Upload
lambao
View
266
Download
1
Embed Size (px)
Citation preview
Multimedia Forensics is notComputer Forensics
Rainer Bohme†, Felix Freiling‡, Thomas Gloe†, Matthias Kirchner†
†Technische Universitat Dresden ‡Universitat Mannheim
International Workshop on Computational Forensics 2009 (IWCF’09)
The Hague · 2009/8/14
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 2 of 24
Multimedia forensicsA science to assess the authenticity of digital media objects
manipulation detection and source device identification based on
I artifacts of processing operationsresampling · copy & paste · inconsistent lightning · double compression
I characteristics of the source devicee. g. digital camera
scene
len
s
filt
er R
G
G
B
sensorcolor
interpolation
post
processing
digital imagelens
distortionCFA layout
hot pixels,
sensor noise
interpolation
scheme
quantization
table
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 3 of 24
Multimedia forensics: Examples
I digital camera identificationbased on sensor noise
I copy & paste detection
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
Multimedia forensics: Examples
I digital camera identificationbased on sensor noise
I copy & paste detection
?The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
Multimedia forensics: Examples
I digital camera identificationbased on sensor noise
I copy & paste detection
?The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
Multimedia forensics: Examples
I digital camera identificationbased on sensor noise
I copy & paste detection
≈
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
Multimedia forensics: Examples
I digital camera identificationbased on sensor noise
I copy & paste detection
≈
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
Multimedia forensics: Examples
I digital camera identificationbased on sensor noise
I copy & paste detection
≈
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 4 of 24
By the way,what is computer forensics?
Computer forensics
1001
00 1
110 0 1
52 51 51 51 49
49 40 36 34 33
55 48 40 33 23
62 58 45 33 22
66 62 53 34 22
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 6 of 24
Computer forensics
0111
01 0
111 1 1
52 51 51 51 49
49 40 36 34 33
55 48 40 33 23
62 58 45 33 22
66 62 53 34 22
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 6 of 24
Computer forensics
1100
00 0
101 1 1
52 51 51 51 49
49 40 36 34 33
55 48 40 33 23
62 58 45 33 22
66 62 53 34 22
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 6 of 24
Computer forensics
1000
01 0
110 1 0
52 51 51 51 49
49 40 36 34 33
55 48 40 33 23
62 58 45 33 22
66 62 53 34 22
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 6 of 24
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 7 of 24
Digital forensics: proposed ontology
forensics
digital forensics
computerforensics
multimediaforensics
analog forensics
digital evidence physical evidence
0 1 1 0 1 1 0 0 0 1 0
0 0 0 1 1 1 0 1 0 0 0
0 0 1 0 0 0 1 0 1 1 0
0 0 1 1 1 1 0 0 0 0 0
0 1 1 1 0 0 1 0 0 1 0
0 1 1 0 1 0 0 1 0 0 0
0 1 0 0 0 1 0 0 1 0 0
1 1 1 0 1 0 1 0 0 1 0
0 1 1 0 1 1 0 0 0 1 1
1 1 1 1 0 1 0 1 1 1 1
perfect crimepossible
compete forthe best model
perfect crimeimpossible
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 8 of 24
Digital forensics: proposed ontology
forensics
digital forensics
computerforensics
multimediaforensics
analog forensics
digital evidence physical evidence
1 1 1 1 1 1 0 0 0 0 1
1 1 0 1 1 1 0 0 0 0 1
1 1 1 0 1 0 0 0 0 0 0
0 1 0 0 1 0 0 1 1 1 1
0 0 1 0 0 0 1 1 1 1 1
1 0 1 1 1 0 0 1 0 0 0
0 0 0 1 0 1 0 0 0 1 0
0 0 0 1 0 1 1 0 0 1 1
1 1 1 0 1 0 0 0 1 1 0
0 1 0 0 1 1 0 0 1 0 1
finite sequence of discrete andperfectly observable symbols
perfect crimepossible
compete forthe best model
perfect crimeimpossible
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 8 of 24
The following slidesintentionally draw a very
black-and-whitepicture
WARNING!
The following slidesintentionally draw a very
black-and-whitepicture
WARNING!
