    File000153 Presentation Transcript

    • Module XL - Printer Forensics
    • EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
    • News: Inkjet Research Could Aid Forensics (Source: http://www.pcworld.com/)
    • News: Particulate Emissions From Laser Printers (Source: http://www.sciencedaily.com/)
    • Module Objective
      This module will familiarize you with:
      • Introduction to Printer Forensics
      • Different Printing Modes
      • Methods of Image Creation
      • Printer Forensics Process
      • Digital Image Analysis
      • Document Examination
      • Phidelity
      • Cryptoglyph Digital Security Solutions
      • DocuColor Tracking Dot Decoding
    • Module Flow (diagram labels): Introduction to Printer Forensics; Printer Forensics Process; Methods of Image Creation; Cryptoglyph Digital Security Solutions; Phidelity; Document Examination; Digital Image Analysis; Different Printing Modes
    • Printer Forensics
    • Introduction to Printer Forensics
      • Printer forensics refers to the investigation of any printed document or of the printer used to print the document
      • Investigation of documents and printers provides valuable information about a crime to law enforcement and intelligence agencies
      • In several cases, printed material is a direct accessory to criminal acts
        • Examples include forgery or alteration of documents used for purposes of identity, security, or recording transactions
        • Printed material may be used in the course of conducting illicit or terrorist activities
        • Examples include instruction manuals, team rosters, meeting notes, and correspondence
    • Different Printing Modes
      • Monochrome: A monochrome printer can only produce an image consisting of one color, usually black
      • Color printer: A color printer can produce images of multiple colors
      • Photo printer: A photo printer is a color printer that can produce images that mimic the color range and resolution of photographic methods of printing
    • Methods of Image Creation
      • Toner-based printers:
        • Toner-based printers adhere toner to a light-sensitive print drum
        • They use static electricity to transfer the toner to the printing medium, to which it is fused with heat and pressure
        • Different toner-based printers are:
          • Laser printers use precise lasers to cause adherence
          • LED printers use an array of LEDs to cause toner adhesion
      • Inkjet printers:
        • Inkjet printers spray small, precise amounts of ink onto the media
    • Methods of Image Creation (cont’d)
      • Impact printers:
        • Impact printers rely on a forcible impact to transfer ink to the media, similar to typewriters, and are typically limited to reproducing text
        • A daisy wheel printer is a specific type of impact printer where the type is molded around the edge of a wheel
      • Dot-matrix printers:
        • These printers rely on a matrix of pixels, or dots, that together form the larger image
        • The term is specifically used for impact printers that use a matrix of small pins to create precise dots
        • They can produce graphical images in addition to text
    • Methods of Image Creation (cont’d)
      • Line printers print an entire line of text at a time
      • The two principal designs of line printers:
        • Drum printers: A drum carries the entire character set of the printer repeated in each column that is to be printed
        • Chain printers or train printers: The character set is arranged multiple times around a chain that travels horizontally past the print line
    • Methods of Image Creation (cont’d)
      • Digital minilab:
        • A digital minilab is a computer printer that uses traditional chemical photographic processes to make prints of digital images
        • Photographs are input to the digital minilab using a built-in film scanner that captures images from negative and positive photographic films
    • Methods of Image Creation (cont’d)
      • Dye-sublimation printer:
        • A dye-sublimation printer uses heat to transfer dye to a medium such as poster paper, plastic card, etc.
        • It lays down one color at a time with the help of a ribbon that has color panels
      • Spark printer:
        • A spark printer uses a special paper coated with a layer of aluminum over a black backing, which is printed on by applying a pulsing current to the paper via two styli that move across on a moving belt at high speed
    • Printers with Toner Levels (Make/Model: Toner)
      • HP LaserJet 4300: 72%
      • HP LaserJet 4350: 72%
      • HP LaserJet 4350: 72%
      • Xerox Phaser 5500DN: 94%
      • Xerox Phaser 5500DN: 31%
      • Xerox Phaser 5500DN: 60%
      • Xerox Phaser 8550DP: -
    • Parts of a Printer
      A printer is comprised of:
      • A print head with a print head connector
      • A carriage with a carriage connector, which can detach the print head from the print head connector
      • A driver for driving the print head
      • A microprocessor for controlling the driver in accordance with an N-bit print head identification signal, wherein N is a positive integer
      • A plurality of signal lines for connecting the microprocessor to the carriage connector
      • A parallel-to-serial converter, which is disposed on the print head, for converting N parallel inputs into an N-bit print head identification signal
    • Printer Identification Strategy
      Two strategies to identify a printer that was used to print a document:
      • Passive:
        • The passive strategy involves characterizing the printer by finding intrinsic features in the printed document that are characteristic of that particular printer, model, or manufacturer's products
        • This is referred to as the intrinsic signature
      • Active:
        • In the active strategy, an extrinsic signature is embedded in a printed page
        • The extrinsic signature is obtained by modulating the process parameters in the printer mechanism to encode identifying information such as the printer serial number and date of printing
    • Printer Identification (diagram labels): Unknown Document; Extra Characters; Extra Features; Variance/Entropy; GLCM Features; SVM Classifier; Majority Vote; Output class; Individual Characters; Feature Vector per Character
    • Printer Forensics Process
      • Pre-processing
      • Printer Profile
      • Forensics
      • Ballistics
    • Pre-Processing
      • A printed document is first digitally scanned and saved in an uncompressed format
      • In the first stage, multiple copies of the same character are located in the scanned document
      • A user first selects a bounding box around a character of interest to serve as a template
      • To minimize the effect of luminance variations across printers, the intensity histograms of the characters are matched as follows:
        • Select a random set of characters and average their intensity histograms to create a reference histogram, so that the luminance variation across printers is minimized
        • Each character’s intensity histogram is then matched to this reference histogram
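The histogram-matching step above, as an added example that is not part of the original slides. It uses the standard cumulative-histogram mapping, which is an assumption because the slides do not name a method; the glyphs are constructed 4x4 samples standing in for scanned characters.

```python
import random
from itertools import accumulate

LEVELS = 256  # 8-bit greyscale scan


def histogram(glyph):
    """Normalised intensity histogram of one glyph (rows of 0-255 values)."""
    pixels = [p for row in glyph for p in row]
    counts = [0] * LEVELS
    for p in pixels:
        counts[p] += 1
    return [c / len(pixels) for c in counts]


def reference_histogram(glyphs, k, seed=0):
    """Average the histograms of k randomly chosen glyphs."""
    chosen = random.Random(seed).sample(glyphs, k)
    hists = [histogram(g) for g in chosen]
    return [sum(h[i] for h in hists) / k for i in range(LEVELS)]


def match_to_reference(glyph, reference):
    """Remap grey levels so the glyph's cumulative histogram follows the reference."""
    src_cdf = list(accumulate(histogram(glyph)))
    ref_cdf = list(accumulate(reference))
    lut, h = [], 0
    for g in range(LEVELS):
        # Smallest reference level whose cumulative mass reaches that of level g.
        while h < LEVELS - 1 and ref_cdf[h] < src_cdf[g] - 1e-9:
            h += 1
        lut.append(h)
    return [[lut[p] for p in row] for row in glyph]


def mean_intensity(glyph):
    pixels = [p for row in glyph for p in row]
    return sum(pixels) / len(pixels)


def make_glyph(ink, paper):
    """Constructed 4x4 'character': top half ink, bottom half paper."""
    return [[ink] * 4] * 2 + [[paper] * 4] * 2


# Constructed data: the same character from a darker and a lighter printer.
GLYPHS = [make_glyph(20, 230)] * 3 + [make_glyph(60, 250)] * 3

if __name__ == "__main__":
    ref = reference_histogram(GLYPHS, k=len(GLYPHS))
    before = [mean_intensity(g) for g in (GLYPHS[0], GLYPHS[5])]
    after = [mean_intensity(match_to_reference(g, ref)) for g in (GLYPHS[0], GLYPHS[5])]
    print("mean intensity before:", before, "after:", after)
```

After matching, the two glyphs carry the same grey levels, so what remains to compare between printers is shape degradation rather than overall brightness.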
    • Printer Profile
      • Once the characters are aligned properly, a profile is constructed based on the degradation introduced by the printer
      • Because of the complex nature of the degradation, a data-driven approach is used to characterize it
      • A principal components analysis is applied to the aligned characters to create a new linear basis that embodies the printer degradation
    • Forensics
      In a forensics setting, determine if a part of the document has been manipulated:
      • Splicing in portions from a different document
      • Digitally editing a previously printed and scanned document and then printing the result
    • Ballistics
      • In a ballistics setting, determine if a document was printed from a specific printer
      • A printer profile is generated from a printer to determine if the document in question was printed from this printer
      • Assume that the printer profile is constructed from the same font family and size as the document to be analyzed
    • A Clustering Result of a Printed Page (figure labels: HP LaserJet, Xerox Phaser)
      • The printed page shows a clustered result of the HP LaserJet and Xerox Phaser
      • The top part of the page was printed on an HP LaserJet 4350 and the bottom half was printed on a Xerox Phaser 5500DN
      • These documents were scanned, combined, and printed on an HP LaserJet 4300 printer
      • A printer profile was created from 200 copies of the letter ‘a’
      • The printer profile is effective in detecting fakes composed of parts initially printed on different printers
    • Digital Image Analysis
      • The digital image analysis technique is used to analyze patterns generated in the printed document due to irregular movements by the print engine
      • The irregular movement causes lines to be printed across a page instead of solid, smooth print; this is known as banding
      • The banding effect has been attributed to two causes:
        • Fine banding is due to the imbalance of the rotor component of the polygon mirror or mechanical weaknesses of the laser scanning unit
        • Rough banding is caused by unsteady motion of the photoconductor drum or the fuser unit
      • This banding can be used to link a document to the printer that produced it
    • Printout Bins
      • Printout bins are a staging area for documents after they have been printed
      • Each printout carries information about the related project and the user who printed the document
      • The bin holds information that uniquely identifies the user by name, PIN number, the user project number, and the date and/or time the printout was prepared, etc.
      • Bin access is allowed only if:
        • Acceptable confidential user identification is presented
        • At least one printout for that user is presently contained in the locked bin
    • Document Examination
      • Document examination is an important aspect of printer forensics for analyzing documents
      • Printed documents can be examined to:
        • Determine whether the document is genuine or counterfeit
        • Determine the way the document was generated
        • Examine the machines used to print the document
      • The various factors considered by the document examiner:
        • The paper type (physical properties, optical properties)
        • Security features of the paper (e.g. watermark)
        • Printing process used
        • Verification of other digital evidence such as perforations
        • Microscopic analysis reveals tiny imperfections that link one document to another
    • Document Examination (cont’d)
      The different aspects of examination:
      • Altered or obliterated writing:
        • The presence of physical alterations or obliterated writing can sometimes be determined, and the writing can sometimes be deciphered
        • The manufacturer can sometimes be determined if a watermark is present
      • Examining date of document:
        • Paper examination - the letterheads and watermarks of business or personal stationery will be modified from time to time by the manufacturer
        • Typescript - comparison of typewritten documents produced by an organization over a period of time
    • Document Examination (cont’d)
      • Signature examination:
        • Signature examinations generally involve the comparison of specimen (provable) signatures against questioned (disputed) signatures
        • In signature comparison, the features of the questioned signature(s) - construction, shape, proportions and fluency - are assessed and then compared with the same features in the specimen signatures
      • Examining spur marks found on inkjet-printed documents:
        • Spur marks are tool marks created by the spur gears in the paper conveyance system of many inkjet printers
        • The spur marks on the printed document are compared with the spur marks of known printers to establish the relationship between them
        • The comparison of two spur marks is based on two characteristics: pitch and mutual distance
    • Services of a Document Examiner
      • The document examiner examines the document for any alterations, counterfeiting, and substitutions
      • The examiner conducts research related to the document
        • The research includes finding comparable documents to verify authenticity, paper used, type of printer, etc.
      • The examiner conducts tests on the documents to reach conclusions
      • The examiner prepares a review based on the outcome of the tested documents
    • Tamper-Proofing of Electronic and Printed Text Documents
      • Text documents should be tamper-proofed and authenticated so that they can be distributed in electronic or printed form
      • A text document authentication system aims at deciding whether a given text document is authentic or not
      • A text document tamper-proofing system aims at verifying the authenticity of a text document and indicating the local modifications, if the document is suspected to be a fake
    • Tamper-Proofing of Electronic and Printed Text Documents (cont’d)
      There are three approaches to hash-based document authentication, based on where the hash is stored:
      • Hash storage in an electronic database
      • Hash storage onto the document itself using auxiliary special means such as 2D bar codes, special inks or crystals, magnetic stripes, memory chips, etc.
      • Hash storage onto the document's content itself using data-hiding techniques
    • Phidelity
      • Phidelity is a technology used to enhance the security of printed documents by providing layers of protection
      • Phidelity's Optical Watermark makes innovative use of normal printers to print visual covert and overt watermarks
      • It generates secure optical watermarks against various types of possible attacks while only using common desktop printers, eliminating the need for special inks or papers
      • Phidelity's Microprint is the creative use of printer capabilities to print small fonts
      • By printing important document information as Microprint, any casual copying of the original document will result in highly distorted text in the duplicates
    • Zebra Printer Labels to Fight Against Crime
      • Law enforcement agencies rely on Zebra printer labels for accurate and confidential printing when collecting important criminal evidence
      • Labels printed with Zebra bar code printers help to identify criminal evidence more quickly
      • The printers can also produce ID badges (both for criminals and law enforcement) and help keep track of criminal records confidentially and safely
    • Cryptoglyph Digital Security Solution
      • The Cryptoglyph security process provides an invisible marking with standard ink and standard printing processes
      • It can be easily integrated into any current packaging production line or any document processing workflow before printing
      • Embed the invisible Cryptoglyph file in the prepress digital packaging image file, or generate it before printing with your document processing system
      • Cryptoglyph requires no packaging design or page template modification
    • Case Study: Dutch Track Counterfeits via Printer Serial Numbers
      Wilbert de Vries (WebWereld Netherlands), 26/10/2004 08:39:31
      It appears that although consumers aren't aware of the hidden code on their color prints, government agencies are. And they are using this knowledge in their battle against counterfeiters -- with help from well-known printer manufacturers.
      Security
      Sources familiar with the printer industry confirm this built-in security is in fact a unique number that is printed on every color page. The code, in yellow, can be printed on a line as thin as 0.1 millimeter. With help from manufacturers like Canon, authorities can gather information about the printer used in counterfeit crimes. The number tells them in which country a specific printer has been delivered, and to what dealer. The dealer then can lead them to the local computer store where the printer was sold.
      Success
      "We are familiar with this research method," said Ed Kraszewski of the Dutch national police agency KLPD. "We are using it in our research and it has proven to be successful in the past." Even though the spokesman cannot detail what kind of successes or in what cases the agency is using this method now, anonymous sources confirm that the Dutch Railway Police, part of the KLPD, is investigating a gang that could be counterfeiting tickets on a large scale. As part of the research in this case, officers have tracked down the printer used to print the fake tickets. They are now trying to get the name of the person who bought the printer. A local distributor in the Netherlands was visited by two officers with specific questions about the printer. "Their research led them to our company," said the director of the big Dutch distributor, who wants to remain anonymous. "It concerned an investigation about counterfeit tickets. With the number they apparently found, they could see what engine was used. They knew exactly what printer was used and wanted to know to whom I had sold that specific printer." The company's records only revealed in what batch the printer had arrived. The police left the building with specific sales information about that batch, which contained about a hundred printers. The investigation is still running, according to a spokesman for the team investigating this matter.
    • Is Your Printer Spying On You?
      • Imagine that every time you printed a document, it automatically included a secret code that could be used to identify the printer - and potentially, the person who used it
      • In a purported effort to identify currency counterfeiters, the US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information
      • For a list of printers with this tracking capability, please visit:
        • http://www.eff.org/Privacy/printers/list.php
    • DocuColor Tracking Dot Decoding
      • The yellow dots become visible when the dot grid is viewed under 60x magnification
    • DocuColor Tracking Dot Decoding (cont’d)
      • Computer graphics software is used to overlay the black dots in the microscope image with larger yellow dots for clear visibility
    • DocuColor Tracking Dot Decoding (cont’d)
      • The topmost row and the left column are the parity row and column for error correction
      • They help to verify the forensic information for correctness
      • The rows and columns have odd parity
    • DocuColor Tracking Dot Decoding (cont’d)
      Each column is read from top to bottom as a single byte of seven bits; the bytes are then read from right to left. Columns from left to right have the following meanings:
      • 15: Unknown (often zero; constant for each individual printer; may convey some non-user-visible fact about the printer's model or configuration)
      • 14, 13, 12, 11: Printer serial number in binary-coded decimal, two digits per byte (constant for each individual printer; see below)
      • 10: Separator (typically all ones; does not appear to code information)
      • 9: Unused
      • 8: Year that page was printed (without century; 2005 is coded as 5)
    • DocuColor Tracking Dot Decoding (cont’d)
      • 7: Month that page was printed
      • 6: Day that page was printed
      • 5: Hour that page was printed (may be UTC time zone, or may be set inaccurately within printer)
      • 4, 3: Unused
      • 2: Minute that page was printed
      • 1: Row parity bit (set to guarantee an odd number of dots present per row)
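A decoder for the dot grid described on the DocuColor slides above, as an added example that is not part of the original presentation. It assumes columns are numbered 1 to 15 from left to right (so column 1 is the left-hand parity column), that the row directly under the parity row is the most significant bit, and that each serial column yields two decimal digits; the sample grid is constructed, not taken from a real printer.

```python
"""Decode a DocuColor tracking-dot grid: 8 rows x 15 columns of yellow dots."""

SERIAL_COLS = (14, 13, 12, 11)   # two decimal digits per column
TIME_COLS = {"year": 8, "month": 7, "day": 6, "hour": 5, "minute": 2}


def parse_grid(text):
    """Turn a transcription ('o' = dot, '.' = blank) into 8 rows of 15 bits."""
    rows = [[1 if ch == "o" else 0 for ch in line.strip()]
            for line in text.strip().splitlines()]
    if len(rows) != 8 or any(len(row) != 15 for row in rows):
        raise ValueError("expected 8 rows of 15 cells")
    return rows


def render(grid):
    """Inverse of parse_grid, for writing a grid into case notes."""
    return "\n".join("".join("o" if bit else "." for bit in row) for row in grid)


def parity_errors(grid):
    """Return (bad_rows, bad_columns), 1-based; every line must hold an odd
    number of dots. Assumption: the corner cell shared by the parity row and
    the parity column is not checked, since the slides do not define it."""
    bad_rows = [r + 1 for r in range(1, 8) if sum(grid[r]) % 2 == 0]
    bad_cols = [c + 1 for c in range(1, 15)
                if sum(grid[r][c] for r in range(8)) % 2 == 0]
    return bad_rows, bad_cols


def column_value(grid, col):
    """Read column `col` (1 = leftmost) top to bottom as seven bits.
    Assumption: the row under the parity row is the most significant bit."""
    value = 0
    for r in range(1, 8):
        value = (value << 1) | grid[r][col - 1]
    return value


def decode(grid):
    """Check parity, then return the fields named on the slides."""
    bad_rows, bad_cols = parity_errors(grid)
    if bad_rows or bad_cols:
        raise ValueError(f"parity failure: rows {bad_rows}, columns {bad_cols}")
    fields = {name: column_value(grid, col) for name, col in TIME_COLS.items()}
    fields["serial"] = "".join(f"{column_value(grid, c):02d}" for c in SERIAL_COLS)
    fields["separator"] = column_value(grid, 10)
    return fields


def encode(values):
    """Build a grid from {column: value}; used only to construct sample data."""
    grid = [[0] * 15 for _ in range(8)]
    for col, value in values.items():
        for r in range(1, 8):
            grid[r][col - 1] = (value >> (7 - r)) & 1
    for c in range(1, 15):                      # column parity, top row
        grid[0][c] = 1 - sum(grid[r][c] for r in range(1, 8)) % 2
    for r in range(1, 8):                       # row parity, left column
        grid[r][0] = 1 - sum(grid[r][1:]) % 2
    return grid


# Constructed sample: serial 12345678, year 8, month 3, day 14, 09:26.
SAMPLE = encode({14: 12, 13: 34, 12: 56, 11: 78, 10: 127,
                 8: 8, 7: 3, 6: 14, 5: 9, 2: 26})

if __name__ == "__main__":
    print(render(SAMPLE))
    print(decode(parse_grid(render(SAMPLE))))
    damaged = [row[:] for row in SAMPLE]
    damaged[3][5] ^= 1                          # one misread dot: row 4, column 6
    print("failing (rows, columns):", parity_errors(damaged))
```

A single misread dot fails exactly one row and one column, and their intersection tells the examiner which cell to re-inspect under the microscope.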
    • Tools
    • Print Spooler Software
      • The print spooler prints the document to the intended printer when the printer is ready
      • It frees system resources to perform other tasks while the Line Printer Requester (LPR) print spooler performs the printing process
      • It sends the job to the print queue for processing
      • It manages the printing process
      • Spooling prepares a file for printing, emailing, or sending to a device or system that is presently occupied by other tasks
    • Investigating Print Spooler
      • For each print job on Windows XP, the files found in the C:\Windows\System32\spool\Printers folder are:
        • .SPL: the spool file, which contains the print job’s spool data
        • .SHD: the shadow file, which contains the job settings
      • To view the metadata of the print job, use the PA Spool View tool
      • To view the spooled pages, use the EMF Spool View tool
      • Enhanced metafiles provide true device independence
      • Enhanced metafiles are standardized, which allows pictures stored in this format to be copied from one application to another
      • Check the spool folder location of a specific printer by opening the registry key:
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<printer>
    • Printer Tools
      • iDetector is an effective tool to visually compare inspected documents and products with genuine ones
      • Print Inspector lets you manage the print jobs queued to any shared printer and provides easy access to the printer and print server settings
    • Tool: EpsonNet Job Tracker (http://www.business-solutions.epson.co.uk/)
      • EpsonNet Job Tracker is a web-based software application
      • It gives a clear picture of what is being printed, where, and by whom, thereby helping you control your printing costs
      • Benefits of EpsonNet Job Tracker:
        • Monitors and analyzes network printer activity
        • Controls access to color, keeps costs down
        • Manages print resources, improves network traffic
        • Defines printer activity; calculates, assigns, and recovers costs
        • Sends reports automatically to departments and managers
        • Controls by time of day, type of printing, number of pages
    • Summary
      • Printer forensics refers to the investigation of any printed document or of the printer used to print the document
      • Investigation of documents and printers provides valuable information for law enforcement and intelligence agencies
      • The different printing modes are monochrome, color printer, and photo printer
      • Methods used for image creation are: toner-based printers, inkjet printers, impact printers, dot-matrix printers, line printers, digital minilab, dye-sublimation printer, and spark printer
      • A printed document is first digitally scanned and saved in an uncompressed format
      • Method and system for identifying and facilitating access to computer printouts contained in an array of printout bins