sak 4801 introduction to computer forensics chapter 7 image files forensics mohd taufik abdullah...

SAK 4801 INTRODUCTION TO COMPUTER FORENSICSChapter 7 Image Files Forensics

Mohd Taufik AbdullahDepartment of Computer Science

Faculty of Computer Science and Information TechnologyUniversity Putra of Malaysia

Room No: 2.28

Portions of the material courtesy Nelson et. al., and EC-Council

2 Chapter 7 Image Files Forensics SAK4801 Introduction to Computer Forensics

Learning ObjectivesAt the end of this chapter, you will be

able to: Describe types of graphics file formats Explain types of data compression Explain how to locate and recover graphics files Describe how to identify unknown file formats Explain copyright issues with graphics


Chapter 7 Outline 7. Image File Forensics

7.1. Introduction 7.2. Recognize image files 7.3. Understand data Compression 7.4. Locate and recover image files 7.5. Analyze image file header 7.6. Reconstructing file fragments

7.1 Introduction


7.1 Introduction Image file formats can be:

A black and white Image A grayscale Image A color image Indexed Color image

All image formats differ between ease of use, size of the file, and the quality of reproduction

7.2 Recognize Image Files


7.2 Recognize Image Files Contains digital photographs, line art, three-

dimensional images, and scanned replicas of printed pictures Pixels: All small dots used to create images Bitmap images:

collection of dots A representation of a graphics image a grid-

type format Vector graphics: based on mathematical

instructions/equations Metafile graphics: combination of bitmap and

vector images Types of programs

Graphics editors Image viewers


7.2 Recognize Image Files (Cont.) The circled area

in this screen shot shows the resolution of the screen by pixels


7.2.1 Understanding Bitmap and Vector Images Bitmap images

Grids of individual pixels Bitmap images can be made in the following

applications: Photoshop MS Paint Image Ready Paintshop Pro

Continuous tone photos Raster images

Pixels are stored in rows Better for printing


7.2.1 Understanding Bitmap and Vector Images (Cont.) Vector Images

Uses geometric equations Higher quality image than a bitmap Useful for rendering types and shapes Characteristics

Lines instead of dots Store only the calculations for drawing lines and

shapes Smaller size Preserve quality when image is enlarged

CorelDraw, Adobe Illustrator Image quality

Screen resolution Software Number of color bits used per pixel


7.2.2 Understanding Metafile Graphics Metafiles combine raster and vector graphics. Metafiles have similar features of both bitmap and

vector images. When metafiles are enlarged it results in a loss of

resolution giving the image a shady appearance. Example

Scanned photo (bitmap) with text (vector) Share advantages and disadvantages of both types

When enlarged, bitmap part loses quality


7.2.3 Understanding Image File Formats Standard bitmap file formats

Graphic Interchange Format (.gif) Joint Photographic Experts Group (.jpeg, .jpg) Tagged Image File Format (.tiff, .tif) Window Bitmap (.bmp) JPEG 2000 (.jp2) Portable Network Graphics (.png)

Standard vector file formats Hewlett Packard Graphics Language (.hpgl) Autocad (.dxf)


7.2.3 Understanding Image File Formats (Cont.) Nonstandard graphics file formats

Targa (.tga) Raster Transfer Language (.rtl) Adobe Photoshop (.psd) and Illustrator (.ai) Freehand (.fh9) Scalable Vector Graphics (.svg) Paintbrush (.pcx)

Search the Web for software to manipulate unknown image formats


7.2.4 Understanding Digital Camera File Formats Witnesses or suspects can create their own digital

photos Examining the raw file format

Raw file format Referred to as a digital negative Typically found on many higher-end digital

cameras Sensors in the digital camera simply record pixels

on the camera’s memory card Raw format maintains the best picture quality


7.2.4 Understanding Digital Camera File Formats (Cont.) Examining the raw file format (continued)

The biggest disadvantage is that it’s proprietary And not all image viewers can display these

formats The process of converting raw picture data to

another format is referred to as demosaicing Examining the Exchangeable Image File format

