Digital Forensics Flashcards
What is the job of the lens?
To focus light/image onto centre
What is the job of the filter?
Reduce the sensitivity to infrared light
What is the job of the sensor?
Turns light into a recordable image
What does the DSP unit do?
Performs some basic image processing before the image is saved
What is the focal point?
A point on the optic axis where parallel light rays converge
What is the optic axis?
A line which runs perpendicular to the lens and directly through the middle
What does CMOS stand for? And what is its use?
Complementary metal oxide semiconductor
It helps the light sensitive sensor chip to record all of the data in a very short space of time
What does DSLR stand for?
Digital single lens reflex
What are pixels?
Individual light sensitive cells which measure the amount of light that falls on them. They cover the camera's sensor
How are coloured images produced?
The light seen by the camera is split into the three primary colours which can then be used to create an accurate image through the use of a Bayer filter
What is a Bayer filter?
A grid of coloured filters that sit over the sensor with red, green, and blue elements over individual pixels which will only allow their respective light colours through. It looks at pixels surrounding others to formulate an informed guess of what the true colour of that pixel is
What is the job of the colour filter array?
It allows the digital camera to ‘see’ colours as it is colourblind without this and can only determine light intensity
What are the two common configurations of the colour filter array? Can you describe them?
The Bayer pattern - checkered
The Stripe pattern - stripes
What are photo sites?
Each square on the sensor element is a single photo site
Why are there two times more green elements on the colour filter array compared to red and blue?
Due to the human eye being more sensitive to green light
What are the two main types of sensors in the camera?
CCD (charge coupled device) and CMOS (complementary metal oxide semiconductor)
Define photodiodes
Semiconductor devices that generate an electrical charge in proportion to the number of photons which reach them
Where are photodiodes typically found?
They are tightly packed on a silicon wafer in CCDs and CMOSs
What are the advantages of CCD sensors?
- Proven record of technologies and commercialization
- Low noise, high S/N because the surface is almost entirely photosensitive (compared to 1/4 in CMOS)
What are the disadvantages of CCD sensors?
- High power consumption, slower speed
- on-chip peripheral circuits difficult to manufacture
What are the advantages of CMOS sensors?
- Manufacture can be simpler and less expensive
- Use less power than CCD
- Physical size of detector is smaller
What are the disadvantages of CMOS sensors?
- Relatively high noise
Where are CMOS sensors and CCD sensors typically used?
CMOS - modern consumer cameras (phones)
CCD - scientific applications
What is the job of the DSP (digital signal processor) module?
To read out the voltages from the image sensor which are then fed into an onboard image processing module which contains proprietary algorithms for improving the perceived quality, demosaicing, and compression
Define spatial sampling
The average light intensity per pixel
How many values per pixel do monochrome images have?
One
Why does the image appear blurry when the light intensity pattern is continuous?
Each pixel only records the average light intensity
Define resolution
The dimensions by which you can measure how many pixels are on a screen
Why are sharper images shown on a phone compared to a laptop?
They both have the same number of pixels, but they are in a denser space on the phone
What is a byte?
8 bits
How do we make an image darker?
By subtracting a fixed constant from each of the RGB values
Define point processing
The process of adjusting a pixel's value according to a transformation function
What is an image histogram?
A graph which records the number of pixels in an image, and the light intensity of each of these pixels, and displays this as a bar chart
Why is a 4-bit image sometimes used instead of an 8-bit image?
It makes the image histogram clearer due to there being fewer values
What is the function of a look-up table (LUT)?
It implements a functional mapping of pixel intensity values
What are the seven methods for detecting photo forgery?
- Reverse image search
- EXIF data check
- Specular reflection
- Photogrammetry
- Inconsistencies in shadows/reflections
- Grey level resampling
- JPEG signatures
What is image processing?
The technique of applying a relevant mathematical operation on a digitised image to generate an enhanced image or extract some useful features such as edge, shape, and colour
What are the six purposes of spatial filtering?
