Digital Photograph Forensic Evidence Information Technology Essay


This paper provides an overview of the forensic significance and legal implications of digital photography. Digital photography serves as a powerful, efficient tool for law enforcement. The ability to take a picture and instantly view and distribute it helps officials in their efforts to serve and protect their communities. Law enforcement agencies have recognized the benefits of photography in criminal investigations for many years. Photography is incorporated in crime prevention activities through surveillance and security cameras, and during investigations it documents physical evidence, an integral part of the case for prosecution. Photographs can be extremely valuable evidence. The proper inspection and accurate documentation of the crime scene is the most important initial step in any investigation. The notes, photos, and sketches generated to document the scene and the discovered evidence serve as an aid and ready reference throughout the investigation. Images that are destined for use in a court of law must be obtained and processed using carefully documented procedures if they are to be allowed as evidence. The documentation typically includes the name of the photographer, the date the image was obtained, the names of anyone who had access to the image before it was introduced in court, the names of anyone who enhanced or altered the image, and the details of any enhancement procedures. Digital photography plays a key role as part of legal evidence, but there are reasons to challenge digital photographs as evidence. Digital photography has flaws that must be detected carefully; otherwise the evidence cannot be taken as reliable. We discuss some of the issues that have arisen in practice and some of the tools used to extract details from digital photographs.

Table of Contents

1 Introduction
1.1 Digital photography
1.2 Advantages of Digital Photography
1.3 Altering of digital image
2 Overview of digital image forensics
2.1 The Problem with Photographs
2.2 Manipulation of Evidence
2.3 EXIF
3 Relevant Forensic Techniques
3.1 Imaging
3.2 Hashing
3.3 Carving
3.4 Identity Resolution
4 Current Tools
4.1 EnCase
4.2 FTK
4.3 Sleuthkit
4.4 PyFlag
Conclusion
Bibliography

1 Introduction

Pictures persuade people powerfully. Photos communicate more convincingly than words alone by evoking an emotional and cognitive arousal that the same information, without the pictures, does not. A picture is a more effective conveyor of information than its verbal and written counterparts alone, in that the communication of its message occurs in less time, requires less mental effort on the part of the observer, incites less counterargument, and creates more confidence in the conclusions it proffers. This paper will explore the use of photography by forensic examiners as a means of identification. (Carrier, 2006)

1.1 Digital photography

Digital photographs exist only as digital data. Unlike conventional photographs, no film or paper is employed in their capture or storage. Although they may ultimately be displayed in printed form, it is not necessary to do so: they can just as easily be displayed on a monitor screen, and there need never be an analog representation of the scene or image. (Farid, 2004)

1.2 Advantages of Digital Photography

There are many advantages to using digital photographs as opposed to traditional 35 mm film. Digital cameras produce instant images, allowing the photographer to view the images and instantaneously decide whether the photographs are adequate without the delay of waiting for the film and prints to be processed. Digital photography does not require outside developing or reproduction. Furthermore, digital photographs are easily stored, do not take up additional physical space and can be widely disseminated electronically with virtually no time delay. (Farid, 2004)

1.3 Altering of digital image

Many photographers make use of digital imaging technology specifically because the image is manipulable; examples include NASA scientists enhancing images transmitted from satellites, or a commercial photographer removing unwanted elements from an advertisement. Because digital data consists only of numbers, information may readily be added, removed, or replaced. Any such corruption of the original data is likely to occur in one of three contexts: it may be accidental, it may be intentional but innocent, or it may be fraudulent. Accidental alteration might result from a variety of causes; for example, a magnetic disk on which data is stored might be placed too near a powerful magnetic field (such as that generated by some computer monitors). The effects of accidental alteration are likely to be catastrophic, and it is difficult to imagine what evidentiary problems could follow beyond those commonly raised by destroyed documents. (Farid, 2004)

Intentionally manipulated images, however, are another matter. There are a number of commercially available software packages which allow the user to remove elements from an image, rearrange the elements of an image, or add elements to an image. Even subtle details such as color, contrast, light, and shadow may be adjusted. A photographer or editor might want to manipulate an image for an innocent reason; National Geographic magazine, for instance, created a controversy by moving Egyptian pyramids closer together in a photograph so that the scene would look aesthetically pleasing on the magazine cover. Few evidentiary problems are raised by intentionally manipulated images, so long as a witness is available and willing to testify that the scene has been edited. If, however, someone were to intentionally manipulate an image for fraudulent purposes, the same tools used by the conscientious photographer may be applied to the task of perpetrating that fraud and there is no easy method of detection. (Farid, 2004)

2 Overview of digital image forensics

Digital image forensic techniques exploit either traces of image processing algorithms or characteristics introduced during the image acquisition process. The former are applicable without knowledge of the digitization device used.

To illustrate some characteristics typically introduced during image acquisition, Figure 1 shows a simplified image processing pipeline of a digital camera. The main components are the lens, the sensor with a color filter array (CFA) and the signal processing unit. The CFA is needed for color images as typical sensors are only sensitive to the intensity of incoming light. A true color RGB-image is obtained from interpolating intensity values of pixels in a close neighborhood.

The captured image data is further processed in the signal processing unit and afterwards stored in a data storage unit. Other digital image input devices, such as digital camcorders or digital flatbed scanners, use similar image processing pipelines and thus introduce similar statistical patterns in the image data.

Forensic algorithms may exploit specific characteristics of image statistics, which were introduced by components of the image processing pipeline. Starting with the lens, chromatic aberration [6] and radial distortions [2] are adequate features. Furthermore, defect sensor elements [4], sensor noise [11] and dependencies between adjacent pixels due to color interpolation [17] form typical ingredients for forensic methods. However, it is also possible to consider the whole image acquisition process as a black box and analyze the camera response function [9] or macroscopic features of acquired images [7].

2.1 The Problem with Photographs

A picture's power to persuade cannot be overemphasized. The purpose of any trial is to persuade the finders of fact. If the fact finders are going to give undue influence to pictures just because they can see them, this presents a panoply of problems because the ultimate purpose of a trial is to determine the truth. (Farid, 2004)

Jurors often are bored, confused, and frustrated when attorneys or witnesses try to explain technical or complex material. However, when attorneys present the same material with visual aids that simplify these complex issues, the pendulum can swing too far in the other direction. Because jurors may retain as much as 85% of what they learn visually and as little as 10% of the information they hear, the verdict a jury renders may have more to do with how memorable a photograph is, rather than what the jury has heard from lawyers and witnesses. (Farid, 2004)

Dye-sublimation digital printers can even confuse imaging experts. They cannot produce the highly accurate photographic images that film does, but their output appears to be photographic. They produce color and negative prints on photographic-style paper that mimics the look and feel of photographs.

Even unsophisticated image enhancements can render some crime scene details and fingerprint minutiae unprintable. Dodge-and-burn, the selective lighting and darkening of areas within an image, can place details outside of the threshold of a digital printer's range of light and dark printing capabilities.

2.2 Manipulation of Evidence

Photography has many applications in forensic science. It is used in the first instance to photograph the crime scene. Then, photographs are taken of individual items of evidence, from fingerprints and bloodstains, to wounds on a victim's body both at the scene and during an autopsy. Specialized techniques such as microphotography and infrared photography can be extremely useful in particular settings. Forensic photography is a skilled job, for all photographs must be of high enough quality to be admissible as evidence in court. (Bassi, June 2008)

When it comes to photographing evidence that could easily be damaged or lost, such as fingerprints, shoeprints, tire tracks, and tool marks, it is important to take the photographs as soon as possible. Fingerprints may need to be made visible, by exposing them to laser or ultraviolet light, or by applying special powders, before they can be photographed at the scene. Similarly, shoeprints may need treatment before they can be visualized, although those in mud or blood can usually be captured on film without special preparation. It is important to take photographs of shoeprints at a 90-degree angle to the surface and centered in the camera lens. This avoids distortion in the image and makes comparison with control shoeprints more reliable. Tire track photographs need to be taken both as part of a general scene photograph, so that their location can be precisely determined, and also close up, to determine the pattern detail on the tire so it can be identified. Photographs of tool marks should at least show the location of this important source of evidence. However, even macro photography may not reveal enough detail to allow the photographs to be used for laboratory comparison with suspect tools. Each item of evidence is photographed individually before being touched if at all possible, and several shots of each item are taken. (Garfinkel., 2007)

The principal requirements to admit a photograph into evidence are relevance and authentication. In general, a photograph will be admitted into evidence at the discretion of the trial judge. In rare cases a chain of custody (including custody of the undeveloped film) will be required, or the best evidence rule may be invoked if the photograph is offered for its truth and is the basis of a controlling issue in the case. The most important of these requirements is authentication. Unless the photograph is admitted by stipulation of the parties, the party seeking to introduce the photograph into evidence must be prepared to present testimony that the photograph is accurate and correct. In most cases, the testimony need not be from the photographer; any witness qualified to testify that a photograph accurately portrays a scene familiar to that witness will suffice. Some courts will rule that a photograph is self-authenticating, or presumptively authentic. If the authenticity of a photograph is challenged, it is usually a question for the trier of fact to settle. (Wright FD, 2001)

2.3 EXIF

Exchangeable image file format (EXIF) is a specification for the image file format used by digital cameras. The specification uses the existing JPEG, TIFF, and RIFF file formats, with the addition of specific metadata tags. The metadata tags defined in the EXIF standard cover date and time information, camera settings, a thumbnail for previewing, descriptions and copyright information. Currently, geolocation is also part of the EXIF standard (Figure 3.1). Although very few cameras have a built-in GPS receiver and store the location information in the EXIF header when the picture is taken, we can expect cameras to have GPS receivers embedded in the future. (Simson L. Garfinkel, 2006)

EXIF data is embedded within the image file itself. Many recent image manipulation programs recognize and preserve EXIF data when writing a modified image. Many image gallery programs also recognize EXIF data and optionally display it alongside the images. Software libraries, such as libexif and Exiv2 for C, or the exif_read_data() function for PHP, parse EXIF data from files and read/write EXIF tag values. (Garfinkel., 2007)

Every JPEG file begins with "FFD8" which is defined as the SOI (Start of Image) Marker and ends with "FFD9" which is the EOI (End of Image) marker. In between these two markers, the data is divided into several segments, each of which is defined by a specific marker. The length of each segment is defined within the segment to provide the maximum flexibility and still allow applications to separate and examine each segment. This flexible file structure has allowed the creation of standards such as JFIF and EXIF which add specific markers and segments to store data while still conforming to the overall JPEG specification. The diagram below shows this generalized structure.

The original JPEG specification defined a set of markers called application markers, which range from FFE0 to FFEF and allow for the addition of application-specific information. This information is not needed to decode the JPEG image; rather, it adds information to be used by specific applications. JFIF was the first to employ these application markers and used the APP0 marker (FFE0) to identify the segment which contained the information added by JFIF. The newer EXIF specification uses the APP1 marker (FFE1) to mark the additional metadata to be added to a file. This APP1 marker must follow directly after the SOI marker. The EXIF file format is approximately as follows:

ExIF Tag Information

The real benefit to the investigator of the EXIF standard is the information that may be provided in the Tag fields. The tables below list the Tags defined by the EXIF standard for the IFD0 and EXIF sub-IFD fields, as well as the miscellaneous EXIF Tags. Investigators should note that Tag fields may or may not have meaningful information stored in them. Tag field use is implementation dependent and varies from manufacturer to manufacturer.

It is apparent from the tables above that a vast amount of data may be stored in the EXIF metadata. While some data, like the make and model of the camera used, date and time of original, copyright, user comments, Artist, Time Zone offset, GPS Information, Image History, and Subject Location, have obvious benefits to an investigator if present, other fields may be helpful in comparing multiple images taken at or near the same time to establish that they were taken with the same camera. This may allow one image with identifying information to tie back to another image and, more importantly, tie the images to the device.
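The two passages above (the marker/segment layout of a JPEG and the IFD0 tags carried in the APP1/EXIF segment) can be made concrete with a small parser. The following is an added example written for this page, not code from the essay or from any of the libraries it names; the sample JPEG it builds is constructed inline (its tag values, camera name and timestamp are invented) and holds no decodable picture data, only a realistic marker and TIFF/IFD0 structure.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
# IFD0 tags the essay singles out; the two pointer tags lead to the EXIF and GPS sub-IFDs
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x013B: "Artist", 0x8298: "Copyright",
             0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}


def jpeg_segments(data):
    """Walk the length-prefixed segments between SOI and SOS/EOI.

    Returns a list of (marker, payload). The walk stops at SOS because the
    entropy-coded scan that follows it is not length-prefixed, and at EOI.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: file does not start with the SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            break
        if marker == SOS:
            segments.append((marker, None))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length counts itself, not the marker
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments


def parse_exif_ifd0(data):
    """Return the IFD0 entries of the APP1/EXIF segment as {tag name: value}, or None if absent."""
    for marker, payload in jpeg_segments(data):
        if marker == APP1 and payload is not None and payload.startswith(b"Exif\x00\x00"):
            break
    else:
        return None
    tiff = payload[6:]                      # TIFF header follows the "Exif\0\0" identifier
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    (count,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[entry:entry + 12])
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        if typ == 2:                        # ASCII: stored inline if it fits in 4 bytes, else at an offset
            raw = tiff[entry + 8:entry + 8 + n] if n <= 4 else tiff[value:value + n]
            tags[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:                               # other types: keep the raw value/offset field
            tags[name] = value
    return tags


def build_sample_jpeg():
    """Constructed sample: a JPEG container whose APP1/EXIF segment holds a
    little-endian TIFF header and an IFD0 with three invented ASCII entries."""
    values = ((0x010F, b"ExampleCam\x00"), (0x0110, b"Model-1\x00"),
              (0x0132, b"2009:05:14 10:22:31\x00"))
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * len(values) + 4   # count + entries + next-IFD link
    entries, blob, offset = b"", b"", data_offset
    for tag, val in values:
        entries += struct.pack("<HHII", tag, 2, len(val), offset)
        blob += val
        offset += len(val)
    tiff = (b"II*\x00" + struct.pack("<I", ifd_offset) + struct.pack("<H", len(values))
            + entries + struct.pack("<I", 0) + blob)
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(exif) + 2) + exif
    dqt = b"\xFF\xDB" + struct.pack(">H", 4) + b"\x00\x00"          # placeholder table segment
    return b"\xFF\xD8" + app1 + dqt + b"\xFF\xDA" + struct.pack(">H", 2) + b"\x12\x34" + b"\xFF\xD9"


SAMPLE_JPEG = build_sample_jpeg()

if __name__ == "__main__":
    print([hex(m) for m, _ in jpeg_segments(SAMPLE_JPEG)])
    print(parse_exif_ifd0(SAMPLE_JPEG))
```

The walker deliberately stops at SOS, since nothing after it is length-prefixed, and it treats any non-FF byte where a marker should be as a structural error; on a real file that error is itself a finding worth recording, because it means the segment lengths no longer describe the bytes that follow them.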

3 Relevant Forensic Techniques

One of the reasons that digital forensics is such a demanding profession is that it requires mastery of many different, highly specialized techniques. An added complication is that most of these techniques are in a constant state of flux given the speed with which the industry changes.

3.1 Imaging

One of the first techniques used in a digital forensics investigation is to image, or copy, the media to be examined. Though this seems to be a straightforward step at first, modern Operating Systems (OSs) perform many operations on file systems when connected, such as indexing or journal resolution. Without care, media can be modified, however slightly, and the integrity of the evidence can be compromised. For example, OSs that index files may modify the access times of the files being indexed or the act of mounting a disk may cause data in the disk journal to overwrite other data. A trained investigator is required to have intricate knowledge of different operating system behaviors so that residual data will not inadvertently be overwritten. Both hardware and software solutions have been created to allow imaging that does not modify the drive. For most OSs, there are procedures to follow to protect the media to be imaged. This involves disabling auto-mounting services and accessing the raw device directly. There are also hardware solutions, in the form of write blockers that physically prevent the OS from modifying the media. Write blockers are most common for hard drives, and provide several variations on implementation technique. (Englberger, 1994)

Once the investigator is assured that the source disk will not be modified, the data must be copied off the source disk for analysis. Once again, this seemingly simple procedure has important details that must be considered. A physical media device is normally made of addressable blocks where data is stored. These blocks can be grouped into multiple partitions per device, with potential gaps between the partitions. Partitions are then formatted into file systems, with certain blocks containing metadata and control data for the file system. To ensure all information is accurately copied from media, the media must be imaged at the block level. Also, if the original media is damaged or presents input/output errors, the imaging software must account for the error, yet try to recover as much of the data as possible. (Palmer, 2001)
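The imaging procedure described in the two paragraphs above, as an added example that is not from the essay or from any of the tools it mentions: a read-only stand-in for a block device (the write-blocker role) is copied sector by sector, unreadable sectors are zero-filled so the image keeps its geometry, and every such sector is logged so a later examiner can distinguish genuine zeros from data that could not be read. The device class, its contents and the failing block number are all constructed for the example.

```python
import hashlib

BLOCK_SIZE = 512   # sector size of the constructed device


class FlakyBlockDevice:
    """Constructed stand-in for a raw block device reached through a write blocker:
    it exposes reads only, and a chosen set of block numbers fail with an I/O error."""

    def __init__(self, content, bad_blocks=()):
        self._content = content
        self.bad_blocks = set(bad_blocks)

    def block_count(self):
        return (len(self._content) + BLOCK_SIZE - 1) // BLOCK_SIZE

    def read_block(self, n):
        if n in self.bad_blocks:
            raise IOError("I/O error reading block %d" % n)
        return self._content[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def image_device(dev):
    """Block-level copy of the whole device (partitions, gaps and file-system metadata included).

    An unreadable block is replaced by zeros so the image keeps its geometry (the
    behaviour of dd with conv=noerror,sync) and is recorded in a bad-block log.
    Returns (image_bytes, bad_block_log, sha256_of_image).
    """
    image, log = bytearray(), []
    for n in range(dev.block_count()):
        try:
            chunk = dev.read_block(n)
        except IOError as err:
            log.append((n, str(err)))
            chunk = b"\x00" * BLOCK_SIZE
        image += chunk
    image = bytes(image)
    return image, log, sha256_hex(image)


# constructed content: 8 sectors of a repeating byte pattern
SAMPLE_CONTENT = bytes(i % 251 for i in range(8 * BLOCK_SIZE))

if __name__ == "__main__":
    img, bad, digest = image_device(FlakyBlockDevice(SAMPLE_CONTENT, bad_blocks=[3]))
    print("image size:", len(img), "bytes; bad blocks:", bad)
    print("sha256 of image:", digest)
    print("matches pristine device:", digest == sha256_hex(SAMPLE_CONTENT))
```

The bad-block log belongs in the acquisition notes next to the image hash: the hash proves the image has not changed since acquisition, but only the log explains why a run of sectors is zero.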

3.2 Hashing

To quickly identify a file and to provide assurance that an image or file was not modified, the forensic community adopted cryptographic hashing. Modern hashing functions use one-way cryptographic functions to obtain a hash. The uniqueness of the hash depends on the cryptographic function used. MD5 hashing was developed in 1991 by Ron Rivest and was rapidly adopted by the forensics community. NIST soon decided upon SHA-1 as the federal standard, but the forensic community continued to use MD5 in most tools because it was faster and produced a shorter hash. In 2004, MD5 was shown to be insecure by Chinese researchers.

Since basic hashing produces drastically different results for a one-bit change in a file, research is underway on approximate hashing. The state of the art in hashing is Multi-Resolution Similarity Hashing, based on context-triggered piecewise hashing, which uses hash similarities to form edit distances between files.
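The contrast the section draws, between a cryptographic hash that changes completely on a one-bit edit and an approximate hash that still reports similarity, as an added example (not the essay's code and not an implementation of the Multi-Resolution Similarity Hashing or ssdeep schemes it cites): the similarity function below hashes fixed-size pieces, which is enough to show why a single flipped bit leaves most pieces intact, and also why a single inserted byte defeats fixed boundaries, the weakness that context-triggered piecewise hashing was designed to remove. The sample bytes are constructed.

```python
import hashlib


def file_hashes(data):
    """Digests the forensic community has used for identification; MD5 and SHA-1 are
    computed only because older tools and hash sets still report them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_integrity(data, recorded_sha256):
    """Chain-of-custody check: does the evidence still hash to the value recorded at acquisition?"""
    return hashlib.sha256(data).hexdigest() == recorded_sha256


def flip_bit(data, byte_index, bit):
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def hex_digits_differing(h1, h2):
    return sum(1 for a, b in zip(h1, h2) if a != b)


def piecewise_similarity(a, b, piece=64):
    """Simplified approximate hashing: hash fixed-size pieces and report the share of
    pieces whose hashes agree. This is not ssdeep's context-triggered scheme; the
    fixed boundaries are exactly what makes it fragile against insertions."""
    ha = [hashlib.sha256(a[i:i + piece]).digest() for i in range(0, len(a), piece)]
    hb = [hashlib.sha256(b[i:i + piece]).digest() for i in range(0, len(b), piece)]
    matches = sum(1 for x, y in zip(ha, hb) if x == y)
    return matches / max(len(ha), len(hb))


SAMPLE = bytes(range(256)) * 4       # constructed 1024-byte stand-in for an image file
ALTERED = flip_bit(SAMPLE, 500, 0)   # one bit changed, inside the 8th 64-byte piece
SHIFTED = b"\x00" + SAMPLE           # one byte inserted at the front

if __name__ == "__main__":
    base, changed = file_hashes(SAMPLE), file_hashes(ALTERED)
    for name in base:
        print(name, hex_digits_differing(base[name], changed[name]),
              "of", len(base[name]), "hex digits differ after a 1-bit flip")
    print("verify original:", verify_integrity(SAMPLE, base["sha256"]))
    print("verify altered :", verify_integrity(ALTERED, base["sha256"]))
    print("piecewise similarity, 1-bit flip   :", piecewise_similarity(SAMPLE, ALTERED))
    print("piecewise similarity, 1-byte insert:", piecewise_similarity(SAMPLE, SHIFTED))
```

The one-bit flip leaves 15 of 16 pieces matching (similarity 0.9375) while every full-file digest changes beyond recognition; the one-byte insertion shifts every fixed boundary and drives the piecewise score to zero, which is the case that content-defined (context-triggered) boundaries handle.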

3.3 Carving

One category of tools in the digital forensic toolkit is called file carvers. These tools allow the scanning of disk blocks that don't belong to current files to find deleted data. Carvers use known header and footer signatures to combine these 'unused' inodes into the original files that were deleted. Carving can recover deleted but not overwritten files as well as temporarily cached files on media. An analysis of carving techniques was performed by Mikus in 2005.

Recent advances in carving allow fragmented files to be recovered with more accuracy. Garfinkel demonstrated file carving with object validation [18], showing it was possible to validate whether blocks belonged to certain files as they are carved out, allowing fragmented files to be recovered intelligently. In 2008 Pal took validation further to present Sequential Hypothesis Testing, using earlier work in Parallel Unique Path [30]. This allowed largely fragmented files to be recovered as long as a sufficient validation function exists for the file type. Also in 2008 Cohen described advanced JPEG carving, creating a JPEG validator based on the open source libjpeg and a distance function to find sudden image changes, indicative of an invalid reconstruction. (Carrier, 2006)
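A header/footer carver of the kind the section opens with, as an added example that is not code from the essay or from any of the carving papers it cites. It scans a buffer of unallocated blocks for the JPEG SOI and EOI signatures, tracks nested SOI/EOI pairs so that an embedded EXIF thumbnail does not end the outer file early, and flags a header with no footer as a truncated fragment instead of dropping it. The buffer and the three fake files in it are constructed for the example and are not decodable pictures.

```python
from collections import namedtuple

SOI = b"\xFF\xD8\xFF"        # start of image followed by the next marker's FF byte
EOI = b"\xFF\xD9"            # end of image
MAX_SIZE = 10 * 1024 * 1024  # give up on a header if no footer appears within this many bytes

CarvedFile = namedtuple("CarvedFile", "offset data complete")


def carve_jpegs(blob, max_size=MAX_SIZE):
    """Return a CarvedFile for every JPEG header found in blob.

    Nested SOI/EOI pairs (embedded thumbnails) are counted so the outer file is
    closed by its own footer; a header with no footer yields complete=False.
    An FFD9 inside binary metadata can still end a file early, which is why
    real carvers validate the result, not just its delimiters.
    """
    results, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        limit = min(len(blob), start + max_size)
        depth, cursor, end = 1, start + 2, -1
        while cursor < limit:
            next_soi = blob.find(SOI, cursor, limit)
            next_eoi = blob.find(EOI, cursor, limit)
            if next_eoi < 0:
                break
            if 0 <= next_soi < next_eoi:      # an inner image starts before the outer one ends
                depth += 1
                cursor = next_soi + 2
                continue
            depth -= 1
            cursor = next_eoi + 2
            if depth == 0:
                end = cursor
                break
        if end < 0:
            results.append(CarvedFile(start, blob[start:limit], False))
            pos = start + 2
        else:
            results.append(CarvedFile(start, blob[start:end], True))
            pos = end
    return results


def _fake_jpeg(label, thumbnail=b""):
    """Constructed JPEG-shaped bytes: SOI, an APP0 marker, a label, an optional embedded image, EOI."""
    return b"\xFF\xD8\xFF\xE0" + label + thumbnail + b"\xFF\xD9"


THUMB = _fake_jpeg(b"thumb")
JPEG_A = _fake_jpeg(b"photo-A", thumbnail=THUMB)   # outer file with an embedded thumbnail
JPEG_B = _fake_jpeg(b"photo-B")
TRUNCATED = b"\xFF\xD8\xFF\xE1partial"             # header whose remainder was overwritten
UNALLOCATED = b"\x00" * 32 + JPEG_A + b"junk" + JPEG_B + b"\x00" * 16 + TRUNCATED + b"\x00" * 8

if __name__ == "__main__":
    for f in carve_jpegs(UNALLOCATED):
        print("offset %3d  %5d bytes  complete=%s" % (f.offset, len(f.data), f.complete))
```

Without the depth counter the first file would be cut at the thumbnail's footer, leaving a file that opens but shows only the preview; the flagged truncated fragment is the input the validation-based methods described above are meant to reassemble from non-contiguous blocks.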

3.4 Identity Resolution

Resolving individual pieces of data or information to an owner or identity is a significant problem in forensics cases. Where multiple users could exist on a single machine or network capture, the process of data ascription becomes complicated. Two techniques for resolution are heuristic techniques like Jonas's work for IBM, and probabilistic machine learning techniques developed by researchers for law enforcement. Data is correlated together from various sources into a database and then pointed to by an entity entry meant to represent a person. As more data is ingested, an entity may gain more pieces of data for greater resolution, or new information may arise that causes an entity to split into separate entities. The pieces of data that an entity owns may represent communication to other entities and social networks may now be formed in the database for further analysis. (Garfinkel, 2006)

4 Current Tools

The forensic market has created many opportunities for commercial ventures and popular open source alternatives. Standalone tools that perform specific functions, such as extraction of EXIF data from JPEG files, are constantly being developed and distributed in the academic and open source communities. These novel functions are eventually incorporated into larger analysis suites. These suites are typically large GUI-based programs that allow an analyst to explore and search the data on a hard drive. The remainder of this section discusses the most popular forensic suites.

4.1 EnCase

EnCase is a forensic suite sold by Guidance Software, certified by the NIST CFTT, and used by many law enforcement agencies throughout the United States. "EnCase Enterprise is a powerful, network-enabled, multi-platform enterprise investigation solution. It enables immediate response to computer-related incidents and thorough forensic analysis. It also preserves volatile and static data on servers and workstations anywhere on the network, without disrupting operations." (Palmer, 2001; Farid, 2004)

EnCase uses a proprietary file format to store its images. The open source library libewf allows other forensic tools to use these images. EnCase has a complicated interface that requires many steps and operations before actionable intelligence can be returned in an investigation. EnCase provides a basic scripting language to automate common tasks in the suite and scripts are often traded in the user community. This scripting language allows custom carving, extracting and reporting, though the reports are limited to within the EnCase viewer and are not immediately able to cross reference other cases. The source code is closed and users are not able to add their own extensions to the program (Palmer, 2001; Farid, 2004).

4.2 FTK

Forensics Tool Kit (FTK) is a forensics suite sold by Access Data. FTK is another commercial tool with a steep learning curve for its users. Like EnCase, FTK has been validated in courtrooms with legal precedent [1]. FTK provides more data rich reports in the default interface than EnCase. FTK does not provide a scripting language and does not allow users to add additional functionality (Palmer, 2001).

4.3 Sleuthkit

The world of open source forensics is dominated by The SleuthKit (TSK), the primary tool for extracting files from disk images. TSK is an open source suite of digital forensic tools based on the original The Coroner's Toolkit tool set. TSK supports file system browsing, string searching, timeline building, and other reports. TSK also has a programming library, allowing other programs to be written on top of it. Although SleuthKit can be run from the command line, many practitioners find it easier to use a graphical user interface. Autopsy and PTK are little more than graphical shells which run the TSK commands as child processes and present the results in a web browser for easier visualization than the command line tools. (Palmer, 2001)

4.4 PyFlag

The Australian government has released the Python Forensic and Log Analysis GUI (PyFlag). PyFlag is an open source forensics suite designed for media and network analysis. PyFlag imports a case image into a back-end database where persistent information is stored for access through a web browser from a client workstation. In practice the database can be on the same system as the client, allowing for a mobile deployment, or on a central server, allowing many investigators to work on the same case at the same time. PyFlag uses TSK for underlying image access and builds individual file analysis, extraction and reporting on top of TSK. PyFlag provides its own scripting language called PyFlash and also allows users to write their own extensions to the suite in Python. PyFlag has proven its usefulness by being the main tool used to solve the DFRWS 2007 and 2008 forensic challenges (Bassi, June 2008).


Conclusion

In this paper, we have described the importance of a standard, open format for digital evidence provenance, both for description and comparison of particular pieces of evidence and for tool interoperability and validation. To protect against the ease with which dissembling witnesses can facilitate the admission of false evidence, a better method of authenticating images must be adopted. It is widely recognized, and widely ignored, that digital images are easy to create, easy to manipulate, and difficult to authenticate.

The Tag tables above provide a tremendous amount of potentially useful information if it is contained in the EXIF section of a JPEG file. While it is cumbersome to try to pull this data manually from the file, programs exist today to extract it for the investigator. Programs such as EXIFutils or IMatch can be used to view this information. Technology Pathways' forensic tool, ProDiscover, will automatically extract and report this information for investigators, if desired, for all JPEG and TIFF files marked as evidence of interest. This can open up a whole new avenue for investigators and capture EXIF metadata in an evidentiary-quality manner to be used in court at a later date. There are a number of methods, with varying degrees of practicality and reliability, that, if employed, would ensure that the photographs used in court to help ascertain the truth would be truthful themselves.

Currently available forensic tools are designed with the forensic expert in mind. The tools present a wealth of options and require specific technical knowledge to extract data from media images. These tools then present the extracted data in poorly organized fashions that try to show the user as much data as possible rather than prioritizing information according to relevance. This paper has attempted to show some of the uses of imaging and the tools used for it by the forensics community. Image processing techniques and digital photography have contributed a great deal to the toolbox in this field.