Ronald Prine
CSC 589 - Digital Forensics
New Mexico Institute of Mining and Technology
October 17, 2006

Digital Cameras

Executive Summary

This paper evaluates the collection, preservation and evaluation of data collected from digital image recorders (digital cameras). Preservation includes the protection of the data from outside sources like WiFi, Bluetooth and cell phone connections. The paper also gives a perspective on the gaps in current forensic techniques, two examples of current research that involves user and device identification from digital images, and an example of a future device that could aid in the collection and preservation of digital camera data.

Digital Forensic Purpose

The purpose of forensic work in relation to digital cameras and other digital recording devices like digital camcorders is to control, collect, preserve and evaluate the evidence. Control of the evidence means ensuring that the data is not changed or lost prior to collection. The collection process gathers all data in a forensically sound fashion. This collection, in the case of digital cameras, would involve volatile and non-volatile data. The volatile data would be memory internal to the camera that a suspect may have used for their own purposes. The non-volatile data would be the data stored on removable media or flash memory built into the camera. The evaluation of collected data will involve many tools, with the intention to prove or disprove that crimes have occurred.

State of Practice

When a digital camera is involved in a forensic investigation, many aspects of this technology need to be taken into consideration while seeking evidence of a crime. An electronic imaging device in its simplest form is the combination of an image recorder and a method of storing that data. The storage and capture of images is the main goal of a digital camera, but any electronic data can be stored on this device. Forensically this means that the digital camera needs to be treated like any data storage device. Digital cameras have used internal memory, floppy disks, flash memory, CDs, DVDs and hard drives as storage media.

In addition to the collection of data from the digital camera, there is a new technology that has been integrated into many of these devices: wireless communications. Cameras now can contain WiFi, Bluetooth and cell phone technology. The initial intent of this addition was to facilitate the transfer of data from the camera to computers or to other cameras. The manufacturers of these devices have now made it possible to control the digital camera remotely. This means that forensically the data on a camera can be erased or modified remotely. With this knowledge the forensic investigator must protect the evidence by collecting the data quickly and by shielding the device from any network connections. This shielding can be done in many ways, but should not include removing the camera's internal power source, due to the possible loss of volatile memory within the device.

Data collection from the removable media is achieved by mounting the media in a read-only mode on a computer. This data would then be imaged or cloned using the tool dd. The goal is to collect all data from the storage device, including allocated, unallocated and slack data and all other parts of the storage medium. Allocated data would be the files that are currently on the media; unallocated would be parts of files that were previously deleted. The slack data is the parts of old data that are contained in the last block of an allocated or unallocated file. The remaining parts of the storage media could contain data that has been hidden or partitions that have been deleted. In general most media from digital cameras will only have one partition, but the newer cameras now can use hard drives as their storage media. Because of the use of hard drives, the possibility of hiding data within a digital camera is higher.

Additional data collection can be done on the physical hardware of the camera. With the ability to flash the working internal memory of the camera, additional storage is available to hide data. Flash files for most digital cameras are available from the manufacturers and could be reverse engineered to free up large amounts of non-volatile memory. By removing most of the features that a camera has built into it, the camera could still function as a camera and yet could be used primarily as a storage device. In addition to re-writing the flash memory, there is internal memory that may be accessible for additional storage. This data should be investigated and collected. An additional concern about this data is that some of it may be lost if the batteries fail or are removed prior to investigating the data.

Other data of interest within the digital device may be time stamps, GPS location, phone numbers, access history and photo logs. With the practice of expanding the uses of digital devices, digital cameras will become more comparable to phones or PDAs and thus will need to have the same forensic techniques applied to them as phones and PDAs.

After all data is collected, standard file and memory forensic tools can be used to evaluate the data.
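
As an added example (not part of the original paper), the code below shows how deleted photos left in the unallocated areas described above can be recovered from a raw dd image by searching for JPEG start and end markers. The sample "card", the helper names (carve_jpegs, fake_jpeg, build_sample_image, summarize), the 512-byte sector size and the sector-alignment rule are assumptions made for the illustration.

```python
import hashlib

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512            # assumption: file data starts on a 512-byte sector boundary

def carve_jpegs(raw, max_size=8 * 1024 * 1024):
    """Return (offset, data) for every sector-aligned SOI..EOI span in a raw image."""
    found, pos = [], 0
    while True:
        start = raw.find(SOI, pos)
        if start == -1:
            break
        if start % SECTOR:                 # unaligned hit: not the start of a file
            pos = start + 1
            continue
        # Limitation: a photo with an embedded thumbnail ends at the thumbnail's EOI here.
        end = raw.find(EOI, start + len(SOI), start + max_size)
        if end == -1:                      # header without footer inside max_size
            pos = start + 1
            continue
        found.append((start, raw[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

def fake_jpeg(fill, size):
    """Constructed stand-in for a photo: SOI/APP0 marker, filler bytes, EOI."""
    return SOI + b"\xe0" + bytes([fill]) * size + EOI

def build_sample_image():
    """Constructed 8-sector card: one live photo and one deleted photo in unallocated space."""
    img = bytearray(SECTOR * 8)
    live, deleted = fake_jpeg(0x41, 700), fake_jpeg(0x42, 300)
    img[SECTOR * 1:SECTOR * 1 + len(live)] = live
    img[SECTOR * 5:SECTOR * 5 + len(deleted)] = deleted
    return bytes(img), live, deleted

def summarize(raw):
    """Offset, size and SHA-256 of each carved candidate, for the examiner's notes."""
    return [(off, len(d), hashlib.sha256(d).hexdigest()) for off, d in carve_jpegs(raw)]

if __name__ == "__main__":
    raw, _, _ = build_sample_image()
    for off, size, digest in summarize(raw):
        print(f"offset={off} size={size} sha256={digest}")
```

The carver works on the copy made with dd, never on the original media, and it finds the second photo even though no file system entry points to it.
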
Some of the tools that can be used are Sleuthkit, Autopsy, Retriever, and Scalpel. The tools will be used to recover and document files and other data from the camera. The use of file carving and steganalysis may also be needed in the collection of data.

Gaps in Technology

With the speed at which new technology is produced, the hardware and storage methods used for digital cameras are always changing. The addition of wireless communications to the cameras has increased the need for better forensic techniques. The lack of a standardized method of collecting all data on a digital camera is of concern and should be rectified immediately. Currently, working with the internals of a digital camera would involve the cooperation of the hardware manufacturers to provide methods and possibly software to evaluate the device. A second gap in technology is the practice of shielding and providing additional power to digital devices prior to storing evidence. This would prevent the loss of uncollected data.

State of Research

The State University of New York (SUNY) at Binghamton has two recent advancements in research involving digital cameras. The first involves storing a biometric of the person who took the picture with the camera. The second involves digitally fingerprinting which device produced the digital image.

In 2004 Paul Blythe and Jessica Fridrich conducted research in watermarking all images produced by a camera with a unique hidden identifier of the person that took the picture [1]. The method involves using an infrared imager inside the viewfinder of the camera to produce an image of the iris of the eye looking into the viewfinder. This image is embedded into the image of the scene that the camera was taking. This embedded image would not be visible, and it would contain additional information concerning the device that took the photo. This biometric information can be retrieved and processed from a digital image at a future date. This information could be used to prove or disprove who was using a camera.

The second research topic was done at SUNY Binghamton in 2006 by Jessica Fridrich [2]. This research involved finding which digital device produced an image. This was done by finding the unique characteristics caused by pixel non-uniformity of the CCD array that took the original image. It was found that the cheaper the CCD array was, the more data was available to collect from an image. After processing an image through a denoising filter, the denoised image can be compared with another image produced by the device in question. The research says this data can also be collected from processed images, such as those that have undergone JPEG processing.

What Should Be Done Now

The process of collecting and securing data from digital cameras has not yet been formally defined. The lack of forensically sound techniques to collect data from devices that have the potential of deleting the data within them, either from remote access or from loss of internal power, warrants further investigation of a standardized technique. Crime investigation units should evaluate their methods of managing incoming digital evidence. After this evaluation they need to set formalized practices to ensure that data is not lost or damaged during the collection and preservation process.
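
As an added example (not part of the original paper and not the researchers' code), the following simulation illustrates the device-identification idea from State of Research: denoise an image, keep the noise that was removed, and compare it with the noise pattern of a known camera. The synthetic 32x32 sensors, the 3x3 mean filter standing in for the denoising filter, the use of Pearson correlation as the comparison and all function names are assumptions.

```python
import random

N = 32  # constructed sensor is N x N pixels

def make_sensor(rng):
    """Constructed per-pixel gain error (pixel non-uniformity), about 2 percent."""
    return [[rng.gauss(0, 0.02) for _ in range(N)] for _ in range(N)]

def shoot(sensor, rng):
    """Constructed photo: smooth scene scaled by each pixel's gain, plus random noise."""
    base, slope = rng.uniform(100, 200), rng.uniform(-1, 1)
    return [[(base + slope * x) * (1 + sensor[y][x]) + rng.gauss(0, 1)
             for x in range(N)] for y in range(N)]

def residual(img):
    """Image minus its denoised version (3x3 mean filter), interior pixels only."""
    out = []
    for y in range(1, N - 1):
        for x in range(1, N - 1):
            mean = sum(img[y + dy][x + dx] for dy in (-1, 0, 1) for dx in (-1, 0, 1)) / 9
            out.append(img[y][x] - mean)
    return out

def fingerprint(images):
    """Reference pattern for one camera: the average residual of several of its images."""
    res = [residual(i) for i in images]
    return [sum(col) / len(res) for col in zip(*res)]

def correlation(a, b):
    """Pearson correlation between two equally long lists."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return cov / (va * vb) ** 0.5

def demo(seed=1):
    """Correlate a questioned photo (really from camera A) with cameras A and B."""
    rng = random.Random(seed)
    cam_a, cam_b = make_sensor(rng), make_sensor(rng)
    fp_a = fingerprint([shoot(cam_a, rng) for _ in range(8)])
    fp_b = fingerprint([shoot(cam_b, rng) for _ in range(8)])
    questioned = residual(shoot(cam_a, rng))
    return correlation(questioned, fp_a), correlation(questioned, fp_b)

if __name__ == "__main__":
    same, other = demo()
    print(f"camera A: {same:.3f}  camera B: {other:.3f}")
```

The questioned photo correlates strongly with the reference pattern of the camera that took it and close to zero with the other camera, which is the basis for attributing an image to a device.
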

Future of Practice

The protection of digital data should be on the mind of all forensic investigators at all times. A hardware device that shields a camera from outside networking sources and also supplies power to the camera at all times would ensure that data would not be lost. In addition, the thought that the suspect may not have used this camera in a standard way needs to be a constant concern. Failing to realize that a digital camera is a mobile storage device, and that it has many areas in which to store information, could lead to the loss of valuable data.

Future of Research

An area of future research would be to design a device that is used only for the collection of forensic data from a digital camera. This device would provide power to the camera, download all data from it and store the data in a forensically sound fashion. For the cell phone industry there is a device already in existence. This device is from Logicube and is called the CellDEK. This cell phone forensics tool kit contains 40 adapters to connect to over 200 types of cell phones. Inside this kit is a data unit that will download all information from a phone without damaging any of the data. This unit does not block outside signals, but this can be accomplished with a foil pouch or Faraday cage. A device like this could be produced for the camera industry.

LogiCube's CellDEK unit [3]

Bibliography

1. Secure Digital Camera, Paul Blythe and Jessica Fridrich, 2004, http://www.dfrws.org/2004/bios/day3/d3-blyth_secure_digital_camera.pdf
2. Research at Binghamton, SUNY Binghamton, Jessica Fridrich, April 2006, http://research.binghamton.edu/tt/rb218.htm
3. Logicube, http://www.logicubeforensics.com/products/hd_duplication/celldek.asp