Browsing by Author "Horsman, Graeme"
Item Open Access
Automation for digital forensics: towards a definition for the community
(Elsevier, 2023-07-04) Michelet, Gaëtan; Breitinger, Frank; Horsman, Graeme
With the increasing amount of digital evidence per case, the automation of investigative tasks is of utmost importance to the digital forensics community. Consequently, tools are published, frameworks are released, and artificial intelligence is explored. However, as the foundation, i.e., a definition, classification, and common terminology, is missing, this resembles the wild west: some consider keyword searches or file carving as automation while others do not. We, therefore, reviewed automation literature (in the domain of digital forensics as well as other domains), performed three practitioner interviews, and discussed the topic with domain experts from academia. On this basis, we propose a definition and then showcase several considerations with respect to automation for digital forensics, e.g., what we classify as no/basic automation as well as full automation (autonomous). We conclude that it requires these foundational discussions to promote and progress the discipline through a common understanding.

Item Open Access
Can signs of digital coercive control be evidenced in mobile operating system settings? - A guide for first responders
(Elsevier, 2022-12-09) Horsman, Graeme
Perpetrators of domestic abuse are now frequently utilising technology to survey and regulate the conduct of their victims. Of all digital devices, mobile phones are considered one of the most common to be misused by perpetrators, with reports of their use to track victims via spyware or a device's location services, and to send abusive communications often seen. As a result, any support services and first responders involved in such investigations must ensure they are in a position to identify and understand any signs of technology-facilitated abuse on a mobile device if an investigative opportunity presents itself.
In regards to a victim's phone, attention is often placed upon identifying the presence of unwanted applications or being in receipt of communications showing abuse. However, evidence of abuse can be more subtle, where this work seeks to identify and describe a series of proprietary settings that exist on the mobile operating systems iOS and Android that can be used to exert control, provide oversight of, or, manipulate the way in which a device itself is operated by its user. The intention here is to offer support to those involved in responding to or investigating incidents of abuse to identify and understand the impact of these potentially relevant digital traces.

Item Open Access
Commentary:- Can I use that tool?
(Elsevier, 2024-12-01) Horsman, Graeme
The decision as to whether a given tool can be used for the purposes of conducting a digital forensic examination of a device and its data may seem straightforward, but it is not. As part of their work, practitioners must always seek to identify and use tools that are appropriate for their investigative tasks, deploy them reliably within an applicable scenario, and be able to trust and understand the results that they provide. Before they can begin to do this, they must first ask themselves the question - ‘can I use that tool?‘, where this work considers how a practitioner may begin to formulate an answer. By unpacking the hidden complexity of this question, it is suggested that five sub-questions must be explored by any practitioner when seeking to use a tool, namely - (1) ‘what does that tool do?‘; (2) ‘how do I use that tool?‘; (3) ‘how does the tool do it?‘; (4) ‘does the tool do it properly?’ and (5) ‘should I use the tool?‘.
This work discusses each in turn and the risks they pose to a practitioner.

Item Open Access
Considering ‘technically possible’ alternative meanings for data traces found during a digital forensic examination
(Taylor and Francis, 2022-05-09) Horsman, Graeme
As part of a digital forensic examination, a practitioner may identify data traces that they believe to be relevant to their inquiry and seek to interpret their meaning, forming a primary investigative hypothesis. In addition, practitioners should also consider whether any traces could mean something else. This work discusses the need for practitioners to consider ‘technically possible’ alternative meanings (TPAMs) as a standard component of their interpretive process. It is proposed that, when considering whether any TPAMs exist in addition to the practitioner’s primary investigative hypothesis regarding a data trace, the practitioner’s position may be expressed in one of six ways – ‘the six categories of TPAM’, based upon the available objective support related to or present within their case, from which the TPAM is derived. These six categories are proposed in order to help a practitioner effectively communicate their reasoning for offering a TPAM in regards to any data trace found during an investigation and are defined and discussed.

