Image Based Evidence In Forensic Science

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Forensic investigators often examine large numbers of pictures and videos to identify potential evidence. These tasks can be daunting and time-consuming when the target of the investigation is very broad, for example a web hosting service. Current forensic tools are usually of little help in facilitating this part of the investigation process.

This research aims to discuss a new approach that automates the examination process using image analysis techniques. The general approach uses previously identified content to perform feature extraction, which captures mathematically the essential properties of the images and videos. An important property of the approach is that the original image cannot be recovered from the feature set. It therefore potentially makes it possible to build a very large database of known contraband images, which investigators may be barred from collecting directly. The same approach can also be used to search automatically for case-specific images, contraband or otherwise, or for online monitoring of shared storage for early detection of certain images.

This is done using the mathematical foundations of the image analysis tools that I have used. Finally, this research was motivated by real-world scenarios, and it describes the results of comprehensive tests of tools that are also used for forensic purposes.
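An added example, not code from the essay or from any tool it cites, of the feature-extraction approach outlined in the abstract above: a compact feature is computed from each known image, stored in place of the image, and compared with the features of newly found images. A 64-bit difference hash stands in for the feature extractor, which the essay does not specify; the images, labels and match threshold are constructed for the illustration.

```python
"""Added illustration: one-way image features matched against a database."""
import hashlib

GRID_W, GRID_H = 9, 8      # 9x8 cell means give 8x8 = 64 comparison bits
MATCH_THRESHOLD = 10       # assumed cut-off: at most this many differing bits


def cell_means(pixels):
    """Average a grayscale image (rows of 0-255 values) into a 9x8 grid."""
    h, w = len(pixels), len(pixels[0])
    grid = []
    for gy in range(GRID_H):
        y0, y1 = gy * h // GRID_H, (gy + 1) * h // GRID_H
        row = []
        for gx in range(GRID_W):
            x0, x1 = gx * w // GRID_W, (gx + 1) * w // GRID_W
            total = sum(pixels[y][x] for y in range(y0, y1) for x in range(x0, x1))
            row.append(total / ((y1 - y0) * (x1 - x0)))
        grid.append(row)
    return grid


def feature(pixels):
    """64-bit feature: a bit is 1 where a cell is brighter than its right neighbour.

    Thousands of pixels collapse into 64 bits, so the picture itself cannot be
    rebuilt from the stored value.
    """
    bits = 0
    for row in cell_means(pixels):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if left > right else 0)
    return bits


def distance(a, b):
    """Hamming distance between two features."""
    return bin(a ^ b).count("1")


def sha256_of(pixels):
    """Cryptographic hash of the raw pixel bytes, for comparison."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def lookup(db, pixels):
    """Return (label, distance) of the closest known feature, or None."""
    f = feature(pixels)
    label, known = min(db.items(), key=lambda kv: distance(kv[1], f))
    d = distance(known, f)
    return (label, d) if d <= MATCH_THRESHOLD else None


def known_image():
    """Constructed 72x64 image: bands alternately brighten and darken to the right."""
    return [[3 * x if (y // 8) % 2 == 0 else 213 - 3 * x for x in range(72)]
            for y in range(64)]


def recompressed(pixels):
    """Stand-in for recompression: coarser quantisation plus a brightness shift."""
    return [[min(255, (v // 8) * 8 + 5) for v in row] for row in pixels]


def unrelated_image():
    """Constructed image with a purely vertical gradient."""
    return [[3 * y for _ in range(72)] for y in range(64)]


if __name__ == "__main__":
    db = {"known-item-1": feature(known_image())}   # hypothetical label
    copy = recompressed(known_image())
    print("SHA-256 equal:", sha256_of(copy) == sha256_of(known_image()))
    print("feature match:", lookup(db, copy))
    print("unrelated    :", lookup(db, unrelated_image()))
```

The recompressed copy no longer has the same SHA-256 value as the original, yet its feature is still within the threshold, which is why exact hashes alone cannot find altered copies of a known image.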

Contents

1.1 Introduction

1.2 Digital forensic investigation

1.3 Recovery of digital video evidence

1.4 Recovery of video evidence

2.1 Introduction

2.2 Issues evidence

2.3 Digital investigations and evidence

2.4 Digital crime scenes investigation process

2.5 Jurisdiction of case

3.1 Search and seizure of digital evidence

3.2 Evidence analysis

3.3 System preservation phase

3.4 Preservation techniques

3.5 Evidence searching phase

4.1 Data analysis

4.3.1 Overview

4.3.2 Testing

4.3.3 Error rates

4.3.4 Publication

4.3.5 Acceptance

4.4 Federal rules of evidence

4.5 A balance solution

4.6 Analysis types

4.7 Essential and nonessential data

5 Conclusion

6 References

1.1 Introduction

There has been a relative increase in the use of security camera systems (devices, video, recording, and CCTV) in criminal investigations. As these systems have become more affordable for the private and public sectors, they have enabled crime investigators to find out more about a suspect from video, which has enormous potential to help an investigation. However, it is important to take into account that video presented in court as evidence must be handled strictly, and forensic video analysts must not make errors. Analysts face new challenges as the industry continues to change and diverse digital security equipment replaces older technologies. The previous tape standards, such as VHS, S-VHS and others, have given way to thousands of proprietary digital video recording systems that typically share few common characteristics. In the past, any first responder could recover video evidence from an analogue recording device, and most of the evidence was easily viewed using a standard VHS player. Today, recovering digital video requires special skills, knowledge, training and equipment. New Digital Video Recorders (DVRs) record video images as zeros and ones that can be stored on digital storage devices.

Analogue video technology, on the other hand, relies on a common frequency-based signal that is carried at approximately 4.28 MHz and stored as magnetic information on a videotape. Most DVRs employ lossy compression so that large amounts of data can be stored on computer hard drives; the compression reduces the amount of data needed to represent the original image. As a result the image loses detail and may be of poor quality, so it is important for investigators to acquire the best available evidence accurately (Medler, 2008).

The first digital forensics workshop stated that a digital forensics framework must be flexible enough to support future technology and different types of cases. It may therefore be said that if the framework is too simple and abstract, it can be difficult to create tool requirements and test procedures (Gary Palmer, 2001).

This research deals with the concept of an investigation in order to determine the requirements, and with the results obtained from the framework of the existing event, which could be used for the development of a synopsis.

1.2 Digital Forensic Investigation

The American Heritage Dictionary defines forensic as an adjective relating to the use of science or technology. Forensic work is therefore a process that must use science and technology, and whose results must be usable in a court of law. With digital evidence, technology is always used to process the digital data, so the difference between a forensic and a non-forensic investigation of digital data is whether the evidence can be used in a court of law. A forensic investigation is a process that uses science and technology to develop and test hypotheses in order to answer questions about events that occurred. A digital forensic investigation is a process that uses science and technology to examine digital objects and that develops and tests hypotheses, which can be entered into a court of law, to answer questions about events. For example, consider the Daubert guidelines, which some U.S. courts use to determine the reliability of scientific and technical evidence (Houghton Mifflin Company, 2000).

1.3 Recovery of Digital Video Evidence

At present, no standard exists in the optical industry for securely extracting and accessing digital video evidence. Operating systems, transmission technologies and component hardware clearly vary from manufacturer to manufacturer. As a result, there is no 'best process' for connecting to a digital video recorder in order to recover digital evidence. However, it is essential to avoid processes that may change or alter the original data during the acquisition attempt. Most digital video systems provide a mechanism for recovering the original data as it was first recorded to the DVR. It is equally important to understand that many DVRs recompress the video images to another format on output. The reason given for recompressing the visual information is to allow easy viewing in a standard digital video file format. Recompression alters the original data and always removes actual image detail. Therefore, recompressed data should not be relied on for examination purposes if the original data exists and is available for forensic analysis (Gary, 2001).

1.4 Recovery of Video Evidence

Law enforcement agencies should follow all the general principles for preserving video evidence. These principles are as follows:

1. Rules of Evidence

The general rules of evidence are the same and should be applied to all video evidence as they would be to any other type of evidence, such as fingerprints.

2. Chain of Custody

Proper chain-of-custody documentation should be used and preserved so that the video evidence is safe and can be tendered in court.

3. Evidence Preservation

Before video evidence is taken, action should be taken to ensure that the evidence is not changed under any circumstances. For this to happen, the following needs to be done:

a. For analogue video evidence, the record tab needs to be removed or moved to somewhere safe.

b. For digital video evidence, write protection needs to be put in place on the system.

4. Evidence Storage

A room kept at a low temperature should be used to store video evidence.

5. Custodian Responsibility

Responsibility for maintaining the evidentiary value of the video evidence rests with the person who seized it or signed to receive it (Wesley, 2003).

Chapter 2|Literature Review

2.1 Introduction

Forensic analysis of images and video can be useful in helping to identify individuals, vehicles and objects, and can help to determine the sequence of events during an incident. However, it is vital that this analysis is performed correctly so that the images remain true to their original content and context. That is why experts tend to use the most up-to-date equipment and specialist software, so as to ensure that all evidence is examined in accordance with established best practices.

Experts perform a range of specialised forensic procedures and tests in order to determine the events recorded, for example the actions taken by an individual, or whether an individual can be seen carrying a gun, knife or other weapon. These specialised tests and procedures produce more accurate and definable results, which may then be analysed in greater detail, including through digitisation, enlargement and enhancement. This optimises the image and often reveals information that is extremely useful to an investigation (Kenneally, 2002).

2.2 Issues in evidence

Digital forensics has been defined by Biros and Weiser (2006) as "scientists acknowledge and apply to preparations similarities, security, tests, series and analysis of facts stored or transferred in binary form in a polite acceptable way for application in legal demands". A digital forensic investigation needs defined procedures that comply with industry tests and practices and with the appropriate laws, whether for criminal investigations or general security incidents. The skills and tools used by investigators may vary, but the process generally includes organizing, acquisition, preservation, analysis and reporting. Presenting digital evidence is a unique legal challenge for computer forensic professionals. Evidence in legal cases is admitted or not admitted based on the relative weight of its probative and prejudicial value. Because the legal system is based on precedent, forensic investigators must introduce consistency into the expanding field of extracting and examining evidence (Johnson, 2005).

2.3 Digital Investigations and Evidence

There are a number of definitions in the area of digital investigations and digital forensics; this section gives the definitions that will be used. The focus of a digital investigation is usually some type of digital device that has been used in an incident or crime. The digital device was either used to commit a physical crime or it executed a digital event that violated a policy or law. An example of the first case is a suspect who used the Internet to research a physical crime. The latter case is normally one in which a suspect gains access to a computer that they are not authorised to use. The person using the computer may download contraband material, or may just send a threatening e-mail. As soon as the violation is detected, an investigation is started to answer questions about why the crime occurred and who or what caused it.

A digital investigation is a process in which hypotheses are developed and tested in order to answer questions. This is done using a scientific method, in which a hypothesis is developed from the evidence and then tested by looking for evidence that shows the hypothesis is not possible. Digital evidence is an object that contains useful information that supports or disproves a hypothesis.

For example, consider a server that has been compromised. An investigation is started to determine how it happened and who did it. During the investigation, data created by events related to the incident can be found. Examining the server can reveal deleted log entries, attack tools, and various vulnerabilities that existed on the server. From this data, hypotheses can be formulated about the weakness the attacker used to gain access and what they did afterwards. Later, the firewall logs can be examined to show that some of the sequences in the hypotheses are impossible because they depend on a type of network traffic that could not have existed (Group et al., 2006).

In my research, evidence has been used in the investigative context. Evidence has both legal and investigative uses. The definition given previously was for the investigative uses of evidence, not all of which can be entered in a court of law. As legal requirements may vary by country, and this research might not have a legal background, a general focus on the subject of evidence is given, whatever the jurisdiction.

The word "forensic" has not yet been used in this discussion of a digital investigation. The American Heritage Dictionary defines the term forensic as an adjective and "relates it to the use of science and technology used in the investigation and establishes it of facts or even evidence in the court of law" (Houghton Mifflin Company, 2000).

The nature of digital evidence requires the use of technology during an investigation, so the introduction of legal requirements can be identified as the difference between a digital investigation and a digital forensic investigation. A digital forensic investigation is a process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about the events that occurred. A digital forensic investigation is also a more constrained form of forensic investigation.

2.4 Digital Crime Scene Investigation Process

There are different approaches to an investigation, and some are more effective than others. The process used in this report is the digital crime scene investigation process (Carrier, 2003). Here the crime scene is the digital environment of software and hardware. The process consists of basic stages: preserving the system, searching for evidence, and reconstructing the event.

These stages need not take place one after the other. They can be used when investigating both live and dead systems. A live analysis is one in which the operating system or other resources of the system being investigated are used to find evidence. A dead analysis is preferable to a live analysis, because in a live analysis data can be falsified or concealed, but a dead analysis is not possible in all circumstances.

2.5 Jurisdiction of case

Computer systems can raise questions about jurisdiction, because the legal system differs from one jurisdiction to another depending on the location of the data and information (Wilson, 2008). Digital forensic evidence must meet the formal evidentiary requirements if it is to be admissible in a court of law in a particular jurisdiction. In one case, a businessman was awarded the right to sue for defamation in Australia by the Australian High Court over an article published in the United States and posted on the Internet.

Chapter 3|Methodology

3.1 Search and seizure of digital evidence

Article 12 of the UN Declaration of Human Rights endorses the right of privacy for everyone (Whitehead, 2005).

The seizure of digital evidence is closely linked to the issue of privacy: people have the right to be secure in their houses, papers, persons, and effects against unreasonable searches and seizures. For example, in United States v. Triumph Capital Group, the government sought and obtained a search warrant to search and seize a laptop computer in a public corporation case, which avoided an infringement of privacy (Kroll Ontrack Inc, 2004). Such seizures are often a target for challenge in court.

3.2 Evidence analysis

Evidence determines the outcome in the courtroom, which calls for sound methods in the collection of evidence and for making sure that the evidence has not been tampered with in the process of analysis (Huebner & Hensksen, 2008). Forensic examiners will normally perform an autopsy of the forensic evidence, using special equipment and techniques, to determine the actions that were carried out on the computer involving its stored data (Thomas, 2004). An incorrect analysis of evidence can adversely affect its admissibility in court. Forensic investigators have to be able to defend their findings in court. For example, in Galaxy Computer Services Incorporation v. Baker, the experience of a computer forensic expert was challenged and the court ruled on this legal argument. The defendant's lawyer argued that the testimony of the plaintiff's computer forensic expert should be excluded because he was unqualified and had used incorrect procedures. The court rejected the defendant's motion, stating that the computer forensic expert had a good educational background, skill, knowledge and experience (Find Law, 2005).

In another example, police seized computers from the defendant and asked an independent software company to analyze the evidence. The defendant argued that the evidence had been corrupted and should therefore be excluded. However, the court decided that the analysed evidence was trustworthy and acceptable (Howell & Cogar, 2003).

A process Model for seizure and handling of forensic evidence

3.3 System Preservation Phase

The system preservation phase is one of the early stages of the investigation process, in which the investigator tries to preserve the state of the digital crime scene. The actions taken in this phase vary depending on the legal, business, or operational requirements of the investigation. For example, legal requirements may make it necessary to unplug the system and make a full copy of all data. At the other extreme could be a case involving a spyware infection (Dixon, 2005).

In a corporate or military setting, most investigations will not go to court and will use techniques in between these two extremes. This process continues after data has been acquired from the system, because we need to preserve the data for future analysis. The purpose of this phase is to reduce the amount of overwritten evidence.

3.4 Preservation Techniques

The goal of this phase is to reduce the amount of evidence that is overwritten, so we want to limit the number of processes that can write to storage devices. For a dead analysis, all processes are terminated by turning the system off, and duplicate copies of all data are made.

For a live analysis, suspect processes can be killed or suspended. The network connection can be unplugged, or network filters can be applied, to prevent the perpetrator from connecting from a remote system and deleting data. Important data should be copied from the system while searching for evidence, in case it is overwritten.

When important data is saved during a dead or live analysis, a cryptographic hash should be calculated so that any later change to the data can be shown. A cryptographic hash, such as MD5, SHA-1 or SHA-256, is a mathematical formula that generates a very large number based on input data. If any bit of the input data changes, the output number changes dramatically. The algorithms are designed so that it is extremely difficult to find two inputs that generate the same output. So, if the hash value of important data changes, the data has been modified (Stahlberg et al., 2007).

3.5 Evidence Searching Phase

Once steps have been taken to preserve the data, it needs to be searched for evidence. Recall that we are looking for data that supports or refutes hypotheses about the incident. This process usually begins with a survey of common locations based on the type of incident. For example, when investigating Web-browsing habits, the Web browser cache, history file, and bookmarks are looked at. When investigating a Linux intrusion, signs of a rootkit or new user accounts are looked for. As the investigation proceeds, hypotheses are developed and evidence is searched for that will support or disprove them. It is important to look for evidence that disproves a hypothesis instead of only looking for evidence that supports it. The theory behind the searching process is fairly simple: define the general characteristics of the object being searched for, and then look for that object in a collection of data. For example, if all files with the JPG extension are wanted, each file name is looked at to identify those ending with the characters ".JPG" (Robbins, 2008).

Chapter 4|Results and Discussion

4.1 Data Analysis

The last section discussed searching for digital evidence, which is a rather general statement because evidence could be found anywhere. This section tries to narrow down the different areas in which digital evidence is searched for.

I have found that digital forensics has existed for as long as computers have stored data that can be used as evidence. Digital forensics has been used by government agencies for many years but has become common in the commercial sector over the past several years. Over time, analysis software was customised and developed and made available for both the private and public sectors (Michael et al., 2005).

4.2 Digital forensic analysis

Digital forensic analysis identifies digital evidence for an investigation.

An investigation typically uses both physical and digital evidence, together with the scientific method, to draw conclusions. Investigations that use digital forensics include computer intrusion, unauthorised use of company computers, child pornography, and any physical crime whose suspect had a computer. At the most basic level, digital forensics has three major phases:

Acquisition

Analysis

Presentation

The acquisition phase saves the state of the digital system so that it can be analysed at a later stage. This is similar to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. Since it is unknown which data will be used as digital evidence, the goal of this phase is to save all the available digital values. For this reason, both the allocated and unallocated areas of the hard disk are copied; the copy is known as an image. Tools are used in the acquisition phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as little as possible and copy all data. The analysis phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence:

Inculpatory Evidence: This supports a given theory

Exculpatory Evidence: This contradicts a given theory

Evidence of tampering: This cannot be related to any theory, but shows that the system was tampered with to avoid identification. This phase includes examining file and directory contents and recovering deleted content (Michael et al., 2005).

The method used in this phase is to reach conclusions based on the evidence found. Tools in this phase analyse a file system to list the contents of directories and the names of deleted files, perform deleted file recovery, and present data in the most useful format. This phase should use an exact copy of the original, which can be verified by calculating an MD5 checksum. It is equally important that these tools show all data that exists in an image. Irrespective of the investigation setting, the steps performed in the acquisition and analysis phases are similar because they are dominated by technical issues rather than legal ones. The presentation phase, by contrast, is based entirely on policy and law, which are different for each setting. This phase presents the conclusions and corresponding evidence from the investigation.

In a corporate investigation, the audience typically includes the general counsel, human resources, and executives. Privacy laws and corporate policies dictate what is presented. In a legal setting, the audience is normally a judge and jury, but lawyers must first evaluate the evidence before it is entered (Robbins, 2008).
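The hash check described in section 3.4 and the verified working copy required in the analysis phase above can be sketched as follows; this is an added example, not code from the essay. It uses SHA-256 in place of the MD5 checksum the essay mentions, because practical collisions are known for MD5 and SHA-1, and the in-memory "device" and all function names are constructed for the illustration.

```python
"""Added illustration: hash-verified acquisition of a constructed evidence image."""
import hashlib
import io

CHUNK = 64 * 1024  # fixed read size so memory use does not grow with device size


def acquire(source, dest, algorithm="sha256"):
    """Copy source to dest chunk by chunk, hashing exactly the bytes that were read."""
    hasher = hashlib.new(algorithm)
    copied = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        dest.write(chunk)
        hasher.update(chunk)
        copied += len(chunk)
    # This record is what goes into the case notes next to the image.
    return {"algorithm": algorithm, "bytes": copied, "digest": hasher.hexdigest()}


def verify(image, record):
    """Re-read a working copy and report whether it still matches the record."""
    image.seek(0)
    hasher = hashlib.new(record["algorithm"])
    size = 0
    for chunk in iter(lambda: image.read(CHUNK), b""):
        hasher.update(chunk)
        size += len(chunk)
    return size == record["bytes"] and hasher.hexdigest() == record["digest"]


def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted (simulates a silent change)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    # Constructed stand-in for a suspect device: 200 KiB of patterned bytes.
    device = bytes((i * 31 + 7) % 256 for i in range(200 * 1024))
    image = io.BytesIO()
    record = acquire(io.BytesIO(device), image)

    intact = verify(image, record)                      # untouched working copy
    tampered = io.BytesIO(flip_bit(image.getvalue(), 12345))
    altered_ok = verify(tampered, record)               # one bit changed

    new_digest = acquire(io.BytesIO(tampered.getvalue()), io.BytesIO())["digest"]
    return record, intact, altered_ok, differing_bits(record["digest"], new_digest)


if __name__ == "__main__":
    record, intact, altered_ok, changed = demo()
    print(record)
    print("intact copy verifies:", intact)
    print("altered copy verifies:", altered_ok)
    print("digest bits changed by a one-bit edit:", changed)
```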

4.3 Admissibility of digital forensic evidence

4.3.1 Overview

To be accepted in court, evidence must be relevant and reliable. The reliability of scientific evidence is determined by a judge in a pre-trial "Daubert hearing".

The responsibility of the judge is to determine whether the methodology underlying the technique used to identify the evidence is sound and whether, as a result, the evidence is reliable. The Daubert process identifies four general categories that are used as guidelines when assessing a procedure:

Testing: Can and has the procedure been tested?

Error Rate: Is there a known error rate of the procedure?

Publication: Has the procedure been published and subject to peer review?

Acceptance: Is the procedure generally accepted in the relevant scientific community?

The Daubert Test is an expansion of the Court’s prior approach to the admissibility of scientific evidence. Previously, under the "Frye Test", courts placed responsibility for identifying acceptable procedures on the scientific community using peer-reviewed journals. However, as not every field has peer-reviewed journals, the Daubert Test offered additional methods of testing the quality of evidence.

Each guideline is addressed below in more detail with respect to digital forensics. The guidelines are examined for both data acquisition tools and analysis tools. The majority of digital forensics involves acquiring hard drives and analysing file systems, so special attention should be paid to these tools and to the general procedures for copying data from one storage device to another and for extracting files and other data from a file system image (Robert, 2004).

4.3.2 Testing

The testing guideline asks whether a procedure can be tested to make sure that it provides accurate results. This is a complex problem in digital forensics because of the complexity of computers. Two major categories of tests must be performed on the tool output:

False Negatives

False Positives

False-negative tests ensure that the tool provides all available data from the input. For example, when a tool lists the contents of a directory, all files should be displayed. Likewise, if the tool is capable of listing deleted file names, all deleted names should be displayed. An acquisition tool must copy all data to the destination. This category is the easiest to test, and most formalized testing of digital forensic tools is of this type. Known data is planted on a system, the system is acquired and analyzed, and it is verified that the data can be found.

False-positive tests ensure that the tool does not introduce new data to the output. For example, when a tool lists the contents of a directory, it should not add new file names. This category is more difficult to test. One way to check that a tool is not introducing data is to validate the results with a second tool (Herath et al., 2005).

The National Institute of Standards and Technology (NIST) has a dedicated group working on Computer Forensics Tool Testing (CFTT). They develop test methodologies for a category of tools and conduct tests using specific input cases. They have not created a test methodology for analysis tools until now. The tests planted data in different locations on different disk types, acquired the disk, and tried to find the planted data. These evaluations are useful when considering which tool to purchase, but they should not be the only ones available for a legal process.

The correct way to test forensic tools is an open one. Requirements must therefore be drawn up for each type of tool, and tests must be designed to enforce those requirements. Catching bugs with specific test conditions for all tools can only go so far, because of the large number of possible tests. For example, designing a comprehensive set of test requirements for all NTFS file system analysis tools is a massive task, especially because the file system structures are not public. It is unlikely that a test suite can be developed that validates every possible file system configuration within the time available. In fact, the testing requirements are likely to be stricter for digital forensic analysis tools than for the original application or operating system.

An analysis tool must handle every possible situation, because otherwise a suspect could create a situation that conceals data from the investigator. The original application usually only has to test that it can handle every situation that it can create itself. Although no standard testing methodology has been created, errors in today's closed and open source applications are identified by investigators in the field and reported. A common argument against open source applications is that people with malicious intent can find flaws in the source code and exploit them without publishing the details. While this scenario is possible, it is not unique to open source applications. Flaws and bugs are found in both closed and open source applications, and it is just as probable that a malicious person could exploit a closed source application. The long-term solution is a comprehensive test methodology that decreases the total number of flaws, so that the chances of exploitation by a malicious person are decreased. However, having access to a tool’s source code will improve the quality of the testing process, as bugs can be identified through a code review and by designing tests based on the design and flow of the software. Experienced and unbiased experts should conduct these tests, and all details should be published. At a minimum, closed source tools should publish design specifications so that third parties, such as NIST CFTT, can more effectively test the tool’s procedures (Gary, 2001).

4.3.3 Error Rates

The error rate guideline asks whether there is a known error rate for a procedure used in a digital forensic investigation. Digital forensic tools normally process data through a series of rules. The developers of the original application designed these rules. For instance, a file system analysis tool uses the specifications of a file system. If the specification is public, there should be no errors in the tool except programming mistakes. If the specification is not public, there could be errors because the specification has not been fully understood. This situation is similar to the testing techniques associated with natural systems such as DNA tests or fingerprints, which have an error rate based on how the test was conducted.

Two types of error can be found in digital forensic tools: Tool Implementation Error and Abstraction Error. Tool Implementation Error arises from bugs in the code or from using the wrong specification. Abstraction Error, on the other hand, arises from the tool making decisions that are not 100% certain. This normally occurs with data reduction techniques or when data is processed in a way it was not originally designed for. It is relatively easy to give each procedure an Abstraction Error value, and this value will improve with research. It is more difficult to assign a value for Tool Implementation Error. An error rate could be calculated for each tool based on the number and severity of its bugs. Maintaining such a value would require access to the bug history of the tool. This is relatively easy for open source tools: even if a bug is not documented, the latest source release can be compared with the previous one to find out which code changed. The error rate would be very difficult to maintain for closed source applications, because a bug that was never made public could be quietly fixed and never added to the error rate (Biros and Weiser, 2006).

Moreover, an error rate is difficult to establish for commercial tools, which are driven by revenue and sales volume. Publishing error rates is a guarded subject for vendors who fear the loss of sales. As a formula for calculating an error rate has not been proposed, market share has been used as a metric, on the reasoning that a tool with a high error rate would not be purchased and used. This may be true, but a more scientific approach could be developed as the field matures. Sales figures do not show how often a tool is used or the complexity of the data it is processing. An error rate must account for both simple analysis scenarios and complex ones where the suspect has tried to hide data from the tool.

To calculate the margin of error it is necessary to develop the testing methodology guidelines required by the. Open source tools, or closed source tools with a documented design, allow a testing methodology to be created more easily. Besides, it is much more difficult for an open source application to hide its history of bugs and errors (Casey, 2008).

4.3.4 Publication

Under the earlier Frye test, publication was the prerequisite for admission of evidence. A peer-reviewed journal for the area of digital forensics, the International Journal of Digital Evidence, has appeared only recently, and so far it has not addressed tool procedures. Technical magazine articles have been used to show publication.

In the case of file system analysis, the procedures that need to be published are those that are used to break. A single article may state that a tool is used extensively and list certain features. Publications of this kind may treat high-level disk acquisition and analysis themes, but they do not address the technical procedures used to extract evidence from the system. It is only through the efforts of the Linux community that the detailed structures of NTFS are openly known. It is important that a tool publish the procedures it uses to handle a file system type, especially one without documentation.

Furthermore, most digital forensic file system analysis tools show the files and directories that were recently deleted, and these can occasionally be restored. These functions were not part of the original file system specifications, so there is no standard method for performing them. The names of deleted files are found by processing unused space and finding data that meets some sanity-check requirements. If the sanity checks are too strict, some deleted names will not appear and evidence cannot be found. If the requirements are too low, data is displayed that is not correct. The details of this operation have to be published so that it can be determined how an investigator's actions are performed (Carroll 2006).
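The trade-off between strict and loose sanity checks can be shown on a small scale. The following is an added example, not code from the essay or from any forensic tool; it assumes FAT-style 32-byte directory entries, where a deleted entry has 0xE5 as its first byte, and every entry in the sample buffer is constructed.

```python
import struct

ENTRY, DELETED = 32, 0xE5        # entry size; first byte of a deleted entry
NAME_OK = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _-~!#$%&")
TOTAL_CLUSTERS = 4096            # assumed size of the constructed volume

def fat_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day

def make_entry(name, ext, date, cluster, size, deleted=True):
    """Build one constructed 32-byte entry (sample input, not case data)."""
    raw = name.ljust(8).encode() + ext.ljust(3).encode()
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    # attribute byte, 12 skipped bytes, write date, start cluster, size
    return raw + struct.pack("<B12xHHI", 0x20, date, cluster, size)

def looks_deleted(entry, strict):
    """Sanity check on one 32-byte slot of unused directory space."""
    if entry[0] != DELETED:
        return False
    if not strict:
        return True              # loose: the marker byte alone is enough
    attr, date, cluster, _size = struct.unpack("<B12xHHI", entry[11:])
    day, month = date & 0x1F, (date >> 5) & 0x0F
    return (all(b in NAME_OK for b in entry[1:11])
            and (attr & 0xC0) == 0           # reserved attribute bits clear
            and 1 <= day <= 31 and 1 <= month <= 12
            and 2 <= cluster < TOTAL_CLUSTERS)

def recover_names(unused, strict):
    """Return the deleted file names found, first character unknown ('_')."""
    names = []
    for off in range(0, len(unused) - ENTRY + 1, ENTRY):
        e = unused[off:off + ENTRY]
        if looks_deleted(e, strict):
            base = e[1:8].decode("latin-1").rstrip()
            ext = e[8:11].decode("latin-1").rstrip()
            names.append("_" + base + ("." + ext if ext else ""))
    return names

UNUSED = b"".join([              # constructed unused space, four slots
    make_entry("SECRET", "TXT", fat_date(2017, 11, 2), 345, 1200),
    # genuine deleted entry whose date field was partly overwritten
    make_entry("LEDGER", "XLS", fat_date(2017, 0, 9), 346, 900),
    # file content that merely happens to start with 0xE5
    bytes([DELETED]) + bytes(range(0x80, 0x9F)),
    make_entry("README", "TXT", fat_date(2017, 1, 5), 10, 64, deleted=False),
])

if __name__ == "__main__":
    print("strict:", recover_names(UNUSED, strict=True))
    print("loose: ", recover_names(UNUSED, strict=False))
```

The strict pass misses the genuine LEDGER entry because one damaged field fails the date check, while the loose pass reports it together with a name built from unrelated bytes.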

In 1999 the FBI published, in its forensic science journal, a document on the use of digital photography.

In the software section of its guidelines, a note is made that manufacturers of software used for image processing can be required to make the software source code available to litigants, subject to an appropriate protective order designed to protect the property interests of the manufacturer. Failure on the part of a manufacturer to provide this information to the opposing party can lead to the exclusion of photographic evidence from the court proceedings, so this should be considered when choosing software. Software developers should therefore be responsible for releasing source code when their tool is used to generate evidence. If a developer is not willing to do so, this should be known early so that it can be a factor when buying an analysis tool. Where the courts allow the source code to be reviewed by an expert witness but not disclosed, this guideline can be satisfied if a generally accepted technique for data processing is available. The expert witness can compare the source code with the accepted procedures and verify that they are properly implemented.

The publication guideline is very important and is the one most lacking in digital forensic analysis. Little has so far been published on deleted file recovery and file system analysis. Closed source tools should publish a design specification that documents the procedures and details of analysis. Open source tools disclose all procedures through source code and allow one to verify that the tool is indeed following the published process and not publishing only the minimum required. Moreover, open source tools should publish the procedural details in a language other than just source code (Venzi, 2007).

4.3.5 Acceptance

The acceptance guideline is the framework in which the relevant scientific community evaluates published procedures, so published procedures are required for the guideline to be satisfied. Closed source tools have previously responded to this guideline by pointing to their large number of users, but acceptance of a tool is different from acceptance of a procedure. If only a few tools are available that perform an action and none of them has published the details of that action, then the choice will be based on non-procedural factors such as interface and support. The size of the user community is not a valid measure of acceptance of a procedure, so procedural details should be published and should become a factor when buying digital forensic analysis tools.

Open source tools document their procedures by providing the source code, which enables the community to accept or reject them (Takahashi 2004).

4.4 Federal Rules of Evidence

It is debatable whether digital evidence is scientific evidence covered by the guiding principles above, or falls under the Federal Rules of Evidence as technical rather than scientific testimony. Under the rules, a process can be authenticated with evidence describing the system used to get a result and showing that it produces an accurate result. This directly addresses the publication and error rate guidelines. The rules also cover the testing guideline, since a testing methodology must be in place before an error rate can be calculated. The basic concepts of the guidelines are therefore applicable to digital evidence irrespective of whether it is treated as non-scientific technical testimony or as scientific evidence (Orzo 2000).

4.5 A Balanced solution

Since many digital forensic analysis tools are developed with commercial interests, it is not likely that vendors are ready to publish all of their source code. By using the tool definitions that follow, one could provide a more practical solution than 100% open source.

Tools can be placed in two categories: extraction and presentation. An extraction tool is one that processes data to extract a subset of it. For example, an extraction tool may process a file system image and output the content of files and their metadata, such as the last access time. Presentation tools arrange the data from an extraction tool into a helpful format. One tool can take on both roles, or the roles can be separated. An extraction tool could analyse a file system image and output the names and times of each file. One presentation tool could then display the data sorted by directory, which is how most people view a file system. Another presentation tool could display the same data, but sorted by the access, modify or change times to create a timeline of activity (CCLSR 2004).

If the extraction tools are open source and the investigator has access to the output of this layer, then the output of the presentation tool can be verified against it. Presentation tools can therefore remain closed source with a published design. Moreover, several of the new features in digital forensic file system analysis tools are based on presentation. For example, looking up hashes in a database, enterprise solutions that work across a network, comparing file type with extension, and keyword searches are actions that occur after the data is extracted from the file system image. Hence, creating standard techniques of data extraction would not limit a software company's ability to remain competitive. The differentiators between vendors can be in the areas of user interface, features, and support. This would allow vendors to focus on innovative presentation techniques for file system analysis and on improving extraction tools in less mature areas, such as networks and log reduction. This model also allows an accurate error rate to be calculated, as all data extraction related bug fixes would be made public. If multiple tools use the same code base to extract the data, a stable code base and testing methodology can be established fairly quickly (Takahashi, 2004).
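The separation of the two layers, and the check of a presentation tool's output against the extraction layer, can be sketched as follows. This is an added example, not code from the essay or from any tool it cites; the record format (path plus modified, accessed and changed times) and all sample records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed output of a hypothetical open source extraction tool:
# (path, modified, accessed, changed), times as epoch seconds.
EXTRACTED = [
    ("/docs/report.doc", 1509600000, 1509610000, 1509600000),
    ("/docs/notes.txt", 1509500000, 1509620000, 1509500000),
    ("/img/photo1.jpg", 1509400000, 1509400500, 1509400000),
    ("/img/photo2.jpg", 1509630000, 1509630000, 1509630000),
]

def directory_view(records):
    """Presentation 1: file names grouped by parent directory."""
    tree = defaultdict(list)
    for path, *_times in records:
        parent, _sep, name = path.rpartition("/")
        tree[parent or "/"].append(name)
    return {d: sorted(names) for d, names in tree.items()}

def timeline_view(records):
    """Presentation 2: one event per timestamp, sorted into a timeline."""
    events = []
    for path, m, a, c in records:
        events += [(m, "modified", path), (a, "accessed", path),
                   (c, "changed", path)]
    return sorted(events)

def verify_timeline(shown_events, records):
    """Compare a presentation tool's timeline with the extraction output.

    Returns events the presentation dropped and events it shows that the
    extraction layer never produced.
    """
    expected = Counter(timeline_view(records))
    shown = Counter(shown_events)
    return {"missing": sorted((expected - shown).elements()),
            "unexpected": sorted((shown - expected).elements())}

if __name__ == "__main__":
    print(directory_view(EXTRACTED))
    # Simulate a presentation bug: first event dropped, one time altered.
    shown = timeline_view(EXTRACTED)[1:]
    shown[-1] = (shown[-1][0] + 60,) + shown[-1][1:]
    print(verify_timeline(shown, EXTRACTED))
```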

In addition, the tools would have similar error rates, because the only differences would be in interface bugs and in the presentation of data. Vendors may therefore be more willing to participate in an effort to calculate error rates. This open source model is different from the one most people are familiar with. The aim of many open source projects is to have a large number of developers who can access and update the code. For the aim described here, the code would be easy to access for inspection but with only limited access for updating. The developers would be a limited group of people, with a panel validating all software updates. At the same time, the released code would be cryptographically signed by the group.

4.6 Analysis Types

When analysing digital data, one is looking at an object that was designed by people. Moreover, the storage systems of most digital devices have been designed to be scalable and flexible, so they have a layered design (Carrier, 2003).

If one starts at the bottom of the design layers, two independent analysis areas can be recognised. One is based on storage devices and the other on communication devices. This research focuses on the analysis of storage devices, specifically non-volatile devices such as hard disks (Casey 2004).

The figure shows the different types of analysis across these areas. The bottom layer is Physical Storage Media Analysis, which involves an analysis of the physical storage medium. Examples of physical storage media include memory devices, hard disks, and CD-ROMs. An analysis in this area could involve reading data from between tracks or other techniques that might need a clean room (Group et al. 2003).

Figure

Storage devices that are used for non-volatile storage are typically organized into volumes. A volume is a collection of storage addresses that a user or application can write to and read from. There are two kinds of volume organisation: partitioning, where one volume is split into several smaller volumes, and assembly, where multiple volumes are combined into one larger volume, which may later be examined. Examples of these include Apple partitions, DOS partition tables, and RAID arrays, but some media, such as floppy disks, do not have any data at all in this layer, and the full disk is the volume. Data at the volume level needs to be analysed to determine where the file system or other data are located and to find out whether there is hidden data. Within each volume there could be any type of data, but the most common contents are file systems; other volumes contain databases or may be used as temporary swap space. One analyses the file system to find files, recover deleted files, and find hidden data. The results of file system analysis can be file content, data fragments, and data associated with files.

To understand the content within single files, one needs to move to the application layer. Internally, files have very different structures, and different tools are needed for the analysis of each. Application analysis is very important; this is where we analyse configuration files to determine what programs were running, or determine what a JPEG image contains. Volumes are analysed at the file system layer to produce files. Files are then analysed at the application layer (Herath et al., 2005).

4.7 Essential and Nonessential Data

Every layer contains data structures, but not every structure is essential for the layer to serve its main purpose. The purpose of the file system layer is to organise an empty volume so that data can be stored and retrieved at a later time. The file system is required to associate the name of a file with the content of the file. The name, and the location on disk of the file's content, are therefore essential. This can be seen in the figure, where a file named miracle.txt has its content at address 345. If either the name or the address is incorrect or missing, the contents of the file cannot be read. For example, if the address were set to 344, the file would have different content (Carroll, 2006).

Figure

5. Conclusion

This research has introduced a new approach to forensic investigations of visual images through content-based image retrieval (CBIR). CBIR techniques were originally developed for other application areas and are applied here for the purposes of digital forensics. The approach extracts a 'fingerprint' (feature set) from an image and then performs comparisons to find the top match within a group of pictures. A prominent feature of this method is that it does not require the original image to be stored, only the fingerprint for subsequent comparison. The main advantage is that this allows the building of a reference database of fingerprints of contraband images; a secondary benefit is that it significantly reduces the storage requirements of the reference database, making it much easier to achieve good performance at reasonable.

A series of experiments has been conducted to assess the suitability of the CBIR techniques used for forensic purposes. In particular, the report tests the robustness of query results when the reference database is searched for versions of the original images obtained through common transformations, such as resizing. The results, based on a sample of images, strongly support the suitability of the chosen techniques for forensic purposes. Specifically, the report proposes two main applications. The widespread use of computers and online access in homes, businesses and government facilities has revolutionised how information is accessed and stored. The digital revolution has created the need for new laws, computer forensic investigators, forensic methods, forensic tools and techniques.
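The fingerprint idea summarised in the two paragraphs above (store a feature set instead of the image, then match resized copies against it) can be illustrated with a minimal sketch. This is an added example, not the tools or feature set used in the report: a normalised intensity histogram stands in for the feature set as an assumption, and the three images are constructed gradients.

```python
def synth_image(w, h, lo, hi):
    """Constructed grayscale image: diagonal gradient from lo to hi."""
    return [[lo + (x + y) * (hi - lo) // (w + h - 2) for x in range(w)]
            for y in range(h)]

def resize(img, new_w, new_h):
    """Nearest-neighbour resize, the kind of transformation tested."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]

def fingerprint(img, bins=16):
    """Feature set: fraction of pixels falling in each intensity bin."""
    hist = [0] * bins
    for row in img:
        for v in row:
            hist[v * bins // 256] += 1
    total = len(img) * len(img[0])
    return [count / total for count in hist]

def distance(fp_a, fp_b):
    """L1 distance between two fingerprints (0 means identical)."""
    return sum(abs(a - b) for a, b in zip(fp_a, fp_b))

def best_match(query_fp, reference_db):
    """Name of the reference fingerprint closest to the query."""
    return min(reference_db,
               key=lambda name: distance(query_fp, reference_db[name]))

# The reference database holds fingerprints only, never the images.
IMAGES = {"A": synth_image(64, 64, 0, 255),
          "B": synth_image(64, 64, 0, 100),
          "C": synth_image(64, 64, 150, 255)}
REFERENCE_DB = {name: fingerprint(img) for name, img in IMAGES.items()}

if __name__ == "__main__":
    half = fingerprint(resize(IMAGES["A"], 32, 32))
    double = fingerprint(resize(IMAGES["A"], 128, 128))
    mirrored = fingerprint([row[::-1] for row in IMAGES["A"]])
    print(best_match(half, REFERENCE_DB), distance(half, REFERENCE_DB["A"]))
    print(distance(double, REFERENCE_DB["A"]))
    # A mirrored image has the same fingerprint, so the fingerprint
    # cannot be inverted to recover one particular original.
    print(mirrored == REFERENCE_DB["A"])
```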

Computer forensic investigation has become an overriding resource for lawyers and prosecutors in criminal and civil procedure. The computer forensics investigator faces the problem of conducting forensic investigations and providing forensic evidence that will be acceptable in court. The forensic investigator is expected to be competent in the use of a variety of forensic tools and to ensure that every forensic investigation process is conducted within the acceptable legal framework of the court system.

The model shown gives a forensic process that should be adhered to. Further development of this model may be undertaken to highlight specific areas of concern for the presentation of evidence in court. The areas identified as most likely to be questioned in a legal case are competence, search and seizure, exploitation of evidence, and preservation of evidence. In addition, common pitfalls and suggested corrections to this method can be identified. There is a growing body of precedent in which digital evidence has been challenged, which confirms the importance of forensic procedures and adherence to them. Models such as the one that appears in this paper can be a cornerstone for the development of this area, which will no doubt become more important in future.


