Multimedia Forensics is not Computer Forensics
Rainer Böhme†, Felix Freiling‡, Thomas Gloe†, Matthias Kirchner†
†Technische Universität Dresden ‡Universität Mannheim
International Workshop on Computational Forensics 2009 (IWCF’09)
The Hague · 2009/8/14
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 2 of 24
Multimedia forensics
A science to assess the authenticity of digital media objects
manipulation detection and source device identification based on
- artifacts of processing operations: resampling · copy & paste · inconsistent lighting · double compression
- characteristics of the source device, e.g. digital camera
[Figure: image acquisition in a digital camera: scene → lens → filter (R/G/G/B) → sensor → color interpolation → post-processing → digital image. Device characteristics marked along the chain: lens distortion, CFA layout, hot pixels, sensor noise, interpolation scheme, quantization table.]
Multimedia forensics: Examples
- digital camera identification based on sensor noise
- copy & paste detection
By the way, what is computer forensics?
Computer forensics
[Figure: bit patterns shown with a 5 × 5 block of pixel values.]
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
Digital forensics: proposed ontology
[Figure: tree diagram. forensics splits into digital forensics (digital evidence) and analog forensics (physical evidence); digital forensics splits into computer forensics and multimedia forensics. Digital evidence, drawn as a matrix of bits, is a finite sequence of discrete and perfectly observable symbols. Labels beneath the branches, left to right: perfect crime possible · compete for the best model · perfect crime impossible.]
WARNING!
The following slides intentionally draw a very black-and-white picture
Computer forensics ≠ Multimedia forensics
computer forensics
- digital evidence is not linked to the outside world
multimedia forensics
- digital evidence is linked to the outside world
[Figure: for each of the two fields, physical evidence shown beside digital evidence (bit string 10111 0 0 1).]
Computer forensics: A closer look
[Figure: reality; digital data → processing; suspicious traces?]
- digital evidence is stored in the finite automaton each computer represents
- number of states in a closed system is finite
- non-negligible chance that a computer is left in a state which perfectly erases all traces
Multimedia forensics: A closer look
[Figure: sensor → digital media object → processing; questions asked of the object: original? source (device)?]
- sensors capture parts of the reality and transform them into digital representations
- reality is incognizable: ultimate knowledge whether a piece of digital media reflects reality or not cannot exist
- multimedia forensics = empirical science
Sensors: A source of uncertainty
- projection of reality to discrete symbols means a dimensionality reduction
- multimedia forensics has to cope with an additional source of uncertainty
- what kind of common post-processing is legitimate / tolerable?
[Figure: degrees of freedom]
Models: Yet another dimensionality reduction
- models make projection of reality to discrete symbols tractable with formal methods
- typical models in multimedia forensics:
  - sensor noise follows a Gaussian distribution
  - connected regions of identical pixel values are unlikely to occur in original images
[Figure: projection to a 1-dimensional variable p]
- models of reality function as yet another dimensionality reduction
- quality of forensic methods depends on the quality of the employed model!
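The two models named on this slide, carried through as an added example that is not from the talk or its authors: a copy & paste detector that relies on "identical pixel regions are unlikely in originals" and projects each image to one score p. The images, block size and threshold are constructed for illustration; the overexposed image is an untouched picture that violates the model.

```python
import random

BLOCK = 4  # side length of the compared pixel blocks (assumed value)


def sensor_image(width, height, seed, saturated_rows=0):
    """Constructed stand-in for a camera image: a smooth scene plus Gaussian
    sensor noise, quantized and clipped to 8 bits. The top `saturated_rows`
    rows imitate an overexposed sky that clips to 255."""
    rng = random.Random(seed)
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            scene = 400 if y < saturated_rows else 60 + 2 * x + y
            row.append(max(0, min(255, round(scene + rng.gauss(0, 3)))))
        img.append(row)
    return img


def copy_paste(img, src, dst, size):
    """Return a copy of img in which the size x size region at src=(x, y)
    has been pasted at dst=(x, y)."""
    out = [row[:] for row in img]
    (sx, sy), (dx, dy) = src, dst
    for j in range(size):
        out[dy + j][dx:dx + size] = img[sy + j][sx:sx + size]
    return out


def duplicated_blocks(img, ignore_clipped=False):
    """Positions of BLOCK x BLOCK blocks whose exact content also occurs at a
    second, non-overlapping position."""
    height, width = len(img), len(img[0])
    groups = {}
    for y in range(height - BLOCK + 1):
        for x in range(width - BLOCK + 1):
            key = tuple(tuple(img[y + j][x:x + BLOCK]) for j in range(BLOCK))
            if ignore_clipped and all(v in (0, 255) for r in key for v in r):
                continue  # refined model: clipped areas are legitimately flat
            groups.setdefault(key, []).append((x, y))
    hits = set()
    for positions in groups.values():
        for (x1, y1) in positions:
            if any(max(abs(x1 - x2), abs(y1 - y2)) >= BLOCK
                   for (x2, y2) in positions):
                hits.add((x1, y1))
    return hits


def score(img, ignore_clipped=False):
    """Projection of the whole image to the 1-dimensional variable p:
    the fraction of block positions that have an exact duplicate."""
    total = (len(img) - BLOCK + 1) * (len(img[0]) - BLOCK + 1)
    return len(duplicated_blocks(img, ignore_clipped)) / total


def looks_tampered(img, threshold=0.01, ignore_clipped=False):
    """Decision on the 1-dimensional variable; the threshold is an assumption."""
    return score(img, ignore_clipped) > threshold


if __name__ == "__main__":
    original = sensor_image(32, 24, seed=1)
    forged = copy_paste(original, src=(2, 2), dst=(20, 14), size=8)
    overexposed = sensor_image(32, 24, seed=2, saturated_rows=8)
    samples = [("original", original), ("forged", forged),
               ("overexposed", overexposed)]
    for name, img in samples:
        print(name, round(score(img), 3), looks_tampered(img),
              looks_tampered(img, ignore_clipped=True))
```

Run as a script, it prints p and both decisions per image: the untouched overexposed image is flagged under the first model and cleared once clipped blocks are excluded, while the pasted region stays detected.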
Outline
1 Multimedia forensics and computer forensics
2 Multimedia forensics is not computer forensics
3 Counter-forensics
4 And how does this all relate to practice?
Digital forensics: proposed ontology
[Figure: tree diagram. forensics splits into digital forensics (digital evidence) and analog forensics (physical evidence); digital forensics splits into computer forensics and multimedia forensics. Digital evidence is drawn as a matrix of bits. Added annotation: forgeability ≙ counter-forensics. Labels beneath the branches, left to right: perfect crime possible · compete for the best model · perfect crime impossible.]
"physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent"
Kirk (1953)
Counter-forensics: Computer forensics
[Figure: state diagram with the transitions "leave traces", "eliminate traces" and "preemptively avoid traces" between valid state, invalid state and valid state.]
- valid states are perfectly known or can be recorded before
- virtualization in a larger system
Counter-forensics: Multimedia forensics
leavetraces
eliminatetraces
preemptivelyavoid traces
valid state invalid state valid state
valid states are perfectly knownor can be recorded before
and cannot be recorded before
virtualization in a larger system
invalidity depends onthe model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 18 of 24
![Page 50: Multimedia Forensics is not Computer Forensicsws.binghamton.edu/kirchner/papers/2009_IWCF_slides.pdf · Multimedia Forensics is not Computer Forensics Rainer Bohme¨ y, Felix Freilingz,](https://reader031.fdocuments.us/reader031/viewer/2022021520/5b8626067f8b9a9a4d8c3a37/html5/thumbnails/50.jpg)
Counter-forensics: Multimedia forensics
leave traces
eliminate traces
preemptively avoid traces
valid state · invalid state · valid state
valid states are not perfectly known or can be recorded before
and cannot be recorded before
virtualization in a larger system is not possible
invalidity depends on the model of reality
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 18 of 24
Digital forensics: proposed ontology
forensics
  digital forensics
    computer forensics
    multimedia forensics
  analog forensics
digital evidence · physical evidence
forgeability ≙ counter-forensics
perfect crime possible
compete for the best model
perfect crime impossible
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 19 of 24
Computer forensics in a broader sense
• computers interact with their environment
physical evidence · digital evidence
• computers can be part of a network
• computers can be sensors themselves
• computers leave physical evidence
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 21 of 24
(Finally) A more practical view
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 22 of 24
Concluding remarks
• forensic examinations include techniques from a variety of forensic sciences
• important differences in the underlying assumptions between different methods are blurred by practice
• in particular: digital evidence ≠ digital evidence (≠ physical evidence):
  ◦ digital evidence in computer forensics is not linked to the outside world whereas in multimedia forensics it is
  ◦ affects the reliability of forensic methods
• future work: rigorous probabilistic modeling
reality is ultimately incognizable, but your comments will help to gain a more comprehensive view on it
The Hague, 2009/8/14 Multimedia Forensics is not Computer Forensics slide 23 of 24
Thanks for your attention
Questions?
Rainer Böhme†, Felix Freiling‡, Thomas Gloe†, Matthias Kirchner†
†Technische Universität Dresden ‡Universität Mannheim
Matthias Kirchner gratefully receives a doctorate scholarship from Deutsche Telekom Stiftung, Bonn, Germany.
Image sources
• Iranian missile test (4) http://www.spiegel.de
• hard drive (6) http://commons.wikimedia.org/wiki/File:Open_hard-drive.jpg
• floppy disk (11,17) http://commons.wikimedia.org/wiki/GNOME_Desktop_icons
• core memory (11) http://commons.wikimedia.org/wiki/File:KL_CoreMemory.jpg
• multimedia (12,18) http://commons.wikimedia.org/wiki/GNOME_Desktop_icons
• fingerprints (22) http://www.lanl.gov/news/albums/chemistry/fingerprint.jpg
• handcuffs (22) http://commons.wikimedia.org/wiki/File:Handcuffs01_2003-06-02.jpg