Featured Post

Welcome to the Forensic Multimedia Analysis blog (formerly the Forensic Photoshop blog). With the latest developments in the analysis of m...

Wednesday, December 31, 2014

Happy New Year

Wishing you and yours a healthy and happy new year (free from the Y2K hysteria of years past :) ).

Monday, December 29, 2014

A rebuttal to the case against encryption

In an article over on SC Magazine UK, a senior Met investigator argues against the use of encryption.

"In any democratic society we need to provide law enforcement with a right to obtain information authorised by a judge, based on a clear suspicion, in cases involving serious crime or terrorism. This applies to the offline world and should also apply to the online world."

“Full encryption of communication and storage online will make life very easy for the criminals and terrorists and very difficult for law enforcement and law abiding citizens. We have to find the right balance between security and freedom - and this balance has to be set by citizens in a political and ethical discussion on the trade-offs.”

Remember, of course, that in the UK there's a completely different legal system than here in the US.

In the US, you have the right to remain silent, including the right not to present evidence which may incriminate you (5th Amendment).

"The Fifth Amendment creates a number of rights relevant to both criminal and civil legal proceedings. In criminal cases, the Fifth Amendment guarantees the right to a grand jury, forbids “double jeopardy,” and protects against self-incrimination. It also requires that “due process of law” be part of any proceeding that denies a citizen “life, liberty or property” and requires the government to compensate citizens when it takes private property for public use."

We also enjoy protection against unreasonable searches and seizures (4th Amendment).

"The Fourth Amendment originally enforced the notion that “each man’s home is his castle”, secure from unreasonable searches and seizures of property by the government. It protects against arbitrary arrests, and is the basis of the law regarding search warrants, stop-and-frisk, safety inspections, wiretaps, and other forms of surveillance, as well as being central to many other criminal law topics and to privacy law."

Put these two together.

You have the right to remain silent and to protect yourself from self-incrimination. Encryption can be seen as a digital affirmation of that right.

You have the right to be protected against unreasonable searches and seizures. The problem with setting up weak protection schemes, or "trap doors" that law enforcement can open when it deems necessary is that it is simply weak protection. Hackers can and do exploit weak protection.

"Now just as then, the FBI is trying to convince the world that some fantasy version of security is possible—where "good guys" can have a back door or extra key to your home but bad guys could never use it. Anyone with even a rudimentary understanding of security can tell you that's just not true. So the "debate" Comey calls for is phony, and we suspect he knows it. Instead, Comey wants everybody to have weak security, so that when the FBI decides somebody is a "bad guy," it has no problem collecting personal data.

That's bad science, it's bad law, it's bad for companies serving a global marketplace that may not think the FBI is always a "good guy," and it's bad for every person who wants to be sure that their data is as protected as possible—whether from ordinary criminals hacking into their email provider, rogue governments tracking them for politically organizing, or competing companies looking for their trade secrets."

If you run a business, you must keep your customer data private and protected from being distributed against your customers' wishes. Think about the data breaches that happened to Target, Home Depot, and Sony for an example of how weak physical and digital security combined to negatively affect millions of people's lives.

So where does that leave us? Here's an analogy. California passed a law recently created a "civil right to clean drinkable water." Many believed that this meant they'd never have to pay their water bills again. After all, water was now a human right. But, the law mandates that water delivered must be clean and safe. The law did not create a civil right to "water pressure." The law did not mandate that water be delivered to you, just that if it was delivered that it be safe and clean.

Courts may order that data be seized. So take it. Use it as is. If you can crack the encryption, great. If not, (for the time being) the US Constitution sill allows me to remain silent and to choose to not incriminate myself. Given that we in the US are innocent until proven guilty, once you remove the 5th Amendment's protections you might as well be done the concept of freedom as we know it. Without the 5th Amendment's protections, we will be living in a "police state." I'm not about to go down that road willingly.

Just like you can't be a little bit pregnant, you can't encrypt a file just a little bit. Thus, I say full encryption is great. Encryption protects freedom of communication. Encryption protects property. Encryption was a proper response to government and industry's mishandling of private data.

