Wednesday, January 27, 2010

Forensic Photoshop WorkflowLab

I've put the Adobe WorkflowLab Forensic Photoshop file up on the secure site. Click here to access it. Remember, the user name and password are in the book.


Tuesday, January 26, 2010

Adobe WorkflowLab

I've been having a bit of fun with the Adobe WorkflowLab beta. I've created a Forensic Photoshop workflow in WorkflowLab and will be updating the book's secure site in the next few days to include the Forensic Photoshop wfx file. You'll need to click here to get the WorkflowLab Air app in order to use it.





Use it as a guide to keep you on track ... use it as a check-list ... or use it in some other way. If you find another use for it, let me know.


Enjoy.

Getting images out of PDF files

Stephen Nichols has a brilliant post over on Adobe blogs about getting text and images out of PDF files that are sent to you.


"Another useful function of Acrobat is the ability to export all images from a PDF, in combination with the text retrieval very handy for those times when major changes need to be applied to a PDF where the original artwork is not available."


To read the full article, click here.


Enjoy.

Monday, January 25, 2010

A reader's response

"Tiffany" writes in response to my piece on sub-disciplines. Rather than just post it as a comment, I decided to feature it as a new post - with my comments included.


Tiffany: "I don't feel that the federal government is pushing toward ownerships of local/regional labs. In fact, I just the opposite. Reading the author's intentions in that way, in my opinion, is a misunderstanding of what recent government watchdogs are attempting to do in the field of Forensics. Scientific working groups and advisory boards are not trying to excercize ownership or control over regional and local labs at all, in my opinion. "


Response: First, let me start by saying that "Tiffany" doesn't identify herself. So her opinions and feelings are nice, but it's hard to get a sense of who she is and where she's coming from - there's no "expert power" in her note when it comes in anonymously. Next, I didn't say that the feds want to "own" things ... just that they are using their power to influence at the expense of the privateer and the state and local, who don't have the "weight" or "juice" that the feds have. Having sat in a SWG as a local, I've got a bit on insight to back this opinion up.


"I will agree that the federal government is making a push for standardization. I'm sure we can both agree this goal is important and completely necessary, if not long overdue. I believe, in the interest of the integrity of the profession, the federal government is stepping in as a means of creating some type of uniformity from state to state and lab to lab. Although it's beneficial, these state and local do not have to perform testing in disciplines in which they are not accredited and can opt to send material out to other accredited labs. Or they can choose to sufficiently train analysts and bring their own analysts into compliance."


Notice the tone here ... they don't have to ... they can choose to ... very paternalistic. State/Local/Privateer want to be free to choose for them selves. I have every confidence that a professional will choose wisely. That being said, budget issues are real and have to be considered.


The purpose of this is not for the federal government to control these labs, but to ensure a minimum level of analyst ability has been acheived at each lab. The profession can no longer afford to have underqualified analysts and laboratories performing tests and issuing results with such important implications without first ensuring the accuracy and ability of the analysts and labs to perform testing in those areas.


Interesting that "Tiffany" now speaks for "the profession." I really wish she would have introduced herself. Often readers write in and ask that their name be withheld ... it's never a problem.


The information contained in the NAS can not be ignored. I feel the argument about shrinking funds is weak. I understand that local LE agencies that rely on one analyst to process across several disciplines is still acceptable, provided that analyst has demonstrated proficiency compared not only to the other analysts within that lab, but also compared to the rest of the labs in the country. Why should the standards of education and proficiency be lower because a lab is smaller? Or because they have a smaller budget? Uniformity in analysis, reporting methods and analyst education levels should be maintained to ensure the quality of the work product. Should that not be the most important goal?


The argument about shrinking funds is real ... just ask the furloughed employees in the state of California, and elsewhere. The "standards for education" don't exist as such. There are no degrees in video forensics yet. There are only training programs from groups like LEVA and NaTIA. Uniformity in process can be achieved without an unfunded mandate towards uniformity in "education."


If one analyst demonstrates capability across disciplines consistent with the professional standards that would be perfectly acceptable with federal governmental regulations. So, no... you do not have to choose a specialty. However, you should have the requisite experience, course work and continuing education to ensure the quality of the work is on par with the rest of the country in each discipline.


