Thursday, December 3, 2009

Exif Data in Digital Images

Ever wondered when a digital photograph was taken, or by what camera, or even where it was taken? Did you know that you could answer a lot of these questions by looking at the digital photograph? I do not mean by looking at the pictorial image itself, but rather at the data attached to such a digital picture. This data is referred to as Exif data, short for Exchangeable Image File Format, an image file format used by digital cameras and camera-equipped cellular phones. Without getting into the entire history of this technology, suffice it to say it was invented in Japan in 1998 and is widely used throughout the digital image industry.

How can it be used forensically?

The first step you would have to take is to search the internet for a good Exif Reader. There are several and they are usually a free utility to download. They are also easy to navigate through and use.
Next, direct your utility to open the digital image in question.

This is just some of the information you could obtain very easily. If you look closely you can see not only a thumbnail preview of the image but also some very interesting data, such as:
* The make and model of the camera.
* The date and time the image was taken.

And even whether a flash was used by the camera. If the image was taken using a cellular phone, for example a Blackberry Curve 8310, this information would be stored in the image as well. This information follows the image from download to download, and barring the use of a metadata-wiping utility to remove the Exif data, it will stay with the image. By now you are probably seeing the value of such data.
* Let's say you are examining a computer with child porn images and you locate digital images of the bad guy's daughter. You can use this utility to identify which camera or phone was used to take the image. That device can then be examined.

GPS?

Yes, GPS tagging is being built into more and more digital devices. You simply take the longitude and latitude coordinates obtained from the Exif reader and place them into a mapping utility, such as Google Maps, and it will tell you where the photograph was taken.
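As an added illustration (example code written for this post, not a tool from the original), here is a minimal Exif reader in Python that does what the utility above does under the hood: it finds the APP1 "Exif" segment in a JPEG, walks the TIFF directory structure inside it, and pulls out the fields discussed above: make, model, date/time, whether the flash fired, and the GPS coordinates converted to the decimal degrees a mapping site expects. It handles both Intel and Motorola byte orders. The JPEG it runs on is constructed inside the block; the make/model strings, timestamp and coordinates are sample values, not taken from any real photo.

```python
"""Minimal Exif reader plus a constructed sample JPEG to exercise it. Example code
added to this post; tag numbers and the IFD layout follow the Exif/TIFF spec."""
import struct

# Tags for the fields the post mentions (IFD0, Exif sub-IFD, GPS sub-IFD)
TAGS = {0x010F: "Make", 0x0110: "Model", 0x8769: "ExifIFD", 0x8825: "GPSIFD",
        0x9003: "DateTimeOriginal", 0x9209: "Flash"}
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL

def _decode(typ, count, data, end):
    """Turn the raw bytes of one IFD entry into a Python value."""
    if typ == 2:                                   # ASCII, NUL-terminated
        return data.rstrip(b"\0").decode("ascii", "replace")
    if typ in (3, 4):                              # SHORT / LONG
        vals = struct.unpack(end + ("H" if typ == 3 else "I") * count, data)
    elif typ == 5:                                 # RATIONAL: numerator/denominator pairs
        nums = struct.unpack(end + "I" * (2 * count), data)
        vals = tuple(zip(nums[0::2], nums[1::2]))
    else:
        return data
    return vals[0] if count == 1 else vals

def _read_ifd(tiff, offset, end, names):
    """Walk one IFD at `offset` in the TIFF blob and return {name: value}."""
    out = {}
    n = struct.unpack_from(end + "H", tiff, offset)[0]
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(end + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * count
        # Values of 4 bytes or fewer sit inline (left-justified); bigger values
        # live elsewhere and the 4-byte field holds their offset.
        if size <= 4:
            data = raw[:size]
        else:
            off = struct.unpack(end + "I", raw)[0]
            data = tiff[off:off + size]
        if tag in names:
            out[names[tag]] = _decode(typ, count, data, end)
    return out

def read_exif(jpeg):
    """Find the APP1 'Exif' segment of a JPEG and return its decoded tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:                       # start of scan: no metadata beyond
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            break
        pos += 2 + length
    if tiff is None:
        return {}                                  # stripped, or never written
    end = "<" if tiff[:2] == b"II" else ">"        # TIFF header byte-order mark
    tags = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end, TAGS)
    if "ExifIFD" in tags:                          # follow the sub-IFD pointers
        tags.update(_read_ifd(tiff, tags.pop("ExifIFD"), end, TAGS))
    if "GPSIFD" in tags:
        tags.update(_read_ifd(tiff, tags.pop("GPSIFD"), end, GPS_TAGS))
    return tags

def gps_to_decimal(dms, ref):
    """(deg, min, sec) rationals plus N/S/E/W ref -> signed decimal degrees."""
    d, m, s = (n / den for n, den in dms)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value

# ---- constructed sample JPEG (little-endian TIFF, no image data) ----
def _ifd_size(entries):
    return 2 + 12 * len(entries) + 4 + sum(len(d) for *_, d in entries if len(d) > 4)
def _build_ifd(entries, base):
    """Serialise (tag, type, count, data) entries as an IFD at absolute offset `base`."""
    head, tail = struct.pack("<H", len(entries)), b""
    data_off = base + 2 + 12 * len(entries) + 4
    for tag, typ, count, data in sorted(entries):
        if len(data) <= 4:
            head += struct.pack("<HHI", tag, typ, count) + data.ljust(4, b"\0")
        else:
            head += struct.pack("<HHII", tag, typ, count, data_off + len(tail))
            tail += data
    return head + struct.pack("<I", 0) + tail      # 0 = no next IFD

def build_sample_jpeg():
    """Sample values only (not from a real photo): phone make/model plus a GPS fix."""
    rat = lambda *v: struct.pack("<" + "I" * len(v), *v)
    exif = [(0x9003, 2, 20, b"2009:12:03 14:22:10\0"),
            (0x9209, 3, 1, struct.pack("<H", 1))]                    # bit 0 set: flash fired
    gps = [(1, 2, 2, b"N\0"), (2, 5, 3, rat(40, 1, 45, 1, 0, 1)),    # 40 deg 45' 0" N
           (3, 2, 2, b"W\0"), (4, 5, 3, rat(73, 1, 58, 1, 30, 1))]   # 73 deg 58' 30" W
    ifd0 = [(0x010F, 2, 19, b"Research In Motion\0"), (0x0110, 2, 16, b"BlackBerry 8310\0")]
    ptr = [(0x8769, 4, 1, b"\0" * 4), (0x8825, 4, 1, b"\0" * 4)]   # placeholders for sizing
    exif_off = 8 + _ifd_size(ifd0 + ptr)
    gps_off = exif_off + _ifd_size(exif)
    ifd0 += [(0x8769, 4, 1, struct.pack("<I", exif_off)), (0x8825, 4, 1, struct.pack("<I", gps_off))]
    tiff = (b"II*\0" + struct.pack("<I", 8) + _build_ifd(ifd0, 8)
            + _build_ifd(exif, exif_off) + _build_ifd(gps, gps_off))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

To use it on an evidence image, call `read_exif(open(path, "rb").read())` and feed the GPS entries through `gps_to_decimal`; the resulting "40.750000, -73.975000" style pair is what you paste into a mapping site. An empty dictionary is itself a finding: the file carries no Exif segment, either because it was stripped or because the image was re-saved by software that drops it. Note that nothing in Exif is authenticated, so a timestamp or camera model is a lead to corroborate against the device, not proof on its own.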

Just another tool to add to your growing arsenal.


Wednesday, December 2, 2009

Child Pornography caused by a Virus?

So you seize a computer because of suspected child pornography and you find it stuffed in every corner of the hard drive. Case closed. Matter resolved. Bad guy goes to jail. Move on to next case. Right? Not so fast. This guy is adamant that he did not download these images. Things just aren't adding up. So what could have happened? Is it possible that a virus has implanted itself on the bad guy's computer and caused it to surreptitiously download child pornography? The simple answer is, well, yes!!

In a 2007 case from Massachusetts a workers compensation investigator had several child porn images discovered on his work computer. He was fired and spent the next 11 months trying to rebuild his reputation and life. It was later determined that a virus found on his computer was responsible for constantly searching 40 separate child pornography sites for new images/videos every minute. This could not be done by physically searching for the items. A virus had performed this feat. It was also determined that the person who had infected his computer could access his computer and actually store his child porn images on this poor guys work computer.

I realize that storing illegal images on another person's computer has its limitations. The computer must be online. The user of the machine that stores the images may delete them. And there is still a digital trace between the two machines. (An experienced examiner would be able to find this connection.) That being said, viruses that download child porn are very rare. It is more probable that a user would be redirected to a child porn site while looking for a legitimate adult porn site.

WHAT CAN BE DONE?


If you have a case where you suspect that a virus may be involved, what can you do? Here are some tips for your investigation:

* Determine whether the owner was even using the computer at the time of the download.
* Determine whether more than one image was downloaded at a time.
* Were images downloaded or cached because the user was redirected from an adult porn site?
* Check the antivirus on the computer: has it been updated recently?
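As an added worked example (not part of the original post), here are the first two checks above expressed as timeline logic in Python: comparing the creation times of the suspect files against interactive logon sessions, and looking for files that appeared faster than a person clicking links could produce them. The session and file timestamps are constructed sample data standing in for what an event-log parser and a file-system timeline would export; the thresholds are assumptions to tune per case.

```python
"""Timeline checks for the "a virus did it" claim. Example code added to this
post; SESSIONS and DOWNLOADS are constructed sample data, not case data."""
from datetime import datetime, timedelta

# Constructed sample: interactive logon sessions (start, end) from the event
# log, and creation timestamps of the suspect image files from the file system.
SESSIONS = [
    (datetime(2009, 12, 1, 8, 5), datetime(2009, 12, 1, 17, 10)),
    (datetime(2009, 12, 2, 7, 58), datetime(2009, 12, 2, 12, 30)),
]
DOWNLOADS = [
    ("pic01.jpg", datetime(2009, 12, 1, 9, 14, 2)),    # during a session
    ("pic02.jpg", datetime(2009, 12, 1, 23, 41, 0)),   # nobody logged on
    ("pic03.jpg", datetime(2009, 12, 1, 23, 41, 1)),
    ("pic04.jpg", datetime(2009, 12, 1, 23, 41, 1)),
    ("pic05.jpg", datetime(2009, 12, 1, 23, 41, 3)),
    ("pic06.jpg", datetime(2009, 12, 2, 10, 2, 45)),   # during a session
]

def outside_sessions(downloads, sessions):
    """Tip 1: files that appeared while no user was interactively logged on."""
    return [name for name, t in downloads
            if not any(start <= t <= end for start, end in sessions)]

def find_bursts(downloads, window=timedelta(seconds=5), min_files=3):
    """Tip 2: runs of files created within `window` of the previous one.
    Several files per second is machine speed, not someone clicking links."""
    if not downloads:
        return []
    ordered = sorted(downloads, key=lambda d: d[1])
    bursts, current = [], [ordered[0]]
    for item in ordered[1:]:
        if item[1] - current[-1][1] <= window:
            current.append(item)
            continue
        if len(current) >= min_files:
            bursts.append([name for name, _ in current])
        current = [item]
    if len(current) >= min_files:
        bursts.append([name for name, _ in current])
    return bursts

def triage(downloads, sessions):
    """Combine both checks: files that are both unattended and part of a burst
    are the ones worth correlating with antivirus logs and network traces."""
    unattended = set(outside_sessions(downloads, sessions))
    in_burst = {name for burst in find_bursts(downloads) for name in burst}
    return sorted(unattended & in_burst)

if __name__ == "__main__":
    print("created with no user logged on:", outside_sessions(DOWNLOADS, SESSIONS))
    print("machine-speed bursts:", find_bursts(DOWNLOADS))
    print("both:", triage(DOWNLOADS, SESSIONS))
```

Neither flag proves anything by itself: a scheduled download or a browser restoring tabs can also create files in a burst, and clock skew between the event log and file system timestamps has to be accounted for. What the output gives you is a short list of files whose creation times deserve a closer look alongside the antivirus history and browser cache.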

Now these are not the only tricks to use, but it's a place to start. More and more defendants are using the "a virus invaded my computer" defense, and in the large majority of cases they are wrong. But I hope this gives you a little "heads-up" on this possibility.

Thursday, November 5, 2009

Project-a-Phone ICD 5200 with Reporting Software - An Ideal addition to any digital forensics lab!

Project-a-Phone

PATCtech recognizes that there is no single utility in cell phone forensics that will capture everything you need off of every phone. That's where the Project-a-Phone ICD 5200 fills the void! With this device, investigators and forensic examiners are able to manually navigate a phone and record what they see. This device can be used as a stand-alone solution for capturing evidence off of handheld devices, or used to accentuate the findings from other utilities by displaying them in court in real time right from the phone, or with a graphical report that is generated by the included reporting software, an ideal addition to any digital forensics lab!

Project-a-Phone ICD 5200 with Reporting Software is used both for cell phone forensics and for live presentation displays of handheld devices. The ICD-5200 Image Capture and Display system uses a USB connection to link to a computer, where the basic software lets you capture screen shots and video clips or display the image on a computer monitor. The new case reporting software lets the investigator combine information about the case and phone with collected screen shots and video captures to create a case report in .pdf, .html, or .rtf (rich text) format.

Request a Quote for Project-a-Phone, or other Utilities >>
View all Forensic Utilities offered by PATCtech >>
View sample report created by Project-a-Phone Reporting Software >>

Wednesday, October 21, 2009

CelleBrite Announces the Launch of UFED Physical Pro

October 12, 2009

CelleBrite Ltd. announces the UFED Physical Pro, an upgrade module to its ubiquitous UFED (Universal Forensic Extraction Device) family of products. The UFED Physical Pro expands on the already robust logical extraction feature set found in the UFED to add the capability to extract deleted data and user passwords located in phone memory.

The UFED Physical Pro’s unique capability to provide deeper, more invasive access to mobile phone memory is the latest innovation for CelleBrite’s UFED system currently in use by law enforcement and security agencies worldwide. With an add-on module that can be deployed to any UFED device, existing UFED users can easily upgrade their systems with this latest functionality. With over 5,000 UFED units already deployed and in use, this represents a significant upgrade in capabilities for the current user base, as well as new opportunities for first-time users.

“This innovative advancement enables the UFED to remove evidence from a phone that was never available through logical extraction. Cellebrite is extremely proud to offer the law enforcement community and anti-terror organizations the most advanced technology and most comprehensive solution on the market to protect our country as well as our families,” said Adi Ofrat, CEO of Cellebrite USA Corp.

Utilizing CelleBrite UFED’s user friendly and field-proven user interface, a complete high-speed hex dump of the phone memory is acquired without the need of cumbersome PC drivers. The flash memory of the phone is imaged as a binary file, which is decoded with the Physical Analyzer PC software tool. Critical data such as user lock codes and deleted information such as text messages, call history, pictures, and video are retrieved, sorted, and decoded by CelleBrite’s Physical Pro engine. The UFED Physical Analyzer also includes robust search tools for manual hex dump analysis, as well as an expert mode which allows advanced capabilities for researchers. Extracted data is presented in clear concise reports which can be used for intelligence gathering, investigative research, and legal evidence in court.

Features include:

  • Access to deleted data (ex: deleted call history, text messages, pictures, phonebook entries, and videos)

  • On board password extraction with no PC required for field use (450+ models)

  • Open Source Plug-In support: author, collaborate on, and utilize custom search and value parsing algorithms

  • Intelligent string finder

  • Built-in knowledge-base of each phone’s memory structure for automated retrieval, decoding, and translation of critical data

  • Hierarchical “tree” view for efficient and fast navigation

  • Advanced search capabilities both for novice and expert users

  • Customizable search, parsing, and report functions

  • Proprietary, forensically sound bootloaders for most supported devices

  • Deep access to data inaccessible by logical methods

  • Handset security or PIN lock code

  • Access to deep internal memory

  • Phone internal data (ex. IMSI history, past SIM cards used, past user lock code history where supported)

For more information, visit www.ufedsystem.com.

Wednesday, October 7, 2009

Homeland Security to Hire Up to 1K Cyber Experts

SOURCE: InsideTech.com

WASHINGTON – The Obama administration has given a green light to the Homeland Security Department to be more competitive and choosy as it hires up to 1,000 new cyber experts over the next three years, the first major personnel move to fulfill its vow to bolster security of the nation’s computer networks.


The announcement follows a wave of cyber attacks on federal agencies, including a July assault that knocked government Web sites off the Internet and earlier intrusions into the country’s electrical grid.

Homeland Security Secretary Janet Napolitano, who made the announcement on Thursday, said the hiring plan reflects the Obama administration’s commitment to improving cyber security. The move gives DHS officials far greater flexibility to hire whom they want, outside of more stringent federal guidelines. And it will also allow more latitude in pay.

As a result, Napolitano told an audience of cyber industry professionals, the new rules “will allow us to be competitive with you all” in luring quality applicants.

Much of the funding already has been budgeted, but DHS also is working with Congress for more money. Officials refused to say how much money the program would represent.

The hiring push also underscores the administration’s ongoing struggle to better organize and manage the country’s vulnerable digital defense. President Barack Obama vowed in February to tackle cyber issues, but still has not named a cyber coordinator, a job that experts say will be difficult to fill.

Napolitano said her department does not anticipate filling all 1,000 positions, which will include cyber analysts, developers and engineers who can detect, investigate and deter cyber attacks.


The secretary’s announcement marked the start of National Cybersecurity Awareness Month, which reflects the White House goal to draw more public attention to the need for everyday computer users to exercise more diligence in protecting their online security.

In other comments, Deputy Defense Secretary William Lynn said the Pentagon expects to make decisions in the coming weeks on whether to relax restrictions on the use of external computer flash drives and social media Web sites by members of the military and department employees.

The Pentagon banned the use of flash drives last November because of a virus threat officials detected on Defense Department networks.

Sunday, September 20, 2009

Have you been hacked?

In keeping with the hacking theme of a recent post, I wanted to address one of the most famous yet difficult-to-investigate and difficult-to-prove types of crimes out there: Hacking. I regularly hear the statement “Someone hacked my computer”. As soon as I hear this, the wheels in my brain start to spin. I start to ask myself what was on their computer system that someone else wanted. And to be honest, the answer is nothing. The average hacker is not going to go after one computer system to gain access to one credit card or one bank account. Instead they are going to go after computers that have thousands of credit cards and bank account information. And to be more bluntly honest, most of the time it is a misdiagnosis. No one hacked the person’s computer; instead they have a virus, or malware. And while those can be very troublesome, they are not a “hack”.

Now, after listing all of the issues and errors associated with hacking incidents, does that mean that I should leave my wireless network unsecured? And the answer is ABSOLUTELY NOT! Just because your machine was not hacked as the target, does not mean that a hacker isn’t going to use your machine as a launch pad for his attack on a bigger target. A good hacker (OK, even beginner hackers) is not going to hack from their own network; they are going to use a different network to host their activity. And lastly, I am not saying that encrypting your network makes it impossible for someone to get into your network. Encrypting it only makes one more hurdle for the hacker to overcome. All you want to do is make your network harder to get into than the other networks around you. That way the hacker avoids yours to save time, and uses the wide open network at your neighbor’s house.

Wednesday, September 16, 2009

Susteen Releases New Cell Phone Forensics Utility: Secure View 2 with svProbe

Secure View 2 with svProbe

IRVINE, Calif., September 9, 2009 – Susteen, Inc. today announced Secure View 2 with svProbe, a comprehensive forensic solution that enables law enforcement and corporate security consultants to acquire, analyze, and report data from cell phones. This software release is a step up from Susteen’s leading Secure View for Forensics and the first cell phone data acquisition solution to incorporate a true analytical tool set, namely svProbe, which significantly automates, speeds up, and reveals critical data during the investigation phase.

svProbe offers unique functionality not currently included in any competing offering on the market:

  • Data Discovery and Bookmarking – search data for relevant information with ease and bookmark results for quick and painless access during the investigation process.

  • Link Graph – establish interdependencies between received calls, dialed numbers, and sent/received SMS and MMS.

  • Activity Map – snapshot of the cell phone activity volume within a predefined timeframe to identify how and when the cell phone has been used.

  • Prime Number report – determine the phone number with the most activity within the cell phone report, and display the specific activity associated with that number.

The Secure View 2 also enables investigators to merge multiple reports generated from diverse cell phone forensic solutions into one report. No need to browse through different formats – Secure View 2 will aggregate the necessary data into a central location.

The Secure View 2 builds upon the existing strengths of the Secure View for Forensics including but not limited to, wide phone support (over 2,000 phones supported), OS agnostic solution (Windows Mobile, iPhone, Blackberry, Symbian, or proprietary operational systems), software ease-of-use and reliability, and data validation by means of HASH signature.

“Our product strategy to innovate in the newly emerged cell phone forensics field brought to the market the first ever data acquisition tool with analytical capability. Secure View 2 with svProbe fills in the missing link in an investigation process, which is data analysis. It empowers the investigators to make inferences of cell phone use besides mere data acquisition and reporting”, said Sonny Farinas, Director of World Wide Sales of Susteen.

For more information about Secure View 2 with svProbe visit Susteen online at www.mobileforensics.com and/or visit PATCtech.com for a complete list of cell phone forensics solutions.


About Susteen, Inc.

Susteen, Inc. is an international design solution provider, specializing in the area of data communications and mobile computing. Susteen strives to enhance data communications through multi-level applications, and to develop products that provide convenience to the client through technological innovations. Susteen's vision is to ascend to the position of worldwide dominant player in the seamless data management software industry through the ongoing enhancement of product quality and complete satisfaction of the stakeholders involved. Susteen is based in Irvine, California.