Category Archives: Computer and Cell Phone Forensics

Introduction to Digital Documents

With the spread of digital technology, the nature and perpetration of white-collar crime are changing dramatically. Unfortunately, this has introduced some serious security vulnerabilities that put digital credentials at risk. In the space of just 40 years we have gone from the Selectric, arguably the most technologically advanced typewriter of its day, to the computer age. A document creation system that had just two parts in 1961 (typewriter and element) can now have multiple components, some based in software and some in hardware.

We live in the Information Age, a time when information is being generated, published, and stored at an ever-increasing rate, and computers play an integral role in all three of these activities. Digital images are misused for many reasons, with and without criminal intent. Images are cropped, rotated and compressed to make them fit a document. In the days before imaging software became so widely accessible, adjusting image data in the darkroom demanded considerable effort and proficiency. But now, with the help of Photoshop, it is very simple, and consequently tempting, to adjust or modify digital image files. Establishing the genuineness of a document is therefore becoming more and more difficult, since scanners, printers and computers are good enough to generate fraudulent documents.

A number of clues can be used to detect manipulation by visual assessment, such as discrepancies in lighting, intensity levels, color distributions, edges, noise patterns and compression artifacts at the transition between the tampered and original parts of the questioned image. The availability of powerful digital image processing programs, such as Photoshop, makes it comparatively easy to generate digital forgeries from one or numerous images. Cases of manipulated hard and soft copies of documents are frequently encountered because such documents are widely accepted in both business and legal matters. Forgeries of this kind have become remarkably frequent. That is why forensic document examiners (FDEs) need to evaluate the authenticity of digitized and hard-copy documents and reveal evidence of manipulation if present. It is also essential for forensic document examiners to stay abreast of the latest scientific advances in the field so that they can meet the challenges of the future and address new forms of evidence.

This article provides a boiled-down version of what is believed to be the most important information for those engaged in the forensic examination of computer-generated documents.

The Pre-Examination Evaluation

The examination of digitally prepared documents should begin with the same precautions and care that would be prudent with any type of examination. The pre-examination evaluation of digital documents is no different than document examinations of any type.

Examination Procedures

The well-established principle that documents should be thoroughly scrutinized on both sides, corner to corner, is just as valid for modern, computer-generated documents as it has been since the dawn of forensic document examination.

Is the Document an Original or a Copy?

This is a question that may seem trivial to a new FDE, but daunting to the experienced practitioner. It may be difficult to determine if the evidence is an original machine-printed document or a machine copy. Modern computer technology can blur how we define an original vs. a copy as well as the physical distinctions between an original and a copy. For instance, it is possible for multiple original versions of the same electronic document to be printed on different printers. This occurs daily in the modern world when e-mail attachments are printed out by the recipients. A preparer sends a policy change to individual employees in branch offices, who then print out the text on their machines. Each can lay claim to having an original document, even though some originals may have been printed on inkjet printers and some on laser printers. From a forensic standpoint, the problem is that the same machine that was used to print an original document may later be used to copy it. Original machine-printed documents can have machine-rendered signatures. Several companies can take one's original signatures and convert them into TrueType fonts. Because these signatures are scalable fonts, they can be smoothly resized, bolded, and italicized to give them visually different appearances. A toner or inkjet signature appearing on a document, therefore, is not necessarily proof that the document itself is a reproduction.

Can the Printing Technology Be Identified?

It is a common practice for document examiners to step through their examinations attempting to first determine class characteristics, followed by efforts to ascertain more individual, identifiable features. Following this formula, the starting point for an examination of a computer-generated document will usually involve a microscopic examination of the printed text in order to determine the most general type of evidence: what technology was used to print the document.

The classifications that can be made from visual (microscopic) examinations will initially revolve around three basic determinations: Has the document been printed (1) in black and white or color, (2) using an impact or non-impact process, or (3) with toner, wet ink, or other medium?

Has More Than One Technology Been Used to Prepare the Document?

In some instances it may not be possible (without chemical or instrumental analysis) to determine much beyond the technology that was used to produce a computer-generated document. Depending on how the document was allegedly produced, however, this may be all that is necessary to resolve the issue. The two types of cases where this information can be of considerable importance are reinsertion and page substitution. In the first situation, a document is placed back into a printer after the parties have signed and agreed to the terms in the document. If a questioned passage is printed with a different type of printer than the surrounding text, it can be considered proof that the document was changed by reinsertion. An example of this occurred in a patent case, in which all of the unquestioned text had been printed on a dot matrix printer while the questioned assignment of the patent had been inserted with an inkjet printer at the bottom of a page that began with dot matrix printing. In the second type of case (page substitution), one or more pages of the original document are removed and different ones are inserted. This situation arises frequently in probate matters where the signature page of a will is left intact, but the preceding pages are replaced. Depending on what stories the various parties tell concerning the creation of a questioned document, merely being able to determine that more than one printer technology was used may be sufficient to resolve the litigation.

Is There Evidence that One or More Pages are Prepared Differently than the Others or that Text has been Altered?

If there is a possibility that alteration has taken place, features such as font changes, formatting, paper type, etc., must be considered. In the case of computer printing technology there are several approaches that one can take to help determine if text (or entire pages) have been added, removed, or altered. The first step should be an attempt to determine if the same printing technology was used throughout the document.

In this regard, literally everything that is printed on the document should be examined, including the printing process used to prepare the letterhead.

Even if only one technology was used to create a document there may be evidence that passages were created on different machines. In some cases it may be possible to make this determination non-destructively; in other instances only destructive testing such as ink and toner analyses will provide definitive evidence in this regard.

Assessing Alignment, Spacing, and Copy Distortion

Various measurement techniques can be employed, including glass or plastic measuring templates or the use of scanning and graphics software. Regardless of the method employed, the FDE must be cognizant of any distortion, linear or otherwise, that may be present. This is especially true for multi-generation or fax copies, in which it is not uncommon to see the text baseline undulate across the page. In such circumstances, only very general measurements can be made. To properly assess any distortion present, multiple line measurements should be made. It would be a mistake to focus solely on the entry in question relative to the lines immediately above and below. Differences in line and margin spacing are only relevant if the surrounding text is consistently spaced.

Whether evaluating a facsimile reproduction, photocopy, or computer-generated text, Adobe Photoshop® or other similar software can be a valuable tool in assessing line orientation. The document is scanned into Photoshop, where the measurement tool is used in concert with the Rotate Arbitrary function to bring the document to a right angle based on a selected line of text. Once this is done, the same set of tools is used to obtain information about each line's orientation.
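The same line-by-line assessment can be done numerically once baseline points have been measured from the scan. The following is an added example, not part of the original article: it fits each line's baseline, checks that the surrounding text is regular, and only then judges the questioned entry. The function names, tolerances and sample measurements are assumptions constructed for illustration.

```python
import math
from statistics import median

def fit_baseline(points):
    """Least-squares line through measured (x, y) baseline points, in mm.
    Returns (tilt in degrees, y at the left margin x = 0)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    slope = (sum((x - mx) * (y - my) for x, y in points)
             / sum((x - mx) ** 2 for x, _ in points))
    return math.degrees(math.atan(slope)), my - slope * mx

def assess_entry(lines, questioned, angle_tol=0.15, gap_tol=0.3):
    """Judge one questioned line against every other line on the page.
    Tolerances (degrees, mm) are assumed values, not laboratory standards."""
    fits = [fit_baseline(p) for p in lines]
    angles = [a for a, _ in fits]
    ys = [y0 for _, y0 in fits]
    gaps = [ys[i + 1] - ys[i] for i in range(len(ys) - 1)]
    # Reference set: lines and gaps that do not involve the questioned entry.
    ref_angles = [a for i, a in enumerate(angles) if i != questioned]
    ref_gaps = [g for i, g in enumerate(gaps)
                if i not in (questioned - 1, questioned)]
    ref_angle, ref_gap = median(ref_angles), median(ref_gaps)
    # A spacing difference is only meaningful if the rest of the text is regular.
    if (max(abs(a - ref_angle) for a in ref_angles) > angle_tol
            or max(abs(g - ref_gap) for g in ref_gaps) > gap_tol):
        return "inconclusive: surrounding text is not consistently spaced"
    q_gaps = [gaps[i] for i in (questioned - 1, questioned)
              if 0 <= i < len(gaps)]
    if (abs(angles[questioned] - ref_angle) > angle_tol
            or any(abs(g - ref_gap) > gap_tol for g in q_gaps)):
        return "deviates from surrounding text"
    return "consistent with surrounding text"

def make_line(y0, tilt_deg, xs=(0, 50, 100, 150)):
    """Constructed sample: baseline points for a line at y0 with a given tilt."""
    slope = math.tan(math.radians(tilt_deg))
    return [(x, y0 + slope * x) for x in xs]

# Constructed pages: 4.23 mm line pitch (six lines per inch), line 3 questioned.
CLEAN = [make_line(20 + 4.23 * i, 0.0) for i in range(6)]
REINSERTED = CLEAN[:3] + [make_line(20 + 4.23 * 3 + 0.8, 0.4)] + CLEAN[4:]
UNEVEN_COPY = [make_line(20 + 4.23 * i + (0.9 if i % 2 else 0.0), 0.0)
               for i in range(6)]
```

A straight-line fit does not capture a baseline that undulates across the page, so multi-generation and fax copies still call for the general measurements described above.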

Digital Manipulation Detection Methods

Various methods have been proposed to detect alterations in computer-generated documents. They include automatic detection and localization of duplicated regions in digital images; pixel-based techniques that detect statistical anomalies introduced at the pixel level; format-based techniques that leverage the statistical correlations introduced by a specific lossy compression scheme; camera-based techniques that exploit artifacts introduced by the camera lens, sensor, or on-chip post-processing; physically based techniques that explicitly model and detect anomalies in the three-dimensional interaction between physical objects, light, and the camera; and geometric-based techniques that make measurements of objects in the world and their positions relative to the camera.
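The first of these methods, localizing duplicated regions, is shown here in its simplest form as an added example that is not part of the original article: exact block matching, where identical pixel blocks that share one shift vector indicate a copied and pasted area. The function names and the test image are constructed for illustration.

```python
from collections import defaultdict

def find_duplicated_regions(img, block=4, min_blocks=4):
    """Exact-match duplicated-region detection on a grayscale image (list of rows).
    Returns {(dy, dx): [top-left corner of each source block]} for every shift
    shared by at least min_blocks identical, non-overlapping block pairs."""
    h, w = len(img), len(img[0])
    seen = {}                       # block contents -> first position seen
    by_shift = defaultdict(list)
    for r in range(h - block + 1):
        for c in range(w - block + 1):
            key = tuple(tuple(img[r + i][c:c + block]) for i in range(block))
            if len({v for row in key for v in row}) == 1:
                continue            # flat blocks (blank paper) match everywhere
            if key in seen:
                r0, c0 = seen[key]
                if max(r - r0, abs(c - c0)) >= block:   # skip overlapping pairs
                    by_shift[(r - r0, c - c0)].append((r0, c0))
            else:
                seen[key] = (r, c)
    # One shift supported by many blocks is evidence; a lone match is not.
    return {s: p for s, p in by_shift.items() if len(p) >= min_blocks}

def constructed_image(h=24, w=24, seed=7, tamper=True):
    """Constructed test input: generated noise standing in for scanned texture.
    With tamper=True a 6x6 patch is copied from (2, 3) to (12, 14)."""
    state, img = seed, []
    for _ in range(h):
        row = []
        for _ in range(w):
            state = (state * 1103515245 + 12345) % 2**31
            row.append((state >> 16) & 0xFF)
        img.append(row)
    if tamper:
        for i in range(6):
            img[12 + i][14:20] = img[2 + i][3:9]
    return img
```

Exact matching only works while the pasted pixels are unchanged; once the image has been saved with lossy compression, the blocks have to be compared on quantized features rather than raw values.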

Conclusion

It is safe to say that just as the technological methods used to create modern documents continue to change, so the forensic examination of computer-generated documents will continue to evolve. For instance, many laboratories around the world are currently doing research to determine if an analysis of toners, inkjet inks, and other media can be individualized to a particular manufacturer. Devices used by the electronic printing industry itself to determine output quality and image banding are beginning to see their way into the forensic arena as identification tools.

As we can see, a new field is emerging in forensic document examination, one that requires not only knowledge and experience in document examination but also a good knowledge of modern computers and of the materials used to prepare computer-generated documents. This follows from the influence of computers on almost every aspect of our lives and their use in daily routine. A fusion of computer technology and document examination is therefore needed to deliver justice in modern times.

Shabnampreet Kaur
Research Fellow
Department of Forensic Science,
Punjabi University, Patiala
India

CELL PHONE FORENSICS INVESTIGATOR LEAVE NO STONE UNTURNED

Technology paved the way for development and also opened the door for criminals to commit crimes without being caught for years. Today mobile phones are a double-edged sword: they create new security risks while offering valuable sources of evidence for the cell phone forensics investigator. Their capabilities make mobile devices more like computers that help us navigate the world. Cell phone forensics uses information stored on and generated by mobile devices to reconstruct our communications, movements and other personal details.
Cell phone forensics, being an integral part of digital forensics, is vital to accurate investigations associated with criminal and civil litigation. It comprises SMS recovery, location tracking, and recovery of multimedia files, contact records, and the date and time of incoming and outgoing calls. Anybody intentionally engaged in illegal activities will predictably take precautions to hide their tracks. Some of the protective measures adopted by criminals to avoid being caught are listed below:

Encrypting data
Wiping tools
Secure deletion tools
Steganography
Remote data storage devices
Digital data compression

Cell phone forensics takes considerable effort to extract information from smartphones, cell phones and other devices. We, as forensic investigators of cell phones, generally adopt 7 ways to extract and determine cell phone activity, as listed below:

Bypassing Security Codes
With the help of specialized tools, digital forensic investigators can extract the security code from some locked mobile devices. Bypassing the security code makes it possible to acquire data from the device with forensic software.

Safe SIM Card
The confidential data in memory is destroyed if the wrong SIM card is inserted in a cell phone. With this issue in mind, investigators create “safe” SIM cards for inspection purposes.

Live acquisition
Valuable and confidential evidence might be destroyed if the battery is removed from the mobile phone before forensic acquisition is performed. In a few cases, to make sure that all evidence and useful information is preserved, investigators can leave the mobile device powered on until the forensic operation can be performed. To avoid external influences, it is mandatory to take some precautions beforehand.

Trusted Time Source
Even when the clock on the device shows the wrong time, network-generated timestamps remain reliable and provide accurate data. As an example, the time shown in an SMS is generated by the SMS service center, not by the phone.

Tracking movements
Several mobile devices store location-based data related to actions and media on the device. Investigators can recover this data to establish the geographic location of a mobile device at a particular time.

Recovering Deleted Data
Accidentally or intentionally deleted information related to call logs may be easily recoverable by investigators with the help of certain ready-to-use forensic tools. Such tools offer detailed information about missed, dialed and received calls.

Getting Physical
Investigators can recover an extensive amount of deleted data from a growing number of mobile devices by acquiring and analyzing the complete memory contents.
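The point made under Trusted Time Source can be put to work as follows. This is an added example, not part of the original article: it decodes the service-centre timestamp carried in a delivered SMS (the TP-Service-Centre-Time-Stamp field of 3GPP TS 23.040) and uses it to estimate how far the handset clock is off. The function names, the 20YY year mapping and the sample messages are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _bcd(octet):
    """Swapped-nibble BCD: low nibble is the tens digit, high nibble the units."""
    tens, units = octet & 0x0F, octet >> 4
    if tens > 9 or units > 9:
        raise ValueError(f"invalid BCD octet {octet:#04x}")
    return tens * 10 + units

def decode_scts(octets):
    """Decode the 7-octet TP-Service-Centre-Time-Stamp (3GPP TS 23.040)."""
    if len(octets) != 7:
        raise ValueError("SCTS must be exactly 7 octets")
    yy, mo, dd, hh, mi, ss = (_bcd(b) for b in octets[:6])
    tz = octets[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)   # offset from GMT in quarter hours
    if tz & 0x08:                             # bit 3 carries the sign
        quarters = -quarters
    zone = timezone(timedelta(minutes=15 * quarters))
    # Assumption: two-digit years are mapped to 20YY.
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=zone)

def estimate_clock_error(messages):
    """messages: (SCTS octets, handset-recorded receive time) pairs.
    Each difference is clock error plus delivery delay, and delay is never
    negative, so the smallest difference is the best estimate of the error."""
    return min(received - decode_scts(scts) for scts, received in messages)

# Constructed sample: two messages stamped +05:30 by the service centre,
# received by a handset whose clock runs about two minutes fast.
UTC = timezone.utc
MESSAGES = [
    (bytes.fromhex("32015141035222"), datetime(2023, 10, 15, 9, 2, 28, tzinfo=UTC)),
    (bytes.fromhex("32015141540022"), datetime(2023, 10, 15, 9, 17, 40, tzinfo=UTC)),
]
```

Subtracting the estimated error from other timestamps written by the same handset clock places them on the network's timeline.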