Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files.

Published byDominic Chambers Modified over 8 years ago

Similar presentations

Presentation on theme: "Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files."— Presentation transcript:

1 Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files

2 Guide to Computer Forensics and Investigations, 2e2 Objectives Recognize image files Understand data compression Locate and recover image files Analyze image file headers Identify copyright issues with graphics

3 Guide to Computer Forensics and Investigations, 2e3 Recognizing an Image File Contains graphics –Bitmap: collection of dots –Vector: mathematical instructions –Metafile: combination of bitmap and vector Types of programs –Graphics editor –Image viewers

4 Guide to Computer Forensics and Investigations, 2e4 Understanding Bitmap and Raster Images Bitmap images –Grids of individual pixels Raster images –Pixels are stored in rows –Better for printing Image quality –Screen resolution –Software –Number of color bits used per pixel

5 Guide to Computer Forensics and Investigations, 2e5 Understanding Vector Images Characteristics –Use lines –Store only the mathematics for drawing lines and shapes –Smaller size –Preserve quality when image is enlarged CorelDraw, Adobe Illustrator You can save vector images as bitmap images –Do not save bitmap images as vector images

6 Guide to Computer Forensics and Investigations, 2e6 Understanding Metafile Graphics Combine raster and vector graphics Example: scanned photo (bitmap) with text (vector) Share advantages and disadvantages of both types –When enlarged, bitmap part loses quality

7 Guide to Computer Forensics and Investigations, 2e7 Understanding Image File Formats Standard bitmap image file formats –Graphic Interchange Format (.gif) –Joint Photographic Experts Group (.jpeg,.jpg) –Tagged Image File Format (.tiff,.tif) –Window Bitmap (.bmp) Standard vector image file formats –Hewlett Packard Graphics Language (.hpgl) –Autocad (.dxf)

8 Guide to Computer Forensics and Investigations, 2e8 Understanding Image File Formats (continued) Nonstandard image file formats –Targa (.tga) –Raster Transfer Language (.rtl) –Adobe Photoshop (.psd) and Illustrator (.ai) –Freehand (.fh9) –Scalable Vector Graphics (.svg) –Paintbrush (.pcx) Search the Web for software to manipulate unknown image formats

9 Guide to Computer Forensics and Investigations, 2e9 Understanding Data Compression Some image formats compress their data –GIF, JPEG, PNG Others, like BMP, do not compress their data Use data compression tools for those formats Data compression –Coding of data from a larger to a smaller size

10 Guide to Computer Forensics and Investigations, 2e10 Reviewing Lossless and Lossy Compression Lossless compression –Reduces file size without removing data –Based on Huffman or Lempel-Ziv-Welch coding For redundant bits of data –WinZip, PKZip, FreeZip Lossy compression –Permanently discards bits of information –Vector quantization (VQ) –Lzip

11 Guide to Computer Forensics and Investigations, 2e11 Locating and Recovering Image Files OS tools –Time consuming –Results are difficult to verify Computer forensics tools –Image headers Compare them with good header samples –Reconstruct fragmented image files Identify data patterns and modified headers

12 Guide to Computer Forensics and Investigations, 2e12 Identifying Image File Fragments Carving or salvaging –Recovering all fragments Computer Forensics tools –Carves from slack and free space –Helps identify image file fragments and put them together

13 Guide to Computer Forensics and Investigations, 2e13 Repairing Damage Headers Use good header samples Each image file has a unique file header –JPEG: FF D8 FF E0 00 10 –Most JPEG files also include JFIF string

14 Guide to Computer Forensics and Investigations, 2e14 Carving Data from Unallocated Space Steps: –Create a duplicate bit-stream copy –Update your tools to search for image files –Search for images files (or fragments) –Carve for fragments using the results from your search Determine all clusters the image is using –Recover deleted data Determine absolute beginning and ending cluster

15 Guide to Computer Forensics and Investigations, 2e15 Carving Data from Unallocated Space (continued)

16 Guide to Computer Forensics and Investigations, 2e16 Carving Data from Unallocated Space (continued)

17 Guide to Computer Forensics and Investigations, 2e17 Carving Data from Unallocated Space (continued) Steps (continued): –Rebuild image file header Use hex editor to manually insert correct codes –Save as a new file –Test your new image file

