counter forensics multimedia investigations darren chaker

8/6/2019 Counter Forensics Multimedia Investigations Darren Chaker

1/62

Multimedia Forensics is notComputer Forensics

Rainer Bohme, Felix Freiling, Thomas Gloe, Matthias Kirchner

Technische Universitat Dresden Universitat Mannheim

International Workshop on Computational Forensics 2009 (IWCF09)

The Hague 2009/8/14
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]


2/62

Outline

1 Multimedia forensics and computer forensics

2Multimedia forensics is not computer forensics

3 Counter-forensics

4 And how does this all relate to practice?

The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 2 of 24


3/62

Multimedia forensicsA science to assess the authenticity of digital media objects

manipulation detection and source device identification based on

artifacts of processing operations

resampling copy & paste inconsistent lightning double compression

characteristics of the source devicee. g. digital camera

scene

lens

filter R

G

G

B

sensorcolor

interpolation

postprocessing

digital imagelens

distortionCFA layout

hot pixels,sensor noise

interpolationscheme

quantizationtable



4/62

Multimedia forensics: Examples

digital camera identification

based on sensor noise



5/62


digital camera identificationbased on sensor noise



6/62





7/62





8/62



copy & paste detection



9/62



copy & paste detection



10/62

By the way,what is computer forensics?


11/62

Computer forensics



12/62

Computer forensics

01



13/62

Computer forensics

11

52 51 51 51 49

49 40 36 34 33

55 48 40 33 23

62 58 45 33 22

66 62 53 34 22

The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensicsslide 6 of 24


14/62

Computer forensics

10

52 51 51 51 49

49 40 36 34 33

55 48 40 33 23

62 58 45 33 22

66 62 53 34 22



15/62

Outline


2 Multimedia forensics is not computer forensics

3 Counter-forensics




16/62

Digital forensics: proposed ontology

forensics

digital forensics

computerforensics

multimediaforensics

analog forensics

digital evidence physical evidence

0 1 1 0 1 1 0 0 0 1 00 0 0 1 1 1 0 1 0 0 00 0 1 0 0 0 1 0 1 1 00 0 1 1 1 1 0 0 0 0 00 1 1 1 0 0 1 0 0 1 00 1 1 0 1 0 0 1 0 0 00 1 0 0 0 1 0 0 1 0 01 1 1 0 1 0 1 0 0 1 00 1 1 0 1 1 0 0 0 1 11 1 1 1 0 1 0 1 1 1 1



17/62


forensics

digital forensics

computerforensics

multimediaforensics

analog forensics


1 1 1 1 1 1 0 0 0 0 11 1 0 1 1 1 0 0 0 0 11 1 1 0 1 0 0 0 0 0 00 1 0 0 1 0 0 1 1 1 10 0 1 0 0 0 1 1 1 1 11 0 1 1 1 0 0 1 0 0 00 0 0 1 0 1 0 0 0 1 00 0 0 1 0 1 1 0 0 1 11 1 1 0 1 0 0 0 1 1 00 1 0 0 1 1 0 0 1 0 1

finite sequence of discrete andperfectly observable symbols



18/62

The following slides

intentionally draw a veryblack-and-white

picture

WARNING!

ing slides

draw a veryd-white

ure

ING!


19/62

Computer forensics = Multimedia forensics

computer forensics multimedia forensicsphysical evidence

WWW

10111 0 0 1

digital evidence

physical evidence

10111 0 0 1

digital evidence



20/62



WWW

WWW

10111 0 0 1

digital evidence

physical evidence

10111 0 0 1

digital evidence



21/62



WWW

WWW

10111 0 0 1

digital evidence

physical evidence

10111 0 0 1

digital evidence

digital evidence is not linkedto the outside world



22/62



WWW

WWW

10111 0 0 1

digital evidence

physical evidence

10111 0 0 1

digital evidence




23/62



WWW

WWW

10111 0 0 1

digital evidence

physical evidence

10111 0 0 1

digital evidence


digital evidence is linkedto the outside world



24/62

Computer forensics: A closer look

digital

data

processing



25/62


digital

data

processingsuspicious

traces?



