Publications (10 of 11)
Olegård, J. & Axelsson, S. (2025). Digital Forensic Acquisition Using Private Internet of Things Cloud Application Programming Interfaces. In: Elizabeth Kurkowski, Sujeet Shenoi (Ed.), Advances in Digital Forensics XX: 20th IFIP WG 11.9 International Conference, New Delhi, India, January 4–5, 2024, Revised Selected Papers. Paper presented at 20th IFIP WG 11.9 International Conference, New Delhi, India, January 4–5, 2024 (pp. 141-163). Springer
Digital Forensic Acquisition Using Private Internet of Things Cloud Application Programming Interfaces
2025 (English). In: Advances in Digital Forensics XX: 20th IFIP WG 11.9 International Conference, New Delhi, India, January 4–5, 2024, Revised Selected Papers / [ed] Elizabeth Kurkowski, Sujeet Shenoi, Springer, 2025, p. 141-163. Conference paper, Published paper (Refereed)
Abstract [en]

Digital forensic practitioners face two key challenges when investigating Internet of Things devices. One is the need to reverse engineer a plethora of different devices and the other is the volatility of device data, including deleted data. This chapter attempts to address these challenges by focusing on the extraction of Internet of Things device data from the cloud by leveraging private application programming interfaces, an area that is relatively understudied in digital forensics. Specifically, this chapter presents the results of a study of decrypted traffic between six Android mobile apps (not the Internet of Things devices) and their respective cloud systems. The study results point to the feasibility of the approach and highlight the challenge involved in discovering additional application programming interface endpoints in a non-intrusive manner.

Place, publisher, year, edition, pages
Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 724 IFIP
Keywords
Application Programming Interface Forensics, Internet of Things Forensics, Reverse Engineering, Transport Layer Security
National Category
Bioinformatics (Computational Biology)
Identifiers
urn:nbn:se:su:diva-240210 (URN); 10.1007/978-3-031-71025-4_8 (DOI); 2-s2.0-85216105798 (Scopus ID); 9783031710247 (ISBN)
Conference
20th IFIP WG 11.9 International Conference, New Delhi, India, January 4–5, 2024
Available from: 2025-03-06. Created: 2025-03-06. Last updated: 2025-03-06. Bibliographically approved
Olegård, J., Axelsson, S. & Li, Y. (2025). When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation. Forensic Science International: Digital Investigation, 52, Article ID 301877.
When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation
2025 (English). In: Forensic Science International: Digital Investigation, ISSN 2666-2825, Vol. 52, article id 301877. Article in journal (Refereed) Published
Abstract [en]

It is generally agreed that logs are necessary for understanding cyberattacks post-incident. However, little is known about what specific information logs should contain to be forensically helpful. This uncertainty, combined with the fact that conventional logs are often not designed with security in mind, often results in logs with too much or too little information. Events in one log are also often challenging to correlate with events in other logs. Most previous research has focused on preserving, filtering, and interpreting logs, rather than addressing what should be logged in the first place. This paper explores logging sufficiency through the lens of Digital Forensic Readiness, and highlights the absence of causal information in conventional logs. To address this gap, we propose a novel logging system leveraging “gretel numbers” to track causal information—such as attacker movement—across multiple applications in a tamper-resistant manner. A prototype, implemented using the Extended Berkeley Packet Filter (EBPF) and an Nginx web server, shows that causality tracking imposes minimal resource overhead, though log size management remains critical for scalability.

