    A review of digital forensics methods for JPEG file carving

    Digital forensics is an important field of cybersecurity and digital crimes investigation. It entails applying file recovery methods to analyze data from storage media and extract hidden, deleted or overwritten files. The recovery process might be accompanied by cases of unallocated partitions of blocks or clusters and the absence of file system metadata. These cases entail advanced recovery methods that have carving abilities. The file carving methods include different types of techniques to identify, validate and reassemble the file. This paper presents a comprehensive study of data recovery, file carving, and file reassembling. It focuses on identifying and recovering JPEG images, as they are widely covered in the literature. It classifies the carving techniques into three types: signature-, structure-, and content-based carvers. Subsequently, the paper reviews seven advanced carving methods in the literature. Finally, the paper presents a number of research gaps and concludes with a number of possible improvements. Generally, both the gaps and possible improvements are associated with the fragmentation problem of data files.

    Forensic research on detecting seam carving in digital images

    Digital images have been playing an important role in our daily life for the last several decades. Naturally, image editing technologies have been tremendously developed due to the increasing demands. As a result, digital images can be easily manipulated on a personal computer or even a cellphone for many purposes nowadays, so that the authenticity of digital images becomes an important issue. In this dissertation research, four machine learning based forensic methods are presented to detect one of the popular image editing techniques, called ‘seam carving’. To reveal seam carving applied to uncompressed images from the perspective of energy distribution change, an energy based statistical model is proposed as the first work in this dissertation. Features measuring global energy of images, remaining optimal seams, and noise level are extracted from four local derivative pattern (LDP) domains instead of from the original pixel domain to heighten the energy change caused by seam carving. A support vector machine (SVM) based classifier is employed to determine whether an image has been seam carved or not. In the second work, an advanced feature model is presented for seam carving detection by investigating the statistical variation among neighboring pixels. Comprising three types of statistical features, i.e., LDP features, Markov features, and SPAM features, the powerful feature model significantly improved the state-of-the-art accuracy in detecting low carving rate seam carving. After the feature selection by utilizing SVM based recursive feature elimination (SVM-RFE), with a small number of features selected from the proposed model the overall performance is further improved. Combining the above-mentioned two works, a hybrid feature model is then proposed as the third work to further boost the accuracy in detecting seam carving at low carving rate. The proposed model, which consists of two sets of features that capture energy change and neighboring relationship variation respectively, achieves remarkable performance on revealing seam carving, especially low carving rate seam carving, in digital images. Besides these three hand-crafted feature models, a deep convolutional neural network is designed for seam carving detection. It is the first work that successfully utilizes deep learning technology to solve this forensic problem. The experimental works demonstrate their much more improved performance in the cases where the amount of seam carving is not serious. Although these four pieces of work move the seam carving detection ahead substantially, future research works with more advanced statistical models or deep neural networks along this line are expected.

    A user-oriented network forensic analyser: the design of a high-level protocol analyser

    Network forensics is becoming an increasingly important tool in the investigation of cyber and computer-assisted crimes. Unfortunately, whilst much effort has been undertaken in developing computer forensic file system analysers (e.g. Encase and FTK), such focus has not been given to Network Forensic Analysis Tools (NFATs). The single biggest barrier to effective NFATs is the handling of large volumes of low-level traffic and being able to extract and interpret forensic artefacts and their context – for example, being able to extract and render application-level objects (such as emails, web pages and documents) from the low-level TCP/IP traffic but also understand how these applications/artefacts are being used. Whilst some studies and tools are beginning to achieve object extraction, results to date are limited to basic objects. No research has focused upon analysing network traffic to understand the nature of its use – not simply looking at the fact a person requested a webpage, but how long they spent on the application and what interactions they had whilst using the service (e.g. posting an image, or engaging in an instant message chat). This additional layer of information can provide an investigator with a far more rich and complete understanding of a suspect’s activities. To this end, this paper presents an investigation into the ability to derive high-level application usage characteristics from low-level network traffic meta-data. The paper presents three application scenarios – web surfing, communications and social networking – and demonstrates it is possible to derive the user interactions (e.g. page loading, chatting and file sharing) within these systems. The paper continues to present a framework that builds upon this capability to provide a robust, flexible and user-friendly NFAT that provides access to a greater range of forensic information in a far easier format.

    OpenForensics: a digital forensics GPU pattern matching approach for the 21st century

    Pattern matching is a crucial component employed in many digital forensic (DF) analysis techniques, such as file-carving. The capacity of storage available on modern consumer devices has increased substantially in the past century, making pattern matching approaches of current generation DF tools increasingly ineffective in performing timely analyses on data seized in a DF investigation. As pattern matching is a trivially parallelisable problem, general purpose programming on graphic processing units (GPGPU) is a natural fit for this problem. This paper presents a pattern matching framework - OpenForensics - that demonstrates substantial performance improvements from the use of modern parallelisable algorithms and graphic processing units (GPUs) to search for patterns within forensic images and local storage devices.

    Carving Alaska Soapstone

    Thesis (M.A.) University of Alaska Fairbanks, 196

    A comparison of forensic evidence recovery techniques for a Windows Mobile smart phone

    Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats, complicating decoding and presentation. A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent to which the results produced by different tools are consistent. This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device; and that in some cases the information recovered is conflicting.