Conducting Image-based Forensic

Half day (Friday), 9:00 AM to noon

An Image Is Worth More than a Thousand Words: Conducting Image-based Forensic Investigations

Category: Forensics

Instructors: Nikita Mazurov and Kenny Brown

Instructor Bios:

Nikita Mazurov, PhD, is a Postdoctoral Researcher at the Living Archives Project, Malmo University, Sweden, focusing on privacy issues in data archiving.

Kenneth Brown, CISSP, is a Federal Project Manager at VMware, USA, specializing in automation and operations management.

Course Description:

IT security professionals increasingly face the challenge of handling multimedia content in the course of internal audits or forensic investigations. This course covers the diverse facets of investigating image-based content from the start to the finish of the investigative process, including the following core components, each of direct relevance to IT security professionals who may find themselves dealing with image-based evidence.

I. Evidence Discovery

How potential image-based evidence may be discovered. An exposition of open source intelligence (OSINT) evidence-gathering resources, ranging from general social media and video search parameters to the discovery of local and personal web sources.

II. Evidence Collection

Both manual and automated scraping techniques are covered, with discussion of how to acquire the varying media types encountered.

III. Evidence Storage

Secure storage protocols (e.g. encryption) will be discussed, along with both on/off-site and local/cloud-based backup solutions and strategies, as well as setting up and maintaining Chain of Custody (CoC) records and access logs.
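An added example, not part of the course material: a hash-chained chain-of-custody log in Python, where each entry records the SHA-256 of the evidence file together with the hash of the previous entry, so that later edits to an entry, a gap in the sequence, or a change to the evidence itself all fail verification. The evidence bytes, actor names and timestamps are constructed for illustration.

```python
"""Hash-chained chain-of-custody (CoC) log for image evidence (added example)."""
import hashlib
import json
import time

GENESIS = "0" * 64  # prev_hash value used by the first entry in a log


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Hash a canonical JSON form (sorted keys, no whitespace) so it is reproducible
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_bytes(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(log: list, evidence: bytes, actor: str, action: str, ts=None) -> dict:
    """Record an access/handling event; links it to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "timestamp": ts if ts is not None else time.time(),
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_bytes(evidence),
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: list, evidence: bytes) -> tuple:
    """Return (ok, reason): checks sequence, hash chain, entry integrity, evidence hash."""
    prev = GENESIS
    current = sha256_bytes(evidence)
    for i, e in enumerate(log):
        if e["seq"] != i:
            return False, f"sequence gap at entry {i}"
        if e["prev_hash"] != prev:
            return False, f"chain broken at entry {i}"
        if entry_hash(e) != e["entry_hash"]:
            return False, f"entry {i} modified after recording"
        if e["evidence_sha256"] != current:
            return False, f"evidence hash mismatch at entry {i}"
        prev = e["entry_hash"]
    return True, "ok"
```

In practice the log would be written append-only to storage separate from the evidence, and the final entry hash recorded out of band (e.g. in the case file) so the whole chain can be anchored.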

IV. Evidence Corroboration

Techniques for corroborating evidence using all-source intelligence will be presented, including the checking of corroborating conditions (e.g. weather conditions).

V. Evidence Provenance

The identification of the point of origin of a given piece of potential evidence. Techniques covered include various forms of Content-Based Image Retrieval (CBIR) applied across various assets.

VI. Evidence Extrapolation

The extrapolation of any potentially actionable information from a given piece of evidence: a technical analysis of any metadata present in the given media, followed by a more rigorous binary-level analysis of the content.

VII. Evidence Tamper Detection

A foray into conducting media forensics to ascertain whether a piece of potential evidence has been tampered with. Techniques covered span from the identification of possible metadata tampering to the detection of content manipulation using approaches such as Error Level Analysis (ELA).

VIII. Evidence Presentation

How to present final findings to both technical and generalist audiences, including compiling incident reports and presentations.

Requirements:

Laptop required.