26/62


reality

digital

data


traces?

digital evidence is stored in the

finite automaton each computer

represents

number of states in a closed

system is finite



27/62


reality

digital

data


traces?



represents


system is finite



28/62


reality

digital

data


traces?



represents


system is finite

non-negligible chance that a

computer is left in a state which

perfectly erases all traces



29/62

Multimedia forensics: A closer look

digital media

object

processing



30/62


digital media

object

processingoriginal?

source

(device) ?



31/62


digital media

object

processing

sensor

original?

source

(device) ?

sensors capture parts of the reality and

transform them into digital representations



32/62


digital media

object

processing

sensor

original?

source

(device) ?



reality is incognizable: ultimate knowledge

whether a piece of digital media reflectsreality or not cannot exist



33/62


digital media

object

processing

sensor

original?

source

(device) ?



reality is incognizable: ultimate knowledge

whether a piece of digital media reflectsreality or not cannot exist

multimedia forensics = empirical science



34/62

Sensors: A source of uncertainty

projection of reality to discrete symbols means a dimensionality reduction



35/62


projection of reality to discrete symbols means a dimensionality reduction multimedia forensics has to cope with an additional source of uncertainty

degrees of freedom



36/62


projection of reality to discrete symbols means a dimensionality reduction multimedia forensics has to cope with an additional source of uncertainty

what kind of common

post-processing is

legitimate / tolerable?

?



37/62

Models: Yet another dimensionality reduction

models make projection of reality todiscrete symbols tractable with formal

methods

typical models in multimedia forensics:

sensor noise follows a Gaussian distribution connected regions of identical pixel values are

unlikely to occur in original images



38/62



methods




p



39/62



methods




p

projection to a1-dimensionalvariable

models of reality function as yet another dimensionality reduction

quality of forensic methods depends on the quality of the employed model!



40/62



methods




p

projection to a1-dimensionalvariable

models of reality function as yet another dimensionality reduction

quality of forensic methods depends on the quality of the employed model!



41/62

Outline



3 Counter-forensics




42/62


forensics

digital forensics

computerforensics multimediaforensics

analog forensics


0 0 0 1 0 0 1 1 0 0 01 0 1 1 0 0 1 0 1 1 00 0 1 1 0 1 1 0 0 0 10 1 1 0 0 1 0 1 0 0 11 1 1 0 0 0 1 0 0 1 00 0 1 0 0 0 1 0 0 1 01 1 0 1 1 1 0 1 0 1 11 1 0 0 0 1 0 1 1 0 00 0 1 1 1 1 1 0 0 1 01 1 0 1 1 0 1 0 1 0 1

forgeability

counter-forensics

b=



43/62


forensics

digital forensics

computerforensics multimediaforensics

analog forensics


0 1 1 0 0 1 1 1 1 1 01 1 1 0 0 0 0 1 1 1 10 0 1 0 1 0 1 0 0 1 00 1 0 1 0 1 1 1 0 0 01 0 0 1 0 0 0 0 0 0 10 1 1 1 1 0 0 0 0 0 01 1 1 0 0 1 1 1 0 1 10 1 0 1 1 0 0 0 1 0 10 0 0 0 0 1 1 0 1 0 00 0 0 0 1 1 0 0 0 1 0

forgeability

counter-forensics

b=

physical evidence cannot be wrong,

it cannot perjure itself,

it cannot be wholly absent

Kirk (1953)


C f i C f i


44/62

Counter-forensics: Computer forensics

leavetraces

valid state invalid state

C f i C f i


45/62


leavetraces

eliminatetraces

valid state invalid state valid state

C t f i C t f i


46/62


leavetraces

eliminatetraces


valid states are perfectly known

or can be recorded before

C t f i C t f i


47/62


leavetraces

eliminatetraces

preemptivelyavoid traces




C t f i C t f i


48/62


leavetraces

eliminatetraces





virtualization in a larger system

Counter forensics: Multimedia forensics


49/62

Counter-forensics: Multimedia forensics

leavetraces

eliminatetraces





virtualization in a larger system

invalidity depends on

the model of reality

Counter forensics: Multimedia forensics


50/62

Counter-forensics: Multimedia forensics

leavetraces

eliminatetraces



valid states are not perfectly known


and cannot be recorded before

virtualization in a larger system is not possible

invalidity depends on

the model of reality




51/62


forensics

digital forensics

computer

forensicsmultimedia

forensics

analog forensics

0 0 0 1 1 0 1 1 0 0 11 1 0 0 1 0 0 1 0 1 00 0 1 1 0 0 0 1 1 1 11 0 0 0 0 0 1 0 0 1 00 0 1 1 0 1 0 0 0 1 10 1 0 1 1 1 0 0 1 1 11 1 0 1 1 1 0 0 1 0 11 0 1 0 1 1 1 1 0 0 10 1 1 1 1 0 1 1 0 0 01 0 1 1 1 1 0 0 0 0 0

