Forensic Image Analysis

Introduction

Digital photography’s popularity has increased in recent years, allowing for new and imaginative ways to create photographs. When photographs are manipulated by forgeries, the observer’s perspective of the depicted scene is influenced, which might have negative implications if done maliciously. In the absence of any prior digital watermarking or authentication procedure, it is necessary to check the authenticity of photographs originating from unknown sources. The capacity to detect image forgeries made utilizing numerous image sources. It has also specialized approaches tailored to the common JPEG image format is investigated. Four strategies for detecting picture tampering based on fundamental image properties common to all forgeries are provided.

Discrepancies include the:

  1. Level of lighting,
  2. Level of brightness,
  3. Underlying edge inconsistencies, and
  4. Anomalies in JPEG compression blocks are among them. In a completely blind trial with a mixture of 15 original and forged photos, these approaches detected image forgeries with an observed accuracy of 60%.

A subset of digital forensics is digital image forensics. The discipline, sometimes known as forensic image analysis, focuses on image authenticity and content. This enables law enforcement to use relevant data for prosecution in a variety of criminal offenses, including cybercrime.

How is digital image forensics performed?

Digital picture forensics is done locally on computers and can be utilized in both open and closed source investigations. It’s a highly technical subject that involves the usage of a variety of software programmes as well as specific training.

Because digital imaging is data-rich in comparison to film photography, the scope of digital image forensics is so broad. Digital image forensics experts can mine everything from camera attributes to individual pixels for information using several approaches.

Types of digital image evidence

A single image can yield a large amount of digital evidence. These evidence formats can be divided into two categories that are utilized in conjunction with one another:

Image Authenticity evidence

  • Pixel data (e.g. color information)
  • Metadata (e.g. descriptive, structural, administrative, reference, statistical)
  • Exif data (e.g. digital camera model, shutter speed, focal length)

Image content evidence

  • Landmarks (e.g. apartment blocks, churches, schools)
  • Visible languages (e.g. shops, road signs, road markings)
  • Topography (e.g. hills, mountains, waterfalls)
  • Street furniture (e.g. bollards, benches, bins)

Digital image forensics techniques

The following are two examples of how digital image forensics techniques are used:

  • When a suspect argues that an incriminating photograph was fabricated or when a suspect denies their presence in an image
  • In each of these cases, law enforcement employs a variety of digital picture forensics techniques to conclude:

Example A: digital image forensics techniques

Deconvolution can be used to reverse image blurring if identities are obscured in some way. Geolocation, metadata, and Exif data can also be used to prove or disprove the presence of a defendant at a crime scene.

Example B: digital image forensics techniques

Image authentication is critical in the age of deep fakes. Color space and color level anomalies can be used to determine the validity of a digital photo. Landmarks could potentially be utilized to confirm or deny the location of the suspect.

Pros and Cons of digital image forensics

The benefits of digital forensics vastly outweigh the disadvantages. Both are, nonetheless, crucial factors to consider when planning criminal investigations.

PROS

  • There’s a lot of granular info here. Law enforcement has a better possibility of digitally identifying a suspect’s unlawful activities if there is more data available to them.
  • Flexible use cases
  • Techniques for digital picture forensics can be applied in both open and closed source investigations.
  • Approaches and algorithms that have been proven to work. Because of the discipline’s scientific foundations, it is extremely exact and dependable.

CONS

It takes a lot of time and effort. From a single and frequently insignificant clue, open-source digital image forensics investigations can be developed. It can take months to paint a thorough picture of a case.

Digital image lifecycle

The lifecycle of a digital image is essentially the image’s history, encompassing the different stages taken to make it. A photograph, for example, could be captured with a digital camera, then transferred to a graphics application and modified. The final output isn’t the original image; it’s gone through various phases in its existence.

The goal of an investigator is to find the source image. The closer they can come to the original image, the better. It’s more likely to include relevant information and clues at this point in the lifecycle, which could aid in the inquiry. For instance, the serial number of the equipment or the location where the image was taken.