- Image smoothing
- Noise removal
- Image sharpening
- Edge detection
- Inpainting
- Pre-processing
How does image enhancement work?
It alters each pixel by the same amount in order to change the appearance of the image
Give three applications of image processing
Medical imaging
Self-driving cars
Satellite imaging
Which edges does a vertical difference mask highlight?
The horizontal edges
Which edges does a horizontal difference mask highlight?
The vertical edges
Define median filter
The output pixel value is determined as the neighbourhood median
Define correlated noise
There is some sort of structure or pattern in the noise
Define uncorrelated noise
No structure or pattern in the noise
Why does correlated noise appear?
Electrical interference, source/sensor interference
What effect does shutter speed have on noise?
Slower shutter speed can result in higher noise levels
What is Gaussian noise?
Noise where the majority of the pixels have the same value of 127. There is a normal distribution around this number
What is uniform noise?
Where the probability of getting any light intensity for a pixel is the same, meaning the distribution is flat
What is salt and pepper noise?
The pixels have either a value of 0 or 255
Why might salt and pepper noise appear?
Due to errors in transmission, dead pixels in a display, or photodiode leakage
What are the advantages of removing salt and pepper noise with a median filter?
- Returns the median value of the pixels in the neighbourhood
- Is non-linear
- Is similar to a uniform blurring filter which returns the mean value of the pixels in a neighbourhood of a pixel
- Unlike a mean value filter, the median tends to preserve steep edges
Why does shot noise occur?
Due to the random fluctuations in photon energy captured by the image sensor
What is readout noise?
Electrical charge built up within the camera from the different onboard processes
What are the two main types of pattern noise?
Photo response non-uniformity (PRNU) and dark signal non-uniformity (DSNU)
What is PRNU?
The variation in pixel sensitivity caused by manufacturing defects and the natural non-uniformity of the silicon used in the image sensor
What is DSNU?
Fixed pattern noise due to ‘dark currents’ that occur in the sensor even when no light is incident upon it
How do you obtain the fingerprint for a specific device?
- Take at least 50 natural scene images using the suspected source camera
- Individually filter each image using a wavelet denoising filter
- Average together the filtered images to produce a unique fingerprint for the camera
Why is the denoised image only an estimate?
Impossible to remove all noise
Define latent fingerprint in terms of digital forensics
Pattern noise extracted from an evidential image
Define exemplar fingerprint in terms of digital forensics
Average pattern noise extracted from a sample of images known to have originated from a specific imaging device
Define steganography
The art/science of communicating by hiding secret messages in innocuous ‘cover’ objects
Define acrostic
A text, usually a poem, in which particular letters, such as the first of each line, spell a word or phrase
Define cover object
A message that can be transmitted without suspicion, such as an image file, digital sound, or written text
Define stego-object
A cover object containing an embedded secret object
Why should the same cover never be used more than once?
As two versions of one cover could easily be detected and possibly decoded
Define stego-key
Used to encrypt the secret message
Define pure steganography
Does not require the exchange of prior information such as a stego-key
Define secret key steganography
A secret stego-key is exchanged prior to communicating using a stego-object
Define binary image
Images whose pixels only have two possible intensity values
What is the random interval method in steganography?
Where elements of the cover are chosen at random for hiding data. The ‘seed’ for the random places, typically a random number generator, must be available to both parties in the communication
Define visual attack
A means of detecting embedded information, such as by visual inspection of the least significant bits only of a digital image
Define statistical attack
Referring to non-visual methods for determining embedding
Define image histogram
The frequency distribution of grey-levels within a digital image
What does embedding in the least significant bits do to the image histogram?
Tends to average out pairs of values in the image histogram
What statistical technique is used to determine the probability of embedding?
Chi-squared
What do the observed values refer to in the Chi-squared equation?
The observed values are every other column in the image histogram
What does a low chi-squared value imply?
