Handbook of Digital Forensics of Multimedia Data and Devices

Digital forensics and multimedia forensics are rapidly growing disciplines whereby electronic information is extracted and interpreted for use in a court of law. These two fields are finding increasing importance in law enforcement and the investigation of cybercrime as the ubiquity of personal computing and the internet becomes ever–more apparent. Digital forensics involves investigating computer systems and digital artefacts in general, while multimedia forensics is a sub–topic of digital forensics focusing on evidence extracted from both normal computer systems and special multimedia devices, such as digital cameras. 

This book focuses on the interface between digital forensics and multimedia forensics, bringing two closely related fields of forensic expertise together to identify and understand the current state–of–the–art in digital forensic investigation. Both fields are expertly attended to by contributions from researchers and forensic practitioners specializing in diverse topics such as forensic authentication, forensic triage, forensic photogrammetry, biometric forensics, multimedia device identification, and image forgery detection among many others.
Key features:

– Brings digital and multimedia forensics together with contributions from academia, law enforcement, and the digital forensics industry for extensive coverage of all the major aspects of digital forensics of multimedia data and devices
– Provides comprehensive and authoritative coverage of digital forensics of multimedia data and devices
– Offers not only explanations of techniques but also real–world and simulated case studies to illustrate how digital and multimedia forensics techniques work
– Includes a companion website hosting continually updated supplementary materials ranging from extended and updated coverage of standards to best practice guides, test datasets and more case studies

List of Contributors

Foreword

Preface

Acknowledgements

PART ONE MULTIMEDIA EVIDENCE HANDLING

1 Digital Forensics Laboratories in Operation: How Are Multimedia

Data and Devices Handled?

1.1 Introduction

1.2 Digital and Electronics Forensic Service, Metropolitan Police

Service, UK

1.2.1 Background: Metropolitan Police Service

1.2.2 Digital and Electronics Forensic Service

1.2.3 AV Lab: Operational and Procedural Aspects

1.2.4 Selected Forensic Techniques Used by AV Lab

1.2.5 Acknowledgements

1.3 Digital Forensics Team (Including Affiliated AV Team), Surrey

Police, UK

1.3.1 Background: Surrey Police

1.3.2 Structure of Surrey Police s Digital Forensics Team and AV

Team

1.3.3 Training and Certification

1.3.4 Standard Procedure

1.3.5 Routine Tasks Involving Multimedia Data and Devices

1.3.6 Submission Formats

1.3.7 Triage

1.3.8 Software and Hardware Tools Used for Handling

Multimedia Data

1.3.9 Cases Involving Encryption and Child Pornography

1.3.10 Cases Involving Source Device Identification

1.3.11 Challenges

1.3.12 Acknowledgements

1.4 Shanghai Stars Digital Forensic Centre, Third Research Institute of

China s Ministry of Public Security

1.4.1 Background: Third Research Institute of China s Ministry

of Public Security

1.4.2 Background: Related Legislations and Regulations

1.4.3 Overview of SSDFC

1.4.4 Services Provided

1.4.5 Procedure

1.4.6 Workload and Typical Cases

1.4.7 Software and Hardware Tools Used

1.4.8 Challenges

1.4.9 Acknowledgements

1.5 Discussions

1.6 Summary

1.A Appendix: Questionnaires for Interviewing Surrey Police

and Shanghai Stars Digital Forensic Centre

References

2 Standards and Best Practices in Digital and Multimedia Forensics

2.1 Introduction

2.2 Overview

2.2.1 ISO Standards

2.2.2 Other International/Regional Standards and Guides

2.2.3 US Standards and Best Practice Guides

2.2.4 UK Standards and Best Practice Guides

2.3 Electronic Evidence and Digital Forensics

2.3.1 International Standards

2.3.2 National Standards

2.3.3 Best Practice Guides

2.3.4 US Guides

2.3.5 European Guides

2.4 Multimedia Evidence and Multimedia Forensics

2.4.1 ASTM E2825–12 Standard Guide for Forensic Digital

Image Processing (2012)

