English Pages 240 [242] Year 2021
Gulshan Shrivastava, Deepak Gupta, Kavita Sharma (Eds.) Cyber Crime and Forensic Computing
De Gruyter Frontiers in Computational Intelligence
Edited by Siddhartha Bhattacharyya
Volume 11
Cyber Crime and Forensic Computing Modern Principles, Practices, and Algorithms Edited by Gulshan Shrivastava, Deepak Gupta, Kavita Sharma
Editors
Gulshan Shrivastava, Department of Computer Science and Engineering, Sharda University, Greater Noida, U.P., India, [email protected]
Deepak Gupta, Department of Computer Science and Engineering, Maharaja Agrasen Institute of Technology, Delhi, India, [email protected]
Kavita Sharma, Department of Computer Science and Engineering, G.L. Bajaj Institute of Technology & Management, Greater Noida, U.P., India, [email protected]
ISBN 978-3-11-067737-9
e-ISBN (PDF) 978-3-11-067747-8
e-ISBN (EPUB) 978-3-11-067754-6
ISSN 2512-8868
Library of Congress Control Number: 2021942528
Bibliographic information published by the Deutsche Nationalbibliothek: The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available on the Internet at http://dnb.dnb.de.
© 2021 Walter de Gruyter GmbH, Berlin/Boston
Cover image: shulz/E+/getty images
Typesetting: Integra Software Services Pvt. Ltd.
Printing and binding: CPI books GmbH, Leck
www.degruyter.com
Dedicated to our friends and families for their constant support during the course of this book
Contents
About the editors IX
Shefali Arora, Ruchi Mittal, M. P. S. Bhatia: A survey of popular digital forensic tools 1
Swati Gupta, Puneet Garg: An insight review on multimedia forensics technology 27
Meet Kumari: An overview on advanced multimedia forensic techniques and future direction 49
Anand Sharma: Computer forensics and Cyber Crimes: COVID-19 perspective 71
Sachil Kumar, Geetika Saxena: Biometric forensic tools for criminal investigation 85
K. Hariharan, K. Rajkumar, R. Manikandan, Ambeshwar Kumar, Deepak Gupta: Deep learning for optimization of e-evidence 111
N. Sivasankari, R. Shantha Selvakumari: Electronic voting machine security issues and solution protocol by physical unclonable function 137
Meenakshi, Puneet Garg, Pranav Shrivastava: Machine learning for mobile malware analysis 151
Prashant Kumar, Gaurav Purohit, Pramod Tanwar, Kota Solomon Raju: Mobile platform security: issues and countermeasures 179
Pranav Shrivastava, Prerna Agarwal, Kavita Sharma, Puneet Garg: Data leakage detection in Wi-Fi networks 215
Index 229
About the editors
Dr. Gulshan Shrivastava is working as an Assistant Professor in the Department of Computer Science and Engineering at Sharda University, Greater Noida, Uttar Pradesh (U.P.), India. Prior to his current role, he was associated with Galgotias University and Dronacharya Group of Institutions, Greater Noida, U.P., India. He was also a visiting technical trainer and researcher at Datec Ltd., Papua New Guinea (PNG). He received his Ph.D. (CSE) from NIT Patna, M.Tech. (Information Security) from Guru Gobind Singh Indraprastha University (GGSIPU), Delhi, MBA (IT & Finance) from I. K. Gujral Punjab Technical University (IKGPTU), and B.E. (Computer Science & Engineering) from Maharshi Dayanand University (MDU), Rohtak, Haryana. He has also earned numerous international certifications from Coursera, NPTEL, Sun Microsystems, etc. in Security and Machine Learning. He has 5 patents (1 granted, 4 published), is an editor/author of more than 7 books, and is the author of more than 10 book chapters and 34 articles and editorials in international journals and conferences of high importance. He is Associate Editor of IJ-ICT (Scopus Indexed); has served as Associate Editor of JGIM (SCIE Indexed) and IJDCF (Scopus Indexed), IGI Global; and as Section Editor of Scalable Computing (SCPE) (Scopus Indexed). He also serves many reputed journals as guest editor, editorial board member, international advisory board member, and reviewer board member. Moreover, Dr. Shrivastava has delivered expert talks and guest lectures at international conferences and serves as a reviewer for journals of IEEE, Springer, Inderscience, etc. He was Convener of ICICC 2021, ICICC 2020, and ICICC-2019; Organizing Chair of the 5th IEEE ICCCIS-2021 and ICCIDA-2018; and Publication Chair of MARC-2018. He is a life member of ISTE, a senior member of IEEE, and a professional member of ACM, SIGCOMM, and many other professional bodies. He has an ardent inclination toward the field of Data Analytics and Security. His research interests include Information Security, Digital Forensics, Data Analytics, Machine Learning, and Malware Detection and Analysis.
Dr. Deepak Gupta received a B.Tech. in 2006 from Guru Gobind Singh Indraprastha University, India. He received an M.E. in 2010 from Delhi Technological University, India, and a Ph.D. in 2017 from Dr. APJ Abdul Kalam Technical University, India. He completed his Post-Doc at Inatel, Brazil. With 13 years of rich experience in teaching and 2 years in industry, he focuses on rational and practical learning. He has contributed extensive literature in the fields of Intelligent Data Analysis, BioMedical Engineering, Artificial Intelligence, and Soft Computing. He has served as Editor-in-Chief, Guest Editor, and Associate Editor of SCI and various other reputed journals (IEEE, Elsevier, Springer, and Wiley). He has been actively involved in organizing various reputed international conferences. He has authored/edited 50 books with national/international-level publishers (IEEE, Elsevier, Springer, Wiley, Katson). He has published 184 scientific research publications in reputed international journals and conferences, including 96 SCI Indexed Journals of IEEE, Elsevier, Springer, Wiley, and many more.
https://doi.org/10.1515/9783110677478-203
Dr. Kavita Sharma is Associate Professor in the Department of CSE at G. L. Bajaj Institute of Technology and Management, Greater Noida, India. She received her Ph.D. in Computer Engineering from National Institute of Technology, Kurukshetra (Institution of National Importance), India, and M.Tech. in Information Security from GGSIPU, Delhi, India. She also completed her B.Tech. in IT at UPTU, Lucknow, India. In addition, she was awarded a research fellowship by the Ministry of Electronics and Information Technology, Government of India. She has worked as an Assistant Professor at Dronacharya College of Engineering, Greater Noida, India. She has 4 patents (2 granted and 2 published), has published 6 books, and has published 47 research articles in international journals and conferences of high repute. She has also served as Section Editor of Scalable Computing (SCPE). She also serves many reputed journals as guest editor, as editorial board member, and as a member of international advisory boards. Moreover, Dr. Sharma has delivered expert talks and guest lectures at international conferences and serves as a reviewer for journals of IEEE, Springer, Inderscience, Wiley, etc. She is a Senior Member of IEEE; Professional Member of ACM; Life Member of CSI, ISTE, IAENG, and the Institute of Nanotechnology; and Member of SDIWC, Internet Society, IACSIT, CSTA, IAOE, etc. She has actively participated in and organized several international conferences, Faculty Development Programs, and various national and international workshops. Her areas of interest include Information and Cyber Security, Mobile Computing, IoT Security, Data Analytics, and Machine Learning.
Shefali Arora, Ruchi Mittal, M. P. S. Bhatia
A survey of popular digital forensic tools
Abstract: Digital forensics is the process of interpreting electronic or digital data to preserve any kind of evidence. Forensic investigation is done by storing, categorizing, and authenticating information to understand a sequence of events. The objective of acquiring this information is to get empirical evidence against hackers and intruders. For example, in forensics involving operating systems, we can examine swap pages or scan deleted files to obtain useful information. This chapter reviews the work being done in various domains of digital forensics, highlighting the need for these forensic tools to investigate and interpret evidence. The authors review many open-source forensic tools that can help professionals and experts to perform forensic investigations on data obtained from operating systems, networks, computers, and other devices. This is further highlighted with a case study, which makes use of two forensic tools – Autopsy and Wireshark – to analyze files and network traffic, respectively. Finally, this chapter focuses on future directions and research work being carried out in forensic investigations.
Keywords: tools, Autopsy, investigation, digital forensics, Wireshark, security, network forensics
1 Introduction
Digital forensic investigation is the branch of forensic science that covers the identification, recovery, analysis, validation, and presentation of facts regarding digital evidence found on computers or similar digital storage media devices. Probably the most significant danger confronting organizations and enterprises today is cyber-attacks and threats [1]. They could even be considered acts of cyber terrorism, whose remarkable effects can be felt both in cost and in human emotion [2]. Whenever something like this happens, two of the most commonly asked questions are: How could it occur? And by what means could this be prevented from happening again? There are no straightforward answers to these, and depending on the seriousness of the cyber-attack, it could take weeks or even longer to determine the answers to these two questions.
Shefali Arora, Division of Computer Engineering, Netaji Subhas Institute of Technology, Delhi, India, e-mail: [email protected]
Ruchi Mittal, Department of Computer Science, Ganga Institute of Technology and Management, Haryana, India, e-mail: [email protected]
M. P. S. Bhatia, Division of Computer Engineering, Netaji Subhas Institute of Technology, Delhi, India, e-mail: [email protected]
https://doi.org/10.1515/9783110677478-001
1.1 Learn digital forensics
Awareness of digital forensics has grown into an established body of knowledge and skills around computer forensics. The main areas of focus include email and browser forensics, network forensics concepts, and many more [3]. Forensic investigation has become one of the most critical factors in today's world: for instance, any remnants of a cyber-attack and any evidence collected at the scene should be gathered and investigated [4]. It is important to remember that the field of forensic investigation, particularly as it relates to Information Technology, is exceptionally broad and contains many sub-specialties [5]. These include digital forensics, mobile forensics, database forensics, logical access forensics, and so forth, to name just a few. This chapter gives an outline of the field of computer forensics. The focus is essentially on what it is about, its significance, and the general steps involved in conducting a computer forensics case [6].
1.2 Definition of digital forensics
The term "forensics" means applying a type of scientific process to the collection, analysis, and presentation of gathered evidence. All evidence is meaningful when a cyber-attack has occurred [7]. When a cyber-attack happens, gathering all relevant evidence is of extreme importance in order to answer the questions raised above [8]. It is important to remember that the forensic examiner/investigator is exceedingly interested in a specific type of evidence, referred to explicitly as "latent data." In the cybersecurity world, this kind of data (also called "ambient data") is not easily observed or accessible on a first look at the scene of a cyber-attack. It takes a much deeper level of examination by the computer forensics expert to uncover it [9]. This data has numerous uses; however, access to it is very restricted.
1.3 Need for forensic sciences
The significance of computer forensics to a business or an organization is enormous [10]. For example, there is a common belief that the use of defensive devices like firewalls and switches is enough to stop any cyber-attack. The security expert knows this is false, given the extremely sophisticated nature of today's cyber attacker. This belief is also false from the viewpoint of computer forensics. While these pieces of equipment do provide data in a specific way concerning what unfolded in a cyber-attack, they do not have that deeper layer of information needed to give the details of what precisely occurred [11]. This underscores the requirement for the organization to also deploy those security components (alongside the equipment above) which can provide these pieces of information (examples are security devices that use artificial intelligence, machine learning, business analytics, and so on). Deploying this kind of security model, in which the principles of computer forensics are also adopted, is also referred to as "Defense in Depth." With such information, there is a much greater likelihood that the evidence presented will be considered admissible in a court of law, consequently bringing the culprits who launched the cyber-attack to justice [12]. Likewise, by adopting the principles of "Defense in Depth," the business or organization can come into compliance promptly with government legislation and mandates (for example, those of HIPAA and Sarbanes-Oxley). These require that numerous types of data (even latent data) be archived and stored for audit purposes. If an entity fails any compliance measures, it can face severe financial penalties [13].
1.4 Expertise in digital forensics
To work as a forensic science expert, a candidate ought to have, at minimum, a bachelor's degree in forensic science or a natural science. Forensic science programs offer different areas of specialization, and digital forensics is one of them. Even though bachelor's degree programs are the baseline, many employers prefer people who have master's degrees [14, 15]. Students in a forensic science program with a digital forensics emphasis may complete courses in cybersecurity, digital forensic technology and practices, advanced forensics, and critical thinking in cybersecurity, among others. Numerous schools and colleges offer forensic science programs through distance learning [16]. Most forensic experts are required to complete hands-on training before actually beginning their careers. This is where people gain an advantage from real work experience on the job. As important as it is to have a degree, reports suggest that this alone is probably not enough. In addition, the candidate ought to have the following abilities.
– Analytical abilities: The candidate must have the skills needed to analyze and solve a problem.
– Computer/tech abilities: Because most digital forensic work is based around computers, the candidate must be comfortable with computers, computer programming, and related fields.
– Knowledge of cybersecurity: Digital forensic science is tied to solving Cyber Crimes, so it is significant that the individual knows not only how to solve crimes but also how to prevent them.
– Organizational aptitudes: The forensic professional must be organized physically and mentally so that he or she can compile data and present it to other people.
– Communication aptitudes: The candidate must be able to communicate freely because he or she will most likely be part of a team.
– The desire to learn: Technology keeps evolving, and the digital technician must be willing and able to keep up with changing training.
1.5 History of digital forensics
It is difficult to pinpoint when computer crime scene investigation began. Most authorities agree that the field of computer forensics began to develop more than 30 years ago. The field began in the United States, in large part when law enforcement and military investigators started seeing criminals become technical. Eventually, the fields of information security, which focus on protecting data and assets, and computer forensics began to intertwine [17]. Throughout the following decades, and up to today, the field has exploded. Law enforcement and the military continue to have a tremendous presence in information security and the computer forensic field at the local, state, and federal level. Private organizations and enterprises have followed a similar pattern, using in-house information security and computer forensic specialists or hiring such specialists or firms, depending on the circumstances. The private legal industry has seen the need for computer forensic examinations in civil legal disputes, causing an explosion in the e-discovery field [18]. The computer forensic field continues to grow daily. An ever-increasing number of large forensic firms, boutique firms, and private investigators are gaining knowledge and experience in the field. Software companies continue to create newer and increasingly robust forensic software programs [19]. Also, law enforcement and the military continue to identify and train more and more of their workforce in the response to crimes involving technology [20].
2 Objectives of digital forensics
There are many objectives of digital forensics, some of which are the following:
– It helps to suggest the motive behind the crime and the identity of the principal criminal.
– Planning procedures at a suspected crime scene helps to guarantee that the evidence obtained is not corrupted.
– To professionalize and advance the study of digital security, digital and computer forensics, and other areas of forensic science.
– To provide a fair, objective procedure for certifying the competency of digital security and digital and computer forensics examiners.
– To set high forensic and ethical standards for digital security and digital and computer forensics examiners.
– To conduct research and development into new and emerging technologies and techniques in the various fields of forensic science.
– To provide digital security and digital and computer forensics training programs (formal training, enrolment, courses, workshops, and conferences) that will give individuals the competency to know about current standards, create new ones, and ensure digital security.
– Providing an understanding of the technical capabilities of hackers and the countermeasures against such malicious attacks helps the federal, state, and local governments, the private sector, financial institutions, law enforcement agencies, the judiciary, and individuals in the prevention and detection of digital security incidents.
– To publish articles in the print and electronic media on digital and computer forensics.
3 Types of forensics and related work
Digital forensics needs the following steps:
– Identification
– Preservation
– Analysis
– Documentation
– Presentation
Identification involves finding the presence of evidence, and where and how it is stored. Storage could be on mobile phones, PDAs, and computers. Preservation is the isolation and preservation of data, and also the prevention of tampering with the digital evidence and storage media. This is followed by the reconstruction of data fragments to conclude what has been found.
Here, the investigating agents reconstruct the pieces of data and draw inferences based on the evidence found. It takes much time to identify the evidence and confirm the perpetrators of the crime. Next, a record is created for all the data collected. Proper documentation, together with sketching and crime scene mapping, can help to recreate the crime scene. At last, the documentation and presentation of inferences is made. Digital forensics is divided into various types:
– Disk forensics: In this type of forensics, data is extracted from storage media by searching for deleted, archived, and modified files. This can help in the identification and collection of evidence.
– Network forensics: In this type of forensics, computer network traffic is monitored and analyzed to collect evidence [21, 22]. This is used for gathering information and evidence and for the detection of intruders. The authors of [23] describe the OSCAR methodology for network forensics, an acronym for its stages. O stands for Obtain information: getting general data about the incident and the situation in which it occurred, including the date and time. The main tasks should be written down, and priorities should be assigned. S stands for Strategize, which deals with the planning part. Prioritization should be done once evidence is acquired, by weighing the volatility of sources against their value to the investigation. C stands for Collect evidence, which involves gathering evidence based on the planning done in the previous stage. The fourth letter, A, covers analysis and documentation: it is necessary to safeguard and log the accesses made to systems as well as the actions taken. The last letter, R, stands for Report, in which the results of the investigation are conveyed to the client. The report should be understandable even by non-technical people.
– Wireless forensics: This comes under network forensics, and it aims to make use of tools to capture and analyze information and traffic from wireless networks [24].
– Database forensics: It concerns the research and analysis of databases and their related metadata.
– Email forensics: It involves the recovery of emails, including deleted ones, from the inbox, contacts [25], etc. With the growth in e-commerce and digitalization, it is essential to protect ourselves from fraudulent emails. Emails have become a primary means of communication among people. Thus, email forensics is essential to analyze what is going on. The different types of crimes involving email are as follows:
– Phishing [26]: It is an attempt to obtain an individual's information, such as usernames and passwords, by disguising oneself as a trustworthy identity. Emails usually contain links that can redirect a user to a suspicious website. Thus, the redirection of traffic is a malicious attempt to steal a user's sensitive data.
– Pharming: Done using counterfeit emails that redirect the receiver to anonymous websites.
– Spoofing: In this, the user gets a mail and believes it is from a reliable source, but it is from an unknown user who uses a forged address to mail the user.
– Memory forensics: It works by gathering information from system memory (system registers, cache, RAM) so that the raw dump can be used to analyze the data [27]. This sort of examination comes in handy when the intruder does not write data to the non-volatile storage of the system during the attack, as it can help to recover encryption keys of hard drives and network connections. It can also help to trace previous network connections in parts of memory that are free but not overwritten, or check if network interfaces are being used in promiscuous mode. Figure 1 shows the different kinds of forensic techniques available today.
Fig. 1: Categories of forensics. The figure lists network forensics, system forensics, web forensics, digital forensics, computer forensics, cyber forensics, enterprise forensics, data forensics, proactive forensics, and e-mail forensics.
Thus, it is an essential branch of digital forensics, complementing other methods such as network forensics [26].
– Mobile phone forensics: It, for the most part, deals with the assessment and examination of mobile phones [27]. Using it, we can get hold of contacts, call logs, sent messages, recordings, and so on. Mobile phone forensics is a branch of digital forensics that assists with gathering digital data from a mobile device under forensically sound conditions. Mobile can refer to different devices, too, for example, laptops and tablets. Mobile phone forensics can be challenging for several reasons: it may be hard to isolate a device from the network, since most cell phones can connect using GSM, Bluetooth, and so forth, and they may reconnect automatically if the primary connection fails. Batteries may be non-removable, or encryption may pose challenges in obtaining data. Standard interface devices, for example, a keyboard or screen, may not be available. For these reasons, a wide assortment of tools is needed to dig data out of mobile phones.
– Cloud forensics: Cloud forensics includes the use of digital forensics with cloud computing [28]. Thus, various tools can be used to investigate crimes committed over the cloud. As data is spread between various data centers to ease load-balancing and scalability issues, data needs to be indexed efficiently. This would help to prevent duplication and improve performance. Thus, examination becomes easier, as pieces of evidence left by attackers are difficult to destroy [29].
– Cyber forensics: It involves the analysis of any kind of crime committed over the internet. Cyber Crimes can be committed against a person or property. They can also be committed against a government. Thus, cyber forensics helps to counteract any such activities.
– Operating system forensics: An OS is present in all computers as well as handheld devices. Thus, it is essential to have tools that can monitor any kind of activity going on [30]. This ensures that no malicious acts take place and, thus, no data loss. Nowadays, digital evidence is required to trace any kind of illegal activity, like phishing, espionage, and illegal downloads. Various tools [31–35] are being used to equip IT systems with the facility of tracing the footsteps of intruders. Security measures applied to computers as well as handheld devices can help to protect from any cyber-attacks [36].
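The phishing and spoofing indicators described under email forensics above can be checked mechanically from a message's headers and body. The following is an added example, not code from the chapter or from any tool it names: it parses a constructed sample message (every address, host and IP in it is a placeholder), compares the From domain against the Return-Path domain and the first Received relay, and flags anchors whose visible text is a URL on one host while the href points at a different host.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every address, host and IP is a placeholder,
# not a real sender or site.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-placeholder.test>
Received: from relay.mailer-placeholder.test (relay.mailer-placeholder.test [203.0.113.10])
\tby mx.corp.example with ESMTP; Mon, 1 Mar 2021 10:00:00 +0000
From: "IT Support" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://corp.example.login-placeholder.test/reset">https://corp.example/reset</a>
or read the <a href="https://corp.example/policy">policy page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def analyze_email(raw):
    """Return the header and link indicators an examiner would note first."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    # The topmost Received header names the relay that handed the mail to us.
    m = re.search(r"\bfrom\s+(\S+)", str(msg.get("Received", "")))
    relay = m.group(1).lower() if m else ""
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    # A link whose visible text is a URL on one host but whose href goes to
    # another host is the classic phishing lure.
    deceptive = [
        (text, href) for text, href in collector.links
        if text.lower().startswith(("http://", "https://")) and host_of(text) != host_of(href)
    ]
    return {
        "from_domain": domain_of(from_addr),
        "return_path_domain": domain_of(return_path),
        "first_relay": relay,
        "envelope_mismatch": domain_of(from_addr) != domain_of(return_path),
        "deceptive_links": deceptive,
    }


def indicators(report):
    """Human-readable findings for the case notes."""
    notes = []
    if report["envelope_mismatch"]:
        notes.append(f"From domain {report['from_domain']} differs from "
                     f"Return-Path domain {report['return_path_domain']}")
    for text, href in report["deceptive_links"]:
        notes.append(f"Link text {text} actually points to {href}")
    return notes


if __name__ == "__main__":
    for line in indicators(analyze_email(SAMPLE_EMAIL)):
        print(line)
```

The envelope mismatch alone is not proof of spoofing, since legitimate bulk mailers also send with a different Return-Path; it is the combination with a deceptive link and an unexpected first relay that an examiner records.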
Autopsy [37] is one of the software tools used by law firms and the military to gather digital evidence about an attack. It is a GUI for The Sleuth Kit, a Unix and Windows library for forensic investigation. It becomes more convenient as the results of the analysis and examination are displayed in the GUI. Autopsy is commonly used when multiple files and machines are being worked upon, and a central location is used for storing data. Software like SQL can be further used for accessing such stored information. The integrity of evidence can be maintained by performing hashing. It is available free of cost and has a simple GUI to operate. The use of the MD5 hash function for each file makes sure that the integrity of evidence is maintained [38]. This would also make search on the disk faster. While data can be previewed dynamically, recovered files can also be deleted. Networks become complicated with time, and many attacks become active to steal data and seize machines. In the case of network forensics [65], it is essential to capture packets across the network. Therefore, tools like Wireshark come in handy. Wireshark helps to capture such packets and analyze them so that any attack can be detected. It plays an essential role in network forensics. It can monitor the IP and MAC addresses across the network. TShark is the companion interface of Wireshark used to view the captured packets. It has become a popular sniffing tool [31]. Sometimes, investigators are unable to find relevant data when undercover investigations are going on. Section 4 describes some other popular forensic tools commonly used by forensic experts in investigations [61, 62].
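The paragraph above notes that Autopsy keeps an MD5 hash per file so that the integrity of evidence can be verified later. The following added example (not Autopsy's code) shows the underlying practice: build a hash manifest over an evidence directory, then re-verify it to detect modified, missing and added files. It records SHA-256 alongside MD5, because MD5 collisions are inexpensive to construct and a manifest may have to withstand a deliberate substitution rather than only accidental change. The sample evidence files are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 still catches accidental corruption, but a manifest that may face a
# deliberate substitution should also carry a collision-resistant digest.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20  # read evidence a megabyte at a time; disk images are large


def hash_file(path, algorithms=ALGORITHMS):
    """Stream one file through every requested digest in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Hash every file under root; keys are POSIX paths relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root, manifest):
    """Re-hash the tree and report what changed since the manifest was written."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed evidence set: build a manifest, tamper with the tree, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"meeting at 10\n")
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_bytes(b"Mar  1 10:00:01 sshd: Accepted publickey\n")
        (root / "empty.bin").write_bytes(b"")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)  # nothing has changed yet
        # Simulated post-acquisition tampering: edit, delete, and plant a file.
        (root / "notes.txt").write_bytes(b"meeting at 11\n")
        (root / "logs" / "auth.log").unlink()
        (root / "injected.bin").write_bytes(b"\x00" * 16)
        return manifest, clean, verify_manifest(root, manifest)


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print("after acquisition:", clean)
    print("after tampering:  ", tampered)
```

In practice the manifest is written out (for example as JSON) and itself hashed or signed at acquisition time, so that the verification step compares against a record the examiner controls rather than one stored beside the evidence.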
4 Popular forensic tools used for investigations
4.1 X-Ways Forensics [34]
It is an advanced platform for digital forensics examiners. It runs on all available versions of Windows. It claims not to be very resource hungry and to work efficiently. Its key features include the ability to read file system structures inside various image files, automatic detection of deleted or lost hard disk partitions, various data recovery techniques, powerful file carving, data authenticity, memory and RAM analysis, and more [63].
4.2 Registry Recon [39]
It is a well-known registry analysis tool. It extracts the registry data from the evidence and then reconstructs the registry representation. It can reconstruct registries from both current and previous Windows installations.
4.3 The Sleuth Kit (Autopsy) [40]
It is a Unix- and Windows-based tool which helps in the forensic examination of computers. It comes with various utilities which help in forensic investigation. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things. Autopsy is an easy-to-use, GUI-based program that allows us to analyze hard drives and smartphones efficiently. It has a plugin architecture that lets us find add-on modules or create custom modules in Java or Python.
4.4 Xplico [41]
Xplico is a network forensics analysis tool, which is software that reconstructs the contents of acquisitions performed with a packet sniffer (for example, Wireshark, tcpdump, Netsniff-ng). Xplico can extract and reconstruct all the Web pages and contents (images, files, cookies, etc.). It is an open-source network forensic analysis tool. It is basically used to extract useful data from applications that use the Internet and network protocols. It supports most of the popular internet protocols. Output data of the tool is stored in a SQLite or MySQL database. It also supports IPv4 and IPv6.
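Both Wireshark (Section 3) and Xplico work from packet captures, and the chapter notes that Wireshark can monitor IP and MAC addresses across the network. The following is an added example, not code from either project: it writes a small classic pcap file in memory from constructed Ethernet/IPv4/TCP frames, parses it back with only the standard library, and tabulates which MAC address each source IP was seen with, so that an IP claimed by two different MACs during the capture is surfaced for a closer look. All MAC and IP addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP SYN with zeroed checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                       64, PROTO_TCP, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    return eth + ipv4 + tcp + payload


def build_pcap(frames, first_ts=1614592800):
    """Serialize frames as a little-endian classic pcap file, one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per record: timestamp, MACs, and IPv4/TCP fields when present."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14:
            continue                       # truncated record: no full Ethernet header
        dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
        rec = {"ts": ts_sec + ts_usec / 1e6,
               "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac)}
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            fields = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
            ihl = (fields[0] & 0x0F) * 4    # IPv4 header length, options included
            rec.update(src_ip=str(IPv4Address(fields[8])),
                       dst_ip=str(IPv4Address(fields[9])), proto=fields[6])
            if fields[6] == PROTO_TCP and len(frame) >= 14 + ihl + 4:
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
        records.append(rec)
    return records


def ip_to_macs(records):
    """Map each source IP to the set of source MACs it was seen with."""
    seen = {}
    for rec in records:
        if "src_ip" in rec:
            seen.setdefault(rec["src_ip"], set()).add(rec["src_mac"])
    return seen


def conflicting_ips(records):
    """Source IPs claimed by more than one MAC during the capture."""
    return sorted(ip for ip, macs in ip_to_macs(records).items() if len(macs) > 1)


# Constructed capture: two hosts talk to a server, then 192.0.2.10 reappears
# behind a different MAC, which an investigator would want to explain.
SAMPLE_PCAP = build_pcap([
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", "192.0.2.10", "198.51.100.5", 40001, 443),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:ff", "192.0.2.11", "198.51.100.5", 40002, 80),
    build_frame("aa:bb:cc:00:00:99", "aa:bb:cc:00:00:ff", "192.0.2.10", "198.51.100.5", 40003, 443),
])

if __name__ == "__main__":
    for rec in parse_pcap(SAMPLE_PCAP):
        print(rec)
    print("IPs seen behind more than one MAC:", conflicting_ips(parse_pcap(SAMPLE_PCAP)))
```

An IP moving between MACs has benign explanations (DHCP reassignment, a replaced NIC), so the output is a lead to correlate with DHCP and switch logs, not a finding by itself.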
4.5 Volatility framework
This was introduced at Black Hat and is used for memory analysis and forensics. The Volatility Framework introduces people to the power of analyzing the runtime state of a system by using the data found in volatile storage (RAM). It also provides a cross-platform, modular, and extensible platform to enable further work in this area of research. It has become an essential digital investigation tool relied upon by law enforcement, military, academic, and commercial investigators throughout the world.
4.6 Coroner's Toolkit [42]
This is also a good digital forensic investigation tool. It runs under several Unix-related operating systems. It can be used to aid the analysis of computer disasters and data recovery.
4.7 Oxygen Forensic Suite [43]
It is excellent software for gathering evidence from a mobile phone to help in cases. This tool helps in acquiring device information (including manufacturer, OS, IMEI number, serial number) and contacts (messages, SMS, MMS), and in recovering deleted messages, call logs, and calendar information. It similarly permits you to access and analyze mobile phone data and files. It produces straightforward reports for better understanding.
4.8 Bulk extractor [44] bulk_extractor is another significant and well-known digital forensics tool. It scans disk images, files, or a directory of files to extract useful data. It ignores the file system structure, so it is faster than other comparable tools. It is mainly used by intelligence and law enforcement agencies in solving cyber crimes.
4.9 Mandiant Redline [45] Redline is a well-known tool for memory and file analysis. It gathers information about the running processes on a host and drivers from memory, and collects other data such as metadata, registry data, tasks, services, network information, and Internet history to build a proper report.
4.10 Computer Online Forensic Evidence Extractor (COFEE) [46] This tool was created by Microsoft for computer forensic investigators to gather evidence from Windows systems. It can be installed on a USB pen drive or an external hard disk. Plug the USB device into the target computer, and it begins a live investigation. It comes with 150 different tools and a GUI-based interface to command them. It is fast and can carry out the entire investigation in as few as 20 min. Microsoft offers free technical support for the tool to law enforcement agencies.
4.11 P2 eXplorer [47] This is a forensic image mounting tool that aims to help investigating officers with the examination of a case. With it, you can mount forensic images as read-only local and physical disks and then explore the contents of the image with a file explorer. You can view deleted data and the unallocated space of the image, and it can mount several images at a time. It works with most image formats, including EnCase, SafeBack, PFR, FTK DD, WinImage, raw images from Linux dd, and VMware images, and it supports both logical and physical image types.
4.12 Cellebrite UFED [48] Its solutions present a unified workflow that allows examiners, investigators, and first responders to collect, protect, and act decisively on mobile data with speed and accuracy, without ever trading off one for the other. The UFED Pro Series is intended for forensic examiners and investigators who require the most comprehensive, up-to-date mobile data extraction and decoding of new data sources. The UFED Field Series is intended to unify workflows across the field and the lab, making it possible to view, retrieve, and share mobile data using in-vehicle workstations, laptops, tablets, or a secure, self-service kiosk located at a station.
4.13 XRY [49] XRY is the mobile forensics tool developed by Micro Systemation (MSAB). It is used to analyze and recover critical data from mobile phones. The tool comes with a hardware device and software, which together act as an interface between mobile phones and computers for the investigation and extraction of data. It is designed to recover data for forensic investigation.
4.14 HELIX3 [50] HELIX3 is a digital forensic suite made for use in incident response. It comes with many open-source digital forensics tools, including hex editors, data carving, and password cracking tools. It can collect data from memory, user accounts, logs, the Windows Registry, applications, drivers, and Internet history.
5 Uses of computer forensic tools After investigating your system, you will want to figure out how the intrusion was carried out so you can keep it from happening again. If an attacker managed to get past your existing electronic defenses, then there is a loophole or hole in your security shield somewhere [48]. It may not be immediately obvious where this hole is, especially if the attacker is good at concealing their tracks. Forensic tools can help you backtrack their digital steps and discover the gaps so you can patch them [64].
5.1 Cleaning up and rebuilding You must figure out precisely what the attackers did, so you know how extensive the damage is and can take appropriate action. You do not want to miss any hacked servers or backdoor accounts. Using forensic tools can help you figure out where the bodies are buried, as it were. If the attacker deleted files, you may be able to recover some of them using forensic tools [51].
5.2 Criminal investigation If the damage done by an attacker is severe enough, you may want to consider pressing criminal charges. Simple web defacements or intrusions are generally not worth pursuing because of the significant costs involved. However, if your infrastructure or corporate reputation was substantially harmed, you may want to file criminal charges against your attacker. Your insurance company may also require that you file a police report to make a claim. Forensic tools help you identify your attackers so you can report them and supply the evidence to prosecute them [52]. There are a few things you should consider before proceeding down this path. For small damages, you can file a report with your local police department. Be aware that they often do not have the resources to pursue computer crime properly at the local level, and you may end up doing most of the investigative work yourself. You can use the tools described here to help with that effort. Just be careful that you do not contaminate the evidence, so that it remains useful in a court of law (see the sidebar on computer forensics). If the damages are large enough or involve a felony (for example, interstate or international commerce), you can take your case to the FBI. You can find contact information for your local FBI field office in your phone directory or on the web at www.fbi.gov. If the case involves a violation of federal law or actual dollar damages of over $25,000, they will probably take your case. Otherwise, they may refer you to local law enforcement. If you can show some involvement with terrorism or interstate fraud, you may get them involved for lesser amounts.
Run-of-the-mill hacking attacks will probably not be investigated intensively; there are too many incidents reported daily for the FBI to focus on anything that is not a significant case [53]. When it comes to having criminal charges filed against your attacker, proper forensic investigation becomes even more important. There is a heavy burden of proof in computer criminal cases. Tying a specific act performed under a user ID to a person is very difficult in a court of law. Typically, prosecutors need to prove that the person was actually at their keyboard using that account while the attack was occurring. Otherwise, there are numerous defenses available to the accused, for example, "Someone else used my password" or "I was hacked." Close attention is also paid to the chain of custody of any evidence gathered [54]. This refers to who has had access to the data and could have changed or modified it along the way. In a case like this, defer to the authorities, who may want to use their own data-collection methods. You may also want to use a third party who does this professionally to assist in your interaction with law enforcement.
5.3 Civil action If you find that pursuing criminal charges is impractical, you may still want to file a civil lawsuit to punish your attacker. Sometimes this is the only way you can get someone to stop their attacks. If the attacker is coming from another company, in the case of corporate espionage, or is unsanctioned, in the case of a rogue employee, you may have cause to file a lawsuit and collect significant damages. Although the burden of proof is lower in the civil courts, you must still be able to prove your case. The tools described here help you to do so. However, if the case is big enough and the stakes high enough, you should probably still hire a computer forensic expert rather than try to do it yourself [27].
5.4 Internal investigations If you suspect your intrusion may come from an internal source, you must track down this large source of business liability. An insider can do far more damage than an outsider, since they often know the personnel, systems, and data that could cause the most harm to an organization if exposed or compromised. Using these forensic tools, you can track them down. If disciplinary action is warranted, you have the evidence to back it up. Here, you do not want to be sued by a former employee for wrongful termination [55].
5.5 ISP complaints If you decide not to pursue the person attacking your system and they are still doing it, you may want to file a complaint with their ISP and try to shut them down. Frequently, this is the first course of action that does not cost a lot of money for organizations hit by a hacker attack. Using the forensic tools described here, you can follow the culprit's trail, at least as far as their ISP. Once you have traced the attacker this far, you can submit a formal complaint to the ISP, asking them to take further action. Most ISPs have acceptable use policies for their customers, which do not permit hacking. If you can show them sufficient proof, they will generally take action, ranging from a warning to terminating that customer's account. Because of privacy concerns, they will not, as a rule, disclose any personal information about the customer unless required to, but some ISPs are more helpful than others in this regard. Most of the major providers have a dedicated abuse email address to which you can send your messages [56]. You should make sure you have gathered sufficient information so they can identify your attacker. This would include IP addresses tied to specific times. Most ISPs give out dynamic IP addresses, which change each time someone logs on. Without time information to match against their logs, they probably will not be able to help you. If possible, give them multiple access times so they can correlate to the customer from several data points, since their log records may be out of sync with yours and the times will not match exactly. Also include any other data you may have, for example, logs of commands used, places they copied files to, and so on. The ISP may be a victim as well and will want this information to investigate further [57].
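The correlation the ISP's abuse desk has to perform, as an added Python example (not code from the chapter or from any ISP): the victim's sightings carry a local-time zone offset and are normalised to UTC, each is matched against the lease that held the dynamic address at that moment with a clock-skew tolerance, and an attribution is only reported when at least two sightings independently resolve to the same single subscriber. The sightings, the lease table, the subscriber identifiers and the five-minute skew are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed victim-side sightings: (timestamp with zone offset, source IP, what was seen).
SIGHTINGS = [
    ("2021-03-04T02:28:00+05:30", "203.0.113.77", "ssh brute force, 412 attempts"),
    ("2021-03-04T02:36:00+05:30", "203.0.113.77", "login success as 'backup'"),
    ("2021-03-05T23:58:30+05:30", "203.0.113.77", "scp of /etc/shadow"),
    ("2021-03-06T00:02:10+05:30", "203.0.113.91", "port scan"),
]

# Constructed ISP lease table (UTC start, UTC end, address, subscriber id); not real data.
LEASES = [
    ("2021-03-03T18:00:00Z", "2021-03-03T21:00:00Z", "203.0.113.77", "sub-1188"),
    ("2021-03-03T21:00:00Z", "2021-03-04T06:00:00Z", "203.0.113.77", "sub-2041"),
    ("2021-03-05T10:00:00Z", "2021-03-05T20:00:00Z", "203.0.113.77", "sub-2041"),
    ("2021-03-05T20:00:00Z", "2021-03-06T03:00:00Z", "203.0.113.77", "sub-0733"),
    ("2021-03-05T18:00:00Z", "2021-03-06T02:00:00Z", "203.0.113.91", "sub-0733"),
]

def to_utc(stamp):
    """Parse ISO-8601 and normalise to UTC. A naive (zone-less) time is rejected,
    because the ISP cannot match it against its own UTC logs."""
    if stamp.endswith("Z"):
        stamp = stamp[:-1] + "+00:00"
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError("naive timestamp cannot be correlated: " + stamp)
    return dt.astimezone(timezone.utc)

def candidates(sighting, leases, skew=timedelta(minutes=5)):
    """Subscribers whose lease of that address covers the sighting, with the lease
    window widened by the skew tolerance on both sides (victim and ISP clocks differ)."""
    when = to_utc(sighting[0])
    return {sub for start, end, ip, sub in leases
            if ip == sighting[1] and to_utc(start) - skew <= when < to_utc(end) + skew}

def attribute(sightings, leases, skew=timedelta(minutes=5), min_points=2):
    """Per source address: the subscriber, or None with a reason. A sighting that falls
    inside the skew window of a lease change is ambiguous and is discarded; the rest
    must agree on one subscriber and number at least min_points."""
    by_ip = {}
    for s in sightings:
        by_ip.setdefault(s[1], []).append(s)
    result = {}
    for ip, group in by_ip.items():
        clear = [c for c in (candidates(s, leases, skew) for s in group) if len(c) == 1]
        subs = {next(iter(c)) for c in clear}
        if len(clear) < min_points:
            result[ip] = (None, "need %d unambiguous sightings, have %d" % (min_points, len(clear)))
        elif len(subs) != 1:
            result[ip] = (None, "sightings map to different subscribers: " + ", ".join(sorted(subs)))
        else:
            result[ip] = (subs.pop(), "%d sightings agree" % len(clear))
    return result

def abuse_report(sightings):
    """Lines to send to the abuse desk: UTC time, address, event. Local times are useless to them."""
    return ["%s %s %s" % (to_utc(t).isoformat(), ip, what) for t, ip, what in sightings]

if __name__ == "__main__":
    for line in abuse_report(SIGHTINGS):
        print(line)
    for ip, (sub, why) in attribute(SIGHTINGS, LEASES).items():
        print(ip, "->", sub, "(%s)" % why)
```

The first sighting lands three minutes before the address changed hands, so with a five-minute tolerance it matches two subscribers and is thrown away rather than guessed; the two remaining sightings for 203.0.113.77 agree, while the single sighting for 203.0.113.91 is not enough on its own.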
6 Case studies using forensic tools
6.1 Autopsy There are many tools for forensic analysis these days, including ones that make use of machine learning and other techniques [58–60]. The first case study uses Autopsy to examine the files stored on a system. With Autopsy, the investigator can analyze deleted files, which helps in forensic investigations. Deleted files stay on the storage medium until they are overwritten, so it is possible to recover deleted evidence from a system until other software overwrites them. In this case study, Autopsy is used for identifying and recovering deleted files. The Sleuth Kit was first designed for Linux but has since been ported to Windows as well. The steps are as follows:
– Install Autopsy on your system.
– Create a new case and add it to a base directory.
– Click on Add Data Source.
– Select a Logical File Set or image you want to analyze.
Figures 2–4 depict the GUI of Autopsy. Figures 5 and 6 illustrate how forensic investigations are performed.
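To make concrete both the statement above that deleted files persist until overwritten and the earlier note that bulk_extractor-style scanning ignores the file system structure, here is an added Python example (not code from the chapter, from Autopsy, or from bulk_extractor). It builds a constructed raw image in memory in which two files have been unlinked from the directory, one of them with its last sector reused, and then carves by file signature alone: a JFIF JPEG (FF D8 FF E0 to FF D9) and a PNG (8-byte magic to the IEND chunk). The sector size, the image layout and the file contents are all assumptions of the example.

```python
import struct
import zlib

SECTOR = 512
MAX_CARVE = 64 * 1024  # give up on a header whose footer is not found within this many bytes

# (name, header, footer); the JPEG header is the JFIF variant, add FF D8 FF E1 for Exif files.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]

def make_jpeg(payload=b"A" * 300):
    """JPEG-shaped blob: SOI, a JFIF APP0 segment, filler, EOI (constructed sample, 322 bytes)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + payload + b"\xff\xd9"

def make_png(width=300, height=4):
    """Structurally valid 8-bit RGB PNG. IDAT is zlib level 0 (stored) so the file spans
    several sectors; the pixel pattern is printable ASCII, which contains no signature bytes."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xffffffff)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    pattern = bytes(range(0x20, 0x7f))
    row = b"\x00" + (pattern * (width * 3 // len(pattern) + 1))[: width * 3]
    idat = zlib.compress(row * height, 0)
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_image():
    """Constructed 16-sector image: sector 0 is a directory whose entries were cleared on delete,
    the JPEG sits intact at sector 2, the PNG at sector 6 has had its last sector reused."""
    img = bytearray(SECTOR * 16)
    img[0:SECTOR] = b"DIR: (entries cleared)".ljust(SECTOR, b"\x00")
    jpg, png = make_jpeg(), make_png()
    assert len(png) > SECTOR, "example needs the PNG to span more than one sector"
    img[SECTOR * 2: SECTOR * 2 + len(jpg)] = jpg
    img[SECTOR * 6: SECTOR * 6 + len(png)] = png
    last = (SECTOR * 6 + len(png) - 1) // SECTOR * SECTOR  # start of the PNG's final sector
    img[last: last + SECTOR] = b"NEW DATA".ljust(SECTOR, b"N")  # the overwrite that destroys IEND
    return bytes(img)

def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Signature carving: find every header, then the matching footer within max_len.
    No directory or allocation metadata is consulted, so unlinked files are still found,
    while a file whose footer sector was reused is reported as incomplete."""
    found = []
    for name, header, footer in signatures:
        start = image.find(header)
        while start != -1:
            window = image[start: start + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                found.append({"type": name, "offset": start, "complete": False, "data": None})
                nxt = start + len(header)
            else:
                data = window[: end + len(footer)]
                found.append({"type": name, "offset": start, "complete": True, "data": data})
                nxt = start + len(data)
            start = image.find(header, nxt)
    return sorted(found, key=lambda f: f["offset"])

def recover(image):
    """One (type, offset, complete, recovered_length) tuple per carved object."""
    return [(f["type"], f["offset"], f["complete"], len(f["data"]) if f["data"] else 0)
            for f in carve(image)]

if __name__ == "__main__":
    for entry in recover(build_image()):
        print(entry)
```

Running it reports the JPEG as fully recoverable from sector 2 even though no directory entry points to it, and the PNG at sector 6 as a header with no footer: its data was not merely deleted but overwritten, which is the case Autopsy's deleted-file view cannot undo either.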
Fig. 2: Selection of data.
Fig. 3: Selection of source.
Fig. 4: Configure ingest modules.
Fig. 5: Flow of data in the tool.
6.2 Wireshark Network forensic tools are the need of the hour as networks become more involved, with hackers launching attacks to steal people's identities [66–68]. These threats affect users, administrators, and forensic investigators alike [69–70]. When analyzing network-related attacks, it is essential to understand the origin of the attacks and to analyze packets; this can help administrators restore systems. Wireshark is a forensic tool used to analyze incoming and outgoing packets so that network problems can be troubleshot by identifying anomalies and suspicious patterns of packets. It is a free and open-source packet analyzer used to capture, analyze, and filter packets, and it helps the system administrator analyze network traffic, as shown in the following figures. The captured packets can be examined along with their protocols and source and destination addresses; the hex dump of each packet is shown in the bottom pane. Figure 7 depicts the monitoring of packets in Wireshark. Figure 8 shows how this information can be examined in the different panes. In Wireshark, display filters are used to analyze packets selectively, as shown in Fig. 9. It is also used to check the total number of packets, queries, and responses on the network for a specific protocol.
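The three things the paragraph says the tool is used for, as an added Python example that is not code from the chapter or from the Wireshark project: a small constructed pcap is written in memory, its Ethernet, IPv4, UDP and DNS headers are decoded with the standard library, and three functions reproduce the protocol hierarchy count, the DNS query-versus-response count, and a selective display filter of the form ip.addr == X && udp.dstport == 53. The addresses, host names and the port-53 heuristic for spotting DNS are assumptions of the example; Wireshark's real dissectors are far more thorough.

```python
import socket
import struct

CLIENT, RESOLVER, OTHER = "192.0.2.10", "192.0.2.53", "198.51.100.7"  # constructed addresses

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff

def eth_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP frame; MACs are placeholders, UDP checksum left 0 (legal on IPv4)."""
    eth = b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + udp

def dns_msg(txid, qname, response):
    """Minimal DNS message: header, one question, and one A answer when response=True."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, int(response), 0, 0)
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00" + struct.pack("!HH", 1, 1)
    ans = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.5")) if response else b""
    return hdr + q + ans

def pcap_bytes(frames):
    """libpcap file: global header (magic 0xa1b2c3d4, LINKTYPE_ETHERNET=1), then one record per frame."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture: one answered lookup, two unanswered ones (the last to a non-resolver), one plain UDP datagram.
SAMPLE_PCAP = pcap_bytes([
    eth_ipv4_udp(CLIENT, RESOLVER, 40001, 53, dns_msg(1, "example.com", False)),
    eth_ipv4_udp(RESOLVER, CLIENT, 53, 40001, dns_msg(1, "example.com", True)),
    eth_ipv4_udp(CLIENT, RESOLVER, 40002, 53, dns_msg(2, "update.example.net", False)),
    eth_ipv4_udp(OTHER, CLIENT, 5000, 6000, b"not dns"),
    eth_ipv4_udp(CLIENT, OTHER, 40003, 53, dns_msg(3, "c2.invalid", False)),
])

def _qname(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1: off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)

def parse_pcap(data):
    """Yield one dict per record with the columns Wireshark's packet list shows."""
    if struct.unpack("<I", data[:4])[0] != 0xa1b2c3d4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    pos, no = 24, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16: pos + 16 + incl]
        pos += 16 + incl
        no += 1
        pkt = {"no": no, "time": ts_sec + ts_usec / 1e6, "proto": "ETH", "src": None, "dst": None}
        if struct.unpack("!H", frame[12:14])[0] == 0x0800:
            ip = frame[14:]
            ihl = (ip[0] & 0x0f) * 4
            pkt.update(proto="IPv4", src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]))
            if ip[9] == 17:
                sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
                pkt.update(proto="UDP", sport=sport, dport=dport)
                payload = ip[ihl + 8: ihl + ulen]
                if 53 in (sport, dport) and len(payload) >= 12:  # port heuristic, an assumption
                    txid, flags = struct.unpack("!HH", payload[:4])
                    pkt.update(proto="DNS", dns_id=txid, dns_response=bool(flags & 0x8000),
                               qname=_qname(payload, 12))
        yield pkt

def protocol_hierarchy(pcap):
    """Packets per innermost protocol, like Statistics > Protocol Hierarchy."""
    counts = {}
    for p in parse_pcap(pcap):
        counts[p["proto"]] = counts.get(p["proto"], 0) + 1
    return counts

def dns_stats(pcap):
    """Query and response totals plus the names that never got an answer."""
    queries, responses = {}, set()
    for p in parse_pcap(pcap):
        if p["proto"] == "DNS":
            (responses.add(p["dns_id"]) if p["dns_response"] else queries.__setitem__(p["dns_id"], p["qname"]))
    unanswered = sorted(q for i, q in queries.items() if i not in responses)
    return {"queries": len(queries), "responses": len(responses), "unanswered": unanswered}

def display_filter(pcap, ip=None, proto=None, dport=None):
    """Packet numbers matching a filter such as ip.addr == ip && udp.dstport == dport."""
    return [p["no"] for p in parse_pcap(pcap)
            if (ip is None or ip in (p["src"], p["dst"]))
            and (proto is None or p["proto"] == proto)
            and (dport is None or p.get("dport") == dport)]

if __name__ == "__main__":
    print(protocol_hierarchy(SAMPLE_PCAP))
    print(dns_stats(SAMPLE_PCAP))
    print(display_filter(SAMPLE_PCAP, ip=CLIENT, proto="DNS", dport=53))
```

The unanswered-query list is the kind of anomaly the paragraph has in mind: a lookup sent to an address that is not the site's resolver, and never answered, stands out immediately once the capture is reduced to counts and filters rather than read packet by packet.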
Fig. 6: Final results of the tool.
Fig. 7: Monitoring the IP and protocols of information.
Fig. 8: Monitoring information flow in tool.
Fig. 9: Detailed information on a specific protocol.
7 Conclusion and future work The use of forensic tools is essential as a great deal of personal information is accessible on the web, be it on online social networks or other Internet-based services. Unfortunately, gathering data to reconstruct and attribute an attack can seriously compromise security, and it runs into further obstacles when cloud computing is involved. This chapter reviews the use of digital forensics in the investigation of cyber crimes to gather evidence. Forensic tools are essential for analyzing any kind of data, from text to video, and for dealing with intrusions into operating systems, networks, and so on. Much work is being done in the domain of forensic investigations, as there are multiple issues related to the storage and retrieval of large volumes of data. As digital information is traded on a large scale, digital evidence is needed to establish what kind of tampering was done to essential data. This is illustrated here by the analysis of files stored on the Windows operating system using the Autopsy interface to The Sleuth Kit. In the future, the authors will work on more aspects of privacy preservation using forensic tools.
References
[1] Richard III, G. G., Roussev, V. 2006. Next-generation digital forensics. Communications of the ACM, 49(2), 76–80.
[2] Casey, E. 2009. Handbook of Digital Forensics and Investigation, Academic Press, Elsevier, United States.
[3] Nance, K., Hay, B., Bishop, M., 2009, January. Digital forensics: defining a research agenda. In 2009 42nd Hawaii International Conference on System Sciences, 1–6, IEEE.
[4] Holt, T. J., Bossler, A. M., Seigfried-Spellar, K. C. 2015. Cybercrime and Digital Forensics: An Introduction, Routledge, Taylor and Francis, United Kingdom.
[5] Taylor, R. W., Fritsch, E. J., Liederbach, J. 2014. Digital Crime and Digital Terrorism, Prentice Hall Press, One Lake Street, Upper Saddle River, NJ, United States.
[6] Nance, K., Bishop, M., 2017. Deception, Digital Forensics, and Malware Minitrack (Introduction).
[7] Nance, K., Bishop, M., 2017, January. Introduction to deception, digital forensics, and malware minitrack. In Proceedings of the 50th Hawaii International Conference on System Sciences.
[8] Kävrestad, J. 2017. Guide to Digital Forensics: A Concise and Practical Introduction, Springer, Switzerland.
[9] Hassan, N. A. 2019. Introduction: Understanding Digital Forensics. In: Nihad A. Hassan (ed.) Digital Forensics Basics. Apress, Berkeley, CA, 1–33.
[10] Chen, L., Takabi, H., Le-Khac, N. A. eds. 2019. Security, Privacy, and Digital Forensics in the Cloud, John Wiley & Sons, United States.
[11] Casey, E. 2011. Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Academic Press, United States.
[12] Stallard, T., Levitt, K., 2003, December. Automated analysis for digital forensic science: Semantic integrity checking. In 19th Annual Computer Security Applications Conference, 2003. Proceedings, 160–167, IEEE.
[13] Vincze, E. A. 2016. Challenges in digital forensics. Police Practice and Research, 17(2), 183–194.
[14] Parvez, M. M., Hossain, S. A., Ali, S. M. R., 2017, March. Design and implementation of low cost digital forensic laboratory for university. In 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), 1524–1528, IEEE.
[15] Khalaf, R. S., Varol, A., 2019, June. Digital forensics: Focusing on image forensics. In 2019 7th International Symposium on Digital Forensics and Security (ISDFS), 1–5, IEEE.
[16] Ozel, M., Bulbul, H. I., Yavuzcan, H. G., Bay, O. F. 2018. An analytical analysis of Turkish digital forensics. Digital Investigation, 25, 55–69.
[17] Pollitt, M., 2010, January. A history of digital forensics. In IFIP International Conference on Digital Forensics, 3–15, Springer, Berlin, Heidelberg.
[18] Scientific Working Group on Digital Evidence (SWGDE) and United States of America, 2000. Digital Evidence: Standards and Principles.
[19] Blyth, T. 2013. Narratives in the History of Computing: Constructing the Information Age Gallery at the Science Museum. In: Tatnall A., Blyth T., Johnson R. (eds) Making the History of Computing Relevant. HC 2013. IFIP Advances in Information and Communication Technology. Springer, Berlin, Heidelberg, 25–34.
[20] Whitcomb, C. M. 2002. An historical perspective of digital evidence: A forensic scientist's view. International Journal of Digital Evidence, 1(1), 7–15.
[21] Shrivastava, G. 2017. Approaches of network forensic model for investigation. International Journal of Forensic Engineering, 3(3), 195–215.
[22] Shrivastava, G., 2016. Network forensics: Methodical literature review. In 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), 2203–2208, IEEE.
[23] Karresand, M., Shahmehri, N., 2006, May. Oscar – file type identification of binary data in disk clusters and ram pages. In IFIP International Information Security Conference, 413–424, Springer, Boston, MA.
[24] Ma, W., Li, R. 2019. Digital Forensics for Frame Rate Up-Conversion in Wireless Sensor Network. In: Al-Turjman F. (ed.) Artificial Intelligence in IoT. Transactions on Computational Science and Computational Intelligence. Springer, Cham, 151–166.
[25] Khan, M. Z., Husain, M. S., Shoaib, M. 2020. Introduction to Email, Web, and Message Forensics. In: Mohammad Shahid Husain and Mohammad Zunnun Khan (eds.) Critical Concepts, Standards, and Techniques in Cyber Forensics. IGI Global, Ministry of Higher Education, Oman, Integral University, India, 174–186.
[26] Morovati, K., Kadam, S. S. 2019. Detection of phishing emails with email forensic analysis and machine learning techniques. International Journal of Cyber-Security and Digital Forensics, 8(2), 98–108.
[27] Case, A., Richard III, G. G. 2017. Memory forensics: The path forward. Digital Investigation, 20, 23–33.
[28] Joseph, P., Norman, J. 2020. Systematic memory forensic analysis of ransomware using digital forensic tools. International Journal of Natural Computing Research (IJNCR), 9(2), 61–81.
[29] Su, Q., Xi, B., 2017, March. Key technologies for mobile phone forensics and application. In 2017 2nd International Conference on Multimedia and Image Processing (ICMIP), 335–340, IEEE.
[30] Manral, B., Somani, G., Choo, K. K. R., Conti, M., Gaur, M. S. 2019. A systematic survey on cloud forensics challenges, solutions, and future directions. ACM Computing Surveys (CSUR), 52(6), 1–38.
[31] Cameron, L., 2018. Future of digital forensics faces six security challenges in fighting borderless cybercrime and dark web tools.
[32] Roussev, V. 2009. Hashing and data fingerprinting in digital forensics. IEEE Security & Privacy, 7(2), 49–55.
[33] Banerjee, U., Vashishtha, A., Saxena, M. 2010. Evaluation of the capabilities of Wireshark as a tool for intrusion detection. International Journal of Computer Applications, 6(7), 1–5.
[34] Wu, W., Zhao, G., Lai, W., Lan, J., 2016, May. Research on NTFS file anti-delete forensic technology. In 2016 2nd Workshop on Advanced Research and Technology in Industry Applications (WARTIA-16). Atlantis Press.
[35] Malan, D. F., Van Der Walt, S. J., Raidou, R. G., Van Den Berg, B., Stoel, B. C., Botha, C. P., ... Valstar, E. R. 2016. A fluoroscopy-based planning and guidance software tool for minimally invasive hip refixation by cement injection. International Journal of Computer Assisted Radiology and Surgery, 11(2), 281–296.
[36] Montasari, R., Hill, R., 2019, January. Next-generation digital forensics: Challenges and future paradigms. In 2019 IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3), 205–212, IEEE.
[37] Sindhu, K. K., Meshram, B. B. 2012. Digital forensic investigation tools and procedures. International Journal of Computer Network and Information Security, 4(4), 39.
[38] Truong, J., 2017. File survival on USB drive.
[39] Recon, A., 2014. Arsenal image mounter.
[40] Carrier, B., 2011. The Sleuth Kit (TSK). sleuthkit.org.
[41] Al-Hadadi, M., AlShidhani, A. 2013. Smartphone forensics analysis: A case study. International Journal of Computer and Electrical Engineering, 5(6), 576.
[42] Garfinkel, S. L. 2013. Digital media triage with bulk data analysis and bulk_extractor. Computers & Security, 32, 56–72.
[43] Van De Wiel, E., Scanlon, M., Le-Khac, N. A., 2018, January. Enabling non-expert analysis of large volumes of intercepted network traffic. In IFIP International Conference on Digital Forensics, 183–197, Springer, Cham.
[44] Neware, R. 2017. Computer forensics for private web browsing of UC browser. IOSR Journal of Computer Engineering (IOSR-JCE), 19(4), 56–60.
[45] Cohen, C. L. 2007. Growing challenge of computer forensics. Police Chief, 74(3), 24.
[46] Liu, H., Azadegan, S., Yu, W., Acharya, S., Sistani, A. 2012. Are we relying too much on forensics tools? In: Lee R. (ed.) Software Engineering Research, Management and Applications 2011. Springer, Berlin, Heidelberg, 145–156.
[47] Taylor, T., Araujo, F., Kohlbrenner, A., Stoecklin, M. P., 2018, June. Hidden in plain sight: Filesystem view separation for data integrity and deception. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 256–278, Springer, Cham.
[48] Savoldi, A., Gubian, P., Echizen, I., 2010, January. Uncertainty in live forensics. In IFIP International Conference on Digital Forensics, 171–184, Springer, Berlin, Heidelberg.
[49] Wang, P., Rosenberg, M., D'Cruze, H. 2018. Integration of Mobile Forensic Tool Capabilities. In: Shahram Latifi (ed.) Information Technology – New Generations. Springer, Cham, 81–87.
[50] Davidoff, S., Ham, J. 2012. Network Forensics: Tracking Hackers Through Cyberspace, Vol. 2014, Prentice Hall, Upper Saddle River.
[51] Umair, A., Nanda, P., He, X., 2017. Online social network information forensics: A survey on use of various tools and determining how cautious Facebook users are? In 2017 IEEE Trustcom/BigDataSE/ICESS, 1139–1144, IEEE.
[52] Meghanathan, N., Allam, S. R., Moore, L. A., 2010. Tools and techniques for network forensics. arXiv preprint arXiv:1004.0570.
[53] Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S., 2012, January. Novel anti-forensics approaches for smart phones. In 2012 45th Hawaii International Conference on System Sciences, 5424–5431, IEEE.
[54] Talib, M. A., Alnanih, R., Khelifi, A. 2020. Application of quality in use model to assess the user experience of open source digital forensics tools. International Journal of Electronic Security and Digital Forensics, 12(1), 43–76.
[55] Umar, R., Riadi, I., Zamroni, G. M. 2018. Mobile forensic tools evaluation for digital crime investigation. International Journal of Advance Science Engineering Information Technology, 8(3), 949.
[56] Li, S., Choo, K. K. R., Sun, Q., Buchanan, W. J., Cao, J. 2019. IoT forensics: Amazon Echo as a use case. IEEE Internet of Things Journal, 6(4), 6487–6497.
[57] Ogden, R. 2008. Fisheries forensics: the use of DNA tools for improving compliance, traceability, and enforcement in the fishing industry. Fish and Fisheries, 9(4), 462–472.
[58] Shrivastava, G., Sharma, K., Khari, M., Zohora, S. E. 2018. Role of Cyber Security and Cyber Forensics in India. In: Gulshan Shrivastava, Prabhat Kumar, B. B. Gupta, Suman Bala and Nilanjan Dey (eds.) Handbook of Research on Network Forensics and Analysis Techniques. IGI Global, 143–161.
[59] Shrivastava, G., Peng, S. L., Bansal, H., Sharma, K., Sharma, M. eds. 2020. New Age Analytics: Transforming the Internet through Machine Learning, IoT, and Trust Modeling, Apple Academic Press, New York.
[60] Sharma, K., Makino, M., Shrivastava, G., Agarwal, B. eds. 2019. Forensic Investigations and Risk Management in Mobile and Wireless Communications, IGI Global, USA.
[61] Casey, E. ed. 2001. Handbook of Computer Crime Investigation: Forensic Tools and Technology, Elsevier, USA.
[62] Wazid, M., Katal, A., Goudar, R. H., Rao, S., 2013, April. Hacktivism trends, digital forensic tools, and challenges: A survey. In 2013 IEEE Conference on Information & Communication Technologies, 138–144, IEEE.
[63] Gadgil, P., Nagpure, S., 2019. Analysis of Advanced Volatile Threats Using Memory Forensics. Available at SSRN 3358798.
[64] Garfinkel, S. L. 2010. Digital forensics research: The next 10 years. Digital Investigation, 7, S64–S73.
[65] Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. eds. 2018. Handbook of Research on Network Forensics and Analysis Techniques, IGI Global.
[66] Kotsiuba, I., Skarga-Bandurova, I., Giannakoulias, A., Bulda, O., 2019, December. Basic forensic procedures for cyber crime investigation in smart grid networks. In 2019 IEEE International Conference on Big Data (Big Data), 4255–4264, IEEE.
[67] Khari, M., Shrivastava, G., Gupta, S., Gupta, R. 2017. Role of Cyber Security in Today's Scenario. In: Raghavendra Kumar, Prasant Kumar Pattnaik, Priyanka Pandey (eds.) Detecting and Mitigating Robotic Cyber Security Risks. IGI Global, 177–191.
[68] Raghavan, S., Raghavan, S. V., 2013, November. A study of forensic & analysis tools. In 2013 8th International Workshop on Systematic Approaches to Digital Forensics Engineering (SADFE), 1–5, IEEE.
[69] White, J., Charlton, W. S., Solodov, A., Tobin, S. J., 2010, July. Applications of X-Ray Fluorescence and Fission Product Correlations for Nuclear Forensics. In Proceedings of the 51st Annual Meeting for the Institute of Nuclear Materials Management, Baltimore, Maryland, 11–15.
[70] Garfinkel, S., Farrell, P., Roussev, V., Dinolt, G. 2009. Bringing science to digital forensics with standardized forensic corpora. Digital Investigation, 6, S2–S11.
Swati Gupta, Puneet Garg
An insight review on multimedia forensics technology Abstract: Crime is becoming the principal problem of our society step by step, so it is necessary to find ways to overcome it; that is why the term "multimedia forensics" was introduced. Multimedia forensics can be defined as the science of analyzing a digital asset for an assessment with some specific purpose, to extract some significant information, as in some kind of examination of a digital document. Multimedia forensics provides the means to test digital data from a source, which may be an authorized image, order, or any other document used for identification in forensics. Multimedia forensics covers images, video, audio, and so on. In multimedia forensic techniques, the focus is on identifying the source digital device, which may be a mobile phone, digital camera, and so on, with the help of the media; similarly, the forensic media reveals the evidence by which it was obtained. To prevent false detection, the characteristic dust spots of the lens are used; all results depend on detecting these lens artifacts, even under heavy compression and downsampling. Investigation of a crime is a complex process that starts at the crime scene, continues in the lab for in-depth investigation, and ends in the courtroom, where the final judgment is made. Investigators need support in all these steps to make their jobs as effective and efficient as possible. Now the question arises as to why multimedia forensics is required. A few answers are: to gather the evidence before it is lost or destroyed, as powerful editing tools exist that can alter it. Keywords: digital forensic, multimedia forensic, forensic investigation, cyber forensic, database forensic, network forensic
1 Introduction In criminal and civil legal actions, digital evidence helps us countless times. Digital evidence plays an especially important role in the investigation of cases; however, both depend on the government and legal agencies. In digital forensics, the process is the collection of data, how to present the data, how to analyze the results, and in the end how to present the evidence in court with the help of digital sources. Multimedia information systems manage communication, multimedia data, images, video, and audio; they also manage text data. It is necessary to ensure that the data is protected from unauthorized access, so various techniques are used for the investigation, but which technique is applied to the multimedia data depends only on the crime. Before applying a technique, the user goes through the various techniques and then considers the access control policy; after studying all of these, the user is able to decide which method is suitable for which data; this is the first step. Then the user finds out the availability of digital libraries that can help in the investigation; this is the second step of the whole process. The third step is to establish the security of the multimedia communication to secure the data. The last step is that the data is handed over to national security analysis for monitoring. Multimedia is not only used to represent things or our views; it is also information about production and thinking. Because of the ease of access, low cost, and simplicity of working with digital data, authenticating it has become difficult in the present time, so it is easy for different users to manipulate and process an image or video any number of times. Digital forensics is a subfield of forensic science; the definition of digital forensics was given at the first Digital Forensic Research Workshop. Due to digital sensors, it becomes more complex: sensors can easily capture every part of reality and transform it into a digital representation. To test the source of digital sensor data, multimedia forensics provides better techniques; it covers audio, video, and image content. Image forensics analyzes an image using image processing techniques.
Swati Gupta, Vaish College of Engineering, Rohtak, Haryana, India, e-mail: swati.mangla.[email protected]
Puneet Garg, J. C. Bose University of Science and Technology YMCA, Faridabad, Haryana, India, e-mail: [email protected]
https://doi.org/10.1515/9783110677478-002
2 History
The first digital forensic evidence came in the 1970s and the work was started by the US federal government; real investigations started in the 1980s, when agents began seizing computers while searching for evidence. The process continued in the 1990s, when researchers started to identify problems with the investigation process. In forensics the scenario has become more complex because of the wider use of sensors: since sensors capture pictures and sounds, events are recorded much more clearly in digital form, and the digital representation gives better results from an investigation point of view. According to the report of the DFRWS (Digital Forensic Research Workshop), held in August 2001 in Utica, New York, digital forensics is “The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources to facilitate or further the reconstruction of events found to be criminal or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
29
An insight review on multimedia forensics technology
For the last couple of years forensics has grown dynamically and has brought together researchers from different communities such as multimedia security, computer forensics, and signal and image processing. Multimedia forensics gives a tested source of digital sensor data with which to authenticate an image and to test its integrity. Multimedia data contains images, audio and video, and those images are processed and reconstructed by experts using an image processing system [1]. Because of the availability of multimedia editing tools, falsifying images and videos has become widespread in the last few years. From the discussion and overview above it is clear that multimedia forensics has become an important and authenticated tool for investigation. Digital and multimedia forensics proceed along three strands. According to the Digital Forensic Research Workshop, three types of communities have a conflict of interest in computer forensics. The “homegrown” bottom-up approach started in the 1990s, when labs and security researchers began their work. Figure 1 describes the social media investigation for law enforcement.
Fig. 1: Social media investigation for law enforcement. (Figure labels: Source (possibly untraceable); Original; Forgery; Publications in web platforms; Altered & resaved versions; Forensic Analysis.)
3 Taxonomy
Analog forensics was used earlier; nowadays it is not used for investigations, since mainly digital forensics is used, and which method is applied depends on the crime. The taxonomy of digital forensics is shown in Fig. 2. The main aim of digital forensics is to produce legal evidence in court. A digital forensic evaluation should be controlled and supervised to ensure forensic soundness at every step of the chain [2]. The digital forensic approach represents a clear and true picture of privacy and protection. Digital evidence plays an important role in civil cases. Digital forensics is also used to trace and track terrorists, and it helps soldiers as well, in the form of electronic devices [3]. Fig. 3 defines how the process of digital forensics is carried out. The various parts of the multimedia forensics technology taxonomy are as follows:
3.1 Live forensics
Live forensics is a subfield of digital forensics: it is the process of searching memory in real time. The technique is designed to address the problem of evaporating (volatile) evidence. It is also used in the enterprise when the media are not nearby to collect data for the investigation, and the investigation is made possible by the amount of data [4]. It is used to improve efficiency and to obtain volatile data, but it is very difficult to apply to virtual machines, even though virtualization is booming and its popularity increases day by day [5]. It is based on active connections, processes, fragments and memory, and it is used to collect volatile data. It is a tool that can be used to collect intercepts, gather information, and pass the results to the authorities of the relevant member states that requested the investigation. Three questions must be answered before the investigation: (a) Is a live forensic investigation mandatory in this case? (b) If yes, what data needs to be collected for the investigation? (c) How can the data be collected, and how can its authenticity be ensured?
Fig. 2: Taxonomy of digital forensics. (Figure labels: Digital Forensics, with branches Multimedia Forensics, Cyber Forensics, Live Forensics, Database Forensics, Network Forensics, Mobile Forensics.)
Fig. 3: Investigation process of digital forensics. (Figure stages: Possession, Recognition, Physical Context, Logical Context, Legal Context, Evaluation, Admission as evidence.)
To answer the first question it is necessary to check whether a live investigation is needed. To answer the second, the user needs to find the places or areas from which the data is collected. To answer the third, an authentic person or machine is required for the verification, and that person or machine must itself be verified.
3.2 Database forensics
Database forensics is another subfield of digital forensics. It is the forensic study of databases and their metadata. It is not based upon database recovery; the main aim of this technique is to rebuild metadata from the failed database. The following database scenarios require investigation: (i) Failure of a database (ii) Deletion of information from the database (iii) Inconsistencies of the data in the database (iv) Detection of suspicious behavior of users. Specialists as a rule use a read-only strategy while interacting with the data so that the data is not compromised. The methodologies of database forensics are shown in Fig. 4; the reconstruction process is followed only when the expert wants some very essential information from the database. There are two research areas: (a) Reactive approach (b) Proactive approach
Fig. 4: Database forensics methodologies. (Figure stages: Investigation Preparedness, Incident Verification, Artifact Collection, Artifact Analysis.)
3.3 Network forensics
Network forensics is also a type of digital forensics, and a new field within it. Network forensics works on dynamic data. It is a continuous process in which an investigator continuously analyzes events to find security issues [6]. There are two uses of network traffic analysis: the first relates to security and the second to law enforcement. The first involves monitoring the network and detecting intrusions; the second involves reassembling the files that were transferred. In the investigation phase the following rules must be followed: (a) Identification (b) Preservation (c) Collection (d) Examination (e) Analysis (f) Presentation (g) Decision
3.4 Cyber forensics
Computers are machines that form some physical reality. The principle of exchange is applied in cyber forensics. The evaluation of electronic data is carried out scientifically so that the information can be used in court as a piece of evidence [7]. Cyber forensics uses the process of DFS. Many organizations use cyber forensics for investigation purposes, but only when they have the fullest understanding of the standards. Cyber forensics focuses on three levels: acquire, authenticate, analyze. Historically, digital forensics was the domain of law enforcement. Digital forensics includes the examination of devices and of data from a computing device; it describes the use of scientific techniques to obtain the facts and truth of the crime with the help of computers [7]. (a) It works as an important tool in the real world to find out the crime. (b) It assists in discovering the crime from the central point. (c) Memory forensics and network forensics also come under this type of forensics.
3.5 Mobile forensics
Mobile devices reside between three modes: IoT, cloud computing and big data. The main aim of mobile forensics is to retrieve digital evidence or related data from a mobile device. Mobile forensics needs to fix exact rules for analyzing and presenting digital evidence from the device. In mobile forensics, mobile phones are examined for their internal memory and communication capability [6]. Fig. 5 shows the mobile forensics classification with the help of a pyramid. There are two problems in the mobile forensics process: (i) lock activation and (ii) network connection. Mobile forensics has some features: it is more invasive, requires more training, has longer analysis times, and is more technical.
Fig. 5: Mobile forensics classification. (Pyramid levels: Micro read; Chip Off; Hex Dump / JTAG; Logical Extraction; Manual Extraction.)
3.6 Multimedia forensics
Multimedia is an important class of digital data. When media enters daily life to such a high degree, it is not so easy to hide anything from multimedia. Because of the advances in multimedia technology, people enjoy and spread their thoughts across the world. But along with the benefits there are drawbacks: anybody can easily be manipulated with voice, image and video, so this becomes a complex hurdle for the investigation group during the investigation process. Multimedia forensics emerged in mid-2001, and for the last few years its usage has been increasing rapidly. In digital media, the first step is seizure. Multimedia forensics technology is helpful in daily communication and for interaction or sharing content [7]. Digital image and digital audio/video forensics are also covered by this type of forensics, and mobile devices come under this type of technique. It is not about scrutinizing the interpretation of digital media. Like cyber forensics, multimedia forensics depends on digital evidence. Multimedia forensics is growing day by day and brings together researchers from different fields such as security, imaging and signal processing [8]. There are two approaches to multimedia forensics: (a) manipulation detection and (b) identification, taken separately. These methods are used to investigate things for authenticity. Figure 6 shows the approaches of multimedia forensics, which involve (i) a passive approach and (ii) an active approach. The passive approach covers video, image and audio data, and the active approach covers the techniques of digital fingerprinting and digital watermarking. There are many ways in which multimedia can be exposed.
In multimedia forensics it is assumed that the investigator has no prior information from which to deduce efficiently; the technique is therefore called “blind” [9], and the main focus is on two main sources: – Attributes of acquisition devices can be analyzed for their quality or uniformity. – Traces left by the last processing operation can be discovered in manipulation detection.
Fig. 6: Multimedia forensics approach. (Figure labels: Multimedia Forensics; Passive Approach: Video, Image, Audio; Active Approach: Digital Fingerprint, Digital Watermark.)
4 Applications
Various applications of multimedia forensics technologies are as follows:
4.1 Prototype multimedia systems and platforms
A prototype multimedia system works for multimedia forensics. It is also called multimedia on the information superhighway, and it may be characterized as guaranteeing the creation of a new industry. This term has been popular since 1990 to refer to the digital communication system and the internet telecommunication network. At the focal point of the superhighway is multimedia technology; so far it can only walk, yet it is being pushed to open up the conduit to the information paradise. At present the program is broadcast on TV and the timetable is fixed in advance.
4.2 Home
Multimedia forensics is a helpful technique in homes for video on demand, interactive TV, online shopping, remote home care, electronic albums, etc. All of these are helpful in multimedia forensics and are also beneficial for the home. Multimedia forensics also helps in our daily life. (i) Video-on-demand: Some subscriber lines are required, and a number of viewers receive the video through those communication lines and access the TV by telephone to request a program or video. This process is known as video on demand. In this way teleshopping, tele-travelling, and tele-education can be established. Some years back optical fiber links were used for communication, but now digital subscriber lines are used for data transmission. (ii) Interactive TV: These TV services are attached to data services. The main goal of interactive TV is to provide an attractive experience to the viewer. It is an approach to TV advertising and programming that allows viewers to communicate with the advertisers and the executives of the program. It is a two-way cable channel that permits a user to interact and to send feedback in the form of commands. The set-top box is part of interactive television and can be used by the user to select programs. (iii) Home shopping: It is also known as e-shopping. Privacy remains the same, and it allows a customer to purchase goods. Home delivery systems are television, phone, and internet. In home shopping, online shopping plays an important role in today’s life. In the online shopping concept, products can be delivered directly to the customer’s address. It saves physical energy, time, and the cost of travelling. However, in this type of shopping bargaining is not possible
and a fixed-price system is followed. But if the comparison technique is used by the user then money can be saved. Home shopping is much better than physical shopping: convenience to the client, a variety of items, and simple comparison; web-based tracking is possible, but bargaining is impossible and the quality of the item cannot be judged. (iv) Remote home care: It is also known as remote medical care. It is a telemedicine service in which patients can be monitored and treated remotely. The service is performed at the patient’s home. It is made possible by mobile devices: the results are transmitted to the remote medical care service, and with the help of the results they can analyze and detect the symptoms and start to treat the patient. The benefits of home care are quick recovery and reduction of the pain level. The main benefit for patients is that they feel comfortable in a familiar environment, so the speed of recovery increases. (v) Electronic album: It is music that engages electronic instruments and digital music-based technology. In this, a sound can be produced by any musical instrument, which must be electronic. These instruments are also known as electromechanical because they use some mechanical device to produce sound, such as loudspeakers, power amplifiers, and pickups. Demand for them increases step by step and the technology develops itself; in the nineteenth century the instruments were huge, but nowadays things have changed, the size has decreased, and the instruments have become better. (vi) Personalized electronic journal: Electronic journals will change the future of research both in their function and in their results. For example, browsing and searching are far better than in the print environment. Personalized means that, by customizing the user interface, things are provided according to the needs of the user. But for this it is necessary to give personal details to maintain the record.
Personalization implies obtaining the user’s data; for this a portal is created, like Yahoo and Gmail. In the personalized e-journal it is mandatory to fill in the required details in the form, and only then can the user access the journal.
4.3 Education and training
Nowadays multimedia plays an important role in education: it helps in distance learning, CAI, the encyclopedia of multimedia, and interactive training, because communication is especially useful for collecting information. (i) Computer-aided instruction: Computer-aided instruction has become important because with it every program becomes easy and fast in every field. The course is recorded by the server and correlated daily with the content. This technology is based on the hypermedia and hypertext mechanism. The technique evaluates how humans learn from multimedia.
(ii) Distance and interactive training: It is a medium of course delivery. Distance education is an instructional delivery method for students at different locations; both the student and the instructor are at different locations. In this technique communication is established whenever a student needs some data, and video and audio data become the bridge that fills this gap. In this kind of learning, students attend the class but not on the main campus. The technique minimizes the limitations of the classroom approach: the classroom comes to the student rather than the student coming to the classroom. This type of study is also known as an offline study or classroom. (iii) Encyclopedia of multimedia: It is also known as the book of multimedia because it contains both multimedia and an encyclopedia. It contains the details of the related topic. It contains a brief description of multimedia, so it is known as the encyclopedia of multimedia. (iv) Interactive training on the web: All online courses come under this technique. It is helpful when the client cannot attend some of the courses or training; the client then uses this mode, known as online training, because in it students can ask the teacher their questions and communication is easily established through the web. In interactive training both the learner and the tutor are online at the same time and can communicate with each other. This differs from distance learning: in distance learning both need not be online at the same time, but in interactive learning both must be online at the same time.
4.4 Operations
Multimedia helps in some basic operations such as online monitoring, air traffic control, CAD/CAM, process control and command and control, and multimedia security control. The methods of applying these are given below: (i) Command and control: It is the combination of organizational and technical attributes and information resources that are used to solve a problem. In this, a political authority orders behaviour by passing a law and uses machinery to get individuals to comply with the standards. Command and control is cost-ineffective, inflexible, and of limited efficiency [10]. (ii) Process control: It is a continuous process of production in the field of engineering. Process control technology allows manufacturers to run their operations within limits, to get the maximum profit and better quality with safety. The term is seen in five steps: (i) standard establishment (ii) performance measurement (iii) comparison of actual performance with the standards (iv) determining the reasons for deviations of the result (v) taking the corrective action as required.
(iii) CAD/CAM: In the analysis of 3D documentation CAD is used to scan the photography. CAD technology is used for identification and confirmation [11]. Advantages: it supports law enforcement, produces scaled diagrams used in court, integrates seamlessly, produces digitized data for the investigation, and makes rotation of the object possible [12–14]. (iv) Air traffic control: The air traffic control system must provide the capability to schedule travel between airports, including landing and take-off times. To manage everything, a center is created by the committee, and from the center everything is monitored from source to destination [15]. Airport control towers handle the responsibility for take-offs, handling, and movement within an airport, so that if a plane crashes for any reason the managing team can easily find the cause. (v) Online monitoring: Online monitoring and analysis requires developing an open-source architecture known as All Packet monitors (AMON). It attaches a high-performance packet monitor and is readily portable to commodity hardware. AMON monitors every packet travelling in the traffic, then processes them by fast hashing and computes its output continuously. AMON has been deployed on web traffic. It is extensible and permits the addition of filter modules for real forensics [14]. It is clear to all that the internet is the biggest resource for business and society. (vi) Multimedia security systems: Multimedia encryption is the method applied to digital multimedia to ensure the privacy of the media content, to prevent unauthorized access, and to give access rights to authorized users; all of this is done for security [16].
4.5 Public
Multimedia provides benefits in digital libraries, electronic museums, and networked system processing, as described in detail here. The demand for multimedia increases day by day [17]. (i) Digital libraries: It is difficult to collect evidence against Cyber Crime. Reproducing the complete hard disk is neither a solution nor easy. Secrecy is the main part of the investigation process. The problem is how to collect information, without the investigator’s knowledge being revealed and without other irrelevant data, while the server administrator does not know what the investigator is searching for [18]. To resolve the problem of secrecy different ways are used, and the data is encrypted [19, 20]. While the schemes are theoretical, efficiency is a concern. Data integrity and authenticity are not addressed, and re-encryption is required for the investigator. The investigator does not have any right to access the data, and then the solution is to ask the administrator to retrieve the information.
(ii) Electronic museums: There are a variety of places to work in the investigation of crime. Forensic teams work with the police, with security in financial institutions, and with IT companies that specialize in security services. With the help of the investigating team, the analyst tries to search for evidence of a crime. (iii) Networked systems: Intelligent banking provides a cost-effective and better solution for rural areas. The principal purpose of the ATM is to collect cash and cheques and to handle them. But many services cannot be provided by the ATM. Network systems help in medicine, banking, shopping, and tourism.
4.6 Business office
Nowadays every person does their business and wants to manage and operate it in a better way; multimedia plays an important role in this, as explained in detail below: (i) Executive information systems: It is an executive support system; it provides easy access to information that may be internal or external. There are different types of information systems: (i) knowledge management (ii) transaction processing system (iii) learning management system (iv) decision support system (v) DBMS (vi) office information system. It provides real-time representative information for high-level management. Components of an information system: hardware, software, telecommunication, database, human resources. It is a particularly important and workable resource for executives. (ii) Remote consulting systems: It is used when complete, meaningful written permission is not required to do some work. It works in the following situations: (a) when a consultant advises someone on improvement; (b) when anybody wants to change some management and is not interested in the interference of others; (c) when the process of hiring is ongoing. (iii) Video conferencing: It is visual communication between two or more users who are at different locations. Video conferencing is of various types: telepresence, desktop, etc. This technology succeeds only with multimedia devices. (iv) Multimedia mail: If the mail contains data other than text then it is called multimedia mail. To manage this sort of mail a standard known as MIME (Multipurpose Internet Mail Extensions) is used; it is the extension used to characterize the different types of mail. MIME supports various kinds of encoding, but generally it uses base64, which is used to encode binary files. (v) Multimedia document: A multimedia document contains files in the form of text or images.
This type of document is in digital form and contains both verbal and pictorial data. It brings various advantages in areas such as education, accounting, business, gaming, the arts, and so on.
(vi) Advertising: It is the medium for bringing an item or service to the client; these are paid messages from those who send the items. With the help of multimedia, advertising becomes simple, whether to sell, buy, or maintain our account; so multimedia plays a significant part in advertising. (vii) Collaborative work: It resembles organizations working together, in which at least two organizations or perhaps individuals cooperate. There are various types of collaborative working: (i) separate organizations but working jointly; (ii) two organizations working within a small area; (iii) a new organization working jointly because it needs a better start and information; (iv) a parent organization having more subgroups. Collaborative work is required to grow the business or organization quickly. Collaborative working may last for the life of the business or be under a formal agreement. (viii) Electronic publishing: Electronic publishing is a technique used by the publisher to publish books, articles and papers, which are provided as e-books or e-papers. This publishing is a new arm of the publishing houses. It is like desktop publishing. It is also known as e-publishing. Because of it the cost of publishing has been reduced.
4.7 Visual information systems
This methodology attempts to manage our workload with the help of some innovative ideas; Fig. 7 defines completely how to manage critical situations and control the information without any problem. The main aim of this technology is management of any type: workload management, warehouse inventory control management, government HRM, legal case tracking, and caseload management [21].
Fig. 7: Distribution of visual information system. (Figure labels: Text database, Image + text database, Video database, Image database, Meta Database; Client 1, Client 2, Client 3, Client 4.)
5 Technology
There are numerous technologies used in multimedia forensics technology, as described below:
5.1 Tamper detection via cryptographic hash function
The cryptographic hash function is a tool, and tamper detection is a technique, used to support the secure delivery of content after the investigation. Two basic approaches are used in tamper detection: (i) Online processing: transactions are run and the hash values are digitally notarized; at validation time the hash values are computed again and compared with the previously notarized ones. The two execution phases together make up the normal processing phase, as opposed to the forensic analysis phase [22]. (ii) Audit log validation: the audit log is a log file maintained by the database in which all the activities of users are stored. In the first approach the audit log file is maintained in the background by a specified relation as a transaction-time table. It follows standards for data security. Figure 8(a) and (b) show the techniques of tamper detection via a cryptographic hash function. A survey report found that 70% of intruders are internal users or DBAs who tampered with data [23].
Fig. 8(a): Normal operation. (Figure components: Bank Application, DBMS, Digital Notarizer service, Audit Log Database.)
Fig. 8(b): Audit log operation. (Figure components: Validator, DBMS, Digital Notarizer service, Audit Log Database.)
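As an added example (not code from the chapter or from the systems it cites), the following Python sketches both approaches on a constructed bank audit log: each log row is hash-chained to its predecessor, the chain digest after every transaction is endorsed by the notarizer (an HMAC under a constructed notary key stands in for the notarizer's signature), and a validator later recomputes the chain to locate the first tampered, inserted or deleted row. The notary key, the log rows and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed key standing in for the secret of the external
# "Digital Notarizer service" of Fig. 8; an assumption for this example.
NOTARY_KEY = b"example-notary-secret"

GENESIS = "0" * 64  # digest "before" the first row


def canonical(entry: dict) -> str:
    # Deterministic serialisation so the same row always hashes the same way
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def entry_digest(prev_digest: str, entry: dict) -> str:
    """Digest of one audit-log row chained to the previous row's digest, so
    altering, inserting, deleting or reordering any earlier row changes it."""
    return hashlib.sha256((prev_digest + canonical(entry)).encode()).hexdigest()


def notarize(digest: str) -> str:
    """Normal processing phase: the notarizer endorses a digest. An HMAC
    stands in here for the notarizer's digital signature."""
    return hmac.new(NOTARY_KEY, digest.encode(), hashlib.sha256).hexdigest()


def notarize_log(entries: List[dict]) -> List[str]:
    """Return one notarized chain digest per row, as the DBMS would obtain
    them from the notarizer while the transactions run (Fig. 8(a))."""
    tokens, d = [], GENESIS
    for e in entries:
        d = entry_digest(d, e)
        tokens.append(notarize(d))
    return tokens


def first_tampered_row(entries: List[dict], tokens: List[str]) -> Optional[int]:
    """Forensic analysis phase (the Validator of Fig. 8(b)): recompute the
    chain and compare every row's digest with its notarized token.
    Returns the index of the first row that fails, len(entries) if rows were
    removed from the end, or None if the log is intact."""
    d = GENESIS
    for i, e in enumerate(entries):
        if i >= len(tokens):
            return i  # rows appended after notarization
        d = entry_digest(d, e)
        if not hmac.compare_digest(notarize(d), tokens[i]):
            return i  # modified, inserted or deleted row at or before i
    if len(tokens) > len(entries):
        return len(entries)  # trailing rows deleted
    return None


# Constructed sample audit log of a bank application (not real data)
AUDIT_LOG = [
    {"txn": 1, "user": "teller7", "op": "credit", "acct": "A-100", "amount": 250},
    {"txn": 2, "user": "teller7", "op": "debit", "acct": "A-100", "amount": 40},
    {"txn": 3, "user": "dba", "op": "update", "acct": "A-200", "amount": 9000},
]


if __name__ == "__main__":
    tokens = notarize_log(AUDIT_LOG)
    print("intact log, tampered row:", first_tampered_row(AUDIT_LOG, tokens))
    tampered = [dict(e) for e in AUDIT_LOG]
    tampered[1]["amount"] = 4  # an insider quietly edits the second row
    print("edited log, tampered row:", first_tampered_row(tampered, tokens))
```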
5.2 Video fingerprinting
These techniques differ from the cryptographic hashing technique: here robust hashing is used. In this technology it is routinely used to perceptually identify and filter copyrighted data on user-generated content platforms. The video fingerprint is stored in a database, and any video can be compared with the fingerprints to find matches. Nothing is added to the content; instead the media is analyzed to identify its uniqueness [24]. The technique is used in movie protection: (i) to provide a monitoring service at the time of production, (ii) to identify copyrighted content, and (iii) to aggregate near-duplicate pirated copies in order to separate out unique pirated items. It is a two-step process: (i) keyframe extraction and (ii) keyframe characterization [25]. Keyframes are extracted only at the points where the global descriptor changes sharply; once those frames are identified they are characterized using state-of-the-art descriptors. Suppose there is a user-generated content site and a client needs to send and receive the original file or image. In the fingerprinting technique the uncompressed audio and video frames are analyzed and a fingerprint file is created from them; these fingerprints are compared with the fingerprint database to recognize the actual data, after which the user can receive the original file or image. Applications of fingerprinting: easy monitoring, copyright control, and data about data.
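An added example, not from the chapter or from any cited system, showing the two-step process in Python on constructed grayscale frames: keyframes are selected where a coarse global descriptor (a luminance histogram) shifts sharply, each keyframe is characterized by a robust difference hash, and that hash is matched against a fingerprint database by Hamming distance; a SHA-256 digest of the same frame is included to show why a cryptographic hash cannot serve this purpose. The frame generators, the descriptor, the thresholds and the database titles are all assumptions.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Frame = List[List[int]]  # grayscale frame as rows of 0..255 pixel values


def gradient_frame(size: int = 16, shift: int = 0) -> Frame:
    """Constructed test frame: a smooth luminance gradient standing in for a
    decoded video frame; 'shift' simulates slow drift between frames."""
    return [[min(255, x * 8 + y * 4 + shift) for x in range(size)] for y in range(size)]


def checker_frame(size: int = 16, invert: bool = False) -> Frame:
    """Constructed test frame with very different content (a scene change)."""
    lo, hi = (220, 30) if invert else (30, 220)
    return [[hi if (x + y) % 2 else lo for x in range(size)] for y in range(size)]


def brighten(frame: Frame, delta: int) -> Frame:
    """Simulates a re-encoded copy with a global brightness change."""
    return [[min(255, p + delta) for p in row] for row in frame]


def global_descriptor(frame: Frame, bins: int = 4) -> List[float]:
    """Coarse normalised luminance histogram used to spot sharp content shifts."""
    counts = [0] * bins
    for row in frame:
        for p in row:
            counts[p * bins // 256] += 1
    total = len(frame) * len(frame[0])
    return [c / total for c in counts]


def extract_keyframes(frames: List[Frame], threshold: float = 0.3) -> List[int]:
    """Step 1: keep a frame only when its global descriptor moves sharply
    (L1 distance above threshold) away from the last kept keyframe."""
    keyframes, last = [], None
    for i, f in enumerate(frames):
        d = global_descriptor(f)
        if last is None or sum(abs(a - b) for a, b in zip(d, last)) > threshold:
            keyframes.append(i)
            last = d
    return keyframes


def downsample(frame: Frame, w: int, h: int) -> List[List[float]]:
    """Block-average the frame to w x h cells so the hash ignores fine detail."""
    H, W = len(frame), len(frame[0])
    out = []
    for i in range(h):
        r0, r1 = i * H // h, (i + 1) * H // h
        row = []
        for j in range(w):
            c0, c1 = j * W // w, (j + 1) * W // w
            block = [frame[r][c] for r in range(r0, r1) for c in range(c0, c1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(frame: Frame, size: int = 8) -> int:
    """Step 2: robust (perceptual) hash of a keyframe. Each bit records whether
    luminance rises between horizontally adjacent cells of the downsampled
    frame, so brightness changes and re-encoding leave it (almost) unchanged."""
    small = downsample(frame, size + 1, size)
    bits = 0
    for row in small:
        for j in range(size):
            bits = (bits << 1) | (1 if row[j] < row[j + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def match_fingerprint(fp: int, database: Dict[str, int],
                      max_distance: int = 10) -> Optional[Tuple[str, int]]:
    """Look the fingerprint up in the reference database (title -> fingerprint);
    a near match within max_distance bits counts as a hit."""
    title, ref = min(database.items(), key=lambda kv: hamming(fp, kv[1]))
    dist = hamming(fp, ref)
    return (title, dist) if dist <= max_distance else None


def crypto_hash(frame: Frame) -> str:
    """Cryptographic hash, for contrast: any pixel change gives a new value,
    so it cannot recognise a re-encoded or brightened copy."""
    return hashlib.sha256(bytes(p for row in frame for p in row)).hexdigest()


if __name__ == "__main__":
    clip = [gradient_frame(shift=s) for s in (0, 2, 4, 6)] + [checker_frame(), checker_frame(invert=True)]
    keys = extract_keyframes(clip)
    db = {"constructed_movie_A": dhash(clip[keys[0]]), "constructed_movie_B": dhash(clip[keys[1]])}
    copy = brighten(gradient_frame(), 10)
    print("keyframes:", keys, "match:", match_fingerprint(dhash(copy), db))
    print("sha256 equal:", crypto_hash(copy) == crypto_hash(gradient_frame()))
```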
5.3 Digital watermarking
In this technique a unique identifier is created and embedded in a file or image to prove that file or image. It differs from digital signatures and fingerprints. It combines two words, water and mark, and is not a confidential or hidden communication. It is an active process that requires modifying the content before distribution [25]. It is the process of hiding a message in a signal. Two types of content are considered in digital watermarking: (i) the visible watermark and (ii) the invisible watermark. A visible watermark on a file or image is like a letterhead; it is similar to the logo used to represent the ownership of a firm. In the invisible watermark the images are hidden and only the owner has the power of verification. Two components are used to apply these: (i) the encoder and (ii) the decoder. The encoder is used in visible watermarking and the decoder is applied in invisible watermarking. In the encoding, an authority takes the signature and after the encoding process applies it to the covered document. Two figures are given: Fig. 9(a) shows the embedding of the watermark in the original image, and Fig. 9(b) shows the generic watermark detecting scheme. To complete the whole process an embedding algorithm and a detection algorithm are used. When an image is embedded in the document users call it image watermarking, and if text is embedded then
users call it digital watermarking [1]. A watermark is useful for tracking, helps in identifying the creator of the content, and easily determines whether the content is authentic or not. Advantages of digital watermarking: content control is simple, a digital camera can gather the information, and the content can be distinguished. Watermarking adds some information and then embeds it in a video or audio signal.
Fig. 9(a): Embedding of watermark in original image. (Figure labels: Watermark, key, Original image, Embedding Algorithm, Watermarked Image.)
Fig. 9(b): Generic watermark detecting scheme. (Figure labels: Watermarked Image, key, Original image, Embedded Algorithm, Watermark.)
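As an added example that is not part of the chapter, the following Python implements an invisible watermark in the shape of Fig. 9: the key derives a pseudo-random +1/-1 pattern, the embedding algorithm adds or subtracts a chunk of that pattern per payload bit, and the detection algorithm subtracts the original image and correlates the residual with the keyed pattern, so only the key holder can verify the mark. The cover image, key, payload text and embedding strength alpha are constructed for the example.

```python
import random
from typing import List, Tuple

Image = List[List[int]]  # grayscale image as rows of 0..255 pixel values


def constructed_image(size: int = 32) -> Image:
    """Constructed cover image (a smooth gradient standing in for a photo)."""
    return [[20 + 3 * (x + y) for x in range(size)] for y in range(size)]


def bits_of(text: str) -> List[int]:
    """Payload text -> list of bits, most significant bit of each byte first."""
    return [(byte >> i) & 1 for byte in text.encode() for i in range(7, -1, -1)]


def text_of(bits: List[int]) -> str:
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def keyed_sequence(key: str, n: int) -> List[int]:
    """Secret pseudo-random +1/-1 pattern derived from the key; without the
    key the pattern, and hence the watermark, cannot be located."""
    rng = random.Random(key)
    return [rng.choice((-1, 1)) for _ in range(n)]


def embed(original: Image, watermark: str, key: str, alpha: int = 4) -> Image:
    """Fig. 9(a): spread the payload over the whole image. Chunk i of the
    keyed pattern is added (bit 1) or subtracted (bit 0) with strength alpha."""
    h, w = len(original), len(original[0])
    bits = bits_of(watermark)
    seq = keyed_sequence(key, h * w)
    chunk = (h * w) // len(bits)
    out = [row[:] for row in original]
    for idx in range(chunk * len(bits)):
        sign = 1 if bits[idx // chunk] else -1
        y, x = divmod(idx, w)
        out[y][x] = max(0, min(255, original[y][x] + sign * alpha * seq[idx]))
    return out


def detect(suspect: Image, original: Image, key: str, n_bits: int,
           alpha: int = 4) -> Tuple[str, float]:
    """Fig. 9(b): subtract the original and correlate the residual with the
    keyed pattern chunk by chunk. Returns the decoded text and the mean
    absolute correlation (near 1 with the right key, near 0 with a wrong one)."""
    h, w = len(original), len(original[0])
    seq = keyed_sequence(key, h * w)
    chunk = (h * w) // n_bits
    bits, scores = [], []
    for i in range(n_bits):
        corr = 0
        for idx in range(i * chunk, (i + 1) * chunk):
            y, x = divmod(idx, w)
            corr += (suspect[y][x] - original[y][x]) * seq[idx]
        corr /= alpha * chunk
        bits.append(1 if corr > 0 else 0)
        scores.append(abs(corr))
    return text_of(bits), sum(scores) / n_bits


if __name__ == "__main__":
    cover = constructed_image()
    marked = embed(cover, "MF", "owner-key")  # payload "MF", 16 bits
    print("right key:", detect(marked, cover, "owner-key", 16))
    print("wrong key:", detect(marked, cover, "guess", 16))
```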
5.4 Digital tampering
Tampering means a change in the original characteristics. It is a powerful technique used to find the solution in a natural image. Digital tampering covers audio, video, images, etc. Researchers have come up with different detection techniques; the proposed method is the hash technique [27]. In audio tampering, common editing is performed on the original audio, and the editing may be detected by the disturbance in the signals. In image tampering, changes are made to the format of an image, and the alteration is done with some open-source software such as Analogexis, which can easily alter the metadata of JPG and TIFF files. Image tampering techniques are as follows:
(i) Copy-move
(ii) Image splicing
(iii) Resize
An insight review on multimedia forensics technology
(iv) Cropping
(v) Noising
(vi) Apply luminance nonlinearities
(vii) Resaving
(viii) Double JPEG compression [28].
In video editing, compression and decompression tell the system how to store or reconstruct the video. After compression and decompression the video must be saved, and at the time of decompression the two videos are compared. This type of test is called VELA; it can easily be applied to any video. Multimedia tampering detection plays a significant part in an investigation; to apply it, a large number of strategies are used to discover the outcomes [29]. Detection can be done in two ways: active forensics and passive forensics. In active forensics, digital watermarks and fingerprints can easily be verified. In passive forensics, however, no prior forensic information is used for validation, which is why it is also called blind forensics [30].
5.5 Digital source identification
Digital videos can be used to define their responsibilities. Forensic analysis of digital video is applied to find the origin and authenticity of the video. Forensic techniques are used to identify the information of the source. In Fig. 10 the method of identifying the source through digital image forensics is explained. Generated multimedia content is handled by two approaches: (i) verification of the multimedia contents and (ii) detection of source inconsistencies [31]. Different identification techniques use different algorithms to find the source of the image. In the identification of the source there are two scenarios: (i) Open scenario: the forensic analyst does not know, in the initial state, the set of devices to be used to identify the source. (ii) Closed scenario: the forensic analyst knows the set of devices to be used to identify the source from the first step [32]. To perform source identification, source classification and device linking come under origin identification, and process history recovery and anomaly detection come under tampering detection; with the help of these steps the source camera can easily be detected for the investigation.
Fig. 10: Method of identification of the source through the digital image forensics. (Figure: digital image forensics branches into origin identification, with the nodes source classification and device linking, and tampering detection, with the nodes process history recovery and anomaly detection.)
5.6 Digital counter forensics
This is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is readily accepted. It is clear to all that computer evidence can easily be modified and easily deleted. But many tools are available to investigate alteration of the evidence, and with their help users can easily find deleted data. This is done by a person with great knowledge of computers [33]; the activity needs a highly skilled specialist. There are four counter-forensic technique areas: (i) Data disruption: in this process the stored data is destroyed; the data may be of any kind. (ii) File deletion: this process removes duplicate data from the computer, especially from the hard disk. (iii) Re-formatting: this technique formats the file again; it is used when the user has found an alteration in the file. (iv) Defragmentation: this is the process of reducing the degree of fragmentation, i.e., the noncontiguous way in which the fragments into which a file has been divided are stored on the hard disk. This process reduces access time and increases storage efficiency.
6 Approving the method The sketch is a process by which a user can trace the evidence for the investigation. There are some methods of sketching, as follows:
6.1 Type of sketch
There are three types of sketching: (i) Physical sketch: in this sort of sketch fingerprints, impressions, DNA and similar things are used for the anatomy. (ii) Digital sketch: this depends on computers; here network traffic, filenames and web access are made use of for the investigation. (iii) Sensory sketch: in this kind of sketch cameras and microphones are used as sensing devices, and with the help of these the groups investigate. With these advances a large number of methods are used in the investigation [34].
6.2 Anatomy of sketch
Digitalization has changed the method of investigation, or, users can say, changed the way some crimes are handled. Physical sketching is a way to investigate crimes [35]. Now users can see that 3D graphics are used to sketch the crime, and for designing 3D graphics computer systems are used because 3D is a reliable method of sketching something. When users talk about digitization, the computer is automatically a resource, and for sketching the technique used is known as an image processing system. All these technologies come under digital watermarking. In this method real-time processing is not necessary. Face and fingerprint recognition is also done by the biometric machine. Users can say that these techniques are helpful in the investigation, as they are extremely helpful in data collection and investigation.
6.3 Intramural pillar of the method
Digital forensics is an intramural pillar of the method in forensic science because, importantly, digitization is not possible without multimedia; or, users can say, digitization and multimedia depend on each other. Digital forensics is used for both criminal investigation and private investigation. Evidence is collected with the help of multimedia, and with the collaboration of all these the investigation process is completed and the group of investigators collects the evidence for the court.
7 Challenges
For the most part, specialists face a few difficulties in the practice of ongoing technology. Multimedia forensics technology is not an exception in this field, as it has a few challenges, which are listed below:
(i) High speed and volume: Data speed is available in gigabits, but sometimes data require more speed for collecting the evidence, so the network becomes a challenge here.
(ii) The explosion of complexity: More experts and tools are required for the reconstruction of the evidence because the host will never maintain the evidence for a long time, and for this reason the quality of the investigation decreases.
(iii) Development of standards: The research community has tried to get more success with standard formats, but does not achieve it because of enhancements in technology, so this is also a challenge in multimedia forensics.
(iv) Privacy-preserving investigation: People use cyberspace to collect information, but through social media sites attackers attack the user's privacy and generate hurdles in working, so it becomes a challenge.
(v) Legitimacy: The major challenge in forensics is to investigate the case without breaking the laws and rules.
(vi) Rise of anti-forensic techniques: There is a booming population on the attacker's side. The attacker knows how the examination can be done by the team and uses a few techniques to follow it; users are in a race in which the country comes first, and now the thing that matters is preparation. It will become a major challenge in forensics.
8 Conclusion
Multimedia forensics is a fast technique for investigation. While many international guides introduce different standards for the hegemony, the maximum number of groups use more common and simple techniques for the investigation. The standards used here are ISO certified. It is a helpful tool for digital content. In some cases, annotators want enhancement of the evidence to identify the main criminal behind a crime. The overall aim is to get the best knowledge of multimedia forensics. Enhancement is done timely in the field of multimedia, and by means of workshops users can get better knowledge about the latest techniques. Digital recording clearly dominates the field, and new technologies must arise. Forensic multimedia tools support forensic science in shielding from wrongdoing, in catching the reasons for wrongdoing, and in research. Digitization is quick and gives a preferable outcome over the past. Forensic investors introduce new innovation, that is, a virtual classroom.
References
[1] Saxena, A., Shrivastava, G., Sharma, K. 2012. Forensic investigation in cloud computing environment. The International Journal of Forensic Computer Science, 2, 64–74.
[2] Snodgrass, R. T., Yao, S. S., Collberg, C. 2004, August. Tamper detection in audit logs. In Proceedings of the Thirtieth International Conference on Very Large Data Bases, Volume 30, 504–515.
[3] Pavlou, K. E., Snodgrass, R. T. 2008. Forensic analysis of database tampering. ACM Transactions on Database Systems (TODS), 33(4), 1–47.
[4] Shrivastava, G., Peng, S. L., Bansal, H., Sharma, K., Sharma, M. 2020. New Age Analytics: Transforming the Internet through Machine Learning, IoT, and Trust Modeling. Apple Academic Press, USA.
[5] Kaur, S., Kushwaha, A. K. S. 2018, December. A comparative study of various video tampering detection methods. In 2018 First International Conference on Secure Cyber Computing and Communication (ICSCCC), 418–423. IEEE.
[6] Mall, V., Roy, A. K., Mitra, S. K. 2013, December. Digital image tampering detection and localization using singular value decomposition technique. In 2013 Fourth National Conference on Computer Vision, Pattern Recognition, Image Processing and Graphics (NCVPRIPG), 1–4. IEEE.
[7] Rogers, M. K. 2008. Cyber Forensics. In Wiley Handbook of Science and Technology for Homeland Security, 1–14. Hoboken, New Jersey.
[8] Lian, S., Kanellopoulos, D., Ruffo, G. 2009. Recent advances in multimedia information system security. Informatica, 33, 1.
[9] Boll, S., Aizawa, K., Briasouli, A., Gurrin, C., Jalali, L., Meyer, J. 2016, October. Multimedia for personal health and health care. In Proceedings of the 24th ACM International Conference on Multimedia, 1491–1492.
[10] Skoudis, E. 2001. Counter Hack: A Step-By-Step Guide to Computer Attacks and Effective Defenses. Prentice Hall PTR, Upper Saddle River, N.J.
[11] Johnson, A., Jani, G., Pandey, A., Patel, N. 2019. Digital tooth reconstruction: An innovative approach in forensic odontology. Journal of Forensic Odonto-Stomatology, 37, 3.
[12] Hou, S., Yiu, S. M., Uehara, T., Sasaki, R. 2013. A privacy-preserving approach for collecting evidence in forensic investigation. International Journal of Cyber-Security and Digital Forensics (IJCSDF), 2(1), 70–78.
[13] Hou, S., Uehara, T., Yiu, S. M., Hui, L. C., Chow, K. P. 2011, October. Privacy preserving confidential forensic investigation for shared or remote servers. In 2011 Seventh International Conference on Intelligent Information Hiding and Multimedia Signal Processing, 378–383. IEEE.
[14] Hou, S., Uehara, T., Yiu, S. M., Hui, L. C., Chow, K. P. 2011, November. Privacy preserving multiple keyword search for confidential investigation of remote forensics. In 2011 Third International Conference on Multimedia Information Networking and Security, 595–599. IEEE.
[15] Shinder, D. L., Cross, M. 2008. Scene of the Cybercrime. Elsevier, Berkeley, CA, USA.
[16] Shrivastava, G. 2017. Approaches of network forensic model for investigation. International Journal of Forensic Engineering, 3(3), 195–215.
[17] Böhme, R., Freiling, F. C., Gloe, T., Kirchner, M. 2009, August. Multimedia forensics is not computer forensics. In International Workshop on Computational Forensics, 90–103. Springer, Berlin, Heidelberg.
[18] Hsu, C. Y., Kang, L. W., Liao, H. Y. M. 2013, July. Cross-camera vehicle tracking via affine invariant object matching for video forensics applications. In 2013 IEEE International Conference on Multimedia and Expo (ICME), 1–6. IEEE.
[19] Schultz, E., Shumway, R. 2001. Incident Response: A Strategic Guide to Handling System and Network Security Breaches. Sams, Carmel, Indiana.
[20] Palmer, G. 2001, August. A road map for digital forensic research. In First Digital Forensic Research Workshop, Utica, New York, 27–30.
[21] Parveen, S. S., Palanikkumar, D. 2015. A novel approach for inter frame copy move forgery detection. International Journal of Applied Information Communications Engineer, 1, 60–62.
[22] Zhang, L., Zhang, D., Wang, L. 2010, October. Live digital forensics in a virtual machine. In 2010 International Conference on Computer Application and System Modeling (ICCASM 2010), 4, V4-328. IEEE.
[23] Hoelz, B., Ralha, C., Mesquita, F. 2011, January. Case-based reasoning in live forensics. In IFIP International Conference on Digital Forensics, 77–88. Springer, Berlin, Heidelberg.
[24] Shrivastava, G., Sharma, K., Khari, M., Zohora, S. E. 2018. Role of cyber security and cyber forensics in India. In Handbook of Research on Network Forensics and Analysis Techniques, 143–161. IGI Global.
[25] Sharma, K., Makino, M., Shrivastava, G., Agarwal, B. (Eds.) 2019. Forensic Investigations and Risk Management in Mobile and Wireless Communications. IGI Global, USA.
[26] Shrivastava, G., Gupta, B. B. 2014, October. An encapsulated approach of forensic model for digital investigation. In 2014 IEEE 3rd Global Conference on Consumer Electronics (GCCE), 280–284. IEEE.
[27] Al-Athamneh, M., Kurugollu, F., Crookes, D., Farid, M. 2016. Digital video source identification based on green-channel photo response non-uniformity (G-PRNU).
[28] Kallitsis, M., Stoev, S. A., Bhattacharya, S., Michailidis, G. 2016. AMON: An open source architecture for online monitoring, statistical analysis, and forensics of multi-gigabit streams. IEEE Journal on Selected Areas in Communications, 34(6), 1834–1848.
[29] Wolfe, H. B. 2002, June. Encountering encrypted evidence (potential). In Proceedings of the 4th Conference on Information Technology Curriculum.
[30] Li, S., Dhami, M. K., Ho, A. T. 2015. Standards and best practices in digital and multimedia forensics. In Handbook of Digital Forensics of Multimedia Data and Devices, 38–93. Wiley Online Library, India.
[31] Baker, D. W., Brothers, S. I., Geradts, Z. J., Lacey, D. S., Nance, K. L., Ryan, D. J., … Stephenson, P. 1988. Digital evolution: History, challenges and future directions for the digital and multimedia sciences section. In Forensic Science: Current Issues, Future Directions, 252–291.
[32] Ng, T. T., Chang, S. F., Lin, C. Y., Sun, Q. 2006. Passive-blind image forensics. In Multimedia Security Technologies for Digital Rights Management, 383–412. Academic Press, Waltham, Massachusetts.
[33] Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. (Eds.) 2018. Handbook of Research on Network Forensics and Analysis Techniques. IGI Global, Hershey, Pennsylvania.
[34] Franke, K., Srihari, S. N. 2007, August. Computational forensics: Towards hybrid-intelligent crime investigation. In Third International Symposium on Information Assurance and Security, 383–386. IEEE.
[35] Khari, M., Shrivastava, G., Gupta, S., Gupta, R. 2017. Role of cyber security in today's scenario. In Detecting and Mitigating Robotic Cyber Security Risks, 177–191. IGI Global, Hershey, Pennsylvania, USA.
Meet Kumari
An overview on advanced multimedia forensic techniques and future direction
Abstract: Nowadays, with ever-increasing worldwide connectivity, people across the planet share a continuously growing amount of text, images, audio, and video. Because of this global connectivity, computer crimes committed through the Internet are growing. The media content lifecycle is constantly becoming more complex as digital information is exchanged, adapted, modified, accessed, and reused. Further, easy access to content coupled with user-friendly multimedia editing software raises several challenges to the trustworthiness and reliability of digital content. For this reason, forensic techniques for multimedia applications play a significant role in minimizing its unchecked and rampant misuse. Multimedia forensic techniques are used to find evidence or proof through different methods or tools, which is an extremely tough and complex task. In previous years, the field of multimedia forensics has undergone nonstop expansion, drawing increasing attention among researchers. The growing requirement for multimedia content authentication techniques that work without additional information has led researchers to develop various forensic approaches designed for passive operation. These forensic approaches face issues such as forgery detection, source identification, and content discrimination. They rely on the fact that multimedia data carries inherent traces left during content creation and subsequent processing. Thus, in this book chapter, various potential and advanced multimedia (image, audio, and video) forensic techniques are presented and discussed. Specifically, a comprehensive range of multimedia forensic techniques for identifying multimedia distortions is studied, together with powerful features useful in multimedia forensic investigations. Besides, significant solutions to different open challenges and issues in multimedia forensic techniques are described. Also, potential applications and advanced feasible future directions are discussed.
Keywords: multimedia forensics, authentication, forensic dataset, forensics techniques, audio, video, image
Meet Kumari, Department of Electronics and Communication Engineering, Chandigarh University, Punjab, India, e-mail: [email protected] https://doi.org/10.1515/9783110677478-003
1 Introduction
Multimedia information like audio, video, and text is frequently used in various applications like military, defense, legal proceedings evidence, and criminal investigations. As this sensitive information can be edited, a wide variety of forensic methods have been developed by forensics researchers to find out the source and authenticity of multimedia data. The various earlier forensic methods were developed by heuristically or theoretically identifying the set of traces left in images by a specific source device or processing operation [1, 2]. Audio forensics is defined as the evaluation and analysis of recorded audio. It is used for confirming the authenticity and integrity of evidence in a court of law. It helps to establish integrity and authenticity, to enhance speech transparency, audio recording, and audibility of lower sounds, and to interpret audio evidence, e.g., clarifying dialogue, rebuilding crime and accident scenes, and identifying speakers [3, 4].
1.1 Multimedia forensics operations
There are a lot of operations that can modify multimedia data such as video, audio, or images.
1.1.1 Removing
This is described as a process that eliminates parts from given digital multimedia information. Operations such as cutting and wiping are applied in the temporal or spatial domain, e.g., cutting a segment from a voice sequence or deleting a moving vehicle from a picture. Moreover, removing is combined with other operations to acquire the desired quality of the information [5, 6].
1.1.2 Replacement
This group includes processes that replace some parts of digital multimedia content with parts taken from other data. Some examples are replacing a person's face in a picture with one from another picture, replacing a part of an audio sequence with one from another sequence, and replacing a moving car in a video sequence with another. Generally, these replacements are achieved by combining several operations, such as wiping, pasting, and smoothing [5].
1.1.3 Replication
This group consists of operations that increase the number of objects in the content by copying and pasting them from one place to another, e.g., copying a photo of an airplane and pasting it into other places in the photo increases the number of airplanes. Replication is attained by combining various operations, such as copying, pasting, and smoothing [5].
1.1.4 Photomontage This group comprises operations that integrate several pictures, producing a new one of high quality that is typically a collage. The photomontage is achieved by performing various additional operations like cutting, splicing, pasting, and smoothing and filtering [5].
1.1.5 Computer-produced media
This consists of media information produced by computers, such as computer graphics, computer-aided drawing, and speech synthesis. The resulting media information is not the same as a natural scene. An example is the cartoonization drawing technique, which converts natural videos or images into cartoons, i.e., animated media information. It is visually different from natural information [5].
1.2 Basic forensics process
The forensics process consists of the following phases [7, 8]:
1. Preparation: proper preparation concerning a specific investigation, ahead of that investigation being analyzed.
2. Collection: collecting data from all the applicable sources. This approach must provide integral data capability.
3. Examination: utilizing manual and automated approaches to examine the collected data in order to assess and extract information for a specific situation. Here, the integrity of the data should be maintained.
4. Analysis: after data collection and examination, the results are analyzed through effectively documented approaches and techniques to gain the information that is useful in addressing the questions.
5. Reporting: at last, the report is written after the result analysis. The report should include the methods used, why these methods were used, the outcomes from these methods, and recommendations for further enhancement such as guidelines, policies, and others.
Figure 1 shows the basic forensics process.
Fig. 1: The basic forensics process [7]. (Figure: a cycle of five phases: preparation, collection, examination, analysis, reporting.)
1.3 Forensics analysis and modeling The basic forensics analysis and modeling are shown in Figs. 2 and 3, respectively.
Fig. 2: Taxonomy of forensics analysis [9]. (Figure: forensics analysis branches into design modeling of case domain and forensics cyber ontology; the further nodes shown are evidence graphs, finite reconstruction, and correlation framework.)
From Fig. 2 forensics analysis taxonomy is subdivided into two types: modeling of case domain and forensics cyber ontology.
Fig. 3: Taxonomy of forensics process modeling [9]. (Figure: forensics process modeling branches into history, hierarchical, DF compensation, and abstraction; the nodes shown under them are Spaf's and Carrier history, Krings and Leigh land hierarchical elements, Lessons' and Gerber computer IO, hierarchical objective, Pollitt comparison, Carrier abstraction tools, event investigation, standard process of Myers and Rogers, and DE reproductively.)
From Fig. 3 it is clear that forensics process modeling taxonomy is subdivided into four types: history, hierarchical, DF compression, and abstraction. It helps in understanding the forensics process in detail.
1.4 Types of forensics
The major types of forensics are categorized as follows [10, 11]:
1. Image forensics
2. Mobile devices forensics
3. Volatile memories forensics
4. Networks forensics
5. Applications forensics
6. File systems forensics
7. Multimedia forensics
Here, multimedia forensics is further divided into three main parts: image, audio, and video forensics.
1.4.1 Image forensics
The availability of digital image processing methods and digital image capture devices together with the Internet has enhanced the digital images' authenticity. Digital signatures have been utilized in passive and active methods. Active methods are utilized to restore the forgotten trust in images [12]. They embed self-authenticating data in the image with the aim of integrity and authenticity, e.g., image watermarking. The image is unobtainable against various intended attacks such as compression, cropping, equalization, filtering, and noise. The major demerit of active forensics is that it needs manipulation of the source information during storage or capture. Thus, these methods are not mostly used.
Fig. 4: Block diagram of image active forensics [13]. (Figure: at the sender, watermark embedding produces the image signature (digital); at the receiver, watermark recovery from the received image yields the recovered signature, an identity measure compares the two, and the result is either original authentication or a tampering observation.)
The block diagrams of image active and passive forensics are shown in Figs. 4 and 5 respectively. However, passive image forensics has been taken up with the basic objective of validating the authenticity of images by recovering information or detecting tampering about their past. It is blind, as it does not require knowledge of the source image, but it is based on image processing and on image capture devices referred to as fingerprints.
Fig. 5: Block diagram of image passive forensics [13]. (Figure: feature extraction from the image yields properties of features; an identity measure over them produces either original authentication or a tampering observation.)
1.4.2 Audio forensics
Audio forensics analysis can be classified into two types of authentication: content-based and container-based. Container-based analysis covers the audio file metadata and the file structure along with its description, while content-based analysis covers the actual bits and bytes of the audio file. The quality of the file does not affect the remaining files, but it can diminish the wrapper and media support. It can raise authenticity doubts with some inconclusive analysis types. It can be further divided into two branches, local and global [14, 15]. The classification of audio forensics is shown in Fig. 6.
1. Container forensics analysis: This concerns the audio file container, and experts work on container analysis. It consists of file format, HASH calculations, and MAC. These are defined as follows:
a. HASH forensics analysis: First, the hash history of the audio file received for lab examination is checked to ensure that the audio file has not been tampered with. A specific string derived from the bits of the file is measured through a mathematical hash function. This is useful to verify, by means of the HASH function, that no further modification of the audio file has taken place [14].
Fig. 6: Classification of audio forensics [14]. (Figure: audio forensics splits into container based, with the nodes header, HASH, file format, hex data and time stamps, and content based, with the nodes compression, ENF, time-frequency, enhancement and environment.)
b. Timestamps (MAC): The time and date of creation of the audio file, along with its modification and access times, are detected through the MAC time stamps. The xinterlock digital system is utilized for generating the real MAC time stamps. They can also be changed by copying and pasting operations during editing [14, 16].
c. File format: The description of the audio file must be documented for future reference, and a review procedure must be performed with appropriate information in the future. It consists of sample rate, file format, bit depth, byte depth, etc. This is an easy task, but care should be taken for some files such as those with the .WAV file extension, Microsoft ADPCM, and ADPCM DVI/IMA compressions [14].
d. Header forensics analysis: Here the expert detects changes in the audio file from the original to a further extended version by means of the header information and a hexadecimal reader of the audio file format. The audio file must match the name of a file having an extension such as RIFF, MP3, and WMA. Depending on the brand and device, the model information may include firmware version, serial number, length of the audio recording, and date of the audio recording. The MAC time stamps must be utilized and compared with the time and date claimed by the recordist for when the audio file was created [14].
e. Hex data: Here the raw information of the audio file must contain important data that may be examined in the form of ASCII characters in a hexadecimal reader. The audio data block information, external software titles, post-processing work, and other functional data can be displayed [14].
2. Electronic network frequency (ENF): It is one of the most robust and reliable forensic methods for audio analysis. It consists of the ENF traces present in the audio recording [14]. Figure 7 shows the ENF extraction process.
Fig. 7: Block diagram of the ENF extraction process [14]. (Figure: input signal, decimation, filter with ENF, split frame data, frame subjected to FFT operation, observe shape through interpolating the high values, ENF vector estimator.)
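The container checks in items a to d above (hash history, MAC time stamps, file format fields, header) can be run with standard-library Python. The program below is an added example written for this edition, not code from the chapter or from reference [14]: it creates a constructed half-second WAV recording in a temporary directory, records its SHA-256 at intake, reads the MAC time stamps, parses the RIFF/WAVE header with struct, and then re-checks the hash after appending two bytes to simulate an edit.

```python
"""Container-level checks on a WAV recording: hash history, MAC time stamps and
the RIFF/WAVE header fields. Added illustration, not code from the chapter; the
recording is a constructed 0.5 s tone written to a temporary directory."""
from __future__ import annotations

import hashlib
import math
import os
import struct
import tempfile
import wave
from datetime import datetime, timezone
from typing import Dict


def sha256_of_file(path: str) -> str:
    """Hash the whole file in chunks; this is the value an examiner records on intake."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def mac_timestamps(path: str) -> Dict[str, str]:
    """Modified / accessed / changed times as recorded by the file system (UTC)."""
    st = os.stat(path)

    def fmt(t: float) -> str:
        return datetime.fromtimestamp(t, tz=timezone.utc).isoformat()

    return {"modified": fmt(st.st_mtime), "accessed": fmt(st.st_atime),
            "changed": fmt(st.st_ctime)}


def parse_wav_header(path: str) -> Dict[str, object]:
    """Read the RIFF header and the 'fmt ' chunk directly with struct, so the
    documented format (sample rate, bit depth, channels) comes from the raw bytes
    rather than from a library that may silently normalise them."""
    with open(path, "rb") as fh:
        riff, riff_size, wave_tag = struct.unpack("<4sI4s", fh.read(12))
        if riff != b"RIFF" or wave_tag != b"WAVE":
            raise ValueError("not a RIFF/WAVE container")
        while True:
            hdr = fh.read(8)
            if len(hdr) < 8:
                raise ValueError("no 'fmt ' chunk found")
            chunk_id, chunk_size = struct.unpack("<4sI", hdr)
            if chunk_id == b"fmt ":
                fmt_tag, channels, rate, byte_rate, block_align, bits = struct.unpack(
                    "<HHIIHH", fh.read(16))
                return {"format_tag": fmt_tag, "channels": channels, "sample_rate": rate,
                        "byte_rate": byte_rate, "block_align": block_align,
                        "bit_depth": bits, "riff_size": riff_size}
            fh.seek(chunk_size + (chunk_size & 1), os.SEEK_CUR)  # chunks are word aligned


def integrity_report(path: str, recorded_hash: str) -> Dict[str, object]:
    """Combine the three container checks into one record for the case file."""
    current = sha256_of_file(path)
    return {"hash_matches_intake": current == recorded_hash, "sha256": current,
            "mac": mac_timestamps(path), "header": parse_wav_header(path)}


def write_constructed_wav(path: str, rate: int = 8000, seconds: float = 0.5) -> None:
    """Constructed sample recording: a 440 Hz tone, 16-bit mono PCM."""
    n = int(rate * seconds)
    frames = b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / rate)))
                      for i in range(n))
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)


def demo() -> Dict[str, object]:
    """Intake hash, then a later re-check before and after a two-byte tamper."""
    path = os.path.join(tempfile.mkdtemp(), "interview.wav")
    write_constructed_wav(path)
    intake = sha256_of_file(path)
    before = integrity_report(path, intake)
    with open(path, "ab") as fh:  # simulate an edit: append trailing bytes
        fh.write(b"\x00\x00")
    after = integrity_report(path, intake)
    return {"before": before, "after": after}


if __name__ == "__main__":
    r = demo()
    print("header            :", r["before"]["header"])
    print("MAC               :", r["before"]["mac"])
    print("hash ok before edit:", r["before"]["hash_matches_intake"])
    print("hash ok after edit :", r["after"]["hash_matches_intake"])
```

The header parser walks the chunk list instead of assuming the "fmt " chunk sits at byte 12, because recorders often insert LIST or other metadata chunks first; a mismatch between the parsed sample rate or bit depth and the values claimed by the recordist is exactly the kind of inconsistency item c asks the examiner to document.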
3. Content forensics analysis: This is the core of digital forensic analysis, and it depends on the real recorded audio information for detecting tampering traces, anti-forensic processing, and post-processing operations. A large number of audio forensic approaches use the real content of the audio test recording for integrity verification and authentication. The present traditional content-based forensics may be divided into the following [14]:
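ENF analysis is one of the content-based methods. As an added example written for this edition (not the chapter's code, and not reference [14]'s implementation), the Python below follows the pipeline of Fig. 7 on a constructed signal: the signal is assumed to be already decimated to 1000 Hz, a 50 Hz grid is assumed, each one-second frame is searched in the band 49.5 to 50.5 Hz with direct DFT sums instead of an FFT (so it needs no NumPy), and the peak is refined by parabolic interpolation of the three largest magnitudes to produce the per-frame ENF vector. The constructed recording mixes a weak drifting hum with a louder 300 Hz tone standing in for speech.

```python
"""ENF (electric network frequency) estimation from a recording: split the
decimated signal into frames, find the spectral peak near the mains frequency in
each frame, refine it by interpolating the magnitudes around the peak, and return
the per-frame ENF vector. Added illustration, not the chapter's code."""
from __future__ import annotations

import cmath
import math
from typing import List

FS = 1000          # assumed sample rate after decimation (Hz)
NOMINAL = 50.0     # assumed grid frequency; 60.0 in 60 Hz regions
FRAME_SEC = 1.0    # frame length in seconds


def dft_magnitude(frame: List[float], freq: float) -> float:
    """Magnitude of the frame's spectrum at an arbitrary frequency (a direct
    Goertzel-style sum), so we are not limited to the FFT bin grid of FS/N = 1 Hz."""
    w = -2j * math.pi * freq / FS
    return abs(sum(x * cmath.exp(w * n) for n, x in enumerate(frame)))


def split_frames(signal: List[float], frame_len: int) -> List[List[float]]:
    """Non-overlapping frames; a trailing partial frame is dropped."""
    return [signal[i:i + frame_len]
            for i in range(0, len(signal) - frame_len + 1, frame_len)]


def estimate_enf(frame: List[float], band: float = 0.5, step: float = 0.1) -> float:
    """Coarse search over NOMINAL +/- band, then parabolic interpolation of the
    three magnitudes around the best grid point (the 'observe shape through
    interpolating the high values' step of Fig. 7)."""
    grid = [NOMINAL - band + k * step for k in range(int(round(2 * band / step)) + 1)]
    mags = [dft_magnitude(frame, f) for f in grid]
    k = max(range(len(grid)), key=mags.__getitem__)
    if 0 < k < len(grid) - 1:
        a, b, c = mags[k - 1], mags[k], mags[k + 1]
        denom = a - 2 * b + c
        offset = 0.5 * (a - c) / denom if denom != 0 else 0.0
        return grid[k] + offset * step
    return grid[k]  # peak at the band edge: no neighbours to interpolate


def enf_vector(signal: List[float]) -> List[float]:
    """Per-frame ENF estimates: the trace that is compared with logged grid
    frequency to date a recording or to reveal splices."""
    return [estimate_enf(f) for f in split_frames(signal, int(FS * FRAME_SEC))]


def max_jump(enf: List[float]) -> float:
    """Largest frame-to-frame change. Real ENF drifts slowly, so a large jump
    hints at a splice between recordings made at different times."""
    return max(abs(b - a) for a, b in zip(enf, enf[1:]))


def constructed_recording(hum_per_frame: List[float]) -> List[float]:
    """Constructed input: a weak mains hum whose frequency changes per frame,
    under a louder 300 Hz tone. The explicit band-pass filter of Fig. 7 is
    omitted because the search band already ignores everything outside
    NOMINAL +/- 0.5 Hz."""
    out: List[float] = []
    n = int(FS * FRAME_SEC)
    for f in hum_per_frame:
        for i in range(n):
            t = i / FS
            out.append(0.1 * math.sin(2 * math.pi * f * t)
                       + 0.3 * math.sin(2 * math.pi * 300 * t))
    return out


if __name__ == "__main__":
    rec = constructed_recording([50.00, 49.95, 50.10, 50.05])
    enf = enf_vector(rec)
    print("ENF vector:", [round(v, 3) for v in enf])
    print("max jump  :", round(max_jump(enf), 3))
```

With a 1 s frame the raw bin spacing is 1 Hz, far coarser than the few hundredths of a hertz by which the grid actually wanders, which is why the interpolation step matters; on real audio the hum is much weaker than speech, so the band-pass filter of Fig. 7 and longer frames are needed before this peak search becomes reliable.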
1.4.3 Video forensics
Video forensics techniques are broadly classified into passive and active, depending on the availability of the source video data as a reference [17]. Video forensics is subdivided into active and passive approaches as shown in Fig. 8.
1. Active approach: It uses some amount of reference information, which can exist in the form of a digital watermark, a hash value, or digital signatures. The source video or source camera, through a camera property such as sensor noise of the identical source camera, allows learning-based forensic analysis [19].
a. Reference material: It is classified into reduced reference, full reference, and no reference.
b. Full reference: In this, both the tampered video and the actual video are available to the forensic expert. It covers cases such as copyright infringement and suspect video authentication.
c. Reduced reference: It consists of digital signatures or digital watermarks as an active approach. But it is limited to a smaller number of users [20].
2. Passive approach: The passive video forensic approach uses the information present in the suspected video, also called no reference. The most important thing about this approach is that it has recently gained importance in live crime scenarios, and it offers forensics experts assistance with less need to add data besides the evidence at hand. The basic tasks in video forensics are shown in Fig. 9.
Fig. 8: Video forensic approaches [17, 18]. (Figure: video forensics splits into active and passive; active into reduced reference and full reference, passive into no reference; the branches are characterized as per the original video, as per learning, watermarking or signature, and as per feature analysis, e.g., pixel, compression, etc.)
Fig. 9: Basic tasks in video forensics analysis [21]. (Figure: evidence/recovery collection, enhancement forensics, authentication evidence, identification or interpretation.)
1.4.4 Multimedia forensics tools
The major advanced multimedia forensics tools are listed in Tab. 1 [22, 23]:
An overview on advanced multimedia forensic techniques and future direction
Tab. 1: Advanced multimedia forensics tools.
Tool: Writing-style and classification feature techniques. Merits: can identify the author experimentally; uses three classification approaches; applicable to multiple languages.
Tool: Stylometry and support vector machine. Merits: working principle is structural risk minimization; gives a systematic method for determining effective style markers.
Tool: AutoMiner. Merits: accuracy of up to % (figure missing); a robust way of determining authorship; specific authorship identifier.
Tool: Integrated forensic e-mail analysis. Merits: geographical localization of e-mail; systematic analysis techniques such as text mining.
Tool: ProDiscover IR. Merits: optional encryption and password protection; provides information that is completely verifiable.
Tool: EnCase Enterprise Edition. Merits: extracts more data than ProDiscover IR; reports information such as opened files; data acquisition at MB/s (figure missing); integration with an intrusion detection system.
2 Literature review
The recent literature on multimedia forensics is summarized in Tab. 2:
Tab. 2: Literature review of various forensics.
1. B. Bayar and M. C. Stamm: CNN-based experiments for forensic applications are examined, covering image manipulation detection and camera model identification. The authors show which CNN design options should be chosen for the different forensic tasks in order to obtain maximum performance for camera model identification and manipulation detection [].
2. M. K. Khan, M. Zakariah, H. Malik, and K. K. R. Choo: This paper describes a digital audio forensic dataset designed to provide facilities for evaluating audio forensic approaches. It also presents the data-collection microphones, recording settings, speakers, notations, and languages. The results show that the chosen algorithms achieve promising performance on it [].
3. D. Quick and K. K. R. Choo: The Digital Forensic Data Reduction methodology is described for quickly reviewing subsets of the data in order to group relevant evidence from distributed heterogeneous systems in a timely manner. Applying the proposed methodology to real-world data from an Australian police agency shows a timely process and an improvement in processing time compared to processing the whole forensic image, with the ability to locate intelligence and evidence quickly [].
4. J. Haggerty and M. Taylor: A method for the automated analysis of storage media for digital images and files of forensic interest by means of file signatures is proposed. It first defines the multimedia files of interest, then compares the data on the medium with their file signatures to discover whether a malicious file is resident on the computer system. The method is demonstrated for the identification and retrieval of malicious multimedia data [].
5. S. A. Mokhov: Biometric evidence is summarized along with the extraction of "exported" evidence into the Forensic Lucid language for event reconstruction and claim verification. The Modular Audio Recognition Framework (MARF) exports digital evidence derived from biometric voice data, grouped by gender, speaker, etc., using pattern recognition and signal processing approaches. The main aim is the translation of that extracted evidence into Forensic Lucid expressions for analysis [].
6. U. Greveler, B. Justus, and D. Loehr: A household's electricity consumption, sampled at a rate of . readings per second (figure missing), is analysed to identify the video and audio content being played. The collected results show that the meter data of a single household over one month is unique, and that the content played on an electric appliance in a smart-meter household can be identified without obstructing the appliance [].
7. M. C. Stamm, W. S. Lin, and K. J. R. Liu: Approaches for evaluating the performance of anti-forensic algorithms are proposed, together with a game-theoretic framework for analysing the interplay between forensics and anti-forensics. An automatic video forgery detection technique and a technique for detecting video anti-forensics are also proposed, and both are evaluated with the proposed methods [].
8. G. Cao, Y. Zhao, R. Ni, L. Yu, and H. Tian: A blind forensic algorithm for detecting median filtering (MF), which is widely used for signal and image enhancement, is proposed. It is shown that the probability of zero values in the first-order difference map of textured regions serves as a statistical fingerprint that distinguishes a median-filtered image from an unfiltered one. Since anti-forensic approaches like to use MF to attack the linearity assumption of existing forensic algorithms, blind detection of the nonlinear MF operation is significant. Experimental results confirm the effectiveness of the proposed MF forensic technique [].
9. M. C. Stamm, W. S. Lin, and K. J. R. Liu: The interaction between a forensic investigator and a forger is analysed through the problem of authenticating digital videos. In particular, new techniques for developing and evaluating anti-forensics are investigated, along with a game-theoretic framework for analysing the contest between a forger and a forensic investigator. These techniques help in identifying the optimal actions of both the investigator and the forger [].
10. Chang-Tsun Li and R. Satta: Sensor pattern noise (SPN) components from the distorted periphery of an image are observed to cause a high rate of false-positive source camera identification. The empirical evidence shows that the location-dependent degradation of SPN quality is strongly connected with an outlining effect, establishing the general nature of this location dependency. It is recommended that, if image blocks are used for forensic analysis, they be taken from the image centre before SPN extraction in order to minimize the false-positive rate [].
11. R. Hegarty, M. Merabti, Q. Shi, and B. Askwith: A novel method for processing distributed and fragmented data in a Distributed Service Oriented Computing (DSOC) platform is discussed. It provides the ability and scalability to analyse the process while using the available hardware and avoiding evidence contamination. Further, to minimize software interdependency and complexity, an Aspect Oriented Software Development method is used; it provides cohesive functional areas that support, segregate, and allow modification without producing unwanted behaviour in the system [].
12. H. Jin and J. Lotspiech: Three major piracy attacks on a content distribution system are described, namely digitization, DeCSS, and anonymous attacks, and a corresponding forensic approach for detecting piracy is presented. A systematic method for the anonymous and digitization attacks assigns classic error-correcting codes, and it is shown to be suitable for real-world deployment, which requires large populations, low extra bandwidth, and the tracing of big coalitions [].
13. M. Barni and B. Tondi: A theoretical framework that casts the source identification problem as a game is introduced. The equilibrium payoff is analysed to derive the conditions under which forensic analysis is possible, along with the error exponent of the false-negative probability [].
14. M. Mansourvar and M. A. Ismail: A computer-based intelligent forensic system (IFS) for analysing and mining crime data using physical evidence held in large databases is studied. It is shown that using computers for crime data analysis produces fewer errors than human analysis [].
15. C. Fillion and G. Sharma: A pattern recognition method extracts a set of features from the test image, and a Support Vector Machine classifier is trained on a set of images. Intuitively motivated features are found to play an important role in detecting seam carving, and the method detects seam carving with an accuracy of up to % (figure missing) [].
16. Chen, X. Kang, Y. Liu, and Z. J. Wang: A median filtering detection method based on convolutional neural networks (CNNs), which automatically learns forensic features directly from images, is proposed. The first layer is a filtering layer that takes the image as input and outputs image-form residuals. The proposed scheme gives significant performance improvements in cut-and-paste forgery detection [].
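The signature-based scan of row 4 (Haggerty and Taylor) is easy to misread as plain string matching; the forensic value comes from carving each hit up to its footer and hashing the carved bytes so that they can be compared with a fingerprint database. The block below is an added example written for this chapter, not code from that paper or from any tool in Tab. 1. It scans a constructed "disk image" (filler bytes with a minimal JPEG and PNG embedded), carves each file by header and footer, reports a header with no footer as a partial (truncated or fragmented) file, and matches SHA-256 fingerprints against a constructed known-file set. The signatures, sample bytes, and fingerprint set are all assumptions of this example.

```python
import hashlib

# Header and footer signatures (magic bytes) for the two file types carved here.
# JPEG ends at the EOI marker; PNG ends at the IEND chunk followed by its 4-byte CRC.
SIGNATURES = {
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "tail": 0},
    "png":  {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND", "tail": 4},
}


def scan_media(data):
    """Scan a raw byte string (disk image, unallocated space) for multimedia file
    signatures, carve each hit up to its footer, and fingerprint the carved bytes."""
    hits = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(sig["header"], pos)
            if start < 0:
                break
            end = data.find(sig["footer"], start + len(sig["header"]))
            if end < 0:
                # Header without footer: truncated or fragmented file. Report it as
                # partial rather than silently dropping it; an examiner should look.
                hits.append({"type": kind, "offset": start, "length": None, "sha256": None})
                break
            end += len(sig["footer"]) + sig["tail"]
            carved = data[start:end]
            hits.append({"type": kind, "offset": start, "length": len(carved),
                         "sha256": hashlib.sha256(carved).hexdigest()})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


def match_known(hits, known_fingerprints):
    """Return the carved files whose SHA-256 is in the known (e.g. illicit) fingerprint set."""
    return [h for h in hits if h["sha256"] in known_fingerprints]


# Constructed sample input: a fake "disk image" of filler bytes with a minimal
# JPEG and PNG embedded at known offsets. The filler never contains a signature.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"A" * 20 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"B" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FILLER = bytes(range(256))
SAMPLE_IMAGE = FILLER * 2 + SAMPLE_JPEG + FILLER * 3 + SAMPLE_PNG + FILLER

# Constructed "known" fingerprint set; in practice this comes from a hash database.
KNOWN_FINGERPRINTS = {hashlib.sha256(SAMPLE_JPEG).hexdigest()}

if __name__ == "__main__":
    found = scan_media(SAMPLE_IMAGE)
    for h in found:
        print(h)
    print("known files:", match_known(found, KNOWN_FINGERPRINTS))
```

A real scan must also handle files that are fragmented on disk and formats with no footer (MP4 boxes carry their own length fields instead), which is where the partial-hit branch above becomes the common case rather than the exception.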
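Row 8 (Cao et al.) describes the median-filtering fingerprint in one sentence: in a textured region, a median filter makes neighbouring pixels equal far more often than they would be otherwise, so the fraction of zeros in the first-order difference map rises. The block below is an added example written for this chapter, not the authors' code or their thresholds. It builds a constructed random texture, applies a 3x3 median filter and, for contrast, a linear 3x3 mean filter, and computes the zero-difference ratio of each; the decision threshold of 0.1 is an assumed value for this demo.

```python
import random


def make_texture(height, width, seed=7):
    """Constructed sample input: a pseudo-random 8-bit texture standing in for a
    textured image region. I.i.d. random pixels almost never equal their neighbour."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]


def _window(img, y, x, r):
    """Pixels of the (2r+1)x(2r+1) neighbourhood of (y, x), with replicated borders."""
    h, w = len(img), len(img[0])
    return [img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
            for dy in range(-r, r + 1) for dx in range(-r, r + 1)]


def median_filter(img, size=3):
    """Nonlinear size x size median filter (the operation we want to detect)."""
    r = size // 2
    out = []
    for y in range(len(img)):
        row = []
        for x in range(len(img[0])):
            win = sorted(_window(img, y, x, r))
            row.append(win[len(win) // 2])
        out.append(row)
    return out


def mean_filter(img, size=3):
    """Linear size x size mean filter, rounded back to 8 bit, for comparison."""
    r = size // 2
    return [[round(sum(_window(img, y, x, r)) / (size * size))
             for x in range(len(img[0]))] for y in range(len(img))]


def zero_diff_ratio(img):
    """Fraction of zeros in the horizontal first-order difference map
    d[y][x] = img[y][x+1] - img[y][x]. This is the MF statistical fingerprint."""
    zeros = total = 0
    for row in img:
        for a, b in zip(row, row[1:]):
            total += 1
            zeros += (a == b)
    return zeros / total


def is_median_filtered(img, threshold=0.1):
    """Blind decision; the threshold is an assumed value for this demo."""
    return zero_diff_ratio(img) > threshold


if __name__ == "__main__":
    orig = make_texture(64, 64)
    for name, im in (("original", orig),
                     ("mean-filtered", mean_filter(orig)),
                     ("median-filtered", median_filter(orig))):
        print(f"{name:16s} zero-difference ratio = {zero_diff_ratio(im):.3f}"
              f" -> median filtered? {is_median_filtered(im)}")
```

The mean filter is included because it shows why the linearity assumption in row 8 matters: a linear smoothing filter followed by rounding creates only a few equal neighbours, whereas the median filter, which selects an existing value from overlapping windows, creates many. On real images the ratio should be computed on textured blocks only, since flat regions already contain zeros regardless of filtering.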
Pawan et al. present a study focused on the analysis of identity documents such as driving licences, employment cards, and passports, which are widely produced as proof of identity to obtain various benefits. The main aim is to assist the digital forensic document examiner by using digital image processing schemes for document detection, segmentation, and analysis [37]. Sundar et al. illustrate the limitations, challenges, and issues faced when examining a smartphone and the accompanying forensic schemes; the main goal is to raise awareness and suggest good practices for the challenges of forensic work [38]. Paul Joseph and Jasmine Norman present data reduction schemes that can be beneficial in forensic analysis. They show that eliminating uninteresting and unwanted files is the best way to reduce analysis time, and their technique reduces the study's corpus to 29.8 million files [39]. Clare Johnson and Ross Davies present a project based in an academic cyber security department, covering the teaching of multimedia forensics, and investigate the feasibility of forensic investigation of contract cheating by presenting a witness statement in court [40].
3 Challenges
Working with today's digital data, such as images, audio, and video, for examination and analysis leads to various challenges for multimedia forensic techniques. These are summarized as follows [2, 41–44]:
1. High-speed transmission: High-speed network data transmission complicates the capture and preservation of network packets for multimedia forensics. A large amount of data is transmitted in a short time and passes through many interconnected devices, and each such device is a potential source of forensic evidence for analysing the data flow over the network. Investigating these flows requires recording all transmissions without any loss of information, which is an extremely challenging job. It can be addressed by a solution that can capture, index, analyse, and preserve data in real time; software-based, hardware-based, and distributed solutions exist for this [45].
2. Data storage on multimedia devices: A large amount of data passes over the network and must be analysed for the investigation, which makes extracting evidence from the network a complex task. The captured data must be stored on devices with huge storage capacity, but that capacity is limited. Time Machine data capturing can therefore be used to reduce the storage problem: it records according to the data flow, reduces storage requirements, and improves query operations, with a maximum capacity of 185 million records per second [45].
3. Data integrity: Integrity plays an important role in the multimedia forensics process, as it maintains the consistency, accuracy, and completeness of the data across the network. The size, scope, and velocity of the data make maintaining integrity a critical challenge for forensic investigators, and a lack of trust in data integrity makes the data uncertain, which again increases the difficulties for multimedia investigators. Integrity is affected by software and hardware malfunctions, frequent mobility, etc., all of which affect the forensic process if integrity is not preserved. Data integrity thus comprises reliability, security, and consistency, which are significant factors in forensic applications. It can be addressed with end-to-end mechanisms in both software and hardware [46].
4. Data privacy: Privacy is a significant factor in the analysis process of multimedia forensics, and the challenge of consumer privacy must be addressed. A multimedia forensic analyser can be restricted to the data of interest by verifying a signature that enforces attribution in the system, which can be achieved with tools such as group signatures. Nonetheless, accessing private data in an organization's system may violate its privacy policies, so the organization may not allow any third-party analyser to view the data records [47].
5. Other challenges: Multimedia forensics also faces a limited ability to find and prosecute criminals; the need for acceptable legal tools and laws for examination and investigation; adopting appropriate architectures and scaling technologies; the adoption of certification in forensic programs; evidence size; anti-forensics and malicious adversaries; complexity; diversity; unified time-lining; and validation and testing.
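The active approach of Sec. 1.4.3 and the data-integrity challenge above both come down to the same mechanism: a reference (hash, signature, or watermark) computed before the evidence leaves a trusted point, against which the examiner later checks it. The block below is an added example written for this chapter, not code from any cited system. It implements a reduced-reference scheme for a video as a list of frames: one keyed tag (HMAC-SHA256) per frame, bound to the frame index, so that editing, reordering, or dropping frames is detected and localised. The frames and the per-device key are constructed assumptions of this example; a plain unkeyed SHA-256 would be enough only if the reference list itself is held by a trusted party, since a forger who controls the video can recompute unkeyed hashes.

```python
import hashlib
import hmac


def frame_tag(key, index, frame):
    """Keyed tag over (frame index || frame bytes). Binding the index means a frame
    moved to another position no longer verifies, even though its content is intact."""
    msg = index.to_bytes(4, "big") + frame
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_frames(key, frames):
    """Active (reduced-reference) authentication: the reference is one tag per frame,
    produced at recording time by the trusted source (e.g. the camera)."""
    return [frame_tag(key, i, f) for i, f in enumerate(frames)]


def verify_frames(key, frames, tags):
    """Return the indices of frames whose tag does not match, or None when the frame
    count differs from the tag count (frames dropped or inserted)."""
    if len(frames) != len(tags):
        return None
    return [i for i, (f, t) in enumerate(zip(frames, tags))
            if not hmac.compare_digest(frame_tag(key, i, f), t)]


def tamper(frames, index, byte_offset=0):
    """Flip one bit of one frame: a minimal content forgery."""
    out = list(frames)
    f = bytearray(out[index])
    f[byte_offset] ^= 0x01
    out[index] = bytes(f)
    return out


# Constructed sample input: five tiny "frames" standing in for decoded video frames,
# and an assumed per-device key provisioned to the recording camera.
FRAMES = [bytes([i] * 16) for i in range(5)]
KEY = b"camera-unit-7-provisioned-key"

if __name__ == "__main__":
    tags = sign_frames(KEY, FRAMES)
    print("untouched:            ", verify_frames(KEY, FRAMES, tags))
    print("frame 2 edited:       ", verify_frames(KEY, tamper(FRAMES, 2), tags))
    print("last frame dropped:   ", verify_frames(KEY, FRAMES[:4], tags))
    swapped = FRAMES[:]
    swapped[1], swapped[3] = swapped[3], swapped[1]
    print("frames 1 and 3 swapped:", verify_frames(KEY, swapped, tags))
```

The same verify step, with the key replaced by a public-key signature over each tag list, gives the full-reference case when the original recording is also retained; what it cannot do is say anything about a video whose source never produced tags, which is exactly the gap the passive (no-reference) approach fills.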
4 Applications of multimedia forensics
Forensic techniques are used to handle information technology cases; they help in establishing criminal facts for investigations as well as for other legal issues. The application areas are the following [48]:
1. Network: Advances in networking have made the world far more connected than before, but the growing connectivity has created many opportunities for external attackers, who discover new ways to launch cyber-attacks, botnets, phishing attacks, and network worms. Network forensics is the sub-branch of multimedia forensics that deals with recording, capturing, and investigating network events; it is used in various countries to capture the required information for later analysis [44].
2. Database: Database forensics is used when evaluating crimes connected to databases and their metadata. Since organizations depend on several databases for their daily operations, these databases need to be analysed during a crime investigation. It applies to fields such as bank accounts, health records, database fraud cases, and any organization that stores data, and it addresses open questions such as what exactly went wrong in the database and whether there was unauthorized access to a specific database [44].
3. Food: Here forensics is concerned with the how, what, and when of quality- and food safety-related issues. The constituents of raw food products are not exactly known to consumers, which can pose a serious threat if the labelling is not accurate. The threats include disruption of a healthy lifestyle, violation of religious beliefs, exposure to dangerous diseases, and early death. The advantage of multimedia forensics here is that it can help in examining and detecting food product ingredients using multimedia investigation tools [44].
4. Nursing: Forensic nursing focuses on caring for victims and offenders, both living and dead, and spans the legal and health systems. It is a unique field in which practitioners serve as anti-violence resources. Multimedia forensic tasks here include investigating child abuse using multimedia devices and investigating mass disasters.
5. Biochemistry: Because everyone's DNA is unique, cases such as maternity testing, disaster victim identification, criminal cases, and rape cases are solved using this field. Forensic biochemistry applies biochemical techniques to investigations centred on systematic pathophysiological variation, and it helps in understanding the pathophysiological mechanisms that led to a specific death.
Meet Kumari
5 Future scope
The future scope of multimedia forensics is described as follows [49]:
1. Distributed digital forensics: Distributed forensics has been explored only recently, but it has large scope in practical work, as it offers high processing speed for the latest generation of forensic tools. Proposed systems have been validated with a scheme that targets file-centric processing without disrupting access to the underlying data on the raw devices. Investigation of core digital forensic processing shows that throughput is the limiting factor, with intrinsic limitations in both server and desktop scenarios [49].
2. High-performance computing (HPC): Although many forensic operations are bounded by disk read speed, there are phases that are not limited by the speed of the storage device. For instance, the investigation step can consume a large amount of time for both humans and computers. HPC should be used wherever possible to minimize computation time and, in turn, the time needed by humans. Conventional HPC schemes usually employ several levels of parallelism and have so far been little exercised by the forensic community. They have many applications, e.g., storage, reporting, analysis, and pre-processing [49].
3. GPU-powered multi-threading: GPUs excel at single-instruction, multiple-data computation, using large numbers of general-purpose stream processors to execute massively threaded programs, which fits many forensic requirements in practice. Traditionally, GPUs were difficult to program and targeted at specific problems. Recently, multicore CPUs combined with GPU accelerators have been widely used in high-performance computing because of their good power efficiency and low price. Moreover, integrated GPUs allow multimedia applications to be processed alongside the CPU at high efficiency. The latest programming models and heterogeneous architectures, with transparent access to the CPU address space, low computation offloading overhead, and low power, make an efficient and powerful computer available in a workstation. These properties suit many multimedia forensic applications.
4. Digital Forensics as a Service (DFaaS): DFaaS is an extension of the conventional multimedia forensic process. DFaaS solutions have been implemented to combat the volume of backlogged cases; they help in storing, automating, and investigating inquiries in the managed cases. Their merits are resource management, high efficiency, enabling detectives to query the data, faster turnaround of a process, and easier collaboration between detectives working on a single case through shared knowledge and annotation. They also improve the process, the indexing capabilities, and the functionality available to case detectives.
5. Field-programmable gate arrays (FPGAs): FPGAs are integrated circuits that can be configured after manufacture. They can realise any application-specific function and provide various merits over conventional CPUs. FPGAs can exploit the inherent parallelism of an algorithm and complete it in fewer logic operations than a conventional CPU, which results in faster processing. They are also used in cryptographic applications.
6 Conclusion
This chapter described the basic multimedia forensic techniques in detail. The three major multimedia types, image, audio, and video, were studied with the aim of establishing the integrity, reliability, and visualization of their evidence. Multimedia forensics plays a vital role in recording, identifying, analysing, and capturing data from multimedia-based devices. The chapter also described the latest open challenges in the multimedia forensics field. Each of these challenges on its own can obstruct the discovery of pertinent information for multimedia investigators and detectives engaged in the multitude of cases requiring multimedia forensic analysis, and in combination their negative effects are greatly amplified. Together with limited expertise and large workloads, they have caused the backlog of multimedia evidence to grow for law enforcement agencies globally. Although many open issues and challenges remain, the future scope outlined here points to further research in multimedia forensic techniques. Regarding future research directions, techniques already in place in several computer science disciplines hold potential for addressing these open challenges. They can be applied to the conventional multimedia forensic process to reduce the backlog by speeding up and improving the process and by allocating the expert's precious time more efficiently.
References
[1] Bayar, B., Stamm, M. C. 2017. Design principles of convolutional neural networks for multimedia forensics. IS&T International Symposium on Electronic Imaging Science and Technology, 77–86. https://doi.org/10.2352/ISSN.2470-1173.2017.7.MWSF-328.
[2] Kim, D., Jang, H. U., Mun, S. M., Choi, S., Lee, H. K. 2018. Median filtered image restoration and anti-forensics using adversarial networks. IEEE Signal Processing Letters, 25(2), 278–282. https://doi.org/10.1109/LSP.2017.2782363.
[3] Khan, M. K., Zakariah, M., Malik, H., Choo, K. K. R. 2018. A novel audio forensic data-set for digital multimedia forensics. Australian Journal of Forensic Sciences, 50(5), 525–542. https://doi.org/10.1080/00450618.2017.1296186.
[4] Dube, S., Sharma, K. 2019. Hybrid approach to enhance contrast of image for forensic investigation using segmented histogram. International Journal of Advanced Intelligence Paradigms, 13(1–2), 43–66.
[5] Shrivastava, G., Sharma, K., Dwivedi, A. 2012. Forensic computing models: Technical overview. CCSEA, SEA, CLOUD, DKMP, CS & IT, 207–216. https://doi.org/10.5121/csit.2012.2222.
[6] Kong, H. 2010. Undetectable image tampering through JPEG compression anti-forensics. Proceedings of the 2010 IEEE 17th International Conference on Image Processing, 2109–2112.
[7] Iorliam, A. 2018. Subdivisions of forensic science. 3–16. https://doi.org/10.1007/978-3-319-94499-9.
[8] Zeng, J., Lu, W., Yang, R., Qiu, X. 2016. Practical tools for digital image forensic authentication. Lecture Notes in Electrical Engineering, 393, 453–459. https://doi.org/10.1007/978-981-10-1536-6_59.
[9] Raghavan, S. 2013. Digital forensic research: Current state of the art. CSI Transactions on ICT, 1(1), 91–114. https://doi.org/10.1007/s40012-012-0008-7.
[10] Kruchten, P. 2010. A survey on digital forensics trends. IEEE Software, 27(3), 92–94. https://doi.org/10.1109/MS.2010.70.
[11] Mikkilineni, A. K., Chiang, P.-J., Ali, G. N., Chiu, G. T. C., Allebach, J. P., Delp III, E. J. 2005. Printer identification based on graylevel co-occurrence features for security and forensic applications. Security, Steganography, and Watermarking of Multimedia Contents VII, 5681, 430. https://doi.org/10.1117/12.593796.
[12] Xidonas, P., Kountzakis, C. E., Hassapis, C., Staikouras, C. 2016. A use of Black-Scholes model in market risk. International Journal of Financial Engineering and Risk Management, 2(3), 200. https://doi.org/10.1504/ijferm.2016.082983.
[13] Singh, N., Joshi, S. 2015. Digital image forensics: Progress and challenges.
[14] Zakariah, M., Khan, M. K., Malik, H. 2018. Digital multimedia audio forensics: Past, present and future. Multimedia Tools and Applications, 77(1), 1009–1040. https://doi.org/10.1007/s11042-016-4277-2.
[15] Battiato, S., Emmanuel, S., Ulges, A., Worring, M. 2012. Multimedia in forensics, security, and intelligence. IEEE Multimedia, 19(1), 17–19. https://doi.org/10.1109/MMUL.2012.10.
[16] Shrivastava, G. 2016. Network forensics: Methodical literature review. Proceedings of the 10th INDIACom; 3rd International Conference on Computing for Sustainable Global Development (INDIACom 2016), 2203–2208.
[17] Sharma, S., Dhavale, S. V. 2016. A review of passive forensic techniques for detection of copy-move attacks on digital videos. ICACCS 2016, 3rd International Conference on Advanced Computing and Communication Systems. https://doi.org/10.1109/ICACCS.2016.7586396.
[18] Van Lanh, T., Sen, C. K., Emmanuel, S., Kankanhalli, M. S. 2007. A survey on digital camera image forensic methods. Proceedings of the 2007 IEEE International Conference on Multimedia and Expo (ICME 2007), 16–19. https://doi.org/10.1109/ICME.2007.4284575.
[19] Shrivastava, G., Sharma, K., Khari, M., Zohora, S. E. 2019. Role of cyber security and cyber forensics in India. In Cyber Law, Privacy, and Security, 1349–1368. https://doi.org/10.4018/978-1-5225-8897-9.ch067.
[20] Description, B. 2020. New Age Analytics: Transforming the Internet through Machine Learning, IoT, and Trust Modeling.
[21] Singh, R. D. 2018. The art and science of digital visual media forensics. Forensic Legal Investigations Science, 4, 1–6. https://doi.org/10.24966/flis-733x/100021.
[22] Lalla, H., Flowerday, S. 2010. Towards a standardised digital forensic process: E-mail forensics. ISSA 2010.
[23] Cao, G., Zhao, Y., Ni, R., Ou, B., Wang, Y. 2014. Forensic detection of noise addition in digital images. Journal of Electronic Imaging, 23(2), 023004. https://doi.org/10.1117/1.jei.23.2.023004.
[24] Quick, D., Choo, K. K. R. 2017. Big forensic data management in heterogeneous distributed systems: Quick analysis of multimedia forensic data. Software: Practice and Experience, 47(8), 1095–1109. https://doi.org/10.1002/spe.2429.
[25] Haggerty, J., Taylor, M. 2007. FORSIGS: Forensic signature analysis of the hard drive for multimedia file fingerprints. IFIP International Federation for Information Processing, 232, 1–12. https://doi.org/10.1007/978-0-387-72367-9_1.
[26] Mokhov, S. A. 2010. Encoding forensic multimedia evidence from MARF applications as Forensic Lucid expressions. Novel Algorithms and Techniques in Telecommunications and Networking, 413–416. https://doi.org/10.1007/978-90-481-3662-9-71.
[27] Greveler, U., Justus, B., Loehr, D. 2012. Forensic content detection through power consumption. IEEE International Conference on Communications, 6759–6763. https://doi.org/10.1109/ICC.2012.6364822.
[28] Stamm, M. C., Lin, W. S., Liu, K. J. R. 2012. Forensics vs. anti-forensics: A decision and game theoretic framework. ICASSP 2012, IEEE International Conference on Acoustics, Speech and Signal Processing, 1749–1752. https://doi.org/10.1109/ICASSP.2012.6288237.
[29] Cao, G., Zhao, Y., Ni, R., Yu, L., Tian, H. 2010. Forensic detection of median filtering in digital images. IEEE International Conference on Multimedia and Expo (ICME 2010), 89–94. https://doi.org/10.1109/ICME.2010.5583869.
[30] Chang-Tsun, L., Satta, R. 2012. On the location-dependent quality of the sensor pattern noise and its implication in multimedia forensics. 4th International Conference on Imaging for Crime Detection and Prevention 2011 (ICDP 2011), P37. https://doi.org/10.1049/ic.2011.0134.
[31] Hegarty, R., Merabti, M., Shi, Q., Askwith, B. 2009. Forensic analysis of distributed data in a service oriented computing platform. Proceedings of the 10th Annual Postgraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting (PGNet 2009).
[32] Jin, H., Lotspiech, J. 2005. Attacks and forensic analysis for multimedia content protection. IEEE International Conference on Multimedia and Expo (ICME 2005), 1392–1395. https://doi.org/10.1109/ICME.2005.1521690.
[33] Barni, M., Tondi, B. 2013. The source identification game: An information-theoretic perspective. IEEE Transactions on Information Forensics and Security, 8(3), 450–463. https://doi.org/10.1109/TIFS.2012.2237397.
[34] Mansourvar, M., Ismail, M. A., Kareem, S. A., Raj, R. G., Nassaruddin, F. H., Mahmud, R., ..., Idris, N. 2012. A computer-based system to support intelligent forensic study. Proceedings of the International Conference on Computational Intelligence, Modelling and Simulation, 117–119. https://doi.org/10.1109/CIMSim.2012.33.
[35] Fillion, C., Sharma, G. 2010. Detecting content adaptive scaling of images for forensic applications. Media Forensics and Security II, 7541, 75410Z. https://doi.org/10.1117/12.838647.
[36] Chen, J., Kang, X., Liu, Y., Wang, Z. J. 2015. Median filtering forensics based on convolutional neural networks. IEEE Signal Processing Letters, 22(11), 1849–1853. https://doi.org/10.1109/LSP.2015.2438008.
[37] Othman, P. S., Ihsan, R. R., Marqas, R. B., Almufti, S. M. 2020. Image processing techniques for identifying impostor documents through digital forensic examination. Image Processing Techniques, 62(04), 1781–1794.
[38] Krishnan, S., Zhou, B., An, M. K. 2019. Smartphone forensic challenges. International Journal of Computer Science and Security, 13(5), 183–200.
[39] Joseph, P., Norman, J. 2019. Forensic corpus data reduction techniques for faster analysis by eliminating tedious files. Information Security Journal, 28(4–5), 136–147. https://doi.org/10.1080/19393555.2019.1689319.
[40] Johnson, C., Davies, R. 2020. Using digital forensic techniques to identify contract cheating: A case study. Journal of Academic Ethics. https://doi.org/10.1007/s10805-019-09358-w.
[41] Chu, X., Stamm, M. C., Chen, Y., Liu, K. J. R. 2015. On antiforensic concealability with rate-distortion tradeoff. IEEE Transactions on Image Processing, 24(3), 1087–1100. https://doi.org/10.1109/TIP.2015.2390137.
[42] Mahmood, T., Nawaz, T., Irtaza, A., Ashraf, R., Shah, M., Mahmood, M. T. 2016. Copy-move forgery detection technique for forensic analysis in digital images. Mathematical Problems in Engineering. https://doi.org/10.1155/2016/8713202.
[43] Mahmood, T., Mehmood, Z., Shah, M., Khan, Z. 2018. An efficient forensic technique for exposing region duplication forgery in digital images. Applied Intelligence, 48(7), 1791–1801. https://doi.org/10.1007/s10489-017-1038-5.
[44] Rahim, N., Wahab, A. W. A., Idris, M. Y. I., Kiah, L. M. 2014. Digital forensics: An overview of the current trends. Proceedings of the 4th International Cryptology and Information Security Conference 2014 (Cryptology 2014), 236–244.
[45] Khan, S., Gani, A., Wahab, A. W. A., Shiraz, M., Ahmad, I. 2016. Network forensics: Review, taxonomy, and open challenges. Journal of Network and Computer Applications, 66, 214–235. https://doi.org/10.1016/j.jnca.2016.03.005.
[46] Paula, L. C. M. D., Informática, I. D. 2020. Forensic Investigations and Risk Management in Mobile and Wireless Communications. Advances in Wireless Technologies and Telecommunication. https://doi.org/10.4018/ijncr.2014010103.
[47] Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. 2018. Handbook of Research on Network Forensics and Analysis Techniques. IGI Global, USA. https://doi.org/10.4018/978-1-5225-4100-4.
[48] Putra Justicia, A. 2018. Analysis of forensic video in storage data using tampering method. International Journal of Cyber-Security and Digital Forensics, 7(3), 328–335. https://doi.org/10.17781/p002471.
[49] Lillis, D., Becker, B., O'Sullivan, T., Scanlon, M. 2016. Current challenges and future research areas for digital forensic investigation. 11th ADFSL Conference on Digital Forensics, Security and Law (CDFSL 2016), 1–11. https://doi.org/10.13140/RG.2.2.34898.76489.
Anand Sharma
Computer forensics and Cyber Crimes: COVID-19 perspective
Abstract: Civilization is living through the worst pandemic of this era. The COVID-19 outbreak has had an enormous effect on the planet and has already brought several nations to a standstill. The pandemic leaves individuals and society extremely vulnerable in every respect, and there is evidence that malicious actors are exploiting those vulnerabilities for their own gain. During this emergency we depend more than ever on computers, mobile phones, and the Internet for working, communicating, sharing, shopping, and staying informed, and to soften the effects of social distancing. Cyber security therefore matters even more, because the environment is ideal for Cyber Criminals to strike. They are exploiting the fear and uncertainty surrounding the outbreak: as COVID-19 keeps spreading across the globe, the Cyber Crime curve has risen with it, and attackers use the pandemic as a lure for phishing, spam, and ransomware campaigns. Cyber Crime is a growing problem, yet the legal mechanisms to investigate and successfully prosecute offenders remain unclear. Law enforcement authorities must cooperate fully to identify, detect, examine, investigate, and prosecute those who exploit the coronavirus outbreak for their own criminal ends. This chapter discusses Cyber Crime, the reasons for conducting a computer forensic investigation, the main aspects of computer forensics, potential sources of digital evidence, the standard operating procedure for handling digital evidence, and the role of computer forensics in the COVID-19 pandemic. Keywords: Cyber Crimes, computer forensics, coronavirus, COVID-19
1 Introduction
The world as we know it will never be the same. The start of 2020 brought discussion of the coronavirus family of viruses and of how they are affecting our daily lives [1]. COVID-19 had a massive impact on society as a whole at the start of 2020. The virus was first identified in Wuhan, Hubei, China, in December 2019 [2].
Anand Sharma, CSE Department, School of Engineering and Technology, Mody University of Science and Technology, Sikar, Rajasthan, India, e-mail: [email protected] https://doi.org/10.1515/9783110677478-004
Subsequently, on 11 March 2020, the WHO (World Health Organization) classified the outbreak as a pandemic [3]. It is the task of cyber security specialists to do their best to protect the general public during this pandemic [4]. There has recently been a massive influx of Cyber Crime launched daily against the general public. Something needs to be done about it, although it may already be too late. Criminal groups are exploiting the COVID-19 pandemic to target healthcare systems and critical IT infrastructure throughout the world. The COVID-19 Cyber Threat Coalition has created a platform to collect, vet, and share threat intelligence so that threats can be prevented, detected, and responded to effectively. Cyber Criminals are using sophisticated and adaptable tools to compromise users' privacy, and they are getting results. Cyber Crime is a serious risk to every organization on Earth and one of the most pressing problems facing humankind. Cyber Criminals have been among the quickest to exploit the COVID-19 pandemic in the scams and attacks they carry out. As people rely on web services and the Internet for their daily work during the pandemic, Cyber Criminals are trying to exploit multiple vulnerabilities. As several earlier articles have noted, education is the key, yet cyber security vigilance is still severely lacking among the general public [5]. One can also ask whether the world was really prepared for the "human" virus; frankly, in the current situation it seems that we were never prepared for COVID-19 [6, 7]. The FBI's primary intake point is the Internet Crime Complaint Center (IC3), and the IC3 has been extraordinarily busy in recent months. The complaints run the gamut: fraudulent web domains, fake COVID charities, promised deliveries of masks and other equipment that never arrive, fake loans, blackmail, extortion, and so on; in short, almost anything one can think of. Cyber Criminals are very innovative. On the nation-state side, as one can imagine, countries have a very high appetite for information about how other nations are responding, and also about vaccine and treatment research, what is happening in other countries' healthcare sectors, and their research institutes. According to IntSights, a cyber intelligence firm in New York, "coronavirus-themed phishing, malware infections, network intrusions, scams, and disinformation campaigns have become rampant across the clear, deep, and dark web." Beware of miracle coronavirus cures and testing kits peddled on the dark web, the vast underground online market. Cyber security experts warn that scammers are preying on panic-stricken people looking for safeguards against COVID-19 across encrypted platforms.
2 Cyber Crime in the COVID-19 outbreak
The coronavirus is spreading exponentially across the world, and this period of social distancing and misinformation has also given an opportunity to the darker elements of society. Individuals, public authorities, and businesses have moved to online communication, and because not everyone is familiar with these technologies, Cyber Criminals target the most vulnerable users. The growth of work from home has increased the number of users doing their work through online communication technologies. In this pandemic the number of phishing attacks has risen. Criminals send emails asking users to download an attachment with information about the current state of the pandemic, or to supply personal information, while posing as government agencies or hospital administrators. WHO recently warned that criminals are even using the WHO name for this type of scam. There has been a flood of fake applications, web domain names, and sites that profit from two facts: first, the fear among the general public and their search for information about the pandemic, and second, the shift by organizations all over the globe to "work from home" through online media. We consider both situations in turn. Organizations and industries that started working online and from home without proper training are now experiencing cyber attacks. Every organization, large or small, has been forced to work remotely because of the lockdown. An increase in the number of messages in the junk folder has been observed, claiming to be advisories relating to COVID-19. These messages lure the user into opening attachments that are malicious; the moment they are opened, the malware author gains access to the whole system. Once the malware has compromised one system, there is a risk that the systems of colleagues are compromised too. This can affect the entire network of systems to which the organization is connected, with a huge loss of confidential information. Consequently, Cyber Crime is increasing around the world during this pandemic. Cyber Criminals deploy ransomware after taking advantage of weaknesses in organizations' security, and obtain personal and confidential data through social engineering. As the number of Cyber Crimes rises, there is a strong demand for cyber security solutions; Cisco Systems, Barracuda Networks, McAfee, BAE Systems, Symantec, and Illusive Networks Ltd. are some of the organizations providing them.
In this section, the various cyber attacks, along with the process the Cyber Criminals execute to carry them out, are described.
i. Malware developers are exploiting the isolation situation. Phishing campaigns and malware distribution [8] through apparently genuine websites or documents offering information or advice on coronavirus are used to infect systems and harvest user credentials [9, 10].
ii. Ransomware targets the mobile phones of people using apps that promise to give real-time data on COVID-19, in order to extract payments. One such application available in the Google Play Store was "corona live 1.1," which claimed to be a live tracker of coronavirus cases. Users of the application believed they were monitoring the pandemic, yet the malicious application was actually attacking their privacy: gaining access to the device's photos, videos, messages, location, call logs, and camera. The data gathered can be used in many ways; it can be used to compromise the victim's bank accounts or even to blackmail the owner of the photos and videos.
iii. Cyber Criminals also carry out ransomware attacks that shut down clinical, medical, healthcare, and research facilities in order to obtain a ransom.
iv. Business email compromise [11] keeps using social engineering, made more effective by the added urgency of the outbreak, to induce fund transfers to a criminal bank or crypto-currency account or to a foreign exchange. The same access can be used to obtain personal and confidential data for further criminal acts.
v. The success of a phishing Cyber Crime depends on how many recipients take the bait [5]: a particular email account is compromised when the user clicks a link or opens an attached document, giving the attacker short-term as well as long-term access to the victim's account. Besides harvesting sensitive data, the Cyber Criminal can deface websites, alter records, delete data, and spread misinformation.
vi. Cyber Criminals are increasingly preying on people's fear of COVID-19 infection: offering counterfeit remedies for sale on the Internet and defrauding buyers through the sale of dummy hand sanitizer and clinical personal protective equipment (PPE), counterfeit medicines claiming to cure coronavirus, drugs, or hygiene products [12, 13].
vii. Cyber Criminals spread disinformation and fake news through bogus media accounts and trolls in order to create social fragility and undermine governments and the actions taken by their health authorities [14, 15].
viii. Cyber Criminals have adapted their offending to exploit the social, legal, and psychological particularities of COVID-19. Young children using the Internet are being targeted by online sex offenders [16, 17, 18].
ix. The emergence of e-cash and online payment has attracted Cyber Criminals looking to make money. E-cash or online payment is a method of transferring money over the Internet, and the rapid adoption of the Internet for commercial transactions has led Cyber Criminals to target financial accounts and banking systems.
x. Darknet vendors keep selling compromised data, including that of prominent officials and celebrities. Newcomers to Cyber Crime seek advice from others on how best to exploit the COVID-19 pandemic for profit. Some Cyber Criminals have targeted vaccine-testing laboratories and hospitals with ransomware and DDoS (Distributed Denial of Service) attacks. Predatory child sex offenders keep discussing which social networks and photo-sharing sites are likely to give them the easiest access to children to abuse. Cyber Criminals also keep discussing how best to identify and defeat security systems on the web.
xi. In addition to conventional Cyber Criminals, APT (Advanced Persistent Threat) groups continue to evolve and to exploit the pandemic. They keep targeting critical national and international infrastructure and organizations, for example the World Health Organization, vaccine development labs, and hospitals, with ransomware, malware, and DDoS attacks.
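The "live tracker" app described under item ii illustrates a check that anyone triaging a suspicious app can run before installing it: compare the permissions declared in its AndroidManifest.xml with what the advertised function actually needs. The following Python is an added example written for this chapter, not code from the original text or from any real app; the manifests are constructed for the example, the package name and app label are invented, and the set of permissions a read-only case counter is expected to need is an assumption stated in the code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Runtime ("dangerous") permissions, as grouped in the Android platform documentation.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumption: a read-only case counter needs network access and nothing else.
EXPECTED_FOR_TRACKER = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest (not from any real app) modelled on the behaviour described in the
# text: a "tracker" that also asks for SMS, call log, location, camera and storage, and
# registers a device-admin receiver that makes it hard to uninstall.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.coronalive">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Corona Live">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>
"""

# Constructed manifest of a tracker that asks only for what it needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.casecounter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Case Counter"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """All <uses-permission> names declared in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR))


def triage(manifest_xml, expected):
    """Split the requested permissions into expected / dangerous-but-unexpected / other,
    and flag a device-admin receiver, which legitimate information apps do not need."""
    root = ET.fromstring(manifest_xml)
    requested = set(requested_permissions(manifest_xml))
    unexpected = requested - expected
    device_admin = any(
        e.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
        for e in root.iter("receiver")
    )
    return {
        "dangerous_unexpected": sorted(unexpected & DANGEROUS),
        "other_unexpected": sorted(unexpected - DANGEROUS),
        "device_admin_receiver": device_admin,
        "suspicious": bool(unexpected & DANGEROUS) or device_admin,
    }


if __name__ == "__main__":
    for label, manifest in (("corona live", SAMPLE_MANIFEST), ("case counter", BENIGN_MANIFEST)):
        print(label, triage(manifest, EXPECTED_FOR_TRACKER))
```

A permission list is a triage signal, not proof of malice: an app can request a permission it never uses, or misuse one it legitimately needs. It is, however, exactly the information a user can read on the Play Store listing or that an analyst can pull from the APK before running it, and a "tracker" that wants SMS, call logs, the camera and device-admin rights should be rejected on that basis alone.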
3 Computer forensics
In contrast with other forensic sciences, the field of computer forensics is relatively young. Unfortunately, many people do not understand what the term "computer forensics" means and what methods it involves. Computer forensics is the branch of forensic science that applies analysis techniques to computer systems in order to recover and preserve evidence in a manner that is legally admissible. The objective of a computer forensics investigation is to conduct a structured examination of a computing device to discover either what happened or who was responsible for what happened, while maintaining a properly documented chain of evidence in a formal report [19]. Computer forensics is the procedure, drawing on computer engineering and technology, of collecting and examining evidence that is critical and admissible in a cyber attack investigation. It is used to discover attackers' behaviour and to trace them by gathering and examining logs and state data.
This means that a significant part of the discipline of computer forensics lies in the ability of the forensic expert to present findings in a manner that is acceptable and usable by a court. The Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice has defined the key terms describing the computer forensic analysis methodology. The key components of computer forensics are as follows:
– The use of scientific methods
– Collection and preservation
– Validation
– Identification
– Interpretation and analysis
– Presentation and documentation
A computer forensic investigation is an investigation into new or suspect activity in cyber space or the digital world. The examination procedure is carried out according to the guidance of the National Institute of Standards and Technology (NIST). Figure 1 shows all the phases of a computer forensic investigation process.
Fig. 1: The computer forensic investigation processes.
i. Collection phase
The first phase of the process is to identify potential sources of data and to acquire forensically relevant data from them. Major sources of data are desktop computers, routers, digital media, mobile phones, digital cameras, and so on. A plan is drawn up to acquire data in order of its likely value, its volatility, and the effort required to collect it.
ii. Examination
Once data has been collected, the next stage is to examine it, which involves assessing and extracting the relevant pieces of information from the collected data.
iii. Analysis
The extracted, relevant data is analysed in order to draw conclusions. Where extra information is needed for a detailed investigation, internal and external sources are consulted.
iv. Reporting
This is the process of preparing and presenting the results of the analysis phase [20].
The uses of computer forensics are varied. They range from helping law enforcement authorities investigate child pornography, fraud, murder, espionage, rape, assault, and cyberstalking, even during the COVID-19 pandemic. In the private sector, computer forensics has been used by businesses to investigate a wide range of cases, including industrial espionage, fraud, forgeries, intellectual property theft, disputes with employees, regulatory compliance, bankruptcies, and the improper use of computers, the Internet, and email in the workplace [21]. Computer forensics has a very wide scope, covering network forensics, cyber forensics, mobile forensics, and so on; consequently it has specific branches that support deeper expertise. The key areas associated with computer forensics are:
– Disk forensics
– Network forensics
– Database forensics
– Mobile device forensics
– Printer forensics
– Digital music device forensics
– Scanner forensics
– Personal digital assistant forensics
– Multimedia forensics
Computer forensics is essential for law enforcement and investigation, but it also has applications in business, private, and commercial organizations. All activity conducted on a person's computer system, as well as on an organization's network, leaves digital traces, which range from Internet browsing history, logs, and cookies, to file metadata, deleted file fragments, backup files, and email headers.
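The collection and preservation steps above, and the "validation" component of the CCIPS methodology, rest on one practical mechanism: hash the evidence at the moment of acquisition, record who handled it and when, and re-verify the hash before every later step. The following Python is an added example, not code from the original chapter or from any forensic tool; the sample image bytes, exhibit identifier, examiner name, and tool string are constructed for the example. Each custody entry carries the hash of the previous entry, so an edit to an earlier entry is detectable as well as an edit to the image.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry):
    # Hash over the entry's own fields (excluding the stored hash itself). Because each
    # later entry carries the previous entry's hash in "prev", editing an earlier entry
    # silently breaks every link after it.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def acquire(image, *, item_id, source, examiner, tool, when=None):
    """Open a chain of custody for one exhibit. The hash taken here, at the moment of
    collection, is the reference value every later verification is measured against."""
    entry = {
        "seq": 0, "action": "acquired", "item_id": item_id, "source": source,
        "custodian": examiner, "tool": tool,
        "time": when or datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_hex(image), "size": len(image), "prev": None,
    }
    entry["entry_hash"] = entry_hash(entry)
    return [entry]


def transfer(chain, *, to, action="transferred", when=None):
    """Append a custody event (hand-over, analysis, storage). The reference hash is
    carried forward unchanged; a new hash is never taken from a working copy."""
    prev = chain[-1]
    entry = {
        "seq": prev["seq"] + 1, "action": action, "item_id": prev["item_id"],
        "custodian": to, "time": when or datetime.now(timezone.utc).isoformat(),
        "sha256": prev["sha256"], "size": prev["size"], "prev": prev["entry_hash"],
    }
    entry["entry_hash"] = entry_hash(entry)
    return chain + [entry]


def verify_chain(chain):
    """True only if every entry is internally consistent, links to its predecessor,
    and carries the same reference hash and size as the acquisition entry."""
    if (not chain or chain[0]["seq"] != 0 or chain[0]["prev"] is not None
            or chain[0]["action"] != "acquired"):
        return False
    ref_hash, ref_size = chain[0]["sha256"], chain[0]["size"]
    for i, e in enumerate(chain):
        if e["seq"] != i or e["sha256"] != ref_hash or e["size"] != ref_size:
            return False
        if entry_hash(e) != e["entry_hash"]:
            return False
        if i > 0 and e["prev"] != chain[i - 1]["entry_hash"]:
            return False
    return True


def verify_image(image, chain):
    """A working copy is fit for examination only if the custody log is intact and the
    copy still hashes to the value recorded at acquisition."""
    return (verify_chain(chain) and len(image) == chain[0]["size"]
            and sha256_hex(image) == chain[0]["sha256"])


def tampered(chain, seq, field, value, rehash=False):
    """Copy of the chain with one field altered, to show what verification catches.
    rehash=True models someone who also recomputes that entry's own hash."""
    alt = copy.deepcopy(chain)
    alt[seq][field] = value
    if rehash:
        alt[seq]["entry_hash"] = entry_hash(alt[seq])
    return alt


# Constructed sample "image": a stand-in for a disk image acquired from a suspect laptop.
SAMPLE_IMAGE = b"\x00" * 512 + b"COVID-19_relief_invoice.docm" + b"\x00" * 512

if __name__ == "__main__":
    chain = acquire(SAMPLE_IMAGE, item_id="EXH-01", source="laptop SSD (constructed)",
                    examiner="A. Examiner", tool="dd 8.32",
                    when="2020-04-01T09:00:00+00:00")
    chain = transfer(chain, to="Evidence locker", action="stored",
                     when="2020-04-01T10:30:00+00:00")
    print("chain intact:", verify_chain(chain))
    print("image matches:", verify_image(SAMPLE_IMAGE, chain))
    print("modified copy matches:", verify_image(SAMPLE_IMAGE[:-1] + b"\x01", chain))
    print("edited first entry passes:",
          verify_chain(tampered(chain, 0, "custodian", "B. Other", rehash=True)))
```

The hash chain detects edits to any entry except the last one, which has no successor to contradict it; in practice the newest entry hash is anchored outside the log (countersigned, written to a separate system, or timestamped), and the acquisition hash is also written by hand on the evidence form, so that a rewritten log can be checked against something the log does not control.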
4 Computer forensic investigation for Cyber Crime
Cyber Crime has become broader with COVID-19. Cyber Criminals have various motives, but they can marshal the resources to build attack vectors that achieve the outcomes they want. They commit fraud, theft, and robbery, and steal money from enterprises, banks, countries, regions, and even individuals during this pandemic. The COVID-19 pandemic represents an unprecedented worldwide challenge to the whole of society, most of which has moved from physical to online systems. The economic and financial effects of COVID-19 add a further layer of complexity for people and governments. To weather this storm we need computer forensic investigation and the backing of criminal justice authorities to bring criminals to justice [22]. Cyber Criminals use technology to conceal their unlawful activities and to move assets across jurisdictions and around the globe. Their operations are intricate, and they have significant resources to help them avoid detection; those tasked with investigating Cyber Criminal activity must therefore keep pace. There are now a variety of computer forensic investigators who track these criminals and their activities. Technological innovations are being used by many governments to assess, identify, and trace potential COVID-19 patients. This important work must remain under review, with clear oversight, to ensure that surveillance measures are withdrawn once the goal of outbreak control is achieved. Now is the right time to build cyber confidence with the public, to collaborate against the most pressing threat of our time, and to build trust globally in computer forensics investigations. Paradoxically, Cyber Criminals may take more risks online as they perceive that the probability of detection has diminished. Expert law enforcement investigations must, therefore, proceed at pace. The evidence gathered from a computer forensic analysis aids incident response and remediation once an organization realises that a breach has occurred; in addition, information can be gathered on new threat vectors and on novel kinds of malware that may not have been seen before. It is also useful in tracing the path of an APT (advanced persistent threat), which uses a mixture of tools and tricks to achieve its ends. APTs are highly targeted and usually remain unnoticed on the victim's network for a considerable time, performing reconnaissance and exfiltrating data [23]. Computer forensics investigation sets out a number of attributes that every practitioner carrying out an investigation ought to exhibit in order to strengthen the legitimacy of the digital evidence. The framework has four core areas governing all sections (see Fig. 2). Each core area (legal, technical, ethical, and educational) is governed by two core principles relevant to that area.
Such standards are designed to be relevant to the practice of digital forensics. Their fundamental purposes in the field of digital forensics are to:
– Inspire reflection and maintain the integrity of the profession
– Guide ethical choices in the field
– Specify ethical obligations
– Promote confidence and trust
Fig. 2: Computer forensic investigation standards.
These standards are developed for the practice of digital forensic experts:
i. Ethical standards are statements of a practitioner's professional conduct that must be maintained throughout their career.
ii. Educational standards provide the essential educational foundation for digital forensics experts and practitioners at various levels. They define the knowledge and skills that professionals ought to have, and they support the highest possible competence in the field. There are certain things that digital forensics practitioners should know and be able to do.
iii. Legal standards describe the investigation from a legal perspective. They set out the legal requirements of a digital forensics investigation and cover the various laws a digital forensic expert must be aware of during an investigation.
iv. Technical standards outline the technical guidelines involved in a digital investigation. They specify the essential technical knowledge of an investigator and cover the use of the tools, techniques, and methods related to digital forensics investigation.
5 Precautionary measures to stay safe during COVID-19
You can protect yourself from such frauds and scams with diligence and vigilance. A few points need to be followed:
– Always pay attention to the kind of personal data you are asked to share. There should always be a reason why your personal data is required, and under no circumstances is there a legitimate need for your passwords. Be wary of requests for personal data through websites that you reached by following a link contained in a message or email; it is better to go directly to the website of the organization concerned.
– Stay informed through official and reliable sources, going directly to the websites of the institutions or the media, never through a link provided in a message or email. Do not open email attachments that you did not request. If you do receive one, it is always safer to obtain the same document from WHO's official website than to open the attachment in the mail.
– Verify the sender's email address and the web link to which the message refers you. Sometimes it is obvious that the web address is not genuine; on other occasions Cyber Criminals craft links that closely resemble legitimate addresses. Do not trust messages that convey a sense of panic or urgency.
– Avoid downloading applications from third-party stores and websites; download only the applications available in the App Store for Apple iOS users and the Google Play Store for Android users.
– Check the app details on the Play Store before downloading it, including the developer, their website (if any), and the reviews and ratings given by other users.
– Use reliable mobile and desktop antivirus software; it can prevent fake and malicious applications from being installed.
– Do not believe that WHO or any other organization conducts lotteries or offers prizes, grants, or certificates through messages.
– Last but most important: in a risky situation it is more important than ever to keep calm, to reflect before acting or making hasty decisions, and to report the risk properly to the authorities.
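The advice above to verify the sender's address and the link target, and to reach official sites directly, can be partly automated: extract every link from a message, compare the host that the link text shows with the host the link really goes to, and check whether the destination imitates a trusted domain. The following Python is an added example written for this chapter, not code from the original text; the sample e-mail body and its three links are constructed for the example, the trusted-domain list is an assumption, and the registrable-domain split is a simplification noted in the comments.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the official sources a COVID-19 advisory is expected to link to.
TRUSTED = {"who.int", "cdc.gov"}

# Constructed sample e-mail body; all three links are invented for the example.
SAMPLE_EMAIL = """
<p>Latest guidance: <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019">www.who.int</a></p>
<p>Verify your account: <a href="http://who.int.covid19-update.com/login">https://www.who.int/</a></p>
<p>Order test kits: <a href="https://wh0-int.com/cure">Click here</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


def host_of(url):
    u = urlsplit(url if "://" in url else "http://" + url)
    return (u.hostname or "").lower()


def registrable(host):
    # Simplification: the last two labels. Real code should use the Public Suffix List,
    # otherwise hosts such as "example.co.uk" are split wrongly.
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _squash(s):
    # Normalise the tricks used to build look-alike names: dropped dots and hyphens,
    # digit-for-letter substitutions.
    return s.replace(".", "").replace("-", "").replace("0", "o").replace("1", "l")


def lookalike_of(host):
    """Trusted domain that this host imitates, or None. Catches the trusted name used as a
    subdomain (who.int.example.com) and near-miss registrable domains (wh0-int.com)."""
    reg = registrable(host)
    if reg in TRUSTED:
        return None
    for t in TRUSTED:
        near = _squash(t)
        if t in host or levenshtein(_squash(reg), near) <= 1 \
                or levenshtein(_squash(reg.split(".")[0]), near) <= 1:
            return t
    return None


def assess_link(text, href):
    host, findings = host_of(href), []
    # If the visible text itself looks like a URL, it must agree with the real target.
    if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != host:
        findings.append("display text points to %s but link goes to %s" % (host_of(text), host))
    imitated = lookalike_of(host)
    if imitated:
        findings.append("%s imitates trusted domain %s" % (host, imitated))
    return {"href": href, "host": host, "findings": findings, "suspicious": bool(findings)}


def assess_email(html):
    return [assess_link(text, href) for text, href in extract_links(html)]


if __name__ == "__main__":
    for result in assess_email(SAMPLE_EMAIL):
        print(result["href"], "->", result["findings"] or "ok")
```

The first link passes because text and target agree and the registrable domain is on the trusted list; the second is flagged twice, for the text/target mismatch and for hiding "who.int" inside a subdomain of an unrelated registrable domain; the third is flagged only as a look-alike, since "Click here" makes no claim about the destination. Internationalised domain names that use homoglyphs from other scripts need a separate check (for example rejecting or decoding Punycode hosts), which this example does not cover.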
6 Conclusion
COVID-19 will change our lives for good, with new ways of working, new cyber security issues, new proposed strategies, personal hygiene, and so on. The fight against COVID-19 is not only for organizations, employees, or customers; it is a joint effort by everyone. Security standards have slipped because many organizations were not prepared to work remotely, and a rise in Cyber Crime has been observed as a result of the epidemic. With a little caution and due diligence we can protect our privacy and security. It is necessary to follow the safety protocols to stay safe from Cyber Crime, and it is advisable to lodge a complaint with the appropriate authority when it occurs. As discussed, computer forensics plays a critical role in the justice system as we keep integrating a range of technologies into our everyday lives. The relationship between computer forensic investigators and criminal justice agencies will keep growing so that the understanding between the two keeps improving. As this happens, the judicial system will become increasingly knowledgeable about evidentiary requirements, which means that computer forensic investigators will be better informed about the evidence that matters, ultimately reducing the amount of data that must be analysed. Likewise, cyber security specialists regularly use similar tools to examine network intrusions, not to convict the attacker but to see how the offender gained access and to close the gap. Data recovery firms depend on comparable tools to restore documents from storage media that have been accidentally damaged or reformatted. Since this coronavirus pandemic and the related Cyber Crime attacks affect people globally, the countermeasures should also be global. Recent Cyber Crime datasets and reports on any new type of Cyber Crime, such as cyber threat assessments and INTERPOL's COVID-19 analysis, must be circulated globally and on time.

Glossary
– Advanced Persistent Threat (APT): a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
– Cyber Criminals: individuals or teams of people who use technology to commit malicious activities on digital systems or networks with the intention of stealing sensitive company information or personal data and generating profit.
– DDoS: a distributed denial-of-service attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network.
– FBI: Federal Bureau of Investigation.
– INTERPOL: International Criminal Police Organization.
– Ransomware: malicious software that infects a computer and displays messages demanding a fee to be paid in order for the system to work again.
References
[1] World Health Organization. Coronavirus. Accessed 20 March 2020. https://www.who.int/health-topics/coronavirus
[2] Markotter, W. COVID-19: Why it matters that scientists continue their search for source of 'patient zero's' infection. Accessed 19 March 2020. https://www.up.ac.za/news/post2880755-covid-19-why-it-matters-that-scientists-continue-their-search-for-source-of-patient-zeros-infection
[3] World Health Organization. WHO Director-General's opening remarks at the media briefing on COVID-19, 11 March 2020. Accessed 20 March 2020. https://www.who.int/dg/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19---11-march-2020
[4] BBC News. Coronavirus: Fake News purveyor to help fight misinformation. Accessed 20 March 2020. https://www.bbc.com/news/uk-england-essex-51929424
[5] Hadnagy, C. 2018. Social Engineering: The Science of Human Hacking. Wiley, US.
[6] Smit, S. This is what Bill Gates had to say about epidemics, back in 2015. Accessed 20 March 2020. https://www.weforum.org/agenda/2020/03/bill-gates-epidemic-pandemic-preparedness-ebola-covid-19/
[7] Gates, B. TED2015, March 2015. The next outbreak? We're not ready. https://www.ted.com/talks/bill_gates_the_next_outbreak_we_re_not_ready?language=en
[8] Grossman, J. Corono.com domains registered. Accessed 20 March 2020. https://twitter.com/jeremiahg/status/1234612630880321537
[9] Trend Micro. Developing Story: Coronavirus Used in Malicious Campaigns. Accessed 20 March 2020. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
[10] Fowler, H., Duncan, C. Hackers made their own coronavirus map to spread malware, feds warn. Accessed 20 March 2020. https://www.miamiherald.com/news/nation-world/national/article241171546.html
[11] Trend Micro. Business email compromise (BEC). https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
[12] Ferre-Sadurni, L., McKinley, J. Alex Jones Is Told to Stop Selling Sham Anti-Coronavirus Toothpaste. Accessed 20 March 2020. https://www.nytimes.com/2020/03/13/nyregion/alex-jones-coronavirus-cure.html
[13] BBC News. Coronavirus: US man who stockpiled hand sanitiser probed for price gouging. Accessed 20 March 2020. https://www.bbc.com/news/world-us-canada-51909045
[14] Department for International Development. UK aid to tackle global spread of coronavirus 'fake news'. Accessed 20 March 2020. https://www.gov.uk/government/news/uk-aid-to-tackle-global-spread-of-coronavirus-fake-news
[15] BBC News. Coronavirus: Italy sees rapid spread of fake news. Accessed 20 March 2020. https://www.bbc.com/news/world-europe-51819624
[16] https://www.esafety.gov.au/parents/big-issues/unwanted-contact
[17] https://www.esafety.gov.au/key-issues/image-based-abuse/take-action/deal-with-sextortion
[18] Mercury News. 2020. 'Zoom-bombing' on the rise: Hijackers invade video conferences for work, school, FBI says. https://www.mercurynews.com/2020/03/31/coronavirus-zoom-bombing-hijackers-videoconferences/
[19] Chen, H., Chung, W., Qin, Y., Chau, M., Xu, J. J., Wang, G., Zheng, R., Atabakhsh, H. 2003. Crime data mining: An overview and case studies. Proceedings of the ACM International Conference, 130, 1–5.
[20] Brannon, S. K., Song, T. 2008. Computer forensics: Digital forensic analysis methodology. Computer Forensics Journal, 56(1), 1–8.
[21] Kleiman, D., Timothy, K., Cross, M. 2007. The Official CHFI Study Guide for Forensic Investigators.
[22] Shrivastava, G., Sharma, K., Khari, M., Zohora, S. E. 2018. Role of Cyber Security and Cyber Forensics in India. In: Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. (eds.) Handbook of Research on Network Forensics and Analysis Techniques. IGI Global, USA, 143–161.
[23] Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. (eds.) 2018. Handbook of Research on Network Forensics and Analysis Techniques. IGI Global, USA.
Sachil Kumar, Geetika Saxena
Biometric forensic tools for criminal investigation Abstract: In forensic science, biometrics has historically found its inevitable partner. From the development of Galton’s forensic dactyloscopy to the adoption of Automated Fingerprint Identification System (biometrics) in crime laboratories, forensic and biometric have been used in tandem as “Forensic Biometric” with alternative findings. Indeed, under the biometrics umbrella, several technologies have been developed that can be adapted to have a better impact on criminal investigations. Simultaneously, the implementation of the biometric algorithm can narrow down the list of problems and procedures faced in forensic science. Scientifically, combining of the two domains based on knowledge and technology can open the road for more possibilities in both areas, and significant benefit for the society. This chapter is designed to throw light on the wide applications of forensic biometrics tools within the criminal justice system. Keywords: biometric, biological, characteristic, multimodal, forensic, crime, justice, cyber, identification
Sachil Kumar, Department of Forensic Sciences, College of Criminal Justice, Naif Arab University for Security Sciences, Riyadh, Saudi Arabia, e-mail: [email protected] Geetika Saxena, Department of Forensic Sciences, College of Paramedical Sciences, Teerthanker Mahaveer University, Moradabad, Uttar Pradesh, India, e-mail: [email protected] https://doi.org/10.1515/9783110677478-005

1 Introduction

The word “biometrics” is derived from the Greek terms “bios” (life) and “metrics” (to measure). Biometrics simply means the “measurement of the human body.” It is the measurement and matching of biological characteristics related to human features, recorded and used as a method to verify one’s identity based on personal traits. Biometrics are generally classified into two main categories, i.e., behavioral and physiological [1, 2]. Any human behavioral or physiological characteristic can be accepted as a biometric provided it satisfies the criteria of [3]: universality, distinctiveness, persistence, collectability, consistency, acceptability, and circumvention. Biometrics is considered not only a more reliable way of authenticating and identifying a person but also a more convenient tool that does not require the person to carry a document like an identity card. As described by the AFB (Association for Biometrics), biometrics is a “measurable, distinct physical or personal characteristic to recognize an enrollee’s identity or to authenticate the claimed identity” [1]. In cybersecurity, biometric authentication (or realistic authentication) is a preferred channel to secure an individual’s personal information from hackers intent on fraud and identity theft. The scope of cybersecurity ranges from straightforward data recovery to the authentication of an individual’s questioned identity. Biometric authentication is an extension of cryptography, used to identify the vital information of an individual as well as to validate the physical and behavioral credentials of any individual required by law enforcement. Inevitably, biometrics is used to investigate an assortment of civil and criminal wrongdoing, including cyber terrorism, and for voice identification or digital registration in many countries [4]. Biometric analysis is often useful in those cases where a person must be identified from a large group of people under surveillance.

Biometrics is classified under two categories (Fig. 1) [2]:

– Physiological biometrics: linked to the static features of a human body that remain unchanged throughout an individual’s life. They can be either morphological or biological. Morphological biometrics comprises primarily fingerprint recognition (minutiae characteristics located on the surface of human fingertips), hand geometry recognition (unique pattern shapes of the hands, size of the palms, length and width of the fingers), vein pattern (vein pattern in the wrist and back of the hand), the eye (retina and iris patterns, which are unique), and face recognition (analysis of facial features and patterns). Medical teams and police forensics can use blood, urine, DNA, or saliva for biological analyses.
– Behavioral biometrics: relates to the person’s behavioral patterns. Patterns are dynamic and can change over time. The most common examples are voice recognition, signature recognition (how we write: the examination of pen movement, pen acceleration, pen pressure, pen inclination), keystroke dynamics (how we type on a machine), the way we use objects, the way we walk (gait), and so forth.

Both sets of biometrics are unique and independent of each other and, in some instances, may be used in tandem to ensure more validity and accuracy for an identification process, e.g., hybrid or multimodal biometrics [5]. In hybrid biometrics, both physiological and behavioral characteristics are used simultaneously to increase the accuracy and validity of biometric identification. Voice recognition is an example of hybrid biometrics as it is based on the size and shape of the vocal cords, the shape of the lips, the nasal/oral cavities, etc., and on the emotional status, age, and illness (behavior) of the individual [6]. Recent findings have demonstrated that biometrics is not limited to human identification, since certain biological traits are also present in animals, known as animal biometrics. Automated applications of computer vision assist zoologists to
Fig. 1: Types of biometrics.
identify individual African penguins and great white sharks without the need for manual labeling. The most notable work is being conducted by Kühl and Burghardt of Bristol University, who work on assigning complex biological “fingerprints” to distinguish one animal from another, which is useful in wildlife forensics to aid conservation [7]. A slight advance in animal biometrics came in 2006, when this technique was the first to identify individual African penguins on Robben Island, South Africa. Retinal vascular patterns, nose prints, DNA, and whale tail flukes are examples of the most widely used animal traits [8].

There is a close correlation between an individual and his/her biometric traits, since the biometric characteristics are innate to an entity. Biometrics may be considered as “real-time” automated recognition systems that capture and store a person’s biological data (for example, a fingerprint) using a sensor. The biometric data is processed, and a series of distinctive specific characteristics is extracted (for example, minutiae patterns). Such features are then matched to the stored templates (databank) to identify or authenticate the individual (match scores). Features stored in a databank (templates) are understood to be connected to a particular entity through an attribute, like an ID number or a name. Comparing the extracted features with the stored templates yields a score expressing the similarity between the two feature sets. This similarity analysis can therefore be employed to identify or authenticate a person.

In this chapter, the first section provides an overview of the modern cybersecurity-age concept called “biometrics,” the automated recognition of people solely based on their distinctive biological traits. The next section addresses the pragmatic applications of
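The pipeline just described (sensor capture, feature extraction, comparison against stored templates linked to an ID, a match score, and an identify-or-authenticate decision), as an added worked example that is not code from the chapter: a toy minutiae matcher over constructed templates, showing how the 1:1 verification and 1:N identification decisions are both drawn from the same similarity score. The databank, probe and threshold are constructed assumptions.

```python
"""Toy biometric recognition pipeline: enrolled templates, extracted features,
match score, and the 1:1 (verify) and 1:N (identify) decisions built on that score.

Added example; not code from the chapter. Minutiae are modelled as (x, y, angle)
triples and every template below is constructed toy data, not a real fingerprint.
"""
import math
from typing import Dict, List, Optional, Tuple

Minutia = Tuple[float, float, float]   # x, y (pixels) and ridge direction (degrees)
Template = List[Minutia]

# Constructed databank: each template is linked to an identity attribute (an ID string),
# the "attribute, like an ID number or a name" that ties a template to an entity.
DATABANK: Dict[str, Template] = {
    "ID-1001": [(10, 20, 30), (40, 25, 95), (60, 70, 180), (25, 80, 260), (80, 15, 45)],
    "ID-1002": [(12, 60, 10), (50, 50, 120), (70, 20, 200), (30, 30, 300), (90, 90, 75)],
    "ID-1003": [(5, 5, 0), (35, 45, 60), (65, 65, 135), (85, 35, 225), (20, 95, 315)],
}

# Constructed probe: a fresh capture of ID-1001's finger. Sensor noise shifts each
# minutia by a pixel or two, one enrolled minutia was not detected, and one spurious
# minutia (95, 95, 10) was picked up from a smudge.
PROBE: Template = [(11, 21, 35), (39, 26, 90), (61, 69, 175), (24, 82, 265), (95, 95, 10)]

DECISION_THRESHOLD = 0.6   # operating point: trades false matches against false non-matches


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two directions given in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(probe: Template, template: Template,
                dist_tol: float = 5.0, angle_tol: float = 15.0) -> float:
    """Similarity between two feature sets, in [0, 1].

    Greedily pairs each probe minutia with the nearest unused template minutia lying
    within dist_tol pixels and angle_tol degrees (one-to-one pairing, so a cluster of
    probe points cannot all claim the same template point). The score is the number of
    pairs divided by the size of the larger set, so missed and spurious minutiae both
    lower it.
    """
    if not probe or not template:
        return 0.0
    unused = list(template)
    pairs = 0
    for px, py, pa in probe:
        best_i, best_d = -1, dist_tol
        for i, (tx, ty, ta) in enumerate(unused):
            d = math.hypot(px - tx, py - ty)
            if d <= best_d and angle_diff(pa, ta) <= angle_tol:
                best_i, best_d = i, d
        if best_i >= 0:
            unused.pop(best_i)
            pairs += 1
    return pairs / max(len(probe), len(template))


def verify(claimed_id: str, probe: Template,
           threshold: float = DECISION_THRESHOLD) -> Tuple[bool, float]:
    """1:1 authentication: the probe is compared only with the claimed identity's template."""
    score = match_score(probe, DATABANK[claimed_id])
    return score >= threshold, score


def identify(probe: Template,
             threshold: float = DECISION_THRESHOLD) -> Tuple[Optional[str], List[Tuple[float, str]]]:
    """1:N identification: score the probe against every template; return the top identity
    if its score clears the threshold (None otherwise) plus the full ranking, which is the
    candidate list an examiner would review."""
    ranked = sorted(((match_score(probe, t), i) for i, t in DATABANK.items()), reverse=True)
    best_score, best_id = ranked[0]
    return (best_id if best_score >= threshold else None), ranked


if __name__ == "__main__":
    print("verify as ID-1001:", verify("ID-1001", PROBE))   # genuine claim
    print("verify as ID-1002:", verify("ID-1002", PROBE))   # impostor claim
    print("identify:", identify(PROBE))
```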
biometrics, which are expeditiously extending from border and immigration control to recognizing perpetrators and to time and attendance in managing the workforce. Historical benchmarks in the evolution of biometrics out of forensic science, and their adoption in law enforcement as well as in other recognition applications, are discussed in the third section. The fourth section provides a practical approach to the acquisition and processing of biometric data in real-world forensic cases, together with a short discussion of the similarities and differences between forensics and biometrics. The fifth section discusses certain applications where biometric concepts are effectively used in forensics to address crucial law enforcement problems. The remaining sections give a holistic perspective on the in-depth workings of the different unique biometric features, together with their potential need in forensic science.
2 Where are biometrics used?

Biometric authentication (a higher-security process for establishing human identity), human identification, and human identity verification through unique biometric traits are more secure than the traditional forms of multifactor authentication [9]. Biometric usage is diversified worldwide by its multivariate uses. Previously, applications utilizing biometric technologies were adopted by officials for military and government access management and for civil or criminal identification, under a tightly controlled technological and legal context. Numerous businesses consider biometrics to apply only to governmental use, but will soon discover that biometric usage goes well beyond government-only use. Biometrics are now almost everywhere: for example, in defense, airport security, border control, time and attendance, law enforcement and public security, transaction authentication, single sign-on, civil identity and population registration, shopping, healthcare and subsidies, e-commerce, mobile, surveillance, and so on [10]. Commercially, and most notably, over the past seven years, the recognition and acceptance of biometrics have been revolutionized since faces or fingerprints were first used for personal security by millions of smartphone users, e.g., the Apple iPhone [5]. As people in a highly networked environment are more interactive, the task of correctly identifying people is becoming ever more crucial and demanding. Failure to properly identify people can have serious consequences for society, ranging from terror attacks to fraudulent activity, where people lose access to their financial accounts and other private details. The two main drivers behind the advent of biometric technologies are strengthening national security and reducing financial crime. There has been rapid adoption of biometrics across a wide range of domain-specific applications over the last two decades.

Biometric technology is, indubitably, now having a major impact on society. Biometrics, for instance, tend to
play an important part in law enforcement, as an investigation tool for narrowing the long list of suspects and also as scientific evidence in courts. Biometrics is now a natural tool for identification systems across the globe, particularly in developed nations, where numerous individuals are without identification documents (also known as IDs, a piece of identification, or informally as papers) to validate who they are. India’s first fingerprint-enabled biometric identity program was introduced in 2010 by the UIDAI (Unique Identification Authority of India) as a proof of identity for Indian citizens. Aadhaar is a 12-digit unique identification number generated using specific demographic data (such as name, age, sex, and residential address) and biometric markers (fingerprints and iris scan) of a person. Aadhaar’s random-number design makes it different from other national ID systems, in which particular digits encode gender, birth date, and so on, and this biometric identification program is used in India by almost every sector, from security to securing financial transactions [11]. Biometrics is transforming the way people travel by strengthening network security and enabling efficient border-crossing technologies. The 9/11 terrorist attack was an eye-opener for the US government, prompting it to introduce a non-breachable biometric-based national identity marker to secure its international borders and transportation system. For consumer electronics, every major manufacturer of mobile devices has already introduced, or is in the process of implementing, biometric-based identification and authentication for handset protection and mobile banking (including mWallet and mobile financial services).
3 Historical development of biometrics

Owing to substantial developments in computer processing, automated biometric technologies have only become possible in recent years. However, all these technologies are centered on ideas that were first developed hundreds of years ago [11]. Face recognition is one of the first and most popular examples of a biometric feature used to identify individuals. This simple task became exceedingly difficult as populations grew and as more accessible transportation brought many more individuals into previously small societies. In a cave estimated to be not less than 31,000 years old, the walls are decorated with drawings assumed to have been crafted by the ancient people living there. Surrounding these works are many fingerprints that are believed to have “served as an iconic trademark” of their maker. There is also evidence that fingerprints were used as an individual’s mark as early as 500 BC in the Babylonian empire, where Babylonians pressed their fingerprints into clay tablets as part of their business financial records. Since the second century BC, friction ridge impressions were already used to authenticate seals with a fingerprint as well as for an individual’s identity
and business transactions by the Chinese emperor Ts’In [12]. In early Egyptian history, merchants were recognized by their physical descriptors to distinguish trustworthy traders with proven credibility and prior successful payments from those new to the business. Unsurprisingly, the emergence of biometric identification systems correlated with advances in many closely related fields in the 1960s, such as artificial intelligence, image processing, and pattern recognition, which significantly contributed to the identification and analysis of biometric patterns [13]. Nevertheless, the event that really triggered the widespread use of biometric attributes was the promulgation of the habitual offender legislation in the United Kingdom in 1869 [14]. Under this statute, it was mandatory to register every convict’s entry together with a detailed personal and offence history, so that repeat offenders, who faced heavier punishments, could be distinguished from first-time offenders. The UK Home Office Committee explained the need for such differentiation as follows [15]: to classify the records of habitual criminals on the data received relating to the prisoner’s person (measurements, marks, or photographs) and, if such particulars were registered previously, to establish identification. The first comprehensive study of handprints as a signature was undertaken in 1858 by the British India civil servant Sir William Herschel, who made each local Indian businessman sign contracts with his fingerprints, making it easier to trace those who defaulted. Furthermore, since many Indians were uneducated, this practice helped them understand the binding nature of the contract [16]. Josh Ellenbogen and Nitzan Lebovic claimed that biometrics originated in the criminal identification systems outlined by Alphonse Bertillon and in the fingerprint and physiognomy theory of Francis Galton [17].

However, the Bertillon method lacked precision, was difficult to apply consistently (making it vulnerable to error), and, even when applied accurately, the measured values were not sufficiently distinctive to classify people unambiguously. It was soon dropped in favor of a much easier and more reliable approach involving manual comparison of human fingerprints. This was achieved through the ground-breaking efforts of Henry Faulds, Francis Galton, and William Herschel, who studied the distinctive feature configurations in a fingerprint ridge pattern, like minutia points [18]. Fingerprint cataloguing goes back to 1881, when Juan Vucetich began collecting fingerprints from offenders in Argentina [16]. In 1905, fingerprints were admitted for the first time as proof of identity in a British court trial. In 1924, Congress authorized the U.S. Department of Justice to acquire fingerprints of criminals together with a detailed arrest history, the first step toward the development of a fingerprint recognition program by the FBI (Federal Bureau of Investigation). Initially, fingerprints were collected using a 10-print card, which was later superseded by a semi-automated fingerprint identification system (AFIS) in the late 1970s.
Meanwhile, in 1936, the iris pattern was proposed as a unique pattern for personal identification by the ophthalmologist Frank Burch [19]. The development of automated systems for human identification goes back to the early 1960s, with semi-automated facial recognition, or “man-machine facial recognition,” which required administrators to carry out the step known as feature extraction. This system was constructed by Woody Bledsoe, a leader in automatic reasoning, later referred to as artificial intelligence. The very first model of acoustic speaker recognition was also produced in 1960, by the Swedish professor Gunnar Fant, who used his findings to understand the role of the biological components of speech, a crucial concept in speaker recognition [20]. The very first known research paper on biometrics was published in Nature by Trauring [21] in 1963, although the paper refers only to “Automated Personal Identification” (API). The use of the word “biometric” in this sense began only in 1981, when an article in the New York Times referred to the term “biometric.” The very first signature recognition system was established by North American Aviation in 1965. In 1966, Luck presented a research paper in which he used “cepstral coefficients” as fundamental features in speaker recognition, and cepstral coefficients are still used in almost all speaker identification systems as a highly significant feature [22]. The FBI started its drive in 1969 to establish a method for automating its fingerprint identification process, which had become daunting and required many man-hours. The University of Georgia in 1974 started to use hand geometry as automated biometrics for its dormitory food service areas. Furthermore, Dr. John Daugman of Cambridge University introduced iris recognition technology in 1980, and the first retinal scanning systems for secure access were used by the U.S. Department of Defense at the Naval Postgraduate School in 1985 [20].

In the 1990s, the advent of digital signal processing in computer science led to a revolution in biometric technology. In 1998, CODIS (Combined DNA Index System), a system of DNA profile indexes, was established by the FBI. CODIS combines DNA and computer technologies into a powerful tool for linking crimes, allowing local and state forensic laboratories to digitally share and match profiles, linking violent crimes with each other and with known perpetrators [23]. In 2001, Kelly A. Gates described 9/11 as a crucial discourse for the emergence of automatic facial recognition as a security technology [24]. In 2010, the U.S. national security apparatus used biometrics for terrorist recognition: a Guantánamo Bay detention camp (also known as GITMO) suspect was positively matched by a fingerprint from evidence collected at the alleged 9/11 planning site, and many fingerprints were collected from objects recovered at other sites connected with 9/11. In 2011, the Central Intelligence Agency used DNA alongside facial recognition technology (biometrics) to identify Osama bin Laden’s remains with 95% certainty. In 2013, Apple released its first “Touch ID” as an embedded fingerprint-enabled biometric recognition technology for its consumer smartphones, such as the iPhone 5s. In Touch ID, a contact sensor is used to scan and evaluate subepidermal layers of skin to identify the distinctive minutiae pattern of individual fingerprints, enabling users to protect their fingerprint details as well as to make secure online payments and purchases of various applications from Apple’s digital media stores [23].

The above discussion illustrates that the history of biometric identification is embedded in the domains of forensic science and law enforcement, where “recognition” includes the detection of suspects [25]. The theorist David Lyon has demonstrated that, in the last few years, biometric systems have not only taken control of commercial markets but also distorted the connection between the government and corporate control structures [15].
4 Biometrics within forensic science

The adjective “forensic” is derived from the Latin term forēnsis, which means “of or before the forum.” In the Roman period, a criminal charge meant that the issue was debated in the forum before a jury of public persons. Both the accuser and the individual accused of the offence made statements giving their version of the case, and the outcome was decided in favor of the person with the better argument and presentation: the individual with the strongest forensic knowledge and experience would effectively win. This origin is the source of the two modern uses of the term “forensic”: as a form of legal evidence and as a category of public presentation [26]. The modern meaning of forensics, which entered the English vocabulary in 1659, is now confined to legal and police investigation. In a broad sense, the term “forensic science” is closely associated with those civil and criminal proceedings in which evidence is scientifically evaluated and analyzed to solve cases. Forensic science refers to the principles and the scientific interpretation of the technical methods used in the investigation of crime, with the purpose of proving that a crime was committed and exposing the identity of the offender(s) and their modus operandi [27]. Forensics is based on Locard’s principle of exchange, which specifies that “a contact between two objects always leaves its footprint as a mutual exchange.” This principle was explained in detail in the book Crime Investigation: Physical Evidence and the Police Laboratory, which states [28]:

“Wherever he goes, whatever he strikes, whatever he leaves, even unintentionally, works against him as a mute witness. Not just his footprints or his handprints, but also his hair, the fabric of his clothing, the glass that he breaks, the weapon that he uses, the paint that he scratches, the semen or blood that he scatters or gathers. All of this, and much more, bear silent witness against him. This is proof that has not been overlooked. It is not confused by the excitement of the moment. It is not absent as there are human witnesses. This is factual evidence. Physical proof cannot perjure itself; it cannot be completely missing. Only human inability to locate, test, and understand it will lessen its worth.”
Forensic biometrics may be described as the scientific discipline in which biometric technologies are employed within the criminal justice system. Forensic science, coupled with robust biometric databases, is a valuable resource in the hands of law enforcement authorities. Several sources of impression evidence, like fingerprints, shoe impressions, tool marks, tire marks, and handwriting [29], are frequently used as evidence in notable forensic investigations, along with other evidence like voice and face. One of the primary goals of forensic examination is to link the evidence (e.g., the fingerprint) to its possible source (e.g., the individual). In the framework of an investigation, if a finger mark is considered relevant to the crime, the next question is: what is the origin of this evidence, that is, who or what created this finger mark? In formal forensic examination, there are at least three possible results of the evidence analysis:

a) Individualization: the finger mark is attributed to one person; among the entire earth’s population no two people have the same fingerprint, not even identical twins, whose fingerprint patterns also differ.
b) Inconclusive: it cannot be determined whether the questioned finger mark shares an origin with the known person.
c) Exclusion: the finger mark certainly did not come from the identified person.

However, the contemporary model relies on the strength of the evidence in favor of one of a pair of propositions [30]:

a) H1: the finger mark under examination has the same source of origin (the perpetrator); and
b) H2: the finger mark under examination has another source of origin.

So, both forensic science and biometrics attempt to connect biological data (impression evidence) to a specific person. There have been many criminal cases that involve the use of biometrics.
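The contemporary model weighs the evidence for H1 against H2 rather than declaring individualization or exclusion outright. As an added example that is not from the chapter, the following computes that weight as a likelihood ratio from constructed same-source and different-source calibration scores and maps it to an illustrative verbal scale; the score samples and the verbal banding are assumptions made for the example.

```python
"""Evidence strength for the two propositions H1 (same source) and H2 (different source)
expressed as a likelihood ratio computed from comparison scores.

Added example; not code from the chapter. The calibration scores below are constructed
toy values standing in for the scores a matcher produces on comparisons whose ground truth
is known; a real laboratory would use thousands of such comparisons.
"""
from typing import Sequence

# Constructed calibration sets of match scores in [0, 1].
SAME_SOURCE = [0.92, 0.88, 0.95, 0.81, 0.90, 0.77, 0.86, 0.93, 0.84, 0.89, 0.72, 0.97]  # H1 true
DIFF_SOURCE = [0.05, 0.12, 0.20, 0.08, 0.31, 0.15, 0.02, 0.27, 0.10, 0.18, 0.40, 0.06]  # H2 true

N_BINS = 10   # histogram resolution for the density estimate


def bin_index(score: float, n_bins: int = N_BINS) -> int:
    """Bin of a score in [0, 1]. The small epsilon keeps a score that sits exactly on a
    bin edge from dropping into the lower bin when score * n_bins evaluates a hair
    below an integer in floating point."""
    score = min(max(score, 0.0), 1.0)
    return min(int(score * n_bins + 1e-9), n_bins - 1)


def density(samples: Sequence[float], score: float, n_bins: int = N_BINS,
            smoothing: float = 1.0) -> float:
    """Estimate p(score | H) from calibration samples with a smoothed histogram.

    Laplace smoothing gives every bin a small non-zero probability, so a score that no
    calibration sample fell into yields a finite, cautious LR instead of 0 or infinity.
    """
    target = bin_index(score, n_bins)
    count = sum(1 for s in samples if bin_index(s, n_bins) == target)
    bin_width = 1.0 / n_bins
    return (count + smoothing) / ((len(samples) + smoothing * n_bins) * bin_width)


def likelihood_ratio(score: float,
                     same: Sequence[float] = SAME_SOURCE,
                     diff: Sequence[float] = DIFF_SOURCE) -> float:
    """LR = p(score | H1) / p(score | H2). LR > 1 supports H1, LR < 1 supports H2,
    LR = 1 is neutral. Only the LR is reported; the prior odds belong to the court."""
    return density(same, score) / density(diff, score)


def verbal_equivalent(lr: float) -> str:
    """Illustrative verbal scale for an LR. The banding is an assumption chosen for
    this example; laboratories publish their own scales."""
    if lr == 1.0:
        return "neutral: the score supports neither proposition"
    favoured = "H1 (same source)" if lr > 1.0 else "H2 (different source)"
    magnitude = lr if lr > 1.0 else 1.0 / lr
    if magnitude < 10:
        strength = "weak"
    elif magnitude < 100:
        strength = "moderate"
    elif magnitude < 1000:
        strength = "moderately strong"
    elif magnitude < 10000:
        strength = "strong"
    else:
        strength = "very strong"
    return f"{strength} support for {favoured}"


def evaluate(score: float) -> dict:
    """Evaluate one questioned comparison score against both propositions."""
    lr = likelihood_ratio(score)
    return {"score": score, "lr": lr, "verbal": verbal_equivalent(lr)}


if __name__ == "__main__":
    # A high score, a score in the gap where no calibration data exists, and a low score.
    for s in (0.90, 0.50, 0.10):
        print(evaluate(s))
```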
These cases may not have been solved by forensic science alone; biometrics helped to profile and identify suspects and point the authorities in the right direction. Let us look at some famous criminal cases solved by forensic biometrics [24]:

– Ted Bundy (serial killer): bite mark as a biometric marker. Ted Bundy, a notorious serial murderer, was a charming, gregarious man charged with 30-plus murders between 1964 and 1978. At the time of his first arrest, no strong physical evidence was found against him, and after his first conviction in Utah in 1976 on charges of abduction, Bundy managed to flee following his extradition to Colorado on charges of murder and headed to Florida in 1978, where he murdered three more people. Bundy was finally arrested for driving a stolen vehicle. During this horrifying homicide investigation, investigators observed that one victim
had bite marks on her left buttock and breast. Matching these bite marks with Bundy’s “bite pattern,” forensic odontologists established a conclusive correlation, and for the first time someone was found guilty and sentenced to death by electric chair on the grounds of forensic biometric analysis.
– The Lindbergh kidnapping: the kidnapper’s handwriting as a biometric marker. Charles Lindbergh Jr., the 20-month-old child of the renowned airman, was abducted for money on March 1, 1932. Despite payment of the ransom, the child never returned home, and more than two months later his body was discovered with a smashed skull near the Lindbergh home. Forensic reports said that the child had died two months earlier, probably on the same night he was abducted. The offender left behind his three-piece wooden ladder, a chisel from his toolbox, and a handwritten ransom note demanding $50,000. Tracing the ransom bills led officials to Bruno Hauptmann. Hauptmann was found guilty on the grounds of the handwriting characteristics (including Germanic syntax and oddly misspelt words) in the 14 ransom notes. Moreover, forensic investigators discovered that the timber in Hauptmann’s attic and the timber used in the improvised ladder to reach the victim’s bedroom window had the same origin. In 1936, Hauptmann was convicted and executed.

From the early 1980s to the present, there have been many cases in which biometrics, used together with forensic science, aided the accurate identification of the perpetrator. Despite sharing the same objective, forensics and biometrics differ as follows:

– Forensic science is applied in the aftermath of criminal events and is usually used to reconstruct past crime scene incidents using a hypothetico-deductive approach. Biometrics, by contrast, is used before an incident happens.
– The sort of evidence that will be used to detain the offender cannot be determined in advance of a forensic investigation. This contrasts with biometric systems, where the biological characteristics used for identification are known beforehand.
– In contrast to a fully automated biometric system, forensics predominantly involves the manual collection and examination of evidence.
– Forensic investigation findings must also be conveyed verbally to a court, so in forensics verbal reasoning is key. By contrast, biometric recognition needs no verbal justification: its result is the numerical “score” that the automated system routinely uses to declare a match.
– Erroneous decisions in forensic investigations mean that the evidence from the scene of the crime cannot be linked with confidence to a specific person. A biometric system, however, can gather supplemental samples of a biometric trait (a behavioral or physical characteristic) from a person to make a “match/no-match” decision.
– In biometrics, recognition decisions are rendered in real time and, thus, computing efficiency is crucial in biometric applications. Forensics, however, does not require real-time recognition.
5 Biometrics for forensic science

Biometric and forensic researchers have been independently engaged in their research over the last few years. Recently, however, there has been growing interest in utilizing automated biometrics to tackle the issues experienced by forensic investigators. Two examples of this sort are described below: sketch-to-photo matching and automated tattoo image matching. In both instances, biometric recognition may be employed as an investigative method to effectively narrow down the list of offenders.
5.1 Face photo-sketch comparison

Facial composites are commonly utilized by enforcement agencies to better recognize perpetrators involved in a crime where there is no visual picture of a suspect from the scene of the crime (e.g., due to a lack of security cameras). If somebody witnesses a crime being committed, a forensic artist in most instances uses the visual image of the perpetrator given by the witness to create a sketch. Following the creation of a composite of a suspect’s face, the officials publicize the composite, hoping that somebody will identify the person and furnish information leading to the capture and conviction. Many offenders have been detained after being recognized by residents from these sketches [31]. Facial composites are especially meaningful when victim or eyewitness descriptions are the only available evidence [29]. Sadly, this approach is inefficient and does not utilize all accessible resources, especially the mugshot identification databanks managed by security services. Effective methods for automatically and efficiently matching face composites to police mugshot databases would make it easier to arrest criminals. Such an approach can also help artists and witnesses to modify the sketch interactively [32]. There are three specific types of facial composites used in enforcement agencies:

1. Hand-drawn sketches: sketches created by forensic experts on the basis of verbal descriptions given by witnesses or victims.
2. Software-generated sketches: sketches generated by forensic investigators utilizing software like IDENTI-KIT and E-FIT, based on verbal descriptions given by witnesses or victims. Such software kits enable the user to choose specific facial components [33].
3. Surveillance sketches: sketches made by forensic experts based on low-resolution surveillance images. These are employed in situations where commercial off-the-shelf (COTS) face-recognition systems fail because of inadequate illumination, off-shelf images, occlusion, and so on.
Notwithstanding the method used to create the sketch, the quality of the resultant sketch relies primarily on the precision of the information given by the eyewitness or victim and on the abilities of the operator/artist. Considering the serious nature of the offences perpetrated by the offenders represented in forensic sketches – such as homicide, kidnapping, sexual harassment, and robbery – the inability to apprehend them effectively has significant implications. Improving forensic sketch recognition would significantly enhance public safety. Under the wide umbrella of biometrics, a modern approach has become popular for the identification of perpetrators via forensic sketches: the drawing is transformed into a digital image and automatically compared with, and matched against, the mugshot gallery and other face images in the databank to determine a match. This automated approach can provide a vital tool for officials looking to capture criminals rapidly and accurately.
5.2 Automated tattoo image matching
Among the many soft biometric characteristics, tattoos in particular have been used effectively to help distinguish individuals in criminal investigations, because the pigments are so deeply embedded in the skin that even serious burns or other injuries often do not erase them. Tattoos have been used to identify victims of terror attacks such as 9/11 and of catastrophes such as the 2004 Boxing Day tsunami [34, 35]. Thus, tattoo images, where available, may be used to recognize both victims and perpetrators. Although a tattoo is not a unique identifier, it nonetheless narrows the list of potential perpetrators. For thousands of years, people have used tattoos as a mark that distinguishes them from others [36]. Tattoos may also carry hidden information about the perpetrator’s background, such as membership of a gang or a criminal organization, prior arrests, years spent in prison, and so on. According to the January 2012 Harris Poll, the prevalence of tattoos among adults in the United States has risen significantly: more than one in five adults (21%) have at least one tattoo, up from 16% when the same poll was conducted in 2003 [37]. Security agencies consistently capture and catalogue tattoo designs for the recognition of perpetrators and victims.
The prevailing practice for matching tattoos relies on keyword matching. For example, law enforcement officers typically follow the ANSI/NIST-ITL 1-2011 standard to assign a specific keyword to each tattoo image in the databank. The ANSI/NIST-ITL 1-2011 specification defines 8 major classes (i.e., animal, object, human, flag, plant, symbol, abstract, and other) and 70 subclasses (e.g., cat, male face, national symbols, American flag, narcotics, figure, wording, and fire) for tattoo categorization [38]. A tattoo image search therefore typically consists of matching the class label of a query tattoo against the labels of the tattoos in the databank. This approach to tattoo matching and retrieval (by ANSI/NIST class label) is vulnerable to inaccuracies owing to the limited vocabulary and the subjective nature of labelling [39]. These limitations of keyword-based tattoo image retrieval have driven the emergence of other methods to improve the ability to identify and match tattoos. In the last few years, a variety of innovative approaches in computer vision and machine learning have contributed to remarkable success in fields such as image-based object recognition and facial recognition. Jain et al. introduced CBIR (content-based image retrieval) techniques to simplify and improve the efficiency of image retrieval. The idea is to describe a tattoo’s visual content in terms of simple low-level attributes (such as shape, texture, and color) extracted with the scale-invariant feature transform (SIFT). These features can then be used to represent and match images without any textual keywords [40]. Automated tattoo recognition technologies have been presented clearly in the biometrics literature [39]. Such technologies illustrate how biometrics (i.e., “automated recognition”) can be incorporated into law enforcement and forensic investigations (that is, “investigation after the occurrence of the event”).
6 Biometric forensic tools for criminal investigation
For the benefit of society, the use of biometric algorithms in forensic and law enforcement investigations is pertinent both to automate forensic analysis and to increase crime detection rates. Furthermore, the scientific validation of many forensic services (finger marks, tool marks, etc.) is a major challenge for forensic professionals. The 2009 report of the National Academy of Sciences on strengthening forensic science in the United States noted that claimed interpretations of forensic evidence are routinely and severely compromised by a lack of empirical research data and quality standards [41]. The report further points out: “Except DNA fingerprinting, other methods of forensic science have been rigorously lacking in consistency, the high degree of certainty to establish a strong link between evidence and its source or particular offender”. There are many cases in which scientifically interpreted empirical evidence has been overruled by an experienced forensic practitioner. Although professional expertise, commitment, and experience are essential when practicing forensic science, they must eventually be embedded in a research context that balances “subject information” with “empirical facts.” Forensic science still lacks such a scientific ethos, and there is insufficient observational evidence from systematic trials to support the views of forensic scientists. Besides DNA, other forensic evidence (e.g., bite marks and hair) has often been taken to yield consistent results on repetition and hence to count as scientific evidence, and these findings are widely accepted by the forensic community without additional supporting information being required [41, 42]. Thornton & Peterson [43] pointedly observed: “It is interesting that certain fields of forensic science which have clear underlying evidence provide more modest claims of individualization, whereas others restricted to descriptive or impressionistic evidence provide the strongest assertions, often of utter certainty.” This is a good opportunity for biometric specialists to build a partnership with forensic scientists and data analysts to organize vast forensic databases (e.g., of finger marks) and to test the efficiency and legitimacy of automated forensic analysis tools, thereby addressing the problems mentioned above. Aside from this, there are strategic circumstances in which the combination of the two fields (biometrics and forensic science) can jointly address law enforcement problems of high significance. Forensic biometrics can thus be understood as individual-based automated biometric methods used to evaluate and interpret biometric data for various forensic applications. A few operational applications are discussed below.
6.1 DNA biometrics
DNA is rapidly becoming useful for biometric purposes and is widely used in health care and forensics [44]. In recent years, the use of DNA in criminal investigations has grown significantly. It has allowed law enforcement to identify offenders and to resolve serious crimes more effectively. Current DNA identification technologies based on short tandem repeats (STRs), or simple sequence repeats, have been in use in the criminal justice system since 1998. The loci selected for STR typing (usually 13 or more) are not linked to any known genetic trait but vary from individual to individual. A feature of DNA identification that is unique among biometric characteristics is the ability to infer familial relationships. By comparing STRs, DNA technologies can deny or confirm blood relationships, an incredibly useful capability in contexts such as missing-child and counter-human-trafficking cases, paternity testing, disaster victim identification, airport and border security, and military intelligence [45].
The United Kingdom National DNA Database (NDNAD) was established in 1995 using the SGM (Second-Generation Multiplex) profiling method. Since 1998, the SGMPlus methodology has been used for DNA profiling; it comprises eight CODIS loci (TH01, D8S1179, FGA, D16S539, D3S1358, D18S51, VWA, and D21S11), two additional markers, D19S433 and D2S1338, and the AMELX locus [29]. However, since July 24, 2014, samples have been profiled with the DNA-17 profiling technique (kits of 17 STR loci plus a gender identifier) [46]. The Combined DNA Index System (CODIS), a system of DNA profile indexes, was established by the FBI in 1990 [46]. CODIS combines DNA and computational technology into a powerful tool for linking crimes. It allows local and state forensic laboratories to share and match profiles digitally, linking violent crimes with each other and with known perpetrators. CODIS-based identifications rely on STRs distributed across the human genome and on statistics used to measure the prevalence of a given profile in the population. Similarly, CODIS requires mitochondrial DNA (mtDNA) data to be added to the missing-person-related indexes. Forensic DNA databases are currently in operation in approximately 69 countries, and others are being expanded or developed in at least 34 further nations [47]. The biggest DNA databases are in China (approximately more than 8 million individual DNA profiles,
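As an added worked example, not code from the chapter or from any real DNA database system, the following Python sketch shows the three operations the STR discussion above describes: a CODIS/NDNAD-style full or partial profile match, the Mendelian parent-child check that underlies kinship inference, and the standard product-rule estimate of how common a profile is in a population. The locus names come from the text; the allele frequencies and the profiles are constructed for illustration.

```python
from typing import Dict, Tuple

# Constructed example data: locus names are real SGMPlus/CODIS loci named in
# the text, but the allele frequencies and profiles below are invented for
# illustration and do not describe any real population or person.
ALLELE_FREQ: Dict[str, Dict[float, float]] = {
    "TH01":    {6: 0.23, 7: 0.19, 8: 0.11, 9: 0.14, 9.3: 0.30},
    "D8S1179": {10: 0.09, 11: 0.06, 12: 0.14, 13: 0.33, 14: 0.20, 15: 0.11},
    "VWA":     {14: 0.10, 15: 0.11, 16: 0.20, 17: 0.27, 18: 0.22, 19: 0.09},
}
Profile = Dict[str, Tuple[float, float]]  # locus -> (allele, allele)

CRIME_SCENE: Profile = {"TH01": (9.3, 6), "D8S1179": (13, 12), "VWA": (17, 17)}
PARTIAL_SCENE: Profile = {"TH01": (9.3, 6), "D8S1179": (13, 12)}  # degraded sample
SUSPECT: Profile = {"TH01": (6, 9.3), "D8S1179": (12, 13), "VWA": (17, 17)}
OTHER: Profile = {"TH01": (7, 8), "D8S1179": (13, 13), "VWA": (16, 18)}
CHILD: Profile = {"TH01": (9.3, 7), "D8S1179": (13, 10), "VWA": (17, 15)}

def normalise(profile: Profile) -> Profile:
    """Genotype calls are unordered: (13, 12) and (12, 13) are the same."""
    return {locus: tuple(sorted(alleles)) for locus, alleles in profile.items()}

def profiles_match(query: Profile, candidate: Profile) -> bool:
    """Database-style search: identical alleles at every locus typed in both.
    A partial (degraded) query can still match on the loci it does have."""
    q, c = normalise(query), normalise(candidate)
    shared = set(q) & set(c)
    return bool(shared) and all(q[locus] == c[locus] for locus in shared)

def parent_child_consistent(parent: Profile, child: Profile) -> bool:
    """Kinship check: a child carries one allele per locus from each parent,
    so a true parent shares at least one allele with the child at every
    compared locus. A single locus with no shared allele excludes them."""
    p, c = normalise(parent), normalise(child)
    return all(set(p[locus]) & set(c[locus]) for locus in set(p) & set(c))

def random_match_probability(profile: Profile, freqs=ALLELE_FREQ) -> float:
    """Standard product-rule estimate of how common a profile is: p^2 for a
    homozygote, 2pq for a heterozygote, multiplied over independent loci."""
    rmp = 1.0
    for locus, (a, b) in normalise(profile).items():
        fa, fb = freqs[locus][a], freqs[locus][b]
        rmp *= fa * fa if a == b else 2 * fa * fb
    return rmp

if __name__ == "__main__":
    print("scene vs suspect:", profiles_match(CRIME_SCENE, SUSPECT))
    print("suspect parent of child:", parent_child_consistent(SUSPECT, CHILD))
    print("profile frequency about 1 in %.0f" % (1 / random_match_probability(SUSPECT)))
```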