COS/PSA 413
Day 18
Agenda
• Lab 9 write-up grades
– 2 A’s, 1 B, 1 D and 1 F
– Answer the questions with a minimal amount of BS
– I will start taking off points for superfluous information
• Capstone progress report 2 overdue
• Today we will be discussing Image Files
– Chap 12 in 1e, Chap 11 in 2e, very similar but with some differences
• Lab 11 in OMS Tuesday (team)
– Project 12-1 and 12-2
– Make sure you know what is you will be doing before you get to the lab,
requires you to do the example in the chapter before the projects
• Lab 12 in N105 on Wednesday (individual)
– Project 12-3, 12-4, 12-5, 12-6 and 12-7
– Much of the research parts and all of 12-5) can be done before the lab
Recovering Image Files
Chapter 12
Learning Objectives
•
•
•
•
•
Recognize Image Files
Understand Data Compression
Locate and Recover Image Files
Analyze Image File headers
Identify Copyright Issues with Graphics
Recognizing An Image File
Bitmap Images – A representation of a graphics
image in a grid-type format.
Vector Images – An image based on mathematical
equations.
Metafiles – Combination of bitmap and vector
images.
Pixels – A small dot used to create images.
Recognizing an Image File
Rasterizes – To convert a bitmap file to a raster file
for printing.
Screen Resolution – The density of pixels
displayed on your monitor.
Resolution – Density of pixels on the screen.
Recognizing an Image File
Recognizing an Image File
Number of bits used per colored pixel:
• 1 bit = 2 colors
• 4 bits = 16 colors
• 8 bits = 256 colors
• 16 bits = 65,536 colors
• 24 bits = 16,777,216 colors
•All effect size of graphics
•800 pixels * 600 pixels picture is 480000 pixels
•@ 8 bits/pixel = 3840000 bits = 3750 Kb = 3.66 Mb
•@ 16 bits/pixel = 7.32 Mb
•@ 24 bits/pixel = 10.99 Mb
Recognizing an Image File
Standard Image File Formats
•Graphics Interchange Format (.gif)
•Joint Photographic Express Group (.jpg or .jpeg)
•Tagged Image File Format (.tif or .tiff)
•Windows Bitmap (.bmp)
Recognizing an Image File
Nonstandard Image File Formats
• Targa (.tga)
• Raster Transfer Language (.rtl)
• Photoshop (.psd)
• Illustrator (.ai)
• Freehand (.h9)
• Scalable Vector Graphics (.svg)
• Paintbrush (.pcx)
• Paint Shop Pro (.psp)
Understanding Data Compression
Data Compression – A complex algorithm used to
reduce the size of a file.
Lossless -- Big->Small and Back again
Huffman, Lempel-Ziv
Lossy -- Big->Small->Something else
Jpeg
Vector Quantization (VQ) – A form of vector image
that uses an algorithm similar to rounding up
decimal values to eliminate unnecessary data.
Locating and Recovering Image Files
Carving – The process of removing an item from a
group of items.
Salvaging – Another term for carving used in the
United Kingdom; the process of removing an item
from a group of them.
Locating and Recovering Image Files
Search for header bytes
Locating and Recovering Image Files
Locating and Recovering Image Files
Do the math
• File size is bytes/512 = # of Sectors
• # of sectors/sector per clusters = # of
clusters
• Example Sawto~1.jpg from figure 12-3
– 254002/512 = 496.1
– Since Fat12 has 1 sector per cluster
• Sawtoo~1.jpg starts at cluster 2 and ends at cluster
498 and we found a partial header at 499
Locating and Recovering Image Files
Locating and Recovering Image Files
Search for header bytes
Rebuilding the files
• Since we fond a partial header at 499 and
the next file starts at 1392
– We use drivespy cluster command to find
absolute cluster for 499 and 1391
Save the file
• Using drivespy savesect command to save
the sectors as a 8.jpg file
• Use HexWorkshop to fix the header and
save the file
• View the file
Fragmenated files
• The previous example assumes the sectors
were contiguous, they may be fragmented
–
–
–
–
Search for potential headers
Determine the cluster number
View the cluster using drivespy
View the NEXT cluster using drivespy to see if
the graphic continues
– Use DriveSpy CFE command on the two
clusters
Puting it all together
• Chances are the two CFE results give you the
entire file
• Group the contiguous sectors
– 449-494, 792-815,1194-1280
– Find the absolute sectors
• Create a Drivespy script to ave the sectors (in
order) as one *.jpg file
• Rebuild the header using Hex Workshop
• View the file
Analyzing Image File Headers
Analyzing Image File Headers
Identifying unknown File formats
• Google it!
– Xif file format
•
•
•
•
Http://Filext.com
http://www.wotsit.org/
http://www.digitek-asi.com/file_formats.html
http://whatis.techtarget.com/fileFormatA/0,289933
,sid9,00.html
Analyzing Image File Headers
Steganography – Hiding data in a file.
Analyzing Image File Headers
Analyzing Image File Headers
Identifying Copyright Issues with Graphics
Section 106 of the 1976 Copyright Act generally gives
the owner of copyright the exclusive right to do and to
authorize others to do the following:
- To reproduce the work in copies or
phonorecords.