That embedding has taken place
What is the purpose of an image compression algorithm?
In order to reduce the storage requirements, sometimes at the expense of the image quality
Define non-lossy (lossless) compression
Original image can be recovered exactly from compressed image file, such as portable network graphics (.png)
Define lossy compression
Information lost when a file is compressed. Therefore, only an approximation to the original image is possible, such as joint experts photographic group JPEG (.jpg)
Define coding redundancy
Caused by sub-optimal code words for encoding, a symbol typically represents a grey-level
Define inter-pixel redundancy
Due to grey-level correlations between neighbouring pixels
Define psycho-visual redundancy
Information contained within an image that is superfluous to the interpretation or aesthetics of an image
In psycho-visual redundancy, what does clarity depend on?
- Spatial frequency
- Amplitude
A measure of the compactness of a compressed image file is the compression ratio Cr, but how is it defined?
b1/b2, where b1 is the number of bits in the original image and b2 is the number of bits in the encoded image
Define symbol
A general term that can refer to pixel values or transformation coefficient values
What is the first component of the image coder?
An image transformation (aka mapper)
What does an image transformation do?
Converts the input image into a format that is better suited to encoding
How does an image transformation convert the image into a format better suited to encoding?
It transforms pixels into coefficients. The coefficients that have a negligible magnitude can be discarded and the remaining can be coarsely quantised, thereby reducing the number of bits required to encode them
What does the quantizer do?
Reduces the number of bits needed to store the coefficients that result from an image compression
What does symbol coding do?
Compresses the image by exploiting the fact that in natural images some grey levels occur more frequently than others
What is the JPEG image compression ‘recipe’?
- Split into 8x8 blocks and treat each separately
- Apply Discrete Cosine Transformation (DCT) to each image block
- Quantise the DCT coefficients
- Apply Huffman coding scheme to quantised coefficients
Describe the process of Huffman encoding
- Determine the image histogram of symbol values
- Order the symbols by increasing probability of occurrence
- Combine the two symbols with lowest probability
- The above two steps are repeated until only the most probable symbol of the original image and the combined symbol remains
- Assign the code word 1 to the most probable symbol in the image and 0 to the combined symbol
- Efficient code words can now be assigned to the remaining symbols by reversing steps 2-4 and appending a 1 or 0 to the code word
Define cryptosystem
Disguises messages, allowing only selected people to see through the disguise
Define cryptography
The science of designing, building, and using cryptosystems
Define cryptanalysis
The science of breaking a cryptosystem
Define cryptology
The study of cryptography and cryptanalysis
Define plaintext
The thing we want to keep private
What is a key used for?
To ‘access’ the algorithm. Without it the cyphertext would not make sense
What are the two basic methods for disguising messages?
Transposition and Substitution
Describe the process of transposition encryption
- Write the key horizontally as the heading for columns
- Assign numerical values to each letter based on the letter's order of appearance in the alphabet
- Align plaintext message across each column
- Read down each column according to ordinal value
Describe the process of substitution encryption
- Write the alphabet splitting it across two rows in the middle
- Substitute each letter in the plaintext message with the letter above or below it to come up with the cyphertext
Define symmetric key cryptography
Same key used to encrypt and decrypt the message
Define asymmetric cryptography
Key for encryption is not the same as the key for decryption
Define a hash
A transformation of data (message) into a distilled form (message digest) that is unique to the data and not reversible
What is a hash used for?
To verify the integrity of the data
What is the procedure for digital signing?
- Arrange for the intended recipient to obtain a copy of your public key
- Compute message digest for data
- Encrypt digest using private key and append it to the original message before sending it to the intended recipient
- Recipient uses sender’s public key to check the message has come from the sender and hasn’t been altered
Define platter - hard disk drive structure
on which the information is stored
define head - hard disk drive structure
writes to the platters
what are tracks, sectors, and clusters?
tracks - a complete circuit
sectors - the smallest region
clusters - clusters of sectors
how many sectors are typically in a cluster?
