Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files.


Transcript of Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files.

Page 1: Guide to Computer Forensics and Investigations, Second Edition Chapter 11 Recovering Image Files.

Guide to Computer Forensics and Investigations, Second Edition

Chapter 11: Recovering Image Files


Guide to Computer Forensics and Investigations, 2e 2

Objectives

• Recognize image files

• Understand data compression

• Locate and recover image files

• Analyze image file headers

• Identify copyright issues with graphics


Recognizing an Image File

• Contains graphics
– Bitmap: collection of dots
– Vector: mathematical instructions
– Metafile: combination of bitmap and vector

• Types of programs
– Graphics editors
– Image viewers


Understanding Bitmap and Raster Images

• Bitmap images
– Grids of individual pixels

• Raster images
– Pixels are stored in rows
– Better for printing

• Image quality
– Screen resolution
– Software
– Number of color bits used per pixel


Understanding Vector Images

• Characteristics
– Use lines
– Store only the mathematics for drawing lines and shapes
– Smaller size
– Preserve quality when image is enlarged

• CorelDraw, Adobe Illustrator

• You can save vector images as bitmap images
– Do not save bitmap images as vector images


Understanding Metafile Graphics

• Combine raster and vector graphics

• Example: scanned photo (bitmap) with text (vector)

• Share advantages and disadvantages of both types
– When enlarged, bitmap part loses quality


Understanding Image File Formats

• Standard bitmap image file formats
– Graphics Interchange Format (.gif)
– Joint Photographic Experts Group (.jpeg, .jpg)
– Tagged Image File Format (.tiff, .tif)
– Windows Bitmap (.bmp)

• Standard vector image file formats
– Hewlett-Packard Graphics Language (.hpgl)
– AutoCAD (.dxf)


Understanding Image File Formats (continued)

• Nonstandard image file formats
– Targa (.tga)
– Raster Transfer Language (.rtl)
– Adobe Photoshop (.psd) and Illustrator (.ai)
– Freehand (.fh9)
– Scalable Vector Graphics (.svg)
– Paintbrush (.pcx)

• Search the Web for software to manipulate unknown image formats


Understanding Data Compression

• Some image formats compress their data
– GIF, JPEG, PNG

• Others, like BMP, do not compress their data

• Use data compression tools for those formats

• Data compression
– Coding of data from a larger to a smaller size


Reviewing Lossless and Lossy Compression

• Lossless compression
– Reduces file size without removing data
– Based on Huffman or Lempel-Ziv-Welch coding
– For redundant bits of data
– WinZip, PKZip, FreeZip

• Lossy compression
– Permanently discards bits of information
– Vector quantization (VQ)
– Lzip
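The distinction between the two kinds of compression is easiest to see in code. The following is an added example, not material from the textbook: a minimal Lempel-Ziv-Welch encoder and decoder that round-trips its input exactly (lossless), next to a bit-dropping quantizer that cannot be reversed (lossy). The sample inputs in the test are constructed; the 12-bit code width used for the ratio estimate is an assumption.

```python
"""Lossless (LZW) versus lossy (quantization) compression, as an added example."""


def lzw_compress(data: bytes) -> list[int]:
    """Classic LZW: the dictionary starts with all 256 single bytes and grows
    with every new sequence seen, so repeated data collapses into short codes."""
    dictionary = {bytes([i]): i for i in range(256)}
    next_code = 256
    w = b""
    codes: list[int] = []
    for byte in data:
        wc = w + bytes([byte])
        if wc in dictionary:
            w = wc
        else:
            codes.append(dictionary[w])
            dictionary[wc] = next_code
            next_code += 1
            w = bytes([byte])
    if w:
        codes.append(dictionary[w])
    return codes


def lzw_decompress(codes: list[int]) -> bytes:
    """Rebuilds the same dictionary while reading codes, so no table is stored."""
    if not codes:
        return b""
    dictionary = {i: bytes([i]) for i in range(256)}
    next_code = 256
    w = dictionary[codes[0]]
    out = bytearray(w)
    for code in codes[1:]:
        if code in dictionary:
            entry = dictionary[code]
        elif code == next_code:
            entry = w + w[:1]  # code emitted before its entry existed (KwKwK case)
        else:
            raise ValueError(f"invalid LZW code {code}")
        out += entry
        dictionary[next_code] = w + entry[:1]
        next_code += 1
        w = entry
    return bytes(out)


def compression_ratio(data: bytes, code_width_bits: int = 12) -> float:
    """Compressed size over original size, assuming fixed-width 12-bit codes."""
    return (len(lzw_compress(data)) * code_width_bits) / (len(data) * 8)


def quantize_lossy(data: bytes, keep_bits: int = 4) -> bytes:
    """Lossy step in the spirit of vector quantization: keep only the top bits
    of each sample. The dropped bits are gone; no decoder can restore them."""
    mask = (0xFF << (8 - keep_bits)) & 0xFF
    return bytes(b & mask for b in data)
```

Run `lzw_decompress(lzw_compress(x)) == x` on any byte string to confirm the lossless property; `quantize_lossy` shrinks the value range instead and makes a different input map to the same output, which is why a lossy image cannot be restored to its original.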


Locating and Recovering Image Files

• OS tools
– Time consuming
– Results are difficult to verify

• Computer forensics tools
– Image headers
  • Compare them with good header samples
– Reconstruct fragmented image files
  • Identify data patterns and modified headers


Identifying Image File Fragments

• Carving or salvaging
– Recovering all fragments

• Computer forensics tools
– Carve from slack and free space
– Help identify image file fragments and put them together


Repairing Damaged Headers

• Use good header samples

• Each image file format has a unique file header
– JPEG: FF D8 FF E0 00 10
– Most JPEG files also include the JFIF string


Carving Data from Unallocated Space

• Steps:
– Create a duplicate bit-stream copy
– Update your tools to search for image files
– Search for image files (or fragments)
– Carve for fragments using the results from your search
  • Determine all clusters the image is using
– Recover deleted data
  • Determine absolute beginning and ending cluster


Carving Data from Unallocated Space (continued)

• Steps (continued):
– Rebuild image file header
  • Use hex editor to manually insert correct codes
– Save as a new file
– Test your new image file
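The search-and-carve steps above are done in the chapter with DriveSpy. As an added example that is not the book's procedure, the Python below does the same header/footer search over a raw dump of unallocated space: it looks for the JPEG start-of-image marker, takes everything up to the end-of-image marker as one candidate, flags candidates whose footer is missing as fragments, records the JFIF string and a SHA-256 hash for each, and reports offsets in 512-byte sectors (the sector size is an assumption). The dump it scans is constructed inline, not a real disk image; the bytes FF D8 FF E0 00 10 and the JFIF string are the ones the slides give.

```python
"""Header/footer carving of JPEG candidates from an unallocated-space dump.
Added example; it stands in for the DriveSpy steps in the slides."""
import hashlib
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the 0xFF of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
SECTOR = 512                 # assumed sector size for offset reporting


def carve_jpegs(stream: bytes, max_size: int = 10 * 1024 * 1024) -> list[dict]:
    """Return every JPEG candidate found in the stream, complete or fragment."""
    results: list[dict] = []
    pos = 0
    while True:
        start = stream.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = stream.find(JPEG_EOI, start + len(JPEG_SOI))
        complete = end != -1 and (end + 2 - start) <= max_size
        stop = end + 2 if complete else min(start + max_size, len(stream))
        data = stream[start:stop]
        results.append({
            "offset": start,
            "sector": start // SECTOR,          # where the cluster search should begin
            "length": len(data),
            "complete": complete,               # False: no EOI, treat as a fragment
            "has_jfif": data[6:10] == b"JFIF",  # the JFIF string most JPEGs carry
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
        # After a complete file resume past its EOI; after a fragment resume just
        # past its SOI so a second header inside the fragment is still found.
        pos = stop if complete else start + len(JPEG_SOI)
    return results


def save_candidates(results: list[dict], outdir: str) -> list[str]:
    """Save each candidate as a new file (the last step in the slides)."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for r in results:
        suffix = "jpg" if r["complete"] else "fragment"
        path = out / f"carved_{r['offset']:08x}.{suffix}"
        path.write_bytes(r["data"])
        paths.append(str(path))
    return paths


def _fake_jpeg(payload: bytes) -> bytes:
    """Constructed file: the JFIF header from the slides, a payload, and an EOI."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + payload + JPEG_EOI


# Constructed dump: zero filler, one complete candidate, more filler, then a
# truncated candidate (APP1/Exif-style header, no EOI) at the end of the dump.
SAMPLE_DUMP = (
    b"\x00" * 600
    + _fake_jpeg(b"A" * 100)
    + b"\x00" * 400
    + b"\xff\xd8\xff\xe1" + b"B" * 50
)
```

On a real dump the candidate offsets are the starting point for the cluster work the slides describe: the sector number tells you which cluster the header sits in, and a `complete` value of `False` means the remaining clusters still have to be located and joined before the header is rebuilt and the file tested.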


Rebuilding File Headers

• Try opening the file first and follow the steps if you can’t see its content

• Steps:
– Recover more pieces of the file if needed
– Examine file header
  • Compare with a good header sample
  • Manually insert correct hexadecimal values
– Test corrected file
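The header comparison and rebuild steps above, and the "use good header samples" advice under Repairing Damaged Headers, can be scripted rather than done byte by byte in a hex editor. The following is an added example, not the book's workflow: it keeps a small table of good header samples, hashes the original before anything is touched, reports which bytes differ from the closest sample, writes the correct values over a copy, and re-checks that the copy is now recognized. The JPEG/JFIF bytes are the ones quoted in the chapter; the PNG, GIF and BMP signatures are those formats' published magic numbers. The damaged file is constructed inline.

```python
"""Comparing a suspect image header with good header samples and rebuilding it.
Added example; the damaged file below is constructed, not evidence from the book."""
from __future__ import annotations

import hashlib

# Good header samples (JPEG/JFIF bytes from the chapter; others are published signatures)
GOOD_HEADERS: dict[str, bytes] = {
    "JPEG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF89a",
    "BMP": b"BM",
}


def identify(data: bytes) -> str | None:
    """Exact signature match, the way a forensic tool's signature list works."""
    for name, sample in GOOD_HEADERS.items():
        if data.startswith(sample):
            return name
    return None


def diff_header(data: bytes, sample: bytes) -> list[tuple[int, int, int]]:
    """(offset, found, expected) for each header byte that differs from the sample."""
    n = min(len(sample), len(data))
    return [(i, data[i], sample[i]) for i in range(n) if data[i] != sample[i]]


def best_match(data: bytes) -> tuple[str, float]:
    """Sample with the lowest fraction of mismatched bytes; a damaged header
    usually still agrees with most of the right sample."""
    scored = {name: len(diff_header(data, s)) / len(s) for name, s in GOOD_HEADERS.items()}
    name = min(scored, key=scored.get)
    return name, scored[name]


def repair_header(data: bytes, sample: bytes) -> bytes:
    """Insert the correct hexadecimal values over a copy of the file."""
    fixed = bytearray(data)
    fixed[: len(sample)] = sample
    return bytes(fixed)


def rebuild(data: bytes) -> dict:
    """Whole workflow: hash the original, compare, repair a copy, test the copy."""
    fmt, score = best_match(data)
    repaired = repair_header(data, GOOD_HEADERS[fmt])
    return {
        "original_sha256": hashlib.sha256(data).hexdigest(),  # record before editing
        "guessed_format": fmt,
        "mismatch_fraction": score,
        "diffs": diff_header(data, GOOD_HEADERS[fmt]),
        "identified_before": identify(data),
        "identified_after": identify(repaired),
        "repaired": repaired,
        "repaired_sha256": hashlib.sha256(repaired).hexdigest(),
    }


# Constructed damaged JPEG: the first byte and the "F" of "JFIF" were zeroed
_good_file = GOOD_HEADERS["JPEG"] + b"\x01\x01" + b"\x00" * 64 + b"\xff\xd9"
_damaged = bytearray(_good_file)
_damaged[0] = 0x00
_damaged[7] = 0x00
DAMAGED_FILE = bytes(_damaged)
```

Overwriting the header only helps when the rest of the file really is that format, which is why the result is a new file and the original hash is recorded first: the examiner can always show what was changed, and the repaired copy is still opened in a viewer to confirm the rebuild worked.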


Reconstructing File Fragments

• Bad clusters appear with a zero value in a disk editor

• Steps:
– Determine clusters of possible header
– Find if other fragments are linked to header
  • DriveSpy CFE command
– Find linked fragments on unallocated clusters
  • DriveSpy GFE command
  • Copy all sectors after a nonlinked cluster


Reconstructing File Fragments (continued)

• Steps (continued):
– Save linked fragments on unallocated clusters to valid clusters
  • Create a script file to use with DriveSpy SaveSect
  • Group contiguous blocks and find absolute beginning and ending sector numbers
  • Combine all saved sectors into a file
– Rebuild file header if needed
– Save new file and test it


Identifying Unknown File Formats

• The Internet is the best source
– Search engines like Google
– Find explanations and viewers

• Popular Web sites:
– www.digitek-asi.com/file_formats.html
– www.wotsit.org
– http://whatis.techtarget.com


Analyzing Image File Headers

• For files your tools do not recognize

• Use a hex editor like Hex Workshop
– Record hexadecimal values of the header

• Update your forensics tools
– DriveSpy.ini

• Use good header samples


Tools for Viewing Images

• Use several viewers
– ThumbsPlus
– ACDSee
– QuickView
– IrfanView

• GUI forensics tools include image viewers
– EnCase
– FTK
– iLook


Understanding Steganography in Image Files

• Steganography hides information inside image files
– Ancient technique
– Can hide only a certain amount of information

• Insertion
– Hidden data is not displayed when viewing the host file in its associated program
– Web page


Understanding Steganography in Image Files (continued)

• Substitution
– Replaces bits of the host file with bits of data
– Usually changes the last two least significant bits (LSBs)
– Detected with steganalysis tools

• Usually used with image files
– Audio and video options

• Hard to detect


Using Steganalysis Tools

• Detect variations of the graphic image
– When applied correctly, you cannot detect the hidden data

• Methods
– Compare suspect file to good or bad image versions
– Mathematical calculations verify size and palette color
– Compare hash values
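The substitution technique from the previous slide and the three steganalysis methods listed here fit together in one small program. The following is an added example, not a tool from the book: it writes one payload bit into the least significant bit of each pixel of a constructed 8-bit grayscale buffer, then applies the checks an examiner has available. With a known-good copy of the image the hash comparison and a pixel-by-pixel comparison settle the question immediately, and the size check shows that substitution (unlike insertion) does not change the file size. Without a reference, a pairs-of-values chi-square statistic on the pixel histogram is used as the "mathematical calculation": it flags an image whose LSBs were all overwritten, but a small payload leaves it almost unchanged, which is the slide's point that correctly applied steganography cannot be detected this way. The cover image, payloads and statistic threshold are all constructed or assumed.

```python
"""LSB substitution steganography and the steganalysis checks the slides list.
Added example; the cover image is a constructed grayscale buffer, not a real file."""
import hashlib
import random


def make_cover(n_pixels: int = 4096) -> bytes:
    """Constructed cover whose even values outnumber odd ones, so each (2k, 2k+1)
    pair of pixel values is unbalanced, as in an untouched image."""
    return bytes(((i * 37) % 128) * 2 + (1 if i % 5 == 0 else 0) for i in range(n_pixels))


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Substitution: replace the LSB of one pixel with one payload bit."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover image")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Examiner-side recovery: read the LSBs back into bytes."""
    out = bytearray()
    for i in range(0, n_bytes * 8, 8):
        value = 0
        for pixel in stego[i:i + 8]:
            value = (value << 1) | (pixel & 1)
        out.append(value)
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_with_reference(reference: bytes, suspect: bytes) -> dict:
    """Checks available when a good version exists: same size, same hash, and
    whether every pixel that differs does so only in its LSB."""
    differing = [i for i in range(min(len(reference), len(suspect)))
                 if reference[i] != suspect[i]]
    return {
        "same_size": len(reference) == len(suspect),
        "same_hash": sha256_hex(reference) == sha256_hex(suspect),
        "pixels_changed": len(differing),
        "lsb_only": all((reference[i] ^ suspect[i]) == 1 for i in differing),
    }


def pov_chi_square(pixels: bytes) -> float:
    """Blind check with no reference: pairs-of-values chi-square on the histogram.
    Overwriting every LSB pushes the counts of 2k and 2k+1 toward equality, so a
    small statistic is suspicious and a large one looks untouched."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        n0, n1 = counts[2 * k], counts[2 * k + 1]
        if n0 + n1 == 0:
            continue
        expected = (n0 + n1) / 2
        chi += (n0 - expected) ** 2 / expected + (n1 - expected) ** 2 / expected
    return chi


# Constructed inputs: a small payload (160 of 4096 LSBs) and one that fills every LSB
COVER = make_cover()
SMALL_PAYLOAD = b"meeting moved to 9am"
FULL_PAYLOAD = random.Random(7).randbytes(len(COVER) // 8)
PARTIAL_STEGO = embed_lsb(COVER, SMALL_PAYLOAD)
FULL_STEGO = embed_lsb(COVER, FULL_PAYLOAD)
```

In practice the reference comparison is the strong check: when an original copy of the picture is available (a download, a backup, an earlier evidence item), a changed hash on an identically sized file whose differences are all single-bit is a clear sign of substitution. The histogram statistic is only useful when the image has been heavily loaded, which is exactly the case a careful user avoids.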


Identifying Copyright Issues with Graphics

• Steganography originally incorporated watermarks

• Copyright laws for the Internet are not clear
– There is no international copyright law

• Check www.copyright.gov


Summary

• Image types
– Bitmap
– Vector
– Metafile

• Image quality depends on various factors

• Image formats
– Standard
– Nonstandard


Summary (continued)

• Some image formats compress their data
– Lossless compression
– Lossy compression

• Recovering image files
– Carving file fragments
– Rebuilding image headers

• Software
– Image editors
– Image viewers


Summary (continued)

• Steganography
– Hides information inside image files
– Insertion
– Substitution

• Steganalysis
– Finds whether image files hide information