Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysing Image Files Michael Jones. Overview Images and images Binary, octal, hexadecimal File headers and footers Example (image) files Looking for.

Published byWendy O’Brien’ Modified over 7 years ago

Similar presentations

Presentation on theme: "Analysing Image Files Michael Jones. Overview Images and images Binary, octal, hexadecimal File headers and footers Example (image) files Looking for."— Presentation transcript:

1 Analysing Image Files Michael Jones

2 Overview Images and images Binary, octal, hexadecimal File headers and footers Example (image) files Looking for more information Michael JonesAnalysing Image Files2

3 Review: Locard’s (Exchange) Principle Dr Edmond Locard (1877-1966) Quote (Paul Kirk) – Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him Michael JonesAnalysing Image Files3

4 Images and Images Common usage: ‘image’ = ‘picture’ In digital forensics – ‘image’ is an bit-by-bit copy of a digital device – Note: it is not an exact copy The physical structure of the device is not replicated Michael JonesAnalysing Image Files4

5 Phases of a Digital Investigation Secure the scene * Capture the evidence * – E.g., computers, devices Transfer to a secure store Create and verify images (bit-by-bit copies) Analyse the copies Produce reports * usually conducted by scenes of crime officers Michael JonesAnalysing Image Files5

6 Verifying Images After a copy has been made, it is important that the copy be verified against the original Technique: ‘hashing’ Method: – An algorithm is applied to the original and then to the copy – The output from the algorithm is a ‘checksum’ or a ‘hash’ – Is the hashes match, then the copy is a true copy of the original Michael JonesImage Files6

7 Issues with Hashing Algorithms A hashing algorithm is no good if: – The output (hash) can be predicted Why? Common hashing algorithms: – MD4, MD5 (Message Digest) Are considered insecure (sort of) – SHA-1, SHA-256, etc. (Secure Hash Algorithm) Michael JonesImage Files7

8 Security of Hashes Example: MD5 – Output is a 32 character hex string – The chances of 2 sources resulting in the same hash: 32 16, which is around 1 in 10 21 Equivalent to around a hundredth of the number of atoms in the universe – But… The output can be predicted to an extent – With a huge amount of computing power and some time Michael JonesAnalysing Image Files8

9 Solution: 2 hashes If 2 algorithms are applied to the original and the copy, then manipulation becomes impossible Note – The hashes from the 2 algorithms will not match Michael JonesAnalysing Image Files9

10 Files and File Systems A file contain data – Office documents, image files, etc. Files are organised in a file system – Generally hierarchical in folders/directories How they are organised varies Example file systems – Windows: FAT, FAT32, NTFS – OS X: HFS, HFS+ – Linux: ext2, ext3, ext4 Michael JonesAnalysing Image Files10

11 Why more than one File System? Files are changed – May not be able to be restored to the same place Files are created and deleted Directories need to expand and contract Question: how to organise the file system: – To handle file creation, change, deletion – To enable fast access to files – To minimise the need for reorganisation Michael JonesAnalysing Image Files11

12 Binary, octal, hexadecimal Binary: base 2 – symbols 0 and 1 Octal: base 8 – symbols 0 to 7 Hexadecimal: base 16 – symbols 0 to 9 and A to F As octal and hexadecimal are powers of 2, binary can be directly converted to these and vice versa 01101101 8 bits of binary 011 011 01 -> 3 3 2 (octal) 0110 1101 -> 6D (hexadecimal) Michael JonesAnalysing Image Files12

13 Why is Hexadecimal important? Viewing binary is painful – Too many digits (bits) – Only 2 symbols Most computers use bytes (8 bits) By grouping these as 2 x 4 bits, each byte can be represented by 2 hexadecimal digits – Note: can use lowercase: 6d Michael JonesAnalysing Image Files13

14 File Headers and Footers All file types (formats) have a defined header – Most have a defined footer So the extension is often unimportant – Except for Windows file associations The header contains – File type identifier – Metadata Michael JonesAnalysing Image Files14

15 Why not have a Footer? The footer defines the end of the file If the header contains information about the length of a file, then no need for a footer Why does this matter? – No footer makes it more difficult to identify files You need to decode the header Michael JonesAnalysing Image Files15

16 File Carving Process of extracting files from a larger file Why? – Suppose files have been deleted, and an image taken of the file system – Many files will be contiguous – Problems if they are not Process: – Find the first header – Find the footer, or the end of file or the next header Michael JonesAnalysing Image Files16

17 Example file format: JPEG Joint Photographic Experts Group Compression of digital images – http://www.dspguide.com/ch27/6.htm http://www.dspguide.com/ch27/6.htm Header – FF D8 Footer – FF D9 Michael JonesAnalysing Image Files17