I like the "perfectly acceptable" part. This is the tone that scares most of us in the small cities. Someone out there is going to decide if we can keep our jobs vs. competing in the marketplace of ideas ... discussion, debate, proof of concept, etc.


In my opinion, the author of this article was just pointing out the difficulty of implementing guidelines and reccommendations for each laboratory due to the wide range of services being performed across the nation. How can standardization occur without first setting guidelines and making reccommendations? I do no believe the profession is being driven toward one vendor's practice, but rather a uniform practice. These SWG's and accreditation boards are comprised of analysts from many different state and local labs. This isn't just the FBI or the ATF going out and telling people how to perform testing.


Uniform practices are one thing. My point is: what the Federal government funds, it owns. In the case of the SWGs, a worthy effort mind you, the Federal government has ownership of the process ... as it controls the purse strings. Places like Hillsdale College refuse federal money because they don't want to be told how to run their business. SWGs are not as independent as they appear ... as the process is weighted towards the funding source. I'm not saying this in a conspiratorial way ... it's just a matter of fact. The feds pay and thus they control the process. It's not good or bad per se, it just is.


I feel the quality and integrity of the work being done should be the priority. I do not feel we have the ability to allow them to "rise to the top" in a "competitive way." In this model, there would still be some labs putting out unreliable work. This is unacceptable. The stakes are too high and potential for injustice too great. It almost seems like a gamble. Why take that unecessary chance that some lab practices would not be those 'best practices'? Why not take steps to ensure all labs just automatically use the 'best practices'? The purpose isn't to drive anyone out, but to bring them up to code with the rest of the country, budgets aside.


In a true competitive model, the best would not only be determined by price but in quality of service, reliability, and so forth.  And, again, "budgets  aside"? No, budgets are everything these days. Remember the golden rule ... he with the gold makes the rules. Right now, the states and cities are going broke. The last thing they need is another unfunded mandate from the Feds.


Thanks, "Tiffany," for writing in.


Enjoy.

Sunday, January 24, 2010

Authentication fun

Authentication has become more interesting with the invention of the iPhone and its associated apps.


A friend sent this picture to me for authentication. He mentioned that a friend of his had shot this during a training session, and that there was a ghost in the tree line. He wanted to know what I thought about it, if there was indeed a ghost in the tree line.





The short answer is, yes, there is a ghost of a soldier in the tree line.





The image was sent from one friend to another via iPhones. There was no use of Photoshop ... is the image authentic?





Well ... not really. The iPhone has a free app called Ghost Capture. It can add any number of ghost images to photos shot with your iPhone ... including the "Gettysburg Soldier."


My friend was suspicious of the image from the beginning. His suspicions were warranted.


Enjoy.

Friday, January 22, 2010

Cell Phone Camera Forensics

A fascinating paper came across my desk today ...


On the Reliability of Cell Phone Camera Fingerprint Recognition
Martin Steinebach, Mohamed El Ouariachi, Huajian Liu, and Stefan Katzenbeisser


"Abstract. Multiple multimedia forensic algorithms have been introduced allowing tracing back media copies back to its source by matching artifacts to fingerprint databases. While this offers new possibilities for investigating crimes, important questions arise: How reliable are these algorithms? Can a judge trust their results? How easy are they to manipulate? It has been shown that forensic fingerprints of digital cameras can be copied from one image to the next. Our aim is to develop new concepts for increasing the security of theses algorithms. In this work, we describe the state of our research work regarding attacks against forensics and provide an outlook on future approaches to in- crease their reliability."


"One research area deals with the origin of media data ..." "The other research area deals with identifying content manipulations within the media data." "In this work, we focus on the first area, aiming to identify digital cameras. Similar to the goal of matching bullets and guns, it is therefore also called camera ballistics."


To read more of this facinating paper, click here to order Digital Forensics and Cyber Crime: First International ICST Conference.


Enjoy.

Thursday, January 21, 2010

How to Take Screenshots on Android Devices

Here's an interesting post on taking screenshots on Android Devices. This could come in handy for cell phone forensic examiners. 


Enjoy.

