Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
Multimedia forensics
A science to assess the authenticity of digital media objects
manipulation detection and source device identification based on artifacts of processing operations
resampling, copy & paste, inconsistent lighting, double compression
[Figure labels: scene, lens, filter, sensor (R G G B), color interpolation, post processing, digital image; lens distortion, CFA layout, hot pixels, sensor noise, interpolation scheme, quantization table]
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
Computer forensics
analog forensics
physical evidence
multimedia forensics
physical evidence
digital evidence
digital evidence is stored in the finite automaton each computer represents
number of states in a closed system is finite
non-negligible chance that a computer is left in a state which perfectly erases all traces
[Figure labels: reality, processing, digital data, suspicious traces?]
sensors capture parts of the reality and transform them into digital representations
reality is incognizable: ultimate knowledge whether a piece of digital media reflects reality or not cannot exist
multimedia forensics = empirical science
[Figure labels: sensor, source (device) ?]
models make projection of reality to discrete symbols tractable with formal methods
typical models in multimedia forensics:
  sensor noise follows a Gaussian distribution
  connected regions of identical pixel values are unlikely to occur in original images
models of reality function as yet another dimensionality reduction
quality of forensic methods depends on the quality of the employed model!
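The two points above (a pixel-value model, and a method being only as good as its model), as an added example that is not code from the talk: a detector built on the "connected regions of identical pixel values are unlikely" model, run on constructed images. The threshold, image size and noise parameters are assumptions; the overexposed image is a genuine capture that the detector still flags, because sensor clipping violates the model.

```python
import random
from collections import deque

def largest_identical_region(img):
    """Size of the largest 4-connected region of identical pixel values."""
    h, w = len(img), len(img[0])
    seen = [[False] * w for _ in range(h)]
    best = 0
    for y0 in range(h):
        for x0 in range(w):
            if seen[y0][x0]:
                continue
            seen[y0][x0] = True
            queue, size = deque([(y0, x0)]), 0
            while queue:                      # breadth-first flood fill
                y, x = queue.popleft()
                size += 1
                for ny, nx in ((y + 1, x), (y - 1, x), (y, x + 1), (y, x - 1)):
                    if (0 <= ny < h and 0 <= nx < w and not seen[ny][nx]
                            and img[ny][nx] == img[y0][x0]):
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            best = max(best, size)
    return best

def flag_as_manipulated(img, threshold=30):
    """Decision rule derived from the model; the threshold is an assumed value."""
    return largest_identical_region(img) >= threshold

def sensor_image(rng, h=48, w=48, mean=120.0, sigma=4.0):
    """Constructed 'original': flat scene plus Gaussian sensor noise, 8-bit."""
    return [[min(255, max(0, round(rng.gauss(mean, sigma)))) for _ in range(w)]
            for _ in range(h)]

def sample_images(seed=7):
    """Constructed test images: original, retouched, genuine but overexposed."""
    rng = random.Random(seed)
    original = sensor_image(rng)
    retouched = [row[:] for row in original]
    for y in range(10, 20):                   # 10x10 patch painted with one value
        for x in range(10, 20):
            retouched[y][x] = 118
    overexposed = sensor_image(rng, mean=262.0)  # unmodified, but clipped at 255
    return original, retouched, overexposed
```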
Counter-forensics
analog forensics
"physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent" Kirk (1953)
physical evidence
forgeability ≙ counter-forensics
[Figure: state diagram with states "valid state" and "invalid state" and transitions "leave traces" and "eliminate traces"]
valid states are not perfectly known or can be recorded before and cannot be recorded before
analog forensics
≙ counter-forensics
computers can be part of a network
computers can be sensors themselves
computers leave physical evidence
Concluding remarks
forensic examinations include techniques from a variety of forensic sciences
important differences in the underlying assumptions between different methods are blurred by practice
in particular: digital evidence = digital evidence (= physical evidence):
  digital evidence in computer forensics is not linked to the outside world whereas in multimedia forensics it is
  affects the reliability of forensic methods
future work: rigorous probabilistic modeling
reality is ultimately incognizable, but your comments will help to gain a more comprehensive view on it
Matthias Kirchner gratefully receives a doctorate scholarship from Deutsche Telekom Stiftung, Bonn, Germany.
Image sources
Iranian missile test (4), hard drive (6), floppy disk (11,17), core memory (11), multimedia (12,18), fingerprints (22), handcuffs (22)
http://www.spiegel.de