Core functionalities of image forensics software

Image forensics software is used to search for data in photographs. The tools we give at Camera Forensics assist authorities in building a case in a criminal investigation.

Image forensics software has three basic features that assist with this:

  • Identifying areas with alterations
  • highlighting essential intelligence displaying areas with an identifier
  • highlighting key intelligence

Digital image forensics tools

There are numerous digital picture forensics tools on the market, each with its own set of strengths and disadvantages. Camera Forensics provides a free program called Exif Extractor that was developed in collaboration with global organizations to assist users to obtain the correct information at the right time.

There are four steps in the forensic analysis process:

1. Use a write-blocker to prevent the drive’s evidentiary value from being harmed.

2. Use forensics software to mount and/or process the picture.

3. Conduct forensic analysis by looking for any viruses, proof, or violations of business policy in common sections of the disc image.

4. If potential evidence is discovered, conduct more investigation to ascertain the cause and define the event’s timeframe.

·         Using a Write-blocker

A write-blocker is a device that allows for the capture of information on a drive while also preventing the disk’s contents from being mistakenly damaged and losing their evidentiary value. Read commands flow through the write-blocker, but write commands are blocked.

It puts into doubt the image’s integrity (a legal term is “spoliation”) and can easily lead to evidence being dismissed in court. A single-byte alteration will cause the image’s cryptographic hash, which is commonly MD5 or SHA-1, to change, potentially rendering the image inadmissible in court. As a result, businesses seek to outsource forensic services to trustworthy professionals to prevent making costly mistakes.

·         Mounting/Processing the Image

An analyst can access the data in the image created after ensuring that the drive is write-protected. The picture is usually mounted by or ‘loaded into’ forensics software, such as Access Data’s FTK Imager, for analysis, which often entails examining various locations on the disc for signs of malicious activity or the existence of malware.

Once the image has been mounted, you will be able to manually traverse around the image’s directories and inspect files, logs, executables, deleted files, and so on. Manually perusing the image can be dangerous for a variety of reasons, the most important of which is that you’re assessing data with your naked eye. When someone requires qualitative information rapidly, this is usually the only time this is done.

The image can also be processed using a professional forensics package like FTK, X-Way Forensics, EnCase, Oxygen Forensics, and so on. The categorization of the various types of files stored on the image will be automated by these apps. The main disadvantage is that it takes a long time and requires a lot of resources, depending on the size of the image. However, this is the preferable way since it allows the investigator to carefully and thoroughly slice into the image. It’s a lot easier to locate file paths now.

·         Logical Locations to Analyze

We may begin viewing the contents of the picture now that the drive has been write-protected and mounted for analysis, but there are so many places to examine.

Common spots like the desktop, downloads folder and documents folder are usually good places to start just to make sure there aren’t any visible executables put there. Other critical sites include the Downloads storage location and common libraries (DLLs for Windows systems). The browsing history files can also provide a lot of information if the hacker hasn’t erased them. Each browser maintains its cache/history in its directory, depending on which browser was used.

·         Sandboxing Malware

If malware is discovered in one of the areas we’ve investigated, it must be thoroughly examined to fully comprehend its purpose and scope. Sandboxing is an excellent way of analyzing malware activities and seeing outbound connections, background processes, registry changes, and other payloads downloaded, among other things. A sandbox, as seen in Next-Generation firewalls, is a mechanism that can be used to prevent system failures or software vulnerabilities from propagating by watching software activity.

We utilize a sandbox for forensic purposes to ‘explode’ malware, or execute it in an isolated environment, where we can document the behavior and perhaps identify the malware. At the absolute least, we’ll be able to track the malware’s actions. To be sure, malware authors have become considerably more sophisticated in their creations, adding new features to evade sandbox detection and identification.

Typically, after the sandboxing phase, a report is generated that explains everything discovered about the malware’s behavior. This can greatly aid an investigator in analyzing the behavior and providing extra direction for subsequent research.

error: Content is protected !!

Discover more from Forensic's blog

Subscribe now to keep reading and get access to the full archive.

Continue reading