Tuesday, December 23, 2014

Hackers and Conspiracies

A few people have asked me about my opinion of the Sony hack, the Interview, and the prospect that we may be in the beginning stages of a Cyber War with North Korea. I don't really have an opinion, as such. So, I'll offer my version of a conspiracy theory as a response.

Here it is:

It is no secret that Sony has a history of being hacked. It is no secret that the bilge that Hollywood is generating isn't putting butts in seats like it used to. It's no secret that the big movie stars make a ton of money. So, if you were the CEO of Sony (the one in Japan, not the one here who made inappropriate e-mail comments about our President), what would you do if you were hemorrhaging money, had a horribly sophomoric/moronic movie that would likely not break even, and wanted to cut a few stars loose? Blame North Korea.

Maybe someone hacked Sony, maybe they didn't. Blaming North Korea means no one will know for sure. That's beside the point now. With the on-again / off-again release notices about the Interview, the media has assured us that it's our patriotic duty to go out and see this film ("up yours Kim!"). With this duty in mind, Sony will reap much better revenues on this film that it ever would have with a "normal" release. Win - Sony.

The "hard to work with" hollywood stars will also have their incomes readjusted. They'll also get to cut a bit of dead weight at the top of Sony US corporate with the release of a few e-mails to the media. Win - Sony.

There'll be a few settlements of law suits, but now Sony is the "victim" of the dreaded North Koreans.  How can you blame the victim? Win - Sony.

I'm sorry if this seems like a B-Movie screenplay, but it all seems too convenient.

Monday, December 22, 2014

PhotoDetective - first look

A few weeks ago, I alerted you to a Kickstarter campaign around a new image authentication product called PhotoDetective. Well, I've put my copy through a few tests and it's time to share the results.

The program is quite simple to use. It has a very clean/lean interface - almost too lean. It has a few of the basic authentication algorithms that you've come to expect. But, nothing fancy. No reporting. What you see is what you get.

Your basic Exif tools are there. You can export the info to a text file.

It's all menu driven.

Some of the filters are self explanatory, some aren't (if you're unfamiliar with the science of authentication). There's no title to the results - if you want to screen capture your resulting images.

There's also no comparative function. Sure, it gives you a basic look at the QT - but you'll have to do the work to make sure it's right.

Now, the results:
  • For my cut/delete/paint over tests - it found the problems rather easily as long as they were blatant. For my more subtly changed images, I found what I was looking for only because I knew where I was looking. I could probably fool the average user into a false negative (a false conclusion of no evidence of tampering).
  • For my cut/paste tests - again, it did well with the blatant examples and not so well with the subtle ones.
To be sure, there's nothing wrong (per se) with the program. It's very basic in its functionality. The problem will come when people buy this as their only tool. As I noted above, it could lead to a lot of false negatives when wielded by an untrained user.

In all, limited but not bad for $30 when used by a trained analyst. In untrained hands ... OMG.

Friday, December 19, 2014

Restoring stripped EXIF data

There's an interesting discussion happening over on Forensic Focus. It deals with the recoverability of stripped EXIF data. I get this type of question often, can stripped EXIF data be recovered? Here's a good explanation to add to your arsenal:

"If data are stripped, they are stripped, and gone to the heaven of bytes, wherever it is, forever, may they R.I.P.

Seriously, you can consider the JPEG format as a sort of "zip archive" with inside it a number of files, of which some are mandatory and some are optional:

  • the actual image compressed data is mandatory
  • the thumbnail preview is optional (and can be stripped)
  • the EXIF data is optional and contains in itself any number of (still optional) metadata fields (can be stripped selectively or "as a whole")

Typically an EXIF stripper does remove the actual bytes containing the data (if you prefer after having gone through an EXIF stripper usually the filesize becomes smaller, so there is no way that they can be recovered).

BUT there are tens or maybe hundreds of tools that are said to "strip metadata" and the "some sort of EXIF stripper" is way too vague to allow for an actual answer, it is entirely possible that the one or the other tool "leaves behind" some data, and as well it is possible to add to an image "custom" metadata and one (or the other) tool may simply miss them."