Computer forensics 6= Multimedia forensics
computer forensics multimedia forensicsphysical evidence
WWW
WWWWWW
10111 0 0 1
digital evidence
physical evidence
10111 0 0 1
digital evidence
I digital evidence is not linkedto the outside world
I digital evidence is linkedto the outside world
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 10 of 24
Computer forensics 6= Multimedia forensics
computer forensics multimedia forensicsphysical evidence
WWW
WWW
WWW
10111 0 0 1
digital evidence
physical evidence
10111 0 0 1
digital evidence
I digital evidence is not linkedto the outside world
I digital evidence is linkedto the outside world
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 10 of 24
Computer forensics 6= Multimedia forensics
computer forensics multimedia forensicsphysical evidence
WWW
WWW
WWW10111 0 0 1
digital evidence
physical evidence
10111 0 0 1
digital evidence
I digital evidence is not linkedto the outside world
I digital evidence is linkedto the outside world
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 10 of 24
Computer forensics 6= Multimedia forensics
computer forensics multimedia forensicsphysical evidence
WWW
WWW
WWW10111 0 0 1
digital evidence
physical evidence
10111 0 0 1
digital evidence
I digital evidence is not linkedto the outside world
I digital evidence is linkedto the outside world
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 10 of 24
Computer forensics 6= Multimedia forensics
computer forensics multimedia forensicsphysical evidence
WWW
WWW
WWW10111 0 0 1
digital evidence
physical evidence
10111 0 0 1
digital evidence
I digital evidence is not linkedto the outside world
I digital evidence is linkedto the outside world
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 10 of 24
Computer forensics: A closer look
reality
digitaldata
processing
suspicioustraces?
I digital evidence is stored in thefinite automaton each computerrepresents
I number of states in a closedsystem is finite
I non-negligible chance that acomputer is left in a state whichperfectly erases all traces
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 11 of 24
Computer forensics: A closer look
reality
digitaldata
processingsuspicioustraces?
I digital evidence is stored in thefinite automaton each computerrepresents
I number of states in a closedsystem is finite
I non-negligible chance that acomputer is left in a state whichperfectly erases all traces
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 11 of 24
Computer forensics: A closer look
reality
digitaldata
processingsuspicioustraces?
I digital evidence is stored in thefinite automaton each computerrepresents
I number of states in a closedsystem is finite
I non-negligible chance that acomputer is left in a state whichperfectly erases all traces
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 11 of 24
Computer forensics: A closer look
reality
digitaldata
processingsuspicioustraces?
I digital evidence is stored in thefinite automaton each computerrepresents
I number of states in a closedsystem is finite
I non-negligible chance that acomputer is left in a state whichperfectly erases all traces
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 11 of 24
Computer forensics: A closer look
reality
digitaldata
processingsuspicioustraces?
I digital evidence is stored in thefinite automaton each computerrepresents
I number of states in a closedsystem is finite
I non-negligible chance that acomputer is left in a state whichperfectly erases all traces
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 11 of 24
Multimedia forensics: A closer look
digital mediaobject
processing
sensor
original?
source(device) ?
I sensors capture parts of the reality andtransform them into digital representations
I reality is incognizable: ultimate knowledgewhether a piece of digital media reflectsreality or not cannot exist
I multimedia forensics = empirical science
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 12 of 24
Multimedia forensics: A closer look
digital mediaobject
processing
sensor
original?
source(device) ?
I sensors capture parts of the reality andtransform them into digital representations
I reality is incognizable: ultimate knowledgewhether a piece of digital media reflectsreality or not cannot exist
I multimedia forensics = empirical science
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 12 of 24
Multimedia forensics: A closer look
digital mediaobject
processing
sensor
original?
source(device) ?
I sensors capture parts of the reality andtransform them into digital representations
I reality is incognizable: ultimate knowledgewhether a piece of digital media reflectsreality or not cannot exist
I multimedia forensics = empirical science
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 12 of 24
Multimedia forensics: A closer look
digital mediaobject
processing
sensor
original?
source(device) ?
I sensors capture parts of the reality andtransform them into digital representations
I reality is incognizable: ultimate knowledgewhether a piece of digital media reflectsreality or not cannot exist
I multimedia forensics = empirical science
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 12 of 24
Multimedia forensics: A closer look
digital mediaobject
processing
sensor
original?
source(device) ?
I sensors capture parts of the reality andtransform them into digital representations
I reality is incognizable: ultimate knowledgewhether a piece of digital media reflectsreality or not cannot exist
I multimedia forensics = empirical science
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 12 of 24
Sensors: A source of uncertainty
I projection of reality to discrete symbols means a dimensionality reduction
I multimedia forensics has to cope with an additional source of uncertainty
I what kind of commonpost-processing islegitimate / tolerable?
