Summary

This document is Chapter 8, "Recovering Graphics Files," from the Guide to Computer Forensics and Investigations, Fifth Edition. The presentation outlines topics like computer graphics overviews, data compression, file header analysis, steganography, and copyright considerations for graphics files.

Full Transcript

Guide to Computer Forensics and Investigations, Fifth Edition
Chapter 8: Recovering Graphics Files
© Cengage Learning 2015

Chapter 8 - Recovering Graphics Files
This chapter covers the following topics:
– an overview of computer graphics
– data compression
– how to locate and recover graphics files based on information stored in file headers
You will also learn how to analyze file headers and repair damaged file headers. Two further issues related to computer graphics are discussed in this chapter:
– Steganography
– Copyrights

Recovering Graphics Files
Steganography involves hiding data, including images, in files.
Copyrights determine the ownership of media, such as images downloaded from a Web site, and the right to use that media.

Recognizing a Graphics File
You use graphics editors to create, modify, and save bitmap, vector, and metafile graphics.
You use image viewers to open and view graphics files, but you can't change their contents.

Recognizing a Graphics File
There are different types of graphics file formats, such as BMP, GIF, and JPEG. Each format has different qualities, including the amount of color and compression it uses.
If you open a graphics file in a graphics editor that supports multiple file formats, you can save the file in another file format. However, converting graphics files in this way can change the image quality.

Bitmap and Raster Images
Bitmap images
– Grids of individual pixels (picture elements)
– Raster images: collections of pixels
– Pixels are stored in rows
– Better for printing: an image is printed row by row of pixels instead of processing the complete collection of pixels at once

Bitmap and Raster Images
Image quality
– Screen resolution determines the amount of detail that's displayed.
– In other words, resolution is related to the density of pixels onscreen and depends on a combination of hardware and software.

Hardware contributes to image quality
Monitors can display a range of resolutions; the higher the resolution, the sharper the image.

Hardware contributes to image quality
Another setting that affects image quality is the number of colors the monitor displays. The following list shows the number of colors per number of bits per pixel:
– 1 bit: 2 colors
– 4 bits: 16 colors
– 8 bits: 256 colors
– 16 bits: 65,536 colors
– 24 bits: 16,777,216 colors
– 32 bits: 4,294,967,296 colors

Hardware contributes to image quality
Computers also use a video card containing a certain amount of memory for displaying images. The more memory it has, the higher-quality the images it can display.

Software contributes to image quality
Software includes drivers.
NOTE: bitmaps, especially those with low resolution, usually lose quality when you enlarge them.

Understanding Vector Graphics
Characteristics of vector graphics
– A vector file stores only the calculations for drawing lines and shapes.
– A graphics program converts these calculations into an image.
– Because vector files store calculations, not images, they are generally smaller than bitmap files.
– You can also enlarge a vector graphic without affecting image quality.
Examples: CorelDraw, Adobe Illustrator

Understanding Metafile Graphics
Metafile graphics combine raster and vector graphics.
Example: if you scan a photograph (a bitmap image) and then add text or arrows (vector drawings)
Metafiles share the advantages and disadvantages of both types:
– When enlarged, the bitmap part loses quality, but the vector-formatted area remains sharp and clear.

Understanding Graphics File Formats
Graphics editors:
– Microsoft Paint
– Adobe Freehand MX (works only with vector graphics)
– Adobe Photoshop
– GNOME GIMP
Understanding Graphics File Formats
Standard bitmap file formats
– Portable Network Graphics (.png)
– Graphics Interchange Format (.gif)
– Joint Photographic Experts Group (.jpeg, .jpg)
– Tagged Image File Format (.tiff, .tif)
– Windows Bitmap (.bmp)
Standard vector file formats
– Hewlett-Packard Graphics Language (.hpgl)
– AutoCAD (.dxf)
– EPS (Encapsulated PostScript)
– WMF (Windows Metafile Format)
– EMF (Enhanced Metafile)

Because you can open standard graphics files in most or all graphics programs, they are easier to work with in a digital forensics investigation. If you encounter files in nonstandard formats, you might need to rely on your investigative skills.

PNG header structure (figure)

GIF image signature format (figure)

BMP image structure format (figure)

Understanding Graphics File Formats
Nonstandard graphics file formats
– Targa (.tga)
– Raster Transfer Language (.rtl)
– Adobe Photoshop (.psd) and Illustrator (.ai)
– Freehand (.fh11)
– Scalable Vector Graphics (.svg)
– Paintbrush (.pcx)
Search the Web for software to manipulate unknown image formats.

Inkscape (figure)

GIMP (figure)

Blender (figure)

Other applications
– Visio
– Photoshop

Understanding Digital Camera File Formats
Digital camera files are important because witnesses or suspects can create their own digital photos. Most, if not all, digital cameras produce digital photos in raw or Exif format.

RAW files
A camera performs no enhancement processing, hence the term "raw" for this format. Sensors in a digital camera simply record pixels on the memory card.
– One advantage of this format is that it maintains the best picture quality.
– From a digital forensics perspective, the biggest disadvantage of the raw file format is that it's proprietary, and not all image viewers can display these formats.
– Because the format is proprietary, to view a raw graphics file you might need to get the viewing and conversion software from the camera manufacturer.

RAW files
– The process of converting raw picture data to another format is referred to as demosaicing.

EXIF (Examining the Exchangeable Image File Format)
Developed by JEITA (Japan Electronics and Information Technology Industries Association) as a standard for storing metadata in JPEG and TIF files. In other words, some metadata is added to the header of the JPEG or TIF file.
Metadata includes:
– information about the camera (such as model, make, and serial number)
– settings (such as shutter speed, focal length, resolution, date, and time)
– In addition, if the camera has GPS capability, the latitude and longitude location data might be recorded.

Understanding Digital Camera File Formats
– Viewing an Exif JPEG file's metadata requires special programs: Exif Reader, IrfanView, or ProDiscover

Understanding Digital Camera File Formats
The standard header for regular JPEG files is JPEG File Interchange Format (JFIF), which has the hexadecimal value FFE0 starting at offset 2. For Exif JPEG files, the hexadecimal value starting at offset 2 is FFE1. All JPEG files, including Exif, start at offset 0 (the first byte of the file) with hexadecimal FFD8.

Understanding Digital Camera File Formats
For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is FFD9.

Understanding Digital Camera File Formats
Examining the Exchangeable Image File format (cont'd)
– With tools such as ProDiscover and Exif Reader, you can extract metadata as evidence for your case.

Understanding Digital Camera File Formats
Getting the date and time could be difficult for several reasons:
1. losing the camera
2. intentional
3. unintentional (such as the battery failing)
Understanding Data Compression
Some image formats (GIF and JPEG) compress their data to:
– save disk space and
– reduce the file's transmission time
Others, like BMP, do not compress their data.
– Use data compression tools for those formats.
Data compression
– Coding data from a larger to a smaller form
– Types: lossless compression and lossy compression

Lossless and Lossy Compression
Lossless compression
– Techniques reduce file size without removing data.
– GIF and Portable Network Graphics (PNG) file formats reduce file size with lossless compression.
– Saves file space by using mathematical formulas to represent data in a file.
– These formulas generally use one of two algorithms for redundant bits of data: Huffman or Lempel-Ziv-Welch coding.
– Utilities: WinZip, PKZip, StuffIt, and FreeZip

Huffman
Visualization of the use of Huffman coding to encode the message "A_DEAD_DAD_CEDED_A_BAD_BABE_A_BEADED_ABACA_BED". (figure)

Lossless compression
For example, if a graphics file contains a large red area, the algorithm can set 1 byte to red and set another byte to specify 200 red bytes instead of having to store 200 red bytes. Therefore, only 2 bytes are used.

Lossy compression
Lossy compression
– compresses data by permanently discarding bits of information in the file.
– loses information
– JPEG
– If you simply rename a file by using File Explorer or the command line, however, the file doesn't lose any more data.
– Vector quantization (VQ) uses complex algorithms to determine what data to discard based on vectors in the graphics file.
– Utility: Lzip

Locating and Recovering Graphics Files
Option 1: Some OSs have built-in tools for recovering graphics files
– Operating system tools
– Time consuming
– Results are difficult to verify
Option 2: Digital forensics tools
– Image headers
The header is complex and difficult to remember, so compare a known good file header with that of a suspected file (to learn the file type and other information). In other words, use the known JPEG header information to create a baseline for analysis.

Identifying Graphics File Fragments
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
Recovering any type of file fragments is called carving or salvaging.
Digital forensics tools
– Can carve from file slack and free space
– ProDiscover, X-Ways Forensics, OS Forensics, EnCase, and FTK

File Slack
The space between the end of a file and the end of the disk cluster it is stored in.
Repairing Damaged Headers
When examining recovered fragments from files in slack or free space
– You might find data that appears to be a header
If header data is partially overwritten, you must reconstruct the header to make it readable
– By comparing the hexadecimal values of known graphics file formats with the pattern of the file header you found

Repairing Damaged Headers
Each graphics file format has a unique header value.
Example:
– A JPEG file has the hexadecimal header value FFD8, followed by the label JFIF for a standard JPEG or Exif file at offset 6.
Exercise (page 326):
– Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)

Searching For and Carving Data from Unallocated Space
Steps
– Planning your examination
– Searching for and recovering digital photograph evidence
Use ProDiscover to search for and extract (recover) possible evidence of JPEG files.
False hits are referred to as false positives. (Go back to page 329 and read the first paragraph after the title "Searching for ...".)

Rebuilding File Headers
Before attempting to edit a recovered graphics file
– Try to open the file with an image viewer first
If the image isn't displayed, you have to inspect and correct the header values manually.
Steps
– Recover more pieces of the file if needed
– Examine the file header: compare it with a good header sample and manually insert the correct hexadecimal values
– Test the corrected file

Reconstructing File Fragments
Locate the noncontiguous clusters that make up a deleted file.
Steps
– Locate and export all clusters of the fragmented file
– Determine the starting and ending cluster numbers for each fragmented group of clusters
– Copy each fragmented group of clusters in its correct sequence to a recovery file
– Rebuild the file's header to make it readable in a graphics viewer

Identifying Unknown File Formats
Sometimes, you'll encounter graphics file formats you're not familiar with. In addition, suspects might use older systems with programs that create files in uncommon file formats.

Analyzing Graphics File Headers
You should analyze graphics file headers when you find new or unique file types that forensics tools don't recognize.
Use a hexadecimal editor such as WinHex
– Record the hexadecimal values in the header and use them to define a file type
Example:
– The XIF file format is old, and little information is available
– The first 3 bytes of an XIF file are the same as a TIF file
– Build your own header search string

Tools for Viewing Images
After recovering a graphics file
– Use an image viewer to open and view it
No one viewer program can read every file format
– Having many different viewer programs is best
Most GUI forensics tools include image viewers that display common image formats.
Be sure to analyze, identify, and inspect every unknown file on a drive.

Understanding Steganography in Graphics Files
Steganography hides information inside image files
– An ancient technique
Two major forms: insertion and substitution
Insertion
– Hidden data is not displayed when viewing the host file in its associated program
– You need to analyze the data structure carefully
– Example: a Web page that contains hidden text, which is shown in Figure 8-24

Understanding Steganography in Graphics Files
Substitution
– Replaces bits of the host file with other bits of data
– To avoid detection, only those bits that result in the least amount of change are substituted.
– For example, if you use an 8-bit graphics file, each pixel is represented by 8 bits of data containing information about the color that pixel displays onscreen. The bits are prioritized from left to right, such as 11101100. The first bit on the left is the most significant bit (MSB), and the last bit on the right is the least significant bit (LSB).
– Changing the MSB affects the pixel display more than changing the LSB does.
– Usually only the last two LSBs in an image can be changed without producing a noticeable change.

Understanding Steganography in Graphics Files
Detected with steganalysis tools (a.k.a. steg tools)
You should inspect all files for evidence of steganography.
Clues to look for:
– Duplicate files with different hash values
– Steganography programs installed on the suspect's drive

Using Steganalysis Tools (figure)

Understanding Copyright Issues with Graphics
Steganography has also been used to protect copyrighted material
– By inserting digital watermarks into a file
Digital investigators need to be aware of copyright laws.
Copyright laws for the Internet are not clear
– There is no international copyright law
Check www.copyright.gov
– The U.S. Copyright Office identifies what can and can't be covered under copyright law in the U.S. (see the next slide)

Understanding Copyright Issues with Graphics
Copyrightable works include the following categories:
1. literary works;
2. musical works, including any accompanying words;
3. dramatic works, including any accompanying music;
4. pantomimes and choreographic works;
5. pictorial, graphic, and sculptural works;
6. motion pictures and other audiovisual works;
7. sound recordings;
8. architectural works.

Digital Watermarks
Digital watermarks can be visible or imperceptible.
– Visible watermarks are usually an image, such as the copyright symbol or a company logo.
– Imperceptible watermarks don't change the appearance of a copyrighted file. Methods used for imperceptible watermarks involve modifying a file's LSBs into a unique pattern.
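An added example, not from the slides or the textbook: the MSB-versus-LSB point from the substitution slides made concrete, together with a check for the "duplicate files with different hash values" clue from the steganalysis slide. The 8-bit image, the payload, and the helper that produces the two-LSB substituted copy for testing are all constructed here; a real examination would compare two recovered files.

```python
import hashlib

# Constructed 8-bit "image": 256 pixels holding every value 0..255 once.
COVER = bytes(range(256))


def bit_change_effect(pixel: int, bit: int) -> int:
    """How much an 8-bit pixel value moves when one bit is flipped.
    Bit 7 is the MSB (a change of 128); bit 0 is the LSB (a change of 1)."""
    return abs((pixel ^ (1 << bit)) - pixel)


def embed_2lsb(cover: bytes, payload: bytes) -> bytes:
    """Test-pair generator: substitute the two LSBs of each pixel with two
    payload bits, which is the substitution method the slides describe.
    Used here only to produce a sample for compare_duplicates()."""
    bits = "".join(f"{b:08b}" for b in payload)
    if len(bits) > 2 * len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i in range(0, len(bits), 2):
        out[i // 2] = (out[i // 2] & 0b11111100) | int(bits[i:i + 2], 2)
    return bytes(out)


def brighten(pixels: bytes, amount: int) -> bytes:
    """An innocent edit (brightness change) used as the negative case."""
    return bytes(min(255, p + amount) for p in pixels)


def compare_duplicates(a: bytes, b: bytes) -> dict:
    """Steganalysis check for two near-identical files with different
    hashes: if every differing pixel differs only in its two LSBs, the
    change is consistent with LSB substitution rather than a normal edit."""
    if len(a) != len(b):
        return {"same_size": False, "suspicious": False}
    changed = [i for i in range(len(a)) if a[i] != b[i]]
    max_delta = max((abs(a[i] - b[i]) for i in changed), default=0)
    only_2lsb = all(((a[i] ^ b[i]) & 0b11111100) == 0 for i in changed)
    return {
        "same_size": True,
        "hash_a": hashlib.sha256(a).hexdigest()[:16],
        "hash_b": hashlib.sha256(b).hexdigest()[:16],
        "pixels_changed": len(changed),
        "max_delta": max_delta,
        "only_2lsb_changed": only_2lsb,
        "suspicious": bool(changed) and only_2lsb,
    }


if __name__ == "__main__":
    print("flip MSB of 11101100:", bit_change_effect(0b11101100, 7))
    print("flip LSB of 11101100:", bit_change_effect(0b11101100, 0))
    stego = embed_2lsb(COVER, b"hidden")  # constructed payload
    print("suspected pair:", compare_duplicates(COVER, stego))
    print("brightened pair:", compare_duplicates(COVER, brighten(COVER, 8)))
```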