18 Guide to Computer Forensics and Investigations, 2e18 Rebuilding File Headers Try opening the file first and follow steps if you can’t see its content Steps: –Recover more pieces of file if needed –Examine file header Compare with a good header sample Manually insert correct hexadecimal values –Test corrected file

19 Guide to Computer Forensics and Investigations, 2e19 Rebuilding File Headers (continued)

20 Guide to Computer Forensics and Investigations, 2e20 Rebuilding File Headers (continued)

21 Guide to Computer Forensics and Investigations, 2e21 Rebuilding File Headers (continued)

22 Guide to Computer Forensics and Investigations, 2e22 Reconstructing File Fragments Bad clusters appear with a zero value on a disk editor Steps: –Determine clusters of possible header –Find if other fragments are linked to header DriveSpy CFE command –Find linked fragments on unallocated clusters DriveSpy GFE command Copy all sectors after a nonlinked cluster

23 Guide to Computer Forensics and Investigations, 2e23 Reconstructing File Fragments (continued)

24 Guide to Computer Forensics and Investigations, 2e24 Reconstructing File Fragments (continued)

25 Guide to Computer Forensics and Investigations, 2e25 Reconstructing File Fragments (continued) Steps (continued): –Save linked fragments on unallocated clusters to valid clusters Create a script file to use with DriveSpy SaveSect Group contiguous blocks and find absolute beginning and ending sector numbers Combine all saved sectors into a file –Rebuild file header if needed –Save new file and test it

26 Guide to Computer Forensics and Investigations, 2e26 Reconstructing File Fragments (continued)

27 Guide to Computer Forensics and Investigations, 2e27 Reconstructing File Fragments (continued)

28 Guide to Computer Forensics and Investigations, 2e28 Reconstructing File Fragments (continued)

29 Guide to Computer Forensics and Investigations, 2e29 Identifying Unknown File Formats The Internet is the best source –Search engines like Google –Find explanations and viewers Popular Web sites: –www.digitek-asi.com/file_formats.html –www.wotsit.org –http://whatis.techtarget.com

30 Guide to Computer Forensics and Investigations, 2e30 Analyzing Image File Headers For files your tools do not recognize Use hex editor like Hex Workshop –Record hexadecimal values on header Update your forensics tools –DriveSpy.ini Use good header samples

31 Guide to Computer Forensics and Investigations, 2e31 Analyzing Image File Headers (continued)

32 Guide to Computer Forensics and Investigations, 2e32 Analyzing Image File Headers (continued)

33 Guide to Computer Forensics and Investigations, 2e33 Tools for Viewing Images Use several viewers –ThumbsPlus –ACDSee –QuickView –IrfanView GUI forensics tools include image viewers –EnCase –FTK –iLook

34 Guide to Computer Forensics and Investigations, 2e34 Understanding Steganography in Image Files Steganography hides information inside image files –Ancient technique –Can hide only certain amount of information Insertion –Hidden data is not displayed when viewing host file in its associated program –Web page

35 Guide to Computer Forensics and Investigations, 2e35 Understanding Steganography in Image Files (continued)

36 Guide to Computer Forensics and Investigations, 2e36 Understanding Steganography in Image Files (continued)

37 Guide to Computer Forensics and Investigations, 2e37 Understanding Steganography in Image Files (continued) Substitution –Replaces bits of the host file with bits of data –Usually change the last two LSB –Detected with steganalysis tools Usually used with image files –Audio and video options Hard to detect

38 Guide to Computer Forensics and Investigations, 2e38 Understanding Steganography in Image Files (continued)

39 Guide to Computer Forensics and Investigations, 2e39 Understanding Steganography in Image Files (continued)

40 Guide to Computer Forensics and Investigations, 2e40 Using Steganalysis Tools Detect variations of the graphic image –When applied correctly you cannot detect hidden data Methods –Compare suspect file to good or bad image versions –Mathematical calculations verify size and palette color –Compare hash values

41 Guide to Computer Forensics and Investigations, 2e41 Identifying Copyright Issues with Graphics Steganography originally incorporated watermarks Copyright laws for Internet are not clear –There is no international copyright law Check www.copyright.gov

42 Guide to Computer Forensics and Investigations, 2e42 Summary Image types –Bitmap –Vector –Metafile Image quality depends on various factors Image formats –Standard –Nonstandard

43 Guide to Computer Forensics and Investigations, 2e43 Summary (continued) Some image formats compress their data –Lossless compression –Lossy compression Recovering image files –Carving file fragments –Rebuilding image headers Software –Image editors –Image viewers

44 Guide to Computer Forensics and Investigations, 2e44 Summary (continued) Steganography –Hides information inside image files –Insertion –Substitution Steganalysis –Finds whether image files hide information

Download ppt "Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files."