Exchangeable Image File (EXIF) format Commonly used to store digital pictures Developed by JEIDA as a standard for storing

metadata in JPEG and TIFF files


7.2.4 Understanding Digital Camera File Formats (Cont.) Examining the Exchangeable Image File format

(continued) EXIF format collects metadata

Investigators can learn more about the type of digital camera and the environment in which pictures were taken

EXIF file stores metadata at the beginning of the file

With tools such as ProDiscover and Exif Reader You can extract metadata as evidence for your

case


7.2.4 Understanding Digital Camera File Formats (Cont.)


7.2.5 File Types Different types of files

Graphics file format – .gif/.jpg/.jpeg/.jfif Text file format – .txt/.htm/.html Audio file format – .au/.uLaw/.MuLaw/.aiff

– .mp3/.ra/.wav/.wma Video file format

– .avi/.mov/.movie/.mpg/.mpeg/.qt/.ram Document file format – .doc/.pdf/.ps Compress file format – .z/.zip/.sit/.gzip/.gz

Data compression: is done by using a complex algorithm used to reduce the size of a file

Vector quantization: A form of vector image that uses an algorithm similar to rounding up decimal values to eliminate unnecessary data

7.3 Understand Data Compression


7.3 Understand Data Compression Some image formats compress their data

GIF, JPEG, PNG Others, like BMP, do not compress their data

Use data compression tools for those formats Data compression

Coding of data from a larger to a smaller form Types

Lossless compression and lossy compression


7.3.1 Understanding Lossless and Lossy Compression GIF and PNG image file formats reduce the file size

by using lossless compression Lossless compression

Reduces file size without removing data Based on Huffman or Lempel-Ziv-Welch coding For redundant bits of data Utilities: WinZip, PKZip, StuffIt, and FreeZip

Lossy compression Permanently discards bits of information Vector quantization (VQ)

Determines what data to discard based on vectors in the graphics file

Utility: Lzip

7.4 Locate and Recover Images Files


7.4 Locate and Recover Image Files Operating system tools

Time consuming Results are difficult to verify

Computer forensics tools Image headers

Compare them with good header samples Use header information to create a baseline

analysis Reconstruct fragmented image files

Identify data patterns and modified headers


7.4.1 Identifying Graphics File Fragments Carving or salvaging

Recovering all file fragments Carving: The process of removing an item from a

group of items Salvaging: Another term for carving. It is the

process of removing an item from a group of them Computer forensics tools

Carve from slack and free space Help identify image files fragments and put them

together


7.4.1 Identifying Graphics File Fragments (Cont.)The screenshot above shows the location of the

clusters where the data has been found and the data found with the matching search.


7.4.2 Repairing Damaged Headers Use good header samples

Each image file has a unique file headerJPEG: FF D8 FF E0 00 10

Most JPEG files also include JFIF string Exercise:

Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)


7.4.3 Searching for and Carving Data from Unallocated Space


7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)


7.4.3 Searching for and Carving Data from Unallocated Space(Cont.) Steps

Planning your examination Searching for and recovering digital photograph

evidence Use ProDiscover to search for and extract

(recover) possible evidence of JPEG files False hits are referred to as false positives


7.4.4 Rebuilding File Headers (Cont.) Try to open the file first and follow steps if you can’t

see its content Steps

Recover more pieces of file if needed Examine file header

Compare with a good header sample Manually insert correct hexadecimal values

Test corrected file


7.4.4 Rebuilding File Headers (Cont.)

7.5 Analyze Image Files Headers


Necessary when you find files your tools do not recognize

Use hex editor such as Hex Workshop Record hexadecimal values on header

Use good header samples

7.5 Analyze Image File Headers


7.5 Analyze Image File Headers (Cont.)

7.6 Reconstructing File Fragments


Locate the starting and ending clusters For each fragmented group of clusters in the file

