Guide to Computer Forensics and Investigations
Third Edition
Chapter 10
Recovering Graphics Files

Objectives
• Describe types of graphics file formats
• Explain types of data compression
• Explain how to locate and recover graphics files
• Describe how to identify unknown file formats
• Explain copyright issues with graphics

Recognizing a Graphics File
• Contains digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures
  – Bitmap images: collection of dots
  – Vector graphics: based on mathematical instructions
  – Metafile graphics: combination of bitmap and vector
• Types of programs
  – Graphics editors
  – Image viewers

Understanding Bitmap and Raster Images
• Bitmap images
  – Grids of individual pixels
• Raster images
  – Pixels are stored in rows
  – Better for printing
• Image quality
  – Screen resolution
  – Software
  – Number of color bits used per pixel

Understanding Vector Graphics
• Characteristics
  – Lines instead of dots
  – Store only the calculations for drawing lines and shapes
  – Smaller size
  – Preserve quality when image is enlarged
• CorelDraw, Adobe Illustrator

Understanding Metafile Graphics
• Combine raster and vector graphics
• Example
  – Scanned photo (bitmap) with text (vector)
• Share advantages and disadvantages of both types
  – When enlarged, bitmap part loses quality

Understanding Graphics File Formats
• Standard bitmap file formats
  – Graphic Interchange Format (.gif)
  – Joint Photographic Experts Group (.jpeg, .jpg)
  – Tagged Image File Format (.tiff, .tif)
  – Window Bitmap (.bmp)
• Standard vector file formats
  – Hewlett Packard Graphics Language (.hpgl)
  – AutoCAD (.dxf)

Understanding Graphics File Formats (continued)
• Nonstandard graphics file formats
  – Targa (.tga)
  – Raster Transfer Language (.rtl)
  – Adobe Photoshop (.psd) and Illustrator (.ai)
  – Freehand (.fh9)
  – Scalable Vector Graphics (.svg)
  – Paintbrush (.pcx)
• Search the Web for software to manipulate unknown image formats

Understanding Digital Camera File Formats
• Witnesses or suspects can create their own digital photos
• Examining the raw file format
  – Raw file format
    • Referred to as a digital negative
    • Typically found on many higher-end digital cameras
  – Sensors in the digital camera simply record pixels on the camera’s memory card
  – Raw format maintains the best picture quality

Understanding Digital Camera File Formats (continued)
• Examining the raw file format (continued)
  – The biggest disadvantage is that it’s proprietary
    • And not all image viewers can display these formats
  – The process of converting raw picture data to another format is referred to as demosaicing
• Examining the Exchangeable Image File format
  – Exchangeable Image File (EXIF) format
    • Commonly used to store digital pictures
    • Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files

Understanding Digital Camera File Formats (continued)
• Examining the Exchangeable Image File format (continued)
  – EXIF format collects metadata
    • Investigators can learn more about the type of digital camera and the environment in which pictures were taken
  – EXIF file stores metadata at the beginning of the file

Understanding Digital Camera File Formats (continued)
• Examining the Exchangeable Image File format (continued)
  – With tools such as ProDiscover and Exif Reader
    • You can extract metadata as evidence for your case

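What an EXIF reader does with the metadata stored at the beginning of the file, as an added example that is not part of the original slides: it walks the JPEG marker segments to the APP1 "Exif" segment and reads the camera make, model and timestamp from the TIFF directory inside it. The sample file and its tag values (ExampleCam, EX-100, the date) are constructed for the demonstration.

```python
import struct

# Tags read by this example (ASCII-typed IFD0 entries from the EXIF/TIFF tag set)
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF block of the
    APP1 'Exif' segment, or None if the file carries no EXIF data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 start-of-image marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:
            break                      # corrupt segment length: stop walking
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if marker == 0xDA:             # start of scan: metadata segments are over
            break
        pos += 2 + length
    return None


def read_ascii_tags(tiff):
    """Parse IFD0 of a TIFF block and return the ASCII tags listed in TAGS."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # little- or big-endian
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header inside EXIF segment")
    (ifd,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            break                      # truncated directory
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if tag not in TAGS or typ != 2:              # type 2 = ASCII string
            continue
        if n <= 4:                                   # short values sit in the entry
            raw = entry[8:8 + n]
        else:                                        # longer ones sit at an offset
            (off,) = struct.unpack(order + "I", entry[8:12])
            raw = tiff[off:off + n]
        found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def extract_exif(jpeg):
    """Return a dict of the recognised EXIF tags, empty if there is no EXIF."""
    tiff = find_exif_tiff(jpeg)
    return read_ascii_tags(tiff) if tiff is not None else {}


def build_sample():
    """Constructed sample: SOI, one APP1/Exif segment with three tags, EOI."""
    values = [(0x010F, b"ExampleCam\x00"), (0x0110, b"EX-100\x00"),
              (0x0132, b"2008:03:14 09:26:53\x00")]
    data_off = 8 + 2 + 12 * len(values) + 4   # header + count + entries + next-IFD
    entries, blob = b"", b""
    for tag, val in values:
        entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(blob))
        blob += val
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(values))
            + entries + struct.pack("<I", 0) + blob)
    body = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2)
            + body + b"\xff\xd9")


if __name__ == "__main__":
    for name, value in extract_exif(build_sample()).items():
        print(f"{name}: {value}")
```
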
Understanding Data Compression
• Some image formats compress their data
  – GIF, JPEG, PNG
• Others, like BMP, do not compress their data
  – Use data compression tools for those formats
• Data compression
  – Coding of data from a larger to a smaller form
  – Types
    • Lossless compression and lossy compression

Lossless and Lossy Compression
• Lossless compression
  – Reduces file size without removing data
  – Based on Huffman or Lempel-Ziv-Welch coding
    • For redundant bits of data
  – Utilities: WinZip, PKZip, StuffIt, and FreeZip
• Lossy compression
  – Permanently discards bits of information
  – Vector quantization (VQ)
    • Determines what data to discard based on vectors in the graphics file
  – Utility: Lzip

Locating and Recovering Graphics Files
• Operating system tools
  – Time consuming
  – Results are difficult to verify
• Computer forensics tools
  – Image headers
    • Compare them with good header samples
    • Use header information to create a baseline analysis
  – Reconstruct fragmented image files
    • Identify data patterns and modified headers

Identifying Graphics File Fragments
• Carving or salvaging
  – Recovering all file fragments
• Computer forensics tools
  – Carve from slack and free space
  – Help identify image file fragments and put them together

Repairing Damaged Headers
• Use good header samples
• Each image file has a unique file header
  – JPEG: FF D8 FF E0 00 10
  – Most JPEG files also include JFIF string
• Exercise:
  – Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)

Searching for and Carving Data from Unallocated Space
• Steps
  – Planning your examination
  – Searching for and recovering digital photograph evidence
    • Use ProDiscover to search for and extract (recover) possible evidence of JPEG files
    • False hits are referred to as false positives

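How a header search over unallocated space separates real JPEG hits from false positives, as an added example that is not part of the original slides or of ProDiscover: every FF D8 FF hit is checked for the JFIF (or Exif) identifier and a consistent segment chain before anything is carved. The 1536-byte buffer and the structurally minimal JPEG in it are constructed for the demonstration.

```python
import struct

JFIF_HEADER = bytes.fromhex("FFD8FFE00010")   # good header sample from the slide
SOI = b"\xff\xd8\xff"                         # start of image + next marker prefix
EOI = b"\xff\xd9"                             # end of image


def classify_header(buf, off):
    """Return 'JFIF', 'EXIF' or None for a candidate header at offset off."""
    marker = buf[off + 3:off + 4]
    ident = buf[off + 6:off + 12]
    if marker == b"\xe0" and ident[:5] == b"JFIF\x00":
        return "JFIF"
    if marker == b"\xe1" and ident == b"Exif\x00\x00":
        return "EXIF"
    return None


def walk_segments(buf, off):
    """Follow the marker segments after SOI and return the offset where the
    compressed scan data starts, or None if the chain is broken. Skipping
    whole segments also steps over thumbnails embedded in metadata."""
    pos = off + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        (length,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if length < 2:
            return None
        if marker == 0xDA:                    # start of scan
            return pos + 2 + length
        pos += 2 + length
    return None


def carve_jpegs(buf):
    """Return (carved, rejected): carved holds (offset, kind, data) tuples,
    rejected holds (offset, reason) for hits that are false positives."""
    carved, rejected = [], []
    pos = buf.find(SOI)
    while pos != -1:
        kind = classify_header(buf, pos)
        scan = walk_segments(buf, pos) if kind else None
        end = buf.find(EOI, scan) if scan is not None else -1
        if kind is None:
            rejected.append((pos, "no JFIF/Exif identifier"))
        elif scan is None:
            rejected.append((pos, "broken segment chain"))
        elif end == -1:
            rejected.append((pos, "no end-of-image marker"))
        else:
            carved.append((pos, kind, buf[pos:end + 2]))
            pos = buf.find(SOI, end + 2)
            continue
        pos = buf.find(SOI, pos + 1)
    return carved, rejected


def build_sample():
    """Constructed sample: three 512-byte sectors of 'unallocated space' with
    one minimal JFIF structure at offset 512 and a stray FF D8 FF at 1024."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    jpeg = b"\xff\xd8" + app0 + sos + b"\x12\x34\x56" * 4 + EOI
    assert jpeg[:6] == JFIF_HEADER
    buf = (b"\x00" * 512 + jpeg + b"\x00" * (512 - len(jpeg))
           + b"\xff\xd8\xff\x41" + b"\x00" * 508)
    return buf, jpeg


if __name__ == "__main__":
    found, false_hits = carve_jpegs(build_sample()[0])
    for off, kind, data in found:
        print(f"carved {kind} JPEG at offset {off}, {len(data)} bytes")
    for off, reason in false_hits:
        print(f"false positive at offset {off}: {reason}")
```
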
Rebuilding File Headers
• Try to open the file first and follow steps if you can’t see its content
• Steps
  – Recover more pieces of file if needed
  – Examine file header
    • Compare with a good header sample
    • Manually insert correct hexadecimal values
  – Test corrected file

Reconstructing File Fragments
• Locate the starting and ending clusters
  – For each fragmented group of clusters in the file
• Steps
  – Locate and export all clusters of the fragmented file
  – Determine the starting and ending cluster numbers for each fragmented group of clusters
  – Copy each fragmented group of clusters in their proper sequence to a recovery file
  – Rebuild the corrupted file’s header to make it readable in a graphics viewer

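The steps above, together with the header comparison from Rebuilding File Headers, as an added example that is not part of the original slides: cluster groups are copied in sequence into a recovery buffer, the first bytes are compared with the good JPEG header sample, and every changed byte is recorded alongside before and after hashes. The 512-byte cluster size, the cluster numbers and the overwritten header bytes are assumptions of the constructed sample.

```python
import hashlib

GOOD_JPEG_HEADER = bytes.fromhex("FFD8FFE00010")   # good header sample from the slide
CLUSTER_SIZE = 512                                  # assumption for the sample image


def copy_cluster_groups(image, groups, cluster_size=CLUSTER_SIZE):
    """Copy each (start, end) cluster group, in the order given, into one
    recovery buffer. Cluster numbers are inclusive."""
    out = bytearray()
    for start, end in groups:
        if start < 0 or end < start:
            raise ValueError(f"bad cluster group {start}-{end}")
        chunk = image[start * cluster_size:(end + 1) * cluster_size]
        if len(chunk) != (end - start + 1) * cluster_size:
            raise ValueError(f"cluster group {start}-{end} runs past the image")
        out += chunk
    return bytes(out)


def has_jfif_string(data):
    """The JFIF string survives when only the leading bytes were altered."""
    return data[6:11] == b"JFIF\x00"


def rebuild_header(data, good=GOOD_JPEG_HEADER):
    """Return (fixed_copy, changes). changes lists (offset, old, new) bytes so
    the edit can be documented; the input buffer is never modified."""
    if len(data) < len(good):
        raise ValueError("recovered data shorter than the header sample")
    changes = [(i, data[i], good[i])
               for i in range(len(good)) if data[i] != good[i]]
    return good + data[len(good):], changes


def recover(image, groups):
    """Reassemble the fragments, repair the header and report what changed."""
    raw = copy_cluster_groups(image, groups)
    fixed, changes = rebuild_header(raw)
    return {
        "jfif_string_found": has_jfif_string(raw),
        "changes": changes,
        "sha256_before": hashlib.sha256(raw).hexdigest(),
        "sha256_after": hashlib.sha256(fixed).hexdigest(),
        "data": fixed,
    }


def build_sample():
    """Constructed sample: a 3-cluster JFIF-style file stored as two fragment
    groups (clusters 2-3 and 7) on a 10-cluster image, with its first four
    header bytes overwritten."""
    original = GOOD_JPEG_HEADER + b"JFIF\x00" + (bytes(range(256)) * 6)[:1525]
    damaged = b"zzzz" + original[4:]
    image = bytearray(10 * CLUSTER_SIZE)
    image[2 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = damaged[:1024]
    image[7 * CLUSTER_SIZE:8 * CLUSTER_SIZE] = damaged[1024:]
    return original, bytes(image)


if __name__ == "__main__":
    original, image = build_sample()
    result = recover(image, [(2, 3), (7, 7)])
    for offset, old, new in result["changes"]:
        print(f"offset {offset}: {old:02X} -> {new:02X}")
    print("JFIF string found:", result["jfif_string_found"])
    print("matches original:", result["data"] == original)
```
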
Reconstructing File Fragments (continued)
• Remember to save the updated recovered data with a .jpg extension
• Sometimes suspects intentionally corrupt cluster links in a disk’s FAT
  – Bad clusters appear with a zero value on a disk editor

Identifying Unknown File Formats
• The Internet is the best source
  – Search engines like Google
  – Find explanations and viewers
• Popular Web sites
  – www.digitek-asi.com/file_formats.html
  – www.wotsit.org
  – http://whatis.techtarget.com

Analyzing Graphics File Headers
• Necessary when you find files your tools do not recognize
• Use hex editor such as Hex Workshop
  – Record hexadecimal values on header
• Use good header samples

Tools for Viewing Images
• Use several viewers
  – ThumbsPlus
  – ACDSee
  – QuickView
  – IrfanView
• GUI forensics tools include image viewers
  – ProDiscover
  – EnCase
  – FTK
  – X-Ways Forensics
  – iLook

Understanding Steganography in Graphics Files
• Steganography hides information inside image files
  – Ancient technique
  – Can hide only certain amount of information
• Insertion
  – Hidden data is not displayed when viewing host file in its associated program
    • You need to analyze the data structure carefully
  – Example: Web page

Understanding Steganography in Graphics Files (continued)
• Substitution
  – Replaces bits of the host file with bits of data
  – Usually change the last two LSBs
  – Detected with steganalysis tools
• Usually used with image files
  – Audio and video options
• Hard to detect

Using Steganalysis Tools
• Detect variations of the graphic image
  – When applied correctly you cannot detect hidden data in most cases
• Methods
  – Compare suspect file to good or bad image versions
  – Mathematical calculations verify size and palette color
  – Compare hash values

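The comparison methods above applied to a BMP file, as an added example that is not part of the original slides or of any named steganalysis tool: a suspect file is compared with a known-good reference by size, hash and header, and the pixel differences are checked for the pattern substitution leaves behind, changes confined to the two least significant bits. The 8x8 image and both altered copies are constructed for the demonstration, and the check assumes a reference copy of the image is available.

```python
import hashlib
import struct


def split_bmp(bmp):
    """Return (header_bytes, pixel_bytes) using the pixel-array offset that
    the BMP file header stores at bytes 10-13."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    (offset,) = struct.unpack("<I", bmp[10:14])
    return bmp[:offset], bmp[offset:]


def compare_with_original(original, suspect, lsb_bits=2):
    """Compare a suspect BMP with a known-good reference copy."""
    head_a, pix_a = split_bmp(original)
    head_b, pix_b = split_bmp(suspect)
    mask = (1 << lsb_bits) - 1
    # XOR of each differing byte pair shows which bit positions changed
    diffs = [a ^ b for a, b in zip(pix_a, pix_b) if a != b]
    return {
        "same_size": len(original) == len(suspect),
        "hash_match": (hashlib.sha256(original).hexdigest()
                       == hashlib.sha256(suspect).hexdigest()),
        "header_changed": head_a != head_b,
        "changed_bytes": len(diffs),
        "only_lsbs_changed": bool(diffs) and all((d & ~mask) == 0 for d in diffs),
    }


def verdict(report):
    """Turn the comparison report into a one-line finding."""
    if report["hash_match"]:
        return "identical to reference"
    if (report["same_size"] and not report["header_changed"]
            and report["only_lsbs_changed"]):
        return "consistent with LSB substitution"
    return "differs from reference (edited, re-saved or different image)"


def build_samples():
    """Constructed samples: an 8x8 24-bit BMP, a copy whose two low bits are
    disturbed in 16 pixel bytes, and a copy with one high bit changed."""
    pixels = bytes((i * 7) % 256 for i in range(192))
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, 8, 8, 1, 24, 0, len(pixels),
                      2835, 2835, 0, 0)
    original = header + dib + pixels
    lsb_copy = bytearray(original)
    for i in range(54, 54 + 16):
        lsb_copy[i] ^= 0b11            # only the two least significant bits
    edited = bytearray(original)
    edited[60] ^= 0x80                 # a change in the most significant bit
    return original, bytes(lsb_copy), bytes(edited)


if __name__ == "__main__":
    original, lsb_copy, edited = build_samples()
    for name, suspect in (("lsb_copy", lsb_copy), ("edited", edited),
                          ("original", original)):
        report = compare_with_original(original, suspect)
        print(name, report["changed_bytes"], verdict(report))
```

Matching size with a mismatched hash is what makes the low-bit check worth running: the file looks unchanged in a viewer, yet the hash shows it is not the reference.
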
Identifying Copyright Issues with Graphics
• Steganography originally incorporated watermarks
• Copyright laws for Internet are not clear
  – There is no international copyright law
• Check www.copyright.gov

Summary
• Image types
  – Bitmap
  – Vector
  – Metafile
• Image quality depends on various factors
• Image formats
  – Standard
  – Nonstandard
• Digital camera photos are typically in raw and EXIF JPEG formats

Summary (continued)
• Some image formats compress their data
  – Lossless compression
  – Lossy compression
• Recovering image files
  – Carving file fragments
  – Rebuilding image headers
• Software
  – Image editors
  – Image viewers

Summary (continued)
• Steganography
  – Hides information inside image files
  – Forms
    • Insertion
    • Substitution
• Steganalysis
  – Finds whether image files hide information