Item Open Access
The CSI effect(s no one?)
(Elsevier, 2019-06-04) Errickson, David; Giles, Stephanie; Horsman, Graeme

Item Open Access
Data for "Digital forensic science peer review survey UK and Norway"
(Cranfield University, 2024-10-28) Ryser, Elenore; Horsman, Graeme

Item Open Access
Digital evidence strategies for digital forensic science examinations
(Elsevier, 2022-12-08) Horsman, Graeme
Given the size and complexity of many digital forensic science device examinations, there is a need for practitioners to formally and strategically determine a course of conduct which allows them to undertake the most robust and efficient examination possible.
This work outlines both the need for practitioners to have a digital evidence strategy (DES) when tackling any given examination scenario, how to construct one and the concerns which exist when no formal DES is in place. Approaches to DES development are examined and the context to which they should be deployed are analysed, with focus being on the use of DESs at the examination/processing stage of the investigative workflow. Finally, a ‘DES skeleton’ is offered to guide practitioners as they seek to create their own DES.

Item Open Access
Forming an investigative opinion in digital forensics
(Wiley, 2022-05-09) Horsman, Graeme
As we now see digital evidence play a role in many investigative scenarios, it is imperative that those seeking to rely upon it as part of criminal justice processes can do so, absent any concern regarding its validity. Interpreting the meaning of digital data and its potential value to a criminal inquiry as part of a digital forensic examination is a complex and multifaceted process requiring the practitioner to possess the relevant knowledge, experience, and insight needed to determine the case-significance of a given data trace accurately. Erroneously interpreted data that is communicated to a client and subsequently relied upon can have far-reaching consequences for all those involved in the investigative process. This work discusses the process of forming investigative opinions in digital forensic science examinations, what this means in practice, and the ways in which it can be achieved.
Focus will be given to the process of forming an investigative opinion when underpinned through the reconstruction and testing of a suspect system/setup, with a formal three-stage methodology for doing this outlined.

Item Open Access
Fostering an “investigating mindset”: Why is it important in digital forensic science education?
(Wiley, 2023-12-10) Horsman, Graeme; Ryser, Elenore; Shavers, Brett
The importance of the field of digital forensics (DF) is growing, where digital evidence is increasingly recognized as a crucial part of many investigations. As a result, criminal justice systems rely on DF practitioners to conduct robust investigations of digital devices and their data, and interpret and present these results in a way that can be relied upon. Undertaking this task appropriately requires a practitioner to have a range of skills; however, focus is often placed on the need for and importance of technical competency. Technical skills are vital in this role, that cannot be in dispute; however, this work discusses the need for practitioners to also have an “investigative mindset.”

Item Open Access
GAMEPLANS: a template for robust digital evidence strategy development
(Wiley, 2025-01) Horsman, Graeme
Law enforcement officers should now expect to encounter forms of digital evidence at most of their inquiries, and as a result ensure they are prepared to effectively deal with it. This should involve the production of a digital evidence strategy (DES) which describes those actions required of any investigative team to effectively identify, collect, examine, and evaluate any digital devices/data, while also defining the circumstances for when it is appropriate to conduct such tasks.
To help officers to produce robust DESs this work provides a DES template which utilizes the “GAMEPLANS” acrostic to identify nine fundamental components that are required of all DESs—“G”–Grounds for investigation; “A”–Authorization; “M”–Method of investigation; “E”–Evaluation of the meaning of any findings; “P”–Proportionality; “L”–Logic; “A”–Agreement; “N”–Necessity; “S”–Scrutiny. Each of these components are described including the sub‐tasks that are contained within each, which any officer constructing a robust and effective DES must address (and provide evidence of having addressed). To support this, a DES template file is also provided, which can be utilized by officers.

Item Open Access
The Hierarchy of Case Priority (HiCaP):- A proposed method for case prioritisation in digital forensic laboratories
(Elsevier, 2022-09-10) Horsman, Graeme
The need for digital forensic science (DFS) services has grown due to widespread and consistent engagement with technology by members of society. Whilst digital evidence often plays an important role in many inquiries, available investigative resources have failed to keep pace with such demand for them. As a result, the use case prioritisation models for backlog/workload management are of increasing importance to ensure the effective deployment of laboratory resources. This work focuses on the concept of case prioritisation in a digital forensic laboratory setting, following the submission of exhibits for examination, where this workflow is described. The challenges of case management and prioritisation in laboratories are discussed, with both ‘case acceptance’ and ‘case prioritisation’ procedures explained. Finally, the ‘Hierarchy of Case Priority’ (HiCaP) - a transparent, risk-based approach for the prioritisation of cases for examination, is proposed and described using examples.

