
Presentation on theme: "Chapter 8 Recovering Graphics Files"— Presentation transcript:

1 Chapter 8 Recovering Graphics Files
Guide to Computer Forensics and Investigations, Fifth Edition

2 Objectives
- Describe types of graphics file formats
- Explain types of data compression
- Explain how to locate and recover graphics files
- Describe how to identify unknown file formats
- Explain copyright issues with graphics

3 Recognizing a Graphics File
- Graphics files contain digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures
- Bitmap images: a collection of dots (pixels)
- Vector graphics: based on mathematical instructions
- Metafile graphics: a combination of bitmap and vector
- Types of programs: graphics editors and image viewers

4 Understanding Bitmap and Raster Images
- Bitmap images: grids of individual pixels
- Raster images: also collections of pixels, stored in rows; better suited for printing
- Image quality depends on:
  - Screen resolution, which determines the amount of detail
  - Software, such as display drivers
  - The number of color bits used per pixel

5 Understanding Vector Graphics
- Use lines instead of dots
- Store only the calculations for drawing lines and shapes
- Smaller than bitmap files
- Preserve quality when the image is enlarged
- Examples: CorelDRAW, Adobe Illustrator

6 Understanding Metafile Graphics
- Metafile graphics combine raster and vector graphics
- Example: a scanned photo (bitmap) with text (vector)
- Share the advantages and disadvantages of both types
- When enlarged, the bitmap part loses quality

7 Understanding Graphics File Formats
- Standard bitmap file formats
  - Portable Network Graphics (.png)
  - Graphics Interchange Format (.gif)
  - Joint Photographic Experts Group (.jpeg, .jpg)
  - Tagged Image File Format (.tiff, .tif)
  - Windows Bitmap (.bmp)
- Standard vector file formats
  - Hewlett-Packard Graphics Language (.hpgl)
  - AutoCAD Drawing Exchange Format (.dxf)

8 Understanding Graphics File Formats
- Nonstandard graphics file formats
  - Targa (.tga)
  - Raster Transfer Language (.rtl)
  - Adobe Photoshop (.psd) and Illustrator (.ai)
  - FreeHand (.fh9)
  - Scalable Vector Graphics (.svg)
  - Paintbrush (.pcx)
- Search the Web for software that can open and examine unknown image formats

9 Understanding Digital Camera File Formats
- Witnesses or suspects can create their own digital photos
- Examining the raw file format
  - Referred to as a digital negative
  - Typically found on higher-end digital cameras
  - The camera's sensor records the pixel data directly to the camera's memory card, without in-camera processing
  - Raw format maintains the best picture quality

10 Understanding Digital Camera File Formats
- Examining the raw file format (cont'd)
  - The biggest disadvantage is that raw formats are proprietary, so not all image viewers can display them
  - Demosaicing is the step in converting raw sensor data to a viewable format that reconstructs full-color pixels from the sensor's color-filter mosaic
- Examining the Exchangeable Image File (Exif) format
  - Commonly used to store digital pictures
  - Developed by JEITA as a standard for storing metadata in JPEG and TIFF files

11 Understanding Digital Camera File Formats
- Examining the Exif format (cont'd)
  - Exif metadata records the type of digital camera and the conditions under which the pictures were taken, which investigators can use to learn more about the evidence
  - Viewing an Exif JPEG file's metadata requires special programs, such as Exif Reader, IrfanView, or ProDiscover
  - Exif stores the metadata at the beginning of the file, in an APP1 segment that follows the JPEG start-of-image marker

12 to 14 Understanding Digital Camera File Formats (figure slides; no transcript text)

15 Understanding Digital Camera File Formats
- Examining the Exif format (cont'd)
  - With tools such as ProDiscover and Exif Reader, you can extract the metadata as evidence for your case
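As an added worked example (not from the textbook, the slides, or any of the tools they name), the following Python script shows where an Exif JPEG keeps its metadata and how a viewer gets at it: it walks the marker segments after the SOI marker, finds the APP1 segment whose payload starts with "Exif", and parses the TIFF-style IFD0 inside it. The sample JPEG is constructed in the script itself; the camera make "ExampleCam" and model "X-100" are made-up values, not real camera identifiers.

```python
import struct

# Exif/TIFF tag numbers an investigator looks for first (IFD0 tags).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x0131: "Software", 0x8769: "ExifIFDPointer"}


def build_sample_exif_jpeg():
    """Constructed sample: a minimal Exif JPEG (SOI, one APP1 segment carrying a
    little-endian TIFF header and an IFD0 with Make and Model, then EOI).
    It is not a real photograph; the camera strings are hypothetical."""
    make, model = b"ExampleCam\0", b"X-100\0"
    tiff = b"II" + struct.pack("<HI", 42, 8)          # byte order, magic 42, IFD0 at offset 8
    n = 2
    data_start = 8 + 2 + 12 * n + 4                   # header + count + entries + next-IFD link
    make_off, model_off = data_start, data_start + len(make)
    ifd = struct.pack("<H", n)
    ifd += struct.pack("<HHII", 0x010F, 2, len(make), make_off)    # Make, type 2 = ASCII
    ifd += struct.pack("<HHII", 0x0110, 2, len(model), model_off)  # Model
    ifd += struct.pack("<I", 0)                                    # no next IFD
    tiff += ifd + make + model
    payload = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def find_app1_exif(data):
    """Walk JPEG marker segments from SOI; return (offset, tiff_bytes) of the
    APP1 segment whose payload starts with the Exif identifier, or None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker FF D8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or SOS: metadata segments are over
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return pos, payload[6:]
        pos += 2 + seg_len
    return None


def parse_ifd0(tiff):
    """Parse the TIFF header and IFD0 of an Exif payload into {tag_name: value}."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        ent = ifd_off + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[ent:ent + 12])
        if typ == 2:   # ASCII: stored inline if it fits in 4 bytes, else at offset val
            raw = tiff[val:val + n] if n > 4 else tiff[ent + 8:ent + 8 + n]
            value = raw.rstrip(b"\0").decode("ascii", "replace")
        else:
            value = val  # other types: keep the raw 4-byte value/offset field
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = value
    return tags


def extract_exif(data):
    """Return IFD0 tags plus the APP1 segment's file offset, or None if no Exif."""
    found = find_app1_exif(data)
    if found is None:
        return None
    offset, tiff = found
    tags = parse_ifd0(tiff)
    tags["_app1_offset"] = offset
    return tags


if __name__ == "__main__":
    sample = build_sample_exif_jpeg()
    print("label at offset 6:", sample[6:10])
    print(extract_exif(sample))
```

The APP1 segment sits at file offset 2, right after FF D8, which is why the label "Exif" appears at offset 6 in a hex editor. On a real photograph the same walk also passes APP0 (JFIF), DQT and other segments before it reaches the start-of-scan marker, at which point the search stops because no further metadata segments can follow.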

16 Understanding Digital Camera File Formats (figure slide; no transcript text)

17 Understanding Data Compression
- Some image formats compress their data, such as GIF and JPEG
- Others, like BMP, typically do not; use a data compression tool when you need to shrink files in those formats
- Data compression: coding data from a larger to a smaller form
- Two types: lossless compression and lossy compression

18 Lossless and Lossy Compression
- Lossless compression
  - Reduces file size without removing data; the original is recovered exactly
  - Based on Huffman or Lempel-Ziv-Welch (LZW) coding, which exploit redundant bits of data
  - Utilities: WinZip, PKZip, StuffIt, and FreeZip
- Lossy compression
  - Permanently discards bits of information
  - Vector quantization (VQ) determines what data to discard based on vectors in the graphics file
  - Example: JPEG image compression

19 Locating and Recovering Graphics Files
- Operating system tools
  - Time consuming
  - Results are difficult to verify
- Digital forensics tools
  - Examine image headers and compare them with known good header samples
  - Use header information to create a baseline analysis
  - Reconstruct fragmented image files
  - Identify data patterns and modified headers

20 Identifying Graphics File Fragments
- Carving (or salvaging): recovering fragments of any type of file
- Digital forensics tools
  - Can carve from file slack and free space
  - Help identify image file fragments and put them together

21 Repairing Damaged Headers
- When examining recovered fragments from files in slack or free space, you might find data that appears to be a header
- If the header data is partially overwritten, you must reconstruct the header to make the file readable
- Do this by comparing the hexadecimal values of known graphics file formats with the pattern of the header you found

22 Repairing Damaged Headers
- Each graphics file format has a unique header value
- Example: a JPEG file begins with the hexadecimal value FF D8; at offset 6 a standard JPEG carries the label JFIF (after the APP0 marker FF E0) and an Exif JPEG carries the label Exif (after the APP1 marker FF E1)
- Exercise: investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)

23 to 24 Repairing Damaged Headers (figure slides; no transcript text)

25 Searching For and Carving Data from Unallocated Space
- Steps
  - Plan your examination
  - Search for and recover digital photograph evidence
- Use ProDiscover to search for and extract (recover) possible JPEG file evidence
- Hits on the search pattern that turn out not to be JPEG files are called false positives
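As an added example, not from the book and not ProDiscover's own logic, here is a minimal JPEG carver in Python run over a constructed buffer standing in for unallocated space. It searches for the FF D8 FF pattern and then validates each hit by walking the marker segments up to the start-of-scan marker; that walk is what rejects false positives (bytes that happen to begin FF D8 FF but are not followed by a consistent chain of length-prefixed segments) before anything is exported. The sample JPEGs are skeletons built in the script and are not decodable pictures.

```python
import struct

SOI_PATTERN = b"\xff\xd8\xff"   # FF D8 (SOI) followed by the first marker's FF byte
EOI = b"\xff\xd9"


def build_sample_jpeg(scan_bytes):
    """Constructed minimal JPEG skeleton: SOI, APP0/JFIF, SOF0, SOS, stand-in scan
    data, EOI. Quantization and Huffman tables are omitted, so this is only a
    carving target, not a decodable picture."""
    def seg(marker, body):
        return marker + struct.pack(">H", len(body) + 2) + body
    app0 = b"JFIF\0" + bytes([1, 1, 0]) + struct.pack(">HH", 72, 72) + b"\0\0"
    sof0 = struct.pack(">BHHB", 8, 8, 8, 1) + bytes([1, 0x11, 0])  # 8x8, one component
    sos = bytes([1, 1, 0x00, 0, 63, 0])
    return (b"\xff\xd8" + seg(b"\xff\xe0", app0) + seg(b"\xff\xc0", sof0)
            + seg(b"\xff\xda", sos) + scan_bytes + EOI)


def build_unallocated_sample():
    """Constructed 'unallocated space': zero fill, two JPEGs, and a decoy that
    starts with FF D8 FF but has no valid marker chain (a classic false positive).
    Returns the blob and the offsets where the real JPEGs were placed."""
    a = build_sample_jpeg(b"\x12\x34\x56")
    b = build_sample_jpeg(b"\x78\x9a\xbc\xde")
    decoy = b"\xff\xd8\xff\x00junk" + EOI
    blob = b"\x00" * 512 + a + b"\x00" * 100 + decoy + b"\x00" * 64 + b
    return blob, [512, 512 + len(a) + 100 + len(decoy) + 64]


def jpeg_structure_ok(candidate):
    """Validate a candidate by walking its marker segments from SOI to SOS.
    Random FF D8 FF bytes in slack almost never form a consistent chain of
    length-prefixed segments that includes a frame header (SOF)."""
    pos, seen_sof = 2, False
    while pos + 4 <= len(candidate):
        if candidate[pos] != 0xFF:
            return False
        marker = candidate[pos + 1]
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            return seen_sof
        if marker in (0xD8, 0xD9, 0x01) or 0xD0 <= marker <= 0xD7:
            return False                         # standalone markers have no place here
        seg_len = struct.unpack(">H", candidate[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return False
        if marker in (0xC0, 0xC1, 0xC2):         # SOF0/SOF1/SOF2
            seen_sof = True
        pos += 2 + seg_len
    return False


def carve_jpegs(blob):
    """Return [(offset, bytes)] for each header-to-EOI span that validates.
    Caveat: an embedded Exif thumbnail carries its own EOI, so on real data the
    first FF D9 after the header can end the carve early."""
    results, pos = [], 0
    while True:
        start = blob.find(SOI_PATTERN, pos)
        if start == -1:
            break
        end = blob.find(EOI, start + 2)
        if end == -1:
            break
        candidate = blob[start:end + 2]
        if jpeg_structure_ok(candidate):
            results.append((start, candidate))
            pos = end + 2
        else:
            pos = start + 1                      # false positive: keep scanning
    return results


if __name__ == "__main__":
    blob, placed = build_unallocated_sample()
    for off, data in carve_jpegs(blob):
        print("JPEG at offset %d, %d bytes" % (off, len(data)))
    print("expected offsets:", placed)
```

Searching for FF D8 alone produces far more hits than FF D8 FF, and even the longer pattern still needs the structural check: the decoy in the sample begins with the right three bytes and is dropped only because its "segment length" points past the end of the data.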

26 to 30 Searching for and Carving Data from Unallocated Space (figure slides; no transcript text)

31 Rebuilding File Headers
- Before attempting to edit a recovered graphics file, try to open it with an image viewer
- If the image isn't displayed, inspect and correct the header values manually
- Steps
  - Recover more pieces of the file if needed
  - Examine the file header
  - Compare it with a good header sample
  - Manually insert the correct hexadecimal values
  - Test the corrected file in an image viewer
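The header comparison described on slides 21, 22 and 31 (examine the header, compare it with a good sample, insert the correct hex values, test), as an added Python example rather than anything from the book or from ProDiscover or WinHex. The recovered fragment is constructed here: a JFIF header whose first four bytes were zeroed, the kind of partial overwrite the slides describe. The label at offset 6 tells you which good sample to compare against, and the segment-length check is the "test" step that tells you whether offsets 4 and 5 were damaged too.

```python
import struct

# Known good header samples to compare against a recovered fragment. Offsets and
# magic bytes are the published values for each format.
SIGNATURES = [
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),                # GIF87a or GIF89a
    ("bmp", 0, b"BM"),
    ("tiff", 0, b"II*\x00"),            # little-endian TIFF
    ("tiff", 0, b"MM\x00*"),            # big-endian TIFF
]

# The first four bytes of a standard JPEG, keyed by the label found at offset 6:
# SOI, then APP0 (JFIF) or APP1 (Exif); the two-byte segment length follows.
GOOD_JPEG_PREFIX = {b"JFIF": b"\xff\xd8\xff\xe0", b"Exif": b"\xff\xd8\xff\xe1"}


def build_sample_jfif():
    """Constructed: a JFIF header (SOI + APP0) followed directly by EOI; enough to
    exercise the header checks, not a decodable picture."""
    app0 = b"JFIF\0" + bytes([1, 1, 0]) + struct.pack(">HH", 72, 72) + b"\0\0"
    return b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + b"\xff\xd9"


def build_damaged_fragment():
    """Constructed: the same header with its first four bytes overwritten by zeros,
    as a fragment recovered from slack might look."""
    return b"\x00" * 4 + build_sample_jfif()[4:]


def identify(data):
    """Name the format from its header, distinguishing JFIF and Exif JPEGs."""
    for name, off, magic in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            if name == "jpeg":
                label = data[6:10]
                if label in GOOD_JPEG_PREFIX:
                    return "jpeg/" + label.decode("ascii").lower()
            return name
    return "unknown"


def diagnose_jpeg_fragment(data):
    """If the label at offset 6 says this was a JPEG, report which of the first
    four bytes differ from the good sample. Returns (good_prefix, bad_offsets)."""
    good = GOOD_JPEG_PREFIX.get(data[6:10])
    if good is None:
        return None
    return good, [i for i in range(4) if data[i] != good[i]]


def repair_jpeg_header(data):
    """Rebuild the first four bytes from the good sample. Returns (fixed, offsets)."""
    found = diagnose_jpeg_fragment(data)
    if found is None:
        raise ValueError("no JFIF/Exif label at offset 6; header origin cannot be inferred")
    good, bad = found
    fixed = bytearray(data)
    for i in bad:
        fixed[i] = good[i]
    return bytes(fixed), bad


def first_segment_length_ok(data):
    """Test step: the length at offsets 4-5 must land on the next marker's FF byte.
    If it does not, the length field was overwritten too and needs manual repair."""
    if len(data) < 6:
        return False
    seg_len = struct.unpack(">H", data[4:6])[0]
    nxt = 4 + seg_len
    return nxt < len(data) and data[nxt] == 0xFF


def hex_dump(data, n=16):
    """Spaced hex of the first n bytes, the way a hex editor shows a header."""
    return " ".join("%02X" % b for b in data[:n])


if __name__ == "__main__":
    damaged = build_damaged_fragment()
    print("recovered:", hex_dump(damaged), "->", identify(damaged))
    fixed, bad = repair_jpeg_header(damaged)
    print("repaired: ", hex_dump(fixed), "->", identify(fixed), "patched offsets", bad)
    print("segment length consistent:", first_segment_length_ok(fixed))
```

The same table of good samples doubles as the header search string mentioned on slide 43: once you have recorded the bytes of an unfamiliar format in a hex editor, add them to SIGNATURES and the identifier will find that format on the next drive.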

32 to 36 Rebuilding File Headers (figure slides; no transcript text)

37 Reconstructing File Fragments
- Locate the noncontiguous clusters that make up a deleted file
- Steps
  - Locate and export all clusters of the fragmented file
  - Determine the starting and ending cluster numbers for each fragmented group of clusters
  - Copy each group of clusters, in the correct sequence, to a recovery file
  - Rebuild the file's header so it can be read in a graphics viewer
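The four steps on this slide, as an added Python example that is not from the book or its tools. The disk image is constructed here with an assumed 512-byte cluster size: a PNG is split across two non-adjacent cluster runs and everything else is filler. The script copies the runs in sequence into a recovery buffer and then verifies the result by recomputing every PNG chunk CRC, which is a stronger test than just opening the file, since a header can look right while the middle of the file is in the wrong order.

```python
import struct
import zlib

CLUSTER = 512   # assumed cluster size of the constructed disk image


def png_chunk(ctype, payload):
    """Length, type, payload, CRC-32 over type and payload (PNG chunk layout)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 64x64 8-bit grayscale PNG, stored uncompressed so the IDAT
    chunk spans several clusters and the file can be fragmented realistically."""
    w = h = 64
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0))
    rows = b"".join(b"\x00" + bytes((x * y) & 0xFF for x in range(w)) for y in range(h))
    idat = png_chunk(b"IDAT", zlib.compress(rows, 0))
    return b"\x89PNG\r\n\x1a\n" + ihdr + idat + png_chunk(b"IEND", b"")


def build_sample_disk(file_bytes):
    """Constructed disk image: the file's clusters are written in two runs that
    are not adjacent (clusters 10.. and 20..); everything else is 0xEE filler.
    Returns (disk, runs, logical_size) where runs are inclusive cluster ranges
    in file order, as an examiner would record them from the file system."""
    disk = bytearray(b"\xee" * (CLUSTER * 32))
    pieces = [file_bytes[i:i + CLUSTER] for i in range(0, len(file_bytes), CLUSTER)]
    placement = [(10, pieces[:4]), (20, pieces[4:])]
    runs = []
    for first_cluster, group in placement:
        for k, piece in enumerate(group):
            off = (first_cluster + k) * CLUSTER
            disk[off:off + len(piece)] = piece
        runs.append((first_cluster, first_cluster + len(group) - 1))
    return bytes(disk), runs, len(file_bytes)


def reassemble(disk, runs, logical_size):
    """Copy each cluster run, in sequence, into one recovery buffer and drop the
    slack after the file's logical end."""
    out = bytearray()
    for start, end in runs:
        out += disk[start * CLUSTER:(end + 1) * CLUSTER]
    return bytes(out[:logical_size])


def png_chunks_valid(data):
    """Verification step: recompute every chunk CRC. A run copied out of order
    breaks the CRC of whichever chunk straddles the wrong join, so this catches
    sequencing mistakes that a header check alone would miss."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        return False
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


if __name__ == "__main__":
    png = build_sample_png()
    disk, runs, size = build_sample_disk(png)
    print("cluster runs in file order:", runs)
    print("correct order valid:", png_chunks_valid(reassemble(disk, runs, size)))
    wrong = [(10, 10), (20, 24), (11, 13)]
    print("wrong order valid:  ", png_chunks_valid(reassemble(disk, wrong, size)))
```

The wrong-order case in the usage above keeps the first cluster in place, so the PNG signature and IHDR still verify and a viewer might even show a partial image; only the IDAT CRC exposes the bad join. The logical size comes from the file system record when one survives; without it, truncate at the end of the IEND chunk instead.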

38 to 41 Reconstructing File Fragments (figure slides; no transcript text)

42 Identifying Unknown File Formats
- Knowing the purpose of each format and how it stores data is part of the investigation process
- The Internet is the best source
  - Search engines like Google
  - Explanations of the format and viewers that can open it
  - Popular Web sites

43 Analyzing Graphics File Headers
- Necessary when you find files your tools do not recognize
- Use a hexadecimal editor such as WinHex
- Record the hexadecimal values in the header and use them to define a file type
- Example: the XIF file format is old, and little information about it is available; the first 3 bytes of an XIF file are the same as those of a TIF file
- Build your own header search string from the recorded values

44 to 45 Analyzing Graphics File Headers (figure slides; no transcript text)

46 Tools for Viewing Images
- After recovering a graphics file, use an image viewer to open and view it
- No single viewer program can read every file format, so having several different viewers is best
- Most GUI forensics tools include image viewers that display common image formats
- Be sure to analyze, identify, and inspect every unknown file on a drive

47 Understanding Steganography in Graphics Files
- Steganography hides information inside image files
- An ancient technique
- Two major forms: insertion and substitution
- Insertion
  - The hidden data is not displayed when the host file is viewed in its associated program
  - You need to analyze the data structure carefully
  - Example: a Web page whose hidden data never appears in the browser

48 to 49 Understanding Steganography in Graphics Files (figure slides; no transcript text)

50 Understanding Steganography in Graphics Files
- Substitution
  - Replaces bits of the host file with the bits of the hidden data
  - Usually changes only the one or two least significant bits (LSBs) of each value
  - Detected with steganalysis tools (also called steg tools)
- You should inspect all files for evidence of steganography
- Clues to look for:
  - Duplicate files with different hash values
  - Steganography programs installed on the suspect's drive

51 to 53 Understanding Steganography in Graphics Files (figure slides; no transcript text)

54 Using Steganalysis Tools
- Use steg tools to detect, decode, and record hidden data
- They detect variations in the graphic image
- When steganography is applied correctly, the hidden data cannot be detected by visual inspection in most cases
- Check whether the file size, image quality, or file extensions have changed
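An added example, not from the book and not the logic of any particular steg tool, covering the substitution technique on slide 50 and the clues on slides 50 and 54: LSB substitution in Python, run on a constructed byte array standing in for the pixel data of an uncompressed 8-bit bitmap (headers omitted). It embeds a message in the least significant bits, extracts it again, and then reproduces the examiner's view: the cover and stego files are the same size and look the same, their hashes differ, and every changed byte differs only in its low bit.

```python
import hashlib


def build_sample_pixels(n=4096):
    """Constructed stand-in for the pixel array of an uncompressed 8-bit bitmap
    (headers omitted); deterministic so the results are reproducible."""
    return bytes((i * 73 + 11) & 0xFF for i in range(n))


def embed_lsb(cover, secret):
    """Substitution steganography: overwrite the least significant bit of each
    cover byte with one message bit. A 4-byte big-endian length prefix lets the
    extractor know where the payload ends."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: %d bits needed, %d bytes available"
                         % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read(start, n):
        out = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def compare_duplicates(original, suspect):
    """Steganalysis clue from slide 50: two 'duplicate' files whose hashes differ.
    Report whether they differ only in the LSB plane, which is exactly what
    substitution leaves behind (size and visible content unchanged)."""
    if len(original) != len(suspect):
        return {"same_size": False}
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    lsb_only = all((original[i] & 0xFE) == (suspect[i] & 0xFE) for i in changed)
    return {
        "same_size": True,
        "same_hash": sha256_hex(original) == sha256_hex(suspect),
        "changed_bytes": len(changed),
        "lsb_only": lsb_only,
        "last_changed_offset": changed[-1] if changed else None,
    }


if __name__ == "__main__":
    cover = build_sample_pixels()
    stego = embed_lsb(cover, b"meet at 0900")
    print("extracted:", extract_lsb(stego))
    print("cover sha256:", sha256_hex(cover)[:16], "stego sha256:", sha256_hex(stego)[:16])
    print(compare_duplicates(cover, stego))
```

Because substitution never changes the file size, the size check on slide 54 catches insertion but not this technique; the hash mismatch between two otherwise identical images is the clue that survives, and the "lsb_only" result, together with the changed bytes all sitting at the start of the pixel data, is the pattern a steganalysis tool is looking for.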

55 Understanding Copyright Issues with Graphics
- Steganography has been used to protect copyrighted material by inserting digital watermarks into a file
- Digital investigators need to be aware of copyright laws
- Copyright laws for the Internet are not clear
- There is no international copyright law
- The U.S. Copyright Office identifies what can and can't be covered under copyright law in the U.S.

56 Summary
- Three types of graphics files: bitmap, vector, and metafile
- Image quality depends on various factors
- Standard file formats: .gif, .jpeg, .bmp, and .tif
- Nonstandard file formats: .tga, .rtl, .psd, and .svg
- Some image formats compress their data, using lossless or lossy compression

57 Summary
- Digital camera photos are typically in raw and Exif JPEG formats
- Recovering image files: carving file fragments and rebuilding image headers
- The Internet is the best place to learn more about file formats and their extensions
- Software: image editors and image viewers

58 Summary
- Steganography hides information inside image files; its forms are insertion and substitution
- Steganalysis finds whether image files hide information
