Takahiro Haruyama, who is well known for bringing the power of Volatility to EnScript land, made a great revision to my Timeline EnScript by adding MFT FileName Attribute parsing to it! He’s published the update on his blog. This really makes the script much more versatile and I think forensics practitioners will love the update. Right now the script only outputs the info to the HTML view, but over the next few weeks I’ll try to find some time to push it into all the output formats and give everyone an update. Great work Haruyama, thanks for adding this much needed functionality!
NYC4SEC held a great Meetup on Wednesday to discuss image analysis and photo forensics… “Thanksgiving Meet-up: Let’s carve some data!” Professor Nasir Memon from NYU Poly came to give us some expert insight into the latest techniques in photo forensics. Before I give an overview of his talk, let me just say that NYC4SEC has been the best thing to happen to the NYC forensics community in the 4.5 years I’ve been here in the city. I’ve met a lot of great people working in our field through this Meetup group, some that I knew via email and message boards beforehand and some new. It’s also nice to see the students from John Jay’s computer forensics program coming to the Meetup to learn and meet industry experts.
Dr. Memon is a brilliant guy; in the past he served on the JPEG standard design committee which you can imagine leads to some very relevant experience for photo forensics. He gave us an overview of how SmartCarving works in Adroit Photo Forensics, a tool he helped design (which is awesome!). This wasn’t a sales pitch, though. He explained how the photo fragments are located and reassembled. This was interesting, but not as interesting as the work he’s done matching digital photos to their source. Memon went through all the various artifacts that digital photo capture devices leave behind. Every digital camera has physical imperfections in its hardware that leave a trail. Ballistics experts match a bullet to a gun by firing new bullets and comparing them to those left at crime scenes. In much the same way, photo experts can link a digital photo to a camera by taking new photos with that camera and comparing the noise patterns. There are two things that could be useful with this technique. (1) Creating a catalog of patterns from different types of cameras – the problem here is that sometimes different manufacturers use the same parts in their cameras. (2) Seizing a digital camera at a crime scene and being able to prove, definitively, that it took the pictures in question. It’s more than just a match to a Make and Model – it’s like DNA for cameras! The final item that Dr. Memon discussed was the ability to detect image manipulation in an automated fashion. This plays off the same basic theory of matching a camera to a photo. Basically he can detect if a portion of a photo has different noise patterns and then discern that pieces of the photo are not original, but doctored or added.
The NYC4SEC Meetups just keep getting better! We had a great turnout and I hope to see more industry professionals at the next one!