- To prepare derivative works based upon the
work.
- To distribute copies or phonorecords of the work
to the public by sale or other transfer of ownership,
or by rental, lease, or lending.
Identifying Copyright Issues with Graphics
Continued...
- To perform the work publicly, in case of literacy,
musical, dramatic, and choreographic works,
pantomimes, and motion pictures and other
audiovisual works.
Identifying Copyright Issues with Graphics
Continued…
- To display the copyright work publicly, in the
case of literacy, musical, dramatic, and
choreographic works, pantomimes, and pictorial,
graphic, or sculptural works, including the individual
images of a motion picture or other audiovisual
work.
- In the case of sound recordings, to perform
the work publicly by means of a digital audio
transmission.
Identifying Copyright Issues with Graphics
Copyrightable works include the following:
1. Literary works.
2. Musical works; including any accompanying
words.
3. Dramatic works; including any accompanying
music.
4. Pantomimes and choreographic works.
5. Pictorial, graphic, and sculptural works.
6. Motion pictures and other audiovisual works.
7. Sound recordings.
8. Architectural works.
Chapter Summary
- An image file contains graphics, such as a
digital photograph, line art, a three-dimensional
image, or a scanned replica of a printed picture.
A graphics program creates and saves one of
three types of image files: bitmap, vector, or
metafile. Bitmap images are collections of dots,
or pixels, that form an image. Vector images are
mathematical instructions that define lines,
curves, text, ovals, and other geometric shapes.
Metafiles are combinations of bitmap and vector
images.
Chapter Summary
- When you use either a graphic editor or image
viewer, you can open a file in one of many
image file formats, which is indicated by the file
extension, such as .bmp, .gif, or .eps. Each
format has different qualities, including the
amount of color and compression it uses. If you
open an image file in a graphics program that
supports multiple file formats, you can save the
file in a different file format. However, converting
image files this way can change the quality of
the image.
Chapter Summary
- Bitmap images store graphic information as
grips of individual pixels, short for picture
elements. The quality of a bitmap image
displayed on a computer monitor is governed by
screen resolution, which determines the amount
of detail displayed in the image. Vector files are
different from bitmap and raster files; a raster
image uses dots and the vector format uses
lines. A vector file stores only the mathematics
for drawing lines and shapes; a graphics
program converts the calculation into the
appropriate image.
Chapter Summary
- Most image file formats, including GIF and
JPEG, compress their data to save disk space
and to reduce the amount of time it takes to
transfer the image from one computer to
another. Lossless compression saves file space
by using mathematical formulas to represent the
data contained in a file. Lossy compression is
significantly different from lossless compression
because it compresses data permanently
discarding bits of information contained in the
file.
Chapter Summary
- If a computer forensics investigation involves
image files, you need to locate and recover all of
the image files on a drive and determine which
ones are pertinent to your case. An image file
contains a header with instructions for displaying
the image. Each type of image file has its own
header and examining the header helps you
identify the file format. Because the header is
complex and difficult to remember, you can
compare a known good file header with that of a
suspected file.
Chapter Summary
- When you are examining recovered data
remnants from files in slack or free space, you
might find data that appears to be a header for a
common image file type. If you locate header
data that is partially overwritten, you must
reconstruct the header. After you identify
fragmented data, you can use a computer
forensics program to recover the fragmented
file.
Chapter Summary
- If you cannot open an image file in an image
viewer, your next step is to examine the header
data of the file to see if it matches the header in
a good JPEG file. If the header does not match,
you must manually insert the correct
hexadecimal values using a tool such as Hex
Workshop. You can then inspect and correct the
hexadecimal values within a file.
Chapter Summary
- The Internet is the best source for learning more
about file formats and their associated
extensions. You have already used the
Webopedia Web site to research the TGA file
format. You can use also any popular search
engine to search for “file type” or “file format”
and find the latest list of Web sites providing
information on file extensions.
Chapter Summary
- You should analyze image file headers when
you find new or unique file types that computer
forensics tools do not recognize. The simplest
way to access a file header is to use a
hexadecimal editor such as Hex Workshop. You
can then record the hexadecimal values in the
header and later use them to define a file type in
DriveSpy.ini.
Chapter Summary
- Many popular viewer utilities are shareware
programs such as ThumbsPlus, ACDSee, Quick
View, and IrFanView that let you view a wide
range of image file formats. Most GUI computer
forensics tools such as EnCase, FTK, and ILook
integrate image viewers that display only
common image formats, especially GIF and
JPEG, which are often involved in computing
investigations related to Internet cases.
Chapter Summary
- Steganography is a method for hiding data
using a host file to cover the contents of the
secret message. The two major forms of
steganography are insertion and substitution.
Insertion places data from the secret file into the
host file without displaying the secret data when
you view the host file in it’s associated program.
The inserted data is hidden unless you review
the data structure. The second type of
steganography, substitution, replaces bits of the
host file with other bits of data.
Chapter Summary
- Several steganalysis tools can detect hidden
data in image files, even in files that have been
renamed to protect their contents. The
steganalysis tool must be able to detect the
variations of the graphic image. If the image file
has been renamed, the steganalysis tool can
use the file header to identify the file format and
indicate whether the file contains an image.