SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 7 Image Files Forensics Mohd Taufik Abdullah Department of Computer Science Faculty of Computer Science and Information Technology University Putra of Malaysia Room No: 2.28 Portions of the material courtesy Nelson et. al., and EC-Council
Learning Objectives At the end of this chapter, you will be able to: Describe types of graphics file formats Explain types of data compression Explain how to locate and recover graphics files Describe how to identify unknown file formats Explain copyright issues with graphics
Chapter 7 Outline 7. Image File Forensics 7.1. Introduction 7.2. Recognize image files 7.3. Understand data Compression 7.4. Locate and recover image files 7.5. Analyze image file header 7.6. Reconstructing file fragments
7.1 Introduction
7.1 Introduction Image file formats can be: A black and white Image A grayscale Image A color image Indexed Color image All image formats differ between ease of use, size of the file, and the quality of reproduction
7.2 Recognize Image Files
7.2 Recognize Image Files Contains digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures Pixels: All small dots used to create images Bitmap images: collection of dots A representation of a graphics image a grid-type format Vector graphics: based on mathematical instructions/equations Metafile graphics: combination of bitmap and vector images Types of programs Graphics editors Image viewers
7.2 Recognize Image Files (Cont.) The circled area in this screen shot shows the resolution of the screen by pixels
7.2.1 Understanding Bitmap and Vector Images Bitmap images Grids of individual pixels Bitmap images can be made in the following applications: Photoshop MS Paint Image Ready Paintshop Pro Continuous tone photos Raster images Pixels are stored in rows Better for printing
7.2.1 Understanding Bitmap and Vector Images (Cont.) Uses geometric equations Higher quality image than a bitmap Useful for rendering types and shapes Characteristics Lines instead of dots Store only the calculations for drawing lines and shapes Smaller size Preserve quality when image is enlarged CorelDraw, Adobe Illustrator Image quality Screen resolution Software Number of color bits used per pixel
7.2.2 Understanding Metafile Graphics Metafiles combine raster and vector graphics. Metafiles have similar features of both bitmap and vector images. When metafiles are enlarged it results in a loss of resolution giving the image a shady appearance. Example Scanned photo (bitmap) with text (vector) Share advantages and disadvantages of both types When enlarged, bitmap part loses quality
7.2.3 Understanding Image File Formats Standard bitmap file formats Graphic Interchange Format (.gif) Joint Photographic Experts Group (.jpeg, .jpg) Tagged Image File Format (.tiff, .tif) Window Bitmap (.bmp) JPEG 2000 (.jp2) Portable Network Graphics (.png) Standard vector file formats Hewlett Packard Graphics Language (.hpgl) Autocad (.dxf)
7.2.3 Understanding Image File Formats (Cont.) Nonstandard graphics file formats Targa (.tga) Raster Transfer Language (.rtl) Adobe Photoshop (.psd) and Illustrator (.ai) Freehand (.fh9) Scalable Vector Graphics (.svg) Paintbrush (.pcx) Search the Web for software to manipulate unknown image formats
7.2.4 Understanding Digital Camera File Formats Witnesses or suspects can create their own digital photos Examining the raw file format Raw file format Referred to as a digital negative Typically found on many higher-end digital cameras Sensors in the digital camera simply record pixels on the camera’s memory card Raw format maintains the best picture quality
7.2.4 Understanding Digital Camera File Formats (Cont.) Examining the raw file format (continued) The biggest disadvantage is that it’s proprietary And not all image viewers can display these formats The process of converting raw picture data to another format is referred to as demosaicing Examining the Exchangeable Image File format Exchangeable Image File (EXIF) format Commonly used to store digital pictures Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files
7.2.4 Understanding Digital Camera File Formats (Cont.) Examining the Exchangeable Image File format (continued) EXIF format collects metadata Investigators can learn more about the type of digital camera and the environment in which pictures were taken EXIF file stores metadata at the beginning of the file With tools such as ProDiscover and Exif Reader You can extract metadata as evidence for your case