Item Open Access
Identifying fake vs. real communication records: a case study
(Elsevier, 2023-12-08) Horsman, Graeme
Records of communication often play an important role in many criminal inquiries giving insight into existing and alleged relationships. The forensic analysis of digital devices can provide such information, however in some cases, screen captured records may be all that is available. In these instances, it is necessary to evaluate the authenticity of this information given the availability of free to use communication record mockup services that can be used to create realistic looking, but fictitious communication records. This work seeks to ascertain whether freely available communication record mockup services pose a threat to law enforcement officers in terms of not being able to distinguish a communication record mockup from a genuine communication record screen capture. An evaluation of communication record mockup services for creating WhatsApp, iMessage and Twitter mockups are identified and their ability to create realistic communication record mockups is evaluated. The results of these tests are provided and discussed, and 41 communication record mockups are supplied forming one of the first datasets to support those conducting communication record authenticity checks.

Item Open Access
The importance of digital evidence strategies
(Wiley, 2023-10-28) Horsman, Graeme
As the complexity of digital forensic work continues to grow, and the demands and pressures placed on practitioners to complete their investigatory commitments remain, methods for conducting effective and efficient work are of paramount importance. To combat examination challenges any investigating team requires two fundamental and linked components; those conducting DF examinations should develop (1) a digital evidence strategy (DES) that outlines an effective investigative approach, and, (2) deploy it using appropriate tools and techniques.
While these should be considered as a pair, arguably as tools have become more comprehensive and more akin to “suites,” there is a real risk that tools themselves are being considered an “examination strategy,” bypassing the need for investigative forethought. Given this concern, through the vehicle of an example deconstructed hypothetical forensic examination process, this work discusses the relationship between DESs and digital forensic tools, and the importance of both.

Item Open Access
Interpreting digital traces:- 8 foundational pillars to support the formation of opinion in digital forensics
(Elsevier, 2023-12-03) Horsman, Graeme
The field of digital forensics (DF) is facing increasing scrutiny of the quality of the work it produces. Fundamental to it is the need for its practitioners to be able to accurately determine the meaning of potentially relevant digital traces found during an examination of a device. As the reliance on digital evidence continues to grow, so does the importance of digital trace-interpretation. It is therefore imperative that this task is conducted robustly, where this work describes ‘eight pillars’ that should underpin how a practitioner has gone about interpreting any given digital trace.

Item Open Access
Investigative opportunities from smart heating technology: a preliminary evaluation
(Taylor and Francis, 2024-03-27) Horsman, Graeme
This work provides a case study documenting one of the first digital forensic examinations of a smart home heat system – Hive. The case study tries to address the forensic questions that law enforcement are likely to have in regards to smart home heating systems as well as highlighting relevant digital investigative opportunities. Data extracted from the Hive smart heating app (v. 10.54.2 (3)) when used on iOS v. 14.2 is presented and evaluated in order to determine whether it is possible to understand who has control over a heating system and what their controlling actions look like in regard to operating the system. Findings show that user information, pincode details and records of how the heating and water functionality can be acquired.

Item Open Access
Reviewing the devices of those subject to Sexual Harm Prevention Orders (SHPOs): iOS opportunities, limitations and strategies
(Taylor & Francis, 2025-01) Horsman, Graeme
In England and Wales, Management of Sexual or Violent Offenders (MOSOVO) teams are often tasked with managing offenders that are subject to Sexual Harm Prevention Orders SHPOs. These orders are put in place to protect the public and contain a series of prohibitions that allow for an offender’s conduct to be regulated and reviewed. SHPOs can be used to govern how offenders use their digital devices, particularly with regard to accessing the internet and the sending of electronic communications. To ensure SHPO compliance, officers frequently conduct reviews of any offender’s devices, sometimes manually by traversing a device’s menus and screens. These device manual reviews are not easy to conduct, often done under time pressures and in the knowledge that any missed evidence of misconduct may facilitate an offender to continue any wrongdoing and potentially increase the risk of harm to members of the public. Further, it is not always technical specialists undertaking this role. This work outlines a manual review strategy for devices running the operating system iOS (Apple products) to support officers in this role.
Guided by commonly included SHPO prohibitions, relevant digital traces for evaluating SHPO compliance are highlighted, and limitations surrounding determining user behaviour are also discussed.

