
Lab Report 4: Photograph Forensics

Course ID: CPS 4498-01

Student: Abu Bakarr Jalloh Jr

Instructor: Dr. Jing-Chiou Liou



Description:

System Configuration
● Make/Model: ASUS Gaming laptop
● Operating System: Windows 10
● Location: Home-Bordentown, NJ
● Connection Type: Wi-Fi
● ISP: Xfinity/Comcast

In this lab we learn how to use ProDiscover to search for and extract possible evidence
from certain JPEG files. We will be using two applications, and every step is presented in this
lab report so that it teaches you along the way. The other software is WinHex; a simple Google
search should find the download unless your professor provided a download link. You will also
need to make sure the account used for this lab has administrator privileges; without them the
lab cannot be completed.

Procedure:

Lab 4.1: Searching for Digital Photograph Evidence

The first step is getting the images needed to start the investigation. The download
should be on the book’s DVD, but we got our copy from a shared Google Drive. You will need to
download the “Chap08” folder and save it into the work folder we created during the other labs.
If this is the first lab, the folder “work” can simply be created now. Once the images have
downloaded properly, start ProDiscover, create a new project, and for the project number and
filename enter “C08lnChp”. Within my screenshot it will say copy; that is just because we never
work on the original image and files, to avoid corruption. Next is adding the files: hit “Action”,
then “Add”, and “Image File”. Within that menu find the location where you placed the copy of
the “C08lnChp.dd” file and open it. Then we need to search, so hit “Action”, “Search”, and a box
should open up. On the top you should see a tab by the name of “Cluster Search”; choose that
tab, click the “Case Sensitive” check box, then under Search for the pattern(s) type in FIF. The
reason for “FIF” is that it is part of the label name of the JPEG format. Make sure the
“C08lnChp.dd” file is selected under Select the Disk(s)/Image(s) before hitting the search
button. Refer to Figure 1 for reference.

Figure 1: This is what the search pop-up screen should look like; mind you, as mentioned
before, mine is different as it says copy.

Once the pop-up screen looks like the image above (Figure 1), hit search, and once the
search is done look for the search hit “AC4(2756)” to look at the cluster’s content. After clicking
it, you should see a bunch of numbers and letters. Since there are three files in this section, you
can see that depending on which one you click it will show you a different set of numbers in the
bottom half; however, the “FIF” search result will always be light blue to distinguish it from the
rest. The first four bytes of the header of a JPEG have to be “FFD8”; however, if I am looking in
the correct spot, the first four bytes are 0000 in hexadecimal, meaning that the image is not a
JPEG but is possibly being disguised as one. I will add a screenshot for this, as this part was
slightly confusing for me and I am not 100% sure whether I am looking in the correct spot, so
refer to Figure 2 for what I am talking about.

Figure 2: As you can see, the first four bytes are 0000, and the light blue shows our search
results.
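The cluster search above can be reproduced outside ProDiscover. The script below is an added example, not code from the lab or from ProDiscover: it scans a raw image for the “FIF” pattern, labels each hit the way ProDiscover does (hex cluster number with the decimal in parentheses, so AC4(2756)), and flags any hit whose cluster does not begin with the JPEG marker FF D8, which is exactly the 0000 observation made above. The 512-byte cluster size and the disk image (with a disguised header placed in cluster 0xAC4) are constructed assumptions.

```python
import sys

CLUSTER_SIZE = 512          # assumption; ProDiscover uses the image's real cluster size
JPEG_SOI = b"\xFF\xD8"      # Start Of Image marker every JPEG begins with
PATTERN = b"FIF"            # the pattern the lab searches for (part of "JFIF")


def build_sample_image() -> bytes:
    """Constructed disk image: 3000 zero-filled clusters, an intact JFIF header
    in cluster 0x100, and a disguised one in cluster 0xAC4 (2756), the cluster
    the lab inspects, whose first four bytes and the 'J' have been overwritten."""
    img = bytearray(CLUSTER_SIZE * 3000)
    intact = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    disguised = b"zzzz" + intact[4:6] + b"x" + intact[7:]
    for cluster, header in ((0x100, intact), (0xAC4, disguised)):
        start = cluster * CLUSTER_SIZE
        img[start:start + len(header)] = header
    return bytes(img)


def cluster_search(image: bytes, pattern: bytes, case_sensitive: bool = True):
    """Return (cluster, offset_in_cluster, header_is_jpeg) for every hit."""
    if case_sensitive:
        haystack, needle = image, pattern
    else:
        haystack, needle = image.lower(), pattern.lower()
    hits = []
    pos = haystack.find(needle)
    while pos != -1:
        cluster, offset = divmod(pos, CLUSTER_SIZE)
        head = image[cluster * CLUSTER_SIZE: cluster * CLUSTER_SIZE + 2]
        hits.append((cluster, offset, head == JPEG_SOI))
        pos = haystack.find(needle, pos + 1)
    return hits


def label(cluster: int) -> str:
    """Format a cluster number as ProDiscover's hit list shows it, e.g. AC4(2756)."""
    return f"{cluster:X}({cluster})"


def report(image: bytes, pattern: bytes = PATTERN) -> list:
    """One line per hit, noting whether the cluster still starts with FF D8."""
    lines = []
    for cluster, offset, ok in cluster_search(image, pattern):
        verdict = "header OK" if ok else "first bytes are not FF D8: header altered or not a JPEG"
        lines.append(f"{label(cluster)} +{offset}: {verdict}")
    return lines


if __name__ == "__main__":
    # Pass a real .dd image as the first argument; otherwise the constructed image is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_image()
    print("\n".join(report(image)))
```

The case-sensitive flag matters for the same reason the lab ticks the “Case Sensitive” box: “fif” in lower case is ordinary text, while upper-case “FIF” at offset 7 of a cluster is the tail of a JFIF signature.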

Quickly moving on to the next step within the lab, right-click the cluster number
“AC4(2756)” and click “Find File”, hitting yes when the warning screen pops up. A pop-up will
appear and you will see three files, all with the same name of “gametour” but with different
numbers at the end. We will be working with “Gametour4.exe”: right-click that one and hit
“Copy File”. (If you are curious like I was, I left-clicked it as well, and within the first line you
should be able to see what we were searching for before.) After hitting “Copy File”, change the
name of the file to “Recover1.jpg”; personally I changed the bottom “Save as type” to “All files”
and saved it in my work folder to keep everything organized, then hit save. I attempted to open
both files before running through anything, just to see what would happen. The “Recover1.jpg”
appears in my quick access within File Explorer but not in the work folder where I saved it, and
it does not open anything; in the place where I wanted to save the JPG image it saves it as
“gametour” and it’s just an “.exe” that I am unable to open. I attached reference images to
display exactly what happened for me. When done, you are able to save and exit ProDiscover.

Figure 3: The JPG image appearing in my quick access



Figure 4: Recover1.jpg is not where I saved it; however, “gametour4.exe” appears instead

Figure 5: Nothing appearing when trying to open the jpg file



Figure 6: My attempt to run the “gametour4.exe”

Lab 4.2: Rebuilding File Header Using WinHex (FlexHEX)

The next step is to look at the image using WinHex. However, when attempting to use
WinHex, the application is only able to load images up to 200 KB, so if needed here is a
different application known as “FlexHEX”: http://www.flexhex.com/download/. Once the
download is complete, open WinHex, hit “File”, “Open”, and double-click “Recover1.jpg”
wherever it was saved. However, I don’t fully know if I am doing it properly, but I am unable to
open “Recover1.jpg”, so for the time being I am using the gametour4 file that was saved and
seeing if I am able to conduct it with this file. For this part of the lab, I will say I am confused
about exactly what to do, but for offset 0 the ASCII in the first four bytes is 7A 7A 7A 7A, and at
offset 6 the ASCII for 6-9 is 05 00 01 00. The confusing part is changing some of the
hexadecimal to get the image to fix itself. Within the first panel, at offset 0, you will need to
change the first hexadecimal values to FF D8 FF E0; then (this was the confusing part for me)
go to the right panel and at offset 6 change the letter to J. Refer to Figure 7 for reference, as I
circled the changes and compared them to the original. If your hexadecimal looks the same as
Figure 7, you are able to click “File”, “Save As”; a menu will pop up, and save it as “fixed1.jpg”
in the work folder. After this the image should open without problems. Refer to Figure 8 for the
fixed image.

Figure 7: Here I circled where you need to change the code; in the right panel change it to “J”
and in the left change it to “FF D8 FF E0”

Figure 8: This is my image after fixing it (fixed1.jpg); using the gametour4.exe worked to fix it
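The WinHex edit in Lab 4.2 (FF D8 FF E0 at offset 0, “J” at offset 6) can also be scripted, and a script can check the result structurally instead of just trying to open the picture. The following is an added example, not part of the lab or of WinHex: it repairs the header, then walks the JPEG marker segments to confirm that the file now starts with SOI, carries a JFIF APP0 segment and reaches the start of scan data. The sample stream (a minimal JFIF file, and the same file with 7A 7A 7A 7A written over the first four bytes and the “J” replaced, matching what the lab sees) and the file names Recover1.jpg and fixed1.jpg are constructed assumptions.

```python
from pathlib import Path

SOI_APP0 = b"\xFF\xD8\xFF\xE0"   # Start Of Image + APP0 marker, as entered in WinHex

# Constructed sample: a minimal JFIF stream (APP0 header, SOS, a few scan bytes, EOI).
INTACT = (
    SOI_APP0 + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00" + b"\x12\x34\x56" + b"\xFF\xD9"
)
# The same stream after the tampering the lab undoes: "zzzz" (7A 7A 7A 7A) at
# offset 0 and the 'J' of "JFIF" at offset 6 replaced by another byte.
DISGUISED = b"zzzz" + INTACT[4:6] + b"x" + INTACT[7:]


def repair_header(data: bytes) -> bytes:
    """Apply the lab's two edits and return the repaired copy (input is untouched)."""
    buf = bytearray(data)
    if len(buf) < 10:
        raise ValueError("too short to hold a JFIF header")
    buf[0:4] = SOI_APP0        # offset 0-3: SOI + APP0 marker
    buf[6] = ord("J")          # offset 6: restore the 'J' of "JFIF"
    if buf[6:10] != b"JFIF":
        raise ValueError("offset 6-9 is not 'JFIF' after repair; this is not a JFIF-style file")
    return bytes(buf)


def walk_markers(data: bytes):
    """Yield (marker, length) for each segment from SOI up to SOS or EOI."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI marker FF D8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:             # EOI: end of image
            yield marker, 0
            return
        if pos + 4 > len(data):
            raise ValueError("segment length field is truncated")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield marker, length
        if marker == 0xDA:             # SOS: entropy-coded data follows, stop here
            return
        pos += 2 + length
    raise ValueError("stream ended before SOS/EOI")


def is_valid_jfif(data: bytes) -> bool:
    """True if the stream has SOI, a JFIF APP0 as first segment, and reaches SOS/EOI."""
    try:
        markers = list(walk_markers(data))
    except ValueError:
        return False
    return (bool(markers) and markers[0][0] == 0xE0
            and data[6:10] == b"JFIF" and markers[-1][0] in (0xDA, 0xD9))


def repair_file(src: Path, dst: Path) -> bool:
    """Read src, write the repaired copy to dst (never overwriting src), report validity."""
    fixed = repair_header(src.read_bytes())
    dst.write_bytes(fixed)
    return is_valid_jfif(fixed)


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())                # stand-in for the lab's work folder
    (work / "Recover1.jpg").write_bytes(DISGUISED)
    print("valid before repair:", is_valid_jfif(DISGUISED))
    print("valid after repair: ", repair_file(work / "Recover1.jpg", work / "fixed1.jpg"))
```

The check at offset 6-9 is deliberate: the lab's fix assumes a JFIF file. A JPEG written by a camera usually carries an Exif APP1 segment instead (FF D8 FF E1 with “Exif” at offset 6), and writing FF E0 plus “J” into such a file would corrupt it rather than repair it, so the function refuses instead of guessing.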

Lab 4.3: Reconstructing File Fragments

Going on to the next step within the lab, after closing WinHex, reopen ProDiscover and
open the project we created earlier. After opening the project, in the tree view on the left, click
“Cluster Search Results”. Right-click “AC4(2756)”, click “Find File”, and when prompted with the
warning hit “yes”. After that, click “Copy to Clipboard”, then go into the Notepad application on
the computer, paste what we just copied into the new document, and save the file as
“AC4-carve.txt” in the work folder we created. Leave Notepad open, as we will need it for the rest
of the lab. Refer to Figure 9 for reference.

Figure 9: Here is what the notepad will look like after pasting and saving

Once Notepad and everything else is set up, go back into ProDiscover; within the tree
view open “Cluster View”, expand “Images”, and click the image we have been working on. A
different menu will pop up, showing the fragments between all of the images. For the AC4 image
we have been using, it is located on the final page, on the “ABF” line, about 12 fragments across
until the sequence ends. Refer to Figure 10 for exactly where the “AC4” fragment is located.

Figure 10: Exactly where the fragment is located

After completing that step, do the same thing again, but this time use the box, enter
“AC4”, and hit “Go”. For this next part of the lab we will need to do some work to find the exact
number of fragments. There are a total of six fragments; the first fragment we need to find
ourselves, so after hitting “Go”, click and drag to the right until all the clusters from AC4 to B20
are highlighted. After highlighting them, right-click any of the highlighted fragments and press
“Select”, then click “Apply to all items” and add the comment “Fragment 1 to recover”. Once that
happens you will notice the way it looks will change. From there, go into the Notepad file we
made and find the rest of the fragments through trial and error, entering the different fragments
and pressing “Go”. Name them “Fragment n to recover”, replacing the n with the actual number,
until you run out of entries on the Notepad list. Refer to Figure 11 to make sure you set up the
first fragment correctly.

Figure 11: This is what the fragments will look like after adding the comments

After getting all of the clusters, click “Tools”, “Copy Evidence of Interest”, “Copy All
Selected Clusters”. A new menu appears; change the type of recovery to “Recover all clusters to
a single file”, click the “Recover Binary” checkbox, then hit “Browse”, find your work folder, and
click “ok”. After that, check the work folder to make sure it was done right; if the file is there,
you can close ProDiscover.

Once ProDiscover is closed, all that remains to verify the recovered image is to make
sure it lines up with the earlier one: repeat the steps used to get fixed1.jpg, and after changing
the hexadecimal the photo should be exactly the same as the image below.

Rest of the images

For this part, I will just go through the last two image files that I have. I will only be
showing the images, as by following the steps above you can get them yourself. I will provide a
few screenshots to make sure everything lines up, along with the actual images themselves after
being fixed.

This image is from gametour3



This figure is from gametour2

Hashcheck:

Original image located in the work folder under the original image folder:

Copy of the image worked on:



Original image located in the work folder under the original image folder:

Copy of the image worked on:

Original image located in the work folder under the original image folder:

Copy of the image worked on:
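Lab 4.3 (selecting the cluster runs “Fragment 1 to recover” through “Fragment 6 to recover” and recovering them to a single binary) and the Hashcheck section (comparing the original against the copy worked on) come together in the added example below. It is not code from the lab or from ProDiscover. It parses a carve list of hex cluster runs, concatenates those clusters in order into one file, and compares SHA-256 digests of the original and the recovered copy. The carve-list format, the 512-byte cluster size, the disk image and all runs other than AC4-B20 are constructed assumptions; the example also shows why a whole-cluster recovery must be trimmed to the file's real length before the hashes can be expected to match.

```python
import hashlib

CLUSTER_SIZE = 512   # assumption; use the image's real cluster size in practice

# Assumed carve-list format: one hex cluster run per line, "first-last" or a
# single cluster. AC4-B20 is the run highlighted in the lab; the rest are constructed.
CARVE_LIST = """\
# Fragment n to recover
AC4-B20
C00-C02
C10-C11
D00
D05
D0A-D0B
"""


def parse_carve_list(text: str):
    """Return [(first_cluster, last_cluster), ...] in the order listed."""
    runs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first, _, last = line.partition("-")
        runs.append((int(first, 16), int(last or first, 16)))
    return runs


def scatter(payload: bytes, runs, total_clusters: int) -> bytes:
    """Constructed fixture: write payload across the given cluster runs in order."""
    img = bytearray(CLUSTER_SIZE * total_clusters)
    pos = 0
    for first, last in runs:
        for cluster in range(first, last + 1):
            chunk = payload[pos:pos + CLUSTER_SIZE]
            img[cluster * CLUSTER_SIZE:cluster * CLUSTER_SIZE + len(chunk)] = chunk
            pos += CLUSTER_SIZE
    return bytes(img)


def carve(image: bytes, runs, logical_size: int = None) -> bytes:
    """Concatenate whole clusters from each run ("Recover all clusters to a single
    file"); optionally trim the slack after the file's logical size."""
    out = bytearray()
    for first, last in runs:
        out += image[first * CLUSTER_SIZE:(last + 1) * CLUSTER_SIZE]
    return bytes(out[:logical_size]) if logical_size is not None else bytes(out)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_match(original: bytes, recovered: bytes) -> bool:
    """The Hashcheck step: the copy worked on must hash identically to the original."""
    return sha256(original) == sha256(recovered)


def build_fixture():
    """Constructed original file (not a cluster multiple, so the last cluster has slack)
    scattered across the runs of CARVE_LIST inside a 0xE00-cluster image."""
    payload = (bytes(range(256)) * 200)[:CLUSTER_SIZE * 100 - 100]
    runs = parse_carve_list(CARVE_LIST)
    image = scatter(payload, runs, total_clusters=0xE00)
    return image, runs, payload


if __name__ == "__main__":
    image, runs, original = build_fixture()
    raw = carve(image, runs)                       # whole clusters, slack included
    trimmed = carve(image, runs, len(original))    # trimmed to the logical file size
    print("runs:", [f"{a:X}-{b:X}" for a, b in runs])
    print("raw recovery matches original:    ", hashes_match(original, raw))
    print("trimmed recovery matches original:", hashes_match(original, trimmed))
```

The order of the runs is the whole point of the exercise: carving the same clusters in a different order yields a file of the right size with a different digest, so a matching hash confirms both that every fragment was found and that they were reassembled in sequence.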

Conclusion:

In conclusion, from looking at all of the images, it is evident that the suspects were
attempting to build a boat. After running through the lab, make sure to switch applications
where needed, as you will be restricted from looking at some of the images.
