1. Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic Files October 1, 2008

2. Outline l Topics fir Lecture #12 - What data to collect and analyze - Validating forensics data - Data hiding techniques - Remote acquisitions - Recovering Graphic files - Data compression - Locating and recovering graphic files - Stgenaography and Steganalysis - Reference: Chapter 9 am 10 of Textbook l Topics for Lecture Number #13

3. What data to collect and analyze l Depends on the type of investigation l Email investigation will involve network logs, email server backups l Industrial espionage may include collecting information from cameras, keystrokes l Scope creep: Investigation extends beyond the original description due to unexpected evidence

4. Validating forensic data l Validating with hexadecimal editors - Provides support such as hashing files and sectors l Discriminating functions - Selecting suspicious data from normal data l Validating with forensics programs - Use message digests, hash values

5. Data Hiding l Data hiding is about changing or manipulating a file to conceal information l Hiding partitions: Create partitions and use disk editor to delete reference to it, then recreate links to find the partition l Marking bad clusters: Placing sensitive or incriminating data in free space; use disk editors to mark good clusters as bad clusters l But shifting: Change bit patterns or alter byte values l Using Stereography to hide data (Lecture 13) l Encrypt files to prevent access l Recover passwords using passwords recovery tools

6. Remote Acquisitions l Tools are available for acquiring data remotely - E.g., Diskexplorer for FAT - Diskexporer for NTFS l Steps to follow - Prepare the tool for remote acquisition - Make remote connection - Acquire the data

7. Recovering Graphic Files l What are graphic files - Bitmaps and Raster images - Vector graphics - Metafile graphics l Graphics file formats - Standards and Specialized l Digital camera file formats - Raw and Inage file format

8. Data Compression l Lossless compression - Reduce file size without removing data l Lossy compression - Reduces file size but some bits are removed - JPEG l Techniques are taught in Image processing courses

9. Locating and Recovering Graphic Files l Identify the graphic file fragments - If the file is fragmented, need to recover all the fragments carving or salvaging) l Repair damage headers - If header data is partially overwritten need to figure out what the missing pieces are l Procedures also exist form recovering digital photograph evidence l Steps to follow - Identify file - Recover damage headers - Reconstruct file fragments - Conduct exam

10. Steganography l Steganography is the art of covered or hidden writing. l The purpose of steganography is covert communication to hide a message from a third party. l This differs from cryptography, the art of secret writing, which is intended to make a message unreadable by a third party but does not hide the existence of the secret communication.

11. Topics for Lecture #13 l Steganography l Null Ciphers l Digital Image and Audio l Digital Carrier Methods l Detecting Steganography l Tools l Reference: - http://www.fbi.gov/hq/lab/fsc/backissu/july2004/research/2 004_03_research01.htm http://www.fbi.gov/hq/lab/fsc/backissu/july2004/research/2 004_03_research01.htm - http://en.wikipedia.org/wiki/Steganography http://en.wikipedia.org/wiki/Steganography - http://en.wikipedia.org/wiki/Digital_watermarking http://en.wikipedia.org/wiki/Digital_watermarking - http://www.garykessler.net/library/steganography.html http://www.garykessler.net/library/steganography.html - http://www.spectrum.ieee.org/aug08/6593 http://www.spectrum.ieee.org/aug08/6593