Item Open Access
Sources of error in digital forensics
(Elsevier, 2024-02-09) Horsman, Graeme
The occurrence of errors in forensic practice is inevitable, and whilst we may not feel comfortable with the idea, the truth of it must be acknowledged. At a time where forensic science is under intense scrutiny regarding the quality of its work, there has never been a greater need for it. In relation to the field of digital forensics (DF), the support it offers law enforcement is fundamental to many of its inquiries, and ensuring the reliability and accuracy of its services is vital. Errors in forensic practice can have far-reaching consequences for all those involved in an investigation, and practitioners and their organisations must take steps to identify, mitigate and manage them. This work focuses on the concept of error in relation to the field of DF. It first explores what an error is and the language used to describe one before mapping potential sources of error against the stages of the DF investigative process. This is done to assist those in the DF field to identify error sources, what they are and where they come from, and to facilitate the attribution of errors to a source, helping them to address them effectively.

Item Open Access
Technical reporting in digital forensics
(Wiley, 2022-08-15) Horsman, Graeme
One of the primary roles of a practitioner in the field of digital forensics (DF) is to conduct the examination of any lawfully seized digital device content and report upon any findings that may support an inquiry being conducted.
While there are many intricacies to this task, in some cases, an inquiry will commence with a practitioner carrying out the necessary examination work required to report any findings at a “technical level.” Such technical reports are often used for intelligence gathering purposes in an attempt to establish the potential evidential value of a device or data set and are often a precursor to, and catalyst for, further and often more extensive forensic work being commissioned. Therefore, the ability to report at a technical level should be considered a fundamental skill required of all practitioners in this discipline and any attempts to provide guidance and support for conducting this task effectively should be encouraged. This work explores the role of technical reporting, where a series of reporting examples are presented that explore the intricacies involved with conveying digital forensic findings at a technical level. Procedural and linguistic challenges are investigated and evaluated in order to acknowledge the pitfalls that practitioners may encounter and to identify potential technical reporting best practices.

Item Open Access
A template for creating and sharing ground truth data in digital forensics
(Wiley, 2024-04-21) Horsman, Graeme
Ground truth data (GTD) is used by those in the field of digital forensics (DF) for a variety of purposes including to evaluate the functionality of undocumented, new, or emerging technology and services and the digital traces left behind following their usage. Most accepted and reliable trace interpretations must be derived from an examination of relevant GTD, yet despite the importance of it to the DF community, there is little formal guidance available for supporting those who create it, to do so in a way that ensures any data is of good quality, reliable, and therefore usable.
In an attempt to address this issue, this work proposes a minimum standard of documentation that must accompany the production of any GTD, particularly when it is intended for use in the process of discovering new knowledge, proposing original interpretations of a digital trace, or determining the functionality of any technology or service. A template structure is discussed and provided in Appendix S1 which sets out a minimum standard for metadata describing any GTD's production process and content. It is suggested that such an approach can support the maintenance of trust in any GTD and improve the shareability of it.

Item Open Access
That tool is rubbish!...or is it?
(Elsevier, 2022-08-05) Horsman, Graeme
Digital forensic practitioners often utilise a range of tools throughout their casework in order to access, identify and analyse relevant data, making them a vital part of conducting thorough, efficient and accurate digital examinations of device content and datasets. Whilst their importance cannot be understated, there is also no guarantee that their functionality is free from error, where similarly, no practitioner can 100% assure that their performance is flawless. Should an error occur during an investigation, assuming that it has been identified, then determining the cause of it is important for the purposes of ensuring quality control in both the immediate investigation and for longer-term practice improvements. Perhaps anecdotally, a starting position in any postmortem review of an error may be to suspect that any tools used may be at fault, where recent narratives and initiatives have enforced the need to evaluate all tools prior to them being used in any live investigation. Yet, in addition, an error may occur as a result of a practitioner’s investigative conduct.
This work discusses the concept of ‘fault-attribution’, focusing on the roles of the forensic tool and practitioner, and proposes a series of principles for determining responsibility for an investigative error.