Keywords
Anti-anti-forensics, Digital forensics, Event-reconstruction, Logging, Provenance graph
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:su:diva-242034 (URN); 10.1016/j.fsidi.2025.301877 (DOI); 001460881900004 (); 2-s2.0-105000598471 (Scopus ID)
Available from: 2025-04-14. Created: 2025-04-14. Last updated: 2025-04-24. Bibliographically approved
Huskaj, G. & Axelsson, S. (2023). A Whole-of-Society Approach to Organise for Offensive Cyberspace Operations: The Case of the Smart State Sweden. In: Antonios Andreatos; Christos Douligeris (Ed.), Proceedings of the 22nd European Conference on Cyber Warfare and Security: . Paper presented at 22nd European Conference on Cyber Warfare and Security (ECCWS 2023), Athens, Greece, 22-23 June, 2023 (pp. 592-601). Reading: Academic Conferences and Publishing International Limited
A Whole-of-Society Approach to Organise for Offensive Cyberspace Operations: The Case of the Smart State Sweden
2023 (English). In: Proceedings of the 22nd European Conference on Cyber Warfare and Security / [ed] Antonios Andreatos; Christos Douligeris, Reading: Academic Conferences and Publishing International Limited, 2023, p. 592-601. Conference paper, Published paper (Refereed)
Abstract [en]

Threat actors conduct offensive cyberspace operations for many purposes, such as espionage, to destroy information assets, and cybercrime. These operations are possible thanks to the innovation and development of information and communications technologies (ICT). Interconnected information systems have transformed societies positively. However, specific states exploit these systems' vulnerabilities to advance their strategic national interests. Therefore, it is important to know how a state can organise itself to defend against threat actors. The purpose of this research is to present how the smart state Sweden can through a whole-of-society approach organise for Offensive Cyberspace Operations. The intent is to conduct an active and independent foreign-, security- and defence policy, but also as a base for deterrence and defence. This article is based on a mixed methods approach. It uses the case study research strategy to discover new information. Fourteen men and women participated in individual semi-structured interviews. The respondents ranged in age from 40 to 65 with more than 20 years of experience in cyberspace operations, intelligence operations, military operations, special forces operations, and knowledge and understanding about information warfare and information operations. The analytic strategies include thematic analysis and quantitative methods to interpret the data. The results show many themes, but the article is especially focused on the themes of Operations, Capability, Policy & Governance, and Legal Frameworks. Finally, a conceptual map of a whole-of-society approach to organise for offensive cyberspace operations is presented inferred from the themes, codes, and content, and mapped to each responsible agency based on the interviews and codes. 
The answer to the research question is that Sweden should have a whole-of-society approach to organise for Offensive Cyberspace Operations to project power in and through cyberspace with the intent to conduct an active and independent foreign, security and defence policy and for deterrence, as described in Figure 2. 

Place, publisher, year, edition, pages
Reading: Academic Conferences and Publishing International Limited, 2023
Series
European Conference on Cyber Warfare and Security - Conference Proceedings, ISSN 2048-8602, E-ISSN 2048-8610 ; 22
Keywords
deterrence, cyberspace capabilities, information systems, offensive cyberspace operations, smart state
National Category
Information Systems, Social aspects
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-224802 (URN); 10.34190/eccws.22.1.1188 (DOI); 2-s2.0-85167587161 (Scopus ID); 978-1-914587-70-2 (ISBN); 978-1-914587-69-6 (ISBN)
Conference
22nd European Conference on Cyber Warfare and Security (ECCWS 2023), Athens, Greece, 22-23 June, 2023
Available from: 2023-12-27. Created: 2023-12-27. Last updated: 2024-10-29. Bibliographically approved
Nordvik, R. & Axelsson, S. (2022). It is about time–Do exFAT implementations handle timestamps correctly?. Forensic Science International: Digital Investigation, 42-43, Article ID 301476.
It is about time–Do exFAT implementations handle timestamps correctly?
2022 (English). In: Forensic Science International: Digital Investigation, ISSN 2666-2825, Vol. 42-43, article id 301476. Article in journal (Refereed) Published
Abstract [en]

Digital forensic investigations require that file metadata are interpreted correctly. In this paper we focus on the timestamps of the exFAT file system. How these timestamps are written may depend on the implementation of the file system. We have performed experiments using Windows, MacOS and Linux to examine whether the respective file system drivers for exFAT use timestamps in the same manner, and whether they take the directory entry UTCOffset fields into account. We have also studied whether the forensic tools: Autopsy, X-Ways Forensics, EnCase Examiner, and FTK Imager interpret the timestamps consistently.

