Digital Forensics

Question 1

What is the job of the lens?

Answer 1

To focus light/image onto centre

Question 2

What is the job of the filter?

Answer 2

Reduce the sensitivity to infrared light

Question 3

What is the job of the sensor?

Answer 3

Turns light into a recordable image

Question 4

What does the DSP unit do?

Answer 4

Performs some basic image processing before the image is saved

Question 5

What is the focal point?

Answer 5

A point on the optic axis where parallel light rays converge

Question 6

What is the optic axis?

Answer 6

A line which runs perpendicular to the lens and directly through the middle

Question 7

What does CMOS stand for? And what is its use?

Answer 7

Complementary metal oxide semiconductor
It helps the light sensitive sensor chip to record all of the data in a very short space of time

Question 8

What does DSLR stand for?

Answer 8

Digital single lens reflex

Question 9

What are pixels?

Answer 9

Individual light sensitive cells which measure the amount of light that fall on them. They cover the cameras sensor

Question 10

How are coloured images produced?

Answer 10

The light seen by the camera is split in to the three primary colours which can than be used to create an accurate image through the use of a Bayer filter

Question 11

What is a Bayer filter?

Answer 11

A grid of coloured filters that sit over the sensor with red, green, and blue elements over individual pixels which will only allow their respective light colours through. It looks at pixels surrounding others to formulate an informed guess of what the true colour of that pixel is

Question 12

What is the job of the colour filter array?

Answer 12

It allows the digital camera to ‘see’ colours as it is colourblind without this and can only determine light intensity

Question 13

What are the two common configurations of the colour filter array? Can you describe them?

Answer 13

The Bayer pattern - checkered
The Stripe pattern - stripes

Question 14

What are photo sites?

Answer 14

Each square on the sensor element is a single photo site

Question 15

Why are there two times more green elements on the colour filter array compared to red and blue?

Answer 15

Due to the human eye being more sensitive to green light

Question 16

What are the two main types of sensors in the camera?

Answer 16

CCD (charge coupled device) and CMOS (complementary metal oxide semiconductor)

Question 17

Define photodiodes

Answer 17

Semiconductor devices that generate an electrical charge in proportion to the number of photons which reach them

Question 18

Where are photodiodes typically found?

Answer 18

They are tightly packed on a silicone wafer in CCDs and CMOSs

Question 19

What are the advantages of CCD sensors?

Answer 19

• Proven record of technologies and commercialization
• Low noise, high S/N because the surface is almost entirely photosensitive (compared to 1/4 in CMOS)

Question 20

What are the disadvantages of CCD sensors?

Answer 20

• High power consumption, slower speed
• on-chip peripheral circuits difficult to manufacture

Question 21

What are the advantages of CMOS sensors?

Answer 21

• Manufacture can be simpler and less expensive
• Use less power than CCD
• Physical size of detector is smaller

Question 22

What are the disadvantages of CMOS sensors?

Answer 22

• Relatively high noise

Question 23

Where are CMOS sensors and CCD sensors typically used?

Answer 23

CMOS - modern consumer cameras (phones)
CCD - scientific applications

Question 24

What is the job of the DSP (digital signal processors) molecule?

Answer 24

To read out the voltages from the image sensor which are then fed into an onboard image processing module which contains proprietary algorithms for improving the perceived quality, demosaicing, and compression

Question 25

Define spacial sampling

Answer 25

The average light intensity per pixel

Question 26

How many values per pixel to monochrome images have?

Answer 26

One

Question 27

Why does the image appear blurry when the light intensity pattern is continuous?

Answer 27

Each pixel only record the average light intensity

Question 28

Define resolution

Answer 28

The dimensions by which you can measure how many pixels are on a screen

Question 29

Why are sharper images shown on a phone compared to a laptop?

Answer 29

They both have the same number of pixels, but they are in a denser space on the phone

Question 30

What is a byte?

Answer 30

8 bits

Question 31

How do we make an image darker?