Steps Locate and export all clusters of the fragmented

file Determine the starting and ending cluster

numbers for each fragmented group of clusters Copy each fragmented group of clusters in their

proper sequence to a recovery file Rebuild the corrupted file’s header to make it

readable in a graphics viewer

7.6 Reconstructing File Fragments


7.6 Reconstructing File Fragments (Cont.)


Remember to save the updated recovered data with a .jpg extension

Sometimes suspects intentionally corrupt cluster links in a disk’s FAT Bad clusters appear with a zero value on a disk

editor



7.6.1 Identifying Unknown File Formats The Internet is the best source

Search engines like Google Find explanations and viewers

Popular Web sites www.digitek-asi.com/file_formats.html www.wotsit.org http://whatis.techtarget.com


7.6.2 Tools For Viewing Images Use several viewers

ThumbsPlus ACDSee QuickView IrfanView

GUI forensics tools include image viewers ProDiscover EnCase FTK X-Ways Forensics iLook


7.6.3 Understanding Steganography Steganography hides information inside image

files Ancient technique Can hide only certain amount of information

Insertion Hidden data is not displayed when viewing

host file in its associated program You need to analyze the data structure

carefully Example: Web page


7.6.3 Understanding Steganography (Cont.)


7.6.3 Understanding Steganography (Cont.) Substitution

Replaces bits of the host file with bits of data

Usually change the last two LSBs Detected with steganalysis tools

Usually used with image files Audio and video options

Hard to detect


7.6.3 Understanding Steganography (Cont.) Two files need to hide a message within an image

file The file containing the image into which the

message is supposed to be put in The file containing the message itself

There are 3 methods to hide messages in images, they include: Least Significant Bit Filtering and Masking Algorithms and Transformation aa


Detect variations of the graphic image When applied correctly you cannot detect hidden

data in most cases Methods

Compare suspect file to good or bad image versions

Mathematical calculations verify size and palette color

Compare hash values

7.6.4 Using Steganalysis Tools


Hex Workshop

The Hex Workshop application can detect and write messages on to a file

Investigators use the Hex Workshop tool to reconstruct damaged file headers

7.6.4 Using Steganalysis Tools (Cont.)


Hex Workshop

AS-Tools can hide and detect files hidden in BMP, GIF and WAV files

Investigators have the advantage of multi-threaded operation

Investigators can hide/reveal operations simultaneously without fear of interference to the work environment

7.6.4 Using Steganalysis Tools (Cont.)


Steganography originally incorporated watermarks

Copyright laws for Internet are not clear There is no international copyright

law Check www.copyright.gov

7.6.3 Identifying Copyright Issues with Graphics


Section 106 of the 1976 Copyright Act generally gives the owner of copyright the exclusive right to do and to authorize others to do the following: To perform the work publicly To display the copyright work publicly In the case of sound recordings, to perform the

work publicly by means of a digital audio transmission

To reproduce the work in copies or phonorecords – To prepare derivative works based upon the work

To distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending

7.6.3 Identifying Copyright Issues with Graphics (Cont.)


Copyrightable works include the following: Literary works Musical works; including any accompanying words Dramatic works; including any accompanying music Pantomimes and choreographic works Pictorial, graphic, and sculptural works. Motion pictures and other audiovisual works. Sound recordings Architectural works

7.6.3 Identifying Copyright Issues with Graphics (Cont.)


Summary Image types

Bitmap Vector Metafile

Image quality depends on various factors Image formats

Standard Nonstandard

Digital camera photos are typically in raw and EXIF JPEG formats


Summary (Cont.) Some image formats compress their data

Lossless compression Lossy compression

Recovering image files Carving file fragments Rebuilding image headers

Software Image editors Image viewers


Summary (Cont.) Steganography

Hides information inside image files Forms

Insertion Substitution

Steganalysis Finds whether image files hide information

End of Chapter 7

sak 4801 introduction to computer forensics chapter 7 image files forensics mohd taufik abdullah...

Documents

graphics image

color image

image formats

image files7

grayscale image

white image

image file forensics7

image files cont