Module 12 Image Files Forensics PDF

Computer Hacking
Forensics Investigator
Module XII
Image Files Forensics
Scenario
Target Software systems has completed an

expensive marketing and customer service
analysis. The company plans to advertise for
the latest product, which is to be released.
However the company suspects that an
employee might have given their sensitive
marketing data to a competitor.
A floppy disc was found containing
proprietary company data regarding key
clients hidden in an image file headers.
Exhaustive investigation resulted in evidence
found in fragments of a JPEG file header.
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Objectives
~ Introduction to image files

~ Recognize image files
~ Understand data compression
~ Locate and recover image files
~ Analyze image file headers
~ Reconstructing file fragments
~ Understanding steganography in image files
~ Tools for viewing images
Module Flow
Introduction Image files identification
Locate and recover

Data compression
Image files
Analyze image file Reconstructing file

Headers Fragments
Recovering image file tools Steganography
Introduction to Image Files
~ Image file formats can be:

• A black and white Image
• A grayscale Image
• A color image
• Indexed Color image
~ All image formats differ between ease of use,
size of the file, and the quality of reproduction
Recognizing an Image File
~ Pixels: are small dots used to create images

~ Bitmap Images: A representation of a graphics
image in a grid-type format
~ Metafiles: Combination of bitmap and vector
images
~ Vector Images: An image based on
mathematical equations
Recognizing an Image File
The circled area in this

screen shot shows the
resolution of the screen by
pixels
Understanding Bitmap and Vector Images
Bitmap Images Vector Images

~ Bitmap images can be ~ Uses geometric
made in the following equations
applications: ~ Higher quality image
• Photoshop than a bitmap
• MS Paint ~ Useful for rendering
• Image Ready types and shapes
• Paintshop Pro
~ Continuous tone
photos
Metafile Graphics
~ Metafiles combine raster and vector graphics.

~ Metafiles have similar features of both bitmap
and vector images.
~ When metafiles are enlarged it results in a loss
of resolution giving the image a shady
appearance.
Understanding Image File Formats
File Format File Extension Icon Appearance in ACDSee
Graphics Interchange Format .gif
Joint Photographic Experts .jpg

Group
Tagged mage File Format .tif
Windows Bitmap .bmp
JPEG 2000 .jp2
Portable Network Graphics .png
File types
~ Different types of files
• Graphics file format
– .gif/.jpg/.jpeg/.jfif
• Text file format
– .txt/.htm/.html
• Audio file format
– .au/.uLaw/.MuLaw/.aiff
– .mp3/.ra/.wav/.wma
• Video file format
– .avi/.mov/.movie
– .mpg/.mpeg/.qt/.ram
• Document file format
– .doc/.pdf/.ps
• Compress file format
– .z/.zip/.sit/.gzip/.gz
Understanding Data Compression
~ Data compression: is done

by using a complex
algorithm used to reduce the
size of a file
~ Vector quantization: A form
of vector image that uses an
algorithm similar to
rounding up decimal values
to eliminate unnecessary
data
Understanding Lossless and Lossy
Compression
~ GIF and PNG image file formats
reduce the file size by using
lossless compression
~ Lossless compression saves file
space by using algorithms to
represent data contained in the file
~ Lossy compression compresses
data permanently removing
information contained in the file
Locating and Recovering Image Files
Carving: The process of removing

an item from a group of items
Salvaging: Another term for carving.
It is the process of removing an item
from a group of them
Locating and Recovering Image Files
The screenshot above shows the location of the clusters where the
data has been found and the data found with the matching search.
Repairing Damaged Headers
~ Investigators recover data remnants from free

space
~ This data would be be similar to headers from
common image files
~ Header data that is partly overwritten can be
used to repair damaged headers
~ The HEX Workshop application can be used to
repair damaged headers by the process of
comparison
~ Jpeg files would include letters “JFIF” after
hexadecimal values
Example:
Jpeg file have a hexadecimal value of : FF D8 FF E0 00 10
Reconstructing File Fragments
~ Corruption of data prevents

investigators from reconstructing
file fragments for image files
~ Data corruption can be:
• Accidental
• Intentional
~ File fragments can be reconstructed
by examining a suspect disk with the
help of the DriveSpy application
~ Investigators can build the case
based on the data reconstructed
Identifying Unknown File Formats
To understand unknown image file formats one