Answer 31

By subtracting a fixed constant from each of the RGB values

Question 32

Define point processing

Answer 32

The process of adjusting a pixels value according to a transformation function

Question 33

What is an image histogram?

Answer 33

A graph which records the number of pixels in an image, and the light intensity of each of these pixels, and displays this as a bar chart

Question 34

Why is a 4-bit image sometimes used instead of an 8-bit image?

Answer 34

It makes the image histogram clearer due to there being less values

Question 35

What is the function of a look-up table (LUT)?

Answer 35

It implements a functional mapping of pixel intensity values

Question 36

What are the seven methods for detecting photo forgery?

Answer 36

• Reverse image search
• EXIF data check
• Specular reflection
• Photogrammetry
• Inconsistencies in shadows/reflections
• Grey level resampling
• JPEG signatures

Question 37

What is image processing?

Answer 37

The technique of applying a relevant mathematical operation on a digitised image to generate an enhanced image or extract some useful features such as edge, shape, and colour

Question 37

What are the six purposes of spatial filtering?

Answer 37

• Image smoothing
• Noise removal
• Image sharpening
• Edge detection
• Inpainting
• Pre-processing

Question 37

How does image enhancement work?

Answer 37

It alters each pixel by the same amount in order to change the appearance of the image

Question 38

Give three applications of image processing

Answer 38

Medical imaging
Self-driving cars
Satellite imaging

Question 39

Which edges does a vertical difference mask highlight?

Answer 39

The horizontal edges

Question 40

Which edges does a horizontal difference mask highlight?

Answer 40

The vertical edges

Question 41

Define median filter

Answer 41

The output pixel value is determined as the neighbourhood median

Question 42

Define correlated noise

Answer 42

There is some sort of structure or pattern in the noise

Question 43

Define uncorrelated noise

Answer 43

No structure or pattern in the noise

Question 44

Why does correlated noise appear?

Answer 44

Electrical interference, source/sensor interference

Question 45

What effect does shutter speed have on noise?

Answer 45

Slower shutter speed can result in higher noise levels

Question 46

What is Gaussian noise?

Answer 46

Noise where the majority of the pixels have the same value of 127. There is a normal distribution around this number

Question 47

What is uniform noise?

Answer 47

Where the probability of getting any light intensity for a pixel is the same, meaning the distribution is flat

Question 48

What is salt and pepper noise?

Answer 48

The pixels have either a value of 0 or 255

Question 49

Why might salt and pepper noise appear?

Answer 49

Due to errors in transmission, dead pixels in a display, or photodiode leakage

Question 50

What are the advantages of removing salt and pepper noise with a median filter?

Answer 50

• Returns the median value of the pixels in the neighbourhood
• Is non-linear
• Is similar to a uniform blurring filter which returns the mean value of the pixels in a neighbourhood of a pixel
• Unlike a mean value filter, the median tends to preserve steep edges

Question 51

Why does shot noise occur?

Answer 51

Due to the random fluctuations in photon energy captured by the image sensor

Question 52

What is readout noise?

Answer 52

Electrical charge built up within the camera from the different onboard processes

Question 53

What are the two main types of pattern noise?

Answer 53

Photo response non-uniformity (PRNU) and dark signal non-uniformity (DSNU)

Question 54

What is PRNU?

Answer 54

The variation in pixel sensitivity cause by manufacturing defects and the natural non-uniformity of the silicon used in the image sensor

Question 55

What is DSNU?

Answer 55

fixed pattern noise due to ‘dark currents’ that occur in the sensor even when no light is incident upon it

Question 56

How do you obtain the fingerprint for a specific device?

Answer 56

1. Take at least 50 natural scene images using the suspected source camera
2. Individually filter each image using a wavelet denoising filter
3. Average together the filtered images to produce a unique fingerprint for the camera

Question 57

Why is the denoised image only an estimate?

