Forensic Data Extraction From UVC Camera embedded Spy Devices: A Case Study

 

Forensic Data Extraction From UVC Camera embedded Spy Devices: A Case Study

Published by : http://www.ijert.org

International Journal of Engineering Research & Technology (IJERT)

ISSN: 2278-0181

Volume 13, Issue 01 January 2024

Prakhar Prasoon, Gouri R. Uplenchwar, P N Ramakrishnan, M Krishna

Central Forensic Science Laboratory, Directorate of Forensic Science Services, Hyderabad, Telangana, India

Corresponding Authors: Prakhar Prasoon, Gouri R. Uplenchwar

abstract the present paper presents an interesting case study of spy cameras, exploring their ethical and legal implications. the case study examines a m mhb keychain spy camera’ and its memory card to determine the presence of an accused individual in recorded video clips. using versatile forensic tools like cellebrite ufed touch 2 and encase, data extraction and analysis were conducted, recovering seven incriminating video clips and numerous images. discrepancies in image counts between tools were observed. this comprehensive approach underscored the importance of employing diverse forensic methodologies for extracting, interpreting, and finalizing digital evidence report. it highlights the challenges posed by hidden surveillance devices, emphasizing the significance of legal and ethical considerations of their use in vital installation and breach of national security.

keywordsuvc camera device, ufed touch 2, encase, spy camera

1. INTRODUCTION

   a spy camera, also known as a covert or hidden camera, is a device employed to capture images or videos of subjects, frequently individuals, without their awareness. these cameras are often concealed from the subjects’ view, either by being camouflaged as other objects or by remaining entirely unseen. such covert cameras are commonly utilized as a means of surveillance [1].

   in the realm of surveillance, the term “hidden camera” denotes recording subjects without their knowledge or consent, while “spy camera” implies that subjects would object to being recorded if aware of its presence [4]. conversely, “security camera” refers to visible cameras or those accompanied by notices, ensuring subjects are aware of being filmed.

   hidden cameras find diverse applications including property security, personal monitoring, photography, and entertainment, although their usage extends to espionage or surveillance by law enforcement, intelligence agencies, corporations, and various entities. unfortunately, they are also employed for illicit activities such as criminal reconnaissance, stalking, or voyeurism [1].

   the utilization of hidden cameras poses significant challenges to personal privacy rights. these covert devices often raise ethical concerns as they capture footage without individuals’ knowledge or consent, potentially intruding upon private spaces or sensitive situations. legal considerations surrounding their use vary considerably based on jurisdiction, encompassing laws related to surveillance, privacy, and consent. in many regions, the legality of hidden camera uses hinges on factors such as the location of recording, the expectation of privacy in that particular space, and the purpose for which the recordings are being made. consequently,

   navigating the legal landscape around hidden cameras involves a complex interplay of local laws, regulations, and ethical considerations [4].

   many spy cameras leverage usb video class (uvc) cameras for their exceptional bandwidth, reliability, and seamless integration. these cameras feature prominently across various applications, including biometric and access control systems, robotic vision, medical imaging, surveillance drones, augmented reality, and numerous other fields. uvc cameras operate as usb-powered devices with built-in standard video streaming capabilities, facilitating smooth connectivity with host machines [3]. these cameras are characterized by standard and class-specific descriptors, which are data structures employed to outline the capabilities of a usb device. the comprehensive set of class-specific video control (vc) unit/terminal descriptors provides a complete description of the video function to the host [6].

   figure 1: block diagram of usb video class application

   in the laboratory, a case involving a suspected ‘m mhb keychain spy camera’ shown in figure-2 was received for examination. the forensic examination entails analyzing a spy device, a memory card, and a photograph of the suspect to determine if the individual was present in the video clips recorded by that particular spy camera. the memory card was subjected to physical extraction using cellebrite universal forensic extraction device (ufed) touch 2 device version

   7.60.0.222 which created ufed dump file which was further parsed using cellebrite physical analyzer version 7.62.0.59. also, it has been imaged and examined using encase version

   6.19 as e01 image.

   IJERTV13IS010016

   (This work is licensed under a Creative Commons Attribution 4.0 International License.)

   Published by : http://www.ijert.org

   figure 2: mhb keychain spy camera with micro-sd memory card 32 gb

2. MATERIALS AND METHODOLOGY

   upon its connection to the fred forensic workstation, the initial step involved evaluating its functionality. the spy camera, identified as general-uvc during this process, exhibited a blinking indicator that served as confirmation of its operational status, thereby validating the functionality of the device. the analysis commenced by utilizing the specialized hardware cellebrite universal forensic extraction device (ufed) touch 2 device version 7.60.0.222 shown in figure 3, specifically designed for data extraction from diverse digital devices, including memory cards. this tool established a connection with the memory card, initiating a comprehensive physical extraction process. this process aimed to capture both visible and deleted data, generating a ufed dump filea complete, unaltered copy of the memory card’s content in a raw format. the steps involved in extraction of the data from the memory card has been shown in figure 4.

   figure 3: cellebrite ufed touch 2 device

   International Journal of Engineering Research & Technology (IJERT)

   ISSN: 2278-0181

   Volume 13, Issue 01 January 2024

   initially, the memory card underwent connection to the ufed touch 2 via the cellebrite memory card reader (set to write blocked mode) shown in figure 5, where the mass storage option was activated. subsequently, the ‘mass storage device’ was specifically chosen, followed by the selection of the physical method within the extraction type, opting for the method 1 mode. lastly, the destination hard drive was connected, and the extraction location interface involved the selection of the ‘removable drive’ option.

   figure 4: steps involved in the extraction of data from memory card

   figure 5: cellebrite memory card reader

   subsequently, the data obtained in the ufed dump file having .ufdx extension underwent analysis using the cellebrite physical analyzer version 7.62.0.59 shown in figure 6. this software facilitated the interpretation and organization of the extracted data. through parsing and structuring, it transformed the complex raw data into a comprehensible format, enabling systematic examination and identification of relevant evidence by forensic examiners [5].

