• Save
LCI - MICC Seminario-Forensics
Upcoming SlideShare
Loading in...5
×
 

LCI - MICC Seminario-Forensics

on

  • 1,740 views

Amerini Irene Seminario Digital Forensics - MICC LCI - Firenze Università degli Studi

Amerini Irene Seminario Digital Forensics - MICC LCI - Firenze Università degli Studi

Statistics

Views

Total Views
1,740
Views on SlideShare
1,350
Embed Views
390

Actions

Likes
2
Downloads
0
Comments
0

3 Embeds 390

http://lci.micc.unifi.it 383
http://translate.googleusercontent.com 6
http://webcache.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Casi di pirateria nelle copisterie: dati 2 file pdf (copie dello stesso docuemtno carteceo) si vuole sapere se sono state scannerizzate dallo stesso scanner e quinid dalla stessa copisteria o da due scanner diversi
  • AREE Valgono gli stessi principi generali della digital forensics per la trattazione dei reperti digitali: -preservazione dell’originale -acquisizione integra e non ripudiabile -utilizzo di copie di lavoro -documentazione e ripetibilità Data recovery da qualsiasi dispositivo di supporto digitale In primis la computer forensics si occupa del trattamento, della raccolta e della preservazione delle prove digitali Network forensic: Accesso abusivo ad un sistema informatico o telematico Esistenza di sistemi e supporti per la connessione che possono essere interessati (hub, switch, proxy, ecc.). Analizzare file di LOG, software di monitoring, report di IDS, ecc Intercettazione del traffico(sniffing) raccolta del traffico e sua ricostruzione Prouezione occultamento dei dati: accesso ai dati remoti
  • Parallelo pistola e bossolo Tampering: img digitale oggetto per accusare una persona (macchina di sangue rimossa) Spostare la decisione Ottenere un vantaggio Applicazioni per la sanità (radiografia contraffatta soldi dall’assicurazione)
  • Classi di prblemi che vengono investigati: -distinguere tipo di marca e modello di un tipo di device (Digital camera, scanner, cell-phone, camcorder) -date 2 img dire se appartengono allo stesso dispositivo -distinguere tra tipi di device: DC vs Scanner DC vs CG DC vc CG vs Scanner
  • Crypto: il digest è legato strettamente al contenuto e viene definito un particolare formato e non è possibile usarne altri; per ogni midifca fatta sull’immagine il digest cambia.
  • Lens system: concave e convesse per prevenire aberrazione cromatica e sferica oppure lenti asferiche Auto-esposimetro Auto-focus Unità di stabilizzazione Filtri infrarossi; anti-aliasing filter CFA per produrre un’immagine a colori Sensor: matrice di fotodiodi; quando la luce colpisce il sensore ciascun pixel del sensore generano un segnale proprorzionale all’intensità luminosa che è poi convertita in un segnale digitale con un convertitore analogico-digitale DIP Digital Image Processor
  • Identificare digital camera Ma anche scanner e computer graphics
  • Template deterministoco impresso sopra l’immagine PNU (pixel non uniformity) Low frequency defects : rifrazione della luce, particelle di polvere
  • Y intensità della luce incidente Sigma fattore di guadagno per ottenere il corretto bilanciamento del bianco Gamma gamma correction Video: PRNU fingerprint from a video segment; Scanner: row noise reference pattern
  • Tutte le righe del pattern noise bidimensionale uguali Segnale viene costruito concatenando queste righe questo degnale è un segnale periodico di periodo M (numero colonne) Ora il segnale così costruito ha N ripetizioni quindi in frequenza avrà dei picchi collocati in NxM/M =N. Qunadi la maggior parte dell’energia di questo segnale sarà posizionata in questi picchi
  • Lens system: concave e convesse per prevenire aberrazione cromatica e sferica oppure lenti asferiche Auto-esposimetro Auto-focus Unità di stabilizzazione Filtri infrarossi; anti-aliasing filter CFA per produrre un’immagine a colori Sensor: matrice di fotodiodi; quando la luce colpisce il sensore ciascun pixel del sensore generano un segnale proprorzionale all’intensità luminosa che è poi convertita in un segnale digitale con un convertitore analogico-digitale DIP Digital Image Processor

LCI - MICC Seminario-Forensics LCI - MICC Seminario-Forensics Presentation Transcript