Answer 57

Impossible to remove all noise

Question 58

Define latent fingerprint in terms of digital forensics

Answer 58

Pattern noise extracted from an evidential image

Question 59

Define exemplar fingerprint in terms of digital forensics

Answer 59

Average pattern noise extracted from a sample of images known to have originated from a specific imaging device

Question 60

Define steganograohy

Answer 60

The art/science of communicating by hiding secret messages in innocuous ‘cover’ objects

Question 61

Define acrostic

Answer 61

A text, usually a poem, in which particular letters, such as the first of each line, spell a word or phrase

Question 62

Define cover object

Answer 62

A message that can be transmitted without suspicion, such as an image file, digital sound, or written text

Question 63

Define stego-object

Answer 63

A cover object containing an embedded secret object

Question 64

Why should the same cover never be used more than once?

Answer 64

As two versions of one cover could easily be detected and possibly decoded

Question 65

Define stego-key

Answer 65

Used to encrypt the secret message

Question 66

Define pure steganography

Answer 66

Does not require the exchange of prior information such as a stego-key

Question 67

Define secret key steganography

Answer 67

A secret stego-key is exchanged prior to communicating using a stego-object

Question 68

Define binary image

Answer 68

Images whose pixels only have two possible intensity values

Question 69

What is the random interval method in steganography?

Answer 69

Where elements of the cover are chosen at random for hiding data. The ‘seed’ for the random places, typically a random number generator, must be available to both parties in the communication

Question 70

Define visual attack

Answer 70

A means of detecting embedded information, such as by visual inspection of the least significant bits only of a digital image

Question 71

Define statistical attack

Answer 71

Referring to non-visual methods for determining embedding

Question 72

Define image histogram

Answer 72

The frequency distribution of grey-levels within a digital image

Question 73

What does embedding in the least significant bits to do the image histogram?

Answer 73

Tends to average out pairs of values in the image histogram

Question 74

What statistical technique is used to determine the probability of embedding?

Answer 74

Chi-squared

Question 75

What do the observed values refer to in the Chi-squared equation?

Answer 75

The observed values are every other column in the image histogram

Question 76

What does a low chi-squared value imply?

Answer 76

That embedding has taken place

Question 77

What is the purpose of an image compression algorithm?

Answer 77

In order to reduce the storage requirements, sometimes at the expense of the image quality

Question 78

Define non-lossy (loseless) compression

Answer 78

Original image can be recovered exactly from compressed image file, such as portable network graphics (.png)

Question 79

Define lossy compression

Answer 79

Information lost when a file is compressed. Therefore, only an approximation to the original image is possible, such as joint experts photographic group JPEG (.jpg)

Question 80

Define coding redundancy

Answer 80

Caused by sub-optimal code words for encoding, a symbol typically represents a grey-level

Question 81

Define inter-pixel redundancy

Answer 81

Due to grey-level correlations between neighbouring pixels

Question 82

Define psycho-visual redundancy

Answer 82

Information contained within an image that is superfluous to the interpretation or aesthetics of an image

Question 83

In psycho-visual redundancy, what does clarity depend on?

Answer 83

1. Spacial frequency
2. Amplitude

Question 84

A measure of the compactness of a compressed image file is the compression raito Cr, but how is it defined?

Answer 84

b1/b2, where b1 is the number of bits in the original image and b2 is the number of bits in the encoded image

Question 85

Define symbol

Answer 85

A general term that can refer to pixel values or transformation coefficient values

Question 86

What is the first component of the image coder?

Answer 86

An image transformation (aka mapper)

Question 87

What does an image transformation do?

Answer 87

Converts the input image into a format that is better suited to encoding

Question 88

How does an image transformation convert the image into a format better suited to encoding?

Answer 88

It transforms pixels into coefficients. The coefficients that have a negligible magnitude can be discarded and the remaining can be coarsely quantised, thereby reducing the number of bits required to encode them

Question 89

What does the quantizer do?

Answer 89

Reduces the number of bits needed to store the coefficients that result from an image compression

Question 90

What does symbol coding do?