4
define non-contiguous/fragmented files
operating system saves a file in fragmented sections so parts are placed in different locations to maximise the space on the hard disk
define defragmentation
optimising the space on the hard disk by organising the parts of the files and allocating them more effectively
two sectors of a cluster are used and two are not. what happens to the two that are not used?
they are file slack - they contain whatever was there before, such as partially overwritten, deleted files
what is the best way to permanently delete something?
to overwrite it completely
what is the handling system?
the part of the operating system which controls where the files are on the hard disk
how are files generally identified?
by their three character extensions, such as .doc, .ppt
what are file signatures and why are they important?
they are a known and recognisable header. they are important as they are a definite indicator of content as they cannot be changed, but extensions can
give some examples of digital crime
hacking, trojans, grooming, viruses, blackmail, trafficking
what is a worm?
a type of virus which can self-replicate without the user intervening. this can lead to a denial of service account (DOS)
define principle 1 (data preservation)
no action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may be relied on in court
define principle 2 (competence)
in circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and implications of their actions
define principle 3 (audit trail)
an audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. an independent third party should be able to examine those processes and achieve the same result
define principle 4 (responsibility)
the person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to
why should you always remove the end attached to the computer and not the end attached to the socket?
to avoid any data being written to the hard drive if an uninterruptible power protection device is fitted
what should be seized for reconstruction of the system?
main unit
monitor
keyboard and mouse
all leads
power supply units
hard disks
dongles - small connectors plugged into the back of the machine
In the forensic process, what does acquisition entail?
- Correct consents, legal documents, and procedures must be in place
- Pictures, video, written descriptions of where everything was found
- Don’t alter anything
In the forensic process, what does identification entail?
- Physical identification of digital equipment, bagged and tagged
- Where, logically, did the evidence come from?
- What kind of evidence is it?
In the forensic process, what does evaluation entail?
- How was the data produced?
- Who produced it?
- When was it produced?
- Is the evidence relevant to the investigation?
- Are there any signs of foul play?
In the forensic process, what does presentation entail?
- Interpretation of data recovered
- Write/present for non-experts
- Technically correct
- Defence of findings in the witness box
Computer misuse act (1990)
Section 1 - unauthorised access to computer material
Section 2 - unauthorised access with intent to commit or facilitate the commission of a further offence
Section 3 - unauthorised modification of computer material
Protection of children act (POCA) (1978)
Section 1:
a. taking, making, or possessing…
b. distributing…
c. possessing with a view to distributing…
an indecent photograph of a child
Criminal justice and public order act (1994)
amended S(1) of POCA to include pseudo-photographs
sexual offences act (2003)
amended POCA further:
- increase age of child from 16 to 18
- added a defence where an indecent photograph of a child over the age of 16 was created by the child’s long term partner
- added a defence where it is necessary to create an indecent image of a child for criminal investigation
what are the two things which must be proven to prove a crime has been committed?
- actus reus - from the Latin "guilty act":
- pictures found
- mens rea - from the Latin "guilty mind":
- pictures saved
- pictures renamed
- searching for pictures
- browsing multiple pages
- access to pictures
define facial composite system
tool for creating a likeness to a suspect’s face based on an eyewitness’ description
what were the four steps of the initial Fisher and Geiselman Original Cognitive Interview?
- reinstate the context - surrounding environment and how you were feeling
- report everything
- recall the events in different orders
- change perspectives
what are the steps of the enhanced cognitive interview?
- rapport building
- recreate the context of the event
- open ended narration
- questioning
- closure
why was perspective change removed from the cognitive interview?
traumatic for the victim and could lead to false memories
what is the acronym for the reliability of eyewitness evidence?
Amount of time under observation
Distance
Visibility
Obstruction
Known or seen before
Any reasons to remember
Time lapse
Error or material discrepancy
ADVOKATE