   IJERTV13IS010016

   (This work is licensed under a Creative Commons Attribution 4.0 International License.)

   Published by : http://www.ijert.org

   International Journal of Enineering Research & Technology (IJERT)

   ISSN: 2278-0181

   Volume 13, Issue 01 January 2024

   figure 6 parsing of .ufdx file using cellebrite physical analyzer v 7.62

   moreover, the memory card which was imaged and same was analaysed using encase version 6.19 in ‘.e01’ format. extracted data accessible from the memory card has been retrieved along with their mac properties [2].

   figure 7 analysing imaged data using encase software

   this cardinal standard methodological approach involving specialized hardware and advanced software tools ensured a systematic and detailed process for extracting, analysing, and interpreting digital data from memory cards, supporting forensic analysis and legal validations.

3. RESULTS AND DISCUSSION

   after the forensic examination and analysis of the suspected ‘m mhb keychain spy camera’, utilizing tools like cellebrite ufed touch 2 and encase, significant digital data was recovered from the memory card. after analyzing it with cellebrite physical analyzer version 7.62.0.9, seven video clips and 7,529 images were recovered. subsequently, when the same memory card was imaged with encase version 6.19, the same seven video clips were retrieved, but the number of images retrieved was less, a discrepancy in the number of images was noted in comparison to ufed physical analyzer. this variation in the quantity of images emphasizes the significance of using diverse forensic techniques to ensure thorough data retrieval. it also brings attention to the possible differences in outcomes between various forensic tools during the analysis of digital

   evidence. further file property studies like file extension, hex codes, codecs, metadata and other pixel properties are required, particularly concerning the involvement of the accused individual in the video recordings.

4. CONCLUSION

the examination and analysis involving the m mhb keychain spy camera’ and its associated memory card utilized comprehensive forensic methodologies. the extraction and analysis conducted through tools like cellebrite ufed touch 2 and encase resulted in the recovery of crucial digital content, comprising seven video clips and a significant number of images. notably, discrepancies in image counts between the tools were observed, emphasizing the importance of employing multiple forensic techniques for comprehensive data retrieval and analysis in such cases. this case study underscores the critical role of forensic procedures in uncovering digital evidence, albeit needing further expert scrutiny, especially concerning the presence of the accused individual in the recorded video clips. however, the conclusions drawn from the retrieved data, including the presence of the suspect in the video clips recorded by the spy camera, would require further study and analysis by forensic experts and legal authorities including the codecs and metadata of the images and the videos for the authentication generated by such uvc-cameras can scientifically strengthen the authentication and veracity.

LIST OF ABBREVIATIONS

uvc usb video class

ufed universal forensic extraction device

ACKNOWLEDGMENT

the authors are thankful to shri sujay saha, director, cfsl hyderabad for constant encouragement and support for carrying out r&d activities. also, the authors wish to thank the senior scientists of digital forensics division, cfsl hyderabad for the technical know-how and support during the critical stage of interpretation and finalizing the paper.

REFERENCES

[1] herodotou, s., & hao, f. (2023). spying on the spy: security analysis of hidden cameras. 119. http://arxiv.org/abs/2306.00610

[2] javed, a. r., ahmed, w., alazab, m., jalil, z., kifayat, k., & gadekallu, t. r. (2022). a comprehensive survey on computer forensics: state-of-the-art, tools, techniques, challenges, and future directions. ieee access, 10, 1106511089. https://doi.org/10.1109/access.2022.3142508

[3] krejcar, o. (2013). motion detection using a usb camera. ines 2013 – ieee 17th international conference on intelligent engineering systems, proceedings, 281286. https://doi.org/10.1109/ines.2013.6632827

[4] liu, t., liu, z., huang, j., tan, r., & tan, z. (2018). detecting wireless spy cameras via stimulating and probing. mobisys 2018 – proceedings of the 16th acm international conference on mobile systems, applications, and services, 243255. https://doi.org/10.1145/3210240.3210332

[5] shukla, r. k., agrawal, j., sharma, s., & tomer, g. s. (2019). data, engineering and applications: volume 2. in data, engineering and applications: volume 2 (vol. 2). springer singapore. https://doi.org/10.1007/978-981-13-6351-1

[6] wlodek, j., & gofron, k. j. (n.d.). aduvc – an epics areadetector driver for usb video class devices also at stony brook university , stony brook , usa. https://doi.org/10.18429/jacow-icalepcs2019-wepha174

IJERTV13IS010016

(This work is licensed under a Creative Commons Attribution 4.0 International License.)