
Analysing Image Files Michael Jones

Overview
Images and images
Binary, octal, hexadecimal
File headers and footers
Example (image) files
Looking for more information
Michael Jones Analysing Image Files 2

Review: Locard’s (Exchange) Principle
Dr Edmond Locard ( )
Quote (Paul Kirk)
– Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him

Images and Images
Common usage: ‘image’ = ‘picture’
In digital forensics
– ‘image’ is a bit-by-bit copy of a digital device
– Note: it is not an exact copy
The physical structure of the device is not replicated

Phases of a Digital Investigation
Secure the scene *
Capture the evidence *
– E.g., computers, devices
Transfer to a secure store
Create and verify images (bit-by-bit copies)
Analyse the copies
Produce reports
* usually conducted by scenes of crime officers

Verifying Images
After a copy has been made, it is important that the copy be verified against the original
Technique: ‘hashing’
Method:
– An algorithm is applied to the original and then to the copy
– The output from the algorithm is a ‘checksum’ or a ‘hash’
– If the hashes match, then the copy is a true copy of the original

Issues with Hashing Algorithms
A hashing algorithm is no good if:
– The output (hash) can be predicted
Why?
Common hashing algorithms:
– MD4, MD5 (Message Digest)
Are considered insecure (sort of)
– SHA-1, SHA-256, etc. (Secure Hash Algorithm)

Security of Hashes
Example: MD5
– Output is a 32 character hex string
– The chances of 2 sources resulting in the same hash: 16^32, which is around 1 in
Equivalent to around a hundredth of the number of atoms in the universe
– But…
The output can be predicted to an extent
– With a huge amount of computing power and some time

Solution: 2 hashes
If 2 algorithms are applied to the original and the copy, then manipulation becomes impossible
Note
– The hashes from the 2 algorithms will not match
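
The verification step from the three slides above, as an added example that is not part of the original slides: the original and the copy are each hashed with MD5 and SHA-256 in one pass, and the copy is accepted only if both pairs match. The function names and the 4 KiB stand-in for a device are constructed for illustration.

```python
import hashlib
import io

def dual_hash(stream, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) from one pass over a binary stream."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    while chunk := stream.read(chunk_size):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def verify_copy(original, copy):
    """Hash original and copy with both algorithms; both pairs must match."""
    orig, dup = dual_hash(original), dual_hash(copy)
    return {
        "md5_match": orig[0] == dup[0],
        "sha256_match": orig[1] == dup[1],
        "verified": orig == dup,
        "original_hashes": orig,
    }

# Constructed stand-in for a seized device: 4 KiB of repeating bytes.
DEVICE = bytes(range(256)) * 16

def demo():
    good = verify_copy(io.BytesIO(DEVICE), io.BytesIO(DEVICE))
    # Flip a single bit in the copy to simulate a faulty or altered image.
    altered = bytearray(DEVICE)
    altered[1000] ^= 0x01
    bad = verify_copy(io.BytesIO(DEVICE), io.BytesIO(bytes(altered)))
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("true copy verified:   ", good["verified"])
    print("altered copy verified:", bad["verified"])
    print("MD5    :", good["original_hashes"][0])
    print("SHA-256:", good["original_hashes"][1])
```

The MD5 value is 32 hex characters and the SHA-256 value is 64, so the two hashes of the same data are never compared with each other, only each with its counterpart from the copy.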

Files and File Systems
A file contains data
– Office documents, image files, etc.
Files are organised in a file system
– Generally hierarchical in folders/directories
How they are organised varies
Example file systems
– Windows: FAT, FAT32, NTFS
– OS X: HFS, HFS+
– Linux: ext2, ext3, ext4

Why more than one File System?
Files are changed
– May not be able to be restored to the same place
Files are created and deleted
Directories need to expand and contract
Question: how to organise the file system:
– To handle file creation, change, deletion
– To enable fast access to files
– To minimise the need for reorganisation

Binary, octal, hexadecimal
Binary: base 2 – symbols 0 and 1
Octal: base 8 – symbols 0 to 7
Hexadecimal: base 16 – symbols 0 to 9 and A to F
As octal and hexadecimal are powers of 2, binary can be directly converted to these and vice versa
bits of binary > (octal) > 6D (hexadecimal)

Why is Hexadecimal important?
Viewing binary is painful
– Too many digits (bits)
– Only 2 symbols
Most computers use bytes (8 bits)
By grouping these as 2 x 4 bits, each byte can be represented by 2 hexadecimal digits
– Note: can use lowercase: 6d

File Headers and Footers
All file types (formats) have a defined header
– Most have a defined footer
So the extension is often unimportant
– Except for Windows file associations
The header contains
– File type identifier
– Metadata

Why not have a Footer?
The footer defines the end of the file
If the header contains information about the length of a file, then no need for a footer
Why does this matter?
– No footer makes it more difficult to identify files
You need to decode the header

File Carving
Process of extracting files from a larger file
Why?
– Suppose files have been deleted, and an image taken of the file system
– Many files will be contiguous
– Problems if they are not
Process:
– Find the first header
– Find the footer, or the end of file or the next header

Example file format: JPEG
Joint Photographic Experts Group
Compression of digital images
Header – FF D8
Footer – FF D9

Consider this
The rest of the file contains:
– Metadata
– Colour table
– Compressed data
What is the chance of FF D9 in 2 successive bytes
– 1 in 256 x 256 = 1 in 65,536
Compression algorithm must ensure this sequence does not occur
– Which it does - simply

Hiding Data in a JPEG
Problem: compression
– If data is added to image before compression
Data might be corrupted when compression occurs
– If data is added afterwards, how can we control side-effects?
Possible solution: hiding data in metadata
– EXIF information
Can use existing fields, or additional ones
Possible solution: adding data after the footer
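
An examiner's check for the last point, added here as an example that is not part of the original slides: it walks the JPEG marker structure to find the real footer and returns whatever is stored after it. It also shows how compressed data avoids a false FF D9 (an FF byte inside the scan is followed by a stuffed 00) and why a plain search for FF D9 can stop early inside a metadata segment. The function names and the sample bytes are constructed for illustration.

```python
def find_eoi(data: bytes) -> int:
    """Return the offset just past the real FF D9 footer of a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing FF D8 header")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                       # fill byte, marker follows
            i += 1
        elif marker == 0xD9:                     # EOI: the footer
            return i + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                               # markers without a length field
        else:
            length = int.from_bytes(data[i + 2:i + 4], "big")
            i += 2 + length                      # skip the whole segment
            if marker == 0xDA:                   # SOS: compressed data follows
                i = skip_scan(data, i)
    raise ValueError("no footer found (truncated file?)")

def skip_scan(data: bytes, i: int) -> int:
    """Advance over compressed data; FF 00 is a stuffed FF, FF D0..D7 restarts."""
    while i + 1 < len(data):
        nxt = data[i + 1]
        if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return i                             # a genuine marker
        i += 1
    return i

def trailing_data(data: bytes) -> bytes:
    """Bytes stored after the footer; empty for a clean file."""
    return data[find_eoi(data):]

# Constructed sample (not a decodable picture): an EXIF-style segment holding
# an embedded FF D8 ... FF D9, a scan with a stuffed FF 00, footer, extra bytes.
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe1\x00\x11Exif\x00\x00\xff\xd8THUMB\xff\xd9"
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
          + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
          + b"\xff\xd9" + b"appended bytes")

if __name__ == "__main__":
    print("first FF D9 by plain search ends at", SAMPLE.find(b"\xff\xd9") + 2)
    print("real footer ends at", find_eoi(SAMPLE))
    print("after the footer:", trailing_data(SAMPLE))
```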

Other Image File Types
GIF (Graphics Interchange Format)
– Created by Compuserve
– Lossless format
– Headers: GIF87a and GIF89a (in hex)
– Has a footer – but care needed
PNG – Portable Network Graphics
– Open (lossless) format
– Header: 89 (hex) PNG (in hex)
– Has a footer

Computer Crime: Ransomware

Debunking Myths: Surveillance

Carving and Blurring
Suppose someone has had a problem with his camera
– And photographs are corrupted
On examination, the footer of a JPEG has been corrupted
– 2 files might appear as 1
Boundary between files is blurred
– Can we ‘un-blur’ the files and present this to the court?

Example
The byte sequence is:
– FF D9 … FF D7 FF D8 … FF D9
What could be seen in a viewer?
If we change the second byte to ‘D9’, then 2 files could be ‘created’
– What is the legal status of doing this?
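
The carving process from the File Carving slide, applied to a byte sequence like the one above, as an added example that is not part of the original slides. Each candidate file is cut at its footer, at the next header, or at the end of the image, whichever comes first, and the result records which rule ended it. The function names and the sample image are constructed for illustration.

```python
SOI = b"\xff\xd8\xff"  # JPEG header FF D8, plus the FF that opens the next marker
EOI = b"\xff\xd9"      # JPEG footer

def carve_jpegs(image: bytes):
    """Return (start, end, how) for each candidate JPEG in a raw image.

    how is "footer" when FF D9 was found, "next-header" when another header
    appeared first (footer missing or corrupted), "end-of-image" otherwise.
    """
    results, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        body = start + len(SOI)
        footer = image.find(EOI, body)
        nxt = image.find(SOI, body)
        if footer != -1 and (nxt == -1 or footer < nxt):
            end, how = footer + len(EOI), "footer"
        elif nxt != -1:
            end, how = nxt, "next-header"
        else:
            end, how = len(image), "end-of-image"
        results.append((start, end, how))
        pos = end
    return results

def fake_jpeg(body: bytes, footer: bytes = EOI) -> bytes:
    """Constructed stand-in: header + filler + footer, not a decodable picture."""
    return b"\xff\xd8\xff\xe0" + body + footer

# Constructed image: one intact file, then a file whose footer reads FF D7,
# immediately followed by a third file (the slide's FF D7 FF D8 ... FF D9).
SAMPLE = (b"\x00" * 512 + fake_jpeg(b"A" * 100) + b"\x00" * 50
          + fake_jpeg(b"B" * 80, footer=b"\xff\xd7") + fake_jpeg(b"C" * 60)
          + b"\x00" * 512)

if __name__ == "__main__":
    for start, end, how in carve_jpegs(SAMPLE):
        print(f"offset {start:5d}..{end:5d}  {end - start:4d} bytes  ended by {how}")
```

The carver only reports offsets, so the FF D7 bytes in the image stay exactly as found. A "next-header" result needs manual review, because a JPEG with an embedded EXIF thumbnail legitimately contains a second FF D8 inside its metadata.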

Issues with File Carving
Non-contiguous files
– How likely is this?
Why is this a problem?
What solutions could be possible?
– Think about the standard sector size (512 bytes)

Summary
File carving is at the heart of digital forensics
It allows a physical analysis of the data
– Compared with a logical view of the data
The process involves finding headers and footers
– Extracting (carving) files from a digital ‘image’
Image here means bit-by-bit copy of the data (e.g., disk or SD card)