Guide to Computer Forensics and Investigations, Second Edition
Chapter 11: Recovering Image Files
Guide to Computer Forensics and Investigations, 2e 2
Objectives
• Recognize image files
• Understand data compression
• Locate and recover image files
• Analyze image file headers
• Identify copyright issues with graphics
Recognizing an Image File
• Contains graphics
  – Bitmap: collection of dots
  – Vector: mathematical instructions
  – Metafile: combination of bitmap and vector
• Types of programs
  – Graphics editor
  – Image viewers
Understanding Bitmap and Raster Images
• Bitmap images
  – Grids of individual pixels
• Raster images
  – Pixels are stored in rows
  – Better for printing
• Image quality
  – Screen resolution
  – Software
  – Number of color bits used per pixel
Understanding Vector Images
• Characteristics
  – Use lines
  – Store only the mathematics for drawing lines and shapes
  – Smaller size
  – Preserve quality when image is enlarged
• CorelDraw, Adobe Illustrator
• You can save vector images as bitmap images
  – Do not save bitmap images as vector images
Understanding Metafile Graphics
• Combine raster and vector graphics
• Example: scanned photo (bitmap) with text (vector)
• Share advantages and disadvantages of both types
  – When enlarged, bitmap part loses quality
Understanding Image File Formats
• Standard bitmap image file formats
  – Graphics Interchange Format (.gif)
  – Joint Photographic Experts Group (.jpeg, .jpg)
  – Tagged Image File Format (.tiff, .tif)
  – Windows Bitmap (.bmp)
• Standard vector image file formats
  – Hewlett-Packard Graphics Language (.hpgl)
  – AutoCAD (.dxf)
Understanding Image File Formats (continued)
• Nonstandard image file formats
  – Targa (.tga)
  – Raster Transfer Language (.rtl)
  – Adobe Photoshop (.psd) and Illustrator (.ai)
  – Freehand (.fh9)
  – Scalable Vector Graphics (.svg)
  – Paintbrush (.pcx)
• Search the Web for software to manipulate unknown image formats
Understanding Data Compression
• Some image formats compress their data
  – GIF, JPEG, PNG
• Others, like BMP, do not compress their data
• Use data compression tools for those formats
• Data compression
  – Coding of data from a larger to a smaller size
Reviewing Lossless and Lossy Compression
• Lossless compression
  – Reduces file size without removing data
  – Based on Huffman or Lempel-Ziv-Welch coding
    • For redundant bits of data
  – WinZip, PKZip, FreeZip
• Lossy compression
  – Permanently discards bits of information
  – Vector quantization (VQ)
  – Lzip
Locating and Recovering Image Files
• OS tools
  – Time consuming
  – Results are difficult to verify
• Computer forensics tools
  – Image headers
    • Compare them with good header samples
  – Reconstruct fragmented image files
    • Identify data patterns and modified headers
Identifying Image File Fragments
• Carving or salvaging
  – Recovering all fragments
• Computer forensics tools
  – Carve from slack and free space
  – Help identify image file fragments and put them together
Repairing Damaged Headers
• Use good header samples
• Each image file has a unique file header
  – JPEG: FF D8 FF E0 00 10
  – Most JPEG files also include the JFIF string
Carving Data from Unallocated Space
• Steps:
  – Create a duplicate bit-stream copy
  – Update your tools to search for image files
  – Search for image files (or fragments)
  – Carve for fragments using the results from your search
    • Determine all clusters the image is using
  – Recover deleted data
    • Determine absolute beginning and ending cluster
Carving Data from Unallocated Space (continued)
• Steps (continued):
  – Rebuild image file header
    • Use hex editor to manually insert correct codes
  – Save as a new file
  – Test your new image file
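The carving steps above, worked as an added Python example (not from the textbook or any forensics product): it searches a constructed block of "unallocated space" for known image header samples, carves each file through its trailer, and reports the absolute beginning and ending sector of each hit. The JPEG header bytes are the chapter's sample; the GIF and PNG signatures and trailers are the published format values; a 512-byte sector size is an assumption.

```python
import hashlib

SECTOR = 512  # assumption: 512-byte sectors
# Header samples to search for (the chapter's JPEG/JFIF bytes plus the published
# GIF and PNG signatures) and the trailer bytes that mark each format's end.
HEADERS = {"jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF", "gif": b"GIF8",
           "png": b"\x89PNG\r\n\x1a\n"}
TRAILERS = {"jpeg": b"\xff\xd9",                # EOI marker
            "gif": b"\x3b",                     # ';' trailer
            "png": b"IEND\xae\x42\x60\x82"}     # IEND chunk + its CRC

# Constructed "unallocated space": zeroed sectors with a tiny JPEG and GIF dropped
# in. Payload bytes are dummies; only the framing matters for carving.
JPEG_SAMPLE = HEADERS["jpeg"] + b"\x00\x01\x01" + b"\x00" * 20 + TRAILERS["jpeg"]
GIF_SAMPLE = b"GIF89a" + b"\x10\x00\x10\x00" + b"\x00" * 8 + TRAILERS["gif"]
UNALLOCATED = b"\x00" * 1024 + JPEG_SAMPLE + b"\x00" * 600 + GIF_SAMPLE + b"\xff" * 100


def find_headers(data):
    """Return sorted (offset, kind) pairs for every header sample found in data."""
    hits = []
    for kind, magic in HEADERS.items():
        pos = data.find(magic)
        while pos >= 0:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(data, offset, kind, max_len=8 * 1024 * 1024):
    """Carve one file from offset through its trailer; None when only a fragment is
    present. Caveat: an embedded thumbnail carries its own FF D9, so test the result."""
    trailer = TRAILERS[kind]
    end = data.find(trailer, offset + len(HEADERS[kind]), offset + max_len)
    return None if end < 0 else data[offset:end + len(trailer)]


def carve_all(data):
    """Carve every recognised image; report absolute sector range and a hash."""
    results = []
    for offset, kind in find_headers(data):
        blob = carve(data, offset, kind)
        if blob is None:
            continue  # fragment only: needs the reconstruction steps on the later slides
        results.append({"kind": kind, "offset": offset, "size": len(blob),
                        "first_sector": offset // SECTOR,
                        "last_sector": (offset + len(blob) - 1) // SECTOR,
                        "sha256": hashlib.sha256(blob).hexdigest()})
    return results
```

Run the same functions over a bit-stream copy of a real volume, never the original drive, and hash every carved file so the result can be verified later.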
Rebuilding File Headers
• Try opening the file first; follow the steps below if you can't see its content
• Steps:
  – Recover more pieces of the file if needed
  – Examine file header
    • Compare with a good header sample
    • Manually insert correct hexadecimal values
  – Test corrected file
Reconstructing File FragmentsReconstructing File Fragments
• Bad clusters appear with a zero value on a disk editor
• Steps:– Determine clusters of possible header– Find if other fragments are linked to header
• DriveSpy CFE command
– Find linked fragments on unallocated clusters• DriveSpy GFE command
• Copy all sectors after a nonlinked cluster
Reconstructing File Fragments (continued)
• Steps (continued):
  – Save linked fragments on unallocated clusters to valid clusters
    • Create a script file to use with DriveSpy SaveSect
    • Group contiguous blocks and find absolute beginning and ending sector numbers
    • Combine all saved sectors into a file
  – Rebuild file header if needed
  – Save new file and test it
Identifying Unknown File FormatsIdentifying Unknown File Formats
• The Internet is the best source– Search engines like Google– Find explanations and viewers
• Popular Web sites:– www.digitek-asi.com/file_formats.html– www.wotsit.org– http://whatis.techtarget.com
Analyzing Image File Headers
• For files your tools do not recognize
• Use a hex editor like Hex Workshop
  – Record hexadecimal values of the header
• Update your forensics tools
  – DriveSpy.ini
• Use good header samples
Tools for Viewing ImagesTools for Viewing Images
• Use several viewers– ThumbsPlus– ACDSee– QuickView– IrfanView
• GUI forensics tools include image viewers– EnCase– FTK– iLook
Understanding Steganography in Image Files
• Steganography hides information inside image files
  – Ancient technique
  – Can hide only a certain amount of information
• Insertion
  – Hidden data is not displayed when viewing the host file in its associated program
  – Web page
Understanding Steganography in Image Files (continued)
• Substitution
  – Replaces bits of the host file with bits of data
  – Usually changes the last two LSBs (least significant bits)
  – Detected with steganalysis tools
• Usually used with image files
  – Audio and video options
• Hard to detect
Using Steganalysis ToolsUsing Steganalysis Tools
• Detect variations of the graphic image– When applied correctly you cannot detect hidden
data
• Methods– Compare suspect file to good or bad image versions– Mathematical calculations verify size and palette
color– Compare hash values
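The three methods above (and the substitution slide's point that stego tools usually touch only the two least significant bits) as an added Python example, not code from the textbook or any steganalysis product: a constructed known-good image is compared with a suspect version by hash, size and the bit positions that changed, and two constructed palettes are checked for near-duplicate colour entries. The images are raw 8-bit pixel bytes and the palettes are small tuples, both assumptions for the sake of a self-contained example.

```python
import hashlib

# Constructed 4x4 8-bit images as raw pixel bytes: CLEAN is the known-good version,
# SUSPECT is the same picture with four pixels altered only in their two LSBs.
CLEAN = bytes([10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 130, 140, 150, 160])
SUSPECT = bytes([11, 20, 30, 43, 50, 60, 70, 80, 90, 101, 110, 120, 130, 140, 150, 162])

# Constructed palettes for indexed images: stego tools that work on palettes tend to
# add near-duplicate colours, so pairs of almost identical entries are a warning sign.
CLEAN_PALETTE = [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 0)]
SUSPECT_PALETTE = [(255, 0, 0), (254, 1, 0), (0, 255, 0), (0, 0, 255)]

LSB_MASK = 0x03  # the two least significant bits of each pixel


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def near_duplicate_palette_pairs(palette, tolerance=1):
    """Count pairs of palette entries whose channels all differ by at most tolerance."""
    pairs = 0
    for i in range(len(palette)):
        for j in range(i + 1, len(palette)):
            if all(abs(a - b) <= tolerance for a, b in zip(palette[i], palette[j])):
                pairs += 1
    return pairs


def compare_with_known_good(clean, suspect):
    """Apply the slide's checks in order: hash, size, then where the changed bits live.
    lsb_only is True when every changed bit falls inside LSB_MASK, the pattern a
    substitution tool leaves; an ordinary re-save or edit touches higher bits too."""
    report = {"same_hash": sha256_hex(clean) == sha256_hex(suspect),
              "same_size": len(clean) == len(suspect),
              "changed_pixels": 0, "changed_bits_mask": 0, "lsb_only": False}
    if report["same_hash"] or not report["same_size"]:
        return report  # identical, or a different image altogether: nothing to map
    for a, b in zip(clean, suspect):
        if a != b:
            report["changed_pixels"] += 1
            report["changed_bits_mask"] |= a ^ b
    report["lsb_only"] = (report["changed_bits_mask"] & ~LSB_MASK) == 0
    return report
```

Without a known-good copy this comparison is not available, which is the slide's point that well-applied substitution is hard to detect; statistical tests on the LSB plane are the fallback.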
Identifying Copyright Issues with Graphics
• Steganography originally incorporated watermarks
• Copyright laws for the Internet are not clear
  – There is no international copyright law
• Check www.copyright.gov
Summary
• Image types
  – Bitmap
  – Vector
  – Metafile
• Image quality depends on various factors
• Image formats
  – Standard
  – Nonstandard
Summary (continued)
• Some image formats compress their data
  – Lossless compression
  – Lossy compression
• Recovering image files
  – Carving file fragments
  – Rebuilding image headers
• Software
  – Image editors
  – Image viewers
Summary (continued)
• Steganography
  – Hides information inside image files
  – Insertion
  – Substitution
• Steganalysis
  – Finds whether image files hide information