forgeability

counter-forensics

b=

perfect crime

possiblecompete for

the best model

perfect crime

impossible


Outline


52/62

Outline



3 Counter-forensics




53/62

Computer forensics in a broader sense


54/62


computers interact with their environment

physical evidence

WWW

WWW

10111 0 0 1

digital evidenceWWW

WWW

WWW

WWW

WWW

WWW

computers can be part of a network




55/62



physical evidence

WWW

WWW

10111 0 0 1

digital evidenceWWW

WWW

WWW

WWW

WWW

WWW


computers can be sensors itself




56/62



physical evidence

WWW

WWW

10111 0 0 1

digital evidenceWWW

WWW

WWW

WWW

WWW

WWW


computers can be sensors itself

computers leave physical evidence


(Finally) A more practical view


57/62

(Finally) A more practical view

2

2

IWCF 09

2A

3

3

IWCF 09

3A

4

4

IWCF 09

4A

5

5

IWCF 09

5A

6

6

IWCF 09

6A7

7

IWCF 09

7A

8

8

IWCF 09

8A

9

9

IWCF 09

9A

10

10

IWCF 09

10A

11

11

IWCF 09

11A


Concluding remarks


58/62

Concluding remarks

forensic examinations include techniques from a variety of forensic sciences

important differences in the underlying assumptions between different methods are

blurred by practice

in particular: digital evidence = digital evidence (= physical evidence):

digital evidence in computer forensics is not linked to the outside world whereas

in multimedia forensics it is effects the reliability of forensic methods

furture work: rigorous probabilistic modeling


Concluding remarks


59/62

Co c ud g e a s



blurred by practice





reality is ultimately incognizable, but


Concluding remarks


60/62

g



blurred by practice





reality is ultimately incognizable, but

your comments will help to gain a more comprehensive view on it



61/62

Thanks for your attention

Questions?

Rainer Bohme, Felix Freiling, Thomas Gloe, Matthias Kirchner

Technische Universitat Dresden Universitat Mannheim

Matthias Kirchner gratefully receives a doctorate scholarship fromDeutsche Telekom Stiftung, Bonn, Germany.

Image sources
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]


62/62

Iranian missile test (4) http://www.spiegel.de

hard drive (6) http://commons.wikimedia.org/wiki/File:Open_hard-drive.jpg

floppy disk (11,17) http://commons.wikimedia.org/wiki/GNOME_Desktop_icons

core memory (11) http://commons.wikimedia.org/wiki/File:KL_CoreMemory.jpg

multimedia (12,18) http://commons.wikimedia.org/wiki/GNOME_Desktop_icons

fingerprints (22) https://reader009.{domain}/reader009/html5/0515/5afa059577e25/5afa05b6f045e.jpg

handcuffs (22) http://commons.wikimedia.org/wiki/File:Handcuffs01_2003-06-02.jpg
http://www.spiegel.de/http://commons.wikimedia.org/wiki/File:Open_hard-drive.jpghttp://commons.wikimedia.org/wiki/GNOME_Desktop_iconshttp://commons.wikimedia.org/wiki/File:KL_CoreMemory.jpghttp://commons.wikimedia.org/wiki/GNOME_Desktop_iconshttp://www.lanl.gov/news/albums/chemistry/fingerprint.jpghttp://commons.wikimedia.org/wiki/File:Handcuffs01_2003-06-02.jpghttp://commons.wikimedia.org/wiki/File:Handcuffs01_2003-06-02.jpghttp://www.lanl.gov/news/albums/chemistry/fingerprint.jpghttp://commons.wikimedia.org/wiki/GNOME_Desktop_iconshttp://commons.wikimedia.org/wiki/File:KL_CoreMemory.jpghttp://commons.wikimedia.org/wiki/GNOME_Desktop_iconshttp://commons.wikimedia.org/wiki/File:Open_hard-drive.jpghttp://www.spiegel.de/

counter forensics multimedia investigations darren chaker

Documents