Wednesday, November 27, 2013

Authenticate's Global Launch

Amped Software just announced the global release of Authenticate. "After years of hard work we are finally glad to announce the immediate global availability of Amped Authenticate, the world’s most complete and advanced tool for analyzing the authenticity of an image. We are just at the first release and there is so much more we are working on, but there is no other tool on the market with all of Authenticate’s features, including:

  • More than 20 different filters to analyze different aspects of a digital image file, both for forgery detection and camera ballistics
  • Most of the filters allow advanced comparison of the output between two images
  • Batch tools to automatically analyze large numbers of images
  • Integration with Flickr, Google Images, Google Maps and TinEye"

I've been working with the limited release version and it's an amazing program. But, don't take my word for it. Request a demo and take it for a spin yourself.

Tuesday, November 26, 2013

Photoshop Photography Program at a great price

Adobe recently announced that for a limited time, you can join a special Creative Cloud plan. It includes access to Photoshop CC and Lightroom 5, plus feature updates and upgrades as they are available, 20GB of cloud storage for file sharing and collaboration, and a Behance ProSite. And it's just US $9.99/month when you sign up for a one-year plan, but you need to join by December 2, 2013.

Monday, November 25, 2013

Image Authentication experts wanted - in China

The South China Morning Post recently reported that as more and more Chinese officials are being blackmailed using faked digital photographs, the government is asking scientists for help. "Research teams at major universities have received funding from the central government to come up with ways to help the authorities quickly determine whether an image has been manipulated by photo-editing software such as Photoshop."

It's a worldwide problem - forgeries of photographs. With this news, I'll bet the folks at Amped Software are working on a Chinese language version of Authenticate.

Friday, November 22, 2013

Creative Cloud Status Monitor

From time to time, as with any service, the Adobe Creative Cloud experiences problems. The easiest way to see if your service issues are on Adobe's side is to check their Status Monitor. Here's the link.

Thursday, November 21, 2013

NightThief Forensic Imaging Technology

I received the usual PoliceOne.com spam announcing a new company in the forensic imaging marketplace, FRP Forensic Imaging’s new NightThief forensic imaging technology.

The OCD in me was alerted by the specific use of several words in the piece - like technology vs. software or product and "restoration" vs clarification or enhancement. The OCD went into overdrive with this bit, "NightThief imaging is available as a controlled service built around uncompromising ethics and usage frameworks. FRP Imaging’s commitment to responsible forensic imaging includes strict submission requirements, chain of custody prerequisites, and a no-nonsense licensing model designed to facilitate smarter criminal investigations while protecting the privacy and liberties of innocent individuals." What's a "controlled service?" Submission requirements?

But then, the issue was laid to rest, "Because NightThief imaging is a service, there are no upfront costs, investments in time, equipment, training, or commitments required. More importantly, NightThief is built for speed with processing times rarely exceeding three days – and critical cases much faster! Dynamic all-inclusive per-event pricing based on senior agency involvement and community population provides simple, predictable, and affordable world-class forensic imaging to organizations and communities of all sizes." It's a service with per-event pricing. Ok. First question, who's going to come to Los Angeles to testify about the work done on the images?

So, I went to the web site - FRP Imaging. It seems that FRP stands for Forensic Reverse Pixelation. I couldn't find out what they mean by the term, but it seems that they're a tech start-up coming out of the movie special effects industry.

Judging from their FAQ page, they may run into significant resistance over a few of their policies.

  • "Does any other company perform FRP Imaging or use NightThief™ technology? No. FRP Forensic Imaging™ and NightThief™ technologies are exclusive services of FRP Imaging."
How will they handle the reliability/repeatability questions if they don't share their technology? What happens if they're compelled to release their tech to opposing counsel? What happens when their technicians are cross-examined about how their technology works?
  • "Who owns FRP-processed images? We do. To control the application or FRP images, we license copyrighted FRP-processed images to acquiring agencies. Agencies may use them freely within departments, and publicize them in association with their case specific law enforcement efforts in perpetuity."
I'm not sure how the "we license the results back to you - but we now own the file" policy is going to fly with LE agencies and the courts.
  • "Are FRP images admissible in courts? Generally, yes. However, it’s important to remember FRP Imaging products are designed as investigatory tools."
An investigatory tool that's generally admissible in court - at an "affordable price."

Back to the who's going to come to your court and testify about the work and be cross examined, as is the defendant's right? No one, it seems. 
  • "Each FRP processed image includes a notarized sworn statement made under penalty of perjury certifying the image was not modified, original enhanced, created, edited, or manipulated in any way that adds or removes any element from the image, or portrays any suspect in an unfavorable light beyond the actual image provided. If enhancement(s) were made, it is noted along with its purpose (scale, proximity, detail, etc.)."
How do you cross examine a "notarized sworn statement?"

I'm interested to hear back from them to find out more about how they see this working.

Wednesday, November 20, 2013

Analysis of images from cell phones

Processing images from cell/mobile phones and tablets has been an increasingly large part of my workday this year. Folks are capturing so much of their lives on their mobile devices. They post these pictures and videos to Facebook and other social media sites. They also send the pictures to their friends via text or MMS messages.

But what happens when a mobile device is received as evidence? What's the best way to get those pictures and videos (the evidence) out of the device and into your analysis software for processing?

Let's start with how not to do it (though many are using this method). Don't browse through the device to find the images/video - then send them as MMS messages to your own phone or e-mail address. The problems of mixing your e-mail or phone with the case files notwithstanding, sending the files via MMS adds compression, strips some vital metadata, and changes hash values.

This screen shot from Amped's Authenticate shows the many problems that can arise from using MMS to get images/video out of a phone. From top to bottom, here's what's changed:

  • The filename has been changed
  • The file's dimensions have been changed (reduced)
  • Exif Fields changed from 47 to 0
  • Exif Make and Model have been stripped
  • JPEG Quality settings are different
  • JPEG QT Hash values are different
  • Exif ModifyDate is missing
  • File size has been reduced
  • MD5 Hash is different (as are all the SHA hash values)

So, in my test, the physical dimensions have been reduced and the file recompressed at a lower setting for transport. What do you think will be the outcome if you're trying to discern fine details within the image?

Instead, use a purpose-built solution for extracting data from mobile devices. Use Cellebrite, FinalMobile, MSAB's XRY, or any of the other tools that work best for your device. These will download the files without changing or recompressing them. These tools preserve the evidence and provide a report of the process utilized. These tools have been to courts across the world and are used daily by forensic teams in private and public service. Sending yourself a text from the suspect's phone? I'm guessing that you may have a problem with that one in court.
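
The checks listed above (file size, dimensions, Exif presence, quantization-table hash, file hashes) can be reproduced with a short script. This is an added example, not part of the original post and not how Authenticate works internally; the function names are hypothetical and the two sample files are constructed JPEG header skeletons, not real evidence.

```python
import hashlib
import struct

def jpeg_profile(data):
    """Walk JPEG segments up to SOS; assumes no fill bytes between segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    info = {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "has_exif": False, "dimensions": None}
    qt = hashlib.md5()  # running hash over every quantization table (DQT)
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if data[pos] != 0xFF or length < 2 or len(body) != length - 2:
            raise ValueError("malformed or truncated segment")
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            info["has_exif"] = True          # APP1 Exif block is present
        elif marker == 0xDB:
            qt.update(body)                  # DQT: reflects JPEG quality setting
        elif marker in (0xC0, 0xC1, 0xC2):   # SOF0/1/2 carry height and width
            height, width = struct.unpack(">HH", body[1:5])
            info["dimensions"] = (width, height)
        elif marker == 0xDA:                 # SOS: compressed data follows
            break
        pos += 2 + length
    info["qt_md5"] = qt.hexdigest()
    return info

def compare(original, copy):
    """Return only the properties that differ, as (original, copy) pairs."""
    a, b = jpeg_profile(original), jpeg_profile(copy)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def seg(marker, body):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

def sample_jpeg(width, height, qval, exif):
    """Constructed header-only JPEG skeleton for demonstration."""
    app1 = seg(0xE1, b"Exif\x00\x00" + b"constructed") if exif else b""
    sof = b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    return (b"\xff\xd8" + app1 + seg(0xDB, b"\x00" + bytes([qval]) * 64)
            + seg(0xC0, sof) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\xff\xd9")

ORIGINAL = sample_jpeg(3264, 2448, 2, exif=True)   # as extracted from the device
MMS_COPY = sample_jpeg(640, 480, 12, exif=False)   # resized, recompressed, stripped

if __name__ == "__main__":
    for prop, (before, after) in compare(ORIGINAL, MMS_COPY).items():
        print(f"{prop}: {before} -> {after}")
```

An empty result from `compare` means the copy is byte-identical to the original, which is what a forensic extraction tool should produce.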


Tuesday, November 19, 2013

NMV player found - problem solved

Right before getting wracked with a massive head cold, I was trying to solve the NMV file puzzle. Well, I'm happy to say … it's solved.

I managed to track down the company that purchased the very old CCTV business. The card/software, RConTech DVR, was developed for Win95 / Win98. It was discontinued around 2004 and finally went out of support in 2009. 

The DVR saves the files in a proprietary format. When attempting to back-up, you're given the usual two choices - out to AVI or out to a "native file" type. In this case, the NMV file is a transcoded copy of the original. The software allows you to choose the compression type for its AVI export, but not the NMV.

So, running in compatibility mode as an administrator, the program is fairly stable. To get there, right click on the program's icon and then click on the Compatibility tab. Select the version of Windows that you need - in this case Win98 was stable enough.

Monday, November 18, 2013

Milipol 2013

The 18th Worldwide Exhibition of Internal State Security, also known as Milipol, is about to start in Paris. The list of exhibitors for forensic science services and law enforcement is pretty impressive.

Our friends at Amped Software are in Paris for the show. You can find them in Hall 5 (5 S 160).

If you're looking for something to do afterwards, head over to my absolute favorite Paris restaurant: Le Refuge des Fondues, 17 rue des Trois Frères, 75018, ☎ +33 1 42 55 22 65. It's a Fondue restaurant for fun people: menu for €17, including wine served in baby bottles, appetizers, the fondue itself (cheese or meat), and dessert. I remember that the queue for dinner formed a bit early and that once service began, the doors closed and that was it for the evening - if you were still in the queue you were out of luck. I remember getting there and having a great time - but thanks to many bottles of new wine, the getting back to the hotel part is still a bit hazy. :)


Monday, November 4, 2013

Avoid Epson Printers for air-gapped Macs

Like many of us, my "forensic workstations" are air-gapped. That is, they're not connected to the internet. Any software updates are first downloaded on a clean workstation, tested, then applied via SneakerNet.

I've got an Epson all-in-one that has suited my needs quite well. Then, something happened and I needed to update the driver. Fine, except that Epson now does all of its driver downloads through Apple's Software Update.

Apple's Software Update only works when you're connected to the internet.

I called Epson to see if there was a way around this (Apple's OS installers can be found on your hard drive and loaded onto a USB stick for transport). They said no. There are no workarounds and there are no links anywhere to download the updates. You must use Software Update.

The Artisan 710 that's sitting on my table is now just a copy machine. It no longer prints from the computer that sits next to it. Needless to say, it's my last Epson product.

Friday, November 1, 2013

Premiere Pro CC fails to update

So, I'm prompted to download the update to several CC apps. I get through most of them, but Premiere Pro CC and InDesign CC fail to update with the above error message. I go to the Adobe Forums and find a "resolution." But, it doesn't work. I find a user whose experience mirrors mine and use his "solution." It doesn't work either.

It seems that the error involves not being able to unpack the downloaded files. Hopefully, I'll find a solution soon.

Here's to progress.