Thursday, December 18, 2014

OSAC Subcommittee on Imaging Technologies

The OSAC subcommittees have announced their membership rosters. The Imaging Technologies Subcommittee's list can be found here. It's my privilege and quite the honor to be selected to serve on this subcommittee. I'm sure that there'll be a ton of work to do.

Wednesday, December 17, 2014

NIST Forensic Science Standards Inventory Now Available Online

This just in from NIST: "NIST’s Organization of Scientific Area Committees (OSAC) is taking the first steps toward developing an OSAC Registry of Approved Standards and an OSAC Registry of Approved Guidelines.

Independent scientific working groups, standards development organizations, professional organizations and government entities have developed many standards and guidelines for use by the forensic science community. In order to capture and build upon this work, NIST Forensic Science Program staff members have compiled an inventory of these existing documents. The inventory is available to download from the OSAC Catalog of Standards and Guidelines web page as a sortable Excel spreadsheet file. It contains the titles and source information for 730 standards, guidelines and related documents. The inventory also lists web addresses for documents that are available online.

This inventory is intended to serve as a resource to the forensic science community and a foundation for the future work of the Organization and Scientific Area Committees. The current version is the result of a scan of all known forensic science organizations, associations and standards development organizations, in addition to the results of a data call to each of the 21 independent forensic science scientific working groups. The catalog contains all applicable forensic science standards, guidelines, best practices, protocols and policies.

OSAC subcommittees will review each document's relevance and validity to its forensic science discipline. The subcommittees will make recommendations on which of the existing documents should be adopted, in part or whole, by OSAC. They will also identify gaps for which new standards and guidelines should be developed.

Subcommittee recommendations will be discussed during the first public meetings of OSAC's five Scientific Area Committees, to be held Feb. 16 and 17, 2015, during the annual meeting of the American Academy of Forensic Sciences, in Orlando, Fla.
Go to the OSAC Catalog of Standards and Guidelines web page for more information and to download the spreadsheet file.

Tuesday, December 16, 2014

BPG - a New Image Format

This just in from Petapixel.com: "JPEG is a remarkably resilient file format. Despite having many upstart formats attempt to dethrone it over the years — including JPEG 2000 and Google’s WebP — the JPEG is still used by nearly 70% of websites and is holding strong in popularity.

Now there’s a new competitor in the ring. It’s called BPG (Better Portable Graphics), and it’s a format designed and advocated by notable French programmer Fabrice Bellard (creator of FFmpeg and QEMU).

One of the big advantages BPG has over JPEG is its ability to deliver similar image quality as JPEG at about half the file size.

Bellard created BPG after a Mozilla study concluded that the video encoding standard HEVC (i.e. H.265) outperformed other technologies. BPG is based on a subset of HEVC technologies.

One of the challenges with introducing new formats is getting browser developers on board with built-in support. So far, developers interested in using the .bpg format will need to use some special Javascript code to load the images.

If Bellard has his way, we may one day be opting for BPG when saving our files, just like PNG is now the preferred format for certain static graphics rather than GIF."

Click here to see the examples and comparisons of this new format.

Monday, December 15, 2014

Nothing can be created from nothing

The folks at Amped Software just posted this awesome article over on their blog about the myths vs. science of video enhancement. Check it out by clicking here.

Friday, December 12, 2014

The dubious fitness of photographic evidence

Forensically Fit presents this interesting article on photographic evidence.

"For decades the admission of imagery as exhibits has been practically rote.

Within the last 10 years the accession and propagation of digital, optical, and color sciences has generated more informed and exhaustive analysis of visual artifacts, but those disciplines are yet in their infancy within the legal industry.

The chilling component of these developments is that each of the underlying sciences are monstrously complex and esoteric. The stimulant is that there are prodigious advantages available for early adopters.

Vision is our dominant sense, but human vision and cognition are wildly variable-even in a specific individual at barely distinguishable moments in time. Since we don't intimately participate in each other's visual experiences we only presume common conclusions, but that is a preposterous expectation.