The results show that there are substantial inconsistencies both in the file system implementations and in how forensic tools handle these inconsistencies. For the unwary forensic examiner, there is a clear risk of interpreting timestamps incorrectly by a substantial margin.

We conclude that timestamp interpretation during criminal investigations should not be based on the assumption that the file system specifications are followed flawlessly by the file system driver developers or necessarily interpreted and displayed correctly by the digital forensic tools.

Keywords
Digital Forensics, Timezone, Timestamps, Metadata, File systems
National Category
Computer and Information Sciences
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-212472 (URN); 10.1016/j.fsidi.2022.301476 (DOI); 000881766300001 (); 2-s2.0-85141845114 (Scopus ID)
Available from: 2022-12-07. Created: 2022-12-07. Last updated: 2023-02-10. Bibliographically approved
Stoykova, R., Nordvik, R., Ahmed, M., Franke, K., Axelsson, S. & Toolan, F. (2022). Legal and technical questions of file system reverse engineering. The Computer Law and Security Review, 46, Article ID 105725.
Legal and technical questions of file system reverse engineering
2022 (English). In: The Computer Law and Security Review, ISSN 0267-3649, Vol. 46, article id 105725. Article in journal (Refereed) Published
Abstract [en]

Reverse engineering of file systems is indispensable for tool testing, accurate evidence acquisition, and correct interpretation of data structures by law enforcement in criminal investigations. This position paper examines emerging techno-legal challenges from the practice of reverse engineering for law enforcement purposes. We demonstrate that this new context creates uncertainties about the legality of tools and methods used for evidence acquisition and the compliance of law enforcement with obligations to protect intellectual property and confidential information. Further identified are gaps between legal provisions and practice related to disclosure and peer-review of sensitive digital forensic methodology, trade secrets in investigations, and governmental vulnerability disclosure. It is demonstrated that reverse engineering of file systems is insufficiently addressed by legislators, which results in a lack of file system interpretation and validation information for law enforcement and their dependence on tools. Outlined are recommendations for further developments of digital forensic regulation.

Keywords
Digital Forensics, Reverse Engineering, Criminal procedure, Intellectual Property, Government Vulnerability, Disclosure
National Category
Law
Identifiers
urn:nbn:se:su:diva-210050 (URN); 10.1016/j.clsr.2022.105725 (DOI); 000848635000009 (); 2-s2.0-85135877635 (Scopus ID)
Available from: 2022-10-06. Created: 2022-10-06. Last updated: 2022-10-06. Bibliographically approved
Stoykova, R., Andersen, S., Franke, K. & Axelsson, S. (2022). Reliability assessment of digital forensic investigations in the Norwegian police. Forensic Science International: Digital Investigation, 40, Article ID 301351.
Reliability assessment of digital forensic investigations in the Norwegian police
2022 (English). In: Forensic Science International: Digital Investigation, ISSN 2666-2825, Vol. 40, article id 301351. Article in journal (Refereed) Published
Abstract [en]

This case study presents a qualitative assessment of the reliability of digital forensic investigation in criminal cases in Norway. A reliability validation methodology based on international digital forensic standards was designed to assess to what extent those standards are implemented and followed by law enforcement in their casework. 124 reports related to the acquisition, examination, and analysis of three types of digital data sources - computers, mobile phones, and storage devices were examined. The reports were extracted from the criminal case management system used by the police and prosecution services. The reports were examined on technology, method, and application level in order to assess the reliability of digital evidence for criminal proceedings.

The study found that digital forensic investigation in 21 randomly sampled criminal cases in Norway were insufficiently documented to assess the reliability of the digital evidence. It was not possible to trace the digital forensic actions performed on each item or link the digital evidence to its source. None of the cases were shown to comply with digital forensic methodology, justify the methods and tools used, or validate tool results and error rates.