Wednesday, January 20, 2010

Clearing a crop




A reader writes in to ask about an cropped image. He was having trouble finding out how to restore an image that he'd cropped in ACR. Aside from right-clicking on the image and choosing Develop Settings>Clear Settings - which clears everything ... the reader just wanted to clear the crop.


Click and hold the Crop tool and you'll find a hidden menu. Remember, whenever you see the downward pointing triangle, that's Photoshop's way of saying that there's a menu hidden under the button. At the bottom of the Crop tool's hidden menu, you'll find Clear Crop.


Clearing it using the Crop tool's menu preserves any adjustments that you've made - unlike Clear Settings.




Tuesday, January 19, 2010

Field kit tip

LA is under a storm warning. The weathermen are all in a tizzy ... they've actually got something to report. So in the spirit of the times, here's a tip to help keep your equipment field kit dry.

Take a handful of plain old rice and sew it into a cloth packet. The rice acts as a desiccant and works to rid your kit of moisture. Best of all, it shouldn't cost much at all. 

I've even heard of folks using this tip as a cure for dropping their cell phone in water. They've made a few specially shaped packets and filled them with rice. They then placed them in a bowl with the phone. In a few days, they were able to get enough of the moisture out of the phone to power it on safely.

Monday, January 18, 2010

Digital Forensics Links and Resources

In response to a reader's question about internet resources, here's some of my link lists:


Digital Forensics Guidelines


Integrated Publishing Web page regarding the issue of chain of custody: http://www.tpub.com/legalman/80.htm


Online version of Electronic Crime Scene Investigation – A Guide for First Responders: http://www.ncjrs.org/pdffiles1/nij/187736.pdf


Online version of Forensics Guide to Incident Response for Technical Staff: http://www.cert.org/archive/pdf/FRGCF_v1.3.pdf


Online version of Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations: http://www.cybercrime.gov/ssmanual/index.html


Other Online Computer / Digital Forensic Resources


Alexander Geschonneck’s Security Site: Forensic – IDS – Incident Response: http://www.geschonneck.com/security/forensic.html


An Explanation of Computer Forensics, by Judd Robbins: http://www.computerforensics.net/forensics.htm


Computer Forensics Laboratory and Tools: http://www.scribd.com/doc/136793/COMPUTER-FORENSICS-LABORATORY-AND-TOOLs


Computer Forensics, Cybercrime and Steganography Resources: http://www.forensics.nl/links


Computer forensics technology articles from Mares and Company: http://www.dmares.com/maresware/articles.htm


CyberSecurity Institute – Windows Forensics Essentials: http://www.cybersecurityinstitute.biz/training/wfe.htm


Computer Forensics World: http://www.computerforensicsworld.com


Computer Professionals for Social Responsibility Computer Crime Directory: http://www.cpsr.org/prevsite/cpsr/privacy/crime/crime.html/view?searchterm=computer%20crime%20directory


Digital forensics links: http://isis.poly.edu/kulesh/forensics/list.htm


Disklabs: http://www.disklabs.com/computer-forensics-software.asp


The Electronic Evidence Information Center: http://www.e-evidence.info/


Federal Rules of Evidence (Article I): http://expertpages.com/federal/a1.htm?PHPSESSID=a2d248b5ba83a082442876135682f3af


Forensic Acquisition Utilities: http://www.gmgsystemsinc.com/fau/


Forensic Focus – Computer Forensics Papers and Articles: http://www.forensicfocus.com/computer-forensics-papers


Fundamental Computer Investigation Guide for Windows Overview: http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx


The Forensics Science Portal: http://www.forensics.ca/index.php


Global Digital Forensics, Computer Forensic Resources: http://www.evestigate.com/COMPUTER%20FORENSIC%20RESOURCES.htm


Internet Crime Complaint Center: http://www.ic3.gov/


Law enforcement reference links: http://www.computerforensics.net/links.htm


Linux LEO: http://www.linuxleo.com/


Linux forensics: http://tech.groups.yahoo.com/group/linux_forensics/


Mobile Forensics Central: http://www.mobileforensicscentral.com/mfc/


Mobile Phone Forensics and PDA Forensics: http://www.forensics.nl/mobile-pda-forensics


National White Collar Crime Center: http://www.nw3c.org/


Technical articles on data recovery: http://www.actionfront.com/ts_articles.aspx


The Open Computer Forensics Architecture: http://ocfa.sourceforge.net/


Ultimate Guide to Mac OS Forensics: http://homepage.mac.com/macbuddy/ForensicGuide.html


Zeno’s Forensic Science Site: http://www.forensic.to/forensic.html


Enjoy.

