Image Forensics by habibix

1. Never change the content of the evidence storage,
   whether intentionally or unintentionally
2. The clone must be physically identical to the source,
   sector by sector
3. The examination must be conducted by an authorized
   and professional examiner
4. Every step of the examination must be recorded for
   audit
5. The handling of evidence must follow the Chain of
   Custody




                                            Created by M. Nuh Al-Azhar, CHFI
• A pixel is a single point in a graphic image. Many pixels combine
  to form an image
• Resolution refers to the sharpness and clarity of an image
• Images can be broadly categorized into:
    • Vector
    • Raster
• Vector graphics use geometrical primitives such as points, lines,
  curves, and polygons, all based on mathematical equations, to
  represent images in a computer
    • Moving, scaling, rotating, filling, zooming and so on do not
      degrade the quality of a drawing
• A raster image is a data file or structure representing a generally
  rectangular grid of pixels or points of color
    • Quality is determined by the total number of pixels and the
      amount of information in each pixel
    • Quality is lost if the image is scaled to a higher resolution
•   Graphics Interchange Format (GIF)
•   Joint Photographic Experts Group (JPEG)
•   Tagged Image File Format (TIFF)
•   Windows Bitmap (BMP)
•   JPEG 2000
•   Portable Network Graphics (PNG)




• Image metadata can be read with an image file metadata viewer
  such as Opanda IEXIF, FTK and so on
• It generally consists of Image, Camera and Thumbnail Info
• Image
    • Make, Model, Orientation, X Resolution, Y Resolution,
      Resolution Unit, Software, Date Time, YCbCr Positioning,
      EXIF IFD Pointer
• Camera
    • Exif Version, Components Configurations, Flashpix
      Version, Color Space, Exif Image Width, Exif Image Height
• Thumbnail Info
    • Compression, X Resolution, Y Resolution, Resolution
      Unit, JPEG Interchange Format, JPEG Interchange Format
      Length

• Image
    • Orientation, X Resolution, Y Resolution, Resolution Unit,
      Software, Date Time, YCbCr Positioning, EXIF IFD
      Pointer
• Camera
    • Exif Version, Components Configurations, Flashpix
      Version, Color Space, Exif Image Width, Exif Image Height
• Thumbnail Info
    • Compression, X Resolution, Y Resolution, Resolution
      Unit, JPEG Interchange Format, JPEG Interchange Format
      Length
  (The words in red show the differences and inconsistencies
  between them)



• Check the metadata of the image: X Resolution, Y
  Resolution, Software, Date Time
• Check the metadata of the Thumbnail Info: X Resolution, Y
  Resolution
• If the X Resolution and Y Resolution differ between the two,
  it means that the image is an edited image
• This is usually supported by the Software and Date Time
  information, which show the software used to edit the image
  and the date and time of the edit




• Compare the Original and Edited images in general
• Analyze in particular the suspicious location that has been
  edited, or the location where the Original and Edited images
  differ
• Use pixel zooming to look for inappropriate and unnatural
  color degradation
• For pixel zooming, use an Image Forensics Tool such as
  PhotoZoom Pro
• If there is inappropriate and unnatural color degradation,
  it means the image is not original




• Examination of an image under Image Forensics is conducted by
  combining the methods of Metadata Analysis and Pixel Analysis
• The examination is performed by at least 2 examiners
• The tools for examination are Image Forensics Tools such as Opanda
  IEXIF and PhotoZoom Pro
• If the metadata of Image and Thumbnail Info is inconsistent on
  X Resolution and Y Resolution, it means the image is the result of
  an editing process
• This is usually supported by the Software info and by the Date Time
  at which the process was conducted
• If pixel zooming shows any inappropriate and unnatural color
  degradation, it means that the image is not original
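
The metadata check from the analysis steps, repeated in the summary above, can be scripted. The Python below is an added example, not part of the original slides: it parses a TIFF/EXIF block (the JPEG APP1 payload after the `Exif\0\0` marker), reads X/Y Resolution, Software and Date Time from the image IFD and the thumbnail IFD, and reports resolution differences. The function names and the `build_sample` test data ("ExampleEditor 1.0", the dates, the DPI values) are constructed for illustration.

```python
import struct
from fractions import Fraction
TAGS = {0x011A: "XResolution", 0x011B: "YResolution", 0x0131: "Software", 0x0132: "DateTime"}

def read_ifds(tiff):
    """Parse a TIFF/EXIF block; return [IFD0, IFD1, ...] holding the TAGS fields."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order mark
    magic, off = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("not a TIFF/EXIF block")
    ifds, seen = [], set()
    while off and off not in seen:                   # 'seen' stops offset loops
        seen.add(off)
        (n,) = struct.unpack_from(bo + "H", tiff, off)
        ifd = {}
        for pos in range(off + 2, off + 2 + 12 * n, 12):
            tag, typ, cnt, val = struct.unpack_from(bo + "HHII", tiff, pos)
            if tag in TAGS and typ == 5:             # RATIONAL: two uint32 at offset
                num, den = struct.unpack_from(bo + "II", tiff, val)
                ifd[TAGS[tag]] = Fraction(num, den) if den else None
            elif tag in TAGS and typ == 2:           # ASCII, inline when <= 4 bytes
                start = pos + 8 if cnt <= 4 else val
                ifd[TAGS[tag]] = tiff[start:start + cnt].rstrip(b"\0").decode("ascii", "replace")
        ifds.append(ifd)
        (off,) = struct.unpack_from(bo + "I", tiff, off + 2 + 12 * n)
    return ifds

def thumbnail_mismatch(tiff):
    """Report X/Y Resolution differences between the image IFD and thumbnail IFD."""
    ifds = read_ifds(tiff)
    if len(ifds) < 2:
        return ["no thumbnail IFD to compare"]
    main, thumb = ifds[0], ifds[1]
    out = [f"{k}: image={main[k]} thumbnail={thumb[k]}"
           for k in ("XResolution", "YResolution")
           if k in main and k in thumb and main[k] != thumb[k]]
    if out:  # supporting fields the slides point to
        out.append(f"Software={main.get('Software')} DateTime={main.get('DateTime')}")
    return out

def build_sample(main_dpi, thumb_dpi, software, when="2010:01:01 00:00:00"):
    """Constructed little-endian sample: IFD0 at 8, IFD1 at 62, data at 92."""
    sw, dt = software.encode() + b"\0", when.encode() + b"\0"
    e = lambda tag, typ, cnt, val: struct.pack("<HHII", tag, typ, cnt, val)
    ifd0 = (struct.pack("<H", 4) + e(0x11A, 5, 1, 92) + e(0x11B, 5, 1, 92) + e(0x131, 2, len(sw), 108)
            + e(0x132, 2, len(dt), 108 + len(sw)) + struct.pack("<I", 62))
    ifd1 = struct.pack("<H", 2) + e(0x11A, 5, 1, 100) + e(0x11B, 5, 1, 100) + struct.pack("<I", 0)
    data = struct.pack("<IIII", main_dpi, 1, thumb_dpi, 1) + sw + dt
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + ifd1 + data
```

Calling `thumbnail_mismatch(build_sample(72, 300, "ExampleEditor 1.0"))` returns the two resolution differences followed by the Software and Date Time line; an empty list means the two IFDs agree.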




• Computer Hacking Forensic Investigator (CHFI) Version 3
  Module 16, EC-Council





								