Answer 90

Compresses the image by exploiting the fact that in natural images some grey levels occur more frequently than others

Question 91

What is the JPEG image compression ‘recipe’?

Answer 91

1. Split into 8x8 blocks and treat each separately
2. Apply Discrete Cosine Transformation (DCT) to each image block
3. Quantise the DCT coefficients
4. Apply Huffman coding scheme to quantised coefficients

Question 92

Describe the process of Huffman encoding

Answer 92

1. Determine the image histogram of symbol values
2. Order the symbols by increasing probability of occurrence
3. Combine the two symbols with lowest probability
4. The above two steps are repeated until only the most probable symbol of the original image and the combined symbol remains
5. Assign the code word 1 to the most probable symbol in the image and 0 to the combined symbol
6. Efficient code words can now be assigned to the remaining symbols by reversing steps 2-4 and appending a 1 or 0 to the code word

Question 93

Define cryptosystem

Answer 93

Disguises messages, allowing only selected people to see through the disguise

Question 94

Define cryptography

Answer 94

The science of designing, building, and using cryptosystems

Question 95

Define cryptanalysis

Answer 95

The science of breaking a cryptosystem

Question 96

Define cryptology

Answer 96

The study of cryptogrpahy and cryptanalysis

Question 97

Define plaintext

Answer 97

The thing we want to keep private

Question 98

What is a key used for?

Answer 98

To ‘access’ the algorithm. Without it the cyphertext would not make sense

Question 99

What are the two basic methods for disguising messages?

Answer 99

Transposition and Substitution

Question 100

Describe the process of transposition encryption

Answer 100

1. Write the key horizontally as the heading for columns
2. Assign numerical values to each letter based on the letters order of appearance in the alphabet
3. Align plaintext message across each column
4. Read down each column according to ordinal value

Question 101

Describe the process of substitution encryption

Answer 101

1. Write the alphabet splitting it across two rows in the middle
2. Substitute each letter in the plaintext message with the letter above or below it to come up with the cyphertext

Question 102

Define symmetric key cryptography

Answer 102

Same key used to encrypt and decrypt the message

Question 103

Define asymmetric cryptogrpahy

Answer 103

Key for encryption is not the same as the key for decryption

Question 104

Define a hash

Answer 104

A transformation of data (message) into a distilled form (message digest) that is unique to the data and not reversible

Question 105

What is a hash used for?

Answer 105

To verify the integrity of the data

Question 106

What is the procedure for digital signing?

Answer 106

1. Arrange for the intended recipient to obtain a copy of your public key
2. Compute message digest for data
3. Encrypt digest using private key and append it to the original message before sending it to the intended recipient
4. Recipient uses sender’s public key to check the message has come from the sender and hasn’t been altered

Question 107

Define platter - hard disk drive structure

Answer 107

on which the information is stored

Question 108

define head - hard disk drive structure

Answer 108

writes to the platters

Question 109

what are tracks, sectors, and clusters?

Answer 109

tracks - a complete circuit
sectors - the smallest region
clusters - clusters of sectors

Question 110

how many sectors are typically in a cluster?

Answer 110

4

Question 111

define non-contiguous/fragmented files

Answer 111

operating system saves a file in fragmented sections so parts are placed in different locations to maximise the space on the hard disk

Question 112

define defragmentation

Answer 112

optimising the space on the hard disk by organising the parts of the files and allocating them more effectively

Question 113

two sectors of a cluster are used and two are not. what happens to the two that are not used?

Answer 113

they are file slack - they contain whatever was there before, such as partially overwritten, deleted files

Question 114

what is the best way to permanently delete something?

Answer 114

to overwrite it completely

Question 115

what is the handling system?

Answer 115

the part of the operating system which controls where the files are on the hard disk

Question 116

how are files generally identified?

Answer 116

by their three character extensions, such as .doc, .ppt

Question 117

what are file signatures and why are they important?

