Typing one-handed isn't easy. I had a wee "accident" during a workout at my local Krav Maga gym. No one's fault - just working hard and having fun. Surgery's next Wednesday. I'll be out for a while as the doc re-arranges my wrist and hand.
The blog will return to its regularly scheduled programming sometime in mid-September.
Thanks for your continued support.
This blog is no longer active and is maintained for archival purposes. It served as a resource and platform for sharing insights into forensic multimedia and digital forensics. Whilst the content remains accessible for historical reference, please note that methods, tools, and perspectives may have evolved since publication. For my current thoughts, writings, and projects, visit AutSide.Substack.com. Thank you for visiting and exploring this archive.
Featured Post
Welcome to the Forensic Multimedia Analysis blog (formerly the Forensic Photoshop blog). With the latest developments in the analysis of m...
Thursday, August 22, 2013
Monday, August 19, 2013
The Language of Statistics
You may be asked to express the results of your work on a case in the language of statistics. What was your hypothesis? How did you test your hypothesis? You are offering an opinion. On what is your opinion grounded? If you believe that the man in the picture is the defendant, how do you express this belief? Would you enter into the discussion with some variation of Null = not the defendant / Alternative = the defendant? If you go down this road, be prepared to talk in the language of statistics.
Can We Accept the Null Hypothesis?
Some researchers say that a hypothesis test can have one of two outcomes: you accept the null hypothesis or you reject the null hypothesis. Many statisticians, however, take issue with the notion of "accepting the null hypothesis." Instead, they say: you reject the null hypothesis or you fail to reject the null hypothesis.
Why the distinction between "acceptance" and "failure to reject?" Acceptance implies that the null hypothesis is true. Failure to reject implies that the data are not sufficiently persuasive for us to prefer the alternative hypothesis over the null hypothesis.
How did you conduct your hypothesis tests?
Statisticians follow a formal process to determine whether to reject a null hypothesis, based on sample data. This process, called hypothesis testing, consists of four steps.
State the hypotheses. This involves stating the null and alternative hypotheses. The hypotheses are stated in such a way that they are mutually exclusive. That is, if one is true, the other must be false.
Formulate an analysis plan. The analysis plan describes how to use sample data to evaluate the null hypothesis. The evaluation often focuses around a single test statistic.
Analyze sample data. Find the value of the test statistic (mean score, proportion, t-score, z-score, etc.) described in the analysis plan.
Interpret results. Apply the decision rule described in the analysis plan. If the value of the test statistic is unlikely, based on the null hypothesis, reject the null hypothesis.
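Here is what those four steps look like when carried through end to end. This is an added example, not code from the original post, and it works on a constructed tally (20 yes/no observations, 15 of them "yes") rather than case data; the hypothesis wording, the exact two-sided binomial test and the alpha of 0.05 are illustrative assumptions. The point to notice is the wording of the outcome at step four: H0 is either rejected or not rejected, never "accepted".

```python
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class Hypotheses:
    """Step 1: state H0 and H1 so that they are mutually exclusive."""
    null: str
    alternative: str
    null_p: float  # the success probability that H0 asserts


@dataclass(frozen=True)
class AnalysisPlan:
    """Step 2: fix the test statistic and the decision rule before looking at the data."""
    alpha: float = 0.05  # reject H0 only if the two-sided p-value falls below alpha


def binomial_pmf(k: int, n: int, p: float) -> float:
    """Probability of exactly k 'yes' outcomes in n independent trials with P(yes) = p."""
    return comb(n, k) * p ** k * (1.0 - p) ** (n - k)


def two_sided_p_value(k: int, n: int, p: float) -> float:
    """Exact binomial test: total probability, under H0, of every outcome that is
    no more likely than the one observed (the usual 'at least as extreme' rule)."""
    observed = binomial_pmf(k, n, p)
    tol = 1e-12 * observed  # absorb floating-point noise when two outcomes tie
    return sum(pr for i in range(n + 1) if (pr := binomial_pmf(i, n, p)) <= observed + tol)


def run_test(h: Hypotheses, plan: AnalysisPlan, successes: int, trials: int) -> dict:
    """Steps 3 and 4: compute the test statistic, then apply the decision rule.
    The decision is phrased as 'reject' or 'fail to reject'; H0 is never 'accepted'."""
    p_value = two_sided_p_value(successes, trials, h.null_p)
    if p_value < plan.alpha:
        decision = f"reject H0 ({h.null}) in favour of H1 ({h.alternative})"
    else:
        decision = f"fail to reject H0 ({h.null}); the data are not persuasive enough to prefer H1"
    return {"successes": successes, "trials": trials, "p_value": p_value, "decision": decision}


if __name__ == "__main__":
    # Constructed, illustrative numbers only; these are not case data.
    h = Hypotheses(null="a 'yes' is no more likely than chance (p = 0.5)",
                   alternative="a 'yes' is more or less likely than chance",
                   null_p=0.5)
    plan = AnalysisPlan(alpha=0.05)
    for hits in (10, 13, 15):
        print(run_test(h, plan, hits, 20))
```

With 15 of 20 the two-sided p-value is about 0.041, so H0 is rejected at alpha = 0.05; with 13 of 20 it is about 0.263, so the correct statement is "fail to reject H0", not "H0 is true". Note that the analysis plan (alpha, the statistic) is fixed before the data are examined; choosing it afterwards is exactly the sort of thing opposing counsel will ask about.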
If you're not prepared to go down this road - DON'T. Simply explain your workflow and present your findings: this is what I did and this is what I found. If you are clarifying / enhancing images and video - don't talk in the language of stats about your results. You didn't conduct an experiment, you simply made the image / video more clear and usable for the trier of fact. In doing this, you didn't analyze the file, you just cleaned it up.
Friday, August 16, 2013
Game changer
Amped Software offered a hint at the future of the industry in their latest blog post. I've seen what they're talking about when they hint at new products on offer. Whilst I've been sworn to secrecy, I will say that one of these new products will change the industry, as disruptive technologies always do.
You can get your hands on it at the LEVA conference in Asheville in just a few weeks. If you're not among the fortunate few who were able to get a room at the venue, find a way to get there, if only for a day. You need to see this.
I've always said, the best comment you can make about a product is to spend your own hard-earned money on it (as opposed to your agency cutting a PO). This product has so magnetized my money that I'll be first in line to buy it. Needless to say, once it's out of the box, I'll be featuring it here in a series of posts.
See you in Asheville!
Thursday, August 15, 2013
Using JTAG to attack DVRs at the chip level?
We've had a ton of success using a "JTAG attack" to do physical dumps of mobile phones for later analysis with tools like FinalMobile and Cellebrite. The attack works like this: there are these IC debug ports on the phone's "mother board." Except for some of the very lowest-end systems, essentially all embedded systems platforms have a JTAG port to support in-circuit debugging and firmware programming as well as boundary scan testing. So, you connect to it, talk to it, and get it to spill its secrets. Like I said, we've been able to do this with phones when the handset was damaged, but the chips and board were still OK (smashed screen, etc.). When the board's damaged, we can do a "chip-off" exam, but I digress.
So, I've been thinking. DVRs work the same way in terms of the motherboard having these test points. Why not talk with the encoders to find out what they're doing, then use this in my analysis of the dump of the DVR data? Whilst I've still got to run this by legal, I think I'm in the clear as I'm not "leaking" proprietary code to competitors, or publishing the code, or monetizing my findings - simply finding out what the chip says is going on and bouncing it off the dump of the hard drive. Essentially, I want to find out what the encoder is doing with the incoming signal - compression, file type, container, etc. - after I parse the dump of the chip's info. I think it has practical applications for authentication in terms of getting a "fingerprint" from the chip as to how it encodes, then testing a file against that fingerprint to see if it could have come from that encoder ... and so on. Challenging the provenance of files is the latest attack on evidence, so it would be nice to have a tool to deal with it.
There's a cool tool out there that I think is up to the job. It's called JTAGulator. Once my legal team signs off on the initial test protocols, it'll get fun. Eventually, once tested and validated, I'd like to be able to use this in actual casework (when necessary).
I don't know if I can pull it off, but I'm excited to try. As with all theories and scientific endeavors, it starts with an idea, moves on to testing, validation, peer review, and eventually to publication and implementation. So, I'm just at the idea phase on this. Stay tuned.
Wednesday, August 14, 2013
Google: Gmail users ‘have no legitimate expectation of privacy’
This just in from RT.com: "... Consumer Watchdog has unearthed a July 13, 2013 motion filed by Google’s attorneys with regards to ongoing litigation challenging how the Silicon Valley giant operates its highly popular free email service.
The motion, penned in hopes of having the United States District Court for the Northern District of California dismiss a class action complaint against the company, says Gmail users should assume that any electronic correspondence that's passed through Google’s servers can be accessed and used for an array of options, such as selling ads to customers.
"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use Web-based email today cannot be surprised if their emails are processed by the recipient's [email provider] in the course of delivery,” the motion reads in part. “Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’"
Privacy issues aside, if you have your government / sensitive e-mail with Google, this presents some interesting issues. Take a closer look at the privacy policy and see what it says for your account.
In the end, Google is free ... but it's not. They're getting theirs.
Tuesday, August 13, 2013
See you in Asheville!!!
All of the logistics are now solved. So, I'll see y'all in Asheville for the LEVA Conference. I'll be teaching the Forensic Image & Video Analysis with Amped FIVE class.
I'm looking forward to seeing everyone again, and to seeing what's so special about Asheville. Hopefully, you have your room and I'll see you there.
Enjoy.
Can 1fps represent a scene?
Let me preface this by saying, I'm not a lawyer ... and I'm not your lawyer. So, with that said, here's today's question: can a one frame per second CCTV recording represent a scene accurately?
Years ago, I testified in a case where the action occurred outside of the motion trigger zone, so the recording wasn't activated. The video presented to the jury did not match the witness statements due to large chunks of time missing. The witnesses testified that the defendant came into the business, had a brief conversation with the victim, smacked her hard in the face, then was taken down forcefully by two security guards. The defendant testified that he came in, placed his order, and was attacked by the security guards. The video, with chunks of time missing, seemingly supported the defendant's view of the incident and led to a hung jury.
But, that was a case involving motion triggers. What about a system with a setting of only 1fps/camera? I've come across systems with eight 4-channel boards running on an old WinME system so overburdened that it could barely manage 1 frame every 10 or so seconds per camera, in spite of the settings.
I think that I would argue that for each frame, it represents what the system saw at that specific second in time. But for the rest, it wasn't captured and I could thus offer no opinion.
What say you?
Monday, August 12, 2013
the LEVA saga continues
I called the resort to confirm that a reservation had been made in my name. As of this morning (EST), there was no confirmation in my name ... and no available rooms. Another call and a more frank reservation attendant noted that the site managers often keep a few rooms in reserve, and that there might be some room to move. But I'd have to call and speak with the local manager and plead my case. Also, those rare rooms wouldn't be going for the LEVA rate, for certain.
Given that the room was supposed to be booked for me, I'm a wee bit concerned. I was told that this would be taken care of for me ... as I'm a volunteer instructor. But, as of this morning, no room and no flight. I've got calls and e-mails out to the appropriate people.
To be continued ...
Friday, August 9, 2013
LEVA Conference Update
I sure hope that, if you're planning on attending next month's LEVA Conference, you've booked your room. The LEVA web site notes that the cut-off is the 12th of August. But, as you can see, there are no more rooms left at the resort, ummm ... conference location.
A quick search of the local hotels shows that there are a few rooms left at the one-star establishments. There really aren't any rooms at the same rate at a comparable hotel close to the conference. Hopefully, Chris is building a bunkhouse on his property. :)
Enjoy.
Thursday, August 8, 2013
Motion tracking objects in videos using Premiere Pro CC & After Effects CC
If you're looking for a solution for tracking, check out Richard Curtis' piece on leveraging Premiere Pro and After Effects. If you already have a CC subscription, then you can do this. I plan on checking this next week vs. ADS' MJPEG AVI outputs.
Wednesday, August 7, 2013
Why what happens next in Houston is important
Houston's Forensic Science Local Government Corporation (LGC) has selected a nine-member team of experts to help put its forensic lab back together. One of the stars of the team, Dr. Clifford Spiegelman, is a distinguished professor at Texas A&M who has written papers that have changed the way investigators look at evidence. 
Spiegelman said the team wants to change the way things are done. "Right now, the standard testimony is when there's a match, they testify that, to a practical certainty, this is the only weapon that could have fired the bullet," said Spiegelman. "The experiments don't support that. And what we're going to be looking at is error rates."
Error rates? Statistics in forensic science? Where have I heard that before?
According to the City of Houston website, The Houston Forensic Science LGC was established by Mayor Annise Parker and the Houston City Council as an independent city-chartered organization to assume the operations of the current Houston Police Department Forensic Division. Could this be just a one-off thing, happening only in Houston as a reaction to local events? Or, could this be the beginning of a nationwide trend - a response to the NAS Report?
Only time will tell.
Tuesday, August 6, 2013
Lens Profile Correction for GoPro Hero 3 Cameras
I've heard that a lot of the motor units are using GoPro cameras to record traffic stops. If that's the case, you'll want to correct for the lens issues before trying to do any sort of ID from the video. With that in mind, these new profiles are available in Adobe Camera Raw 8.2 and Lightroom 5.2. If you want to know more about lens correction, check out this cool video tutorial from Adobe's Russell Brown.
Monday, August 5, 2013
DefCon21 recap
I've just about recovered from the awesome time at DefCon21 in Las Vegas. If you've never been, you owe it to yourself to go at least once. You'll find, like me, that you'll want to return each year as it just keeps getting better.
Here's a list of some of the sessions at this year's event, at least the ones I attended:
- Hacker Law School - what can you legally do as a white hat hacker?
- Oil & Gas Infosec 101 - do you know how many oil wells there are in Texas? Who's watching them?
- Wireless Pen Testing 101 - you'll never pay for WiFi again. :)
- I Can Hear You Now - how easy it is to clone phones with a compromised FemtoCell.
- The Secret Lives of SIM Cards - how to program and install apps on SIM Cards, and why you'd want to.
- The Next Crypto War - how to scare the crap out of 2k people at once.
- ACL Steganography - new places to hide stuff in your PC.
- DIY Cellular IDS - great for agencies on small budgets.
- RFID Hacking - is your employee badge really safe?
- Pwn the PwnPlug - that power supply isn't what you think it is.
- JTAGulator - if you're trying to figure out how to get data off of throw away phones, this is the best tool to start your quest.
These are just some of the classes available. Each was well presented, entertaining, and quite informative. Aside from the classes, the networking opportunities were priceless.
Friday, August 2, 2013
Greetings from DefCon21
Spending the weekend at DefCon21 in Las Vegas. Lots going on. If you've never been, you need to come at least once.
Thursday, August 1, 2013
Last month for special pricing on Adobe Creative Cloud
Browse through the Creative Cloud membership special offers before they end on 8/31. Click here for more information.