Cyber Forensic Investigation
OUTLINE
•   Investigation Tools
•   eDiscovery
•   Evidence Preservation
•   Search and Seizure of Computers
•   Introduction to Cyber Security
                    Introduction
• Computer/cyber forensics is a branch of digital
  forensic science pertaining to evidence found in
  computers and digital storage media.
• The goal of computer forensics is to identify, preserve,
  recover, analyze and present facts and opinions about
  the digital information.
• It is used to solve a variety of crimes, including:
  - Fraud
  - Cracking
  - Child pornography
  - Espionage: the act of obtaining secret or confidential information,
    or divulging of the same, without the permission of the holder.
  - Cyberstalking: use of the Internet or other electronic means to
    stalk or harass an individual, group, or organization.
Markus Hess: Early Example of Digital Forensics
 • Markus Hess was a German citizen known for his
   hacking in the late 1980s. He hacked military networks in
   the US, Europe and East Asia, and sold the information
   to the Soviet KGB for $54,000.
 • Used a transatlantic cable to Tymnet International
   gateway, which routed him to any computer that also
   used the Tymnet service.
 • Clifford Stoll, a systems admin for a lab in California,
   traced the call made to a Tymnet switch in Oakland,
   CA. By tracing various calls, they traced Hess to
   Hanover, Germany.
 • Stoll created fake military project records on
   computers that would be hacked by Hess, to keep him
   connected long enough to trace his connection.
              Introduction
• Hardware comprises the physical components
  of the computer. It is a computer component
  that you can see, feel, and touch.
   - the computer chassis
   - monitor
   - keyboard
   - mouse
   - hard disk drive
   - random-access memory (RAM)
   - central processing unit (CPU)
                Introduction
• Software is a set of instructions compiled into a
  program that performs a particular task.
• It consists of programs and applications that carry
  out a set of instructions on the hardware.
• Operating systems (e.g., Windows, Mac OS, Linux,
  Unix), word-processing programs (e.g., Microsoft
  Word, WordPerfect), web-browsing applications
  (e.g., Internet Explorer, Safari, Firefox), and
  accounting applications (e.g., Quicken, QuickBooks,
  Microsoft Money) are all examples of software.
What do Digital Forensics Experts Do?
 
     Gather evidence
 
     Preserve data integrity (Chain of evidence)
 
     Analyze evidence
 
     Present evidence
       Computer Investigation Techniques
• Cross-drive analysis: correlates information found on
  multiple hard drives. The process can be used to identify
  social networks and to perform anomaly detection.
   - Multi-drive correlation using text searching, e.g. email
     addresses, message IDs, credit card numbers or social
     security numbers. Such techniques can identify drives of
     interest from a large set, provide additional information
     about events that occurred on a single disk, and potentially
     determine social network membership.
   - Timelines (e.g. MACE times): tools currently exist that
     can extract dates and times from the file system metadata
     and also examine the content of certain file types and
     extract metadata from within.
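The multi-drive correlation described above, as an added example that is not part of the original slides: features (email addresses and Luhn-valid 16-digit card numbers) are pulled from raw image bytes, and drives are ranked by the features they share. The drive names and byte strings are constructed sample data, and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Patterns run over raw bytes, so they also hit unallocated or deleted data.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
CARD_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; discards 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_features(image: bytes) -> set:
    """Return the set of (kind, value) features found in one drive image."""
    feats = {("email", m.group().lower().decode()) for m in EMAIL_RE.finditer(image)}
    feats |= {
        ("card", m.group().decode())
        for m in CARD_RE.finditer(image)
        if luhn_ok(m.group())
    }
    return feats


def correlate(drives: dict) -> dict:
    """Map each feature seen on two or more drives to the sorted drive ids."""
    index = defaultdict(set)
    for drive_id, image in drives.items():
        for feat in extract_features(image):
            index[feat].add(drive_id)
    return {f: sorted(ids) for f, ids in index.items() if len(ids) >= 2}


def drive_pair_scores(shared: dict) -> dict:
    """Count shared features per drive pair; high scores mark related drives."""
    scores = defaultdict(int)
    for ids in shared.values():
        for pair in combinations(ids, 2):
            scores[pair] += 1
    return dict(scores)


# Constructed sample "images": raw bytes with padding around the features.
SAMPLE_DRIVES = {
    "drive-A": b"\x00" * 32 + b"From: alice@example.com\r\nTo: bob@example.org\r\n"
               + b"\x00" * 16 + b"card 4111111111111111 ok",
    "drive-B": b"junk" + b"Reply-To: BOB@example.org" + b"\xff" * 8
               + b"4111111111111111" + b"\x00 serial 1234567890123456",
    "drive-C": b"\x00" * 64 + b"carol@example.net only here",
}

if __name__ == "__main__":
    shared = correlate(SAMPLE_DRIVES)
    for feature, ids in sorted(shared.items()):
        print(feature, "->", ids)
    print(drive_pair_scores(shared))
```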
          Investigation Techniques
• Live analysis: the examination of computers from within
  the operating system using custom forensics or existing
  sysadmin tools to extract evidence.
   - useful when dealing with Encrypting File Systems
     (Encryption is the process of encoding a message or
     information in such a way that only authorized parties can
     access it.)
   - logical hard drive volume may be imaged (live
     acquisition) before the computer is shut down.
   - to recover RAM data
• Recovering Deleted files: Most operating systems and
  file systems do not always erase physical file data,
  allowing investigators to reconstruct it from the
  physical disk sectors. File carving involves searching for
  known file headers within the disk image and
  reconstructing deleted materials.
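Header-based file carving as described above, as an added example that is not part of the original slides. It scans a raw image for JPEG and PNG header signatures, carves up to the matching footer, and flags headers with no footer in range. The sample image is constructed, and the function names are assumptions of this example.

```python
import hashlib

SECTOR = 512
# (type, header magic, footer magic) for two formats with a fixed trailer.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return one record per header found, ordered by offset in the image.

    A record is complete when a footer follows the header within max_size
    bytes. The first footer wins, so files with embedded thumbnails or
    fragmented storage need a format-aware carver.
    """
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header without footer: data was overwritten or fragmented.
                found.append({"type": name, "offset": start, "length": None,
                              "sha256": None, "complete": False})
                pos = start + len(header)
                continue
            stop = end + len(footer)
            data = image[start:stop]
            found.append({"type": name, "offset": start, "length": len(data),
                          "sha256": sha256_hex(data), "complete": True})
            pos = stop
    return sorted(found, key=lambda rec: rec["offset"])


# Constructed sample objects (valid magic bytes, placeholder bodies).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
SAMPLE_TRUNCATED = b"\xff\xd8\xff\xe1" + b"header only, rest overwritten"


def pad(data: bytes) -> bytes:
    """Pad data with zero bytes to a whole number of sectors."""
    return data + b"\x00" * ((-len(data)) % SECTOR)


def build_sample_image() -> bytes:
    """Constructed image: deleted files left behind in unallocated sectors."""
    empty = b"\x00" * SECTOR
    return (empty + pad(SAMPLE_JPEG) + empty
            + pad(SAMPLE_PNG) + pad(SAMPLE_TRUNCATED))


if __name__ == "__main__":
    for rec in carve(build_sample_image()):
        print(rec)
```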
       Investigation Techniques
• Stochastic forensics: a method which uses
  stochastic properties of the computer system
  to investigate activities lacking digital artifacts.
  Its chief use is to investigate data theft.
• Steganalysis: Steganography is the process of
  hiding data inside of a picture or digital image,
  e.g. to hide pornographic images of children or
  other information that a given criminal does
  not want to have discovered.
         Investigation Techniques
Steganalysis is the art of detecting and decoding
hidden data by looking at the hash of the file
and comparing it to the original image (if
available). While the image appears exactly the
same, the hash changes as the data changes.
Hash values can be thought of as fingerprints for files. The
contents of a file are processed through a cryptographic
algorithm, and a unique numerical value – the hash value - is
produced that identifies the contents of the file.
           Investigation Tools
• Debian-based
• Kali Linux is a Debian-derived Linux
  distribution designed for digital forensics and
  penetration testing, formerly known as
  BackTrack
• Parrot Security OS is a cloud-oriented
  GNU/Linux distribution based on Debian and
  designed to perform security and penetration
  tests, do forensic analysis, or act in anonymity.
             Investigation Tools
• Ubuntu-based
   - CAINE Linux is an Ubuntu-based live CD/DVD.
     CAINE stands for Computer Aided INvestigative
     Environment. It contains a wealth of digital forensic
     tools.
   - DEFT Zero (Digital Evidence & Forensic Toolkit) is
     another live CD, but focused on cloning machines.
     (Penetration testing is the practice of testing a computer
     system, network or web application to find security
     vulnerabilities that an attacker could exploit.)
• Gentoo-based
   - Pentoo (Penetration Testing Overlay) is a live CD
     and USB designed for penetration testing and
     security assessment. It is available as an overlay
     for an existing Gentoo installation.
           Investigation Tools
Commercial Packages
  Encase
  Forensics Tool Kit (FTK)
Open Source Software
  Sleuth Kit libraries
  Autopsy GUI
           Investigation Tools
Encase Forensic - Guidance Software
  Mobile/Cybersecurity/eDiscovery
  Court approved forensic file format.
  Extensive training program.
Forensic Tool Kit (FTK) - Access Data
  Memory analysis
  Custom tablet for mobile phone acquisition
  Built in decryption and password cracking
  Email analysis
           Investigation Tools
The Sleuth Kit Libraries
- collection of command line tools that allows us to
analyze disk images and recover files from them
- allows you to analyze volume and file system data
“Autopsy” GUI
- allows us to analyze hard drives and smartphones
efficiently.
- Libraries can be used in automated Forensics tasks
                  eDiscovery
• Electronic discovery refers to any process in
  which electronic data is sought, located,
  secured, and searched with the intent of using
  it as evidence in a civil or criminal legal case.
• It is subject to rules of civil procedure
      Types of eRecords sought/produced
•   texts, images, calendar files
•   databases, spreadsheets
•   audio files, animation, flash video, tape backups
•   Web sites and computer programs
•   Emails and attachments
•   Deleted messages, business contacts
     Importance of E-Discovery
• More than 90% of records created today are in
  e-format.
• More than 70% of electronic info is never printed.
• According to the 2005 reports, 90 percent of
  U.S. corporations are engaged in some type of
  litigation and E-discovery represents 35% of
  the total cost of litigation
• The number of worldwide email users is
  projected to increase from over 1.4 billion in
  2009 to almost 1.9 billion by 2013.
E-Discovery process
Authenticity of E-Discovery Document
• The more you can show that the data was properly
  secured, the easier it is to convince the Court of its
  authenticity.
• Data that has been accessible to many different
  persons could more easily have been modified
• One needs to have in place firewalls, anti-virus,
  anti-malware and intrusion detection and prevention
  software to prevent data from being changed or
  deleted by attackers or malicious software.
Authenticity of E-Discovery Document
• Enable file access auditing so you can show who
  has accessed the data and when.
• Digitally sign important documents and email
  messages to authenticate the identity of the
  creator or sender and ensure that no changes
  were made.
        Destruction of E-evidence
 A subpoena or witness summons is a writ issued by a court
 to compel testimony by a witness or production of evidence
 under a penalty for failure.
• In SonoMedica, Inc. v. Mohler, 2009 U.S. Dist.
  LEXIS 65714 (E.D. Va. July 28, 2009), a civil case, two
  individuals' computers were subpoenaed for
  examination and the Court ordered the parties to
  turn over their home computer "without it being
  touched except to turn it off." A forensic expert
  discovered that before turning over the
  computer "22,603 files/folders had been affected
  and that 556 were deleted manually." The court
  ordered a penalty of $108,212.15 in fees and
  referred the case for criminal proceedings.
   Digital Evidence Preservation
The isolation and protection of digital evidence
exactly as found without alteration so that it can
later be analyzed.
      Digital Evidence Preservation
1. Drive Imaging
Before investigators can begin analyzing evidence from a
source, they need to image it first.
Imaging a drive is a forensic process in which an analyst
creates a bit-for-bit duplicate of a drive.
When analyzing the image, investigators should keep in
mind that even wiped drives can retain important
recoverable data to identify and catalogue.
      Digital Evidence Preservation
1. Drive Imaging
As a rule, investigators should exclusively operate on the
duplicate image and never perform forensic analysis on the
original media.
Limiting actions on the original computer is important,
especially if evidence needs to be taken to court, because
forensic investigators must be able to demonstrate that
they have not altered the evidence whatsoever by
presenting cryptographic hash values, digital time stamps,
legal procedures followed, etc.
      Digital Evidence Preservation
2. Hash Values
When an investigator images a machine for analysis, the
process generates cryptographic hash values (MD5, SHA-1).
The purpose of a hash value is to verify the authenticity
and integrity of the image as an exact duplicate of the
original media.
Hash values are critical, especially when admitting evidence
into court, because altering even the smallest bit of data
will generate a completely new hash value.
      Digital Evidence Preservation
2. Hash Values
When you create a new file or edit an existing file on your
computer, it generates a new hash value for that file.
This hash value and other file metadata are not visible in a
normal file explorer window but analysts can access it using
special software.
If the hash values do not match the expected values, it may
raise concerns in court that the evidence has been
tampered with.
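The imaging and hash-verification steps above, and the hash comparison against an original file described on the steganalysis slide, as an added example that is not part of the original slides. It copies a source bit-for-bit while hashing, re-verifies the image later, and shows that a single flipped bit changes every digest. File names and contents are constructed; SHA-256 is computed alongside the MD5 and SHA-1 the slides name, because practical collisions exist for both of those.

```python
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # read in 1 MiB chunks so large images fit in memory


def hash_file(path, algos=ALGOS):
    """Hash a file with several algorithms in a single pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source_path, image_path, algos=ALGOS):
    """Bit-for-bit copy of source to image; returns the acquisition hashes.

    The source is opened read-only and the image with mode "xb", which
    refuses to overwrite an existing evidence file.
    """
    hashers = {a: hashlib.new(a) for a in algos}
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(image_path, acquisition_hashes):
    """Re-hash the image and compare with the values recorded at acquisition."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    mismatched = [a for a in acquisition_hashes
                  if current[a] != acquisition_hashes[a]]
    return {"match": not mismatched, "mismatched": mismatched, "current": current}


def flip_bit(path, byte_offset, bit=0):
    """Simulate the smallest possible alteration: one bit in one byte."""
    with open(path, "r+b") as f:
        f.seek(byte_offset)
        original = f.read(1)[0]
        f.seek(byte_offset)
        f.write(bytes([original ^ (1 << bit)]))


def demo():
    """Acquire a constructed source, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.dd")    # constructed "drive"
        image = os.path.join(workdir, "evidence.dd")   # working copy
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 64)            # 16 KiB of sample data
        acquired = acquire(source, image)
        before = verify(image, acquired)
        flip_bit(image, 1000)
        after = verify(image, acquired)
        source_unchanged = hash_file(source) == acquired
    return {"acquired": acquired, "before": before, "after": after,
            "source_unchanged": source_unchanged}


if __name__ == "__main__":
    result = demo()
    print("acquisition hashes:", result["acquired"])
    print("verified before tampering:", result["before"]["match"])
    print("verified after one bit flip:", result["after"]["match"])
```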
      Digital Evidence Preservation
3. Chain of Custody
As investigators collect media from their client and transfer
it when needed, they should document all transfers of
media and evidence on Chain of Custody (CoC) forms and
capture signatures and dates upon media handoff.
This artifact demonstrates that the image has been under
known possession since the time the image was created.
Any lapse in chain of custody nullifies the legal value of the
image, and thus the analysis.
      Digital Evidence Preservation
3. Chain of Custody
Any gaps in the possession record, including any time the
evidence may have been in an unsecured location are
problematic. 
Investigators may still analyze the information but the
results are not likely to hold up in court against a
reasonably tech-savvy attorney.
Forms that investigators use to clearly and easily document
all records of change of possession are easy to find on the
Internet.
Search and Seizure of Computers
      Search and Seizure of Computers
The Fourth Amendment states:
The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon
probable cause, supported by Oath or affirmation,
and particularly describing the place to be
searched, and the persons or things to be seized
                     Seize what
•   HW
•   SW
•   Data
•   All things digital
•   All things related to digital
•   Media, notes, documentation
•   Stay within the bounds of the search warrant
 Search Warrants for Computer stuff
2 separate search warrants are required
• Number 1:
     • Search premises, people, vehicles, etc.
     • Seize computers, docs, data media, etc.
• Number 2:
     • Search the contents of the computers, digital devices, etc.
                          Rule # 1
• If it is off, leave it off.
• Photograph everything
   - the screen of each computer that is on
   - The entire area containing HW & cables
   - Floor plan
       • Locate all equipment
       • Number all equipment on the floor plan
         After Pictures of an “on” PC
• If the computer is a stand alone PC
      • pull the plug
      • Do not turn it off
• If it is a laptop
      • Pull the plug
      • If it is still on, it has a functioning battery
          – Pull the battery
          – Keep the battery separate
               Cyber Security
• Cyber security refers to the body of
  technologies, processes, and practices designed
  to protect networks, devices, programs, and data
  from attack, damage, or unauthorized access.
• It is the protection of computer systems and
  networks from the theft of or damage to their
  hardware, software, or electronic data, as well as
  from the disruption or misdirection of the
  services they provide.
         Categories of Cyber Crime
We can categorize cyber crime in two ways:
The computer as a target: Using a computer to
attack other computers, e.g.
• Hacking, Virus/Worms attacks, DoS attack etc.
The computer as a weapon: Using a computer
to commit real world crime
• e.g. credit card fraud etc.
              Types of Cyber Crime
•   Hacking
•   Phishing
•   Denial of Service
•   Spam Email
•   Spyware, Adware
•   Malware (Trojan, Virus, Worms etc.)
•   Ransomware
                     Hacking
• Hacking in simple terms means an illegal
  intrusion into a computer system and/or
  network.
• It is also known as cracking.
• Government websites are the hot targets of
  the hackers due to the press coverage they
  receive.
                       Phishing
• Phishing is a fraudulent attempt, usually made
  through email, to steal your personal information.
• Phishing is the attempt to obtain sensitive
  information such as username, password and credit
  card details, often for malicious reasons through an
  electronic communication (such as E-mail).
• A common online phishing scam starts with an email
  message that appears to come from a trusted
  source (legitimate site) but actually directs recipients
  to provide information to a fraudulent web site.
                  Denial of Service
• This is an act by the criminals who flood the bandwidth
  of the victim's network.
• A hacker uses a single internet connection to either
  send information that triggers a crash or flood a target
  with fake requests so as to exhaust server resources.
• DDoS attacks are launched from multiple connected
  devices that are distributed across the internet.
• DoS = When a single host attacks.
• DDoS = when multiple hosts attack simultaneously
  and continuously.
                     Malware
• It is malicious software (like viruses, worms and
  Trojans), which is specifically designed to disrupt
  or damage a computer system or mobile device.
• Hackers use malware for extracting personal
  information or passwords, stealing money or
  preventing owners from accessing their device.
• Viruses are programs that attach themselves to a
  computer or a file and then circulate themselves to
  other files and to other computers on a network.
  They usually affect the data on a computer and
  mobile device either by altering or deleting it.
• Worms, unlike viruses, do not need a host to attach
  themselves to. They merely make functional copies of
  themselves and do this repeatedly till they eat up all the
  available space on the computer’s memory.
• A Trojan is a type of malware that pretends to be something
  useful, helpful, or fun while actually causing harm or stealing
  data. Trojans often silently download other malware
  (e.g. spyware, adware, ransomware) onto an infected device as
  well.
• Trojans can infect you in places where you might not expect
  it, such as emails, downloads and more. It's always better to
  be safe than sorry when it comes to avoiding this type of
  malware.
                     Spyware
• Type of malware that hackers use to gain access
  to your personal information, banking details or
  online activity. We should protect ourselves by
  using an anti-spyware tool.
                    Adware
• Type of malware that bombards you with
  endless ads and pop-up windows that could
  potentially be dangerous for your device. The
  best way to remove adware is to use an adware
  removal tool.
                      Ransomware
• Ransomware (a.k.a. rogueware or scareware)
  restricts access to your computer system and
  demands that a ransom is paid in order for the
  restriction to be removed.
• The most dangerous ransomware attacks are caused
  by WannaCry, Petya, Cerber and Locky ransomware.
• The money which is supposed to be paid to remove
  ransomware from your system is called ransom
  money.
        Advantages of Cyber Security
• It will defend us from hacks and viruses.
• It helps us to browse safe websites.
• Internet security processes all the incoming and
  outgoing data on our computer.
• The cyber security application used on our
  PC needs an update every week.
• The security developers update their
  database once every week. Hence new
  viruses are also detected.
             Cyber Security Tools
• Use Antivirus Software.
• Install firewalls.
• Uninstall unnecessary software.
• Maintain backup.
• Check security settings.
• Never give your full name or address to
  strangers.
• Learn more about Internet privacy.
Fingerprint analysis
                  Outline
•   Introduction
•   Fundamental principles of fingerprinting
•   Classification of fingerprints
•   Development of fingerprint as science for
    personal identification.
                  Introduction
• The first systematic attempt at personal identification
  was devised and introduced by a French police expert,
  Alphonse Bertillon, in 1883. The Bertillon system relied
  on a detailed description of the subject, combined with
  full-length and profile photographs and a system of
  precise body measurements known as anthropometry.
• The use of anthropometry as a method of identification
  rested on the premise that the dimensions of
  the human bone system remain fixed from age 20 until
  death. Skeleton sizes were thought to be so extremely
  diverse that no two individuals could have exactly the
  same measurements.
                 Introduction
• In ancient Babylonia and China, thumbprints and
  fingerprints were used on clay tablets and seals as
  signatures.
• The pioneer in fingerprint identification was Sir
  Francis Galton, an anthropologist by training, who
  was the first to show in the 1880s how fingerprints
  could be used to identify individuals.
• Sir Edward Richard Henry, a British official stationed
  in India, began to develop a system of fingerprint
  identification for Indian criminals.
                    Introduction
• In the United States, the first systematic and official use
  of fingerprints for personal identification was adopted by
  the New York City Civil Service Commission in 1901.
• The Federal Bureau of Investigation has the largest
  collection of fingerprints in the world.
• To eliminate duplicate fingerprints and make it easier to
  store and share fingerprints among law enforcement
  agencies, the FBI developed the Automated Fingerprint
  Identification System (AFIS) in 1991, which computerized
  the card system.
 First Case Based on Fingerprint Evidence
• The first murder case in the United States in which
  fingerprint evidence was used successfully was People
  v. Jennings in Illinois in 1910.
• On the night of September 19, 1910, Clarence B. Hiller,
  encountered an intruder in his home and a struggle
  ensued.
• Both fell to the foot of the stairway and Mr. Hiller was
  shot twice. He died moments later.
• Mrs. Hiller screamed and the intruder fled...
• Luckily, the outside veranda had recently been painted
  and it was here that the imprint of four fingers of
  someone's left hand was found imbedded in the fresh
  paint.
  First Case Based on Fingerprint Evidence
• At about 2:38 a.m. Thomas Jennings was spotted by police
  and was questioned as to what he was doing out so late.
• They searched him and discovered a loaded revolver.
• Later, police found that Jennings had just been released on
  parole in Aug, 1910 after serving a sentence for burglary.
• His fingerprint card was on file and was compared to the
  prints lifted at the Hiller household.
• Four fingerprint experts at Jennings' trial declared the
  fingerprints from the crime scene were a conclusive match
  to Jennings own prints.
• Jennings was convicted of murder on February 1, 1911.
• It was shortly after this event that fingerprint science
  spread to all the major American cities across the nation
           What are fingerprints
• Fingerprints are a reproduction of friction skin
  ridges found on the palm side of the fingers and
  thumbs.
• A visual inspection of friction skin reveals a series
  of lines corresponding to hills (ridges) and valleys
  (grooves).
• The shape and form of the skin ridges are what
  one sees as the black lines of an inked fingerprint
  impression (called visual prints).
         What are fingerprints
Once the dermal papillae develop in the human fetus,
the ridge patterns remain unchanged throughout
life, except for enlarging during growth.
           What are fingerprints
• Each skin ridge is populated by a single row of pores
  that are the openings for ducts leading from the
  sweat glands.
• Through these pores, perspiration is discharged and
  deposited on the surface of the skin.
• Once the finger touches a surface, perspiration, along
  with oils that may have been picked up by touching
  the hairy portions of the body, is transferred onto
  that surface, thereby leaving an impression of the
  finger’s ridge pattern i.e. a fingerprint.
• Prints deposited in this manner are invisible to the
  eye and are commonly referred to as latent
  fingerprints.
        Principles of Fingerprinting
1. Individual characteristics
• A fingerprint is an individual characteristic & no two
  fingers are found to have identical ridge patterns.
• Even identical twins, who share same genetic code,
  do not share fingerprints.
• FBI has nearly 50 million fingerprint records and has
  yet to find an identical image belonging to two
  different people.
• Fingerprints are believed to be formed during the
  growth of the human embryo and by the time it is
  six months old, fingerprints are formed.
       Principles of Fingerprinting
2. Remain unchanged
• Fingerprints remain unchanged during the lifetime
  of an individual.
• They may enlarge with physical growth, but the
  patterns stay the same, just like inflating a balloon
  doesn’t change what’s printed on it.
• This characteristic makes them useful for identity
  management, authentication and biometric
  applications.
• In some cases, due to wear or damage (for
  example, severe burn or working in certain
  industries or typing) they may distort or disappear.
Fig. 2-6 Permanence of Fingerprints Over Time 
       Principles of Fingerprinting
3. Unique patterns
• Fingerprints may look complicated, but the fact is
  that they have general ridge patterns, making it
  possible to systematically classify them.
• The individuality of a fingerprint is not determined
  by its general shape or pattern but by a careful study
  of its ridge characteristics (also known as minutiae).
• Minutiae: Ridge endings, bifurcations, enclosures
  and other ridge details that must match in two
  fingerprints to establish their common origin.
Ridge characteristics: minutiae
Core: in a loop fingerprint, this is the centre of the loop.
Delta: in loop and whorl patterns, this is an area where
ridges meet from three directions. (There is usually one
delta on a loop and two or more on a whorl.)
Ridge end: notice where individual ridges come to an
end.
Bifurcation: notice where a ridge divides into two ridges
(like a fork in a road).
Island: notice any short ridges cut off from others.
Crossover: notice where any ridges appear to cross over
each other
     Types of Fingerprint Patterns
1. Arches
Ridges enter on one side and exit on the other
side.
5% of total world’s population is believed to have
arches in their fingerprints.
      Types of Fingerprint Patterns
2. Loops
They have ridges entering on one side and exiting
on the same side.
60 – 65% of world’s population is believed to have
loops in their fingerprints.
[Figure: type lines; ulnar loop and radial loop]
     Types of Fingerprint Patterns
3. Whorls
Consists of circles, more than one loop, or a
mixture of pattern type.
30 – 35% of world’s population is believed to have
whorls in their fingerprints.
              Dermatoglyphics
• The scientific study of fingerprints, lines, mounts
  and shapes of hands, as distinct from the
  superficially similar pseudoscience of palmistry.
              Total Ridge Count
• TRC of a finger is the number of ridges that touch
  across the line of count drawn between the delta
  and core of loop patterns.
[Figure: whorl types: plain, central pocket, double loop]
   Correlation of TRC with genetic diseases
• Trisomy 21 (Down syndrome): people with Down syndrome
  have a fingerprint pattern with mainly ulnar loops,
  a radial loop on ring and index finger,
  and a distinct angle between the triradii a, t, and d (the 'atd'
  angle).
• Klinefelter syndrome: excess of arches on digit 1, more
  frequent ulnar loops on digit 2, overall fewer whorls, lower
  ridge counts for loops and whorls as compared with controls,
  and significant reduction of the total finger ridge count
             Types of Fingerprints
• Plastic prints: Fingerprints on soft surfaces such as
  soap, wax, wet paint, mud etc.
             Types of Fingerprints
• Patent/Visible prints: are formed when blood,
  dirt, ink, paint, etc. is transferred from a finger or
  thumb to a solid surface.
  The solid surface can be smooth or rough, porous (like
  paper, cloth or wood) or nonporous (like metal, glass or
  plastic).
           Types of Fingerprints
Latent prints:
• formed when the body’s natural oils and sweat on
  the skin are deposited onto a solid surface.
• 2 major glands in the dermis: sebaceous glands and
  sudoriferous glands (eccrine and apocrine).
• The print is 99% water (sweat) and the rest is trace
  amounts of amino acids, lipids, urea, lactic acid,
  creatinine, glucose and drugs.
            Types of Fingerprints
Latent prints:
• 250 ng of amino acid per fingerprint. They remain
  there after water evaporates.
• not readily visible and detection often requires the
  use of fingerprint powders, chemical reagents or
  alternate light sources.
• affected by age, gender, occupation, surface
  temperature, humidity, time since they were
  placed
      Collecting Plastic/Patent Prints
• Patent prints are collected mainly using
  photography in high resolution or under
  oblique lighting.
• Latent prints are collected using Physical
  and/or certain chemical methods.
• These prints may also be preserved with
  silicone-type casting materials.
              Collecting Latent Prints
1. Dusting:
• 2 components
  – Pigment (for visualization)
  – Binder (for adhesion to latent print)
• Pigments include black granular powders like
  lampblack, antimony trisulfide, lead iodide, lead
  oxide, mercuric oxide, mercuric sulfide or aluminium
  flakes OR magnetic particles like that of iron.
• Adhesive materials include starch, kaolin, rosin and
  silica gel.
              Collecting Latent Prints
1. Dusting:
• Oils from our finger leave an impression of our prints
  on the slide. When we brush the powder off the
  smooth slide, some of it sticks to the oils, allowing us
  to see the patterns.
• Visualization is done by reflected/absorbed light or
  fluorescence.
• If any prints appear, they are lifted from the surface
  with clear adhesive tape.
• The lifting tape is then placed on a latent lift card to
  preserve the print.
1. Dusting
 A general powder dusting method for latent fingerprint
 development based on AIEgens
 SCIENCE CHINA Chemistry, Volume 61, Issue 8: 966-970(2018)
Abstract
Powder dusting method is the most practically useful approach for latent
fingerprint development in the crime scene. Herein, a general powder dusting
method has been explored for latent fingerprint development based on
aggregation-induced emission luminogens (AIEgens). A series of
tetraphenylethene (TPE) derivatives with multiple diphenylamine (DPA),
namely, TPE-DPA, TPE-2DPA and TPE-4DPA, were selected as candidates to
dope with magnetic powders and applied for latent fingerprint development.
The magnetic powder 3 doped with TPE-4DPA proves to be the best, in terms
of fluorescent intensity, resolution and adhesiveness. Afterwards, the
magnetic powder 3 was applied for visualization of latent fingerprint on
various smooth and porous substrates, including glass, stainless steel, leaf,
ceram, plastic bag, lime wall, wood and paper money. Specific details, such as
island, core, termination and bifurcation, can be clearly observed for the
fluorescent fingerprint images.
           2. Superglue Fuming
• The sweat in a fingerprint evaporates relatively
  quickly while the other compounds remain in the
  print for a longer period of time.
• Cyanoacrylate or super glue fumes adhere to
  amino acids, fatty acids and proteins in a
  fingerprint, where they build up as a crystalline
  white deposit.
• These can be photographed or copied on a tape
  strip.
• The fuming is performed in a developing
  chamber for fingerprints typically on non-porous
  surfaces.
           2. Superglue Fuming
• A few drops of super glue are put into an
  aluminium container which is then placed onto a
  coffee cup warmer.
• Water is also placed into an aluminium container
  on a different coffee cup warmer.     
• The piece of evidence is placed into the
  developing chamber along with the super glue
  and water containers.
• This results in the super glue aggregating on the
  print, leaving a white film on the ridges, making
  the print visible.
              3. Iodine Fuming
• Used to reveal prints on porous and semiporous
  surfaces such as paper, cardboard, and unfinished
  wood but not on metallic surfaces.
• Natural body fats and oils in sebaceous material
  of a latent print temporarily absorb the iodine
  vapors.
• This results in a change in color, from clear to a
  dark brown until the effect fades with time.
• Iodine crystals are placed in the ceramic or glass
  dish.
• Specimen to be processed is placed in the fuming
             3. Iodine Fuming
• Gently heating the crystals causes them to
  sublime.
• The violet iodine vapour adheres selectively to
  fingerprint residues turning them orange/brown.
              3. Iodine Fuming
• In the lab, iodine fuming is done in a chamber.
• At the crime scene, fuming wands or fuming
  guns are used.
• These are simple tubes with a small reservoir for
  iodine crystals.
• The reservoir is heated and iodine vapor is
  expelled from the other end of the tube.
             3. Iodine Fuming
• Semi-permanent: Prints can further be treated
  with a starch solution, which turns the orange
  stains blue-black (persist for weeks to months).
• Permanent fixation can be done with benzoflavone,
  which turns the prints a dark blue color.
     4. Vacuum Metal Deposition
• Uses a gold and zinc combination.
• To reveal prints on clothing, Plastic bags/bottles,
  Glass, Firearms, Glossy papers, clean leather
  items, Adhesive tapes (nonsticky side).
      4. Vacuum Metal Deposition
• The questioned surface is placed in a vacuum
  chamber containing small pieces of gold and zinc.
• The chamber is electrically heated to vaporize
  the metal.
• Zinc cannot deposit on the oily residues present
  in the fingerprint but gold can deposit on the
  entire surface.
• Gold is absorbed into the oil-containing ridges of
  the fingerprint. Thus there is no gold on the
  surface of the ridges.
     4. Vacuum Metal Deposition
• Next, zinc is vaporized and deposits on the
  substance where gold is present, i.e. on the
  background but not on the fingerprint ridges.
• The area where zinc is not deposited will be the
  fingerprint.
           4. Chemical Developers
• Porous surfaces such as paper are typically processed
  with chemicals.
• These chemicals react with specific components of
  latent print residue, such as amino acids and inorganic
  salts.
• Ninhydrin causes prints to turn a purple color, on
  reacting with free amines of lysine residue in proteins.
• DFO (1,2-diazafluoren-9-one) is another chemical
  which causes fingerprints to fluoresce, or glow, when
  they are illuminated by blue-green light.
Ninhydrin
               ACE-V PROCESS
• Analysis, Comparison, Evaluation and Verification
• Used to identify and individualize a fingerprint
• Analysis: Examiner identifies any distortions
  associated with the ridges such as surface or
  deposition factors or processing techniques, that
  may impinge on the print’s appearance.
              ACE-V PROCESS
Comparison: Examiner compares the questioned
print to the known print at three levels.
• Level 1 looks at the general ridge flow and
  pattern configuration.
• Level 2 includes locating and comparing ridge
  characteristics, or minutiae. Such details can
  individualize a print.
• Level 3 includes the examination and location of
  ridge pores, breaks, creases, scars, and other
  permanent minutiae.
               ACE-V PROCESS
Evaluation: this stage requires the examination of the
questioned and known prints in their totality. The final
result of this stage is either individualization,
elimination or an inconclusive determination.
Verification: the examiner’s result requires an
independent examination of the questioned and
known prints by a second examiner. Ultimately, a
consensus between the two examiners must be
arrived at before a final conclusion is drawn.
 Automated Fingerprint Identification Systems
                   (AFIS)
• Uses a computer to scan and digitally encode
  fingerprints
• Automatic scanning devices convert the image of a
  fingerprint into digital minutiae that contain data
  about points of termination (i.e. ridge endings)
  and the branching of ridges into two ridges (i.e.
  bifurcations).
• Relative position and orientation of the minutiae
  are also recorded, allowing the computer to store
  each fingerprint in the form of a digitally recorded
 Automated Fingerprint Identification Systems
                   (AFIS)
• The computer’s search algorithm determines the
  degree of correlation between the location and
  relationship of the minutiae in the search print
  and those in the file prints.
• In this manner, a computer can make thousands
  of fingerprint comparisons in a second.
• For example, a set of ten fingerprints can be
  searched against a file of 500,000 ten-fingerprints
  in about eight-tenths of a second.
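The minutiae encoding and correlation search described above can be sketched as follows. This is an added illustrative example, not code from any real AFIS product; the Minutia record, the tolerances, the scoring rule and the sample prints are all assumptions constructed for the demonstration.

```python
import math
from typing import NamedTuple

class Minutia(NamedTuple):
    x: float
    y: float
    theta: float  # ridge direction in degrees
    kind: str     # "ending" (termination) or "bifurcation"

def move(m, deg, cx, cy, tx, ty):  # rotate about (cx, cy), then put that pivot at (tx, ty)
    r = math.radians(deg)
    dx, dy = m.x - cx, m.y - cy
    return Minutia(tx + dx * math.cos(r) - dy * math.sin(r),
                   ty + dx * math.sin(r) + dy * math.cos(r),
                   (m.theta + deg) % 360.0, m.kind)

def angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def count_pairs(search, file_print, dist_tol=8.0, angle_tol=15.0):
    # Greedy one-to-one pairing on type, position and direction (assumed tolerances).
    used = set()
    for s in search:
        for i, f in enumerate(file_print):
            if (i not in used and s.kind == f.kind
                    and math.hypot(s.x - f.x, s.y - f.y) <= dist_tol
                    and angle_diff(s.theta, f.theta) <= angle_tol):
                used.add(i)
                break
    return len(used)

def match_score(search, file_print):
    # Try every "a is the same minutia as b" alignment and keep the best one.
    best = 0
    for a in search:
        for b in file_print:
            if a.kind == b.kind:
                aligned = [move(m, b.theta - a.theta, a.x, a.y, b.x, b.y) for m in search]
                best = max(best, count_pairs(aligned, file_print))
    return best / max(len(search), len(file_print))

# Constructed sample data, not real fingerprints.
E, B = "ending", "bifurcation"
FILE_PRINT = [Minutia(100, 120, 45, E), Minutia(140, 95, 120, B), Minutia(180, 160, 300, E),
              Minutia(90, 200, 210, B), Minutia(150, 220, 10, E), Minutia(210, 110, 170, B)]
# Same finger as a partial print: five minutiae, rotated 30 degrees and shifted.
SEARCH_PRINT = [move(m, 30, 0, 0, 40, -25) for m in FILE_PRINT[:5]]
# A different finger: the spacing between minutiae does not fit the file print.
OTHER_PRINT = [Minutia(20, 30, 80, E), Minutia(230, 10, 200, B), Minutia(440, 60, 330, E),
               Minutia(10, 240, 15, B), Minutia(220, 250, 140, E), Minutia(450, 270, 260, B)]
```

Because the score depends only on the relative position and orientation of the minutiae, the rotated partial print still scores 5/6 against its file print, while a raw comparison without alignment pairs nothing.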
Fig. 1-4 Architecture of a typical Biometric System 
              Collecting Latent Prints
2. Alternate Light Source (ALS):
• These include laser or LED devices that emit a
  particular wavelength or spectrum of light.
• Some devices have different filters to provide a
  variety of spectra that can be photographed or
  further processed with powders or dye stains.
• For example, investigators may use a blue light with
  an orange filter to find latent prints on desks, chairs,
  computer equipment or other objects at the scene of
  a break-in.