Digital Cameras. An evaluation of the collection, preservation and evaluation of data collected from digital


Ronald Prine
CSC 589 - Digital Forensics
New Mexico Institute of Mining and Technology
October 17, 2006

Digital Cameras

Executive Summary

An evaluation of the collection, preservation and evaluation of data collected from digital image recorders (digital cameras). Preservation includes the protection of the data from outside sources like WiFi, Bluetooth and cell phone connections. A perspective on the gaps in current forensic techniques. Two examples of current research that involves user and device identification from digital images. An example of a future device that could aid in the collection and preservation of digital camera data.

Digital Forensic Purpose

The purpose of forensic work in relation to digital cameras and other digital recording devices like digital camcorders is to control, collect, preserve and evaluate the evidence. Control of the evidence is ensuring that the data is not changed or lost prior to collection. The collection process is to gather all data in a forensically sound fashion. This collection, in the case of digital cameras, would involve volatile and non-volatile data. The volatile data would be memory internal to the camera that a suspect may have used for their own purposes. The non-volatile data would be the data stored on removable media or flash memory built into the camera. The evaluation of collected data will involve many tools with the intention to prove or disprove that crimes have occurred.

State of Practice

When a digital camera is involved in a forensic investigation, many aspects of this technology need to be taken into consideration while seeking evidence of a crime. An electronic imaging device in its simplest form is the combination of an image recorder and a method of storing that data. The storage and capture of images is the main goal of a digital camera, but any electronic data can be stored on this device. Forensically this means that the digital camera needs to be treated like any data storage device. Digital cameras have used internal memory, floppy disks, flash memory, CDs, DVDs and hard drives as storage media.

In addition to the collection of data from the digital camera, there is a new technology that has been integrated into many of these devices: wireless communications. Cameras can now contain WiFi, Bluetooth and cell phone technology. The initial intent of this addition was to facilitate the transfer of data from the camera to computers or to other cameras. The manufacturers of these devices have now made it possible to control the digital camera remotely. This means that forensically the data on a camera can be erased or modified remotely. With this knowledge the forensic investigator must protect the evidence by collecting the data quickly and by shielding the device from any network connections. This shielding can be done in many ways, but should not include removing the camera's internal power source, due to the possible loss of volatile memory within the device.

Data collection from the removable media is achieved by mounting the media in a read-only mode on a computer. This data would then be imaged or cloned using the tool dd. The goal is to collect all data from the storage device, including allocated, unallocated, slack and all parts of the storage medium. Allocated data would be the files that are currently on the media; unallocated would be parts of files that were previously deleted. The slack data is the parts of old data that are contained in the last block of an allocated or unallocated file. The remaining parts of the storage media could contain data that has been hidden or partitions that have been deleted. In general most media from digital cameras will only have one partition, but the newer cameras can now use hard drives as their storage media. Because of the use of hard drives, there is a higher possibility of data being hidden within a digital camera.

Additional data collection can be done on the physical hardware of the camera. With the ability to flash the working internal memory of the camera, additional storage is available to hide data. Flash files for most digital cameras are available from the manufacturers and could be reverse engineered to free up large amounts of non-volatile memory. By removing most of the features that a camera has built into it, the camera could still function as a camera and yet could be used primarily as a storage device. In addition to re-writing the flash memory, there is internal memory that may be accessible for additional storage. This data should be investigated and collected. An additional concern about this data is that some of it may be lost if the batteries fail or are removed prior to investigating the data. Other data of interest within the digital device may be time stamps, GPS location, phone numbers, access history and photo logs.

With the practice of expanding the uses of digital devices, digital cameras will become more comparable to phones or PDAs and thus will have to have the same forensic techniques of phones and PDAs applied to them. After all data is collected, standard file and memory forensic tools can be used to evaluate the data.
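Why the image has to cover unallocated space and not only the files still listed on the card, shown as an added example that is not part of the original paper: a small signature-based JPEG carver run over a constructed raw card image. The function names, the sample image and the `max_size` value are assumptions made for this illustration.

```python
import hashlib

SECTOR = 512
EOI = b"\xff\xd9"  # JPEG end-of-image marker

def jpeg_end(buf, start, limit):
    """Follow marker segments from the SOI at `start`; return offset past EOI or None."""
    i = start + 2
    while i + 4 <= limit:
        if buf[i] != 0xFF:
            return None                      # segment chain broken: data overwritten
        seglen = int.from_bytes(buf[i + 2:i + 4], "big")
        if buf[i + 1] == 0xDA:               # SOS: compressed scan data follows
            end = buf.find(EOI, i + 2 + seglen, limit)
            return None if end == -1 else end + 2
        i += 2 + seglen                      # skip APPn etc., incl. the EXIF thumbnail
    return None

def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Return (offset, length, sha256) per sector-aligned JPEG header; None if incomplete."""
    hits = []
    for start in range(0, len(image), SECTOR):   # files start on sector boundaries
        if image[start:start + 3] != b"\xff\xd8\xff":
            continue
        # max_size bounds the search so a damaged file is not merged with the next one
        end = jpeg_end(image, start, min(start + max_size, len(image)))
        if end is None:
            hits.append((start, None, None))     # header only: report it, do not guess
        else:
            data = image[start:end]
            hits.append((start, len(data), hashlib.sha256(data).hexdigest()))
    return hits

def fake_jpeg(scan):
    """Constructed sample: marker-valid (not decodable) JPEG with an EXIF thumbnail."""
    thumb = b"\xff\xd8\xff\xdb" + b"T" * 8 + EOI
    body = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    sos = b"\xff\xda\x00\x08" + bytes(6)
    return b"\xff\xd8" + app1 + sos + scan + EOI

def sample_card():
    """Constructed 32-sector raw image; it carries no file system metadata at all."""
    img = bytearray(32 * SECTOR)
    a, b = fake_jpeg(b"A" * 700), fake_jpeg(b"B" * 300)
    img[4 * SECTOR:4 * SECTOR + len(a)] = a      # stands for a photo still on the card
    img[12 * SECTOR:12 * SECTOR + 40] = b[:40]   # deleted photo, body since overwritten
    img[20 * SECTOR:20 * SECTOR + len(b)] = b    # deleted photo, data still intact
    return bytes(img), a, b

if __name__ == "__main__":
    card, _, _ = sample_card()
    for hit in carve_jpegs(card, max_size=8 * SECTOR):
        print(hit)
```

A carver that stops at the first `FF D9` after the header would cut each of these files at the end of the embedded thumbnail, which is why the segment lengths are followed up to the scan data first.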
Some of the tools that can be used are Sleuthkit, Autopsy, Retriever, and Scalpel. The tools will be used to recover and document files and other data from the camera. The use of file carving and steganalysis may also be needed in the collection of data.

Gaps in Technology

With the speed at which new technology is produced, the hardware and storage methods used for digital cameras are always changing. The addition of wireless communications into the cameras has increased the need for better forensic techniques. A standardized method of collecting all data on a digital camera is of concern and should be rectified immediately. Currently the method of working with the internals of a digital camera would involve the cooperation of the hardware manufacturers to provide methods and possible software to evaluate the device. A second gap in technology is the practice of shielding and providing additional power to digital devices prior to storing evidence. This would prevent the loss of uncollected data.

State of Research

The State University of New York (SUNY) at Binghamton has two recent advancements in research involving digital cameras. The first involves storing a biometric of the person who took the picture with the camera. The second involves digitally fingerprinting which device produced the digital image.

In 2004 Paul Blythe and Jessica Fridrich conducted research in watermarking all images produced by a camera with a unique hidden identifier of the person that took the picture [1]. The method involves using an infrared imager inside the viewfinder of the camera to produce an image of the iris of the eye looking into the viewfinder. This image is embedded into the image of the scene that the camera was taking. This embedded image would not be visible, and the embedded image would contain additional information concerning the device that took the photo. This biometric information can be retrieved and processed from a digital image at a future date. This information could be used to prove or disprove who was using a camera.

The second research topic was done at SUNY Binghamton in 2006 by Jessica Fridrich [2]. This research involved finding which digital device produced an image. This was done by finding the unique characteristics caused by pixel non-uniformity of the CCD array that took the original image. It was found that the cheaper the CCD array was, the more data was available to collect from an image. After processing an image through a denoising filter, the denoised image can be compared with another image produced by the device in question. The research says this data can also be collected from processed images, such as images after JPEG processing.

What Should Be Done Now

The process of collecting and securing data from digital cameras has not yet been formally defined. The lack of forensically sound techniques for collecting data from devices that have the potential of deleting the data within them, either from remote access or from loss of internal power, warrants further investigation of a standardized technique. Crime investigation units should evaluate their methods of managing incoming digital evidence. After this evaluation they need to set formalized practices to ensure that data is not lost or damaged during the collection and preservation process.

Future of Practice

The protection of digital data should be on the mind of all forensic investigators at all times. A hardware device that shields a camera from outside networking sources and also supplies power to the camera at all times would ensure that data would not be lost. In addition, the thought that the suspect may not have used this camera in a standard way needs to be a constant concern. Failing to realize that a digital camera is a mobile storage device, and that it has many areas in which to store information, could lead to the loss of valuable data.

Future of Research

An area of future research would be to design a device that is used only for the collection of forensic data from a digital camera. This device would provide power to the camera, download all data from it and store the data in a forensically sound fashion. For the cell phone industry there is a device already in existence. This device is from Logicube and is called the CellDEK. This cell phone forensics tool kit contains 40 adapters to connect to over 200 types of cell phones. Inside this kit is a data unit that will download all information from a phone without damaging any of the data. This unit does not block outside signals, but this can be accomplished with a foil pouch or Faraday cage. A device like this could be produced for the camera industry.

Logicube's CellDEK unit [3]

Bibliography

1. Secure Digital Camera, Paul Blythe and Jessica Fridrich, 2004, http://www.dfrws.org/2004/bios/day3/d3-blyth_secure_digital_camera.pdf
2. Research at Binghamton, SUNY Binghamton, Jessica Fridrich, April 2006, http://research.binghamton.edu/tt/rb218.htm
3. Logicube, http://www.logicubeforensics.com/products/hd_duplication/celldek.asp