Digital Forensics Chapter 8


MEMORIZE THIS

All JPEG files, including Exif, start at offset 0 with hexadecimal FF D8 (the start of image, SOI, marker). The current standard for JPEG is JPEG File Interchange Format (JFIF), whose marker at offset 2 is hex FF E0; for an Exif JPEG the marker at offset 2 is FF E1. The hexadecimal values at offsets 6 to 9 are 4A 46 49 46, which is "JFIF" in ASCII (45 78 69 66, "Exif", for an Exif file). For all JPEG files the end-of-file (EOF) marker is hex FF D9.

Clues to look for: STEG

Duplicate files with different hash values; steganography programs installed on the suspect's drive.

Standard vector file formats

Hewlett-Packard Graphics Language (.hpgl); AutoCAD (.dxf)

Exchangeable Image File (Exif)

A file format the Japan Electronics and Information Technology Industries Association (JEITA) developed as a standard for storing metadata in JPEG and TIFF files. When a digital photo is taken, information about the device (such as make, model, and serial number) and settings (such as shutter speed, focal length, resolution, date, and time) is stored in the graphics file. In addition, if the device has GPS capability, the latitude and longitude might be recorded in the Exif section of the file.

raw file format

A file format typically found on higher-end digital cameras; the camera performs no enhancement processing, hence the term "raw." This format maintains the best picture quality, but because it's a proprietary format, not all image viewers can display it. (Also called a digital negative.)

vector quantization (VQ)

A form of lossy compression that uses an algorithm similar to rounding off decimal values to eliminate unnecessary bits of data.

graphics file header

Each graphics file contains a header with instructions for displaying the image; this header information helps you identify the file format. (The header is complex and difficult to remember, however; instead of memorizing header information, you can compare a known good file header with that of a suspected file.)

(True or False) Images are always stored in standard graphics file formats.

False; you should examine all files your forensics tools find, even if they aren't identified as graphics files.

Another setting that affects image quality is the number of _________ the monitor displays.

colors; graphics files can have different amounts of color per pixel, but each file must set aside a fixed number of bits per pixel for color. The number of colors per bit depth is: 1 bit = 2 colors; 4 bits = 16 colors; 8 bits = 256 colors; 16 bits = 65,536 colors; 24 bits = 16,777,216 colors; 32 bits = 4,294,967,296 colors (in practice most 32-bit formats use 24 bits of color plus 8 bits of alpha/transparency). Bitmap and raster files use as much of the color palette as possible. However, when you save a bitmap or raster file, the resolution and color might change, depending on the colors in the original file and whether the file format supports them.

The two major forms of steganography are

Insertion places data from the secret file into the host file; substitution replaces bits of the host file with bits of the secret data.

All _____ files, including Exif, start from offset 0 (the first byte of a file) with hexadecimal FFD8. The current standard header for regular JPEG files is JPEG File Interchange Format (JFIF), which has the hexadecimal value FFE0 starting at offset 2. For Exif JPEG files, the hexadecimal value starting at offset 2 is FFE1. In addition, the hexadecimal values starting at offset 6 specify the label name (refer to Figure 8-2). For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is FFD9 (see Figure 8-3).

JPEG

Most digital cameras store graphics files as

JPEG Exif files. Investigators can learn the type of digital camera (make, model) and the settings and environment (shutter speed, focal length, resolution, date and time) in which pictures were taken. Exif is an enhancement of the JPEG and TIFF formats.
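The Exif data the cards above describe lives in the APP1 segment (marker FF E1) right after the SOI marker: "Exif\0\0" followed by a TIFF structure whose IFD0 holds tagged entries such as Make, Model and DateTime. The following is an added example (not code from the textbook) that builds a small Exif JPEG from constructed sample values, then walks the marker segments and reads those three ASCII tags back the way a forensic tool does. The tag numbers are from the TIFF/Exif specifications; the sample make, model and timestamp are invented.

```python
import datetime
import struct

# TIFF/Exif tag numbers for the fields an examiner looks at first.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
ASCII = 2                  # TIFF field type 2 = NUL-terminated ASCII


def build_exif_jpeg(tags: dict) -> bytes:
    """Constructed sample: SOI, one APP1 segment ('Exif\\0\\0' + little-endian
    TIFF header + IFD0 with ASCII entries) and EOI. No image data at all."""
    items = [(num, tags[name].encode("ascii") + b"\x00")
             for num, name in TAG_NAMES.items() if name in tags]
    tiff = b"II" + struct.pack("<HI", 42, 8)        # byte order, magic 42, IFD0 at offset 8
    data_off = 8 + 2 + 12 * len(items) + 4          # long values are stored after the IFD
    ifd, values = struct.pack("<H", len(items)), b""
    for num, val in items:
        if len(val) <= 4:                           # values of 4 bytes or less sit inline
            ifd += struct.pack("<HHI4s", num, ASCII, len(val), val.ljust(4, b"\x00"))
        else:                                       # otherwise the field holds an offset
            ifd += struct.pack("<HHII", num, ASCII, len(val), data_off + len(values))
            values += val
    ifd += struct.pack("<I", 0)                     # no IFD1 (thumbnail) follows
    payload = b"Exif\x00\x00" + tiff + ifd + values
    # APP1 length counts the two length bytes but not the marker itself.
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xff\xd9")


def _parse_tiff(tiff: bytes) -> dict:
    """Read IFD0 and return the ASCII tags of interest; offsets are relative
    to the start of the TIFF header, not the start of the JPEG."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic in Exif segment")
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    out = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n, field = struct.unpack(order + "HHI4s", tiff[e:e + 12])
        if tag not in TAG_NAMES or typ != ASCII:
            continue
        if n <= 4:
            raw = field[:n]
        else:
            (off,) = struct.unpack(order + "I", field)
            raw = tiff[off:off + n]
        out[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return out


def parse_exif(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments after SOI until the Exif APP1 segment,
    the start of scan (FFDA) or EOI; plain JFIF files yield an empty dict."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI FFD8 missing at offset 0")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):
            break
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and seg[:6] == b"Exif\x00\x00":
            return _parse_tiff(seg[6:])
        pos += 2 + length
    return {}


def parse_exif_datetime(value: str):
    """Exif stores timestamps as 'YYYY:MM:DD HH:MM:SS' (colons in the date).
    Returns None when the string does not follow that layout."""
    try:
        return datetime.datetime.strptime(value, "%Y:%m:%d %H:%M:%S")
    except ValueError:
        return None


if __name__ == "__main__":
    sample = build_exif_jpeg({"Make": "Canon", "Model": "Canon EOS 5D",
                              "DateTime": "2023:06:14 10:32:07"})
    print(sample[:12].hex(" "))
    print(parse_exif(sample))
```

The DateTime value is whatever the camera's clock said when the shot was taken; it is not signed or otherwise protected, so it is a lead to corroborate against file system timestamps, other photos and external records, not proof on its own.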

Standard bitmap file formats include

Portable Network Graphics (.png), Graphics Interchange Format (.gif), Joint Photographic Experts Group (.jpg or .jpeg), Tagged Image File Format (.tif or .tiff), and Windows Bitmap (.bmp). Standard vector file formats include Hewlett-Packard Graphics Language (.hpgl) and AutoCAD (.dxf).

If you locate header data that's partially overwritten, you must:

Reconstruct the header to make it readable by comparing the hexadecimal values of known graphics file formats with the pattern of the file header you found.

Substitution

Replaces bits of the host file with other bits of data; usually changes only the least significant bits (LSBs) of each pixel, often the last two; detected with steganalysis tools (also called steg tools).

T or F: If steganography is done correctly, in most cases you can't detect the hidden data unless you can compare the altered file with the original file.

T; check whether the file size, image quality, or file extension has changed. If so, you might be dealing with a steganography image.

Data compression

The process of coding data from a larger form to a smaller form, to save disk space and reduce the file's transmission time.

demosaicing

The process of converting raw sensor data (one color sample per pixel, as captured through the camera's color filter array) into a full-color image in another format.

carving / salvaging

The process of recovering file fragments that are scattered across a disk. If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.

Before attempting to edit a recovered graphics file

Try to open the file with an image viewer first

If your secret message converted to binary is 01101100 and you want to embed it into a picture, you

alter the last 2 bits of four pixels: break the binary form into pairs, 01 10 11 00, and insert each pair into the last 2 bits of one pixel.
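The worked example above, carried out in code as an added example (not from the textbook): the cover pixels are a constructed four-byte sample, the message byte 0x6C is 01101100, and each pair of message bits replaces the two least significant bits of one pixel. The block also extracts the message back out and runs the comparison check from the cards above (same size, different hash, small per-byte change), which is why substitution in the LSBs is hard to see but easy to prove when the original is available. The 2-bits-per-pixel default generalises to 1, 4 or 8 bits per byte.

```python
import hashlib


def _lsb_mask(bits_per_pixel: int) -> int:
    """Mask selecting the low bits that will be replaced (1, 2, 4 or 8 of them)."""
    if bits_per_pixel not in (1, 2, 4, 8):
        raise ValueError("bits_per_pixel must be 1, 2, 4 or 8 so bytes split evenly")
    return (1 << bits_per_pixel) - 1


def embed_lsb(cover: bytes, message: bytes, bits_per_pixel: int = 2) -> bytes:
    """Substitution steganography: overwrite the `bits_per_pixel` least
    significant bits of successive cover bytes with the message bits, MSB first."""
    mask = _lsb_mask(bits_per_pixel)
    needed, capacity = len(message) * 8, len(cover) * bits_per_pixel
    if needed > capacity:
        raise ValueError(f"cover holds {capacity} bits, message needs {needed}")
    bits = "".join(f"{b:08b}" for b in message)          # 0x6C -> '01101100'
    out = bytearray(cover)
    for i, start in enumerate(range(0, needed, bits_per_pixel)):
        chunk = int(bits[start:start + bits_per_pixel], 2)   # '01', '10', '11', '00'
        out[i] = (out[i] & ~mask & 0xFF) | chunk             # keep high bits, swap low bits
    return bytes(out)


def extract_lsb(stego: bytes, n_bytes: int, bits_per_pixel: int = 2) -> bytes:
    """Read the low bits back out of the first pixels and reassemble the bytes."""
    mask = _lsb_mask(bits_per_pixel)
    n_pixels = n_bytes * 8 // bits_per_pixel
    bits = "".join(f"{p & mask:0{bits_per_pixel}b}" for p in stego[:n_pixels])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, n_bytes * 8, 8))


def compare_with_original(original: bytes, suspect: bytes) -> dict:
    """The steganalysis check from the text: a file with the same size but a
    different hash, and with many small byte-level changes, is suspicious."""
    diffs = [abs(a - b) for a, b in zip(original, suspect)]
    return {
        "same_size": len(original) == len(suspect),
        "same_hash": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "changed_bytes": sum(1 for d in diffs if d),
        "max_change": max(diffs, default=0),
    }


if __name__ == "__main__":
    cover = bytes([200, 117, 58, 255])        # constructed sample pixel values
    stego = embed_lsb(cover, b"\x6c")         # 01101100 -> 01 10 11 00
    print([f"{p:08b}" for p in cover], "->", [f"{p:08b}" for p in stego])
    print(extract_lsb(stego, 1), compare_with_original(cover, stego))
```

Replacing two low bits changes a pixel value by at most 3 out of 255, which is why the altered image looks identical; the hash, however, changes completely, which is the "duplicate files with different hash values" clue from the steganography card.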

Bitmap images

are collections of dots, or pixels, in a grid format that form a graphic; they become pixelated when enlarged.

Metafile graphics

are combinations of bitmap and vector images and share the limitations of both

Raster images

collection of pixels stored in rows to make images easy to print; usually created when a vector graphic is converted to a bitmap image.

Graphics files

contain digital photographs, line art, three-dimensional images, text data converted to images, and scanned replicas of printed pictures. (You use graphics editors to create, modify, and save bitmap, vector, and metafile graphics. You use image viewers to open and view graphics files, but you can't change their contents)

When you're dealing with date and time values in Exif metadata, always look for ____________________________________

corroborating information

Lossless Compression

Data compression techniques in which no data is lost; decompression produces an exact replica of the original data.

Lossy Compression

Data compression techniques in which some amount of data is lost. This technique attempts to eliminate redundant information; lossy compression typically produces an altered replica of the data.

The simplest way to access a file header is to use a

hexadecimal editor

Examine the file's header data to see whether it matches the header in a good JPEG file. If the header doesn't match, you must _______.

insert the correct hexadecimal values manually with a hexadecimal editor
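The header checks and the manual repair from the JPEG cards (offset 0 FF D8, offset 2 FF E0 or FF E1, label at offset 6, FF D9 at the end) in code, as an added example rather than the textbook's own tooling. It builds a constructed minimal JFIF file, prints it the way a hex editor shows it, identifies the flavour from the marker and label, and restores the first four bytes from the matching known-good header when they have been overwritten but the "JFIF" or "Exif" label at offset 6 survived; if the label is gone too, it refuses, because more of the file has to be recovered first.

```python
SOI = b"\xff\xd8"                 # start of image, always at offset 0
EOI = b"\xff\xd9"                 # end of image, always the last two bytes
# Known-good first four bytes (SOI + APPn marker) for the two common flavours.
KNOWN_HEADERS = {
    "JFIF": b"\xff\xd8\xff\xe0",
    "Exif": b"\xff\xd8\xff\xe1",
}


def build_minimal_jfif() -> bytes:
    """Constructed sample: SOI, an APP0 segment of length 16 ('JFIF\\0', version
    1.1, no density units, 1x1 density, no thumbnail) and EOI. No image data."""
    app0 = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
    return SOI + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0 + EOI


def hexdump(data: bytes, width: int = 16) -> list:
    """Offset, hex bytes and ASCII column, as a hex editor lays them out."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def identify_jpeg(data: bytes) -> dict:
    """Report what the fixed offsets say; 'kind' is JFIF or Exif only when the
    marker at offset 2 and the label at offset 6 agree with each other."""
    marker, label = data[2:4], data[6:10]
    if marker == b"\xff\xe0" and label == b"JFIF":
        kind = "JFIF"
    elif marker == b"\xff\xe1" and label == b"Exif":
        kind = "Exif"
    else:
        kind = "unknown"
    return {
        "soi_ok": data[:2] == SOI,
        "app_marker": marker.hex().upper(),
        "label": label.decode("ascii", "replace"),
        "eoi_ok": data[-2:] == EOI,
        "kind": kind,
    }


def repair_header(data: bytes) -> tuple:
    """If the first four bytes are damaged but the label at offset 6 survived,
    copy the four bytes from the matching known-good header (the manual hex
    editor fix). Returns the repaired bytes and a note on what was done."""
    label = data[6:10].decode("ascii", "replace")
    if label not in KNOWN_HEADERS:
        raise ValueError("label at offset 6 not recognised; recover more of the file first")
    good = KNOWN_HEADERS[label]
    if data[:4] == good:
        return data, f"header already matches known-good {label}"
    return good + data[4:], f"restored offsets 0-3 to {good.hex().upper()} from known-good {label}"


if __name__ == "__main__":
    good = build_minimal_jfif()
    damaged = b"\x00\x00\x00\x00" + good[4:]      # first four bytes overwritten
    print("\n".join(hexdump(damaged)))
    print(identify_jpeg(damaged))
    fixed, note = repair_header(damaged)
    print(note, identify_jpeg(fixed))
```

A repaired header only makes the file recognisable; if the image still will not open, the scan data after the header is also damaged or fragmented and more of the file has to be carved before editing any further.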

Nonstandard graphics file formats include

less common formats, such as Targa (.tga) and Raster Transfer Language (.rtl); proprietary formats, such as Photoshop (.psd), Illustrator (.ai), and Freehand (.fh11); newer formats, such as Scalable Vector Graphics (.svg); and old or obsolete formats, such as Paintbrush (.pcx).

GIF and Portable Network Graphics (PNG) file formats reduce file size with _____________________, which saves file space by using mathematical formulas to represent data in a file.

lossless compression; These formulas generally use one of two algorithms: Huffman or Lempel-Ziv-Welch (LZW) coding. Each algorithm uses a code to represent redundant bits of data.
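Added example (not from the textbook) contrasting the two kinds of compression on the cards above: a small LZW coder of the kind GIF uses, where repeated byte sequences are replaced by dictionary codes and decoding returns an exact replica, next to a quantization step of the rounding-off kind the vector quantization card describes, which shrinks the data's variety but cannot be undone. The input bytes are constructed sample data, not image data from any real file.

```python
def lzw_encode(data: bytes) -> list:
    """Classic LZW: start with the 256 single-byte strings, emit one code per
    longest dictionary match and add match + next byte as a new entry."""
    table = {bytes([i]): i for i in range(256)}
    w, codes = b"", []
    for byte in data:
        wc = w + bytes([byte])
        if wc in table:
            w = wc                       # keep extending the current match
        else:
            codes.append(table[w])       # emit the longest match found
            table[wc] = len(table)       # new entry: redundant data gets a code
            w = bytes([byte])
    if w:
        codes.append(table[w])
    return codes


def lzw_decode(codes: list) -> bytes:
    """Rebuild the same dictionary on the fly; the only tricky case is a code
    that refers to the entry being created right now (the 'KwKwK' case)."""
    if not codes:
        return b""
    table = {i: bytes([i]) for i in range(256)}
    w = table[codes[0]]
    out = bytearray(w)
    for code in codes[1:]:
        if code in table:
            entry = table[code]
        elif code == len(table):
            entry = w + w[:1]
        else:
            raise ValueError(f"bad LZW code {code}")
        out += entry
        table[len(table)] = w + entry[:1]
        w = entry
    return bytes(out)


def is_exact_replica(data: bytes) -> bool:
    """Lossless: decoding the codes gives back the original byte for byte."""
    return lzw_decode(lzw_encode(data)) == data


def quantize(samples: bytes, step: int) -> bytes:
    """Lossy step: round every sample to the nearest multiple of `step`,
    discarding the low-order detail. Integer arithmetic avoids Python's
    round-half-to-even surprise; values are clamped to 255."""
    return bytes(min(255, (s + step // 2) // step * step) for s in samples)


if __name__ == "__main__":
    sample = b"ABABABABABABABAB" * 4                 # constructed, highly repetitive
    codes = lzw_encode(sample)
    print(len(sample), "bytes ->", len(codes), "codes, exact:", is_exact_replica(sample))
    noisy = bytes([0, 7, 8, 100, 255])               # constructed sample values
    q = quantize(noisy, 16)
    print(list(noisy), "->", list(q), "recoverable:", q == noisy)
```

The quantized output has fewer distinct values, so a later lossless stage compresses it better; that is the trade JPEG makes, and the reason a re-saved JPEG is never byte-identical to its source.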

The JPEG format is one that uses _________________________.

lossy compression

Vector graphics

store only the calculations for drawing lines and shapes; these calculations are converted into an image when the file is displayed, which saves disk space and lets the image be enlarged without affecting image quality.

With a bitmap file you could replace bits used for ___________ with hidden data. To avoid detection, you substitute only those bits that result in the least amount of change.

pixels and colors

Steganography has also been used to ____________________________

protect copyrighted material by inserting digital watermarks into a file.

Before you can examine a graphics file header, often you need to _________________________________________________.

reconstruct a fragmented graphics file

If some of the data you recovered from the graphics file header is corrupt, you might need to ____

recover more pieces of the file before you can view the image

A ________________ can also detect variations of an image, identify the file format from the file header even if the graphics file has been renamed, and indicate whether the file contains an image.

steganalysis tool

Someone might have hidden information inside the image by using a data-hiding technique called _______, which uses _________.

steganography; a host file to cover the contents of a secret message.
