SAK 4801 INTRODUCTION TO COMPUTER FORENSICS
Chapter 7 Image Files Forensics
Mohd Taufik Abdullah
Department of Computer Science
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia
Room No: 2.28

Portions of the material courtesy Nelson et al. and EC-Council
Learning Objectives
At the end of this chapter, you will be able to:
- Describe types of graphics file formats
- Explain types of data compression
- Explain how to locate and recover graphics files
- Describe how to identify unknown file formats
- Explain copyright issues with graphics

2       Chapter 7 Image Files Forensics                  SAK4801 Introduction to Computer Forensics
Chapter 7 Outline
- 7. Image File Forensics
  - 7.1. Introduction
  - 7.2. Recognize image files
  - 7.3. Understand data compression
  - 7.4. Locate and recover image files
  - 7.5. Analyze image file header
  - 7.6. Reconstructing file fragments

7.1 Introduction
- Image file formats can be:
  - A black and white image
  - A grayscale image
  - A color image
  - An indexed color image
- All image formats differ in ease of use, size of the file, and the quality of reproduction




7.2 Recognize Image Files
- Image files contain digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures
  - Pixels: the small dots used to create images
  - Bitmap images:
    - A collection of dots
    - A representation of a graphics image in a grid-type format
  - Vector graphics: based on mathematical instructions/equations
  - Metafile graphics: a combination of bitmap and vector images
- Types of programs
  - Graphics editors
  - Image viewers

7.2 Recognize Image Files (Cont.)
- The circled area in this screen shot shows the resolution of the screen in pixels





7.2.1 Understanding Bitmap and Vector Images
- Bitmap images
  - Grids of individual pixels
  - Bitmap images can be made in the following applications:
    - Photoshop
    - MS Paint
    - ImageReady
    - Paint Shop Pro
  - Continuous-tone photos
- Raster images
  - Pixels are stored in rows
  - Better for printing




7.2.1 Understanding Bitmap and Vector Images (Cont.)
- Vector images
  - Use geometric equations
  - Higher quality image than a bitmap
  - Useful for rendering type and shapes
  - Characteristics
    - Lines instead of dots
    - Store only the calculations for drawing lines and shapes
    - Smaller size
    - Preserve quality when the image is enlarged
  - Examples: CorelDRAW, Adobe Illustrator
- Image quality depends on
  - Screen resolution
  - Software
  - Number of color bits used per pixel

7.2.2 Understanding Metafile Graphics
- Metafiles combine raster and vector graphics.
- Metafiles share features of both bitmap and vector images.
- When a metafile is enlarged, it loses resolution, giving the image a shady appearance.
- Example
  - Scanned photo (bitmap) with text (vector)
- Metafiles share the advantages and disadvantages of both types
  - When enlarged, the bitmap part loses quality





7.2.3 Understanding Image File Formats
- Standard bitmap file formats
  - Graphics Interchange Format (.gif)
  - Joint Photographic Experts Group (.jpeg, .jpg)
  - Tagged Image File Format (.tiff, .tif)
  - Windows Bitmap (.bmp)
  - JPEG 2000 (.jp2)
  - Portable Network Graphics (.png)
- Standard vector file formats
  - Hewlett-Packard Graphics Language (.hpgl)
  - AutoCAD (.dxf)



7.2.3 Understanding Image File Formats (Cont.)
- Nonstandard graphics file formats
  - Targa (.tga)
  - Raster Transfer Language (.rtl)
  - Adobe Photoshop (.psd) and Illustrator (.ai)
  - FreeHand (.fh9)
  - Scalable Vector Graphics (.svg)
  - Paintbrush (.pcx)
- Search the Web for software to manipulate unknown image formats





7.2.4 Understanding Digital Camera File Formats
- Witnesses or suspects can create their own digital photos
- Examining the raw file format
  - Raw file format
    - Referred to as a digital negative
    - Typically found on many higher-end digital cameras
  - Sensors in the digital camera simply record pixels on the camera's memory card
  - Raw format maintains the best picture quality





7.2.4 Understanding Digital Camera File Formats (Cont.)
- Examining the raw file format (continued)
  - The biggest disadvantage is that it's proprietary
    - Not all image viewers can display these formats
  - The process of converting raw picture data to another format is referred to as demosaicing
- Examining the Exchangeable Image File format
  - Exchangeable Image File (EXIF) format
    - Commonly used to store digital pictures
    - Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files


7.2.4 Understanding Digital Camera File Formats (Cont.)
- Examining the Exchangeable Image File format (continued)
  - The EXIF format collects metadata
    - Investigators can learn more about the type of digital camera and the environment in which pictures were taken
  - An EXIF file stores its metadata at the beginning of the file
  - With tools such as ProDiscover and Exif Reader
    - You can extract metadata as evidence for your case
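How the EXIF metadata described above is laid out, as an added worked example (this script is not from the lecture notes and is not ProDiscover or Exif Reader code): EXIF lives in a JPEG APP1 segment near the start of the file and is structured as a small TIFF file, so the parser walks the JPEG marker segments, finds the segment tagged Exif, reads the TIFF byte-order mark and the first image file directory (IFD0), and returns the ASCII tags that identify the camera and the capture time. The camera make, model, software string and timestamp are constructed sample values, and the stub JPEG carries no image data.

```python
from __future__ import annotations
import struct

# EXIF/TIFF tags that are most useful as evidence: 0x010F and 0x0110 identify the
# camera, 0x0131 the software that last wrote the file, 0x0132 the file's own timestamp.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2  # TIFF field type for NUL-terminated ASCII strings


def find_exif_block(jpeg: bytes) -> bytes | None:
    """Walk the JPEG marker segments and return the TIFF block of the Exif APP1 segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 start-of-image marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # end-of-image or start-of-scan: no more header segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def read_ifd0_strings(tiff: bytes) -> dict:
    """Parse the first image file directory (IFD0) and return its ASCII tags by name."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte-order mark: Intel or Motorola
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header inside the Exif block")
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, ftype, n = struct.unpack(order + "HHI", tiff[entry:entry + 8])
        if ftype != ASCII:
            continue
        if n <= 4:  # short values are stored inline in the 4-byte value field
            raw = tiff[entry + 8:entry + 8 + n]
        else:       # longer values live at an offset relative to the TIFF header
            offset = struct.unpack(order + "I", tiff[entry + 8:entry + 12])[0]
            raw = tiff[offset:offset + n]
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def read_exif(jpeg: bytes) -> dict:
    """Return the ASCII EXIF tags of a JPEG, or an empty dict if it carries no Exif segment."""
    tiff = find_exif_block(jpeg)
    return read_ifd0_strings(tiff) if tiff else {}


def build_sample_jpeg(tags: dict) -> bytes:
    """Constructed sample for this example only: a minimal JPEG stub (SOI + Exif APP1 + EOI)
    carrying little-endian ASCII tags and no image data."""
    entries = sorted(tags.items())  # TIFF requires ascending tag order
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, text in entries:
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:
            ifd += struct.pack("<HHI", tag, ASCII, len(raw)) + raw.ljust(4, b"\x00")
        else:
            ifd += struct.pack("<HHII", tag, ASCII, len(raw), data_offset + len(blob))
            blob += raw
    ifd += struct.pack("<I", 0)  # no further IFDs
    tiff = b"II" + struct.pack("<HI", 42, ifd_offset) + ifd + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg({0x010F: "ExampleCam", 0x0110: "Model X", 0x0131: "v1",
                                0x0132: "2014:03:31 10:00:00"})
    for name, value in read_exif(sample).items():
        print(f"{name:10s} {value}")
```

A real camera file also has an Exif sub-IFD pointer and an embedded thumbnail after IFD0; the entry layout is the same there. Note that offsets stored in entries are relative to the TIFF header inside the segment, not to the start of the JPEG, which is the usual mistake when reading these by hand in a hex editor.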




7.2.5 File Types
- Different types of files
  - Graphics file formats: .gif/.jpg/.jpeg/.jfif
  - Text file formats: .txt/.htm/.html
  - Audio file formats: .au/.uLaw/.MuLaw/.aiff, .mp3/.ra/.wav/.wma
  - Video file formats: .avi/.mov/.movie/.mpg/.mpeg/.qt/.ram
  - Document file formats: .doc/.pdf/.ps
  - Compressed file formats: .z/.zip/.sit/.gzip/.gz
- Data compression: reduces the size of a file by applying a (often complex) algorithm to its data
- Vector quantization: a form of vector image that uses an algorithm similar to rounding up decimal values to eliminate unnecessary data

7.3 Understand Data Compression
- Some image formats compress their data
  - GIF, JPEG, PNG
- Others, like BMP, do not compress their data
  - Use data compression tools for those formats
- Data compression
  - Coding of data from a larger to a smaller form
  - Types
    - Lossless compression
    - Lossy compression




7.3.1 Understanding Lossless and Lossy Compression
- GIF and PNG image file formats reduce the file size by using lossless compression
- Lossless compression
  - Reduces file size without removing data
  - Based on Huffman or Lempel-Ziv-Welch (LZW) coding
  - Works on redundant bits of data
  - Utilities: WinZip, PKZip, StuffIt, and FreeZip
- Lossy compression
  - Permanently discards bits of information
  - Vector quantization (VQ)
    - Determines what data to discard based on vectors in the graphics file
  - Utility: Lzip
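To make the lossless/lossy distinction concrete, here is an added example (my code, not the lecture's and not the GIF or PNG encoder): a textbook Lempel-Ziv-Welch coder of the kind GIF uses, whose decoder rebuilds the dictionary as it reads and therefore returns the input byte for byte, next to a lossy step that rounds sample values the way the slide describes and so cannot be undone. The image row it compresses is a constructed sample.

```python
def lzw_compress(data: bytes) -> list:
    """Lempel-Ziv-Welch: emit a code for the longest dictionary match, then learn match+next byte."""
    dictionary = {bytes([i]): i for i in range(256)}  # initial dictionary: every single byte
    current, codes = b"", []
    for byte in data:
        extended = current + bytes([byte])
        if extended in dictionary:
            current = extended                       # keep growing the match
        else:
            codes.append(dictionary[current])
            dictionary[extended] = len(dictionary)   # new phrase learned from the data itself
            current = bytes([byte])
    if current:
        codes.append(dictionary[current])
    return codes


def lzw_decompress(codes: list) -> bytes:
    """Rebuild the same dictionary on the fly; nothing about it is transmitted with the codes."""
    dictionary = {i: bytes([i]) for i in range(256)}
    if not codes:
        return b""
    previous = dictionary[codes[0]]
    out = bytearray(previous)
    for code in codes[1:]:
        if code in dictionary:
            entry = dictionary[code]
        elif code == len(dictionary):   # special case: the code being defined by this very step
            entry = previous + previous[:1]
        else:
            raise ValueError(f"corrupt LZW stream: code {code}")
        out += entry
        dictionary[len(dictionary)] = previous + entry[:1]
        previous = entry
    return bytes(out)


def lzw_code_bits(codes: list) -> int:
    """Bits needed if every code used the widest code present (GIF uses variable widths up to 12)."""
    width = max(9, max(codes).bit_length()) if codes else 0
    return width * len(codes)


def lossy_quantize(pixels: bytes, step: int = 8) -> bytes:
    """Lossy step: round every sample down to a multiple of `step`; the low bits are gone for good."""
    return bytes((p // step) * step for p in pixels)


def build_sample_row() -> bytes:
    """Constructed image row: a flat background, a repeating texture and a short gradient."""
    return b"\x00" * 400 + bytes([10, 20, 30, 40]) * 50 + bytes(range(0, 256, 4))


if __name__ == "__main__":
    row = build_sample_row()
    codes = lzw_compress(row)
    print(f"{len(row) * 8} bits in, {lzw_code_bits(codes)} bits out, "
          f"round-trip identical: {lzw_decompress(codes) == row}")
    print(f"quantized row identical to original: {lossy_quantize(row) == row}")
```

The redundancy the slide mentions is what LZW feeds on: the 400-byte flat run and the repeated texture collapse into a few dozen codes, while the gradient, which never repeats, costs roughly one code per byte. The quantized row is smaller to store, but no decoder can recover the discarded low bits, which is exactly why a lossy re-save of evidence changes its hash.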
7.4 Locate and Recover Image Files
- Operating system tools
  - Time consuming
  - Results are difficult to verify
- Computer forensics tools
  - Image headers
    - Compare them with good header samples
    - Use header information to create a baseline analysis
  - Reconstruct fragmented image files
    - Identify data patterns and modified headers




7.4.1 Identifying Graphics File Fragments
- Carving or salvaging
  - Recovering all file fragments
- Carving: the process of removing an item from a group of items
- Salvaging: another term for carving; the process of removing an item from a group of them
- Computer forensics tools
  - Carve from slack and free space
  - Help identify image file fragments and put them together




7.4.1 Identifying Graphics File Fragments (Cont.)
- The screenshot above shows the location of the clusters where the data has been found and the data found with the matching search.





7.4.2 Repairing Damaged Headers
- Use good header samples
- Each image file type has a unique file header
  JPEG: FF D8 FF E0 00 10
- Most JPEG files also include the JFIF string
- Exercise:
  - Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)





7.4.3 Searching for and Carving Data from Unallocated Space
- Steps
  - Planning your examination
  - Searching for and recovering digital photograph evidence
    - Use ProDiscover to search for and extract (recover) possible evidence of JPEG files
    - False hits are referred to as false positives
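The search-and-recover step on a raw copy of unallocated space, as an added example (not ProDiscover's logic and not code from the lecture): it looks for the JPEG start-of-image marker, requires the following marker byte so that a stray FF D8 inside other data is reported as a false positive rather than carved, cuts each file at its end-of-image marker, and flags a file as partial when another JPEG header turns up before any EOI. The "unallocated space" is a constructed byte string built around JFIF stubs; the filler is generated without 0xFF bytes so the only markers present are the ones placed on purpose.

```python
import random

EOI = b"\xff\xd9"          # JPEG end-of-image marker
SOI3 = b"\xff\xd8\xff"     # start-of-image followed by the prefix of the next marker
# JFIF header from slide 7.4.2 (FF D8 FF E0 00 10) completed with a standard APP0 body
JFIF_HEADER = bytes.fromhex("FFD8FFE00010") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def carve_jpegs(space: bytes, max_size: int = 10_000_000) -> list:
    """Scan raw (unallocated) space for JPEG start markers and cut out each file up to its EOI.

    Every hit is reported with a status so the examiner can review the false positives
    and partial files instead of silently discarding them."""
    hits, pos = [], 0
    while True:
        start = space.find(b"\xff\xd8", pos)
        if start < 0:
            break
        # A genuine JPEG header continues with another marker (FF D8 FF xx); a bare FF D8 is a false hit.
        if space[start + 2:start + 3] != b"\xff":
            hits.append({"offset": start, "status": "false positive", "data": b""})
            pos = start + 2
            continue
        end = space.find(EOI, start + len(SOI3))
        next_soi = space.find(SOI3, start + len(SOI3))
        is_partial = end < 0 or end - start > max_size or (0 <= next_soi < end)
        if is_partial:
            # The tail was overwritten: keep what is there, but stop at the next file header
            # so two files are not glued together by a borrowed EOI.
            stop = next_soi if next_soi >= 0 else min(len(space), start + max_size)
            hits.append({"offset": start, "status": "partial", "data": space[start:stop]})
            pos = stop
        else:
            hits.append({"offset": start, "status": "carved", "data": space[start:end + 2]})
            pos = end + 2
    return hits


def build_sample_space() -> tuple:
    """Constructed 'unallocated space': filler around two intact JPEG stubs, a bare FF D8 that is
    not a header, and a JPEG whose tail was overwritten. Returns (space, good1, good2, truncated)."""
    rng = random.Random(7)

    def filler(n):  # never emits 0xFF, so no accidental markers appear in the filler
        return bytes(rng.randrange(0, 0xFF) for _ in range(n))

    good1 = JFIF_HEADER + filler(300) + EOI
    good2 = JFIF_HEADER + filler(200) + EOI
    truncated = JFIF_HEADER + filler(120)
    false_hit = b"\xff\xd8\x00\x12"
    space = (filler(64) + good1 + filler(50) + false_hit + filler(40)
             + truncated + filler(30) + good2 + filler(20))
    return space, good1, good2, truncated


if __name__ == "__main__":
    space, *_ = build_sample_space()
    for hit in carve_jpegs(space):
        print(f"offset {hit['offset']:5d}  {hit['status']:15s}  {len(hit['data'])} bytes")
```

One caveat a practitioner should know before trusting the "partial" label: a JPEG with an EXIF thumbnail contains a second, complete JPEG (its own FF D8 FF ... FF D9) inside the APP1 segment, so this flat scan would report the outer file as partial and the thumbnail as a separate carve. Production carvers parse the segment lengths to skip over embedded files; that is the next refinement to add.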




7.4.4 Rebuilding File Headers
- Try to open the file first; follow the steps below if you can't see its content
- Steps
  - Recover more pieces of the file if needed
  - Examine the file header
    - Compare it with a good header sample
    - Manually insert the correct hexadecimal values
  - Test the corrected file





7.5 Analyze Image File Headers
- Necessary when you find files your tools do not recognize
- Use a hex editor such as Hex Workshop
  - Record the hexadecimal values in the header
- Use good header samples
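The header-analysis workflow of 7.4.2, 7.4.4 and this section in one added Python example (mine, not the lecture's and not Hex Workshop's): a table of good header samples starting with the FF D8 FF E0 00 10 quoted on slide 7.4.2, a function that records the leading bytes in hex, identification against the samples, a fallback that uses strings deeper in the file (the JFIF string at offset 6, the PNG IHDR chunk name at offset 12) to decide which sample to try, a byte-by-byte diff against the sample, the repair itself, and a test of the corrected file. The damaged file is a constructed JFIF stub whose first four bytes were zeroed.

```python
# Good header samples (file signatures). The JPEG/JFIF entry is the one quoted on slide 7.4.2;
# the others are the published signatures of formats listed in 7.2.3.
GOOD_HEADERS = {
    "JPEG (JFIF)": bytes.fromhex("FFD8FFE00010"),
    "JPEG (Exif)": bytes.fromhex("FFD8FFE1"),
    "PNG": bytes.fromhex("89504E470D0A1A0A"),
    "GIF89a": b"GIF89a",
    "GIF87a": b"GIF87a",
    "BMP": b"BM",
    "TIFF (little-endian)": b"II\x2a\x00",
    "TIFF (big-endian)": b"MM\x00\x2a",
}

# Secondary strings that survive deeper in the file even when the first bytes are damaged.
CONTENT_HINTS = [
    (6, b"JFIF\x00", "JPEG (JFIF)"),
    (6, b"Exif\x00\x00", "JPEG (Exif)"),
    (12, b"IHDR", "PNG"),
]


def header_hex(data: bytes, n: int = 16) -> str:
    """The 'record the hexadecimal values' step: first n bytes as spaced uppercase hex."""
    return " ".join(f"{b:02X}" for b in data[:n])


def identify(data: bytes):
    """Name the format whose good header sample matches the start of the file, else None."""
    for name, magic in GOOD_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def suggest_sample(data: bytes):
    """When the signature is gone, use a secondary string to pick which good sample to try."""
    for offset, needle, name in CONTENT_HINTS:
        if data[offset:offset + len(needle)] == needle:
            return name
    return None


def header_diff(data: bytes, sample: bytes) -> list:
    """(offset, found, expected) for every leading byte that differs from the good sample."""
    return [(i, data[i], sample[i]) for i in range(min(len(data), len(sample))) if data[i] != sample[i]]


def repair_header(data: bytes, sample: bytes) -> bytes:
    """Write the good sample over the damaged leading bytes (what you would type into the hex editor)."""
    fixed = bytearray(data)
    fixed[:len(sample)] = sample
    return bytes(fixed)


def jfif_sanity_check(data: bytes) -> bool:
    """Test the corrected file: SOI + APP0 carrying the JFIF string, and an EOI marker at the end."""
    return data[:4] == b"\xff\xd8\xff\xe0" and data[6:11] == b"JFIF\x00" and data.endswith(b"\xff\xd9")


def recover(damaged: bytes):
    """Full workflow: identify, fall back to content hints, diff against the sample, repair, test."""
    name = identify(damaged) or suggest_sample(damaged)
    if name is None:
        return None
    sample = GOOD_HEADERS[name]
    fixed = repair_header(damaged, sample)
    valid = jfif_sanity_check(fixed) if name == "JPEG (JFIF)" else identify(fixed) == name
    return {"format": name, "changed": header_diff(damaged, sample), "fixed": fixed, "valid": valid}


def build_damaged_sample() -> tuple:
    """Constructed JFIF stub whose first four bytes were overwritten with zeros. Returns (good, damaged)."""
    good = (bytes.fromhex("FFD8FFE00010") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + bytes(range(1, 65)) + b"\xff\xd9")
    damaged = b"\x00\x00\x00\x00" + good[4:]
    return good, damaged


if __name__ == "__main__":
    good, damaged = build_damaged_sample()
    print("damaged: ", header_hex(damaged))
    result = recover(damaged)
    print("repaired:", header_hex(result["fixed"]), "->", result["format"],
          "opens" if result["valid"] else "still broken")
```

The `changed` list is worth keeping in the case notes: it records exactly which offsets you altered and what was there before, which is what makes the repair reproducible and defensible rather than an unexplained edit to evidence. Work on a copy; the original image stays hashed and untouched.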




7.6 Reconstructing File Fragments
- Locate the starting and ending clusters
  - For each fragmented group of clusters in the file
- Steps
  - Locate and export all clusters of the fragmented file
  - Determine the starting and ending cluster numbers for each fragmented group of clusters
  - Copy each fragmented group of clusters in its proper sequence to a recovery file
  - Rebuild the corrupted file's header to make it readable in a graphics viewer





7.6 Reconstructing File Fragments (Cont.)
- Remember to save the updated recovered data with a .jpg extension
- Sometimes suspects intentionally corrupt cluster links in a disk's FAT
  - Bad clusters appear with a zero value in a disk editor
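The four reconstruction steps of 7.6 and the zeroed FAT link noted on this slide, worked through on a constructed miniature FAT disk image as an added example (not from the lecture and not a ProDiscover feature): the file sits in two cluster runs, the FAT link between them has been zeroed, and the header bytes were wiped. Following the chain from the directory entry stops at the zero link; the second run is supplied the way an examiner would after locating it by hand; the runs are copied in sequence to a recovery buffer, the header is rewritten from the good sample, and the slack after the EOI marker is trimmed. Cluster size, cluster numbers and the file contents are all constructed values.

```python
import random

CLUSTER_SIZE = 16        # tiny clusters so the whole 'disk' fits in the example (real FAT: 512 B to 32 KiB)
END_OF_CHAIN = 0xFFFF    # FAT end-of-chain mark
JFIF_HEADER = bytes.fromhex("FFD8FFE00010") + b"JFIF\x00"   # good header sample from slide 7.4.2
EOI = b"\xff\xd9"


def follow_chain(fat: list, start: int) -> tuple:
    """Walk the FAT from the directory entry's first cluster. Returns (clusters, reached_end_of_chain).
    A zero link (the 'bad cluster' value from slide 7.6) stops the walk early."""
    chain, cluster = [], start
    while cluster not in (0, END_OF_CHAIN):
        if cluster in chain:
            raise ValueError(f"FAT loop at cluster {cluster}")
        chain.append(cluster)
        cluster = fat[cluster]
    return chain, cluster == END_OF_CHAIN


def fragment_groups(clusters: list) -> list:
    """Collapse a cluster list into (start, end) runs: the 'starting and ending cluster numbers'."""
    groups = []
    for c in clusters:
        if groups and c == groups[-1][1] + 1:
            groups[-1] = (groups[-1][0], c)
        else:
            groups.append((c, c))
    return groups


def export_clusters(disk: bytes, groups: list) -> bytes:
    """Copy each group of clusters, in the given order, into one recovery buffer."""
    return b"".join(disk[s * CLUSTER_SIZE:(e + 1) * CLUSTER_SIZE] for s, e in groups)


def recover_jpeg(disk: bytes, fat: list, start: int, extra_groups: list) -> bytes:
    """Steps from slide 7.6: follow the chain as far as it goes, append the groups the examiner
    located by hand, rebuild the header from the good sample, and trim the slack after EOI."""
    chain, _complete = follow_chain(fat, start)
    groups = fragment_groups(chain) + list(extra_groups)
    data = export_clusters(disk, groups)
    data = JFIF_HEADER[:6] + data[6:]            # manually insert the correct hexadecimal values
    end = data.rfind(EOI)
    return data[:end + 2] if end >= 0 else data  # drop file slack; this is what gets saved as .jpg


def build_sample_disk() -> tuple:
    """Constructed disk image: a 73-byte JPEG stub stored in clusters 4-5 and 9-11, after which the
    link 5->9 was zeroed in the FAT and the first 6 header bytes were wiped. Returns (disk, fat, original)."""
    rng = random.Random(3)
    original = JFIF_HEADER + bytes(rng.randrange(0, 0xFF) for _ in range(60)) + EOI  # no stray 0xFF
    placement = [4, 5, 9, 10, 11]
    disk = bytearray(32 * CLUSTER_SIZE)
    fat = [0] * 32
    for i, cluster in enumerate(placement):
        chunk = original[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\x00")
        disk[cluster * CLUSTER_SIZE:(cluster + 1) * CLUSTER_SIZE] = chunk
        fat[cluster] = placement[i + 1] if i + 1 < len(placement) else END_OF_CHAIN
    fat[5] = 0                                                   # deliberately broken link
    disk[4 * CLUSTER_SIZE:4 * CLUSTER_SIZE + 6] = b"\x00" * 6    # damaged header
    return bytes(disk), fat, original


if __name__ == "__main__":
    disk, fat, original = build_sample_disk()
    chain, complete = follow_chain(fat, 4)
    print("FAT chain from cluster 4:", chain, "(complete)" if complete else "(broken at a zero link)")
    recovered = recover_jpeg(disk, fat, 4, extra_groups=[(9, 11)])
    print("recovered matches original:", recovered == original)
```

The `_complete` flag returned by `follow_chain` is the tell-tale: a chain that ends on a zero entry instead of the end-of-chain mark is either a damaged FAT or, as the slide says, a suspect who edited it, and either way the examiner knows the file has more clusters to find. On a real volume the second run is located by searching free space for the continuation of the data pattern, then passed in exactly as `extra_groups` is here.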




7.6.1 Identifying Unknown File Formats
- The Internet is the best source
  - Search engines like Google
  - Find explanations and viewers
- Popular Web sites
  - www.digitek-asi.com/file_formats.html
  - www.wotsit.org
  - http://whatis.techtarget.com





7.6.2 Tools for Viewing Images
- Use several viewers
  - ThumbsPlus
  - ACDSee
  - QuickView
  - IrfanView
- GUI forensics tools include image viewers
  - ProDiscover
  - EnCase
  - FTK
  - X-Ways Forensics
  - iLook

7.6.3 Understanding Steganography
- Steganography hides information inside image files
  - Ancient technique
  - Can hide only a certain amount of information
- Insertion
  - Hidden data is not displayed when viewing the host file in its associated program
    - You need to analyze the data structure carefully
  - Example: Web page





7.6.3 Understanding Steganography (Cont.)
- Substitution
  - Replaces bits of the host file with bits of data
  - Usually changes the last two LSBs
  - Detected with steganalysis tools
- Usually used with image files
  - Audio and video options
- Hard to detect


7.6.3 Understanding Steganography (Cont.)
- Two files are needed to hide a message within an image file
  - The file containing the image into which the message is to be put
  - The file containing the message itself
- There are three methods to hide messages in images:
  - Least Significant Bit
  - Filtering and Masking
  - Algorithms and Transformation





7.6.4 Using Steganalysis Tools
- Detect variations of the graphic image
  - When steganography is applied correctly, you cannot detect the hidden data in most cases
- Methods
  - Compare the suspect file to good or bad image versions
  - Mathematical calculations verify size and palette color
  - Compare hash values
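The substitution method from 7.6.3 and the three steganalysis methods listed here, as an added example (my code; not from the lecture and not the AS-Tools or Hex Workshop logic): it compares a suspect image against a known-good copy by size, SHA-256 hash and count of changed least significant bits, and, for the case where no reference copy exists, computes the pairs-of-values chi-square statistic over the pixel histogram, which drops sharply when LSBs have been overwritten with message bits. The cover is a constructed 64x64 grayscale gradient; the suspect copy is produced by overwriting every LSB with random bits, which is the net effect of a full-capacity LSB substitution and stands in for a real stego tool.

```python
import hashlib
import random


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lsb_differences(reference: bytes, suspect: bytes) -> int:
    """Reference-based check: how many samples differ from the good copy in their least significant bit."""
    return sum(1 for a, b in zip(reference, suspect) if (a ^ b) & 1)


def pov_chi_square(pixels: bytes) -> float:
    """Blind check: pairs-of-values chi-square over the histogram. Overwriting LSBs with random
    message bits pushes the counts of each (2k, 2k+1) pair toward equality, so a LOW statistic
    is the signal that substitution has taken place; a natural image keeps the pairs unequal."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi


def simulate_substitution(pixels: bytes, seed: int = 1) -> bytes:
    """Constructed stego sample: every LSB replaced by a random bit, the net effect of a
    full-capacity LSB substitution of a compressed (high-entropy) message."""
    rng = random.Random(seed)
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in pixels)


def build_cover() -> bytes:
    """Constructed 64x64 8-bit grayscale 'photo': a banded gradient in which odd values are rare."""
    return bytes((i % 64) * 4 + (1 if i % 5 == 0 else 0) for i in range(64 * 64))


def analyze(reference: bytes, suspect: bytes) -> dict:
    """The methods from slide 7.6.4 (compare to a good version, check size, compare hashes)
    plus the blind chi-square statistic for when no reference copy exists."""
    return {
        "size_match": len(reference) == len(suspect),
        "hash_match": sha256_hex(reference) == sha256_hex(suspect),
        "lsb_changed": lsb_differences(reference, suspect),
        "chi_reference": pov_chi_square(reference),
        "chi_suspect": pov_chi_square(suspect),
    }


if __name__ == "__main__":
    cover = build_cover()
    stego = simulate_substitution(cover)
    for key, value in analyze(cover, stego).items():
        print(f"{key:14s} {value}")
```

Two things the numbers show that the slide only states. A hash mismatch with identical size tells you the file changed but not how; the LSB count localises the change to the bit plane substitution uses, and about half the pixels differ because a random message bit agrees with the original LSB half the time. The chi-square statistic is the one method that works without a reference copy, and it is also why the slide says correctly applied steganography is hard to detect: a tool that embeds in only a small fraction of the pixels, or that matches the cover statistics, leaves the pairs unequal and this test silent.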




7.6.4 Using Steganalysis Tools (Cont.)
Hex Workshop
- The Hex Workshop application can detect and write messages on to a file
- Investigators use the Hex Workshop tool to reconstruct damaged file headers





7.6.4 Using Steganalysis Tools (Cont.)
AS-Tools
- AS-Tools can hide and detect files hidden in BMP, GIF and WAV files
- Investigators have the advantage of multi-threaded operation
- Investigators can run hide/reveal operations simultaneously without fear of interference with the work environment

7.6.5 Identifying Copyright Issues with Graphics
- Steganography originally incorporated watermarks
- Copyright laws for the Internet are not clear
  - There is no international copyright law
- Check www.copyright.gov





7.6.5 Identifying Copyright Issues with Graphics (Cont.)
- Section 106 of the 1976 Copyright Act generally gives the owner of copyright the exclusive right to do and to authorize others to do the following:
  - To perform the work publicly
  - To display the copyrighted work publicly
  - In the case of sound recordings, to perform the work publicly by means of a digital audio transmission
  - To reproduce the work in copies or phonorecords
  - To prepare derivative works based upon the work
  - To distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending



7.6.5 Identifying Copyright Issues with Graphics (Cont.)
Copyrightable works include the following:
- Literary works
- Musical works, including any accompanying words
- Dramatic works, including any accompanying music
- Pantomimes and choreographic works
- Pictorial, graphic, and sculptural works
- Motion pictures and other audiovisual works
- Sound recordings
- Architectural works





Summary
- Image types
  - Bitmap
  - Vector
  - Metafile
- Image quality depends on various factors
- Image formats
  - Standard
  - Nonstandard
- Digital camera photos are typically in raw and EXIF JPEG formats



Summary (Cont.)
- Some image formats compress their data
  - Lossless compression
  - Lossy compression
- Recovering image files
  - Carving file fragments
  - Rebuilding image headers
- Software
  - Image editors
  - Image viewers




Summary (Cont.)
- Steganography
  - Hides information inside image files
  - Forms
    - Insertion
    - Substitution
- Steganalysis
  - Finds whether image files hide information





End of Chapter 7

				