Finding digital forensic evidence when graphic design applications are used for document counterfeiting

Mabuto, Enos Kudakwashe

January 2013

Graphic design applications are often used for the editing and design of digital art. The same applications can be used for creating counterfeit documents such as identity documents (IDs), driver’s licenses or passports, among others. The products of graphic design applications, however, leave behind traces of digital information which can be used during a digital forensic investigation. Although current digital forensic tools are designed to scrutinise systems with the purpose of finding digital evidence, the tools are not designed to examine such systems specifically for the purpose of identifying counterfeit documents. This dissertation reviews the digital evidence relating to the creation of counterfeit documents and gathered from graphic design applications. Digital evidence gathered in this way consists mainly of identifying and corroborating the counterfeiting events that occurred on a particular system. Firstly, such an analysis is accomplished by establishing linkages between the digital forensic information that has been gathered and the specific actions that were performed when the counterfeit documents were created. Such actions comprise scanning, editing, saving, and printing. The researcher is able to compile a dossier of the digital forensic information that is generated by such actions by analysing the files that were generated by making use of a particular graphic design application for document creation. Secondly, the researcher extends the analysis to the actual files created by the application user. These files can be used as evidence to establish linkages between the content of the counterfeit documents that are being investigated and the document editing actions that are necessary for creating such documents. The researcher gathers digital forensic information of this kind by analysing the different file types that are associated with these applications. The researcher then gathers the associated timeline evidence separately by means of a third analysis that identifies timestamps from the application’s system files and evidence files. The researcher is then able to draw a timeline from the timestamps to illustrate the sequence of events that occurred. From the digital evidence gathered in this way it is possible to propose a two-pronged counterfeiting investigation process. This proposed investigation process is application and platform independent. The researcher concludes the study by transforming the model into a working prototype by demonstrating how the prototype is capable of analysing and extracting digital forensic information from certain graphic design application file types and log files. Such a prototype is capable of identifying the system that was utilised for counterfeiting particular documents or identifying whether a specific document is counterfeited or not. / Dissertation (MSc)--University of Pretoria, 2013. / gm2014 / Computer Science / unrestricted

Counterfeit documents

Digital evidence

Digital forensics

Digital forensic artifacts

Graphic design applications

UCTD

Forensiska Artefakter hos Mobila Applikationer : Utvinning och Analys av Applikationen Snapchat

Nordin, Anton, Liffner, Felix

January 2019

Today's smartphones and tablets use different applications and software for all sorts of purposes: communication, entertainment, fitness, to share images with each other, to keep up to date with the news and lots of different daily tasks. With the heavy usage of all these apps, it is no wonder that it comes with a few issues. Private data is stored in large quantities both on the local device and on the app-creators' servers. It is no wonder that applications advertising user secrecy and transient storage of user data. One of these applications is Snapchat, with over 500 million downloads on Google Play store, at the time of writing. Snapchat is a communication application with the niched feature that the images and messages sent, disappear once opened or after 24 hours have passed. With the illusion of privacy behind Snapchats niche it has become a breeding ground for criminal activity. The niche itself translates to a troublesome hurdle for law enforcement trying to retrieve evidence from devices of Snapchat users. This paper is aimed to investigate these issues and perform a methodology to retrieve potential evidence on a device using Snapchat to send images and messages. By performing a physical acquisition on a test device and analyzing to find artifacts pertaining to Snapchat and the test-data that was created. The method is performed on a Samsung Galaxy S4 with Android 5.0.1 running Snapchat version 10.52.3.0. Test data such as different images and messages were created and attempted to be retrieved at three points in time. First one being right after data creation. Second one after a restart and 24 hours after the data was created. And the third with 48 hours passed and the Snapchat user logged out at the time of acquisition. The acquisition resulted in the extraction of several sent images and a full text conversation between the experimental device and another party. A full video which was uploaded by the receiving user was able to be extracted even though the experimental device never actually viewed the video. The second acquisition which was made when 24h had passed gave the same results as the first one. This meant that time at least up to a day after the initial creation of the data did not have any effect on the evidence. However, when the Snapchat user was logged out from the application, the data was then unobtainable and had disappeared. Presumably Snapchat has a function which deletes personal data about the user when logged out from the application. This function might become a hurdle in law enforcement investigations where the application Snapchat is involved.

Forensics

Mobile forensics

DFIR

Snapchat

Magnet Axiom

Extraction

Snapchat analysis

Forensic investigation

Snapchat artifacts

forensic artifacts

digital forensics

Forensik

Digitalforensik

Mobilforensik

Snapchat

Artefakter

Magnet Axiom

Utvinning

Samsung Galaxy S4

Applikationer

Mobilutvinning

Övrig annan teknik

Computer and Information Sciences

Data- och informationsvetenskap