Sunday, January 17, 2010

Evidence defined

Evidence: "Testimony, writings, or material objects offered in proof of an alleged fact or proposition." - Black’s Law Dictionary

Saturday, January 16, 2010

Cybercrime Books

A friend of mine is looking at a career change and is considering digital forensics as his new career. He was looking for a few books to read ... in an effort to see if DF was in fact a good career move. I recommended the following books:


Scene of the Cybercrime by Debra Littlejohn Shinder and Michael Cross. Here's an excerpt:


"Most organizations and experts involved in computer forensics agree on some basic standards regarding the handling of digital evidence, which can be summarized as follows:


  • The original evidence should be preserved in a state as close as possible to the state it was in when found.
  • If at all possible, an exact copy (image) of the original should be made to be used for examination so as not to damage the integrity of the original.
  • Copies of data made for examination should be made on media that is forensically sterile—that is, there must be no preexisting data on the disk or other media; it should be completely “clean” and checked for freedom from viruses and defects.
  • All evidence should be properly tagged and documented and the chain of custody preserved, and each step of the forensic examination should be documented in detail.
I also recommended The Best Damn Cybercrime and Digital Forensics Book Period by Jack Wiles and Anthony Reyes. Here's an excerpt:


"Before we move into a discussion of digital forensic principles, it is important that we understand the difference between principles and procedures (methodologies). The Merriam-Webster online dictionary defines a principle as “a comprehensive and fundamental law, doctrine, assumption or rule” and a procedure as “a particular way of accomplishing something or of acting.” The difference between the two terms can appear to be minimal, but it is important: A principle is a fundamental truth that governs a specific endeavor; in contrast, a procedure is a method of accomplishing something."


Enjoy.

Friday, January 15, 2010

CD-ROM vs CD-R

A reader writes in to ask, "what's the difference between CD-ROM and CD-R? Or ... are they the same thing?" Good question. Here's the answer:


"CD-ROM optical discs differ from CD-R and CD-RW discs in that they do not have an organic dye recording layer between the polycarbonate substrate and the light reflective layer. It’s the organic dye recording layer that allows the laser in a CD-R or CD-RW device to be heated and thus create a pit, which is in turn read as digital data." - from Computer Evidence: Collection & Preservation by Christopher LT Brown


Keep the questions coming.


Enjoy.

Monday, January 11, 2010

The Digital Forensic Sub-Disciplines?

In the December 2009/January 2010 issue of Forensic Magazine, John J. Barbara posits the following question to begin his article on digital forensic sub-disciplines: "Can we clearly differentiate whether an examination falls under Computer Forensics, Forensic Audio, Image Analysis, or Video Analysis?"


To begin with, I was a little suspicious of the article - given the author's profession. It seemed to me that he is making a pitch here that will certainly help his business. What's his business, you ask? He runs a company that specialises in helping agencies set up and  comply with the ASCLD/LAB and ISO regulations. Is there a conflict here? Perhaps - but read the article for yourself before forming any conclusions.


One of the key points of the article (for me) was hidden about midway down the page. "Although the initiative toward gaining accreditation for the discipline was being driven primarily by the federal agencies ..." Why are federal agencies driving the initiative? Are state and local agencies participating in a meaningful way? What about privateers? How are their interests represented?


The author walks the reader through a hypothetical case where a single analyst processes a piece of digital multimedia evidence. Then he proceeds to illustrate that the analyst really was performing four functions (sub-disciplines) as part of the process. The sub-text hints that there is something inherently wrong with the single analyst model.


This article, for me, represents the latest in a worrisome trend in advocacy - away from the local / private lab toward a regional / nationally controlled lab. This, while good for the author of the article's business, it is certainly not good for the citizens of this country. Here's why ...