7.2.4 Understanding Digital Camera File Formats (Cont.)
7.2.4 Understanding Digital Camera File Formats (Cont.)
7.2.4 Understanding Digital Camera File Formats (Cont.)
7.2.4 Understanding Digital Camera File Formats (Cont.)
7.2.5 File Types Different types of files Graphics file format – .gif/.jpg/.jpeg/.jfif Text file format – .txt/.htm/.html Audio file format – .au/.uLaw/.MuLaw/.aiff – .mp3/.ra/.wav/.wma Video file format – .avi/.mov/.movie/.mpg/.mpeg/.qt/.ram Document file format – .doc/.pdf/.ps Compress file format – .z/.zip/.sit/.gzip/.gz Data compression: is done by using a complex algorithm used to reduce the size of a file Vector quantization: A form of vector image that uses an algorithm similar to rounding up decimal values to eliminate unnecessary data
7.3 Understand Data Compression
7.3 Understand Data Compression Some image formats compress their data GIF, JPEG, PNG Others, like BMP, do not compress their data Use data compression tools for those formats Data compression Coding of data from a larger to a smaller form Types Lossless compression and lossy compression
7.3.1 Understanding Lossless and Lossy Compression GIF and PNG image file formats reduce the file size by using lossless compression Lossless compression Reduces file size without removing data Based on Huffman or Lempel-Ziv-Welch coding For redundant bits of data Utilities: WinZip, PKZip, StuffIt, and FreeZip Lossy compression Permanently discards bits of information Vector quantization (VQ) Determines what data to discard based on vectors in the graphics file Utility: Lzip
7.4 Locate and Recover Images Files
7.4 Locate and Recover Image Files Operating system tools Time consuming Results are difficult to verify Computer forensics tools Image headers Compare them with good header samples Use header information to create a baseline analysis Reconstruct fragmented image files Identify data patterns and modified headers
7.4.1 Identifying Graphics File Fragments Carving or salvaging Recovering all file fragments Carving: The process of removing an item from a group of items Salvaging: Another term for carving. It is the process of removing an item from a group of them Computer forensics tools Carve from slack and free space Help identify image files fragments and put them together
7.4.1 Identifying Graphics File Fragments (Cont.) The screenshot above shows the location of the clusters where the data has been found and the data found with the matching search.
7.4.2 Repairing Damaged Headers Use good header samples Each image file has a unique file header JPEG: FF D8 FF E0 00 10 Most JPEG files also include JFIF string Exercise: Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)
7.4.3 Searching for and Carving Data from Unallocated Space
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.3 Searching for and Carving Data from Unallocated Space(Cont.) Steps Planning your examination Searching for and recovering digital photograph evidence Use ProDiscover to search for and extract (recover) possible evidence of JPEG files False hits are referred to as false positives
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.3 Searching for and Carving Data from Unallocated Space (Cont.)
7.4.4 Rebuilding File Headers (Cont.) Try to open the file first and follow steps if you can’t see its content Steps Recover more pieces of file if needed Examine file header Compare with a good header sample Manually insert correct hexadecimal values Test corrected file
7.4.4 Rebuilding File Headers (Cont.)
7.4.4 Rebuilding File Headers (Cont.)
7.4.4 Rebuilding File Headers (Cont.)
7.4.4 Rebuilding File Headers (Cont.)
7.4.4 Rebuilding File Headers (Cont.)
7.4.4 Rebuilding File Headers (Cont.)
7.5 Analyze Image Files Headers
7.5 Analyze Image File Headers Necessary when you find files your tools do not recognize Use hex editor such as Hex Workshop Record hexadecimal values on header Use good header samples
7.5 Analyze Image File Headers (Cont.)
7.5 Analyze Image File Headers (Cont.)
7.6 Reconstructing File Fragments
7.6 Reconstructing File Fragments Locate the starting and ending clusters For each fragmented group of clusters in the file Steps Locate and export all clusters of the fragmented file Determine the starting and ending cluster numbers for each fragmented group of clusters Copy each fragmented group of clusters in their proper sequence to a recovery file Rebuild the corrupted file’s header to make it readable in a graphics viewer
