SCI 4201

Digital Forensics
Lecture 8: Image Forensics

July 2021

Dr. Phil Nyoni

Cell: 0779457249
[email protected]
 Objectives

• Describe types of graphics file formats

• Explain types of data compression
• Explain how to locate and recover graphics files
• Describe how to identify unknown file formats
The Use of Photograph Images by
The Internet Users
• A digital photograph is an image taken with a camera
and stored as a computer file.
• Digital images are stored on a variety of storage media,
including the following.
– Internal memory, SD card, CompactFlash card, MMC
• Websites and smart devices running social media
applications can act as huge repositories of photo
images.
• These images can sometimes be incriminating or can
simply help solve a crime or locate a missing person.
 Recognizing a Graphics File

• Graphic files contain digital photographs, line art,

three-dimensional images, and scanned replicas of
printed pictures
– Bitmap/Raster images: collection of dots
– Vector graphics: based on mathematical
instructions
– Metafile graphics: combination of bitmap and vector
• Types of programs
– Graphics editors
– Image viewers
 Understanding Digital Graphics
• Bitmap/Raster images: Pixels
– Screen resolution - determines amount of detail
– Number of color bits used per pixel
– Some uses compression algorithms to reduce the
size of large digital images
• Vector graphics: Lines, curves, and shape
– Store only the calculations for drawing lines and
shapes. Smaller than bitmap files.
– Preserve quality when image is enlarged
• Metafile graphics
– Scanned photo (bitmap) with text (vector)
 Understanding Digital Graphics File
Formats
• Standard bitmap file formats
– Portable Network Graphic (.png)
– Graphic Interchange Format (.gif)
– Joint Photographic Experts Group (.jpeg, .jpg)
– Tagged Image File Format (.tiff, .tif)
– Window Bitmap (.bmp)
• Standard vector file formats
– Hewlett Packard Graphics Language (.hpgl)
– Autocad (.dxf)
• Nonstandard graphics file formats
– Targa (.tga), Raster Transfer Language (.rtl), Adobe
Photoshop (.psd) and Illustrator (.ai), Freehand (.fh9)
– Scalable Vector Graphics (.svg), Paintbrush (.pcx)
Understanding Digital Camera File
Formats
• Raw file format
– Sensors in the digital camera simply record pixels on the
camera’s memory card
– Not all image viewers can display these formats
The process of converting raw picture data to another
format is referred to as demosaicing
• Exchangeable Image File (Exif)
– Exif format collects metadata
– Viewing an Exif JPEG file’s metadata requires special
programs
Exif Reader, IrfanView, or ProDiscover
– Exif file stores metadata at the beginning of the file
 Metadata Found in Photograph
Images
• Exchangeable Image File Format (EXIF) is the
metadata associated with digital pictures.
• Most smart devices today use the EXIF data
format in the photographs they produce.
• EXIF data can include the following.
– Date and time
– Make and model of camera
– Thumbnail
– Aperture, shutter speed, and other camera settings
– Optionally, longitude and latitude
Metadata Found in Photograph
Images (Cont.)
 Metadata Found in Photograph
Images (cont.)
▪ BR Software produces a free tool called BR’s
EXIFextracter that can extract the EXIF data from a
folder of photos and then save that metadata to a
comma-separated values (CSV) file.
Understanding Data Compression
• Some image formats compress their data
– GIF and JPEG
• Others, like BMP, do not compress their data
– Use data compression tools for those formats
• Lossless compression
– Reduces file size without removing data
– Based on Huffman or Lempel-Ziv-Welch coding
• For redundant bits of data
– Utilities: WinZip, PKZip, StuffIt, and FreeZip
• Lossy compression
– Permanently discards bits of information
– Vector quantization (VQ)
• Determines what data to discard based on vectors in the
graphics file
Locating and Recovering Graphics
Files
• Identifying Graphics File Fragments
– Carving or salvaging
– Digital forensics tools
• Can carve from file slack and free space
• Help identify image files fragments and put them together
• Operating system tools
– Time consuming and results are difficult to verify
• Digital forensics tools
– Image headers
• Compare them with good header samples
• Use header information to create a baseline analysis
– Reconstruct fragmented image files
• Identify data patterns and modified headers
 Repairing Damaged Headers

• If header data is partially overwritten, you must

reconstruct the header to make it readable
– By comparing the hexadecimal values of known
graphics file formats with the pattern of the file
header you found
• Each graphics file has a unique header value
– Example, A JPEG file has the hexadecimal header
value FFD8, followed by the label JFIF for a
standard JPEG or Exif file at offset 6
 Identifying Unknown File Formats
• The Internet is the best source
– www.fileformat.info/format/all.htm
– http://extension.informer.com
– www.martinreddy.net/gfxl
• Analyzing Graphics File Headers
– Necessary when you find files your tools do not
recognize
– Use a hexadecimal editor such as WinHex
– Record hexadecimal values in the header and use
them to define a file type
– Build your own header search string
 Understanding Steganography in
Graphics Files
• Steganography hides
information inside image files
– An ancient technique
• Two major forms: insertion
and substitution
• Insertion
– Hidden data is not displayed
when viewing host file in its
associated program
• You need to analyze the data
structure carefully
– Example: Web page
Understanding Steganography in
Graphics Files (Cont.)
 Understanding Steganography in
Graphics Files (Cont.)
• Substitution
– Replaces bits of the host file with other bits of data
– Usually change the last two LSBs (least significant bit)
– Detected with steganalysis tools (a.k.a - steg tools)
• Clues to look for:
– Duplicate files with different hash values
– Steganography programs installed on suspect’s drive
 Understanding Steganography in
Graphics Files (Cont.)
• Using Steganalysis Tools
– Detect variations of the graphic image
– Check to see whether the file size, image quality, or
file extensions have changed
 Understanding Copyright Issues
with Graphics
• Steganography has been used to protect
copyrighted material
– By inserting digital watermarks into a file
• Digital investigators need to aware of copyright
laws
• Copyright laws for Internet are not clear
– There is no international copyright law
Admissibility of Photographs in the
Courtroom (cont.)
▪ An investigator can review a photograph’s
metadata and see whether changes were made
and when.
▪ With digital images, the investigator can
perform improved enhancements to make
background images or far away objects clearer
because of higher-resolution photographs.
 Lab 5 Photograph Forensics
• Using ProDiscover to search for and recovering
digital photograph evidence
• Steps
– Planning your
examination
– Searching for and
recovering digital
photograph
evidence
• Use
ProDiscover to
search for and
extract (recover)
possible
evidence of
JPEG files
• False hits are
referred to as
false positives
 Summary
• Image types
– Bitmap
– Vector
– Metafile
• Image quality depends on various factors
• Image formats
– Standard
– Nonstandard
• Digital camera photos are typically in raw and EXIF
JPEG formats
 Summary (continued)
• Some image formats compress their data
– Lossless compression
– Lossy compression
• Recovering image files
– Carving file fragments
– Rebuilding image headers
• Software
– Image editors
– Image viewers