Keywords
Criminal investigation, Digital forensics, Reliability, Validation, Forensic reports
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:su:diva-204422 (URN); 10.1016/j.fsidi.2022.301351 (DOI); 000779064300004 ()
Available from: 2022-05-04. Created: 2022-05-04. Last updated: 2025-03-04. Bibliographically approved
Alendal, G., Axelsson, S. & Dyrkolbotn, G. O. (2021). Chip chop - smashing the mobile phone secure chip for fun and digital forensics. Forensic Science International: Digital Investigation, 37, Article ID 301191.
Chip chop - smashing the mobile phone secure chip for fun and digital forensics
2021 (English). In: Forensic Science International: Digital Investigation, ISSN 2666-2817, Vol. 37, article id 301191. Article in journal (Refereed) Published
Abstract [en]

Performing mobile phone acquisition today requires breaking—often hardware assisted—security. In recent years, Embedded Secure Element (eSE) hardware has been introduced in mobile phones, with a view towards increasing the security of critical system features and encrypted user data. The idea being that the eSE should remain secure even if the rest of the system is compromised. The eSE is set to become crucial to modern mobile phone security, challenging Digital Forensics. The eSE is designed to withstand both logical and physical attacks, including side channel attacks, and to keep the attack surface towards the rest of the system/phone small, and complexity low to minimise the risk of implementation errors.

In this paper we adapt current state-of-the-art attacks to the eSE platform and present an attack on an eSE by Samsung, recently introduced in their premium mobile phones. We show how, with limited resources, our approach discovered a vulnerability that could be exploited, leading to a complete compromise of all the eSE security goals and a full loss of future eSE trust, as mitigation of our attack in already fielded devices is challenging. This eSE is Common Criteria EAL 5+ certified and our attack exposes the gap between intended and achieved security, undermining the implied trust in such certifications.

We explain the eSE security design, the details of our attack, and discuss how a single vulnerability can have such devastating security results. The ultimate result of our research facilitates acquisition of affected devices, demonstrating use of offensive methods in advanced Digital Forensic Acquisition.

Keywords
CC EAL, Mobile security, Digital forensic acquisition, Secure element security, S3K250AF
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:su:diva-198305 (URN); 10.1016/j.fsidi.2021.301191 (DOI); 000686127700009 ()
Available from: 2021-11-08. Created: 2021-11-08. Last updated: 2022-02-25. Bibliographically approved
Alendal, G., Dyrkolbotn, G. O. & Axelsson, S. (2021). DIGITAL FORENSIC ACQUISITION KILL CHAIN – ANALYSIS AND DEMONSTRATION. In: Gilbert Peterson; Sujeet Shenoi (Ed.), Advances in Digital Forensics XVII: 17th IFIP WG 11.9 International Conference, Virtual Event, February 1–2, 2021, Revised Selected Papers (pp. 3-19). Springer Nature
DIGITAL FORENSIC ACQUISITION KILL CHAIN – ANALYSIS AND DEMONSTRATION
2021 (English). In: Advances in Digital Forensics XVII: 17th IFIP WG 11.9 International Conference, Virtual Event, February 1–2, 2021, Revised Selected Papers / [ed] Gilbert Peterson; Sujeet Shenoi, Springer Nature, 2021, p. 3-19. Chapter in book (Refereed)
Abstract [en]

The increasing complexity and security of consumer products pose major challenges to digital forensics. Gaining access to encrypted user data without user credentials is a very difficult task. Such situations may require law enforcement to leverage offensive techniques – such as vulnerability exploitation – to bypass security measures in order to retrieve data in digital forensic investigations. This chapter proposes a digital forensic acquisition kill chain to assist law enforcement in acquiring forensic data using offensive techniques. The concept is discussed and examples are provided to illustrate the various kill chain phases. The anticipated results of applying the kill chain include improvements in performance and success rates in short-term, case-motivated, digital forensic acquisition scenarios as well as in long-term, case-independent planning and research scenarios focused on identifying vulnerabilities and leveraging them in digital forensic acquisition methods and tools.