?
degrees of freedom
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 13 of 24
Sensors: A source of uncertainty
I projection of reality to discrete symbols means a dimensionality reductionI multimedia forensics has to cope with an additional source of uncertainty
I what kind of commonpost-processing islegitimate / tolerable?
?
degrees of freedom
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 13 of 24
Sensors: A source of uncertainty
I projection of reality to discrete symbols means a dimensionality reductionI multimedia forensics has to cope with an additional source of uncertainty
I what kind of commonpost-processing islegitimate / tolerable?
?
degrees of freedom
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 13 of 24
Models: Yet another dimensionality reduction
I models make projection of reality todiscrete symbols tractable with formalmethods
I typical models in multimedia forensics:. sensor noise follows a Gaussian distribution. connected regions of identical pixel values are
unlikely to occur in original images
p
projection to a1-dimensionalvariable
I models of reality function as yet another dimensionality reductionI quality of forensic methods depends on the quality of the employed model!
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 14 of 24
Models: Yet another dimensionality reduction
I models make projection of reality todiscrete symbols tractable with formalmethods
I typical models in multimedia forensics:. sensor noise follows a Gaussian distribution. connected regions of identical pixel values are
unlikely to occur in original images
p
projection to a1-dimensionalvariable
I models of reality function as yet another dimensionality reductionI quality of forensic methods depends on the quality of the employed model!
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 14 of 24
Models: Yet another dimensionality reduction
I models make projection of reality todiscrete symbols tractable with formalmethods
I typical models in multimedia forensics:. sensor noise follows a Gaussian distribution. connected regions of identical pixel values are
unlikely to occur in original images
p
projection to a1-dimensionalvariable
I models of reality function as yet another dimensionality reductionI quality of forensic methods depends on the quality of the employed model!
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 14 of 24
Models: Yet another dimensionality reduction
I models make projection of reality todiscrete symbols tractable with formalmethods
I typical models in multimedia forensics:. sensor noise follows a Gaussian distribution. connected regions of identical pixel values are
unlikely to occur in original images
p
projection to a1-dimensionalvariable
I models of reality function as yet another dimensionality reductionI quality of forensic methods depends on the quality of the employed model!
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 14 of 24
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 15 of 24
Digital forensics: proposed ontology
forensics
digital forensics
computerforensics
multimediaforensics
analog forensics
digital evidence physical evidence
0 0 0 1 0 0 1 1 0 0 0
1 0 1 1 0 0 1 0 1 1 0
0 0 1 1 0 1 1 0 0 0 1
0 1 1 0 0 1 0 1 0 0 1
1 1 1 0 0 0 1 0 0 1 0
0 0 1 0 0 0 1 0 0 1 0
1 1 0 1 1 1 0 1 0 1 1
1 1 0 0 0 1 0 1 1 0 0
0 0 1 1 1 1 1 0 0 1 0
1 1 0 1 1 0 1 0 1 0 1
forgeability
counter-forensics
b=
perfect crimepossible
compete forthe best model
perfect crimeimpossible
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 16 of 24
Digital forensics: proposed ontology
forensics
digital forensics
computerforensics
multimediaforensics
analog forensics
digital evidence physical evidence
0 1 1 0 0 1 1 1 1 1 0
1 1 1 0 0 0 0 1 1 1 1
0 0 1 0 1 0 1 0 0 1 0
0 1 0 1 0 1 1 1 0 0 0
1 0 0 1 0 0 0 0 0 0 1
0 1 1 1 1 0 0 0 0 0 0
1 1 1 0 0 1 1 1 0 1 1
0 1 0 1 1 0 0 0 1 0 1
0 0 0 0 0 1 1 0 1 0 0
0 0 0 0 1 1 0 0 0 1 0
forgeability
counter-forensics
b=
”physical evidence cannot be wrong,it cannot perjure itself,it cannot be wholly absent”
Kirk (1953)
perfect crimepossible
compete forthe best model
perfect crimeimpossible
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 16 of 24
Counter-forensics: Computer forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state
valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 17 of 24
Counter-forensics: Computer forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 17 of 24
Counter-forensics: Computer forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 17 of 24
Counter-forensics: Computer forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 17 of 24
Counter-forensics: Computer forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 17 of 24
Counter-forensics: Multimedia forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 18 of 24
Counter-forensics: Multimedia forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are not perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system is not possible
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 18 of 24