  • Seminario Digital Forensics: “ Identificazione di dispositivi per l’acquisizione di immagini in ambito forense” Irene Amerini Firenze 7.11.2008
  • Outline
    • Scenario
    • Digital Forensic
    • Types of problems
    • Acquisition Device Identification
    • Methodology
    • Research Topics
  • Scenario Digital images every where ... as a result of a tremendous amount of growth in digital imaging technology
    • What technologies were employed?
      • Captured using a digital camera, cell phone camera, digital scanner, camcorder?
      • Generated by computer graphic ?
      • What type of sensor was used?
      • Given two images, are they acquired by devices with similar technologies?
    • Which camera brand took this picture?
      • What model ?
    • Any post-processing ? How?
      • Has it been tampered? manipulated?
    • Does it have any hidden info ?
  • Scenario Fake or Photo?
  • Scenario Problem : digital images or videos are not easily acceptable in a court because it is difficult to establish their integrity, origin, and authorship Solution : Digital Forensic Use : assisting human investigator by giving instruments for the authentication and the analysis of a digital clue turning it in a evidence. Evidence
  • Digital Forensic
    • Application fields :
      • Computer Forensic: data recovery
      • Network Forensic: information security
      • Multimedia Forensic :
        • image, video and audio
        • forensic image analysis is the application of image science and domain expertise to interpret the content of an image or the image itself in legal matters (SWGIT- www.fbi.gov )
    • Standard operation procedures (SOPs):
    • Acquisition of imagery
    • Production of working copies
    • Analysis
    • Documentation and repeatability
  • Multimedia Forensic
    • Application Scenarios :
      • Camera Ballistic : tracing the acquisition device finding the owner of the ”guilty” device.
        • Child pornography image or video
      • Illegal copy of a digital content: how was created (different types of devices)
        • Cinema recaptured video by a camcorder
        • Scanned book
      • Tampered data: how and where the picture has been forged
        • crime scene
        • biomedical image
  • Multimedia forensic: types of problems
    • Acquisition device identification
      • Kind of device
      • Brand
      • Specific device
    • Assessing image integrity
      • Copy-move
      • Splicing
      • Double JPEG compression
  • Digital Forensic Definition : “Use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis , interpretation , documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” ( def. Digital Forensic Research Workshop 2001) Digital evidence or electronic evidence is any probative information stored or transmitted in digital form.
  • Source Identification: the road map
    • Dumb solution
      • metadata information but can be edited (EXIF JPEG format)
    • Active approach
      • watermark , digital signature but the commercial cameras don’t insert such content (Secure camera)
    • No external information at hand!!!
    • Passive approach
      • Only the digital content at disposal
      • Observation : acquisition process and post-processing operation leave a distinctive imprint on the data a digital fingerprint
      • Idea: fingerprint extraction and check intrinsic features present within the digital content
  • Acquisition Process
    • Digital camera
      • CFA: Bayer pattern (GRGB)
      • sensor: CCD, CMOS
      • Digital Image Processor: interpolation, white balancing, gamma correction, noise reduction
      • JPEG compression
  • Methodology - Lens
    • Lens Aberration
    • Lens Distortion used lens radial distortion, which deform the image by causing straight lines in object space to be render as curved lines.
      • Fingerprint: distortion parameters
    • Chromatic Aberration is the phenomenon where light of different wavelenghts fail to focus at the same position on the sensor causing misalignment between the RGB channels
      • Fingerprint: distorted parameters
  • Methodology - CFA
    • Color Filter Array and Demosaicking
    • CFA allows only one color to be measured at each pixel: the missing two color values must be estimated: demosaicking.
    demosaicking
    • Each manufacturer: different algorithm for color interpolation
    • Fingerprint :interpolation algorithm and CFA pattern
  • Methodology - Sensor
    • Sensor imperfections
    • defective pixels: hot/dead pixels (removed by post-processing)
  • Methodology - Sensor
    • Sensor imperfections
    • shot noise (random)
    • pattern noise (systematic)
    • Fixed Pattern Noise : dark current (exposure, temperature) suppressed subtracting dark frame from image.
    • Photo Response Non Uniformity : inhomogenities silicon wafer and imperfection imposed during sensor manufacturing process (flat fielding).
    PRNU as Fingerprint
  • Methodology - Sensor Noise responsible for PRNU
    • Assumption : camera available or other N images taken by the camera
    • Fingerprint estimate N smooth images
    F denoising filter (wavelet) fingerprint camera
    • Fingerprint detection : correlation
    • Given an image we calculate the noise pattern and then correlated with the known reference pattern from a set of cameras.
    • Decision : threshold
    Imaging Sensor Output Model:
  • Research Topics
    • Forensic framework based on PRNU method
      • image and video
      • different denoising filter and noise model
        • better estimate the PRNU (suppression of image content)
  • Research Topics Fuji Nikon Create a fingerprint FP Fuji FP Nikon
      • create fingerprint database (using real image)
    Set A Set B
  • Research Topics Test image Which camera: Fuji, Nikon model A or Nikon model B?
      • testing phase
  • Research Topics
      • result
    Fuji
    • Distinguishing between camera and scanned images
      • geometrical features of the sensor: bidimensional vs monodimensional CCD
      • find bidimensional PRNU
      • create a monodimensional signal
      • is it present a periodicity? (DFT)
        • YES Scanner (scanning direction)
        • NO Digital camera
      • is it possible to extend this approach to CG?
    Research Topics M N
  • Future Trends
    • New model for the acquisition process for better estimate the anomalies left by intrinsic disconformities in the manufacturing process of silicon sensor of a camera
    • Define new denoising filter
      • Suppression of image content
      • Different kind of sensor device
    • Information from manipulation detector may be used to fine-tune the process of source identification and vice-versa
    • Common dataset
    • Robustness: general conditions
  • Acquisition Process
    • Flat-bed Scanner
      • Tri-linear color filter array: no demosaicing
      • Mono dimensional sensor array
  • Decision
    • Chosen a set of features, we need a criterion to make a decision.
      • Estimation (threshold)
      • Classification (SVM)
  • Methodology - approaches
    • Others approaches
    • Color features ( deviation from gray, inter-band correlation, gamma factor )
    • BSM (binary similarity measures) correlations across adjacent bit-planes of an image
    • IQM (image quality metric), es. Laplacian Mean Square Error evaluated between an input image and its filtered version using a low-pass Gaussian filter
    • HOWS (Higher Order Wavelet Statistic), (mean, variance, kurtosis and skewness )
    • Decision : classification (SVM)
  • Research Topics
      • cam detection
    Test image PRNU FP Fuji FP Nikon Modello A correlation PRNU FP Nikon Modello B denoising
  • Identificazione di dispositivi per l’acquisizione di immagini in ambito forense Ing. Irene Amerini