COS/PSA 413 Day 18 Agenda
• Lab 9 write-up grades
  – 2 A’s, 1 B, 1 D and 1 F
  – Answer the questions with a minimal amount of BS
  – I will start taking off points for superfluous information
• Capstone progress report 2 overdue
• Today we will be discussing Image Files
  – Chap 12 in 1e, Chap 11 in 2e; very similar but with some differences
• Lab 11 in OMS Tuesday (team)
  – Project 12-1 and 12-2
  – Make sure you know what you will be doing before you get to the lab; it requires you to do the example in the chapter before the projects
• Lab 12 in N105 on Wednesday (individual)
  – Project 12-3, 12-4, 12-5, 12-6 and 12-7
  – Much of the research parts (and all of 12-5) can be done before the lab

Recovering Image Files
Chapter 12

Learning Objectives
• Recognize Image Files
• Understand Data Compression
• Locate and Recover Image Files
• Analyze Image File Headers
• Identify Copyright Issues with Graphics

Recognizing an Image File
Bitmap Images – A representation of a graphics image in a grid-type format.
Vector Images – An image based on mathematical equations.
Metafiles – A combination of bitmap and vector images.
Pixels – A small dot used to create images.

Recognizing an Image File
Rasterizes – To convert a bitmap file to a raster file for printing.
Screen Resolution – The density of pixels displayed on your monitor.
Resolution – Density of pixels on the screen.
Recognizing an Image File
Number of bits used per colored pixel:
• 1 bit = 2 colors
• 4 bits = 16 colors
• 8 bits = 256 colors
• 16 bits = 65,536 colors
• 24 bits = 16,777,216 colors
• All affect the size of the graphic
• An 800 pixel * 600 pixel picture is 480000 pixels
  – @ 8 bits/pixel = 3840000 bits = 3750 Kb = 3.66 Mb (Kb and Mb here are kilobits and megabits)
  – @ 16 bits/pixel = 7.32 Mb
  – @ 24 bits/pixel = 10.99 Mb

Recognizing an Image File
Standard Image File Formats
• Graphics Interchange Format (.gif)
• Joint Photographic Experts Group (.jpg or .jpeg)
• Tagged Image File Format (.tif or .tiff)
• Windows Bitmap (.bmp)

Recognizing an Image File
Nonstandard Image File Formats
• Targa (.tga)
• Raster Transfer Language (.rtl)
• Photoshop (.psd)
• Illustrator (.ai)
• Freehand (.fh9)
• Scalable Vector Graphics (.svg)
• Paintbrush (.pcx)
• Paint Shop Pro (.psp)

Understanding Data Compression
Data Compression – A complex algorithm used to reduce the size of a file.
• Lossless – Big -> Small and back again
  – Huffman, Lempel-Ziv
• Lossy – Big -> Small -> Something else
  – JPEG
Vector Quantization (VQ) – A form of vector image that uses an algorithm similar to rounding up decimal values to eliminate unnecessary data.

Locating and Recovering Image Files
Carving – The process of removing an item from a group of items.
Salvaging – Another term for carving used in the United Kingdom; the process of removing an item from a group of them.
Locating and Recovering Image Files
Search for header bytes

Locating and Recovering Image Files
Do the math
• File size in bytes / 512 = # of sectors
• # of sectors / sectors per cluster = # of clusters
• Example: Sawtoo~1.jpg from figure 12-3
  – 254002 / 512 = 496.1, so 497 sectors
  – FAT12 has 1 sector per cluster
  – Sawtoo~1.jpg starts at cluster 2 and ends at cluster 498, and we found a partial header at 499

Locating and Recovering Image Files
Rebuilding the files
• Since we found a partial header at 499 and the next file starts at 1392
  – We use the DriveSpy cluster command to find the absolute sector addresses for clusters 499 and 1391
• Save the file
  – Use the DriveSpy savesect command to save the sectors as a file named 8.jpg
  – Use Hex Workshop to fix the header and save the file
  – View the file

Fragmented files
• The previous example assumes the sectors were contiguous; they may be fragmented
  – Search for potential headers
  – Determine the cluster number
  – View the cluster using DriveSpy
  – View the NEXT cluster using DriveSpy to see if the graphic continues
  – Use the DriveSpy CFE command on the two clusters

Putting it all together
• Chances are the two CFE results give you the entire file
• Group the contiguous sectors
  – 449-494, 792-815, 1194-1280
  – Find the absolute sectors
• Create a DriveSpy script to save the sectors (in order) as one *.jpg file
• Rebuild the header using Hex Workshop
• View the file

Analyzing Image File Headers
Identifying unknown file formats
• Google it!
  – e.g. "Xif file format"
• http://Filext.com
• http://www.wotsit.org/
• http://www.digitek-asi.com/file_formats.html
• http://whatis.techtarget.com/fileFormatA/0,289933,sid9,00.html

Analyzing Image File Headers
Steganography – Hiding data in a file.
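The cluster arithmetic and the rebuild-from-fragments procedure above, worked through in Python as an added example (this is not code from the slides, the textbook, or the DriveSpy/Hex Workshop tools used in the lab). The disk image, its cluster numbers and the assumed data-area start sector (33) are constructed for the demonstration; the FAT cluster-to-sector rule and the JPEG marker bytes are standard. It reproduces the Sawtoo~1.jpg numbers (497 clusters, last cluster 498), then carves a constructed fragmented file whose first two header bytes were overwritten, the "partial header" case on the slides, and repairs the marker.

```python
"""Carving a fragmented JPEG out of a small FAT-style disk image.

Added example; not code from the slides, the textbook, or DriveSpy/Hex Workshop.
The image, its cluster numbers and DATA_START_SECTOR are constructed for the
demonstration; the FAT cluster arithmetic and JPEG marker bytes are standard.
"""
import math

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 1       # FAT12 floppy, as in the Sawtoo~1.jpg example
FIRST_DATA_CLUSTER = 2        # FAT numbers the first data cluster 2
DATA_START_SECTOR = 33        # assumed: boot sector + two FATs + root directory
CLUSTER_BYTES = SECTOR_SIZE * SECTORS_PER_CLUSTER
TOTAL_CLUSTERS = 32           # size of the constructed data area

SOI = b"\xff\xd8\xff"                 # JPEG start-of-image marker plus next marker prefix
APP0_JFIF = b"\xff\xe0\x00\x10JFIF"   # bytes 2..9 of every JFIF header
EOI = b"\xff\xd9"                     # JPEG end-of-image marker


def clusters_needed(file_size, sector_size=SECTOR_SIZE, spc=SECTORS_PER_CLUSTER):
    """The slide's 'size / 512 / sectors-per-cluster', rounded up to whole clusters."""
    return math.ceil(file_size / (sector_size * spc))


def last_cluster(start_cluster, file_size):
    """Last cluster of a contiguous file that starts at start_cluster."""
    return start_cluster + clusters_needed(file_size) - 1


def cluster_to_sector(cluster, data_start=DATA_START_SECTOR, spc=SECTORS_PER_CLUSTER):
    """Absolute sector of a FAT cluster, the lookup the slides do with DriveSpy."""
    return data_start + (cluster - FIRST_DATA_CLUSTER) * spc


def cluster_offset(cluster):
    """Byte offset of a cluster inside the constructed data-area image."""
    return (cluster - FIRST_DATA_CLUSTER) * CLUSTER_BYTES


def build_image():
    """Constructed image: one JFIF-style file spread over three fragments, with
    the first two header bytes overwritten (the slides' partial-header case).
    Returns (image, fragments, original_file)."""
    header = bytes.fromhex("ffd8ffe000104a46494600010100000100010000")  # SOI + APP0/JFIF
    payload = header + bytes(range(256)) * 11 + EOI   # stand-in for scan data
    fragments = [(5, 7), (12, 13), (20, 20)]          # (first, last) cluster, file order
    image = bytearray(CLUSTER_BYTES * TOTAL_CLUSTERS)
    pos = 0
    for first, last in fragments:
        size = (last - first + 1) * CLUSTER_BYTES
        chunk = payload[pos:pos + size]
        start = cluster_offset(first)
        image[start:start + len(chunk)] = chunk
        pos += size
    image[cluster_offset(5):cluster_offset(5) + 2] = b"AB"   # overwritten SOI marker
    return bytes(image), fragments, payload


def find_headers(image):
    """Scan every cluster boundary for a JPEG header. A 'partial' hit is a
    cluster whose SOI bytes are gone but whose APP0/JFIF bytes are intact."""
    hits = []
    for c in range(FIRST_DATA_CLUSTER, FIRST_DATA_CLUSTER + TOTAL_CLUSTERS):
        head = image[cluster_offset(c):cluster_offset(c) + 12]
        if head.startswith(SOI):
            hits.append((c, "full"))
        elif head[2:2 + len(APP0_JFIF)] == APP0_JFIF:
            hits.append((c, "partial"))
    return hits


def carve(image, fragments):
    """Concatenate the cluster runs in file order (the DriveSpy script step)
    and trim the slack after the end-of-image marker."""
    data = b"".join(image[cluster_offset(f):cluster_offset(l) + CLUSTER_BYTES]
                    for f, l in fragments)
    end = data.rfind(EOI)
    return data[:end + len(EOI)] if end != -1 else data


def repair_jpeg_header(data):
    """Put the SOI marker back when the JFIF segment behind it is intact
    (the manual Hex Workshop fix on the slides, done in code)."""
    if data[:2] != b"\xff\xd8" and data[2:2 + len(APP0_JFIF)] == APP0_JFIF:
        return b"\xff\xd8" + data[2:]
    return data


def recover(image, fragments):
    return repair_jpeg_header(carve(image, fragments))


if __name__ == "__main__":
    print("Sawtoo~1.jpg:", clusters_needed(254002), "clusters, last cluster",
          last_cluster(2, 254002), "; cluster 499 is sector", cluster_to_sector(499))
    image, fragments, original = build_image()
    print("headers found:", find_headers(image))
    print("recovered file intact:", recover(image, fragments) == original)
```

The fragment list plays the role of the grouped contiguous runs on the "Putting it all together" slide; on a real drive it comes from the header search and the cluster-by-cluster inspection, not from the code. Trimming at the last end-of-image marker is what removes the slack that the last cluster always carries.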
Analyzing Image File Headers

Identifying Copyright Issues with Graphics
Section 106 of the 1976 Copyright Act generally gives the owner of copyright the exclusive right to do and to authorize others to do the following:
- To reproduce the work in copies or phonorecords.
- To prepare derivative works based upon the work.
- To distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending.

Identifying Copyright Issues with Graphics (Continued...)
- To perform the work publicly, in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works.
- To display the copyrighted work publicly, in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work.
- In the case of sound recordings, to perform the work publicly by means of a digital audio transmission.

Identifying Copyright Issues with Graphics
Copyrightable works include the following:
1. Literary works.
2. Musical works, including any accompanying words.
3. Dramatic works, including any accompanying music.
4. Pantomimes and choreographic works.
5. Pictorial, graphic, and sculptural works.
6. Motion pictures and other audiovisual works.
7. Sound recordings.
8. Architectural works.

Chapter Summary
- An image file contains graphics, such as a digital photograph, line art, a three-dimensional image, or a scanned replica of a printed picture. A graphics program creates and saves one of three types of image files: bitmap, vector, or metafile. Bitmap images are collections of dots, or pixels, that form an image. Vector images are mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Metafiles are combinations of bitmap and vector images.
Chapter Summary
- When you use either a graphics editor or an image viewer, you can open a file in one of many image file formats, which is indicated by the file extension, such as .bmp, .gif, or .eps. Each format has different qualities, including the amount of color and compression it uses. If you open an image file in a graphics program that supports multiple file formats, you can save the file in a different file format. However, converting image files this way can change the quality of the image.

Chapter Summary
- Bitmap images store graphic information as grids of individual pixels, short for picture elements. The quality of a bitmap image displayed on a computer monitor is governed by screen resolution, which determines the amount of detail displayed in the image. Vector files are different from bitmap and raster files; a raster image uses dots and the vector format uses lines. A vector file stores only the mathematics for drawing lines and shapes; a graphics program converts the calculations into the appropriate image.

Chapter Summary
- Most image file formats, including GIF and JPEG, compress their data to save disk space and to reduce the amount of time it takes to transfer the image from one computer to another. Lossless compression saves file space by using mathematical formulas to represent the data contained in a file. Lossy compression is significantly different from lossless compression because it compresses data by permanently discarding bits of information contained in the file.

Chapter Summary
- If a computer forensics investigation involves image files, you need to locate and recover all of the image files on a drive and determine which ones are pertinent to your case. An image file contains a header with instructions for displaying the image. Each type of image file has its own header, and examining the header helps you identify the file format.
Because the header is complex and difficult to remember, you can compare a known good file header with that of a suspected file.

Chapter Summary
- When you are examining recovered data remnants from files in slack or free space, you might find data that appears to be a header for a common image file type. If you locate header data that is partially overwritten, you must reconstruct the header. After you identify fragmented data, you can use a computer forensics program to recover the fragmented file.

Chapter Summary
- If you cannot open an image file in an image viewer, your next step is to examine the header data of the file to see if it matches the header in a good JPEG file. If the header does not match, you must manually insert the correct hexadecimal values using a tool such as Hex Workshop. You can then inspect and correct the hexadecimal values within a file.

Chapter Summary
- The Internet is the best source for learning more about file formats and their associated extensions. You have already used the Webopedia Web site to research the TGA file format. You can also use any popular search engine to search for “file type” or “file format” and find the latest list of Web sites providing information on file extensions.

Chapter Summary
- You should analyze image file headers when you find new or unique file types that computer forensics tools do not recognize. The simplest way to access a file header is to use a hexadecimal editor such as Hex Workshop. You can then record the hexadecimal values in the header and later use them to define a file type in DriveSpy.ini.

Chapter Summary
- Many popular viewer utilities are shareware programs such as ThumbsPlus, ACDSee, Quick View, and IrfanView that let you view a wide range of image file formats.
Most GUI computer forensics tools such as EnCase, FTK, and ILook integrate image viewers that display only common image formats, especially GIF and JPEG, which are often involved in computing investigations related to Internet cases.

Chapter Summary
- Steganography is a method for hiding data using a host file to cover the contents of the secret message. The two major forms of steganography are insertion and substitution. Insertion places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. The inserted data is hidden unless you review the data structure. The second type of steganography, substitution, replaces bits of the host file with other bits of data.

Chapter Summary
- Several steganalysis tools can detect hidden data in image files, even in files that have been renamed to protect their contents. The steganalysis tool must be able to detect the variations of the graphic image. If the image file has been renamed, the steganalysis tool can use the file header to identify the file format and indicate whether the file contains an image.
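Three summary points above rest on the same operation, reading the header instead of trusting the name: comparing a suspected file's header with a known good one and inserting the correct hexadecimal values, recording header values for a file type, and identifying a renamed file from its header. The following Python is an added example that does that for the four standard formats listed earlier (GIF, JPEG, TIFF, BMP); it is not code from the textbook, the slides, or any forensic tool they name. The signature bytes are real format constants and the JPEG comparison assumes a JFIF-style header; every sample file is constructed inline, including a BMP header for the 800 x 600 example from the bits-per-pixel slide, whose pixel-array size the code reads back out of the header.

```python
"""Identify an image file from its header and diff it against a known-good
header of the same format.

Added example; not code from the textbook, the slides, or any forensic tool
they name. Signature bytes are real format constants; every sample file is
constructed inline and stands in for a file pulled from a drive.
"""
import os
import struct

# Header signatures for the standard formats on the slides: (offset, magic bytes).
SIGNATURES = {
    "gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "tiff": [(0, b"II*\x00"), (0, b"MM\x00*")],
    "bmp":  [(0, b"BM")],
}
EXTENSIONS = {"gif": {".gif"}, "jpeg": {".jpg", ".jpeg"},
              "tiff": {".tif", ".tiff"}, "bmp": {".bmp"}}
# Leading bytes identical in every well-formed file of the format (JFIF-style
# JPEG assumed), so they can be diffed against a known-good file of that format.
FIXED_PREFIX = {"jpeg": 11, "gif": 3, "tiff": 4, "bmp": 2}


def identify(data):
    """Format named by the header bytes, ignoring the file name entirely."""
    for fmt, sigs in SIGNATURES.items():
        if any(data[off:off + len(magic)] == magic for off, magic in sigs):
            return fmt
    return None


def classify(name, data):
    """(format the extension claims, format the header shows). A renamed file
    gives two different values; a damaged header gives None for the second."""
    ext = os.path.splitext(name)[1].lower()
    claimed = next((f for f, exts in EXTENSIONS.items() if ext in exts), None)
    return claimed, identify(data)


def header_diff(suspect, known_good, fmt):
    """Offsets where the suspect departs from the known-good header, with the
    expected and actual byte: exactly the values to type into a hex editor."""
    n = FIXED_PREFIX[fmt]
    return [(i, known_good[i], suspect[i]) for i in range(n) if suspect[i] != known_good[i]]


def repair_header(suspect, known_good, fmt):
    """Overwrite only the fixed prefix; per-file fields after it are kept."""
    n = FIXED_PREFIX[fmt]
    return known_good[:n] + suspect[n:]


def make_bmp_header(width, height, bpp):
    """Constructed 54-byte BMP header (file header + BITMAPINFOHEADER)."""
    row = ((width * bpp + 31) // 32) * 4          # BMP rows are padded to 4 bytes
    pixels = row * abs(height)
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + pixels, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, pixels,
                      2835, 2835, 0, 0)
    return file_hdr + dib


def bmp_geometry(data):
    """Width, height, bits per pixel and the uncompressed pixel-array size the
    header implies: the slide's bits-per-pixel arithmetic read back out of a
    real header, which is how a truncated or padded file shows itself."""
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row = ((width * bpp + 31) // 32) * 4
    return width, height, bpp, row * abs(height)


# Constructed samples: the JFIF header bytes are real, the rest is filler.
GOOD_JPEG = bytes.fromhex("ffd8ffe000104a46494600010100000100010000") + b"\x00" * 12
SAMPLES = {
    "vacation.jpg": GOOD_JPEG,                                        # name and header agree
    "notes.txt": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 20,  # renamed GIF
    "damaged.jpg": b"\x00\x00" + GOOD_JPEG[2:],                       # SOI marker overwritten
    "photo.bmp": make_bmp_header(800, 600, 24),                       # the slide's 800 x 600 case
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        claimed, actual = classify(name, data)
        print(f"{name:14} extension says {claimed!s:5} header says {actual}")
    print("damaged.jpg diff:", header_diff(SAMPLES["damaged.jpg"], GOOD_JPEG, "jpeg"))
    print("800x600x24 pixel-array bytes:", bmp_geometry(SAMPLES["photo.bmp"])[3])
```

The diff is deliberately limited to the bytes that every file of the format shares; fields that legitimately vary between files (JFIF density, GIF version, TIFF byte order) are left alone so a "repair" never imports another file's values. For an unknown type, the same signature table is what you would extend after recording the header bytes in a hex editor.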