This trend, the NAS report, the SWG's and so forth, has been moving forensic work in a certain direction. That direction is towards greater standardisation and control of the work. So far so good. But the next logical step is to say that agencies with a single analyst (like many local police agencies and privateers) should no longer be to allowed to work across sub-disciplines. I, for example, have received training and worked cases involving video, image, audio, cell phone, and small device forensics. I also image hard drives (computer forensics). Must I now choose a specialty? What does this do to the local agency, given today's economic mess? The only agencies that are currently hiring analysts in great numbers are federal. But are federal agencies going to handle the video when a car is broken into on my block? Hardly.


Information and standardisation are good when they are used as a guide toward mastery of a given subject. They are bad when they are used to drive the market towards a specific vendor's practice - even when that "vendor" is the government. I'd hate to see the state of justice in this country when hundreds or thousands of well meaning and quite capable privateers and local LE analysts are driven out of business in the face of these "mandates." The right to an vigorous defense will be in jeopardy when all forensic functions are dispensed at the federal or regional level - driven by cost controls and governed by shrinking budgets.


If "forensics" is discussion and debate ... let the best rise practices to the top - be them private, local, state, regional, or national - in an openly competitive atmosphere. When the federal government steps in and mandates these practices - thus driving out perfectly good practitioners - everyone loses. At this point, forensics, as such, is dead. There is no discussion or debate allowed. Everyone loses.


This is just one citizen's opinion. What say you?

Thursday, January 7, 2010

Check out the new Premiere Pro

The new Premiere Pro looks great. With GPU acceleration through the Mercury Playback Engine, you can do things like you've never done them before. They've also added support for native Canon 1D, 5D, 7D video as well as other DSLR video formats.


Watch the video from Digital Dave on Adobe TV for all the info.


Enjoy.

Wednesday, January 6, 2010

Flash comes to the DROID

As usual, CES is full of news of cool new toys ... as well as new features to old toys. One cool development is Flash Player 10.1 for the DROID.


Who knows ... hint, hint, .... you may see an app that allows you to serve up multimedia evidence from a secure site to your DROID, leveraging the power of the Creative Suite apps on the back end.


"Here you are, Mr./Ms. Attorney. I just sent you the link. This is the video from the robbery that we're talking about. Can we file the case now? Thanks."


Enjoy.

Snagit for Mac - beta

There's a beta release out for Snagit Mac. It requires an Intel Mac running at least 10.5.8.


I'm not sure how this one will be received. iShowU already has plenty of traction - and most like the Mac's built in screen capture.


Stay tuned ... we'll see how it goes.


Enjoy.

Tuesday, January 5, 2010

Updates are out

There are updates for Suitcase Fusion 2 (Mac) and Toast Titanium 10.


These are both maintenance fixes. As usual, back stuff up before updating software. You never know how your system will respond.


Enjoy.

Monday, January 4, 2010

Photoshop for LE classes scheduled

Photoshop for Law Enforcement at LA CLEAR - 8 hours (hands on) (skill level - basic/intermediate)


The next scheduled class is set for Thursday, February 4th, 2010 at LA CLEAR in Commerce, Ca.


This training is for LE and military personnel. ID will be verified.


If you are working with images in an LE setting, this class is for you.


Click on the link for more details. Click here to see all the offerings at LA HIDTA Training.


This class has been approved for 8 hours of credit towards your LEVA certification or continuing education requirement.

Sunday, January 3, 2010

32 Bit?




32 Bit? A reader wandered into this version of the Color Picker by accident. This is what the Color Picker looks like for 32 bit images. You now get the 32 bit values (top) (from 0-1 = zero is the absence of colour and 1 is that colour completely saturated) as well as the ability to make the colour in the picker directly relate to the document. I also like the fact that I can bump up / fade the intensity of colour by stops. So much more control ...


It never hurts to explore the program and try new things. Who knows, soon enough the hardware manufacturers will catch up and 32 bit will be all the rage.


Enjoy.

Saturday, January 2, 2010

ACR - what's the Clarity slider for?

A reader writes in to ask about the Clarity slider. "Hey Jim. What's the Clarity slider for?"


The Clarity slider is an easy to use but powerful way to add mid-tone contrast to an image. It's also great for carving details out of dull/flat mid-tone areas without resorting to over-sharpening.


Enjoy.

Friday, January 1, 2010

Happy New Year

Happy New Year.
Thanks for making this blog a smashing success.