18 Consider this The rest of the file contains: – Metadata – Colour table – Compressed data What is the chance of FF D9 in 2 successive bytes – 1 in 256 x 256 = 1 in 65,536 Compression algorithm must ensure this sequence does not occur – Which it does - simply Michael JonesAnalysing Image Files18

19 Hiding Data in a JPEG Problem: compression – If data is added to image before compression Data might be corrupted when compression occurs – If data is added afterwards, how can we control side-effects? Possible solution: hiding data in metadata – EXIF information Can use existing fields, or additional ones Possible solution: adding data after the footer Michael JonesAnalysing Image Files19

20 Other Image File Types GIF (Graphics Interchange Format) – Created by Compuserve – Lossless format – Headers: GIF87a and GIF89a (in hex) – Has a footer – but care needed PNG – Portable Network Graphics – Open (lossless) format – Header: 89 (hex) PNG (in hex) – Has a footer Michael JonesAnalysing Image Files20

21 Computer Crime: Ransomware Michael JonesAnalysing Image Files21

22 Debunking Myths: Surveillance Michael JonesAnalysing Image Files22

23 Carving and Blurring Suppose someone has had a problem with his camera – And photographs are corrupted On examination, the footer of a JPEG has been corrupted – 2 files might appear as 1 Boundary between files is blurred – Can we ‘un-blur’ the files and present this to the court? Michael JonesAnalysing Image Files23

24 Example The byte sequence is: – FF D9 … FF D7 FF D8 … FF D9 What could be seen in a viewer? If we change the second byte to ‘D9’, then 2 files could be ‘created’ – What is the legal status of doing this? Michael JonesAnalysing Image Files24

25 Issues with File Carving Non-contiguous files – How likely is this? Why is this a problem? What solutions could be possible? – Think about the standard sector size (512 bytes) Michael JonesAnalysing Image Files25

26 Summary File carving is at the heart of digital forensics It allows a physical analysis of the data – Compared with a logical view of the data The process involves finding headers and footers – Extracting (carving) files from a digital ‘image’ Image here means bit-by-bit copy of the data (e.g., disk or SD card) Michael JonesAnalysing Image Files26

Download ppt "Analysing Image Files Michael Jones. Overview Images and images Binary, octal, hexadecimal File headers and footers Example (image) files Looking for."

Similar presentations

Web Design Vocab 3 PNG, JPG, GIF, MP3, MPEG.

Web Design Vocab 3 PNG, JPG, GIF, MP3, MPEG.
Information Representation

Information Representation
COEN 252 Computer Forensics

COEN 252 Computer Forensics
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Multimedia for the Web: Creating Digital Excitement Multimedia Element -- Graphics.

Multimedia for the Web: Creating Digital Excitement Multimedia Element -- Graphics.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition.

Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition.
File Formats By Jack Turner. Raster (Bitmap) Raster or bitmap is a dot matrix data structure, containing columns of dots and rows, of a graphics image.

File Formats By Jack Turner. Raster (Bitmap) Raster or bitmap is a dot matrix data structure, containing columns of dots and rows, of a graphics image.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.

COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
©Brooks/Cole, 2003 Chapter 2 Data Representation.

©Brooks/Cole, 2003 Chapter 2 Data Representation.
Objectives Learn what a file system does

Objectives Learn what a file system does
Chapter 11 Fluency with Information Technology 4 th edition by Lawrence Snyder (slides by Deborah Woodall : 1.

Chapter 11 Fluency with Information Technology 4 th edition by Lawrence Snyder (slides by Deborah Woodall : 1.
1 Perception, Illusion and VR HNRS 299, Spring 2008 Lecture 14 Introduction to Computer Graphics.

1 Perception, Illusion and VR HNRS 299, Spring 2008 Lecture 14 Introduction to Computer Graphics.
Bit-Mapped Graphic Data: Input (Capture) Hardware Multimedia – Section 2.

Bit-Mapped Graphic Data: Input (Capture) Hardware Multimedia – Section 2.
Component 4: Introduction to Information and Computer Science Unit 4: Application and System Software Lecture 3 This material was developed by Oregon Health.

Component 4: Introduction to Information and Computer Science Unit 4: Application and System Software Lecture 3 This material was developed by Oregon Health.
1 3 Computing System Fundamentals 3.7 Utility Software.

1 3 Computing System Fundamentals 3.7 Utility Software.
Common file formats  Lesson Objective: Understanding common file formats and their differences.  Learning Outcome:  Describe the type of files which.

Common file formats  Lesson Objective: Understanding common file formats and their differences.  Learning Outcome:  Describe the type of files which.
Multimedia Specification Design and Production 2012 / Semester 1 / L3 Lecturer: Dr. Nikos Gazepidis

Multimedia Specification Design and Production 2012 / Semester 1 / L3 Lecturer: Dr. Nikos Gazepidis

Similar presentations

Ads by Google