2.4.2 US SWGs (Scientific Working Groups)

2.4.3 ENFSI Working Groups

2.4.4 UK Law Enforcement

2.5 Digital Forensics Laboratory Accreditation

2.5.1 International Standards

2.6 General Quality Assurance (Management)

2.6.1 ISO 9001:2008 Quality Management Systems

Requirements

2.6.2 ISO/IEC 27001:2005 Information Security Management

Systems Requirements

2.6.3 ISO/IEC 27002:2013 Code of Practice for Information

Security Controls

2.7 Training, Education and Certification on Digital and Multimedia

Forensics

2.7.1 Standards and Best Practice Guides

2.7.2 Certification, Training and Educational Programs

2.8 Conclusions

References

3 A Machine Learning–Based Approach to Digital Triage

3.1 Introduction

3.1.1 Chapter Outline

3.2 Related Work on Digital Triage

3.2.1 Triage in the Medical Field

3.2.2 Early Digital Triage Models

3.2.3 Machine Learning–Based Digital Triage

3.2.4 Other Multimedia Source Classification Techniques

3.3 A Machine Learning–Based Digital Triage Framework

3.3.1 Machine Learning Terminology

3.3.2 The framework in Detail

3.3.3 Collection Data Extraction

3.3.4 Processing Feature Extraction, Dataset Creation and

Processing Algorithms

3.3.5 Presentation

3.3.6 Model validation

3.4 A Child Pornography Exchange Case Study

3.4.1 Definition of Child Pornography Exchange

3.4.2 Child Pornography Exchange State Vector

3.4.3 Data Corpus

3.4.4 Learning from Available Data

3.4.5 Experiment Setup, Results and Discussion

3.5 Conclusion

3.6 Challenges and Future Directions for the Digital

Forensics Community

References

4 Forensic Authentication of Digital Audio and Video Files

4.1 Introduction

4.2 Examination Requests and Submitted Evidence

4.2.1 Examination Requests

4.2.2 Submitted Evidence

4.2.3 Digital Recording Devices

4.2.4 Digital File Formats

4.3 Laboratory Space

4.4 Laboratory Software and Equipment

4.4.1 High–Speed Computers, Computer Peripherals, Media

Readers/Writers, Hardware/Software Write Blockers,

Professional Headphones, Amplifiers, Cables and

Connectors

4.4.2 Proprietary Audio and Video Playback Software

4.4.3 Digital Data Imaging and Analysis Software

4.4.4 High–Resolution Audio Waveform Analysis Software

4.4.5 FFT Analysers and Software

4.4.6 Spectrographic Analysis Software

4.4.7 Scientific Computing Software

4.4.8 Professional Audio and Non–linear Video Editing

and Playback Software

4.4.9 Media Conversion/Transcoding Software

4.4.10 Professional Image Measurement and Processing Software

4.5 Audio/Video Authentication Examinations

4.5.1 Overview of Examinations

4.5.2 Hashing and Imaging

4.5.3 Playback and Conversion Optimization

4.5.4 Digital Data Analysis

4.5.5 Audio Analyses

4.5.6 Video Analyses

4.6 Preparation of Work Notes and Laboratory Reports

4.7 Expert Testimony

4.8 Case Examples

4.8.1 Case Example Number 1

4.8.2 Case Example Number 2

4.9 Discussion

References

PART TWO DIGITAL EVIDENCE EXTRACTION

5 Photogrammetry in Digital Forensics

5.1 Introduction

5.1.1 Lens Distortion

5.2 Different Methods

5.2.1 Projective Geometry or Orthorectification

5.2.2 Space Resection and Multi–image Photogrammetry

5.2.3 Reverse Projection

5.3 Measurement Uncertainty

5.3.1 Difficulties in Creating Reference Recordings

5.4 Case Studies

5.4.1 Height Measurement

5.4.2 Speed Measurement

5.4.3 Determining the Absolute Position of an Object

5.5 3D Modelling/Scenario Testing

5.6 Summary

References

6 Advanced Multimedia File Carving

6.1 Introduction

6.2 Digtal Data Storage

6.2.1 Storage Devices

6.2.2 Logical Data Organization

