Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
8Activity
0 of .
Results for:
No results containing your search query
P. 1
Forensic Cop Journal 2(2) 2009-Standard Operating Procedure of Audio Forensic

Forensic Cop Journal 2(2) 2009-Standard Operating Procedure of Audio Forensic

Ratings: (0)|Views: 670|Likes:
This journal describes the Standard Operating Procedure (SOP) of Audio Forensic. This SOP explains about the importance of audio forensic in criminal investigation and how to do it properly through the steps proposed.
This journal describes the Standard Operating Procedure (SOP) of Audio Forensic. This SOP explains about the importance of audio forensic in criminal investigation and how to do it properly through the steps proposed.

More info:

Published by: Muhammad Nuh Al-Azhar on Dec 19, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/05/2012

pdf

text

original

 
Forensic Cop Journal Volume 2(2), Dec 2009
 
http://forensiccop.blogspot.com1
Standard Operating Procedure of Audio Forensic
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police
 –
Coordinator of Digital Forensic Analyst TeamForensic Lab Centre of Indonesian National Police HQ 
Introduction
There are many types of digital evidence which could be encountered by digital forensicanalyst in dealing with computer crime or computer-related crime. Not only files, videos,digital images, encrypted items, unallocated clusters, slacks and so forth, but also digitalaudio files might be analysed. In certain cases, the audio files become significant evidence toshow the involvement of the perpetrators in the criminal case. Usually it contains speechrecords between two or more people talking about a plan to commit a crime; therefore theanalyst should be able to reveal this conversation to the criminal investigators. With thisevidence, the investigators have strong reason to prove that the perpetrators have planneda crime.To reveal the conversation contained in the audio files is not an easy job. The analyst shouldfollow strict guidelines of audio forensic so that the output of analysis could be accepted bythe court. Once the analyst does one step of analysis carelessly, the results of analysis mightbe rejected by the court. To reach the results of audio forensic analysis in the best output,this journal discusses Standard Operating Procedure (SOP) of Audio Forensic. With this SOP,it is expected that the analyst could have a good guidelines in guiding them to performaudio forensic analysis in step by step, so that the result of analysis is reliable.The SOP of Audio Forensic comprises five steps, namely acquisition, authentication, audioenhancement, decoding and voice recognition. Below is the explanation of each step.
Step 1: Acquisition
At this moment, conversation records which would like to be analysed are usually containedin the digital recorder in the form of audio files. It means that it is digital evidence whichrequires digital forensic procedure in order to handle it properly. Firstly, prepare theanalysis workstation to be ready to access the evidence of digital recorder. It can be reachedby applying write protect on the workstation. With this protect, it is expected that thecontents of digital recorder will not be changed during the process of acquisition. Writeprotect in this case could be software or hardware, or even by legally tweaking a certain fileon Linux system. For this purpose (i.e. forensically sound write protect on Ubuntu system),please access the forensic blog of  http://forensiccop.blogspot.com on how to do it properly.
 