No less problematic is the eminently clever but wholly synthetic production of digital imagery. The apparatuses and conventions of the digital realm do not replicate human visual experiences: they simply attempt to produce believable artifacts. In honoring digital protocols, images are systematized and manipulated in ways that devastate the actual scene to accommodate computational restraints, even to the point of discarding color, luminance, and spatial information generalized to be below a threshold noticeable by a "Standard Observer."

They are illusory.

Because we are not typically trained to recognize its various corruptions and liabilities, we habitually accept imagery as definite and proper. Because of the incredible complexity and technical depth of imagery's underlying sciences, we honor an overwhelming sentiment to ignore those issues and simply consume whatever makes the fewest and lightest demands on our reasoning.

All of those predispositions are profoundly counterproductive and contrary to our appetite for justice and fidelity."

Continue reading the article by clicking here.

Thursday, December 11, 2014

Consider a Career in Forensic Photography

f/stop spot recently interviewed George Reis about careers in Forensic Photography. Click here to read the interview.

Wednesday, December 10, 2014

Why Does Every Camera Put Photos in a DCIM Folder?

The How-To-Geek answers the question, why does every camera put photos in a DCIM folder?

"Every camera — whether it’s a dedicated digital camera or the Camera app on Android or iPhone — places the photos you take in a DCIM folder. DCIM stands for “Digital Camera Images.”

The DCIM folder and its layout come from DCF, a standard created back in 2003. DCF is so valuable because it provides a standard layout.

Meet DCF, or “Design rule for Camera File system”

DCF is a specification created by JEITA, the Japan Electronics and Information Technology Industries Association. It’s technically standard CP-3461, and you can dig up the arcane standards document and read it online. The first version of this standard was issued in 2003, and it was last updated in 2010.

The DCF specification lists many different requirements with a goal to guarantee interoperability. The file system of an appropriately formatted devics — for example, an SD card plugged into a digital camera — must be FAT12, FAT16, FAT32, or exFAT. Media with 2 GB or larger of space must be formatted with FAT32 or exFAT. The goal is for digital cameras and their memory cards to be compatible with each other.

The DCIM Directory and Its Subfolders

Among other things, the DCF specification mandates that a digital camera must store its photos in a “DCIM”directory. DCIM stands for “Digital Camera Images.”

The DCIM directory can — and usually does — contain multiple subdirectories. The subdirectories each consist of a unique three-digit number — from 100 to 999 — and five alphanumeric characters. The alphanumeric characters aren’t important, and each camera maker is free to choose their own. For example, Apple is lucky enough to have a five-digit name, so their code is APPLE. On an iPhone, the DCIM directory contains folders like “100APPLE,” “101APPLE,” and so on.

So Why Does Everyone Follow This Specification?

DCF is a “de facto” standard, which means that enough digital camera and smartphone makers have adopted it that it’s become a consistent standard in the real world. The standardized DCIM format means digital camera picture-transfer software can automatically identify photos on a digital camera or SD card when you connect it to your computer, transferring them over.

The DCIM folders on smartphones serve the same purpose. When you connect an iPhone or Android phone to your computer, the computer or photo-library software can notice the DCIM folder, notice there are photos that can be transferred, and offer to do this automatically."

Click here to read the whole article over on How-To-Geek.

Tuesday, December 9, 2014

Image Conscious Investigations

In the first edition of the new The Forensic Investigator publication, Amped Software looks at the growing world of digital multimedia evidence and the challenges investigators face in gathering evidence.

"Everywhere we go, we see people taking photos or recording videos on their mobile phones. There is an increased use of surveillance cameras by governments, businesses and private house owners. The use of drones and satellite video is expanding. There is also an increase in the number of officers wearing body-worn cameras. Car manufacturers are also participating in this digital multimedia world by installing video cameras in vehicles. The positive effects of this is that there is a high probability that someone caught a crime on camera so investigators have a lot of evidence to work with. The bad thing is that many times that evidence cannot immediately be analyzed and used. Keeping aside the privacy and social issues that evidence coming from these devices may cause, there are often several technical issues that do not permit investigators to use the photo or video evidence immediately."

