for investigative forethought.
Given this concern, through the vehicle of an example deconstructed hypothetical forensic examination process, this work discusses the relationship between DESs and digital forensic tools, and the importance of both.

Item Embargo
Interpreting digital traces:- 8 foundational pillars to support the formation of opinion in digital forensics (Elsevier, 2023-12-03)
Horsman, Graeme
The field of digital forensics (DF) is facing increasing scrutiny of the quality of the work it produces. Fundamental to it is the need for its practitioners to be able to accurately determine the meaning of potentially relevant digital traces found during an examination of a device. As the reliance on digital evidence continues to grow, so does the importance of digital trace-interpretation. It is therefore imperative that this task is conducted robustly, where this work describes ‘eight pillars’ that should underpin how a practitioner has gone about interpreting any given digital trace.

Item Open Access
Investigative opportunities from smart heating technology: a preliminary evaluation (Taylor and Francis, 2024-03-27)
Horsman, Graeme
This work provides a case study documenting one of the first digital forensic examinations of a smart home heat system – Hive. The case study tries to address the forensic questions that law enforcement are likely to have in regards to smart home heating systems as well as highlighting relevant digital investigative opportunities. Data extracted from the Hive smart heating app (v. 10.54.2 (3)) when used on iOS v. 14.2 is presented and evaluated in order to determine whether it is possible to understand who has control over a heating system and what their controlling actions look like in regard to operating the system.
Findings show that user information, pincode details and records of how the heating and water functionality can be acquired.

Item Open Access
Reviewing the devices of those subject to Sexual Harm Prevention Orders (SHPOs): iOS opportunities, limitations and strategies (Taylor & Francis, 2023-09-05)
Horsman, Graeme
In England and Wales, Management of Sexual or Violent Offenders (MOSOVO) teams are often tasked with managing offenders that are subject to Sexual Harm Prevention Orders SHPOs. These orders are put in place to protect the public and contain a series of prohibitions that allow for an offender’s conduct to be regulated and reviewed. SHPOs can be used to govern how offenders use their digital devices, particularly with regard to accessing the internet and the sending of electronic communications. To ensure SHPO compliance, officers frequently conduct reviews of any offender’s devices, sometimes manually by traversing a device’s menus and screens. These device manual reviews are not easy to conduct, often done under time pressures and in the knowledge that any missed evidence of misconduct may facilitate an offender to continue any wrongdoing and potentially increase the risk of harm to members of the public. Further, it is not always technical specialists undertaking this role. This work outlines a manual review strategy for devices running the operating system iOS (Apple products) to support officers in this role. Guided by commonly included SHPO prohibitions, relevant digital traces for evaluating SHPO compliance are highlighted, and limitations surrounding determining user behaviour are also discussed.

Item Open Access
Sources of error in digital forensics (Elsevier, 2024-02-09)
Horsman, Graeme
The occurrence of errors in forensic practice is inevitable, and whilst we may not feel comfortable with the idea, the truth of it must be acknowledged.
At a time where forensic science is under intense scrutiny regarding the quality of its work, there has never been a greater need for it. In relation to the field of digital forensics (DF), the support it offers law enforcement is fundamental to many of its inquiries, and ensuring the reliability and accuracy of its services is vital. Errors in forensic practice can have far-reaching consequences for all those involved in an investigation, and practitioners and their organisations must take steps to identify, mitigate and manage them. This work focuses on the concept of error in relation to the field of DF. It first explores what an error is and the language used to describe one before mapping potential sources of error against the stages of the DF investigative process. This is done to assist those in the DF field to identify error sources, what they are and where they come from, and to facilitate the attribution of errors to a source, helping them to address them effectively.

Item Open Access
Technical reporting in digital forensics (Wiley, 2022-08-15)
Horsman, Graeme
One of the primary roles of a practitioner in the field of digital forensics (DF) is to conduct the examination of any lawfully seized digital device content and report upon any findings that may support an inquiry being conducted. While there are many intricacies to this task, in some cases, an inquiry will commence with a practitioner carrying out the necessary examination work required to report any findings at a “technical level.” Such technical reports are often used for intelligence gathering purposes in an attempt to establish the potential evidential value of a device or data set and are often a precursor to, and catalyst for, further and often more extensive forensic work being commissioned.
Therefore, the ability to report at a technical level should be considered a fundamental skill required of all practitioners in this discipline and any attempts to provide guidance and support for conducting this task effectively should be encouraged. This work explores the role of technical reporting, where a series of reporting examples are presented that explore the intricacies involved with conveying digital forensic findings at a technical level. Procedural and linguistic challenges are investigated and evaluated in order to acknowledge the pitfalls that practitioners may encounter and to identify potential technical reporting best practices.

Item Open Access
A template for creating and sharing ground truth data in digital forensics (Wiley, 2024-04-21)
Horsman, Graeme
Ground truth data (GTD) is used by those in the field of digital forensics (DF) for a variety of purposes including to evaluate the functionality of undocumented, new, or emerging technology and services and the digital traces left behind following their usage. Most accepted and reliable trace interpretations must be derived from an examination of relevant GTD, yet despite the importance of it to the DF community, there is little formal guidance available for supporting those who create it, to do so in a way that ensures any data is of good quality, reliable, and therefore usable. In an attempt to address this issue, this work proposes a minimum standard of documentation that must accompany the production of any GTD, particularly when it is intended for use in the process of discovering new knowledge, proposing original interpretations of a digital trace, or determining the functionality of any technology or service. A template structure is discussed and provided in Appendix S1 which sets out a minimum standard for metadata describing any GTD's production process and content.
It is suggested that such an approach can support the maintenance of trust in any GTD and improve the shareability of it.

Item Open Access
When finding nothing may be evidence of something: Anti-forensics and digital tool marks (Elsevier, 2019-06-03)
Horsman, Graeme; Errickson, David
There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.

Item Open Access
When is a line of inquiry ‘reasonable’? - a focus on digital devices (Taylor and Francis, 2022-03-18)
Horsman, Graeme
Many of the inquiries now made by law enforcement into suspected criminal conduct involve the interrogation of digital data generated by those parties subject to an investigation. This data often exists in large quantities where inquiry-irrelevant information is likely to be in abundance.
When conducting an investigation that contains digital device/data, an investigatory team in England and Wales is under an obligation to pursue all reasonable lines of inquiry, however, determining ‘reasonableness’ is not straightforward where unfettered access to all available data should not be a default position in all cases and a suspect’s right to privacy respected. This work examines when a line of inquiry is ‘reasonable’ if it involves a digital device, with the ‘reasonable line of inquiry framework’ offered to support investigatory teams to determine this. This approach is designed to support the production of transparent, robust and defensible decisions regarding the assessment of reasonableness.