Digital Forensics Trends And Future - University Of Salford


Title: Digital forensics trends and future
Authors: Dezfouli, F and Dehghantanha, A
Publication title: International Journal of Cyber-Security and Digital Forensics (IJCSDF)
Publisher: Society of Digital Information and Wireless Communications (SDIWC)
Type: Article
USIR URL: This version is available at: [link not preserved in the transcription]
Date: 2014

USIR is a digital collection of the research output of the University of Salford. Where copyright permits, full text material held in the repository is made freely available online and can be read, downloaded and copied for non-commercial private study or research purposes. Please check the manuscript for any further copyright restrictions. For more information, including our policy and submission procedure, please contact the Repository Team at: library-research@salford.ac.uk.

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76
The Society of Digital Information and Wireless Communications, 2013 (ISSN: 2305-0012)

Digital Forensic Trends and Future

Farhood Norouzizadeh Dezfoli, Ali Dehghantanha, Ramlan Mahmoud, Nor Fazlida Binti Mohd Sani, Farid Daryabar
Faculty of Computer Science and Information Technology, University Putra Malaysia
{Farhood1990, farid0fx}@gmail.com
{alid, ramlan, fazlida}@fsktm.upm.edu.my

ABSTRACT

Nowadays, the rapid evolution of computers and mobile phones has led to these devices being used in criminal activities. Providing appropriate and sufficient security measures is difficult because of the complexity of the devices, which makes investigating crimes involving them even harder. Digital forensics is the procedure of investigating computer crimes in the cyber world. Much research has been done in this area to help forensic investigators resolve existing challenges. This paper looks into current trends in the application of digital forensics and security in various areas and provides some estimates of future research trends in this field.

KEYWORDS

Digital forensics, Image, ion, Intrusion, Validation.

1 INTRODUCTION

The digital forensics process involves the collection, preservation, analysis and presentation of evidence from digital sources. With the rise of challenges in the field of forensic investigation, ever more interesting problems are looming on the horizon for both victims and investigators. As computers become smaller, faster and cheaper, they are increasingly embedded inside other, larger systems, which allows information to be created, stored, processed, analyzed and communicated in ways that were not predicted.
Once we gathered digital evidence from monolithic, stand-alone mainframes, whereas today we have PCs, supercomputers, distributed client-server networks, laptops and smart phones, and LANs and WANs that convey information across the world, each of which is a potential source of digital evidence. Evidence stored in a computer is not unique with regard to relevancy and materiality, but because it can be easily duplicated and modified, often without leaving any traces, and is readily available to a miscreant using another computer half a world away, its handling should be constrained by evolving legal standards and constraints that defend privacy.

In general, privacy means allowing or disallowing access to information. The code of ethics requires forensics professionals to maintain the privacy of the client. In the course of a proper investigation, depending on the sensitivity of the issue and the requirements of the result, the privacy of the client may need to be compromised.

But it is also possible that the victim organization loses trust in the forensics team. Moreover, there are organizations where any slight leakage of the issue may attract huge media attention, endangering the reputation and finally the business of the organization. In such situations, privacy rights and law enforcement's need to search and seize digital evidence during a digital forensic investigation belong together. It may also be possible that the forensics expert does not share the information with any third party but takes advantage of the client's confidential information himself, which is also a violation of the right to privacy. That is why it is the policy maker's responsibility to see the impact of forensics in the broader context of business goals and make the hard decisions that trade off forensics capabilities against issues of privacy and, correspondingly, morale.

Key strategies for protecting privacy in digital forensics are selective revelation, strong audit and rule-processing technologies. In the present situation, the dilemmas are: how to monitor digital forensics while keeping search information secret, and how to keep private information from being improperly disclosed in the name of forensics?

This paper comprises three sections and is presented as follows: Section 2 narrates the data collection procedure for this review as well as the limitations of the collected data. Section 3 discusses all the collected papers and analyses the result of each paper.
Finally, Section 4 concludes the paper and summarizes the overall development of technology in digital forensics.

2 CURRENT TRENDS IN DIGITAL FORENSIC

This section identifies the limitations of this work and explains the procedure of data collection.

2.1 Limitations of the Study

It is unlikely that this approach captures the true picture of privacy protection in the current digital forensic landscape, as privacy aspects are delicate in each research specimen. The papers read are more interested in discussing the exploitation of security mechanisms and frameworks than privacy protection techniques. The number of papers available is also too small to sustain very significant research value. Most of the papers reviewed are too specific to their corresponding research field and purpose; it is difficult to generalize the specimens into statistical data with higher accuracy. The research nature and scenarios used cannot be fully depended upon, as they are not necessarily applicable in another similar scenario. Since the publications go through a lengthy peer review process that adds a long time lag to the publication route, they are not very responsive to current security trends and issues. Hence, they tend to be a following rather than a leading indicator of information security trends. We also realize that almost all specimens are from the Elsevier journal platform, and thus there is a limitation on the availability of related research publications from other sources. We also identified another limitation, which is the lack of graphical statistical data, as most of the papers researched do not necessarily belong to statistically based research. It is not practical to add statistical assumptions based on the given articles only; rather, doing so has the

unavoidable possibility of distorting the accurate picture of the research.

2.2 Data Collection Procedure

In this research, a passive data collection procedure is executed in three phases, based on 97 articles from 31 journals. We focus on statistical analysis of trends not older than 2008 to obtain a view of recent interests in the arena of digital forensics. A wide range of well-established journals that have digital forensics as their primary focus, fulfilling both academic and business purposes, is chosen.

Phase 1: Keyword Analysis. The data collection process started with keyword analysis in order to identify the focus of each article studied. We found that the keywords used by authors do not necessarily reflect the picture of the techniques and theories being emphasized within the timeframe of a paper. At the same time, some keywords are too generic and may not bring any significant research value unless paired with other keywords.

Figure 1 summarizes the frequency of the keywords in all the articles included in this survey. It is rather evident that the current focus of forensics is now more towards computer, multimedia and network forensics, with 31, 24 and 22 papers focusing on those areas respectively. The 14 articles explaining present and future forensic tools and applications also receive significant focus, as these are the foundation of many digital security solutions. With the rapid development of image processing techniques, tampering with digital images without leaving any obvious traces is becoming easier; thus image forensics evolved quickly during the last few years and has been studied in 12 papers.

Figure 1. Coverage of topics in journal papers

Phase 2: Topics Covered in the Journals. The collected keywords were then grouped into broad category topics based on their representation to

accommodate most of the topics identified in recent digital forensics, as shown in Table 1. For example, articles containing keywords like image splicing detection, edge detection, image tampering, JPEG compression and image segmentation were grouped as image forensics and fell into the broader category of multimedia forensics. Articles grouped in one category can actually fit into multiple broader categories: for example, articles with the paired keywords 'memory' and 'windows registry' and 'memory' and 'mobile phone' were both categorized as memory forensics, but the former is more suitable to computer forensics whereas the latter is appropriate to mobile device forensics. The same strategy applies to all the other broad topics. All the topics that appear not to be part of any of the broad topics were categorized as Other. This category included topics like Forensic Psychiatry, Microelectronics Reliability, Evidence Validation and Anti-forensic Approaches, to name just a few.

Table 1. Keyword categories (the table body did not survive transcription; the recoverable row labels include Other, Forensic Tools and Applications, Image, Identification, File, Video, Evidence, Response, Forensic vendors, Anti-forensic Approaches, Network Data Analysis, Data Integrity, USB and Location Analysis, each with per-topic paper counts)

Phase 3: Results Obtained from the Journals. Individual analysis of each paper is conducted as the final data collection step. This is done by picking up a summary of each paper and giving a brief explanation of what the paper is trying to prove and the possible benefits of the publication.

2.3 Comparing Journal Results with Existing Survey Reports

A survey was conducted among experienced researchers and practitioners in the computer forensics field in 2008 during the Digital Forensics Research Workshop. Nine volunteers from the digital forensics practitioner group within the United States participated and were asked to describe the type of cases that are involved in their investigations [98]. The result is shown in Figure 2.

The most common digital forensic investigation cases, 77.8% of overall cases, are those that deal with single personal computers (PCs). Surprisingly, the second-most common digital forensic investigation cases, 55.6% of overall cases, involve mobile media. The third-most common, 44.4% of overall cases, involve networks, hacking and multimedia. Only a small number of cases, i.e., 11.1% of overall cases, are concerned with steganography and other sophisticated computer techniques. Note that the total percentage is over 100% because some cases may involve multiple devices. For example, a cell phone, a PDA, as well as desktop PCs, laptops, etc. may be part of the same case.

Figure 2. The percentage of different digital forensics investigation cases [98]

3 DISCUSSION AND ANALYSIS OF RESULTS

Digital forensic investigation is a rapidly growing field that has emerged with the information technology era. It encompasses the numerous techniques by which crime in a computer system is handled, from the lowest level, the end user, to the highest. In this paper, our summarization is based on each of the keyword groups mentioned in the Introduction. We believe the methods are not all synchronous. We compare all the compiled methods, from those that have been in use for a long time to the newest techniques. As part of the summary, we include the future work that we believe would be significantly important to further research.

3.1 Forensic Investigation

In a computer system, forensic investigation (F.I.) is the practice of establishing the evidence and facts to be presented in court. It may involve multiple system layers. Different network architectures demand different F.I. approaches and present different levels of difficulty. In [7], the author discusses the issue that makes F.I. in a cloud computing system more complex when it comes to decentralized authority. Cloud computing providers are differentiated by location, and some of them encrypt the data before it is delivered to the public network.

The use of peer-to-peer software may add to the complexity of F.I. recovery. As it is capable of searching and downloading files from or to any node/computer, it also becomes a factor in exposing a company's private data to attack. In peer-to-peer (P2P) F.I., the analyst has to determine the configuration parameters: password, username, log time, installation time and so on [9]. The authors also advocate the LANGuard software application to monitor P2P activities within the network.

As mobile phones become more advanced nowadays, the more vulnerable they are to attack.
More smartphone users are doing personal private activities through their smartphones, such as online banking transactions or e-commerce. The misuse of mobile applications involves obtaining and spreading confidential information, fraud, theft, money laundering, copyright infringement and indecent images [6]. The author emphasizes the digital acquisition method for the Subscriber Identity Module (SIM), memory card and flash memory by applying a bit-to-bit copy. On the other hand, copy acquisition is also discussed by the author in [80] using the hash verification process. The author proposes new Chain of Custody (CoC) software which is able to print, keep custody of and transfer any piece of evidence recorded.

During the F.I. process, it is important to maintain the privacy of honest users while the system is under investigation. In [47], the author proposes Enhanced-Respect Private Information Not Abuser (E-RPINA) to provide privacy for honest users yet accountability for the attacker.

A cloud computing system potentially involves great data exposure to security threats and privacy breaches. In addition, users' activity can be traced using the audit trail process [51]. The forensic analyst has to handle the

information carefully, or otherwise it might fall into the wrong hands.

Data can be either software- or hardware-encrypted in order to keep it private and confidential. High demand to protect users' personal data and files led to the introduction of encrypted disks. In [86] the author reviews open source encryption software known as TrueCrypt. It is freely available and able to encrypt a whole partition containing the operating system files.

Nowadays, more consideration is given to attack prevention processes and techniques. The monitoring and visualization of network activities are a crucial mechanism within an organization's network. In [66] the author presents the development of Enterprise Network Activities Visualization (ENAVis) as an aid to network administrators in managing and monitoring network activities.

Nevertheless, computer systems are still potentially exposed to attack even with minimal information given. This affects the privacy of users who rely on encrypted traffic and believe they are securely protected. In [97] the author demonstrates an attack method against Secure Shell (SSH) and Skype software.

3.2 Forensic Tools and Applications

To run an F.I., the correct tools and software play an important role in aiding the efficiency and effectiveness of the investigation. As P2P is widely used for sharing illicit material, the author in [67] discusses a tool to extract information from binary evidence based on Java Object Serialization (JOS) as implemented in P2P software. Based on the JOS specification, personal information about users can be extracted using a tool known as AScan. However, this tool is only available to the law enforcement community. Another useful tool, known as PyFlag, renders HTML files back from tcpdump captures. Any recorded network traffic can be captured and its content replicated.
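Section 3.1 above describes bit-to-bit acquisition of SIM, memory card and flash memory [6], hash-verified copy acquisition and chain-of-custody software [80]. The following is an added example of that workflow, not code from those papers or from any tool named in this survey: a byte stream is copied and hashed in one pass, the copy is re-verified against the recorded digest, and every action is logged in a custody record. The evidence content, the evidence identifier "EV-0001" and the examiner names are constructed for the demonstration; SHA-256 is used in place of whatever algorithm [80] chose.

```python
"""Added example: hash-verified bit-for-bit acquisition with a chain-of-custody log."""
import hashlib
import io
from datetime import datetime, timezone


def acquire(source, chunk_size=4096):
    """Copy `source` (a binary file-like object) byte for byte while hashing it.
    Returns (image_bytes, sha256_hex).  Hashing as the bytes are read means the
    digest covers exactly what was copied from the source, nothing re-read later."""
    digest = hashlib.sha256()
    image = io.BytesIO()
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        image.write(chunk)
    return image.getvalue(), digest.hexdigest()


def verify(image_bytes, expected_sha256):
    """Re-hash the copy and compare with the digest recorded at acquisition time."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def custody_entry(evidence_id, action, actor, sha256_hex):
    """One chain-of-custody record: who did what to which item, and the hash the
    item had at that moment.  Consecutive entries with different hashes show
    that the item changed hands in a modified state."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "actor": actor,
        "sha256": sha256_hex,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Acquire a constructed 20 KiB 'memory card', verify the copy, then show that
    a single flipped bit in the copy is caught by re-verification."""
    original = bytes(range(256)) * 80                 # constructed sample content
    image, digest = acquire(io.BytesIO(original))
    log = [custody_entry("EV-0001", "acquired", "examiner A", digest)]
    ok_before = verify(image, digest)

    tampered = bytearray(image)                       # simulate a write to the image file
    tampered[1000] ^= 0x01
    ok_after = verify(bytes(tampered), digest)
    log.append(custody_entry("EV-0001", "verified", "examiner B",
                             hashlib.sha256(bytes(tampered)).hexdigest()))
    return ok_before, ok_after, log


if __name__ == "__main__":
    before, after, entries = demo()
    print("copy verified after acquisition:", before)
    print("copy verified after one-bit change:", after)
    for entry in entries:
        print(entry)
```

In practice the source would be a block device opened read-only (ideally through a write blocker) and the image would go to a file; the digest recorded in the first custody entry is what later examiners compare against, so a mismatch in any later entry localizes where in the custody chain the copy changed.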
The same applies to flash memory in smartphones: the application can be used to determine any related application logs and multimedia files belonging to a user [42]. The author develops a Mobile Internal Acquisition Tool (MIAT) targeting the Symbian OS. However, because of conflicts regarding users' private information, the software is not to be released under an open source license.

There are special forensic tools for each operating system (OS). The introduction of Macintosh Evidence Gathering and Analysis (MEGA) describes how system analysis is implemented on Mac OS X [72]. It has great capabilities for managing and monitoring the network and can even handle a FileVault-encrypted Mac home directory. For the Linux OS, the author in [92] mentions the use of the Forensic Automated Correlation Engine (FACE) as an image analyzer for Linux partitions. It may obtain any personal information of the victim for the forensic investigator or for unauthorized personnel.

3.3 Image Forensics

Image analysis is used in image forensics to expose information using support vector machines with decision fusion techniques [4]. The author proposes a model that identifies the source model or device of an image by using the support vector machine approach along with decision fusion

techniques. The paper uses feature selection algorithms, in which optimal feature subsets are generated in a series of inclusion and exclusion steps, and count-based aggregation as the decision fusion algorithm. The algorithm selects the top λ features from 43 features in order to get the highest identification rate; the SVM model is trained and test images are fed into the trained model to predict the camera source model. The flowchart of the model is illustrated in Figure 3.

Figure 3. Flow Chart [4]

In [56] the author introduces an image meta-description approach suitable for different image inference applications, named progressive randomization (PR). This technique is based on perturbations of the values of the least significant bits of images, which makes it different from state-of-the-art algorithms.

As image analysis is enhanced, [55] contributes a review of state-of-the-art image registration (IR) methods that lay their foundations on evolutionary computation (EC) and analyzes the 3D modelling of forensic objects. The paper includes different evolutionary approaches in order to represent the wide variety of techniques within the EC paradigm, and an IR method based on the classical ICP algorithm proposed by Liu. The paper reveals that the majority of the evolutionary IR (EIR) methods following a parameter-based approach achieve the best and most robust performance, and that poor performance is obtained by the matching-based methods.

With highly advanced applications, the forensic tool is able to differentiate between fake and real images.
By using multi-resolution decomposition and higher order local autocorrelations (HLACs), image features are extracted to determine whether an image is real or fake [23]. By virtue of the inner product lemma of higher order autocorrelation, feature extraction and the SVM are combined and the computational complexity is decreased significantly. The paper suggests the two-dimensional discrete wavelet transform (2D DWT), a powerful multi-resolution analysis tool. Signal characteristics can be localized in detail at different positions, orientations and scales, and the multi-resolution decomposition contains many intrinsic characteristics of natural images and fake images.

As noise degradation causes blind forgery detection methods to fail, in [9] the author proposes a model that divides a suspected image into partitions with homogeneous noise levels. However, authentic images can also contain various isolated regions with very different variations, which makes the proposed method a supplement to other forgery detection methods rather than a standalone forgery detector. The proposed method is not able to find the corrupted regions when the noise degradation is very small (σ 2). The proposed method can be achieved by omitting the block merging step.

In image analysis, duplicated regions with rotation can be detected and located using an efficient and robust passive authentication method [64]. It uses circle blocks and Hu moments for detection and localization. In this method a Gaussian pyramid is used for decomposition and, to overcome the possible distortion caused by JPEG compression and noise contamination, the low-frequency sub-image produced is chosen. The sub-image is divided into many overlapping circle blocks, and from them the Hu moment features are extracted. Here, the circle block mode and the Hu moments are able to eliminate the effect of rotation. We believe that new rotation-invariant features should be constructed directly on the circle region. The corresponding robust detection method should be investigated for other intermediate processing such as resizing, cropping, etc.

In order to detect image splicing, the most common form of image tampering, the author in [33] proposes an approximate run length based scheme. The proposed scheme only computes run lengths on the edge pixels, and what makes it better is that splicing normally introduces extra edges to the image. This method introduces a threshold t: if the absolute difference of two neighboring pixels' grayscale values is not greater than the threshold t, the two pixels are considered to be in the same approximate run. We believe further research should be done on the fluctuation of grayscale values of consecutive pixels, which tends to be more dramatic in an image with complex texture.
Hence it makes authentic images and spliced ones less distinguishable.

The extraction algorithm proposed by the author in [25] is able to extract the block artifact grids (BAGs); abnormal BAGs due to interpolation or concealed objects can then be detected with a marking procedure for copy-paste operations. The author suggests that by extracting weak horizontal and vertical edges with a periodicity of 8 separately and then combining them, the BAGs are found. Image tampering operations like image cropping, painting and copy-paste can be detected through BAG mismatch phenomena.

Blind image forgery detection does not require any prior information about the image [20]. This paper includes all the existing surveys and references that deal directly with blind image forensics. Nevertheless, it notes that on leaving the "ideal" lab conditions and applying the existing methods to real-life applications, higher rates of false positives are encountered than reported. Lack of automation is another drawback of existing methods. To localize the forgery, existing methods need knowledge of the various modified regions containing inconsistencies. Many of the existing methods deal only with JPEG and compression properties.

Since proving the authenticity of a picture in legal proceedings is not straightforward, an easier approach would be matching an image back to the type of device that last modified it, either hardware or software. [71] explains how quantization tables, which are generally used for JPEG compression, can be used for image source identification, since they can reveal whether images have been processed by software or not, thus allowing the forensic examiner to consider only the unaltered

ones from a large volume of given pictures. For this, the author classified the quantization tables used by JPEG images into several categories that vary with camera model and software program. A software library known as Calvin was developed to identify the type of quantization table used by an image against the tables the library contains. For an excellent image forensics solution, we recommend combining knowledge of the JPEG quantization table with image factors such as EXIF data, program signatures or colour signatures for real skin, which may produce excellent image analysis.

Computer-generated (CG) and real images can be distinguished based on the human visual system. [38] describes a series of psychophysical experiments that used images of varying resolution, JPEG compression and colour to explore the ability of observers. The experiments report the probability that an image is in fact photographic when an observer believes it to be photographic, expressed as the conditional probability

P(I = photo | R = photo)

where R denotes the user response and I the image category. By replacing "photo" with "CG", the conditional probability that an image is CG if an observer says it is CG is

P(I = CG | R = CG)

However, the accuracies reported in the paper are a lower bound on human performance; unlike time rendering technologies, observer performance can likely be improved.

To identify the source camera model of a digital image, [99] utilizes traces of the demosaicing operation in digital cameras, employing two methods and defining a set of image characteristics which are used as features in designing classifiers that distinguish between digital camera models.
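The block artifact grid (BAG) idea attributed to [25] above rests on one observation: JPEG leaves weak intensity steps with a period of 8 pixels on its block boundaries, and a region pasted in from another JPEG usually brings a grid whose offset differs from the host image's. The following added example is not code from [25]; it builds a constructed host image with a pasted patch whose grid is shifted by three pixels, estimates the grid offset (phase) per region by summing neighbour differences per column and row index modulo 8, and flags regions whose phase disagrees with the whole image. The checkerboard-of-flat-blocks image and the energy measure are simplifications of the weak-edge extraction the paper performs on real images.

```python
"""Added example: toy block-artifact-grid (BAG) phase check for copy-paste detection."""


def make_blocky_image(size=32, block=8, phase=0, base=100, step=4):
    """Constructed sample: a checkerboard of flat 'JPEG blocks' whose grid lines
    fall on columns/rows congruent to `phase` modulo `block`."""
    img = []
    for r in range(size):
        row = []
        for c in range(size):
            bx = (c - phase) // block
            by = (r - phase) // block
            row.append(base + step * ((bx + by) % 2))
        img.append(row)
    return img


def paste_region(dst, src, r0, c0, h, w):
    """Overwrite an h x w window of dst with the same window of src: a copy-paste."""
    for r in range(r0, r0 + h):
        for c in range(c0, c0 + w):
            dst[r][c] = src[r][c]


def grid_phase(img, r0, r1, c0, c1, period=8):
    """Estimate the grid offset (0..period-1) along x and y inside the window
    rows r0:r1, cols c0:c1.  Absolute neighbour differences are accumulated per
    column index (resp. row index) modulo `period`; the residue holding the most
    edge energy is where the block boundaries sit.  Only differences strictly
    inside the window are used, so the window's own border is not counted."""
    ex = [0] * period
    ey = [0] * period
    for r in range(r0, r1):
        for c in range(c0 + 1, c1):
            ex[c % period] += abs(img[r][c] - img[r][c - 1])
    for r in range(r0 + 1, r1):
        for c in range(c0, c1):
            ey[r % period] += abs(img[r][c] - img[r - 1][c])
    return ex.index(max(ex)), ey.index(max(ey))


def find_inconsistent(img, regions, period=8):
    """Return the regions (r0, r1, c0, c1) whose grid phase disagrees with the
    phase of the whole image: candidates for pasted-in content."""
    h, w = len(img), len(img[0])
    global_phase = grid_phase(img, 0, h, 0, w, period)
    return [reg for reg in regions
            if grid_phase(img, *reg, period=period) != global_phase]


def build_sample():
    """Host image with grid phase 0 plus a 16x16 patch pasted from a donor image
    whose grid has phase 3 (both constructed for the demonstration)."""
    host = make_blocky_image(phase=0)
    donor = make_blocky_image(phase=3)
    paste_region(host, donor, 8, 8, 16, 16)
    return host


if __name__ == "__main__":
    sample = build_sample()
    print("whole image phase:", grid_phase(sample, 0, 32, 0, 32))
    print("pasted patch phase:", grid_phase(sample, 8, 24, 8, 24))
    print("suspect regions:", find_inconsistent(sample, [(0, 16, 16, 32), (8, 24, 8, 24)]))
```

On real images the per-column energy has to be computed on weak edges only (strong content edges swamp the 8-periodic signal), and a region whose grid lines up with the host by chance (a 1-in-64 event for an unshifted paste) is missed, which is why the paper combines the horizontal and vertical grids and marks mismatches rather than deciding from one axis.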
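The quantization-table approach of [71] described above (the Calvin library matching an image's tables against a stored set) is illustrated by the following added example, which is not the Calvin library or code from the paper. It parses the DQT marker segments of a JPEG byte stream, undoes the zigzag storage order, and looks the luminance table up in a reference set. The reference set is constructed here from the standard luminance base table of ITU-T T.81 Annex K scaled with libjpeg's quality formula; a real reference set would hold tables collected from specific camera models and software, which is what lets an examiner separate camera-original files from software-processed ones. The sample JPEG is constructed (header only, no scan data).

```python
"""Added example: extract JPEG quantization tables and match them to a reference set."""
import struct

# Standard luminance quantization table (ITU-T T.81 Annex K), natural order.
IJG_LUMA_BASE = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]

# Zigzag scan order: stored position i holds the coefficient at natural index ZIGZAG[i].
ZIGZAG = [
    0, 1, 8, 16, 9, 2, 3, 10, 17, 24, 32, 25, 18, 11, 4, 5,
    12, 19, 26, 33, 40, 48, 41, 34, 27, 20, 13, 6, 7, 14, 21, 28,
    35, 42, 49, 56, 57, 50, 43, 36, 29, 22, 15, 23, 30, 37, 44, 51,
    58, 59, 52, 45, 38, 31, 39, 46, 53, 60, 61, 54, 47, 55, 62, 63,
]


def scale_table(base, quality):
    """libjpeg-style quality scaling of a base table (jpeg_quality_scaling)."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [max(1, min(255, (q * scale + 50) // 100)) for q in base]


def build_dqt(table_natural, table_id=0):
    """Encode one 8-bit table as a DQT segment (marker FFDB), stored in zigzag order."""
    zigzag = bytes(table_natural[ZIGZAG[i]] for i in range(64))
    payload = bytes([table_id]) + zigzag          # high nibble Pq=0 (8-bit), low nibble Tq
    return b"\xff\xdb" + struct.pack(">H", len(payload) + 2) + payload


def parse_dqt(jpeg):
    """Walk the marker segments before the scan and return {table_id: natural-order values}.
    Handles both 8-bit and 16-bit table precision and several tables per segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    tables, pos = {}, 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI or SOS: no more tables follow
            break
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xDB:
            i = 0
            while i < len(body):
                precision, table_id = body[i] >> 4, body[i] & 0x0F
                width = 2 if precision else 1
                raw = body[i + 1:i + 1 + 64 * width]
                if len(raw) != 64 * width:
                    raise ValueError("truncated quantization table")
                vals = [struct.unpack(">H", raw[2 * k:2 * k + 2])[0] if width == 2 else raw[k]
                        for k in range(64)]
                natural = [0] * 64
                for k in range(64):
                    natural[ZIGZAG[k]] = vals[k]
                tables[table_id] = natural
                i += 1 + 64 * width
        pos += 2 + length
    return tables


def reference_tables():
    """Constructed reference set: IJG luminance tables at a few quality settings."""
    return {("IJG luminance", q): scale_table(IJG_LUMA_BASE, q) for q in (50, 75, 90, 95)}


def identify(table, refs=None):
    """Return the label of the reference table that matches exactly, or None if unknown."""
    refs = refs if refs is not None else reference_tables()
    for label, ref in refs.items():
        if ref == table:
            return label
    return None


# Constructed sample: SOI, one DQT carrying the quality-75 IJG luminance table, EOI.
SAMPLE_JPEG = b"\xff\xd8" + build_dqt(scale_table(IJG_LUMA_BASE, 75)) + b"\xff\xd9"

if __name__ == "__main__":
    for tid, table in parse_dqt(SAMPLE_JPEG).items():
        print("table", tid, "->", identify(table))
```

An exact match is the conservative choice: a table that matches no entry is reported as unknown rather than guessed, and, as the text above recommends, the table evidence should be combined with EXIF data and program signatures before concluding anything about the file's origin.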
The paper identifies demosaicing artifacts associated with different camera models. By determining the differences in the image formation pipeline, e.g., processing techniques and component technologies, the first method in the paper tries to detect the source camera model of the image. Two methods, namely an Expectation-Maximization algorithm that analyzes the correlation of each pixel value to its neighbors, and analysis of inter-pixel differences, are used to detect and classify the traces of the interpolation operation in images. The experiment feeds the images to the classifier to verify the consistency of the demosaicing artifacts; hence the final decision is made by the classifier. It is expected that the use of the combined method would eliminate some of the false positives due to mismatch of the reference pattern.

3.4 Security Mechanism

In [81], the author confers the importance of computer forensics as a standard for electronic crime investigations and the expertise required. As the computer forensics field grows, the field of operation and the number and complexity of the managed cases determine the required tools or equipment. Computer forensics, in this paper, is termed a mechanism of prevention, compliance and assurance rather than investigation and response.

[26] proposes information hiding techniques as an alternative to encryption. This paper uses the FAT file system as a proof-of-concept example of a covert communication medium. In a simple approach, the information to be hidden is embedded in the arrangement

of the clusters of a file. In an alternative approach, the distribution of the cover file's clusters can be used to create a covert channel. The approach proposed is undetectable as encrypted or random data.

[43] reveals the fact that the Portable Document Format is not impervious to some privacy-related issues. Two issues, how changes made to PDF documents are handled and the interactive features of PDF, are investigated in this paper. It shows that when trigger events like the opening or closing of documents take place, other programs might be executed or external links might be resolved without user awareness.

[57] emphasizes the build-up of technological advancement for fraud. It marks phones, especially smartphones, as a modern threat to confidentiality. This paper states that smartphones have a 'dual personality': one that is loyal to the employer's exchange server, VPN and security systems, the other which can operate on public WiFi, alternative SIM cards and other seemingly anonymous networks, as described in Figure 4.

with the Symmetric-padding mode is the elementary concept of this paper. Fourier transform (FFT) together with the output of Hash Algorithm 1 (SHA-1) forms a strong image encryption setting. Moreover, using DWT gives the advantage of the
