IT forensics - Analysis of Images and Documents

Michèle Trebo
Ralph Meier
on June 15, 2023
time to read: 9 minutes

Keypoints

Uncovering hidden digital evidence through image and document analysis

  • IT forensics for securing digital evidence for use in court
  • Secure handling of digital evidence to maintain integrity and authenticity
  • Using metadata to find the time of creation, location or device used
  • Forensic image or document analysis verifies the authenticity of an image or document

Digital forensics, also called IT forensics, refers to the practice of using scientific techniques and methods to gather digital evidence in a way that can be used in court. It covers the examination of data stored on digital devices such as computers, cell phones, servers, memory cards and other digital storage media.

IT forensics has a high priority in today’s law enforcement. With increasing digitization, more and more evidence is being stored in digital form. IT forensics offers the possibility of collecting, analyzing and evaluating this digital evidence in such a way that it can be used in court. However, the importance of IT forensics goes far beyond law enforcement. Companies and organizations use IT forensics to investigate data breaches, fraud, privacy policy violations and other incidents. Image and document analysis is an important aspect of IT forensics because images and digital documents can often be important evidence in cases of crime, copyright infringement and other litigation. When analyzing images and documents, various techniques and methods are used to verify integrity and authenticity and to extract information.

Preserving the Integrity of Digital Evidence

Before the analysis of digital evidence can begin, it must be securely preserved. Secure preservation is necessary so that the integrity and authenticity of digital images and documents can be proven in court. In this process, the storage medium is read out physically and cloned, either in full as an image or in part as logical files such as documents, emails from an email server, snippets from specific programs, databases or network drives (list not exhaustive). After cloning, a hash value of the secured data is calculated and stored. Hash algorithms such as MD5, SHA1 or SHA256 are usually applied. MD5 and SHA1 should no longer be used, as these hash functions are no longer considered collision-resistant. To ensure the integrity and authenticity of the originally secured evidence, the forensic analyses of the data take place exclusively on the clone. Working on a clone avoids potential alterations or tampering that could occur if the original were analyzed directly. The clone serves as a working copy to which various techniques and tools can be applied without affecting the original. This ensures that the results of the forensic analysis are reliable and usable in court, while the original evidence remains unchanged.
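The preservation workflow above, as an added example that is not part of the original article: hash the secured data in chunks, record the digest, verify that the working copy still matches, and detect a modified copy. The "lab policy" of refusing MD5 and SHA1 and the sample evidence bytes are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Assumed lab policy, following the article: hashes that are no longer
# collision-resistant are refused for new evidence records.
DEPRECATED_ALGORITHMS = {"md5", "sha1"}

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so multi-gigabyte disk images fit in memory."""
    if algorithm.lower() in DEPRECATED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not collision-resistant; record SHA-256 or stronger")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_record(path, recorded_digest, algorithm="sha256"):
    """True if the file still matches the digest recorded at acquisition (constant-time compare)."""
    return hmac.compare_digest(hash_file(path, algorithm), recorded_digest.lower())

def acquisition_demo():
    """Constructed walk-through: acquire, record the hash, verify the clone, detect an edited clone."""
    with tempfile.TemporaryDirectory() as lab:
        original = os.path.join(lab, "evidence.jpg")
        clone = os.path.join(lab, "evidence_clone.jpg")
        with open(original, "wb") as f:  # constructed sample "evidence", not a real image
            f.write(b"\xff\xd8" + b"constructed sample image bytes" * 1000 + b"\xff\xd9")
        with open(original, "rb") as src, open(clone, "wb") as dst:  # bit-for-bit working copy
            dst.write(src.read())
        record = {"algorithm": "sha256", "digest": hash_file(original)}  # stored with the evidence
        clone_ok = verify_against_record(clone, record["digest"], record["algorithm"])
        with open(clone, "r+b") as f:  # simulate an accidental edit to the working copy
            f.seek(40)
            f.write(b"X")
        tampered_detected = not verify_against_record(clone, record["digest"], record["algorithm"])
        original_untouched = verify_against_record(original, record["digest"], record["algorithm"])
    return clone_ok, tampered_detected, original_untouched

if __name__ == "__main__":
    print(acquisition_demo())  # (True, True, True)
```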

Image Analysis

Image analysis is an important part of IT forensics and requires specialized knowledge and skills. The use of various technologies such as metadata analysis, forensic image analysis and facial recognition, some of them enhanced with deep learning, supports evidence preservation in this regard. It is important to note that the use of images as evidence in IT forensics must follow certain guidelines and protocols to ensure that the integrity of the evidence is not compromised. This includes, in addition to the secure preservation mentioned above, ensuring the chain of custody of the evidence and following best practices for evidence preservation. Typically, authorities first secure electronic evidence in an appropriate form. This can be done by seizing devices, hard drives, USB sticks or other storage media. A protocol is created that contains detailed information about the discovery, the condition of the evidence, the location and the persons involved. This protocol serves as proof of proper seizure. The electronic evidence is then transported in a safe and controlled manner to prevent loss or damage. This can be done by using specialized means of transport or encrypted storage media. After seizure, the evidence is sealed to ensure that it is not tampered with during storage. This can be done through the use of seals, security labels, or digital sealing technology. When evidence is stored securely, measures are taken to prevent unauthorized access, damage, or loss.

Metadata Analysis

Metadata is information about a file that is stored in the file itself. By analyzing metadata, information such as the time of creation, the location (depending on the file type) and the device used can be retrieved. For example, if an image was edited after it was taken, this can also be seen in the file’s metadata, unless this information was purposefully removed. An introduction to EXIF tags can be found in the article Technical Image Forensics. The set of EXIF tags written is determined by the camera or device manufacturer and depends on the camera’s capabilities and the user’s configuration. Analyzing an image shot with an iPhone revealed the following interesting EXIF tags:

Camera Model Name : iPhone 11 Pro
Software : 16.3.1
Lens Model : iPhone 11 Pro back triple camera 4.25mm f/1.8

A somewhat bizarre EXIF tag also came out, which was not expected:

Run Time Since Power Up : 13 days 17:06:35

Here, the device’s runtime since the last reboot, the so-called uptime, was written into the photo’s EXIF information at the time the photo was taken. We did not expect this information during our research on EXIF tags, as the set of tags written varies widely between cameras and smartphones. We could not think of any use cases other than additional information for a possible repair. A common tool for extracting EXIF information is ExifTool.
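To show how tags such as Model and Software are actually laid out inside a file, here is an added example that is not part of the original article or of ExifTool: it constructs a minimal JPEG whose APP1 segment carries a TIFF-style IFD0, then parses it back. Only ASCII tags in IFD0 are handled; the Make and ImageDescription values are constructed, the Model and Software values are those ExifTool printed above.

```python
import struct

# Tag numbers from the TIFF/EXIF specification for IFD0
TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model", 0x0131: "Software"}
ASCII = 2  # EXIF data type for NUL-terminated strings

# Constructed sample: Model/Software as printed by ExifTool above, Make and description assumed
SAMPLE_TAGS = {0x010E: "IMG", 0x010F: "Apple", 0x0110: "iPhone 11 Pro", 0x0131: "16.3.1"}

def build_exif_jpeg(tags):
    """Construct a minimal JPEG with an APP1/EXIF segment holding ASCII tags (big-endian TIFF)."""
    entries, blob = b"", b""
    data_start = 8 + 2 + 12 * len(tags) + 4  # TIFF header + entry count + entries + next-IFD pointer
    for tag, text in sorted(tags.items()):
        value = text.encode("ascii") + b"\0"
        if len(value) <= 4:  # values of 4 bytes or less are stored inline in the entry
            entries += struct.pack(">HHI4s", tag, ASCII, len(value), value.ljust(4, b"\0"))
        else:  # longer values live after the IFD and are referenced by offset
            entries += struct.pack(">HHII", tag, ASCII, len(value), data_start + len(blob))
            blob += value
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", len(tags))
            + entries + b"\0\0\0\0" + blob)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def read_exif_ifd0(jpeg):
    """Walk JPEG segments to APP1, parse IFD0 and return {tag name: value} for ASCII tags."""
    pos = 2  # skip SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            break
        pos += 2 + length
    else:
        return {}  # no EXIF segment, e.g. metadata stripped before sharing
    end = ">" if tiff[:2] == b"MM" else "<"  # byte order declared in the TIFF header
    ifd = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
    result = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, raw = struct.unpack(end + "HHI4s", entry)
        if typ != ASCII:
            continue
        value = raw[:n] if n <= 4 else tiff[struct.unpack(end + "I", raw)[0]:][:n]
        result[TAG_NAMES.get(tag, hex(tag))] = value.rstrip(b"\0").decode("ascii", "replace")
    return result
```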

Forensic Image/Document Analysis

Forensic image or document analysis uses various techniques to verify the authenticity of an image or document and to detect manipulation or corruption of the content. Examples include pixel analysis, image compression detection, watermark analysis, and image color balance verification. To reveal differences in color balance within an image or document, it helps to use a histogram or another color representation, which can show, for example, the use of two different pens in a handwritten signature.

Color analysis of a signature with different pens

The left color plot shows the pen color of the letter “T”, which is clearly different from the pen color of the letter “e”, shown in the right color plot.

Face Recognition

Facial recognition technologies are increasingly used in the investigation of crimes. This technology makes it possible to compare faces in images with other images in order to determine the identity of persons. Existing images, including a profile photo of the person being searched for, can be transmitted to a facial recognition tool. If no images are available but, for example, a video recording is, the video must first be split into individual frames (for example, one image every three seconds). The images extracted from the video can then be transmitted to a face recognition tool, where they are grouped according to the faces recognizable in them. One photo platform with strong face recognition is Google Photos. The face recognition of Google Photos is mostly fully automatic. However, the exact details of how it works are not publicly known, as Google does not disclose detailed information about the internal algorithms and technologies. In order to use the face recognition feature of Google Photos, a Google account is required first. After installing the Google Photos application and successfully logging in with the Google account, access to the photos available on the device can be granted. After enabling face recognition in the settings, face recognition runs automatically. Depending on the number of photos and the speed of the Internet connection, this process may take some time. By adding a name or identity to recognized faces, the accuracy of face recognition can be improved.

Deep Learning Technology

The use of deep learning technologies, in the form of trained artificial neural networks or approaches based on convolutional neural networks (CNNs), enables large amounts of data to be analyzed more effectively and patterns or faces in images to be recognized. By using large datasets with faces from different perspectives and under different lighting conditions, it is possible to identify faces faster and more accurately. By extending the training phase, expanding the training dataset or changing the architecture of the neural network, the deep learning model used can be continuously improved.

Conclusion

IT forensics is constantly evolving to meet the needs of the ever-changing digital landscape. IT forensics professionals will need to adapt and develop new technologies, tools and methods to effectively collect and analyze evidence. For example, machine learning enables faster processing and analysis of large amounts of data. The use of machine learning algorithms can also identify patterns, anomalies and correlations in data that may indicate suspicious activity. This helps forensic scientists identify and analyze potentially relevant evidence more efficiently.

About the Authors

Michèle Trebo

Michèle Trebo holds a Bachelor of Information Technology from ZHAW and worked six years as a police officer in the field of cyber crime investigations. She is responsible for criminal research topics like darknet analysis, cyber threat intelligence, fraud investigation, and forensics. (ORCID 0000-0002-6968-8785)

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science UAS Zurich at the ZHAW School of Engineering. His primary task is doing security-related analysis of web applications and services. (ORCID 0000-0002-3997-8482)
