
Digital forensics: What you need to know
Matt Burns & Dave Ranner
6 March, 2020
Digital image forensics is a branch of digital forensics. Also known as forensic image analysis, the discipline focuses on image authenticity and image content. This helps law enforcement leverage relevant data for prosecution in a wide range of criminal cases, not limited to cybercrime.
Digital image forensics is performed on local machines and can be used in both open and closed source investigations. It’s a highly sophisticated field of investigation which requires several software applications and specialist training.
The scope of digital image forensics is so wide-reaching because digital imagery is data-rich, by comparison to film photography. Using a variety of techniques, digital image forensics investigators can mine everything from camera properties to individual pixels for information.
Bellingcat’s investigation considered granular evidence to reveal the image’s exact location. This included topographical evidence such as grassland weeds, as well as dimensional analysis of bell and altar towers.
UK police were alerted to Tetley’s crimes after explicit images were discovered on a victim’s phone.
A huge variety of digital evidence can be gleaned from a single image. These evidence forms can be split into two main groups which are used to complement one another:
Two common uses of digital image forensics techniques are:
A) When a suspect denies their presence in an image
B) When a suspect claims that an incriminating image has been faked
In these different examples, law enforcement use digital image forensics techniques flexibly to reach a conclusion:
If identities are somehow obscured, deconvolution can be applied to reverse image blurring. Geolocation, metadata and EXIF data can also help to either prove or disprove a defendant’s presence at a crime scene.
In the age of deep fakes, image authentication is crucial. Reviewing colour space and colour level anomalies would help to assess the digital photo’s authenticity. Landmarks could also be used to help prove or disprove the suspect’s whereabouts.
The pros of digital forensics far outweigh the cons. However, both are important to consider when setting expectations for criminal investigations.
Digital image lifecycle is essentially the history of the image, including the various steps taken to create it. For example, a photo could be taken with a digital camera, uploaded into a graphics program, and then edited. The final product isn’t the original image – it’s been through several stages of the image’s lifecycle.
An investigator’s aim is to uncover the source image. The closer to the original image they can get, the better. At this stage in the lifecycle, it’s more likely to contain pertinent information and clues that could help further an investigation, for example the device’s serial number or the location where the image was taken.
Following the lifecycle of a digital image online is more complicated than it used to be. An image can travel further faster, and more platforms are available where images can be easily altered.
Generally, when an image is taken, a JPEG is created. But this could go on to be resized, shared, impregnated with extra tags, mutated and so on. The more these images get passed around and edited, the more lifecycle is generated. These mutations not only make the image quality worse, but they add extra data, making it more difficult for investigators to find the information they need.
An increasingly relevant focus for digital imaging forensics is the de facto standard file format for photos. Until recently, JPEG has probably been the most common and expected format for images, but now we’re seeing this change. For network, performance, and quality reasons, some devices or platforms are defaulting to other formats.
Apple is instead using HEIC, a new format which doesn’t store JPEGs, whereas Google is preferring WebP for smaller image sizes. Both of these formats do affect the quality of an image, but as yet it’s unknown whether this is better or worse for the image forensics process.
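The lifecycle and file-format points above can be checked directly from a file's bytes. The following is an added example, not CameraForensics code: it identifies JPEG, WebP and HEIC/HEIF containers by their magic bytes and lists the metadata segments a JPEG carries, using constructed header-only samples; every function and sample name is an assumption made for illustration.

```python
import struct

HEIF_BRANDS = (b"heic", b"heix", b"mif1")   # common ISO BMFF major brands for HEIC/HEIF

def identify_format(data: bytes) -> str:
    """Classify an image container by its leading magic bytes."""
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "WebP"
    if data[4:8] == b"ftyp" and data[8:12] in HEIF_BRANDS:
        return "HEIC/HEIF"
    return "unknown"

def jpeg_segments(data: bytes) -> list:
    """List (marker, label, size) for each segment before the image scan."""
    if identify_format(data) != "JPEG":
        raise ValueError("not a JPEG")
    segments, pos = [], 2                        # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        marker = data[pos + 1]
        (size,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        if size < 2 or pos + 2 + size > len(data):
            raise ValueError("corrupt or truncated segment")
        payload = data[pos + 4:pos + 2 + size]
        is_meta = 0xE0 <= marker <= 0xEF or marker == 0xFE    # APPn or COM
        label = payload.split(b"\x00")[0].decode("ascii", "replace") if is_meta else ""
        segments.append((f"FF{marker:02X}", label, size))
        pos += 2 + size
    return segments

def lifecycle_summary(data: bytes) -> dict:
    """Report whether Exif survives and which other metadata segments exist."""
    labels = [label for _, label, _ in jpeg_segments(data) if label]
    return {"has_exif": "Exif" in labels,
            "other_metadata": [n for n in labels if n not in ("Exif", "JFIF")]}

def make_segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment; used only to construct the samples below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: headers only, no real image data or real Exif values.
CAMERA_LIKE = b"\xff\xd8" + make_segment(0xE1, b"Exif\x00\x00" + bytes(8)) + b"\xff\xda"
EDITED_LIKE = (b"\xff\xd8" + make_segment(0xE0, b"JFIF\x00" + bytes(9))
               + make_segment(0xED, b"Photoshop 3.0\x00" + bytes(4))
               + make_segment(0xFE, b"resized by example-tool") + b"\xff\xda")
WEBP_HEADER = b"RIFF" + struct.pack("<I", 4) + b"WEBP"
HEIC_HEADER = struct.pack(">I", 16) + b"ftyp" + b"heic" + bytes(4)
```

Extra metadata segments are a lead for closer inspection rather than proof of editing, since some capture devices write them as well.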
The CameraForensics platform helps LEAs, NGOs, investigators and other organisations tackle this issue. Through innovation and collaboration, we are continually adding to our capabilities to help users rise to the challenge.
Counter forensics (or anti-forensics) is the cyber equivalent of a thief wearing gloves to cover their tracks. It describes techniques that are used to disguise a user’s online activity and erase personal information from digital material.
Of course, this is commonly exploited by criminals online, but it also has valid use cases, for example when a political dissident or a whistle-blower wants to remain anonymous.
COMBATTING COUNTERFORENSICS
There are also techniques and tools that work against counter forensics. They can analyse images and identify clues left behind by anti-forensics tools.
EXAMPLE
A bug was discovered in a version of Tor, made for anonymity, which leaked users’ real-world IP addresses. This flaw meant that when a user clicked a specially crafted link, the request would be fetched from their normal connection rather than an encrypted one.
These kinds of bugs can be used by offenders to conduct a zero-day exploit. This is when hackers take advantage of weaknesses or mistakes before they can be fixed. But they can also be used by law enforcement. In fact, ethical hackers, who test systems by trying to hack them, will often receive a bonus for finding bugs.
EXAMPLE
Authorities in San Bernardino, US, were able to decrypt and unlock a suspect’s iPhone during a mass-shooting investigation in order to try and uncover their identity. Using a bug, the law enforcement agents were able to access the phone without assistance from Apple and examine the contents for clues.
The purpose of image forensics software is to analyse images for data. In the case of CameraForensics, the tools we provide help authorities build a case in a criminal investigation.
There are three core functionalities of image forensics software that help do this:
Many digital image forensics tools are on the market, each with strengths and weaknesses. CameraForensics offers a very lightweight tool called ExifExtractor for free, which is developed alongside global agencies, helping users access the right information at the right time.
If you’d like to explore our digital image forensics platform further, arrange a demo.