7.6 Reconstructing File Fragments (Cont.)
7.6 Reconstructing File Fragments (Cont.)
7.6 Reconstructing File Fragments (Cont.)
7.6 Reconstructing File Fragments (Cont.)
7.6 Reconstructing File Fragments (Cont.) Remember to save the updated recovered data with a .jpg extension Sometimes suspects intentionally corrupt cluster links in a disk’s FAT Bad clusters appear with a zero value on a disk editor
7.6 Reconstructing File Fragments (Cont.)
7.6 Reconstructing File Fragments (Cont.)
7.6.1 Identifying Unknown File Formats The Internet is the best source Search engines like Google Find explanations and viewers Popular Web sites www.digitek-asi.com/file_formats.html www.wotsit.org http://whatis.techtarget.com
7.6.2 Tools For Viewing Images Use several viewers ThumbsPlus ACDSee QuickView IrfanView GUI forensics tools include image viewers ProDiscover EnCase FTK X-Ways Forensics iLook
7.6.3 Understanding Steganography Steganography hides information inside image files Ancient technique Can hide only certain amount of information Insertion Hidden data is not displayed when viewing host file in its associated program You need to analyze the data structure carefully Example: Web page
7.6.3 Understanding Steganography (Cont.)
7.6.3 Understanding Steganography (Cont.)
7.6.3 Understanding Steganography (Cont.) Substitution Replaces bits of the host file with bits of data Usually change the last two LSBs Detected with steganalysis tools Usually used with image files Audio and video options Hard to detect
7.6.3 Understanding Steganography (Cont.) Two files need to hide a message within an image file The file containing the image into which the message is supposed to be put in The file containing the message itself There are 3 methods to hide messages in images, they include: Least Significant Bit Filtering and Masking Algorithms and Transformation aa
7.6.3 Understanding Steganography (Cont.)
7.6.3 Understanding Steganography (Cont.)
7.6.4 Using Steganalysis Tools Detect variations of the graphic image When applied correctly you cannot detect hidden data in most cases Methods Compare suspect file to good or bad image versions Mathematical calculations verify size and palette color Compare hash values
7.6.4 Using Steganalysis Tools (Cont.) Hex Workshop The Hex Workshop application can detect and write messages on to a file Investigators use the Hex Workshop tool to reconstruct damaged file headers
7.6.4 Using Steganalysis Tools (Cont.) Hex Workshop AS-Tools can hide and detect files hidden in BMP, GIF and WAV files Investigators have the advantage of multi-threaded operation Investigators can hide/reveal operations simultaneously without fear of interference to the work environment
7.6.3 Identifying Copyright Issues with Graphics Steganography originally incorporated watermarks Copyright laws for Internet are not clear There is no international copyright law Check www.copyright.gov
7.6.3 Identifying Copyright Issues with Graphics (Cont.) Section 106 of the 1976 Copyright Act generally gives the owner of copyright the exclusive right to do and to authorize others to do the following: To perform the work publicly To display the copyright work publicly In the case of sound recordings, to perform the work publicly by means of a digital audio transmission To reproduce the work in copies or phonorecords – To prepare derivative works based upon the work To distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending
7.6.3 Identifying Copyright Issues with Graphics (Cont.) Copyrightable works include the following: Literary works Musical works; including any accompanying words Dramatic works; including any accompanying music Pantomimes and choreographic works Pictorial, graphic, and sculptural works. Motion pictures and other audiovisual works. Sound recordings Architectural works
Summary Image types Bitmap Vector Metafile Image quality depends on various factors Image formats Standard Nonstandard Digital camera photos are typically in raw and EXIF JPEG formats
Summary (Cont.) Some image formats compress their data Lossless compression Lossy compression Recovering image files Carving file fragments Rebuilding image headers Software Image editors Image viewers
Summary (Cont.) Some image formats compress their data Lossless compression Lossy compression Recovering image files Carving file fragments Rebuilding image headers Software Image editors Image viewers
Summary (Cont.) Steganography Hides information inside image files Forms Insertion Substitution Steganalysis Finds whether image files hide information
End of Chapter 7