IMF 2025 - Two Papers accepted

1 August 2025

Our articles on "Metrics Matter - Source Camera Forensics for Large-Scale Investigations" and "From IaC to IoC—Using Infrastructure as Code (IaC) to Generate Synthetic Datasets of Compromised (IoC) Linux Systems for Use in Digital Forensics" were accepted at IMF 2025. The papers will be presented at the "14th International Conference on IT Security Incident Management & IT Forensics 2025" in September 2025 in Albstadt-Sigmaringen, Germany.


Metrics Matter - Source Camera Forensics for Large-Scale Investigations

Authors: Samantha Klier and Harald Baier

Abstract: Source Camera Forensics (SCF) techniques play a crucial role in digital investigations, particularly for attributing the origin of incriminating content. While traditional SCF methods, such as Sensor Pattern Noise (SPN), perform well in verification tasks, they often fall short for large-scale screening scenarios. This paper proposes a shift in evaluation focus, from verification-oriented metrics (e.g., False Positive Rate), which aim to prevent false convictions, to investigation-oriented metrics (e.g., Recall), which prioritize minimizing evidence loss. To this end, we evaluate three approaches: the classic SPN method; CompaRe, an efficient SPN-based variant; and the Media Source Similarity Hash (MSSH), a non-SPN approach that leverages JPEG structural metadata. On a contemporary dataset, MSSH achieves perfect Recall (1.0), albeit with a lower Precision (0.25). In contrast, the classic SPN and the CompaRe approach reach higher Precision values (up to 0.6 and 0.7, respectively), but their Precision drops below 0.1 for Recall values exceeding 0.7, rendering them unsuitable for the given use case in which evidence preservation is critical. Additionally, MSSH offers a speedup of over 500× compared to SPN-based methods and demonstrates its suitability for large-scale investigations.
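The abstract's central point is that the same SCF method looks very different depending on whether it is judged by a verification-oriented metric (Precision / False Positive Rate) or an investigation-oriented one (Recall). The following Python example is added here to make that concrete; it is not code from the paper or its authors. It uses a small, constructed list of source-camera similarity scores with ground-truth labels (assumed values, not the paper's dataset) and shows how picking an operating threshold to satisfy a minimum-Recall requirement (evidence preservation) yields a different threshold, and a different Precision, than picking one to satisfy a minimum-Precision requirement.

```python
# Added example (not from the paper). Illustrates verification- vs
# investigation-oriented threshold selection on constructed data.

# Constructed similarity scores between a query image and a reference
# camera, paired with ground truth (True = same camera). Assumed values.
SAMPLE_SCORES = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True),
    (0.70, False), (0.65, True), (0.60, False), (0.55, False),
    (0.50, True), (0.40, False), (0.30, False), (0.20, False),
]


def precision_recall_at(scores, threshold):
    """Precision and Recall when every score >= threshold is flagged as a match."""
    tp = fp = fn = 0
    for score, same_camera in scores:
        flagged = score >= threshold
        if flagged and same_camera:
            tp += 1
        elif flagged and not same_camera:
            fp += 1
        elif not flagged and same_camera:
            fn += 1
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    return precision, recall


def pr_curve(scores):
    """(threshold, precision, recall) for each distinct score, highest threshold first."""
    thresholds = sorted({score for score, _ in scores}, reverse=True)
    return [(t, *precision_recall_at(scores, t)) for t in thresholds]


def threshold_for_min_recall(scores, min_recall):
    """Investigation-oriented: the strictest threshold that still reaches min_recall.

    Screening for evidence means accepting a lower Precision (more candidates
    for a human examiner) in exchange for losing as little evidence as possible.
    """
    for t, p, r in pr_curve(scores):
        if r >= min_recall:
            return t, p, r
    return None


def threshold_for_min_precision(scores, min_precision):
    """Verification-oriented: the loosest threshold that still reaches min_precision.

    This is the usual framing when a false match could support a wrong
    attribution; it sacrifices Recall, i.e. it silently drops true evidence.
    """
    best = None
    for t, p, r in pr_curve(scores):
        if p >= min_precision:
            best = (t, p, r)
    return best


if __name__ == "__main__":
    for t, p, r in pr_curve(SAMPLE_SCORES):
        print(f"threshold={t:.2f}  precision={p:.2f}  recall={r:.2f}")
    print("investigation (recall>=1.0):", threshold_for_min_recall(SAMPLE_SCORES, 1.0))
    print("verification  (precision>=0.7):", threshold_for_min_precision(SAMPLE_SCORES, 0.7))
```

On the constructed scores, the Recall-first choice lands at threshold 0.50 with Recall 1.0 and Precision 5/9, while the Precision-first choice lands at threshold 0.80 with Precision 0.75 but Recall 0.6, i.e. two of the five genuine matches would never reach the examiner. That gap is the "evidence loss" the abstract argues a large-scale screening evaluation should measure directly.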


From IaC to IoC—Using Infrastructure as Code (IaC) to Generate Synthetic Datasets of Compromised (IoC) Linux Systems for Use in Digital Forensics

Authors: Thomas Göbel and Harald Baier

Abstract: Due to the increasing number of cyber attacks, there is a growing need for incident responders who are able to reconstruct events and assess the actual damage caused by an incident using Digital Forensics (DF). For this reason, DF datasets are crucial for education, training and tool testing. Currently, such datasets are available either as statically prepared images via one of the publicly available dataset repositories, or a dataset generation framework can be used to synthesise individually configurable datasets. In this article, we use the second approach and extend an established framework for our purposes. Our extension applies to both the target operating system and the framework traces induced by the data generation framework. More specifically, we take the existing data synthesis framework ForTrace as a baseline and integrate our concept of a Linux module that can perform (semi-)automatic attacks on Linux systems in order to create appropriate Indicators of Compromise (IoC) within the generated image. In doing so, we evaluate the suitability of Infrastructure as Code (IaC) for configuring vulnerable target systems and assess the effectiveness of our approach to avoiding undesirable artefacts caused by the data generation framework. To evaluate our framework extension, we generate synthetic datasets from two types of compromised systems as proof of concept using our new approach and then compare the actual traces generated with the expected traces based on the respective scenario.