6.2.3 Forensic Data Investigation

6.3 File Carving of Binary Data

6.4 Multimedia Data Structures

6.4.1 Digital Images

6.4.2 Audio Data

6.4.3 Video Data

6.5 File Carving of Multimedia Data

6.5.1 Image File Carving

6.5.2 Audio File Carving

6.5.3 Video File Carving

6.5.4 Special Considerations for Multimedia

6.6 Content Identification

6.6.1 Cryptographic Hashing

6.6.2 Fuzzy Hashing

6.6.3 Perceptual Hashing

6.6.4 Searching and Indexing of Hashes

6.7 File Carving Frameworks

6.7.1 Current Practice and Existing Solutions

6.7.2 Framework Requirements

6.7.3 An Example Framework

6.7.4 Case Study

6.8 Conclusions

References

7 On Forensic Use of Biometrics

7.1 Introduction

7.2 Biometrics Performance Metrics

7.3 Face: The Natural Means for Human Recognition

7.3.1 Forensic Face Recognition

7.3.2 Automatic Face Recognition Techniques

7.3.3 Challenges and Trends of Face Recognition

7.3.4 Summary

7.4 Ears as a Means of Forensic Identification

7.4.1 Earprints in Forensics

7.4.2 From Earprints to Ear Images

7.4.3 Ear Morphology Features

7.4.4 Summary

7.5 Conclusions

References

8 Multimedia Analytics for Image Collection Forensics

8.1 Introduction

8.2 Data and Tasks

8.3 Multimedia Analysis

8.4 Visual Analytics Processes

8.5 ChronoBrowser

8.5.1 Visualizations

8.5.2 Visual Analytics Processes

8.6 MediaTable

8.6.1 Visualizations

8.6.2 Visual Analytics Processes

8.7 An Example Scenario

8.8 Future Outlook

References

PART THREE MULTIMEDIA DEVICE AND SOURCE FORENSICS

9 Forensic Camera Model Identification

9.1 Introduction

9.2 Forensic Source Identification

9.2.1 Identification Granularity

9.2.2 Intra– and Inter–Class Similarity, Feature Space

Representation

9.2.3 Digital Camera Acquisition Characteristics

9.3 Digital Camera Model Identification

9.4 Benchmarking Camera Model Identification Algorithms

9.4.1 A Dataset Template for Camera Model Identification

Research

9.4.2 The Dresden Image Database

9.4.3 Benchmarking Procedure

9.5 Model–Specific Characteristics of Digital Camera Components

9.5.1 Compression Parameters, Metadata, and File Format

9.5.2 Lens Distortion

9.5.3 CFA and Demosaicing

9.5.4 Camera Response Function

9.5.5 Summary and Limitations

9.6 Black Box Camera Model Identification

9.6.1 General–Purpose Image Descriptors

9.6.2 Dresden Image Database Case Study: Closed–Set Camera

Model Identification

9.6.3 Summary

9.7 Camera Model Identification in Open Sets

9.7.1 Dresden Image Database Case Study: One–Class SVM

9.7.2 Summary and Outlook

9.8 Model–Specific Characteristics in Device–Level Identification

9.9 Open Challenges Towards Practical Applications

References

10 Printer and Scanner Forensics

10.1 Introduction

10.1.1 Comparison with Digital Image Forensics

10.1.2 Document Lifecycle

10.2 Printer Forensics

10.2.1 Working Principles of Laser Printers and Inkjet Printers

10.2.2 Flowchart of Printer Forensics

10.2.3 Laser Printer Forensics

10.2.4 Inkjet Printer Forensics

10.3 Scanner Forensics

10.3.1 Flowchart of Scanner Forensics

10.3.2 Sensor Noise

10.3.3 Dust and Scratches

10.4 Photocopier Identification

10.4.1 Contact Between Printer and photocopier

10.4.2 Character Signature

10.5 Forgery Detection for Printed and Scanned Documents

10.5.1 Flowchart of Forgery Detection

10.5.2 Forgery Detection for Printed Documents

10.5.3 Forgery Detection for Scanned Documents

10.6 Sample Algorithms with Case Studies

10.6.1 Printer Identification

10.6.2 Scanner Identification

10.6.3 Document Forgery Detection