Read the full article here.

Monday, December 8, 2014

Deciding to Use Body Worn Video

With the recent troubles around the country, many agencies are declaring their intent to purchase body worn video cameras for their officers. While this might quiet down some folks cries for transparency, the devil's always in the details.

Prices for good recorders range from $300 - $1500 per unit for the initial purchase. If the agency has 100 officers on patrol at any one time, do the math. Then, do you only equip patrol units, or do detectives and other police representatives need units? What about those who want a camera on every police employee? The point - each camera costs money to buy and deploy. That money has to come from somewhere. For agencies with a lot of "risk management problems," these cameras will help the agency save money initially. For those with good community relations - where will the money come from for the purchase?

Remember that technology has a life span. Thus, the tech will need to replaced/refreshed every 3 to 5 years. This means that the initial purchase price will likely be due every 3 to 5 years.

For every piece of police equipment, there's an associated maintenance cost. There's the actual work of repairing/replacing defective units and there's the fee that the manufacturer charges for "maintenance" - usually somewhere between 5% and 20% of the original purchase price - for the life of the program. This is where agencies usually skimp. This is why camera programs tend to have a three year life span - no money for maintenance. The sad fact is that there's always money somewhere to initiate a program - it looks good for the voters. No one ever got re-elected for paying for a maintenance program.

Every minute of recorded video has to be stored somewhere. That too has a cost. Some agencies have policies prohibiting the use of cloud services. These agencies will need to store the video locally. Some have questions about the ability to access evidence stored with could-based providers if the agency decides to change providers. Servers, discs, cloud storage - they all have a cost. The agency's retention policy + the amount of units in the field + the quality settings for the video will dictate the annual storage costs.

If the agency decides to skimp on recording quality, then the requests for "enhancement" will be increased. If the agency has forensic video analysts, their workload will increase significantly. The agency, facing backlogs, will either have to accept the backlogs or spend money on overtime and/or more staff.

Agencies will need to deal with requests for copies of the recordings from the public, internally, and from the courts. Again, this is not without cost - even for small agencies. Remember, staff and salary costs are recurring. Adding staff in tough economic times can be a tough sell.

But, as agencies rush to purchase equipment, there needs to be a rational policy behind the use of these recorders. When to record. What to record. Who gets cameras. Who doesn't. Recording quality. Storage policy. Retention policy. Release policy. As the above linked story from Tyler, Tx, illustrates, the City Council approved the purchase before a policy is in place. That might quiet the public, but it puts the police in a bind down the road. Without a policy, how does the agency know if the initial purchase is enough? What about allocating money for the other parts of the puzzle?

The final piece of the police side of this complex issue is a stable funding source. Agencies like Omaha (see above link) that choose to fund cameras with "asset forfeiture funds" may run into trouble if those funds run low. It's better to fund these types of programs from a regular budget item - but that might not be possible politically in many cities.

So, the bottom line will be - how much are the taxpayers willing to spend and what will they get for that "investment?" As with everything, you get what you pay for.

Friday, December 5, 2014

PhotoDetective Kickstarter

The other day, I received a nice email from a doctoral student about a project he's working on.

I am a doctoral student and researcher at the University of Illinois. I am a very passionate about digital forensics, and I follow your blog regularly and am glad someone is covering the literature and news as you are in this field, because there would be a depsrate shortage without it.

I have recently made a forensics computer program that might be of interest to you.

The software can provide insight into whether or not an image has been manipulated or altered. It does so through a simple graphic interface and uses over a dozen algorithms from the digital forensic literature (many of which you are probably already aware of).

If you are interested in seeing what the program and results look like, here is a link to a Kickstarter page that gives more detail and contains screenshots.


Well, of course I'm interested. You might be too. From the looks of the Kickstarter page, the program will offer some of the basic tests for image authentication. He'll also ship an instruction manual to describe each test. Not a bad deal.