should know about non-standard file formats:
• Targa (.tga)
• Raster Transfer Language (.rtl)
• Photoshop (.psd)
• Illustrator (.ai)
• Freehand (.h9)
• Scalable vector graphics (.svg)
• Paintbrush (.pcx)
Analyzing Image File Headers
~ Investigators analyze image file headers when

new file extensions are present that forensic
tools cannot recognize
~ File Headers are accessed with the help of a
hexadecimal editor such as the Hex Workshop
~ Hexadecimal values present in the header can
be used to define a file type
Picture Viewer: Ifran View
IfranView is an image
viewing program that
supports many unknown
file formats including
•Targa (.tga)
•Illustrator (.ai)
•Scalable vector graphics (.svg)
•FlashPix (fpx)
Picture Viewer: Acdsee
ACDSee is an image
enables investigators to
•Find images
•View images
•Manage image files on the drive
•Search and view unknown file
formats
Picture Viewer: Thumbsplus
ThumbsPlus is an image
enables investigators to
•View images from a drive
database
•View files other than
images such as audio and
multimedia files
•Catalog image files for
future reference
Steganography in Image Files
~ Two files need to hide a message within an

image file
– The file containing the image into which the
message is supposed to be put in
– The file containing the message itself
~ There are 3 methods to hide messages in
images, they include:
– Least Significant Bit
– Filtering and Masking
– Algorithms and Transformation
Steganalysis Tool: Hex Workshop
~ The Hex Workshop

application can
detect and write
messages on to a file
~ Investigators use the
Hex Workshop tool
to reconstruct
damaged file headers
Steganalysis Tool: S-tools
~ S-Tools can hide and

detect files hidden in
BMP, GIF and WAV
files
~ Investigators have the
advantage of multi-
threaded operation
~ Investigators can
hide/reveal operations
simultaneously without
fear of interference to
the work environment
Identifying Copyright Issues With
Graphics
~ Section 106 of the 1976 Copyright Act generally
gives the owner of copyright the exclusive right
to do and to authorize others to do the
following:
– To perform the work publicly
– To display the copyright work publicly
– In the case of sound recordings, to perform the work
publicly by means of a digital audio transmission
– To reproduce the work in copies or phonorecords
– To prepare derivative works based upon the work
– To distribute copies or phonorecords of the work to the
public by sale or other transfer of ownership, or by rental,
lease, or lending
Identifying Copyright Issues With
Graphics (Contd..)
Copyrightable works include the following:
~ Literary works
~ Musical works; including any accompanying words
~ Dramatic works; including any accompanying
music
~ Pantomimes and choreographic works
~ Pictorial, graphic, and sculptural works.
~ Motion pictures and other audiovisual works.
~ Sound recordings
~ Architectural works
Summary
~ The standard image file formats include Jpeg,

GIF, BMP, TAG and EPS
~ Data Compression is done by using a complex
algorithm to reduce the size of a file
~ Lossy compression compresses data
permanently removing information contained
in the file
~ Image files have a unique file header value.
Common image header values have residual
data from partially overwritten headers in file
slack

Module 12 Image Files Forensics PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Module 12 Image Files Forensics PDF

Uploaded by

Copyright:

Available Formats

Computer Hacking

Target Software systems has completed an

~ Introduction to image files

Introduction Image files identification

Locate and recover

Analyze image file Reconstructing file

Recovering image file tools Steganography

~ Image file formats can be:

~ Pixels: are small dots used to create images

The circled area in this

Bitmap Images Vector Images

~ Metafiles combine raster and vector graphics.

File Format File Extension Icon Appearance in ACDSee

Graphics Interchange Format .gif

Joint Photographic Experts .jpg

Tagged mage File Format .tif

Windows Bitmap .bmp

JPEG 2000 .jp2

Portable Network Graphics .png

~ Data compression: is done

Carving: The process of removing

~ Investigators recover data remnants from free

~ Corruption of data prevents

To understand unknown image file formats one

~ Investigators analyze image file headers when

~ Two files need to hide a message within an

~ The Hex Workshop

~ S-Tools can hide and

~ The standard image file formats include Jpeg,

You might also like