Answer 117

they are a known and recognisable header. they are important as they are a definite indicator of content as they cannot be changed, but extensions can

Question 118

give some examples of digital crime

Answer 118

hacking, trojans, grooming, viruses, blackmail, trafficking

Question 119

what is a worm?

Answer 119

a type of virus which can self-replicate without the user intervening. this can lead to a denial of service account (DOS)

Question 120

define principle 1 (data preservation)

Answer 120

no action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may be relied on in court

Question 121

define principle 2 (competence)

Answer 121

in circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and implications of their actions

Question 122

define principle 3 (audit trial)

Answer 122

an audit trial or other record of all processes applied to computer-based electronic evidence should be created and preserved. an independent third party should be able to examine those processes and achieve the same result

Question 123

define principe 4 (responsibility)

Answer 123

the person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to

Question 124

why should you always remove the end attached the computer and not the end attached to the socket?

Answer 124

to avoid any data being written to the hard drive is an uninterruptible power protection device is fitted

Question 125

what should be seized for reconstruction of the system?

Answer 125

main unit
monitor
keyboard and mouse
all leads
power supply units
hard disks
dongles - small connectors plugged into the back of the machine

Question 126

In the forensic process, what does acquisition entail?

Answer 126

• Correct consents, legal documents, and procedures must be in place
• Pictures, video, written descriptions of where everything was found
• Don’t alter anything

Question 127

In the forensic process, what does identification entail?

Answer 127

• Physical identification of digital equipment, bagged and tagged
• Where, logically, did the evidence come from?
• What kind of evidence is it?

Question 128

In the forensic process, what does evaluation entail?

Answer 128

• How was the data produced?
• Who produced it?
• When was it produced?
• Is the evidence relevant to the investigation?
• Are there any signs of foul play?

Question 129

In the forensic process, what does presentation entail?

Answer 129

• Interpretation of data recovered
• Write/present for non-experts
• Technically correct
• Defence of findings in the witness box

Question 130

Computer misuse act (1990)

Answer 130

Section 1 - unauthorised access to computer material
Section 2 - unauthorised access with intent to commit or facilitate the commission of a further offence
Section 3 - unauthorised modification of computer material

Question 131

Protection of children act (POCA) (1978)

Answer 131

Section 1:
a. taking, making, or possessing…
b. distributing…
c. possessing with a view to distributing…
an indecent photograph of a child

Question 132

Criminal justice and public order act (1994)

Answer 132

amended S(1) of POCA to include pseudo-photographs

Question 133

sexual offences act (2003)

Answer 133

amended POCA further:
- increase age of child from 16 to 18
- added a defence where an indecent photograph of a child over the age of 16 was created by the child’s long term partner
- added a defence where it is necessary to create an indecent image of a child for criminal investigation

Question 134

what are the two things which must be proven to prove a crime has been committed?

Answer 134

1. actus reus - from the latin guilty act:
   - pictures found
2. mens rea - from the latin guilty mind
   - pictures saved
   - pictures renamed
   - searching for pictures
   - browsing multiple pages
   - access to pictures

Question 135

define facial composite system

Answer 135

tool for creating a likeness to a suspect’s face based on an eyewitness’ description

Question 136

what were the four steps of the initial Fisher and Geiselman Original Cognitive Interview?

Answer 136

1. reinstate the context - surrounding environment and how you were feeling
2. report everything
3. recall the events in different orders
4. change perspectives

Question 137

what are the steps of the enhanced cognitive interview?

Answer 137

1. rapport building
2. recreate the context of the event
3. open ended narration
4. questioning
5. closure

Question 138

why was perspective change removed from the cognitive interview?

Answer 138

traumatic for the victim and could lead to false memories

Question 139

what is the acronym for the reliability of eyewitness evidence?

Answer 139

Amount of time under observation
Distance
Visibility
Obstruction
Known or seen before
Any reasons to remember
Time lapse
Error or material discrepancy
ADVOKATE