One of the most important aspects of criminal justice is forensic science, the practice of scientifically examining the physical evidence collected from the scene of a crime or from a person of interest in a crime. With the increased use of technology, it is now possible to forge evidence that was once considered concrete, such as photographs. This talk will introduce you to the concepts of picture forensics.
2. Myself
▪ Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.
▪ 2+ years of work experience in the field of Digital Forensics and Assessment
▪ Certifications
– Computer Hacking and Forensics Investigator v8, EC‐Council
– Certified Professional Forensics Analyst, IIS Mumbai
– Certified Professional Hacker NxG, IIS Mumbai
– Certified Information Security Consultant, IIS Mumbai
– Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions
5. Terminologies
▪ Digital Evidence – Digital data, stored on a digital medium in any form, that can be used in a court of law during trial
▪ Suspect – A person or a group of people thought to have committed the crime
▪ Accused – A person or a group of people who are charged with, or on trial for, committing a crime
▪ Digital Fingerprint – MD5 / SHA1 hashes of the hard disk.
6. ▪ Chain of Custody – A chronological document or paper trail highlighting the seizure, custody, control, and transfer of evidence
▪ Security Incident – A warning that expresses a threat to information, computer security, or policies relating to computer security. The warning may also indicate that the threat has already occurred.
7. Steganography
▪ The practice of concealing messages or information within other non-secret text or data.
▪ Origin
– Steganos (Greek – covered)
– + graphy (English)
– = Steganographia (Modern Latin) -> Steganography (late 16th Century)
▪ The first recorded use of this term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography, disguised as a ‘book of magic’.
9. Ghiro Appliance
▪ Ghiro is a digital picture forensics tool
▪ Fully Automated
▪ Open Source
▪ Developed by – Alessandro Tanasi & Marco Buoncristiano
▪ Current Version – 0.2.1
▪ Available as
– Package
– Virtual Appliance
10. Ghiro – Main Features
▪ Metadata Extraction – Metadata are divided into several categories depending on the standard they come from. For example: EXIF, IPTC, XMP.
▪ GPS Location – Some images contain geotags in their metadata, which record the geographic location where the image was shot
▪ MIME Format – Identifies the type of image under examination. For example: image/jpeg, image/png, image/bmp.
▪ Error Level Analysis – ELA identifies areas that are at different compression levels. The entire picture should be at roughly the same compression level. If a difference is detected, it likely indicates a digital modification
11. ▪ Thumbnail Extraction – The thumbnails and the data related to them are extracted and stored for review.
▪ Thumbnail Consistency – Sometimes, when the original image is edited, the thumbnail does not change. This check detects differences between the thumbnail and the image in question
▪ Signature Engine – Over 120 signatures provide evidence about the most critical data, highlighting focal points and common exposures.
▪ Hash Matching – When looking for an image of which only the hash is provided, this feature is of great help. It searches for all images that match the provided hash.
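As an added example (not part of the slides or of the Ghiro project), the GPS Location feature above comes down to reading the GPS IFD of the EXIF metadata and converting its degree/minute/second rationals into signed decimal degrees. The parser below does this with only the Python standard library; `build_sample_exif` is a hypothetical helper that constructs a minimal EXIF blob as test input, not a real photograph.

```python
import struct
# Tag numbers from the EXIF/TIFF specification: the GPS IFD pointer in IFD0 and the four GPS tags used here.
GPS_IFD_POINTER = 0x8825
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}

def _read_ifd(tiff, offset, e):
    """Map tag -> (type, count, offset of the 4-byte value field) for the IFD at offset."""
    entries = {}
    for pos in range(offset + 2, offset + 2 + 12 * struct.unpack_from(e + "H", tiff, offset)[0], 12):
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, pos)
        entries[tag] = (typ, count, pos + 8)
    return entries

def _value(tiff, e, typ, count, field_off):
    """Decode ASCII (2), LONG (4) or RATIONAL (5); values longer than 4 bytes sit at an offset."""
    size = {2: 1, 4: 4, 5: 8}[typ] * count
    data_off = field_off if size <= 4 else struct.unpack_from(e + "I", tiff, field_off)[0]
    if typ == 2:
        return tiff[data_off:data_off + count].split(b"\0")[0].decode("ascii")
    if typ == 4:
        return struct.unpack_from(e + "I", tiff, data_off)[0]
    nums = struct.unpack_from(e + "II" * count, tiff, data_off)
    return [nums[i] / nums[i + 1] for i in range(0, 2 * count, 2)]

def gps_from_exif(app1):
    """Return (lat, lon) in signed decimal degrees from an EXIF payload, or None without a GPS IFD."""
    tiff = app1[6:] if app1.startswith(b"Exif\0\0") else app1
    e = "<" if tiff[:2] == b"II" else ">"  # byte order comes from the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps_ifd = _read_ifd(tiff, _value(tiff, e, *ifd0[GPS_IFD_POINTER]), e)
    gps = {GPS_TAGS[t]: _value(tiff, e, *v) for t, v in gps_ifd.items() if t in GPS_TAGS}
    def dec(dms, ref):  # degrees, minutes, seconds -> decimal; S and W are negative
        d = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -d if ref in ("S", "W") else d
    return dec(gps["GPSLatitude"], gps["GPSLatitudeRef"]), dec(gps["GPSLongitude"], gps["GPSLongitudeRef"])

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test data, not a real photo: a minimal little-endian EXIF blob with only a GPS IFD."""
    e, gps_off, lat_off = "<", 26, 80  # fixed layout: header(8) | IFD0(18) | GPS IFD(54) | rationals
    entry = lambda tag, typ, count, val: struct.pack(e + "HHI", tag, typ, count) + val
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + struct.pack(e + "H", 1)
    tiff += entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off)) + struct.pack(e + "IH", 0, 4)
    tiff += entry(1, 2, 2, lat_ref.encode() + b"\0\0\0") + entry(2, 5, 3, struct.pack(e + "I", lat_off))
    tiff += entry(3, 2, 2, lon_ref.encode() + b"\0\0\0") + entry(4, 5, 3, struct.pack(e + "I", lat_off + 24))
    tiff += struct.pack(e + "I", 0)  # end of GPS IFD; the six rationals follow
    tiff += b"".join(struct.pack(e + "II", n, d) for dms in (lat_dms, lon_dms) for n, d in dms)
    return b"Exif\0\0" + tiff
```

The same parser applies to the APP1 segment of a real JPEG once the `Exif\0\0` header is located; an image with no GPS IFD yields `None` rather than a fabricated location.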