
Chapter 9 - Recovering Graphics Files

Chapter 9 of the guide covers the recovery of graphics files, detailing various file formats, data compression types, and methods for locating and recovering these files. It explains the characteristics of bitmap, vector, and metafile graphics, as well as the importance of digital camera file formats and metadata. Additionally, it addresses issues related to copyright and steganography in graphics files.

Uploaded by

kong

Guide to Computer Forensics and Investigations
Fourth Edition

Chapter 9
Recovering Graphics Files
Objectives

• Describe types of graphics file formats
• Explain types of data compression
• Explain how to locate and recover graphics files
• Describe how to identify unknown file formats
• Explain copyright issues with graphics
Recognizing a Graphics File
• Contains digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures
– Bitmap images: collection of dots
– Vector graphics: based on mathematical instructions
– Metafile graphics: combination of bitmap and vector
• Types of programs
– Graphics editors
– Image viewers
Understanding Bitmap and Raster Images
• Bitmap images
– Grids of individual pixels
• Raster images
– Pixels are stored in rows
– Better for printing
• Image quality
– Screen resolution
– Software
– Number of color bits used per pixel
Understanding Vector Graphics

• Characteristics
– Lines and curves instead of dots
– Store only the calculations for drawing lines and shapes
– Smaller size
– Preserve quality when image is enlarged
• CorelDraw, Adobe Illustrator
Understanding Metafile Graphics

• Combine raster and vector graphics
• Example
– Scanned photo (bitmap) with text (vector)
• Share advantages and disadvantages of both types
– When enlarged, bitmap part loses quality
Understanding Graphics File Formats

• Standard bitmap file formats
– Graphic Interchange Format (.gif)
– Joint Photographic Experts Group (.jpeg, .jpg)
– Tagged Image File Format (.tiff, .tif)
– Windows Bitmap (.bmp)
• Standard vector file formats
– Hewlett Packard Graphics Language (.hpgl)
– AutoCAD (.dxf)
Understanding Graphics File Formats (continued)
• Nonstandard graphics file formats
– Targa (.tga)
– Raster Transfer Language (.rtl)
– Adobe Photoshop (.psd) and Illustrator (.ai)
– Freehand (.fh9)
– Scalable Vector Graphics (.svg)
– Paintbrush (.pcx)
• Search the Web for software to manipulate unknown image formats
Understanding Digital Camera File Formats

• Witnesses or suspects can create their own digital photos
• Examining the raw file format
– Raw file format
• Referred to as a digital negative
• Typically found on many higher-end digital cameras
– Sensors in the digital camera simply record pixels on the camera’s memory card
– Raw format maintains the best picture quality
Understanding Digital Camera File Formats (continued)

• Examining the raw file format (continued)
– The biggest disadvantage is that it’s proprietary
• And not all image viewers can display these formats
– The process of converting raw picture data to another format is referred to as demosaicing
• Examining the Exchangeable Image File format
– Exchangeable Image File (EXIF) format
• Commonly used to store digital pictures
• Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files
Understanding Digital Camera File Formats (continued)

• Examining the Exchangeable Image File format (continued)
– EXIF format collects metadata
• Investigators can learn more about the type of digital camera and the environment in which pictures were taken
– EXIF file stores metadata at the beginning of the file
Understanding Digital Camera File Formats (continued)

• Examining the Exchangeable Image File format (continued)
– With tools such as ProDiscover and Exif Reader
• You can extract metadata as evidence for your case
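
How the metadata sits at the beginning of a JPEG, shown as an added example that is not from the guide or from ProDiscover or Exif Reader: the parser walks the segments after the SOI marker, finds the APP1/Exif segment and reads the camera Make and Model tags from IFD0. The sample file, its "ExampleCam" values and all function names are constructed for illustration.

```python
import struct

ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}

def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI, one APP1/Exif segment (Make, Model), EOI."""
    make, model = b"ExampleCam\x00", b"Model X1\x00"
    data_off = 8 + 2 + 2 * 12 + 4            # TIFF header + IFD0, strings follow
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 2)
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), data_off)
    tiff += struct.pack("<HHII", 0x0110, 2, len(model), data_off + len(make))
    tiff += struct.pack("<I", 0) + make + model
    payload = b"Exif\x00\x00" + tiff
    return (b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xFF\xD9")

def parse_ifd0(tiff: bytes) -> dict:
    """Read ASCII tags from IFD0 of the TIFF structure inside the Exif segment."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif segment")
    (ifd,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        if len(entry) < 12:                   # truncated or carved-short segment
            break
        tag, typ, n, value = struct.unpack(order + "HHII", entry)
        if tag in ASCII_TAGS and typ == 2:    # type 2 = ASCII string
            raw = entry[8:8 + n] if n <= 4 else tiff[value:value + n]
            found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def read_exif_ascii(jpeg: bytes) -> dict:
    """Walk the segments that follow SOI and parse the first APP1/Exif one."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return parse_ifd0(body[6:])
        if marker == 0xDA:                    # start of scan: no more metadata
            break
        pos += 2 + seg_len
    return {}
```
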
Understanding Data Compression

• Some image formats compress their data
– GIF, JPEG, PNG
• Others, like BMP, do not compress their data
– Use data compression tools for those formats
• Data compression
– Coding of data from a larger to a smaller form
– Types
• Lossless compression and lossy compression
Lossless and Lossy Compression
• Lossless compression
– Reduces file size without removing data
– Based on Huffman or Lempel-Ziv-Welch coding
• For redundant bits of data
– Utilities: WinZip, PKZip, StuffIt, and FreeZip
• Lossy compression
– Permanently discards bits of information
– Vector quantization (VQ)
• Determines what data to discard based on vectors in the graphics file
– Utility: Lzip
Locating and Recovering Graphics Files

• Operating system tools
– Time consuming
– Results are difficult to verify
• Computer forensics tools
– Image headers
• Compare them with good header samples
• Use header information to create a baseline analysis
– Reconstruct fragmented image files
• Identify data patterns and modified headers
Identifying Graphics File Fragments

• Carving or salvaging
– Recovering all file fragments
• Computer forensics tools
– Carve from slack and free space
– Help identify image file fragments and put them together
Searching for and Carving Data from Unallocated Space

• Steps
– Planning your examination
– Searching for and recovering digital photograph evidence
• Use ProDiscover to search for and extract (recover) possible evidence of JPEG files
• False hits are referred to as false positives
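
What a signature search over unallocated space does, and why it produces false positives, as an added example (not ProDiscover's method or code from the guide): every JPEG start-of-image signature is a hit, and only hits whose header matches a good header sample are carved. The buffer, the function names and the 10 MB size limit are constructed assumptions.

```python
import hashlib

SOI, EOI = b"\xFF\xD8\xFF", b"\xFF\xD9"
# Good header samples: the identifier that follows the APPn marker and length,
# at offset 6 of a well-formed JPEG.
GOOD_HEADERS = {b"JFIF\x00": "JFIF", b"Exif\x00": "Exif"}

def carve_jpegs(space: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan a dump of unallocated space; return one record per SOI signature hit.

    A hit whose header does not match a good sample, or that has no EOI within
    max_size bytes, is kept as a false positive (kind=None) rather than dropped,
    so the examiner can review it.
    """
    hits, pos = [], 0
    while (start := space.find(SOI, pos)) != -1:
        kind = GOOD_HEADERS.get(space[start + 6:start + 11])
        # The first EOI may belong to an embedded thumbnail, so check the size.
        end = space.find(EOI, start + 3, start + max_size)
        if kind and end != -1:
            data = space[start:end + 2]
            hits.append({"offset": start, "kind": kind, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = end + 2
        else:
            hits.append({"offset": start, "kind": None, "size": 0,
                         "sha256": None, "data": b""})
            pos = start + 3
    return hits

def build_sample_space() -> tuple:
    """Constructed input: zero fill, one JFIF file, filler, one stray signature."""
    jfif = SOI + b"\xE0\x00\x10JFIF\x00\x01\x01" + bytes(9) + b"scan-data" + EOI
    stray = SOI + b"\x00not-a-picture"
    return bytes(512) + jfif + b"\xAA" * 100 + stray + bytes(64), jfif
```
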
Rebuilding File Headers

• Try to open the file first and follow steps if you can’t see its content
• Steps
– Recover more pieces of file if needed
– Examine file header
• Compare with a good header sample
• Manually insert correct hexadecimal values
– Test corrected file
Reconstructing File Fragments

• Locate the starting and ending clusters
– For each fragmented group of clusters in the file
• Steps
– Locate and export all clusters of the fragmented file
– Determine the starting and ending cluster numbers for each fragmented group of clusters
– Copy each fragmented group of clusters in their proper sequence to a recovery file
– Rebuild the corrupted file’s header to make it readable in a graphics viewer
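
The steps above, together with the header comparison from "Rebuilding File Headers", as an added example that is not from the guide: cluster groups are copied in file order to a recovery buffer, then the header is compared with a good JFIF sample and only the differing bytes are overwritten. The 512-byte cluster size, the disk image, the cluster numbers and the function names are constructed assumptions.

```python
CLUSTER = 512                                     # assumed cluster size
# Good header sample: SOI, APP0 marker, length 16, "JFIF\0"
GOOD_JPEG_HEADER = bytes.fromhex("FFD8FFE000104A46494600")

def copy_cluster_groups(image: bytes, groups: list, cluster: int = CLUSTER) -> bytes:
    """Copy each (start, end) cluster group, inclusive, in the order given."""
    out = bytearray()
    for start, end in groups:
        if not 0 <= start <= end or (end + 1) * cluster > len(image):
            raise ValueError(f"cluster group {start}-{end} is outside the image")
        out += image[start * cluster:(end + 1) * cluster]
    return bytes(out)

def rebuild_header(data: bytes, good: bytes = GOOD_JPEG_HEADER) -> tuple:
    """Compare with the good sample and overwrite only the bytes that differ."""
    if len(data) < len(good):
        raise ValueError("recovered data is shorter than the header sample")
    changed = [i for i, b in enumerate(good) if data[i] != b]
    fixed = bytearray(data)
    for i in changed:
        fixed[i] = good[i]
    return bytes(fixed), changed                  # changed offsets go in the notes

def build_sample() -> tuple:
    """Constructed case: a 3-cluster file with a damaged header, stored in two
    out-of-order groups (clusters 5-6, then cluster 2) of an 8-cluster image."""
    original = (GOOD_JPEG_HEADER + bytes(range(251)) * 7)[:3 * CLUSTER - 2] + b"\xFF\xD9"
    damaged = b"zzzz" + original[4:]
    image = bytearray(8 * CLUSTER)
    image[5 * CLUSTER:7 * CLUSTER] = damaged[:2 * CLUSTER]
    image[2 * CLUSTER:3 * CLUSTER] = damaged[2 * CLUSTER:]
    return bytes(image), [(5, 6), (2, 2)], original

def recover(image: bytes, groups: list) -> tuple:
    """Steps in order: copy groups to a recovery buffer, then rebuild the header."""
    return rebuild_header(copy_cluster_groups(image, groups))
```
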
Reconstructing File Fragments (continued)

• Remember to save the updated recovered data with a .jpg extension
• Sometimes suspects intentionally corrupt cluster links in a disk’s FAT
– Bad clusters appear with a zero value on a disk editor
Identifying Unknown File Formats

• The Internet is the best source
– Search engines like Google
– Find explanations and viewers
Analyzing Graphics File Headers

• Necessary when you find files your tools do not recognize
• Use a hex editor such as Hex Workshop
– Record hexadecimal values in the header
• Use good header samples
Tools for Viewing Images
• Use several viewers
– ThumbsPlus
– ACDSee
– QuickView
– IrfanView
• GUI forensics tools include image viewers
– ProDiscover
– EnCase
– FTK
– X-Ways Forensics
– iLook
Understanding Steganography in Graphics Files

• Steganography hides information inside image files
– Ancient technique
– Can hide only a certain amount of information
• Insertion
– Hidden data is not displayed when viewing host file in its associated program
• You need to analyze the data structure carefully
– Example: Web page
Understanding Steganography in Graphics Files (continued)

• Substitution
– Replaces bits of the host file with bits of data
– Usually change the last two LSBs
– Detected with steganalysis tools
• Usually used with image files
– Audio and video options
• Hard to detect
Using Steganalysis Tools

• Detect variations of the graphic image
– When applied correctly you cannot detect hidden data in most cases
• Methods
– Compare suspect file to good or bad image versions
– Mathematical calculations verify size and palette color
– Compare hash values
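
The comparison methods above as an added example, not the algorithm of any particular steganalysis tool: a suspect file is checked against a known-good copy by size, hash and the bit positions that differ, and differences confined to the two least significant bits are flagged as consistent with substitution. It assumes uncompressed pixel data (such as BMP) and that the examiner holds the original; the sample data and names are constructed.

```python
import hashlib

def compare_to_original(original: bytes, suspect: bytes) -> dict:
    """Compare a suspect file's pixel data with a known-good copy of the image."""
    diff_mask = changed = 0
    for a, b in zip(original, suspect):
        if a != b:
            changed += 1
            diff_mask |= a ^ b                # accumulate every bit position that differs
    return {
        "size_match": len(original) == len(suspect),
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "changed_bytes": changed,
        "diff_bit_mask": diff_mask,
        # Differences confined to the two least significant bits of each byte
        # are what substitution leaves behind; edits or recompression touch
        # higher bits as well.
        "lsb_only": changed > 0 and (diff_mask & ~0b11) == 0,
    }

def build_samples() -> tuple:
    """Constructed pixel data: a good copy, a copy with only the low two bits
    of its first 64 bytes altered, and a copy with a high bit altered."""
    good = bytes((i * 37) % 256 for i in range(1024))
    low = bytes((b & 0xFC) | ((i + 3) & 3) if i < 64 else b for i, b in enumerate(good))
    high = bytes([good[0] ^ 0x80]) + good[1:]
    return good, low, high
```
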
Identifying Copyright Issues with Graphics

• Steganography originally incorporated watermarks
• Copyright laws for the Internet are not clear
– There is no international copyright law