Forensic Cop Journal Volume 2(2), Dec 2009
 
http://forensiccop.blogspot.com2
After ensuring the write protect runs well, attach the digital recorder into the workstation,after that do forensic imaging. It means that the contents of the recorder are imagedphysically through bit stream copy method, so that it produces an identical forensic imagewhich is 100% the same as the source (i.e. the evidence of digital recorder). To do forensicimaging, the digital forensic analyst could use some reliable forensic tools running underWindows such as FTK Imager from Access Data or EnCase from Guidance Software,meanwhile the analyst could also rely on dcfldd on Linux system to do the same thing. Toknow how to perform forensic imaging properly by using dcfldd on Ubuntu machine andhow to check the identical image, please also accesshttp://forensiccop.blogspot.som.  Briefly the analyst could do hashing to obtain md5 or sha1 value as the digital fingerprint oneither the source or the image. The values are then compared between the source and theimage. If they are match, it means that they are identical and the process of forensicimaging is successful.Based on this reason, it is expected that the analyst should also be able to understand Linuxsystem (i.e. in this case, it is Ubuntu) for digital forensic purposes, not only Windows. Withvariety of forensic tools under Windows and Linux, the analyst will have many ways to dodigital forensic in order to obtain the best results.
Step 2: Authentication
On this step, the analyst extracts the audio file which would like to be analysed from theimage file; and then checks whether or not the file is original. If it is found that it has beentampered causing the contents changed, so the further steps must be stopped. It is not trueto continue analysis when the audio file is not original. If the analyst still wants to do so, sothe results will be unreliable or even it will be rejected by the court. The effect of this, thecredibility of the analyst becomes sharply decreased.To know the originality of the audio file, the analyst could apply two techniques, namelymetadata analysis and spectrum analysis. On metadata analysis, the analyst checks the MAC(i.e. Modified, Access and Created date) time of the file. If the Modified and Created datesshow the same, so it can be considered the file is original. When a recording is started, therecorder automatically makes a new audio file as the output of the recording after finishes.This is the same as digital image produced by still image camera. The files produced havethe same Modified and Created dates. If the Created date is younger than the Modifieddate, it means that the file is the result of copy-paste process. The file is originally fromother storage media; and then copied and pasted into the recorder. If this is found, so thefile stored in the recorder is not original.On spectrum analysis, the analyst could use applications (i.e. software, hardware or both) toanalyse the spectrum of the file. One of them which is well-known in audio signal processing
 
Forensic Cop Journal Volume 2(2), Dec 2009
 
http://forensiccop.blogspot.com3
is Cedar Cambridge. This instrument provides many modules for processing the audio. Onemodule which is useful to analyse the audio spectrum is Retouch. With this module, theaudio spectrum is visualised clearly, so that the analyst could find whether or not there isediting or insertion in the contents of the audio. If such issues are not found, so the audiocan be considered original, otherwise it is not. To do spectrum analysis by Retouch on Cedarinstrument is not an easy work, the analyst must be carefully in analysing every area of theaudio. The combination of General and Zooming analysis is the best technique to see thearea of the audio clearly and precisely.
Step 3: Audio Enhancement
Many times, the evidence obtained is the audio with poor quality to listen. The poor audiogives difficulty for the analyst to listen and to know what words pronounced by thespeakers. The conversation between two or more people is not clear, or even it is worst, the
speaker’s voice cannot be listened at all. The noise sound is much louder than the human
voice. To solve this problem, the analyst should be able to improve the quality over audioenhancement by removing noises. The output of audio enhancement is that the audioquality becomes clear to listen.To do audio enhancement, the analyst could use several reliable applications, eithercommercials or freeware. After dealing with these applications, it is found that thecommercials application such as Cedar Cambridge is better than freeware tools such asAudacity on noise removal. However Audacity is still the first choice for audio signalprocessing users as it can be run on either Windows or Linux. Besides flexibility, Audacityprovides user many useful modules to enhance the audio quality. They are noise removal,high pass filter, low pass filter, amplify, click removal, normalize and so forth. Howeverthese modules are not sufficient when dealing with high level of noise. For instance, theconversation between two people is recorded with the background of jet engine sound asthe noise. The human voice cannot be listened at all. The only sound listened is the jetengine sound. To remove such noises, the analyst could use Cedar Cambridge providingmany powerful modules for noise filtering. The modules offered by Cedar are Retouch, DNS(Dialogue Noise Suppression), NR (Noise Reduction), Dehiss, Declick, Decrackle, Debuzz,Spectrum Analysis and so forth. These modules are reliable to process any types of noise, sothat the analyst has a wide range of noise removal tools to apply.
Step 4: Decoding
On this step, the enhanced audio with good quality is decoded by the analysts. There is nodecoding for poor audio. The output of decoding process is transcript describingconversation in the audio. The analysts have to transcript any words pronounced by the
speakers clearly. For the words pronounced unclearly, the analysts have to put “unc
lear
words” in the transcript.

Activity (8)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
tpqnhat liked this
Ong Soongin liked this
Su San To liked this
Nader Abouargoub liked this
rfcarr2009 liked this

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->