Digital forensics: proposed ontology
forensics
digital forensics
computerforensics
multimediaforensics
analog forensics
digital evidence physical evidence
0 0 0 1 1 0 1 1 0 0 1
1 1 0 0 1 0 0 1 0 1 0
0 0 1 1 0 0 0 1 1 1 1
1 0 0 0 0 0 1 0 0 1 0
0 0 1 1 0 1 0 0 0 1 1
0 1 0 1 1 1 0 0 1 1 1
1 1 0 1 1 1 0 0 1 0 1
1 0 1 0 1 1 1 1 0 0 1
0 1 1 1 1 0 1 1 0 0 0
1 0 1 1 1 1 0 0 0 0 0
forgeability
counter-forensics
b=
perfect crimepossible
compete forthe best model
perfect crimeimpossible
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 19 of 24
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 20 of 24
Computer forensics in a broader sense
I computers interact with their environment
physical evidence
WWW
WWW10111 0 0 1
digital evidence
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
I computers can be part of a networkI computers can be sensors itselfI computers leave physical evidence
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 21 of 24
Computer forensics in a broader sense
I computers interact with their environment
physical evidence
WWW
WWW10111 0 0 1
digital evidenceWWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
I computers can be part of a network
I computers can be sensors itselfI computers leave physical evidence
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 21 of 24
Computer forensics in a broader sense
I computers interact with their environment
physical evidence
WWW
WWW10111 0 0 1
digital evidence
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
I computers can be part of a networkI computers can be sensors itself
I computers leave physical evidence
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 21 of 24
Computer forensics in a broader sense
I computers interact with their environment
physical evidence
WWW
WWW10111 0 0 1
digital evidence
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
WWW
I computers can be part of a networkI computers can be sensors itselfI computers leave physical evidence
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 21 of 24
(Finally) A more practical view
2
2
IWCF ’09
2A
3
3
IWCF ’09
3A
4
4
IWCF ’09
4A
5
5
IWCF ’09
5A
6
6
IWCF ’09
6A
7
7
IWCF ’09
7A
8
8
IWCF ’09
8A
9
9
IWCF ’09
9A
10
10
IWCF ’09
10A
11
11
IWCF ’09
11A
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 22 of 24
Concluding remarks
I forensic examinations include techniques from a variety of forensic sciencesI important differences in the underlying assumptions between different methods are
blurred by practiceI in particular: digital evidence 6= digital evidence (6= physical evidence):
. digital evidence in computer forensics is not linked to the outside world whereasin multimedia forensics it is
. effects the reliability of forensic methods
I furture work: rigorous probabilistic modeling
reality is ultimately incognizable, butyour comments will help to gain a more comprehensive view on it
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 23 of 24
Concluding remarks
I forensic examinations include techniques from a variety of forensic sciencesI important differences in the underlying assumptions between different methods are
blurred by practiceI in particular: digital evidence 6= digital evidence (6= physical evidence):
. digital evidence in computer forensics is not linked to the outside world whereasin multimedia forensics it is
. effects the reliability of forensic methods
I furture work: rigorous probabilistic modeling
reality is ultimately incognizable, but
your comments will help to gain a more comprehensive view on it
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 23 of 24
Concluding remarks
I forensic examinations include techniques from a variety of forensic sciencesI important differences in the underlying assumptions between different methods are
blurred by practiceI in particular: digital evidence 6= digital evidence (6= physical evidence):
. digital evidence in computer forensics is not linked to the outside world whereasin multimedia forensics it is
. effects the reliability of forensic methods
I furture work: rigorous probabilistic modeling
reality is ultimately incognizable, butyour comments will help to gain a more comprehensive view on it
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 23 of 24
Thanks for your attention
Questions?
Rainer Bohme†, Felix Freiling‡, Thomas Gloe†, Matthias Kirchner†
†Technische Universitat Dresden ‡Universitat Mannheim
Matthias Kirchner gratefully receives a doctorate scholarship fromDeutsche Telekom Stiftung, Bonn, Germany.
Image sources
I Iranian missile test (4) http://www.spiegel.de
I hard drive (6) http://commons.wikimedia.org/wiki/File:Open_hard-drive.jpg
I floppy disk (11,17) http://commons.wikimedia.org/wiki/GNOME_Desktop_icons
I core memory (11) http://commons.wikimedia.org/wiki/File:KL_CoreMemory.jpg
I multimedia (12,18) http://commons.wikimedia.org/wiki/GNOME_Desktop_icons
I fingerprints (22) http://www.lanl.gov/news/albums/chemistry/fingerprint.jpg
I handcuffs (22) http://commons.wikimedia.org/wiki/File:Handcuffs01_2003-06-02.jpg