Multimedia file reconstruction and analyse in digital forensics

Abstract

There is an increasing number of crime cases involving computers and multimedia files such as child pornographic photos, recorded voices and CCTV videos. It is not uncommon that suspects can manage to erase the files or even destroy the whole file system before seized by the law enforcement officer. Reconstructing fragmented files is still a challenge in digital forensics for both damaged and integrity files, especially without the file system information.

Firstly, this work focuses on JPEG files, one of the most popular photograph formats, and proposes techniques for recovering partially-damaged standalone JPEG fragments by reconstructing pseudo headers. The techniques deal with missing Huffman tables and sub-sampling factors, estimate the resolution of JPEG fragments, assess the image quality of JPEG files with incorrect quantization tables, and create quantization tables that are very close to the correct quantization tables in a reasonable amount of time. Extensive experiments with real camera pictures demonstrate that the techniques can recover standalone fragments accurately and efficiently.

Secondly, this study focuses on JPEG file carving for, in particular, heavily fragmented JPEG files when file system information damaged. Due to the fact that, it is a critical challenge to identify encrypted or compressed unknown data streams without sufficient corresponding decoding information. To begin with, we propose a technology to display and identify the JPEG file fragmentation piece, which is a partial content of a file and consist of one or more physically consecutive data blocks, from unknown data streams. A new similarity matching metric (CED) is proposed to evaluate the difference between data blocks in large scale. By evaluating the pattern of similarity distribution in fragmented file, we can identify the occurrence of fragmentation point in advance. Then, a fragmentation piece-based _le carving methodology is presented to recover heavily fragmented JPEG files. By comparing with state-of-the-art photo recovery technical, the proposed techniques can automatically and successfully recover most of fragmented files from real case.

Moreover, with the popularity of smart phone, voice chat of instant message (IM) applications are getting popular. However, huge amount of manpower is required to listen, analyze, and identify relevant chat files of IM apps during current forensic investigation tools and techniques. This study proposes a semi-automatic integrated framework to deal with audio forensic investigation for IM apps by applying modern technologies. The main objective is to reduce the amount of manpower in the investigation. This is the first work that applies speech to text technology in voice chat of IM apps forensic. Both text and audio features are extracted to reconstruct the dialog conversation. Experiments with real case data show that the framework is promising. And it is able to translate dialog into readable text and improve the efficiency during investigation with reconstructed conversation.