SAK INTRODUCTION TO COMPUTER FORENSICS Chapter 7 Image Files Forensics

1 SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 7 Image Files Forensics
Mohd Taufik Abdullah Department of Computer Science Faculty of Computer Science and Information Technology University Putra of Malaysia Room No: 2.28 Portions of the material courtesy Nelson et al., and EC-Council

2 Learning Objectives At the end of this chapter, you will be able to:
Describe types of graphics file formats Explain types of data compression Explain how to locate and recover graphics files Describe how to identify unknown file formats Explain copyright issues with graphics

3 Chapter 7 Outline 7. Image File Forensics 7.1. Introduction
7.2. Recognize image files 7.3. Understand data Compression 7.4. Locate and recover image files 7.5. Analyze image file header 7.6. Reconstructing file fragments

4 7.1 Introduction

5 7.1 Introduction Image file formats can be: A black and white image
A grayscale image A color image An indexed color image Image formats differ in ease of use, file size, and quality of reproduction

6 7.2 Recognize Image Files

7 7.2 Recognize Image Files Contains digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures Pixels: the small dots used to create images Bitmap images: collection of dots A representation of a graphics image in a grid-type format Vector graphics: based on mathematical instructions/equations Metafile graphics: combination of bitmap and vector images Types of programs Graphics editors Image viewers

8 7.2 Recognize Image Files (Cont.)
The circled area in this screen shot shows the resolution of the screen by pixels

9 7.2.1 Understanding Bitmap and Vector Images
Bitmap images Grids of individual pixels Bitmap images can be made in the following applications: Photoshop MS Paint Image Ready Paintshop Pro Continuous tone photos Raster images Pixels are stored in rows Better for printing

10 7.2.1 Understanding Bitmap and Vector Images (Cont.)
Uses geometric equations Higher quality image than a bitmap Useful for rendering types and shapes Characteristics Lines instead of dots Store only the calculations for drawing lines and shapes Smaller size Preserve quality when image is enlarged CorelDraw, Adobe Illustrator Image quality Screen resolution Software Number of color bits used per pixel

11 7.2.2 Understanding Metafile Graphics
Metafiles combine raster and vector graphics. Metafiles have features of both bitmap and vector images. When a metafile is enlarged, the result is a loss of resolution that gives the image a shady appearance. Example Scanned photo (bitmap) with text (vector) Share advantages and disadvantages of both types When enlarged, bitmap part loses quality

12 7.2.3 Understanding Image File Formats
Standard bitmap file formats Graphic Interchange Format (.gif) Joint Photographic Experts Group (.jpeg, .jpg) Tagged Image File Format (.tiff, .tif) Windows Bitmap (.bmp) JPEG 2000 (.jp2) Portable Network Graphics (.png) Standard vector file formats Hewlett Packard Graphics Language (.hpgl) Autocad (.dxf)

13 7.2.3 Understanding Image File Formats (Cont.)
Nonstandard graphics file formats Targa (.tga) Raster Transfer Language (.rtl) Adobe Photoshop (.psd) and Illustrator (.ai) Freehand (.fh9) Scalable Vector Graphics (.svg) Paintbrush (.pcx) Search the Web for software to manipulate unknown image formats

14 7.2.4 Understanding Digital Camera File Formats
Witnesses or suspects can create their own digital photos Examining the raw file format Raw file format Referred to as a digital negative Typically found on many higher-end digital cameras Sensors in the digital camera simply record pixels on the camera’s memory card Raw format maintains the best picture quality

15 7.2.4 Understanding Digital Camera File Formats (Cont.)
Examining the raw file format (continued) The biggest disadvantage is that it’s proprietary And not all image viewers can display these formats The process of converting raw picture data to another format is referred to as demosaicing Examining the Exchangeable Image File format Exchangeable Image File (EXIF) format Commonly used to store digital pictures Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files

16 7.2.4 Understanding Digital Camera File Formats (Cont.)
Examining the Exchangeable Image File format (continued) EXIF format collects metadata Investigators can learn more about the type of digital camera and the environment in which pictures were taken EXIF file stores metadata at the beginning of the file With tools such as ProDiscover and Exif Reader You can extract metadata as evidence for your case

21 7.2.5 File Types Different types of files
Graphics file format – .gif/.jpg/.jpeg/.jfif Text file format – .txt/.htm/.html Audio file format – .au/.uLaw/.MuLaw/.aiff – .mp3/.ra/.wav/.wma Video file format – .avi/.mov/.movie/.mpg/.mpeg/.qt/.ram Document file format – .doc/.pdf/.ps Compressed file format – .z/.zip/.sit/.gzip/.gz Data compression: uses a complex algorithm to reduce the size of a file Vector quantization: A form of vector image that uses an algorithm similar to rounding up decimal values to eliminate unnecessary data

22 7.3 Understand Data Compression

23 7.3 Understand Data Compression
Some image formats compress their data GIF, JPEG, PNG Others, like BMP, do not compress their data Use data compression tools for those formats Data compression Coding of data from a larger to a smaller form Types Lossless compression and lossy compression

24 7.3.1 Understanding Lossless and Lossy Compression
GIF and PNG image file formats reduce the file size by using lossless compression Lossless compression Reduces file size without removing data Based on Huffman or Lempel-Ziv-Welch coding For redundant bits of data Utilities: WinZip, PKZip, StuffIt, and FreeZip Lossy compression Permanently discards bits of information Vector quantization (VQ) Determines what data to discard based on vectors in the graphics file Utility: Lzip

25 7.4 Locate and Recover Image Files

26 7.4 Locate and Recover Image Files
Operating system tools Time consuming Results are difficult to verify Computer forensics tools Image headers Compare them with good header samples Use header information to create a baseline analysis Reconstruct fragmented image files Identify data patterns and modified headers

27 7.4.1 Identifying Graphics File Fragments
Carving or salvaging Recovering all file fragments Carving: The process of removing an item from a group of items Salvaging: Another term for carving. It is the process of removing an item from a group of them Computer forensics tools Carve from slack and free space Help identify image file fragments and put them together

28 7.4.1 Identifying Graphics File Fragments (Cont.)
The screenshot above shows the location of the clusters where the data has been found and the data found with the matching search.

29 7.4.2 Repairing Damaged Headers
Use good header samples Each image file has a unique file header JPEG: FF D8 FF E Most JPEG files also include JFIF string Exercise: Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)

30 7.4.3 Searching for and Carving Data from Unallocated Space

32 7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
Steps Planning your examination Searching for and recovering digital photograph evidence Use ProDiscover to search for and extract (recover) possible evidence of JPEG files False hits are referred to as false positives
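The search-and-extract step above, and why it produces false positives, as an added example (not part of the original slides or of ProDiscover). It scans a constructed buffer standing in for unallocated space for the JPEG header bytes, carves up to the next end-of-image marker, and uses the JFIF/Exif identifier at offset 6 to separate candidates from chance hits; the function name and sample data are assumptions.

```python
SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(raw: bytes):
    """Return (offset, data, validated) for every JPEG header hit in raw."""
    hits = []
    pos = raw.find(SOI)
    while pos != -1:
        end = raw.find(EOI, pos + len(SOI))
        if end == -1:
            break                        # no footer after this point; stop scanning
        data = raw[pos:end + len(EOI)]
        # SOI(2) + marker(2) + length(2) puts the identifier at offset 6.
        validated = data[6:10] in (b"JFIF", b"Exif")
        hits.append((pos, data, validated))
        pos = raw.find(SOI, pos + 1)     # a false hit may precede a real file
    return hits

# Constructed sample standing in for unallocated space (not real evidence).
REAL = (SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\x11" * 20 + EOI)
FALSE_HIT = SOI + b"\x13\x37" * 8        # header bytes occurring by chance
SAMPLE = b"\x00" * 32 + FALSE_HIT + b"\x00" * 16 + REAL + b"\x00" * 32

if __name__ == "__main__":
    for offset, data, ok in carve_jpegs(SAMPLE):
        label = "candidate JPEG" if ok else "false positive (no JFIF/Exif identifier)"
        print(f"offset {offset:#06x}: {len(data)} bytes, {label}")
```

The identifier check is a heuristic: a hit it rejects still needs review, because a damaged or deliberately altered header fails the same test. Carving to the first end-of-image marker also truncates files that embed a thumbnail.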

39 7.4.4 Rebuilding File Headers (Cont.)
Try to open the file first and follow steps if you can’t see its content Steps Recover more pieces of file if needed Examine file header Compare with a good header sample Manually insert correct hexadecimal values Test corrected file

46 7.5 Analyze Image File Headers

47 7.5 Analyze Image File Headers
Necessary when you find files your tools do not recognize Use hex editor such as Hex Workshop Record hexadecimal values on header Use good header samples

50 7.6 Reconstructing File Fragments

51 7.6 Reconstructing File Fragments
Locate the starting and ending clusters For each fragmented group of clusters in the file Steps Locate and export all clusters of the fragmented file Determine the starting and ending cluster numbers for each fragmented group of clusters Copy each fragmented group of clusters in their proper sequence to a recovery file Rebuild the corrupted file’s header to make it readable in a graphics viewer
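The reconstruction steps above, together with the header-rebuilding steps of section 7.4.4, as an added example that is not from the original slides. It copies cluster groups from a constructed disk image into a recovery buffer in sequence, then patches header bytes against a known-good JFIF sample and reports which offsets were changed; the 512-byte cluster size, cluster numbers and helper names are assumptions.

```python
import hashlib

CLUSTER = 512                                             # assumed cluster size
GOOD_HEADER = {0: b"\xff\xd8\xff\xe0", 6: b"JFIF\x00"}    # known-good JFIF sample

def reassemble(disk: bytes, groups, cluster_size: int = CLUSTER) -> bytes:
    """Copy each inclusive (start, end) cluster group in the order given."""
    out = bytearray()
    for start, end in groups:
        if end < start:
            raise ValueError(f"bad cluster group {start}-{end}")
        out += disk[start * cluster_size:(end + 1) * cluster_size]
    return bytes(out)

def rebuild_header(data: bytes):
    """Patch bytes that differ from the good sample; return (fixed, changed offsets)."""
    fixed, changed = bytearray(data), []
    for off, good in GOOD_HEADER.items():
        for i, value in enumerate(good):
            if fixed[off + i] != value:
                changed.append(off + i)
                fixed[off + i] = value
    return bytes(fixed), changed

def build_sample():
    """Constructed 8-cluster disk holding a 3-cluster file in two fragments."""
    original = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x22" * (3 * CLUSTER - 13)
                + b"\xff\xd9")
    damaged = b"zzzz" + original[4:6] + b"z" + original[7:]   # altered header
    disk = bytearray(8 * CLUSTER)
    disk[5 * CLUSTER:7 * CLUSTER] = damaged[:2 * CLUSTER]     # file clusters 0-1
    disk[2 * CLUSTER:3 * CLUSTER] = damaged[2 * CLUSTER:]     # file cluster 2
    return bytes(disk), original

if __name__ == "__main__":
    disk, original = build_sample()
    recovered = reassemble(disk, [(5, 6), (2, 2)])
    fixed, changed = rebuild_header(recovered)
    print("patched offsets:", changed)
    print("sha256 before repair:", hashlib.sha256(recovered).hexdigest())
    print("sha256 after repair: ", hashlib.sha256(fixed).hexdigest())
```

Recording the hash before and after the repair, along with the list of patched offsets, documents exactly which bytes the examiner changed in the recovery copy.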

56 7.6 Reconstructing File Fragments (Cont.)
Remember to save the updated recovered data with a .jpg extension Sometimes suspects intentionally corrupt cluster links in a disk’s FAT Bad clusters appear with a zero value on a disk editor

59 7.6.1 Identifying Unknown File Formats
The Internet is the best source Search engines like Google Find explanations and viewers Popular Web sites

60 7.6.2 Tools For Viewing Images
Use several viewers ThumbsPlus ACDSee QuickView IrfanView GUI forensics tools include image viewers ProDiscover EnCase FTK X-Ways Forensics iLook

61 7.6.3 Understanding Steganography
Steganography hides information inside image files Ancient technique Can hide only certain amount of information Insertion Hidden data is not displayed when viewing host file in its associated program You need to analyze the data structure carefully Example: Web page

64 7.6.3 Understanding Steganography (Cont.)
Substitution Replaces bits of the host file with bits of data Usually change the last two LSBs Detected with steganalysis tools Usually used with image files Audio and video options Hard to detect

65 7.6.3 Understanding Steganography (Cont.)
Two files are needed to hide a message within an image file: The file containing the image into which the message is to be placed The file containing the message itself There are 3 methods to hide messages in images: Least Significant Bit Filtering and Masking Algorithms and Transformation

68 7.6.4 Using Steganalysis Tools
Detect variations of the graphic image When applied correctly you cannot detect hidden data in most cases Methods Compare suspect file to good or bad image versions Mathematical calculations verify size and palette color Compare hash values
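The comparison methods listed above, as an added example that is not from the original slides or from any named tool. It compares hash values first, then checks whether every difference between a suspect's pixel data and a known-good copy is confined to the two least significant bits, which is the pattern the substitution slide describes; the function name, verdict strings and pixel buffers are constructed for illustration.

```python
import hashlib

def compare_to_reference(suspect: bytes, good: bytes, lsb_bits: int = 2) -> dict:
    """Compare suspect pixel data with a known-good copy of the same image."""
    report = {"verdict": "identical", "changed": 0, "first": None, "last": None}
    if hashlib.sha256(suspect).digest() == hashlib.sha256(good).digest():
        return report
    if len(suspect) != len(good):
        report["verdict"] = "size-mismatch"
        return report
    high_mask = 0xFF & ~((1 << lsb_bits) - 1)      # bits above the LSBs under test
    diffs = [i for i, (s, g) in enumerate(zip(suspect, good)) if s != g]
    lsb_only = all(((suspect[i] ^ good[i]) & high_mask) == 0 for i in diffs)
    report.update(changed=len(diffs), first=diffs[0], last=diffs[-1],
                  verdict="lsb-only-changes" if lsb_only else "other-modification")
    return report

# Constructed samples: raw pixel bytes, not a real image file.
GOOD = bytes((i * 37 + 11) % 256 for i in range(256))
# Low two bits of the first 64 bytes overwritten with a fixed pattern.
SUSPECT = bytes((b & 0xFC) | ((i * 7) & 3) for i, b in enumerate(GOOD[:64])) + GOOD[64:]
# One byte altered in a high bit, as an ordinary edit or corruption would do.
EDITED = GOOD[:10] + bytes([GOOD[10] ^ 0x40]) + GOOD[11:]

if __name__ == "__main__":
    for name, data in (("good copy", GOOD), ("suspect", SUSPECT), ("edited", EDITED)):
        print(name, compare_to_reference(data, GOOD))
```

This only works on uncompressed pixel data with the original image in hand; re-saving a lossy format changes pixel values throughout and hides the pattern.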

69 7.6.4 Using Steganalysis Tools (Cont.)
Hex Workshop The Hex Workshop application can detect and write messages on to a file Investigators use the Hex Workshop tool to reconstruct damaged file headers

70 7.6.4 Using Steganalysis Tools (Cont.)
Hex Workshop AS-Tools can hide and detect files hidden in BMP, GIF and WAV files Investigators have the advantage of multi-threaded operation Investigators can hide/reveal operations simultaneously without fear of interference to the work environment

71 7.6.3 Identifying Copyright Issues with Graphics
Steganography originally incorporated watermarks Copyright laws for Internet are not clear There is no international copyright law Check

72 7.6.3 Identifying Copyright Issues with Graphics (Cont.)
Section 106 of the 1976 Copyright Act generally gives the owner of copyright the exclusive right to do and to authorize others to do the following: To perform the work publicly To display the copyright work publicly In the case of sound recordings, to perform the work publicly by means of a digital audio transmission To reproduce the work in copies or phonorecords To prepare derivative works based upon the work To distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending

73 7.6.3 Identifying Copyright Issues with Graphics (Cont.)
Copyrightable works include the following: Literary works Musical works; including any accompanying words Dramatic works; including any accompanying music Pantomimes and choreographic works Pictorial, graphic, and sculptural works. Motion pictures and other audiovisual works. Sound recordings Architectural works

74 Summary Image types Bitmap Vector Metafile
Image quality depends on various factors Image formats Standard Nonstandard Digital camera photos are typically in raw and EXIF JPEG formats

75 Summary (Cont.) Some image formats compress their data
Lossless compression Lossy compression Recovering image files Carving file fragments Rebuilding image headers Software Image editors Image viewers

77 Summary (Cont.) Steganography Hides information inside image files
Forms Insertion Substitution Steganalysis Finds whether image files hide information

78 End of Chapter 7

