How to detect cryptocurrency miners? By traffic forensics! (2024)

Crafting and executing the best cryptocurrency mining strategy is vital to succeeding in cryptocurrency market investments. This study aims to identify the best cryptocurrency mining strategy based on service providers' performance for cryptocurrency mining using a hybrid analytics approach, which integrates the Analytic Hierarchy Process (AHP) and Fuzzy-TOPSIS techniques, along with sensitivity analysis. The results show that hosted mining is the overall best cryptocurrency mining strategy, followed by home mining and cloud mining, based on both total cost of operations and cryptocurrency payout criteria. The empirical findings also suggest that the critical features of the highest performing service providers (i.e., hosted mining strategies and cloud mining) were their flexibility of contracts and the superior efficiency in terms of the daily payout. Finally, of the three location alternatives for home mining, Turkey ranks first compared to the U.S. and Europe.

Digital Investigation, Volume 29, 2019, pp. 91-100

Photo Response Non-Uniformity (PRNU) is a camera imaging sensor imperfection which has earned a great interest for source device attribution of digital videos. A majority of recent researches about PRNU-based source device attribution for digital videos do not take into consideration the effects of video compression on the PRNU noise in video frames, but rather consider video frames as isolated images of equal importance. As a result, these methods perform poorly on re-compressed or low bit-rate videos. This paper proposes a novel method for PRNU fingerprint estimation from video frames taking into account the effects of video compression on the PRNU noise in these frames. With this method, we aim to determine whether two videos from unknown sources originate from the same device or not. Experimental results on a large set of videos show that the method we propose is more effective than existing frame-based methods that use either only I frames or all (I-B-P) frames, especially on YouTube videos.

Digital Investigation, Volume 31, 2019, Article 200889

This empirical study aims to determine whether online media coverage can be used to gather intelligence on specific crimes worldwide. The quality of online news is evaluated as an indicator of the worldwide distribution of jewelry store robberies. This phenomenon was selected because evaluating the risk of criminal events at the global level is a challenge for private companies, who need to settle and prioritize protection strategies to determine the actual risk within each country. Online media coverage is thus scrutinized for its ability to reveal spatiotemporal trends of this phenomenon. Based upon a dataset of online news gathered between 2015 and 2017 from the news aggregator website EMM (Europa Media Monitor – NewsBrief), the results show that online news may be a cost-effective method to analyze risks worldwide — though a cross-check with different data sources is still necessary to validate its accuracy. The developed approach shows that (1) while a multilingual approach is required, (2) cases can be detected and automatically classified with good accuracy; (3) moreover, dates and countries of published news articles are generally reliable indicators of the actual times and places of the events, which reduce the need for complex text analysis methods. This study demonstrates how a simple monitoring approach can be used to support the worldwide spatiotemporal analysis of serious crimes such as jewelry store robberies.

Digital Investigation, Volume 30, 2019, p. 173

Digital Investigation, Volume 30, 2019, pp. 73-89

the need for a reliable and complementary identifier mechanism in a digital forensic analysis is the focus of this study. Mouse dynamics have been applied in information security studies, particularly, continuous authentication and authorization. However, the method applied in security is void of specific behavioral signature of a user, which inhibits its applicability in digital forensic science. This study investigated the likelihood of the observation of a unique signature from mouse dynamics of a computer user. An initial mouse path model was developed using non-finite automata. Thereafter, a set-theory based adaptive two-stage hash function and a multi-stage rule-based semantic algorithm were developed to observe the feasibility of a unique signature for forensic usage. An experimental process which comprises three existing mouse dynamics datasets were used to evaluate the applicability of the developed mechanism. The result showed a low likelihood of extracting unique behavioral signature which can be used in a user attribution process. Whilst digital forensic readiness mechanism could be a potential approach that can be used to achieve a reliable behavioral biometrics modality, the lack of unique signature presents a limitation. In addition, the result supports the logic that the current state of behavioral biometric modality, particularly mouse dynamics, is not suitable for forensic usage. Hence, the study concluded that whilst mouse dynamics-based behavioral biometrics may be a complementary modality in security studies, more will be required to adopt it as a forensic modality in litigation. Furthermore, the result from this study finds relevance in other human attributional studies such as user identification in recommender systems, e-commerce, and online profiling systems, where the degree of accuracy is not relatively high.

Digital Investigation, Volume 31, 2019, Article 200898

Digital Investigation, Volume 30, 2019, pp. 32-42

Your Phone is a Microsoft system that comprises two applications: a smartphone app for Android 7+smartphones and a desktop application for Windows 10/18.03+. It allows users to access their most recent smartphone-stored photos/screenshots and send/receive short message service (SMS) and multimedia messaging service (MMS) within their Your Phone-linked Windows 10 personal computers. In this paper, we analyze the digital forensic artifacts created at Windows 10 personal computers whose users have the Your Phone system installed and activated. Our results show that besides the most recent 25 photos/screenshots and the content of the last 30-day of sent/received SMS/MMS, the contact database of the linked smartphone(s) is available in a accessible SQLite3 database kept at the Windows 10 system. This way, when the linked smartphone cannot be forensically analyzed, data gathered through the Your Phone artifacts may constitute a valuable digital forensic asset. Furthermore, to explore and export the main data of the Your Phone database as well as recoverable deleted data, a set of python scripts – Your Phone Analyzer (YPA) – is presented. YPA is available wrapped within an Autopsy module to assist digital practitioners to extract the main artifacts from the Your Phone system.