Upload: professionalwriters

Post on 22-Nov-2014

Digital Photograph as Forensic Evidence

www.assignmentwritingindia.com

Abstract

This paper gives an overview of the forensic significance and the legal implications of digital photography. Digital photography is an influential and resourceful tool for law enforcement. Law enforcement groups have recognized the benefits of photography in criminal investigations for many years. Photography is used in crime prevention through surveillance and security cameras, and during investigations to document physical evidence, which is an integral part of the case for the prosecution. Photographs can be extremely valuable evidence. The proper assessment and precise documentation of the crime scene is the most important preliminary step in every investigation. The notes, photographs and sketches produced to document the scene and the evidence found serve as an aid and a point of reference throughout the investigation. Images intended for use in a court of law must be acquired and processed by means of carefully documented procedures if they are to be acceptable as evidence. Digital photography plays a key role as legal evidence, but there are reasons to challenge it as evidence. Digital photography has flaws that must be detected carefully, and such evidence cannot simply be taken as appropriate. We discuss some of the issues that have arisen in practice and some of the tools used to extract details from digital photographs.

Table of Contents

1 INTRODUCTION
1.1 Digital photography
1.2 Advantages of Digital Photography
1.3 Altering of digital image
2 OVERVIEW OF DIGITAL IMAGE FORENSICS
2.1 Problems associated with the Photographs
2.2 Manipulation of Evidence
2.3 EXIF
3 RELEVANT FORENSIC TECHNIQUES
3.1 Imaging
3.2 Hashing
3.3 Carving
3.4 Identity Resolution
4 CURRENT TOOLS
4.1 EnCase
4.2 FTK
4.3 Sleuth kit
4.4 PyFlag
CONCLUSION
Bibliography

1 INTRODUCTION

Pictures influence people powerfully. Photographs communicate more realistically than words alone, evoking an emotional and cognitive response that the same information, without the pictures, does not. This paper explores the use of photography by forensic examiners as a means of identification.

1.1 Digital photography

Digital photographs exist only as digital data. They may eventually be presented in printed form, but there is no need to do so: they can easily be displayed on a monitor screen, and they need never exist as an analog representation of the scene or image. Unlike conventional photographs, they involve no film or paper, although they can be shown in paper form. (Farid, 2004)

1.2 Advantages of Digital Photography

There are many advantages to using digital photographs as opposed to conventional 35 mm film. Digital cameras generate images instantly, allowing the photographer to view the images and decide immediately whether the photographs are satisfactory, without the delay of waiting for film to be processed and printed. Most digital photography requires no external developing or reproduction. Moreover, digital photographs are easily stored, take up no extra physical space, and can be distributed widely by electronic means with virtually no time delay. (Farid, 2004)

1.3 Altering of digital image

Many photographers use digital imaging technology precisely because the image can be manipulated; for instance NASA scientists processing pictures transmitted from satellites, or a commercial photographer removing unwanted elements from an advertisement. Since digital information consists merely of numerical data, data can readily be added, removed or replaced. Such alteration of the original data is likely to take place in one of three contexts: it may happen unintentionally, it may be intentional for an innocent reason, or it may be deceptive. Unintentional alteration may result from a variety of causes. The consequences of unintentional modification are likely to be disastrous, and it is difficult to envisage the kinds of evidentiary issues that can follow beyond those usually raised by destroyed documents. (Farid, 2004)

Intentionally altered images, however, are a different matter. Various software packages allow users to remove elements from an image, rearrange the elements of an image, or add elements to an image. Even subtle properties such as color, contrast, light and shadow can be adjusted. When a photographer or editor alters an image for an innocent reason, only a few evidentiary issues arise from the intentionally altered image, as long as a witness is available and willing to testify that the scene has been edited. On the other hand, if someone were to manipulate an image intentionally for fraudulent purposes, the same tools used by the honest photographer could be applied to the task of committing that deception, and there is no easy technique of detection. (Farid, 2004)

2 OVERVIEW OF DIGITAL IMAGE FORENSICS

Digital image forensic techniques exploit either traces of image processing algorithms or characteristics introduced during the image acquisition process. The former are applicable without knowledge of the digitization device used.

To illustrate some characteristics typically introduced during image acquisition, the figure below shows a simplified image processing pipeline of a digital camera. The main components are the lens, the sensor with a color filter array (CFA) and the signal processing unit. The CFA is needed for color images as typical sensors are only sensitive to the intensity of incoming light. A true color RGB image is obtained by interpolating intensity values of pixels in a close neighborhood.

The captured image data is further processed in the signal processing unit and afterwards stored in a data storage unit. Other digital image input devices, such as digital camcorders or digital flatbed scanners, use similar image processing pipelines and thus introduce similar statistical patterns in the image data.

Forensic algorithms may exploit specific characteristics of image statistics, which were introduced by components of the image processing pipeline. Starting with the lens, chromatic aberration and radial distortions are suitable features. Furthermore, defective sensor elements, sensor noise and dependencies between adjacent pixels due to color interpolation form typical ingredients for forensic methods. On the other hand, it is also possible to treat the whole image acquisition process as a black box and analyze the camera response function or macroscopic features of acquired images.

2.1 Problems associated with the Photographs

A picture's power to persuade cannot be overstated. The essential purpose of every trial is, in general, to persuade the finders of fact. If the finders of fact are inclined to give undue weight to pictures simply because they can see them, this raises a panoply of issues, since the fundamental purpose of a trial is to determine the truth. (Farid, 2004)

Dye-sublimation digital printers can puzzle even imaging experts. They cannot produce the high resolution that film does, but their output appears to be photographs. They produce color and negative prints on photographic-style paper that mimics the look and feel of photographs.

Conversely, even simple image enhancements can make some crime scene details and fingerprint details objectionable. Dodge-and-burn, the selective lightening and darkening of regions within an image, can push details outside the range of light and dark that a digital printer is able to print.

2.2 Manipulation of Evidence

Photography has many applications in forensic science. First, it is used to photograph the crime scene. Later, photographs are taken of individual items of evidence, such as fingerprints and bloodstains, and of a dead body, both at the scene and at the time of the autopsy. Specialized techniques such as microphotography and infrared photography are useful mainly in specific settings. (Bassi, An automated acquisition system for media exploitation, June 2008)

It is imperative to photograph, as early as possible, evidence that could easily be damaged or lost, such as fingerprints, shoeprints, tire tracks, and tool marks. Fingerprints may need to be made detectable, by exposure to laser or ultraviolet light or by applying special powders, before they can be photographed at the scene. Similarly, shoeprints may need treatment before they can be visualized, although those in mud or blood can in general be captured on film without special preparation. Shoeprints must be photographed at a 90-degree angle to the surface and centered in the camera lens. This prevents deformation in the image and makes comparison with control shoeprints more consistent. Tire tracks need to be photographed both as part of a general scene photograph, so that their location can be accurately established, and close up, to capture the pattern detail on the tire for easy identification. Photographs of tool marks should at least indicate the location of this essential source of evidence. However, even macro photography may not reveal enough detail to allow the photographs to be used for laboratory comparison with suspect tools. Each item of evidence is photographed individually, before being touched if at all possible, and several shots of each item are taken. (Garfinkel, 2007)

The primary requirements to admit a photograph into evidence are relevance and validation. Generally, a photograph will be admitted into evidence at the judgment of the trial judge. In exceptional cases a chain of custody (including custody of the undeveloped film) will be required, or the best evidence rule may be raised if the photograph is offered for its truth and is the source of a controlling issue in the case. The most significant of these requirements is validation. Unless the photograph is admitted by judicial admission of the parties, the party seeking to introduce the photograph into evidence must be prepared to present testimony that the photograph is truthful and accurate. In most cases, the testimony need not be from the photographer; any witness qualified to testify that a photograph accurately depicts a scene well known to that witness will be sufficient. Some courts will rule that a photograph is self-validating, or presumably genuine. If the genuineness of a photograph is challenged, it is usually a question for the trier of fact to settle. (Wright FD, 2001)

2.3 EXIF

Exchangeable image file format (EXIF) is an image file format used mostly by digital cameras. The specification uses the JPEG, TIFF and RIFF file formats with additional tags. EXIF tags have standard interpretations covering items such as cover data, camera settings, a preview thumbnail and copyright information. Geolocation is an additional part of the standard EXIF format. Present-day cameras that come with a built-in GPS receiver store a lot of information in the EXIF header. In the near future there is a possibility of embedded GPS receivers. (Simson L. Garfinkel, 2006)

EXIF data is embedded in the image file itself. Many image manipulation programs recognize EXIF data and preserve it when writing the modified image. Many image gallery programs also recognize EXIF data and can display it alongside the image. Software libraries such as libexif and Exiv2 for C, or the read_exif_data() function for PHP, parse EXIF data from files and read or write EXIF tag values. (Garfinkel, 2007)

A JPEG file always starts with "FFD8", the SOI (Start of Image) marker, and ends with "FFD9", the EOI (End of Image) marker. Between the two markers the data is divided into segments, each introduced by its own marker. Because each segment can be identified, an application can process each segment separately, which makes the format flexible. This flexible structure allows standard formats such as JFIF and EXIF to be created, which add specific markers to store their data while remaining compliant with the JPEG format. The diagram below shows the structure of the format.

The JPEG specification defines a set of markers called application markers, in the range FFE0 to FFEF, which carry additional application information. This added information is used for application-specific purposes rather than for decoding the JPEG image. JFIF uses the APP0 marker (FFE0) to identify the segment holding the information that JFIF adds. EXIF uses the APP1 marker to hold the additional metadata that it adds to a file. The SOI marker is followed by APP1. The file format for EXIF is approximately as follows:

EXIF Tag Information

The real benefit of the EXIF standard to the investigator is the information that may be provided in the Tag fields. The tables below list the Tags defined by the EXIF standard for the IFD0 and EXIF sub-IFD fields, as well as the miscellaneous EXIF Tags. Investigators should note that Tag fields may or may not have meaningful information stored in them. Tag field use is implementation dependent and varies from manufacturer to manufacturer.

The above tables show the vast amount of data that can be stored in EXIF metadata. While quite a lot of this data, such as the make and model of the camera used, date and time of original, copyright, user comments, Artist, Time Zone offset, GPS Information, Image History, and Subject Location, has obvious benefits to an investigator if present, additional fields could be helpful in comparing multiple images taken at or near the same time in order to establish that they were taken with the same camera. This might allow one picture with identifying information to be tied back to another picture and, more importantly, the images to the device.
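The segment layout and the IFD0 tags described in this section can be read with a short parser. The Python below is an added example and is not code from the original paper; the function names, the three tags selected and the sample file (built in build_sample, with invented make, model and date values) are assumptions made for the illustration.

```python
import struct

IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}  # subset only


def marker_name(marker):
    """FFE0..FFEF are the application markers APP0..APP15."""
    if 0xE0 <= marker <= 0xEF:
        return "APP%d" % (marker - 0xE0)
    return {0xFE: "COM", 0xDA: "SOS"}.get(marker, "0x%02X" % marker)


def walk_segments(data):
    """Return [(marker, payload)] for the segments between SOI and SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker (FFD8) at start of file")
    segments, pos = [], 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: end of image
            return segments
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment at offset %d runs past end of file" % pos)
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        if marker == 0xDA:  # SOS: compressed image data follows, stop here
            return segments
        pos += 2 + length


def parse_exif_ifd0(payload):
    """Decode the ASCII tags of IFD0 from an APP1 payload; None if not EXIF."""
    if not payload.startswith(b"Exif\x00\x00"):
        return None
    tiff = payload[6:]  # every EXIF offset is relative to this TIFF header
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 10:
        raise ValueError("bad TIFF header in APP1")
    magic, ifd = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd + 2 > len(tiff):
        raise ValueError("bad TIFF header in APP1")
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            raise ValueError("IFD0 entry %d is truncated" % i)
        tag, kind, n, value = struct.unpack(order + "HHI4s", entry)
        if tag not in IFD0_TAGS or kind != 2:  # type 2 = ASCII string
            continue
        if n > 4:  # values longer than 4 bytes are stored at an offset
            (off,) = struct.unpack(order + "I", value)
            if off + n > len(tiff):
                raise ValueError("tag 0x%04X points outside the segment" % tag)
            value = tiff[off:off + n]
        tags[IFD0_TAGS[tag]] = value[:n].rstrip(b"\x00").decode("ascii", "replace")
    return tags


def examine(data):
    """Return (segment names, IFD0 tags or None) for one JPEG file."""
    names, tags = [], None
    for marker, payload in walk_segments(data):
        names.append(marker_name(marker))
        if marker == 0xE1 and tags is None:  # APP1 may also hold non-EXIF data
            tags = parse_exif_ifd0(payload)
    return names, tags


def build_sample():
    """Constructed sample: SOI, APP1 (EXIF), COM, EOI. Not a viewable image."""
    strings = [(0x010F, b"ExampleCam\x00"), (0x0110, b"EX-1\x00"),
               (0x0132, b"2014:11:22 10:00:00\x00")]
    data_off = 8 + 2 + 12 * len(strings) + 4  # header + count + entries + next-IFD
    entries, blob = b"", b""
    for tag, val in strings:
        entries += struct.pack(">HHII", tag, 2, len(val), data_off + len(blob))
        blob += val
    tiff = (b"MM\x00\x2a" + struct.pack(">IH", 8, len(strings)) + entries
            + struct.pack(">I", 0) + blob)

    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    return (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00" + tiff)
            + seg(0xFE, b"constructed sample") + b"\xff\xd9")


if __name__ == "__main__":
    print(examine(build_sample()))
```

A file whose segment lengths run past the end of the data raises ValueError instead of being read partially, which is the behaviour an examiner wants when a file has been truncated or damaged.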

3 RELEVANT FORENSIC TECHNIQUES

Digital forensics is a highly challenging profession that is much in demand, and as such it requires mastering different types of specialized skills. Although the skills used here are difficult, they have changed constantly and steadily along with the changing industry.

3.1 Imaging

The primary skill in basic forensic investigation is taking an image of a file or a piece of media. With modern operating systems, whose file systems provide journaling and indexing, this can appear to be an easy option. Yet many alterations to the integrity of the evidence are possible. For example, an operating system that indexes files can modify file access times, and indexing can be triggered by an event as simple as inserting a disk, which is also likely to cause data in the journal to be written over other files. A skilled individual must take due care when using the operating system, as there is a risk of overwriting residual data. There must be agreement that the contents of the drive image are not to be changed.

Specific steps need to be followed to protect media that is to be imaged. Using the mounting service and the access permissions of the raw device, the media can be frozen. To safeguard the media against alteration by the operating system, there are dedicated hardware solutions. Write blockers are very common for hard drives, and come in several variations. (Englberger, An SNR Estimation algorithm using Fourth-Order Moments, 1994)

Once the investigator is certain about whether the source disk can be modified, the data needs to be copied off the disk for investigation. Although this is a simple procedure, there are significant details to consider. Physical media is made up of addressable blocks, which are divided into partitions on each device. A device may hold multiple partitions, with potential gaps between them. The partitions are organized into file systems, in which certain blocks hold the metadata and control data for the file system. Information from the media can be imaged at the block level. Damaged media can produce input or output errors, and these errors must be accounted for. (Palmer, 2001)

3.2 Hashing

To identify a file, and to establish whether an image is legitimate or has been modified, the forensic community has adopted cryptographic hashing. A hash is produced by a one-way cryptographic function, and the approach depends on the properties of these functions. MD5 was formulated in 1991 by Ron Rivest and later taken up by the forensic community. MD5 tools are always available because MD5 is fast and produces a short hash. A change of one bit produces a dissimilar result, and research on this is under way. A better, state-of-the-art technique is Multi-Resolution Similarity Hashing. It uses triggered piecewise hashing, combining the hash similarities to form edit distances between files. (Garfinkel, 2006)
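The contrast between a single whole-file hash and piecewise hashes can be seen on a small constructed file. The Python below is an added example, not code from the original paper; it uses fixed-size blocks, which is a simpler scheme than the similarity hashing named above, and the block size, function names and sample data are assumptions made for the illustration.

```python
import hashlib

BLOCK = 512  # bytes per piece (one sector; a value chosen for this example)


def whole_hash(data, algo="md5"):
    """Single digest over the entire file, as used to identify evidence."""
    return hashlib.new(algo, data).hexdigest()


def piecewise(data, block=BLOCK, algo="md5"):
    """One digest per fixed-size block of the file."""
    return [hashlib.new(algo, data[i:i + block]).hexdigest()
            for i in range(0, len(data), block)]


def differing_blocks(a, b, block=BLOCK):
    """Indexes of blocks whose digests differ or that exist on one side only."""
    ha, hb = piecewise(a, block), piecewise(b, block)
    return [i for i in range(max(len(ha), len(hb)))
            if i >= len(ha) or i >= len(hb) or ha[i] != hb[i]]


def bit_distance(hex_a, hex_b):
    """Number of bits that differ between two digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def constructed_evidence(blocks=8):
    """Deterministic stand-in for an evidence file (constructed, not real data)."""
    out, i = b"", 0
    while len(out) < blocks * BLOCK:
        out += hashlib.sha256(b"sample-%d" % i).digest()
        i += 1
    return out[:blocks * BLOCK]


def flip_bit(data, offset, bit=0):
    """Copy of data with one bit inverted, modelling an in-place alteration."""
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)


def insert_byte(data, offset, value=0):
    """Copy of data with one byte inserted, which shifts everything after it."""
    return data[:offset] + bytes([value]) + data[offset:]


if __name__ == "__main__":
    original = constructed_evidence()
    flipped = flip_bit(original, 2 * BLOCK + 6)
    shifted = insert_byte(original, 2 * BLOCK)
    print("whole-file MD5:", whole_hash(original), "->", whole_hash(flipped))
    print("digest bits changed:",
          bit_distance(whole_hash(original), whole_hash(flipped)))
    # An in-place change is localized to one block ...
    print("blocks changed by 1-bit flip:", differing_blocks(original, flipped))
    # ... but an insertion misaligns every later fixed-size block.
    print("blocks changed by 1-byte insert:", differing_blocks(original, shifted))
```

The second result is the reason fixed-size blocks are not enough for measuring similarity between edited files: one inserted byte makes every later block differ.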

3.3 Carving

File carvers are one category of digital forensic toolkit. These tools scan all the blocks of a disk that no longer belong to current files, such as those of deleted files. They use known header and footer signatures to locate and reassemble the original files that were deleted. Note that files that have been overwritten cannot all be recovered from the media.

Recent advances allow fragmented files to be carved and recovered more accurately. Garfinkel demonstrated file carving with object validation, showing it was possible to validate whether blocks belonged to certain files as they are carved out, permitting fragmented files to be recovered cleverly. (Carrier, 2006)
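Header and footer carving can be demonstrated on a small raw image. The Python below is an added example, not code from the original paper and not any tool's actual algorithm; it handles contiguous files only, and the sector size, the nesting heuristic, the function names and the seven-sector disk built in constructed_disk are assumptions made for the illustration.

```python
SECTOR = 512
HEADER = b"\xff\xd8\xff"  # SOI plus the first byte of the marker that follows it
FOOTER = b"\xff\xd9"      # EOI


def naive_end(image, start):
    """Offset just past the first EOI after start, or None (shown for contrast)."""
    hit = image.find(FOOTER, start)
    return None if hit == -1 else hit + len(FOOTER)


def find_end(image, start, limit):
    """Offset just past the EOI that closes the SOI at start, or None.

    An EXIF thumbnail is a small JPEG stored inside the file, so nested
    header/footer pairs are counted instead of stopping at the first EOI.
    This is a heuristic, not the object validation described in the text.
    """
    depth, pos = 0, start
    while True:
        next_header = image.find(HEADER, pos, limit)
        next_footer = image.find(FOOTER, pos, limit)
        if next_footer == -1:
            return None
        if next_header != -1 and next_header < next_footer:
            depth += 1
            pos = next_header + len(HEADER)
        else:
            depth -= 1
            pos = next_footer + len(FOOTER)
            if depth == 0:
                return pos


def carve_jpegs(image, max_size=1 << 20):
    """Return [(offset, length, complete)] for JPEG candidates in a raw image."""
    found, pos = [], 0
    while pos + len(HEADER) <= len(image):
        if image[pos:pos + len(HEADER)] != HEADER:
            pos += SECTOR  # files start on sector boundaries
            continue
        limit = min(len(image), pos + max_size)
        end = find_end(image, pos, limit)
        if end is None:  # header whose footer was overwritten or lies beyond limit
            found.append((pos, limit - pos, False))
            pos += SECTOR
        else:
            found.append((pos, end - pos, True))
            pos = -(-end // SECTOR) * SECTOR  # next sector boundary after the file
    return found


def constructed_disk():
    """Seven-sector raw image built for this example (not real evidence)."""
    thumb = HEADER + b"\xdb" + b"T" * 20 + FOOTER
    file_a = HEADER + b"\xe1" + b"A" * 100 + thumb + b"B" * 568 + FOOTER  # 700 bytes
    file_b = HEADER + b"\xe0" + b"X" * 200          # tail overwritten: no footer
    file_c = HEADER + b"\xe0" + b"C" * 50 + FOOTER  # 56 bytes
    disk = bytearray(7 * SECTOR)
    for sector, blob in ((1, file_a), (4, file_b), (5, file_c)):
        disk[sector * SECTOR:sector * SECTOR + len(blob)] = blob
    return bytes(disk)


if __name__ == "__main__":
    disk = constructed_disk()
    print("first-footer length of file A:", naive_end(disk, SECTOR) - SECTOR)
    for offset, length, complete in carve_jpegs(disk):
        print(offset, length, "complete" if complete else "partial")
```

Stopping at the first footer cuts file A off at the end of its embedded thumbnail, and the header in sector 4 is reported as partial because its footer is gone.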

3.4 Identity Resolution

Attributing a piece of information to its owner, and resolving it to an individual, is a major problem. Matters are complicated because multiple users can coexist on a single machine or network. The two best techniques for making sense of resolution are Joan's work for IBM and probabilistic machine learning techniques. It has been developed by the law enforcement commissioner. The data can be interrelated, with resources that point to an entity representing a person. As more data accumulates, an extra piece of data may give a better resolution, and may provide information that causes an entity to be split into separate entities. The pieces of data that an entity owns can represent communication with other entities, and social networks can be confirmed. (Garfinkel, 2006)

4 CURRENT TOOLS

Basic forensic functions have created many opportunities for commercial ventures as well as for open source alternatives. There are standalone tools, such as those that extract EXIF data from JPEG files, which are continuously developed by a distributed academic and open source community. These basic functions can easily be integrated into analysis suites. The suites are generally GUI-based programs that allow a forensic analyst to search the data on a hard drive.

4.1 EnCase

EnCase is a forensic suite sold by a software company named Guidance, and is licensed by NIST CFTT and several other law enforcement agencies throughout the United States. It is a powerful, network-enabled, multi-platform investigation solution. It also provides a response to all computer-related incidents and forensic analysis. It can acquire volatile and static data from servers and workstations anywhere without disrupting operations. (Palmer, 2001; Farid, 2004)

EnCase has its own file format for storing images, and an open source library allows other forensic tools to use these images. It has a complex interface, with all the steps needed for operations and for producing actionable intelligence. EnCase also has a scripting language that allows basic common tasks to be performed automatically. The scripting language helps with carving and with producing reports, which are restricted to use with an EnCase viewer. It does not have a clear reference for other cases. The main source is closed, and extensions can be added to the program. (Palmer, 2001; Farid, 2004)

4.2 FTK

FTK is the Forensic Toolkit by AccessData. It is another commercial tool, with a steep learning curve for its users. Like EnCase, FTK can be used in courtrooms and has legal precedents. FTK produces more data-rich reports and has an interface comparable to that of EnCase. FTK does not provide a scripting language and does not allow users to add other functionality. (Palmer, 2001)

4.3 Sleuth kit

In the open source world of forensics, another well-regarded option is the Sleuth Kit. It is the primary open source suite of forensic tools and is based on the Coroner's Toolkit. The Sleuth Kit provides the necessary searching, timeline building and browsing functions. The Sleuth Kit tools are all command-line based, and other projects simplify the practitioner's work with a graphical user interface. Autopsy and PTK are little more than graphical shells that run TSK commands as child processes and present the results in a web browser for better visualization and control of the tools. (Palmer, 2001)

4.4 PyFlag

The Python Forensic and Log Analysis GUI (PyFlag) was put forward by the government of Australia. PyFlag is another open source forensic tool, intended for the analysis of both media and network data. PyFlag keeps case and image information in a back-end database and is used through a web browser from client workstations.

In practice the database can be on the same system as the client, which allows a mobile deployment, or on a central server, which lets investigators work on the same case at the same time. PyFlag uses the Sleuth Kit for underlying image access and builds individual file analysis, extraction and reporting on top of it. PyFlag has its own scripting language, called Python Flash, and lets users write their own extensions to the suite in Python. (Bassi, An automated acquisition system for media exploitation, June 2008)

CONCLUSION

In this paper, we have described the significance of a standard, open format for digital evidence attribution, both for description and comparison of particular pieces of evidence and for tool interoperability and validation. To guard against the ease with which an observer can be given counterfeit evidence, a method of validating images can be followed. It is widely acknowledged, and widely ignored, that digital images are easy to generate, easy to manipulate but difficult to validate.

The EXIF section of a JPEG file holds a remarkable amount of useful information. There is always some misgiving about extracting the image data manually from a file, and programs exist today that extract the data for the investigator. Forensic tools such as ProDiscover from Technology Pathways can produce a report of this information for investigators for the JPEG and TIFF files marked as evidence.

A new investigator needs a clear course of action for capturing EXIF data in an evidentiary-quality manner so that it can be used in court at a later date. There are methods with a reasonable degree of certainty that can be applied to photographs and that help the court to determine the truth.

For a forensically minded expert, these tools present a financial option and provide the technical means of extracting data from media images. The tools presented extract data in poorly organized ways that try to show the user as much data as possible rather than prioritizing information according to relevance. This paper is intended to show some of the advantages and tools used in imaging by the forensics community. It also presents techniques of image forensics in digital photography, as a contribution to the toolbox in this field.

Bibliography

Anandabrata Pal, H. S. (2008). Detecting file fragmentation point using sequential hypothesis testing. In Digital Forensic Research Workshop.

Bassi, S. (June 2008). An automated acquisition system for media exploitation. Master's thesis, Naval Postgraduate School.

Carrier, B. (2006). A Hypothesis-Based Approach to Digital Forensic Investigations. PhD thesis, Purdue University.

Cohen, M. I. (2008). Advanced jpeg carving. In e-Forensics '08: Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop (pp. 1–6).

Englberger, R. M. (1994). An SNR Estimation algorithm using Fourth-Order Moments.

Farid, A. C. (2004). Statistical tools for digital forensics.

Garfinkel, S. L. (2006). Forensic feature extraction and cross-drive analysis. Digital Investigation.

Garfinkel, S. L. (2007). Carving contiguous and fragmented files with fast object validation. Digital Investigation.

J. Fridrich, D. S. (2003). Detection of Copy-move forgery in digital images.

Palmer, G. (2001). A Road Map for Digital Forensic Research: Technical Report DTR0010-01.

Pratt, W. K. (1987). Digital Image Processing. Third Edition, John Wiley and Sons.

Pyflag, M. C. (August 2008). An advanced network forensic framework. In Proceedings of the 2008 Digital Forensics Research Workshop. DFRWS.

Simson L. Garfinkel, D. J.-A. (2006). Disk imaging with the advanced forensic format, library and tools.

Wright FD, D. J. (2001). Human bite marks in forensic dentistry. Dental Clinics of North America, 365-397.