
SAK 4801 INTRODUCTION TO COMPUTER FORENSICS
Chapter 7 Image Files Forensics
Mohd Taufik Abdullah
Department of Computer Science
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia
Room No: 2.28

Portions of the material courtesy of Nelson et al. and EC-Council


Learning Objectives
At the end of this chapter, you will be able to:
Describe types of graphics file formats
Explain types of data compression
Explain how to locate and recover graphics files
Describe how to identify unknown file formats
Explain copyright issues with graphics

2 Chapter 7 Image Files Forensics SAK4801 Introduction to Computer


Chapter 7 Outline
7. Image File Forensics
7.1. Introduction
7.2. Recognize image files
7.3. Understand data Compression
7.4. Locate and recover image files
7.5. Analyze image file header
7.6. Reconstructing file fragments



7.1 Introduction
Image file formats can be:
A black and white image
A grayscale image
A color image
An indexed color image
All image formats trade off ease of use, file size, and quality of reproduction



7.2 Recognize Image Files
Image files contain digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures
Pixels: the small dots used to create images
Bitmap images: a collection of dots; a representation of a graphics image in a grid format
Vector graphics: based on mathematical instructions/equations
Metafile graphics: a combination of bitmap and vector images
7.2 Recognize Image Files (Cont.)
(Screenshot: the circled area shows the resolution of the screen in pixels)



7.2.1 Understanding Bitmap and Vector Images
Bitmap images
Grids of individual pixels
Bitmap images can be made in applications such as Photoshop, MS Paint, ImageReady, and Paint Shop Pro
Continuous-tone photos
Raster images
Pixels are stored in rows
Better for printing



7.2.1 Understanding Bitmap and Vector Images (Cont.)
Vector images
Use geometric equations
Higher quality image than a bitmap
Useful for rendering type and shapes
Characteristics
Lines instead of dots
Store only the calculations for drawing lines and shapes
Smaller size
Preserve quality when the image is enlarged
Applications: CorelDRAW, Adobe Illustrator
Image quality depends on screen resolution and software
7.2.2 Understanding Metafile Graphics
Metafiles combine raster and vector graphics, so they share the features, advantages, and disadvantages of both
Example: a scanned photo (bitmap) with text (vector)
When a metafile is enlarged, the vector part scales cleanly but the bitmap part loses resolution, giving the image a grainy appearance



7.2.3 Understanding Image File Formats
Standard bitmap file formats
Graphics Interchange Format (.gif)
Joint Photographic Experts Group (.jpeg, .jpg)
Tagged Image File Format (.tiff, .tif)
Windows Bitmap (.bmp)
JPEG 2000 (.jp2)
Portable Network Graphics (.png)
Standard vector file formats
Hewlett-Packard Graphics Language (.hpgl)
AutoCAD Drawing Exchange Format (.dxf)



7.2.3 Understanding Image File Formats (Cont.)
Nonstandard graphics file formats
Targa (.tga)
Raster Transfer Language (.rtl)
Adobe Photoshop (.psd) and Illustrator (.ai)
Freehand (.fh9)
Scalable Vector Graphics (.svg)
Paintbrush (.pcx)
Search the Web for software to manipulate unknown image formats



7.2.4 Understanding Digital Camera File Formats
Witnesses or suspects can create their own digital photos
Examining the raw file format
Raw file format
Referred to as a digital negative
Typically found on many higher-end digital cameras
The camera's sensor readings are recorded on the memory card with minimal processing
Raw format maintains the best picture quality



7.2.4 Understanding Digital Camera File Formats (Cont.)
Examining the raw file format (continued)
The biggest disadvantage is that raw formats are proprietary, and not all image viewers can display them
Converting raw sensor data into a standard image (interpolating full color from the sensor's color filter array) is referred to as demosaicing
Examining the Exchangeable Image File format
Exchangeable Image File (Exif) format
Commonly used to store digital pictures
Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files


7.2.4 Understanding Digital Camera File Formats (Cont.)
Examining the Exchangeable Image File format (continued)
Exif format collects metadata
Investigators can learn more about the type of digital camera and the environment in which pictures were taken (for example camera make and model, date and time, and exposure settings)
Exif metadata is stored in an APP1 segment near the beginning of the JPEG file, before the compressed image data
With tools such as ProDiscover and Exif Reader you can extract metadata as evidence for your case
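The Exif layout described above, as an added example that is not part of the slides or of Nelson et al.: a Python walker over JPEG marker segments that finds the APP1 segment, honours the byte order declared in the TIFF header, and decodes the IFD0 entries that usually identify the camera. The sample JPEG it parses is constructed inline (the camera make "ACME", model "CAM-1" and the date are invented values) so it runs offline; a real photograph's bytes can be passed to exif_metadata() instead.

```python
import struct

# IFD0 tags (from the Exif/TIFF specification) that matter most to an examiner;
# anything else is reported by its hex tag number.
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 7: 1}   # BYTE, ASCII, SHORT, LONG, UNDEFINED


def iter_jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS (FF DA)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:                     # start of scan: image data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_exif(app1_payload):
    """Decode IFD0 of an Exif APP1 payload into {tag name: value}."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        raise ValueError("APP1 segment is not Exif")
    tiff = app1_payload[6:]          # all Exif offsets are relative to the TIFF header
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order is declared per file
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic in Exif header")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        field = tiff[entry + 8:entry + 12]
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                # short values are stored inside the entry
            raw = field[:size]
        else:                        # longer ones live elsewhere; entry holds offset
            offset = struct.unpack(endian + "I", field)[0]
            raw = tiff[offset:offset + size]
        if typ == 2:
            value = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ == 3:
            value = struct.unpack(endian + "H", raw[:2])[0]
        elif typ == 4:
            value = struct.unpack(endian + "I", raw[:4])[0]
        else:
            value = raw
        tags[EXIF_TAGS.get(tag, f"0x{tag:04X}")] = value
    return tags


def exif_metadata(jpeg):
    """Return IFD0 metadata of a JPEG, or {} when it carries no Exif APP1."""
    for marker, payload in iter_jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_exif(payload)
    return {}


def build_sample_jpeg(make, model, datetime="2009:03:14 15:09:26"):
    """Constructed test input: a JPEG skeleton whose only content is an Exif APP1
    holding three ASCII IFD0 tags. It has no scan data and will not display."""
    items = [(0x010F, make), (0x0110, model), (0x0132, datetime)]
    data_start = 8 + 2 + 12 * len(items) + 4   # header + count + entries + next-IFD link
    entries, blob = b"", b""
    for tag, text in items:
        s = text.encode("ascii") + b"\x00"
        entries += struct.pack("<HHII", tag, 2, len(s), data_start + len(blob))
        blob += s
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(items))
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xFF\xDA\x00\x02" + b"\xFF\xD9")


if __name__ == "__main__":
    for name, value in exif_metadata(build_sample_jpeg("ACME", "CAM-1")).items():
        print(f"{name:10} {value}")
```

Because the walker stops at SOS it never reads the compressed image data, which is the same reason the metadata is cheap to extract from a large photo. A file that starts FF D8 FF E0 (JFIF) with no APP1 returns an empty dictionary rather than an error, which is what you want when triaging a folder of mixed files.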





7.2.5 File Types
Different types of files
Graphics file formats: .gif, .jpg, .jpeg, .jfif
Text file formats: .txt, .htm, .html
Audio file formats: .au, .uLaw, .MuLaw, .aiff, .mp3, .ra, .wav, .wma
Video file formats: .avi, .mov, .movie, .mpg, .mpeg, .qt, .ram
Document file formats: .doc, .pdf, .ps
Compressed file formats: .z, .zip, .sit, .gzip, .gz
Data compression: reducing the size of a file by applying an (often complex) algorithm to it
Vector quantization: a form of vector image that uses
7.3 Understand Data Compression
Some image formats compress their data: GIF, JPEG, PNG
Others, like BMP, do not compress their data; use data compression tools for those formats
Data compression: coding of data from a larger to a smaller form
Types: lossless compression and lossy compression



7.3.1 Understanding Lossless and Lossy Compression
GIF and PNG image file formats reduce the file size by using lossless compression
Lossless compression
Reduces file size without removing data
Based on Huffman or Lempel-Ziv-Welch (LZW) coding, which exploits redundant bits of data
Utilities: WinZip, PKZip, StuffIt, and FreeZip
Lossy compression
Permanently discards bits of information (JPEG is the common example)
Vector quantization (VQ)
Determines what data to discard based on vectors in the graphics file
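The two kinds of compression side by side, as an added example that is not taken from the slides or from Nelson et al.: lzw_compress/lzw_decompress is a textbook LZW coder (the algorithm GIF and TIFF use, though they pack the codes into variable-width bit strings rather than keeping a list of integers, a simplification made here for readability), and the roundtrip shows that nothing is lost. lossy_quantize is this example's own simplified stand-in for JPEG's quantization step, keeping only the high bits of each sample, chosen to show that the dropped information cannot be recovered. The SAMPLE input is constructed.

```python
def lzw_compress(data):
    """Textbook LZW: emit dictionary codes, adding a new phrase each time a
    previously unseen extension of a known phrase is met."""
    dictionary = {bytes([i]): i for i in range(256)}   # single bytes are pre-seeded
    w, codes = b"", []
    for byte in data:
        wc = w + bytes([byte])
        if wc in dictionary:
            w = wc                               # keep growing the current phrase
        else:
            codes.append(dictionary[w])
            dictionary[wc] = len(dictionary)     # next free code
            w = bytes([byte])
    if w:
        codes.append(dictionary[w])
    return codes


def lzw_decompress(codes):
    """Rebuild the same dictionary on the fly. The one edge case every decoder
    must handle is a code that is not yet in the dictionary (the KwKwK case):
    it can only be the previous phrase followed by its own first byte."""
    if not codes:
        return b""
    dictionary = {i: bytes([i]) for i in range(256)}
    w = dictionary[codes[0]]
    out = bytearray(w)
    for code in codes[1:]:
        if code in dictionary:
            entry = dictionary[code]
        elif code == len(dictionary):
            entry = w + w[:1]
        else:
            raise ValueError(f"corrupt LZW stream: code {code}")
        out += entry
        dictionary[len(dictionary)] = w + entry[:1]
        w = entry
    return bytes(out)


def lossy_quantize(samples, bits_kept=4):
    """Lossy step: keep only the top `bits_kept` bits of each 8-bit sample.
    Applying it twice changes nothing, but the original can never be rebuilt."""
    mask = (0xFF << (8 - bits_kept)) & 0xFF
    return bytes(s & mask for s in samples)


# Constructed, deliberately redundant input: the kind of data LZW does well on.
SAMPLE = b"ABABABABABABABAB" * 4 + b"ABCABCABC"

if __name__ == "__main__":
    codes = lzw_compress(SAMPLE)
    print(len(SAMPLE), "bytes ->", len(codes), "codes; lossless roundtrip:",
          lzw_decompress(codes) == SAMPLE)
    original = bytes(range(16))
    print("lossy:", original.hex(), "->", lossy_quantize(original).hex())
```

On the redundant SAMPLE the code list is much shorter than the input and decompresses byte for byte; a stream of random bytes would instead grow, which is why image formats pair LZW with data that actually repeats. The quantized bytes show the other trade: lossy_quantize(lossy_quantize(x)) equals lossy_quantize(x), but x itself is gone.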
7.4 Locate and Recover Image Files
Operating system tools
Time consuming
Results are difficult to verify
Computer forensics tools
Image headers: compare them with good header samples
Use header information to create a baseline analysis
Reconstruct fragmented image files
Identify data patterns and modified headers



7.4.1 Identifying Graphics File Fragments
Carving or salvaging: recovering all file fragments
Carving: the process of removing an item from a group of items; salvaging is another term for the same process
Computer forensics tools
Carve from slack and free space
Help identify image file fragments and put them together



7.4.1 Identifying Graphics File Fragments (Cont.)
(Screenshot: the location of the clusters where the data was found, and the data matching the search)



7.4.2 Repairing Damaged Headers
Use good header samples
Each image file format has a characteristic file header
JPEG: FF D8 FF E0 00 10, where FF D8 is the SOI marker every JPEG starts with and FF E0 00 10 is the JFIF APP0 segment; JPEGs written by digital cameras usually carry an Exif APP1 segment instead and start FF D8 FF E1
Most JPEG files also include the JFIF string (Exif files carry the string Exif instead)
Exercise:
Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)





7.4.3 Searching for and Carving Data from Unallocated Space
Steps
Planning your examination
Searching for and recovering digital photograph evidence
Use ProDiscover to search for and extract (recover) possible evidence of JPEG files
False hits are referred to as false positives
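The carving step in practice, as an added example that is not from the slides or from ProDiscover: scan a byte string standing in for unallocated space for the JPEG SOI signature and decide for each hit whether it is a real file or a false positive. The caveat the walker handles is the thumbnail that Exif JPEGs embed inside their APP1 segment: it has its own EOI marker before the main image's, so searching for the first FF D9 after SOI would truncate the carve. The "unallocated space" here is constructed from JPEG skeletons with no decodable scan data.

```python
import hashlib
import struct

JPEG_SOI = b"\xFF\xD8\xFF"   # SOI plus the FF of the marker that must follow it
JPEG_EOI = b"\xFF\xD9"


def jpeg_end(blob, start, max_size):
    """Return the index just past the EOI of a JPEG starting at `start`, or -1.

    Marker segments before SOS are skipped by their declared lengths, so a
    thumbnail stored inside an Exif APP1 segment (with its own EOI) cannot cut
    the carve short. Inside scan data every FF is followed by 00 or an RSTn
    marker, so the first FF D9 after SOS really is the end of this file.
    """
    pos = start + 2
    limit = min(len(blob), start + max_size)
    while pos + 4 <= limit and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            end = blob.find(JPEG_EOI, pos + 2, limit)
            return -1 if end == -1 else end + 2
        if marker == 0xD9:                       # EOI with no scan data at all
            return pos + 2
        length = struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        if length < 2:
            return -1                            # impossible length: not a segment
        pos += 2 + length
    return -1


def carve_jpegs(blob, max_size=50 * 1024 * 1024):
    """Report every SOI hit in the blob as a carved file or a false positive."""
    results = []
    pos = blob.find(JPEG_SOI)
    while pos != -1:
        end = jpeg_end(blob, pos, max_size)
        if end == -1:
            results.append({"offset": pos, "status": "false positive",
                            "size": 0, "sha256": None})
            resume = pos + 1
        else:
            data = blob[pos:end]
            results.append({"offset": pos, "status": "carved", "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
            resume = end                         # skip any SOI inside this file
        pos = blob.find(JPEG_SOI, resume)
    return results


def make_fake_jpeg(payload, thumbnail=None):
    """Constructed sample: SOI, an APP1 that optionally wraps a whole thumbnail
    JPEG, a 2-byte SOS header, byte-stuffed scan data, EOI. Not a real image."""
    app1_body = b"Exif\x00\x00" + (thumbnail or b"")
    app1 = b"\xFF\xE1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    scan = payload.replace(b"\xFF", b"\xFF\x00")   # byte stuffing, as encoders do
    return b"\xFF\xD8" + app1 + b"\xFF\xDA\x00\x02" + scan + b"\xFF\xD9"


def sample_unallocated_space():
    """Constructed free-space blob: one Exif-style JPEG with an embedded thumbnail,
    a stray SOI signature inside text (a false positive), and a plain JPEG."""
    thumb = make_fake_jpeg(b"thumb")
    big = make_fake_jpeg(b"full-size picture data \xFF\x12", thumbnail=thumb)
    plain = make_fake_jpeg(b"second picture")
    return (b"\x00" * 64 + big + b"\x00" * 32 + b"log: \xFF\xD8\xFF oops"
            + b"\x00" * 16 + plain + b"\x00" * 8)


if __name__ == "__main__":
    for hit in carve_jpegs(sample_unallocated_space()):
        print(hit)
```

Each carved hit carries the SHA-256 of the recovered bytes so it can be recorded before the file is opened in a viewer. The stray FF D8 FF inside the text is reported rather than silently dropped: a false positive is still a search hit you may have to account for in the report.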





7.4.4 Rebuilding File Headers
Try to open the file first and follow these steps if you can't see its content
Steps
Recover more pieces of the file if needed
Examine the file header
Compare with a good header sample
Manually insert the correct hexadecimal values
Test the corrected file





7.5 Analyze Image File Headers
Necessary when you find files your tools do not recognize
Use a hex editor such as Hex Workshop
Record the hexadecimal values in the header
Use good header samples
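A worked version of the header check and repair in 7.4.2, 7.4.4 and 7.5, added here and not from the slides or from Hex Workshop: a table of good header samples for the standard bitmap formats, a diff of a damaged file's header against a sample (the values you would otherwise record from the hex editor), and the patch. The damaged file is a constructed JFIF skeleton with its first four bytes zeroed; on a real case the sample should come from a known-good file produced by the same camera or application, not only from the magic-number table, because it then also restores the format-specific bytes that follow the signature.

```python
# Known-good header samples for the standard bitmap formats from 7.2.3. Only the
# bytes every file of a format shares are listed: a JPEG always begins FF D8 FF,
# but the fourth byte is E0 in a JFIF file and E1 in an Exif file, so it is left out.
GOOD_HEADERS = {
    "JPEG": (b"\xFF\xD8\xFF",),
    "PNG": (b"\x89PNG\r\n\x1a\n",),
    "GIF": (b"GIF87a", b"GIF89a"),
    "BMP": (b"BM",),
    "TIFF": (b"II*\x00", b"MM\x00*"),
}


def identify(data):
    """Return the format whose header sample matches the start of `data`, or None."""
    for fmt, samples in GOOD_HEADERS.items():
        if any(data.startswith(s) for s in samples):
            return fmt
    return None


def header_diff(data, sample):
    """(offset, found, expected) for each byte that differs from the good sample:
    the values you would record from the hex editor before patching anything."""
    return [(i, data[i], sample[i]) for i in range(min(len(data), len(sample)))
            if data[i] != sample[i]]


def repair_header(damaged, sample):
    """Return a copy of `damaged` whose first len(sample) bytes are replaced by the
    good sample, refusing if the result still does not identify as any format."""
    patched = bytes(sample) + damaged[len(sample):]
    if identify(patched) is None:
        raise ValueError("sample does not yield a recognised header; wrong format?")
    return patched


def sample_good_jfif():
    """Constructed sample: SOI, a JFIF APP0 segment, EOI, and no image data."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xFF\xD8\xFF\xE0" + (len(app0) + 2).to_bytes(2, "big") + app0 + b"\xFF\xD9"


def damage(data, n=4):
    """Simulate a wiped header: the first n bytes overwritten with zeros."""
    return b"\x00" * n + data[n:]


if __name__ == "__main__":
    good, bad = sample_good_jfif(), damage(sample_good_jfif())
    print("damaged file identifies as:", identify(bad))
    for off, found, want in header_diff(bad, good[:6]):
        print(f"  offset {off:02X}: found {found:02X}, expected {want:02X}")
    fixed = repair_header(bad, good[:6])   # sample = first bytes of a good JFIF file
    print("after repair:", identify(fixed), "| identical to good file:", fixed == good)
```

Work on a copy, as repair_header does, and keep the hash of the damaged original: the patched bytes are your reconstruction, not the evidence, and the report has to say which bytes you changed and why.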





7.6 Reconstructing File Fragments
Locate the starting and ending clusters for each fragmented group of clusters in the file
Steps
Locate and export all clusters of the fragmented file
Determine the starting and ending cluster numbers for each fragmented group of clusters
Copy each fragmented group of clusters in its proper sequence to a recovery file
Rebuild the corrupted file's header to make it readable in a graphics viewer
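The steps above as code, an added example that is not from the slides: copy the runs of clusters in their proper sequence into a recovery buffer, trim to the file size the directory entry reports so the slack in the last cluster is dropped, and sanity-check the result. The disk image is constructed (64 clusters of an assumed 512 bytes; a real FAT volume states its cluster size in the boot sector) and holds a JPEG skeleton split across clusters 5-6 and 12 with another file's data in between.

```python
CLUSTER_SIZE = 512   # assumed for the constructed image; read it from the boot sector on a real volume


def read_clusters(image, runs, cluster_size=CLUSTER_SIZE):
    """Copy each run of clusters, in the order given, into one recovery buffer.
    `runs` holds (first_cluster, last_cluster) pairs, both inclusive, exactly as
    they are read off the disk editor for each fragmented group."""
    out = bytearray()
    for first, last in runs:
        if first > last or (last + 1) * cluster_size > len(image):
            raise ValueError(f"run {first}-{last} lies outside the image")
        out += image[first * cluster_size:(last + 1) * cluster_size]
    return bytes(out)


def reassemble_jpeg(image, runs, file_size, cluster_size=CLUSTER_SIZE):
    """Return (data, plausible): the clusters in sequence, trimmed to the size the
    directory entry reports, plus a check that the result starts with SOI and ends
    with EOI. A wrong run order fails the check even though every cluster is right."""
    data = read_clusters(image, runs, cluster_size)[:file_size]
    plausible = data[:2] == b"\xFF\xD8" and data[-2:] == b"\xFF\xD9"
    return data, plausible


def build_sample_image():
    """Constructed 32 KiB disk image: a 1292-byte JPEG-like file occupies clusters
    5-6 and 12, with another file's data in clusters 7-11 between the two runs."""
    photo = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + bytes(range(256)) * 5 + b"\xFF\xD9"
    image = bytearray(64 * CLUSTER_SIZE)
    image[5 * CLUSTER_SIZE:7 * CLUSTER_SIZE] = photo[:2 * CLUSTER_SIZE]
    image[7 * CLUSTER_SIZE:12 * CLUSTER_SIZE] = b"other file data " * 160
    tail = photo[2 * CLUSTER_SIZE:]
    image[12 * CLUSTER_SIZE:12 * CLUSTER_SIZE + len(tail)] = tail
    return bytes(image), photo


if __name__ == "__main__":
    image, photo = build_sample_image()
    for runs in ([(5, 6), (12, 12)], [(12, 12), (5, 6)]):
        data, ok = reassemble_jpeg(image, runs, len(photo))
        print(runs, "->", len(data), "bytes, plausible:", ok)
```

Run the SOI/EOI check before spending time on the header: if the first run is in the wrong place no amount of header patching will produce a viewable file. When the file size is not known (no directory entry survives), leave the last cluster untrimmed and look for EOI as in carving.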




7.6 Reconstructing File Fragments (Cont.)
Remember to save the updated recovered data with a .jpg extension
Sometimes suspects intentionally corrupt cluster links in a disk's FAT
Clusters unlinked this way show a zero value in a disk editor, the same value a free cluster has, even though they still hold data





7.6.1 Identifying Unknown File Formats
The Internet is the best source
Search engines like Google
Find explanations and viewers
Popular Web sites
www.digitek-asi.com/file_formats.html
www.wotsit.org
http://whatis.techtarget.com



7.6.2 Tools for Viewing Images
Use several viewers
ThumbsPlus
ACDSee
QuickView
IrfanView
GUI forensics tools include image viewers
ProDiscover
EnCase
FTK
X-Ways Forensics
iLook



7.6.3 Understanding Steganography
Steganography hides information inside image files
Ancient technique
Can hide only a certain amount of information
Insertion
Hidden data is placed where the host file's associated program does not display it
You need to analyze the data structure carefully
Example: a Web page carrying text the browser never renders



7.6.3 Understanding Steganography (Cont.)
Substitution
Replaces bits of the host file with bits of data
Usually changes the last two least significant bits (LSBs) of each byte
Detected with steganalysis tools
Usually used with image files
Audio and video options
Hard to detect



7.6.3 Understanding Steganography (Cont.)
Two files are needed to hide a message within an image file:
The file containing the image into which the message is to be put (the host or cover file)
The file containing the message itself
There are three methods to hide messages in images:
Least Significant Bit
Filtering and Masking
Algorithms and Transformation



7.6.4 Using Steganalysis Tools
Detect variations of the graphic image
When steganography is applied correctly you cannot detect the hidden data in most cases
Methods
Compare the suspect file to known good or bad versions of the image
Mathematical calculations verify size and palette color
Compare hash values
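LSB substitution from 7.6.3 and the comparison-based steganalysis above, as one added example that is not from the slides, S-Tools or Hex Workshop: embed_lsb hides a message in the low bits of a cover's pixel bytes (one bit per byte, or two for the "last two LSBs" variant), extract_lsb recovers it, and compare_to_known_good does what the slide suggests, a hash comparison against a known-good copy followed by a check that every changed byte differs only in its low bits. The cover is a constructed grayscale gradient standing in for a bitmap's pixel data.

```python
import hashlib


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(cover, message, bits=1):
    """Substitution steganography: overwrite the `bits` least significant bits of
    consecutive cover bytes with the message, preceded by a 4-byte length so the
    extractor knows where to stop. bits=1 is classic LSB; bits=2 is the
    "last two LSBs" variant from the slide (more capacity, easier to spot)."""
    if 8 % bits:
        raise ValueError("bits must divide 8")
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover) * bits:
        raise ValueError("message does not fit in the cover")
    mask = (1 << bits) - 1
    out = bytearray(cover)
    stream = _bits(payload)
    for i in range(len(payload) * 8 // bits):
        chunk = 0
        for _ in range(bits):
            chunk = (chunk << 1) | next(stream)
        out[i] = (out[i] & ~mask) | chunk     # keep the high bits, replace the low ones
    return bytes(out)


def _unpack(stego, bits, nbytes, offset=0):
    """Rebuild nbytes of payload from the low `bits` of stego bytes at `offset`."""
    mask, per_byte = (1 << bits) - 1, 8 // bits
    out = bytearray()
    for k in range(nbytes):
        value = 0
        for j in range(per_byte):
            value = (value << bits) | (stego[offset + k * per_byte + j] & mask)
        out.append(value)
    return bytes(out), offset + nbytes * per_byte


def extract_lsb(stego, bits=1):
    """Inverse of embed_lsb. On a clean cover the length prefix is just pixel
    noise, so an implausible length is reported as 'no message' instead of
    returning garbage."""
    header, pos = _unpack(stego, bits, 4)
    length = int.from_bytes(header, "big")
    if length * (8 // bits) > len(stego) - pos:
        raise ValueError("length prefix is implausible: probably no hidden message")
    return _unpack(stego, bits, length, pos)[0]


def compare_to_known_good(original, suspect):
    """Steganalysis by comparison with a known-good copy: hash first, then count
    changed bytes and check whether every change is confined to the two low bits
    of a byte, the fingerprint of LSB substitution."""
    if hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest():
        return {"identical": True, "changed_bytes": 0, "lsb_only": True}
    diffs = [a ^ b for a, b in zip(original, suspect) if a != b]
    return {"identical": False, "changed_bytes": len(diffs),
            "lsb_only": all(d & 0xFC == 0 for d in diffs)}


def sample_cover(width=64, height=64):
    """Constructed 8-bit grayscale gradient standing in for a bitmap's pixel data."""
    return bytes((x + y) & 0xFF for y in range(height) for x in range(width))


if __name__ == "__main__":
    cover = sample_cover()
    stego = embed_lsb(cover, b"meet at noon", bits=2)
    print(extract_lsb(stego, bits=2), compare_to_known_good(cover, stego))
```

The comparison only works when a known-good copy exists, which is the slide's point: without it, a file whose changes sit entirely in the low bits looks like ordinary sensor noise, and you are left with statistical steganalysis of the LSB plane rather than a diff.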



7.6.4 Using Steganalysis Tools (Cont.)
Hex Workshop
The Hex Workshop application can detect and write messages onto a file
Investigators use the Hex Workshop tool to reconstruct damaged file headers



7.6.4 Using Steganalysis Tools (Cont.)
S-Tools
S-Tools can hide and detect files hidden in BMP, GIF and WAV files
Investigators have the advantage of multi-threaded operation
Investigators can run hide/reveal operations
7.6.5 Identifying Copyright Issues with Graphics
Steganography techniques were originally used to embed watermarks
Copyright laws for the Internet are not clear
There is no international copyright law
Check www.copyright.gov



7.6.5 Identifying Copyright Issues with Graphics (Cont.)
Section 106 of the 1976 Copyright Act generally gives the copyright owner the exclusive right to do, and to authorize others to do, the following:
To perform the work publicly
To display the copyrighted work publicly
In the case of sound recordings, to perform the work publicly by means of a digital audio transmission
To reproduce the work in copies or phonorecords
To prepare derivative works based upon the work
7.6.5 Identifying Copyright Issues with Graphics (Cont.)
Works protected by copyright include:
Literary works
Musical works, including any accompanying words
Dramatic works, including any accompanying music
Pantomimes and choreographic works
Pictorial, graphic, and sculptural works
Motion pictures and other audiovisual works
Sound recordings
Architectural works



Summary
Image types
Bitmap
Vector
Metafile
Image quality depends on various factors
Image formats
Standard
Nonstandard
Digital camera photos are usually in raw, JPEG, and Exif formats



Summary
Some image formats compress their data
Lossless compression
Lossy compression
Recovering image files
Rebuilding image headers
Carving file fragments
Software
Image editors
Image viewers



Summary
Steganography
Hides information in image files
Forms
Insertion
Substitution
Steganalysis
Determines whether an image file hides information



End of Chapter 7