10.7 Open Problems and Challenges

10.8 Conclusions

References

11 Microphone Forensics

11.1 Introduction

11.2 Pattern Recognition for Microphone Forensics

11.2.1 Pattern Recognition and Its Sub–Disciplines

11.2.2 State–of–the–Art in Pattern Recognition–Based

Microphone Forensics

11.3 Guidelines for Microphone Registratio

11.4 Case Studies

11.4.1 Investigation Tasks

11.4.2 Implementation of the Statistical Pattern

Recognition Pipeline

11.4.3 Evaluation Setups

11.4.4 Evaluation Results

11.5 Chapter Summary

References

12 Forensic Identification of Printed Documents

12.1 Introduction

12.1.1 Hardware Considerations

12.1.2 Performance Characterization

12.2 Special Materials

12.3 Substrate Forensics

12.3.1 FiberFingerprint

12.3.2 Laser Speckle

12.3.3 Substrate Scanning

12.3.4 PaperSpeckle

12.3.5 Practical Considerations

12.4 Print Forensics

12.4.1 Authenticating Printed Glyphs

12.4.2 Model Based Authentication

12.4.3 Authenticating Printed Halftones

12.4.4 Authenticating Data–Bearing Halftones

12.5 Real World Example: Currency Protection

12.6 Summary and Ecosystem Considerations

References

PART FOUR MULTIMEDIA CONTENT FORENSICS

13 Digital Image Forensics with Statistical Analysis

13.1 Introduction

13.1.1 Digital Image Forensics

13.1.2 Background

13.2 Detecting Region Duplication

13.2.1 Problem Definition

13.2.2 Related Works

13.2.3 Proposed Method

13.2.4 Performance Analysis

13.3 Exposing Splicing Forgery

13.3.1 Problem Definition

13.3.2 Related Works

13.3.3 Proposed Method

13.3.4 Performance Analysis

13.4 Case Studies

13.4.1 Region Duplication Forgeries

13.4.2 Splicing Forgeries

13.5 Other Applications

13.5.1 Detecting Audio Splicing

13.5.2 Exposing Video Forgery

13.6 Summary

References

14 Camera–Based Image Forgery Detection

14.1 Introduction

14.2 Camera Structure

14.2.1 Optics

14.2.2 Sensors

14.2.3 Image Processing Pipeline

14.3 Camera–Based Forgery Detection Methods

14.3.1 Optics–Based Forgery Detection

14.3.2 Sensors–Based Forgery Detection

14.3.3 Image Processing Pipeline–Based Forgery Detection

14.4 Forgery Detection Based on PFA: A Case Study

14.4.1 Forgery Detection Based on PFA

14.4.2 Algorithm

14.4.3 Test Results

14.4.4 Discussion

14.5 Conclusion

References

15 Image and Video Processing History Recovery

15.1 Introduction

15.2 Coding Artifacts

15.2.1 JPEG Compression

15.2.2 Double JPEG Compression

15.2.3 Video Compression

15.2.4 Video Re–encoding

15.3 Editing Artifacts

15.3.1 Resampling

15.3.2 Image Enhancement

15.4 Estimation of Processing Parameters

15.4.1 Estimation of Coding Parameters

15.4.2 Estimation of Editing Parameters

15.4.3 Artifact Localization

15.5 Case Studies

15.5.1 Localization of Forgeries in JPEG Images

15.5.2 Localization of Forgeries in MPEG–2 Videos

15.6 Conclusions

References

16 Anti–Forensics of Multimedia Data and Countermeasures

16.1 Introduction

16.2 Anti–forensic Approaches Proposed in the Literature

16.2.1 Anti–forensics of Acquisition Fingerprints

16.2.2 Anti–forensic of Compression Fingerprints

16.2.3 Anti–forensic of Editing Fingerprints

16.3 Case Study: JPEG Image Forensics

16.3.1 JPEG Compression and JPEG Compression Footprints

16.3.2 JPEG Compression Anti–forensics

16.3.3 Analysis of Anti–forensic Dithering

16.3.4 Countering JPEG Compression Anti–forensics

16.4 Trade–off between Forensics and Anti–forensics

16.4.1 Performance Analysis of Anti–forensics

16.4.2 Interplay between Forger and Forensic Analyst Using

Game Theory

16.5 Conclusions

References

Index