Similar presentations

Raster Graphics 2.01 Investigate graphic image design.

Raster Graphics 2.01 Investigate graphic image design.
Introduction to Computer Graphics Raster Vs. Vector COMMUNICATION TECHNOLOGY.

Introduction to Computer Graphics Raster Vs. Vector COMMUNICATION TECHNOLOGY.
Chapter 10 Recovering Graphics Files

Chapter 10 Recovering Graphics Files
Chapter 8 Recovering Graphics Files

Chapter 8 Recovering Graphics Files
Multimedia for the Web: Creating Digital Excitement Multimedia Element -- Graphics.

Multimedia for the Web: Creating Digital Excitement Multimedia Element -- Graphics.
Graphics CS 121 Concepts of Computing II. What is a graphic? n A rectangular image. n Stored in a file of its own, or … … embedded in another data file.

Graphics CS 121 Concepts of Computing II. What is a graphic? n A rectangular image. n Stored in a file of its own, or … … embedded in another data file.
COS/PSA 413 Day 18. Agenda Lab 9 write-up grades –2 A’s, 1 B, 1 D and 1 F –Answer the questions with a minimal amount of BS –I will start taking off points.

COS/PSA 413 Day 18. Agenda Lab 9 write-up grades –2 A’s, 1 B, 1 D and 1 F –Answer the questions with a minimal amount of BS –I will start taking off points.
Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition.

Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition.
2.01 Understand Digital Raster Graphics

2.01 Understand Digital Raster Graphics
COS 413 Day 15. Agenda Assignment 4 corrected –2 A’s, 5 B’s, 1 C and 1 non-submit Assignment 5 Due Assignment 6 will be assigned next week Lab 4 write-up.

COS 413 Day 15. Agenda Assignment 4 corrected –2 A’s, 5 B’s, 1 C and 1 non-submit Assignment 5 Due Assignment 6 will be assigned next week Lab 4 write-up.
Image and Sound Editing Raed S. Rasheed 2012. Image Image. Digital image. – Raster images. – Vector Images. – Stereo Images. – Image File Formats Lossless.

Image and Sound Editing Raed S. Rasheed Image Image. Digital image. – Raster images. – Vector Images. – Stereo Images. – Image File Formats Lossless.
File Formats By Jack Turner. Raster (Bitmap) Raster or bitmap is a dot matrix data structure, containing columns of dots and rows, of a graphics image.

File Formats By Jack Turner. Raster (Bitmap) Raster or bitmap is a dot matrix data structure, containing columns of dots and rows, of a graphics image.
Introduction to Computer Graphics Raster Vs. Vector TGJ 2OI St. Christopher C.S.S. 4 Introduction to Computer Graphics.ppt.

Introduction to Computer Graphics Raster Vs. Vector TGJ 2OI St. Christopher C.S.S. 4 Introduction to Computer Graphics.ppt.
SAK INTRODUCTION TO COMPUTER FORENSICS Chapter 7 Image Files Forensics

SAK INTRODUCTION TO COMPUTER FORENSICS Chapter 7 Image Files Forensics
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Web Design, 4 th Edition 5 Typography and Images.

Web Design, 4 th Edition 5 Typography and Images.
File Formats Different applications (programs) store data in different formats. Applications support some file formats and not others. Open…, Save…, Save.

File Formats Different applications (programs) store data in different formats. Applications support some file formats and not others. Open…, Save…, Save.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Graphics.

Graphics.
File Formats COM 366 Web Design & Layout. Native file format –Format native to software program –.psd > PhotoShop default Preserves layers –Use “Save.

File Formats COM 366 Web Design & Layout. Native file format –Format native to software program –.psd > PhotoShop default Preserves layers –Use “Save.

Similar presentations

Ads by Google