Place, publisher, year, edition, pages
Springer Nature, 2021
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 612
Keywords
Digital forensic acquisition, security vulnerabilities, kill chain
National Category
Other Computer and Information Science
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-200609 (URN); 10.1007/978-3-030-88381-2_1 (DOI); 978-3-030-88380-5 (ISBN); 978-3-030-88381-2 (ISBN)
Available from: 2022-01-08. Created: 2022-01-08. Last updated: 2022-01-13. Bibliographically approved
Alendal, G., Axelsson, S. & Dyrkolbotn, G. O. (2021). LEVERAGING USB POWER DELIVERY IMPLEMENTATIONS FOR DIGITAL FORENSIC ACQUISITION. In: Gilbert Peterson; Sujeet Shenoi (Ed.), Advances in Digital Forensics XVII: 17th IFIP WG 11.9 International Conference, Virtual Event, February 1–2, 2021, Revised Selected Papers (pp. 111-133). Springer Nature
LEVERAGING USB POWER DELIVERY IMPLEMENTATIONS FOR DIGITAL FORENSIC ACQUISITION
2021 (English). In: Advances in Digital Forensics XVII: 17th IFIP WG 11.9 International Conference, Virtual Event, February 1–2, 2021, Revised Selected Papers / [ed] Gilbert Peterson; Sujeet Shenoi, Springer Nature, 2021, p. 111-133. Chapter in book (Refereed)
Abstract [en]

Modern consumer devices present major challenges in digital forensic investigations due to security mechanisms that protect user data. The entire physical attack surface of a seized device such as a mobile phone must be considered in an effort to acquire data of forensic value. Several USB protocols have been introduced in recent years, including Power Delivery, which enables negotiations of power delivery to or from attached devices. A key feature is that the protocol is handled by dedicated hardware that is beyond the control of the device operating systems. This self-contained design is a security liability with its own attack surface and undocumented trust relationships with other peripherals and the main system-on-chips. This chapter presents a methodology for vulnerability discovery in USB Power Delivery implementations for Apple devices. The protocol and Apple-specific communications are reverse engineered, along with the firmware of the dedicated USB Power Delivery hardware. The investigation of the attack surface and potential security vulnerabilities can facilitate data acquisition in digital forensic investigations.

Place, publisher, year, edition, pages
Springer Nature, 2021
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 612
Keywords
Digital forensic acquisition, mobile device security, USB Power Delivery
National Category
Other Computer and Information Science
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-200620 (URN); 10.1007/978-3-030-88381-2_6 (DOI); 978-3-030-88380-5 (ISBN); 978-3-030-88381-2 (ISBN)
Available from: 2022-01-08. Created: 2022-01-08. Last updated: 2022-01-13. Bibliographically approved
Nordvik, R., Stoykova, R., Franke, K., Axelsson, S. & Toolan, F. (2021). Reliability validation for file system interpretation. Forensic science international: Digital investigation, 37, Article ID 301174.
Reliability validation for file system interpretation
2021 (English). In: Forensic science international: Digital investigation, E-ISSN 2666-2817, Vol. 37, article id 301174. Article in journal (Refereed) Published
Abstract [en]

This paper examines current best practices for Digital Forensic (DF) tool and method validation in the context of file system interpretation for digital evidence. In order to meet the legal and scientific requirements in criminal procedures file system (FS) reverse engineering (RE) is a necessity. Currently, there is no standard procedure for reliability testing of FS RE. Ideal validation requirements exist, but they are on high-level and practical implementation is missing. In this paper we propose a formal reliability validation procedure for file system reverse engineering, documenting the forensic process, including the tools used, ensuring reliability and reproducibility of the method and the results. The procedure is based on legal and scientific criteria and tested against file system reverse engineering methods. It is applicable to all types of reverse engineering methods in digital forensics.

Keywords
Digital Forensics, Validation, Reliability, Reproducibility, File systems, Reverse engineering, Black-box testing
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:su:diva-196146 (URN); 10.1016/j.fsidi.2021.301174 (DOI); 000663797600004 ()
Available from: 2021-09-01. Created: 2021-09-01. Last updated: 2022-02-25. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0002-9085-4469