Structure Starting with a needs assessment Research training Research workstream project selection Nine workstreams Automated forensic analysis Image linkage for victim identification and framework for image fingerprint management Automated grooming detection Frontline officer awareness development and decision support mobile app Assessment of methods of cyber training Framework for seizure, preservation and preservation of cloud evidence An evaluation of the role of the Digital Media Investigator within WYP Characteristics of victims of cybercrime Broadcast media artefacts
Linking images to source camera devices
Motivation Often images and camera devices are part of the digital evidence that is seized Digital images are used in the commission of crime; for example, Child Sexual Exploitation Forces would benefit from a method to link digital pictures to the source camera devices Image: http://smartphones.reviewed.com
Image Acquisition Process
Sensor Noise as Digital Fingerprint Sensor Pattern Noise (SPN) Natural imperfections in the silicon chip and different sensitivity of pixels to light SPN created by one sensor is different to other imaging sensors Can differentiate between sensors from same model Image: By Filya1, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6304562
Our results SPN algorithm improvements A less lossy algorithm, that was shown to improve accuracy of results Evaluated against state-of-the-art SPN, using image datasets Development into a software tool available to forces Operating procedures and user guide Installed and evaluated in WYP Digital Forensics Unit (DFU) 18 Canon digital cameras with 5 pictures each Followed procedures to match images to devices Police user feedback
Request permission from superior Device Fingerprint Creation Process Flow No Device Imaged? Get device Imaged Yes No Internal Yes Request permission from superior Memory card slot present? No memory End full? Yes No Yes Yes Memory card present? Remove original memory card No Insert compatible memory card
Conclusion New algorithm and software outputs, along with supporting procedures Capability to help identify victims of CSE, and links new cases to historical cases based on images matches to previously seized devices Future work: improve scale, and capabilities to match troves of images to each other