I would encourage you to check out the Kickstarter page, and if you're so inclined, help with a small contribution towards its development.

As always, when I get my copy I'll put it through its paces and let you know what I think.


Thursday, December 4, 2014

Police Uses of Force

With yesterday's ruling in Staten Island related to the in-custody death of Eric Garner, I've received quite a few requests for comment on the video from various media outlets and bloggers. I've declined them all.

Here are just a couple of reasons why I've decided to decline their requests.
  • Most requests suffered from presuppositional bias. Use of the words "chokehold death," presupposes a cause of death that is not in evidence. I'm not a lawyer, but I've been around these types of investigations for quite some time and they're usually called either an "arrest related death" or an "in custody death."  The reason this is important is the need for consistency in terms. (The Deaths in Custody Reporting Program (DCRP) collects data on deaths that occur in the process of arrest, or while inmates are in the custody of local jails or state prisons.) This is how the federal government terms what happened, and how they track in custody deaths nationwide. Depending on when the death occurred in the custody process determines if it's an "arrest related death" or an "in custody death."
  • Most requests referred me to a link to view a redacted or otherwise edited copy of the video. As you know, from reading this blog over the years, we analysts generally only work on first generation video. 
I have my own opinions on the death of Mr. Garner. I keep those to myself. If asked questions about the video, I would conduct the appropriate scientific tests and report the results. As a scientist, I go where the evidence takes me.

Wednesday, December 3, 2014

Police Body Camera Videos in San Diego Will Stay Private — at Least for Now

With all the news about police use of force, it's important to discus the use of body worn video in the context of the individual agency's policy. As a San Diego news outlet recently found out, just because there's video doesn't mean you'll ever get to see it.

"We filed a public records request for the videos. The department declined to release them, saying they were part of an investigation. The department said it didn’t have to release them even after the investigations ended, and gave no indication the footage would become public.

That raises a significant question: How useful could the cameras be at reassuring the community about serious police incidents when no one’s allowed to see what they capture?"

That was several months ago. In recent days, the policy hasn't changed. SDPD says, affirmatively, that the cameras are for evidence and not for transparency. This is consistent with SDPD's policy.

It seems, from the news reports, that the folks down there sold the public and the politicians on the concept of body worn cameras as a transparency tool.

"Indeed, transparency was a major argument when Zimmerman’s predecessor, William Lansdowne, began his public push for the cameras.

“What the camera does is a visual and verbal recording of contacts between the Police Department,” Lansdowne said in January. “Everybody gets to look at them and find out if they’re acting correctly and properly. It protects the officers as well as the citizens.”

The public wanted a transparency tool. They got an evidence recording device. As always, the devil's in the details.

Tuesday, December 2, 2014

FIVE gets updated again

Amped Software announced some really cool additions to their flagship program, FIVE.

Build 6636 includes the following new stuff and fixes:

  • New filter. Correct Aspect Ratio: doubles the height of an image which appears vertically squeezed because of an incomplete deinterlacing process or other issues in the decoding. Only one line every two will be interpolated, while the others will be kept at the original pixel values. (this was done with the Deinterlace filter before. This change makes it easier to explain your work)
  • New filter. Add Text: adds textual annotations including dynamic project variables which are automatically printed as (frame number, file name, filter name, video length...) As with any other filter, you can use this many times over. Thus, you can tag and track multiple objects with ease.
  • New filter. Add Shape: adds geometric shapes to the image, such as rectangles, circles, lines and arrows. They can change across the video, for example to track a moving target. Again, you can use this filter as many times as necessary to track objects.
  • New Filter. Change Frame Rate: changes the frame rate of a video, for example when set incorrectly in the original file.
  • Deinterlace: now the frame rate of the player is automatically updated when doubling the number of frames.
  • Remove Duplicates: now the frame rate can be changed, either manually or automatically, depending on the number of frames which have been discarded.
  • GUI: when commands that require at least a filter are called on an empty project, an error message is displayed.
  • GUI: current frame and total number of frames displayed on the status bar.
In all, this is great news. The annotation features will certainly help on a case I have active right now.