
DFOR510 Week06 Validation Graphics

The document discusses validating forensic images, file analysis techniques like file signature analysis, and analyzing various graphic file types like vector and bitmap images. Metadata and header/footer information can be used to identify files and graphics can be used to hide data. Tools are needed to read metadata and validate files.


George Mason University

Week 06: Forensic Image Validation, File Analysis, & Graphic Files
▪ HW2 Questions?
▪ Due Thursday, 10-March, 2022 (7:00pm ET)

▪ Week 06 Lecture
▪ File Analysis
▪ Graphic Analysis
▪ Validating Forensic Images

▪ Midterm – what to expect!


❑ Validating Forensic Images
  ❑ Identify ways of hiding & discovering data on a drive
  ❑ Challenges associated with hidden data
❑ File Analysis
  ❑ File Signature Analysis – what is it?
  ❑ How to properly identify files
  ❑ Extract file metadata
❑ Graphic Files
  ❑ Identify various graphic file types
  ❑ Using graphic files to hide information
▪ Critical aspect of digital forensics
▪ Why?
  ▪ Must prove that data was unaltered from acquisition to trial
▪ How?
  ▪ Hash entire forensic image or applications/files

https://blogs.sans.org/computer-forensics/files/2009/06/hash-verify.png
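The hash check the slide describes, as an added Python example written for this page (it is not the course's code and not the SANS tool in the linked image): the whole image is hashed once for the acquisition record, and additionally per 512-byte sector so that a later mismatch can be localized to a block instead of only saying "the image differs". The sample image is constructed from a small LCG; function names are mine.

```python
import hashlib

def make_sample_image(size=4096, seed=7):
    """Constructed stand-in for a raw disk image: deterministic pseudo-random bytes (LCG)."""
    out, x = bytearray(), seed
    while len(out) < size:
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:size])

def image_hash(data, algo="sha256"):
    """Hash of the whole image: the value recorded at acquisition and re-checked before trial."""
    return hashlib.new(algo, data).hexdigest()

def block_hashes(data, block_size=512, algo="sha256"):
    """One hash per sector-sized block, so a later mismatch can be localized."""
    return [hashlib.new(algo, data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]

def verify_image(data, expected_full, expected_blocks, block_size=512):
    """Return (whole-image hash matches?, indices of blocks whose hash differs)."""
    full_ok = image_hash(data) == expected_full
    current = block_hashes(data, block_size)
    changed = [i for i, (a, b) in enumerate(zip(current, expected_blocks)) if a != b]
    # Blocks present on only one side (image grew or was truncated) also count as changed.
    lo, hi = min(len(current), len(expected_blocks)), max(len(current), len(expected_blocks))
    changed.extend(range(lo, hi))
    return full_ok, changed

def demo():
    """Acquire, record hashes, then re-verify an untouched copy and a copy with one flipped bit."""
    original = make_sample_image()
    full, blocks = image_hash(original), block_hashes(original)   # the acquisition record
    tampered = bytearray(original)
    tampered[600] ^= 0x01                                         # single-bit change inside block 1
    return verify_image(original, full, blocks), verify_image(bytes(tampered), full, blocks)

if __name__ == "__main__":
    print(demo())
```

Note that a single flipped bit anywhere changes the whole-image hash; the per-block list is only there to tell the examiner where to look.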
Files
▪ Changing file extension → File Signature Analysis
▪ Hidden file/directory → MacOS: <COMMAND>+<SHIFT>+<.>; *nix: ls -a

Entire partitions
▪ Windows: diskpart remove/assign
▪ MacOS: diskutil list
▪ Linux: mnt/hidden; disk management tool
Files in bad clusters/blocks
▪ Marking good blocks [1]
  ▪ NTFS – $BadClus
  ▪ FAT – 0xFF7/FFF7/?FFFFFF7
  ▪ HFS+ – included in extents overflow

Bit shifting
▪ Altering binary data, making the file unreadable
▪ Issues?

1. http://www.forensicfocus.com/hidden-data-analysis-ntfs
Steganography
▪ Hiding data within a cover medium

Steganalysis
▪ Stego detection techniques:
  ▪ Stego-only – Steganography-only: only the steganography medium is available for analysis.
  ▪ Known cover – Known-cover/carrier: the carrier, that is, the original cover, and the steganography media are both available for analysis.
  ▪ Known message – Known-message: the hidden message is known.
  ▪ Chosen stego – Chosen-steganography: the steganography medium and tool (or algorithm) are both known.
  ▪ Chosen message – Chosen-message: a known message and steganography tool (or algorithm) are used to create steganography media for future analysis and comparison. The goal in this attack is to determine corresponding patterns in the steganography medium that may point to the use of specific steganography tools or algorithms.
Encryption
▪ Turns human-readable text into cipher (unreadable) text
▪ Requires a key to unlock/decode (password)
▪ Possible solutions
  ▪ Key escrow – Pretty Good Privacy (PGP); third party
  ▪ Brute-force
  ▪ Dictionary
  ▪ Rainbow tables
QUICK CHECK 1
1. What tools can be used to hash individual files/applications/sectors?
2. Which data hiding method alters hash values of known files?
3. Name a method to access an encrypted drive.
4. With this steganalysis method, the steganography medium and tool (or algorithm) are both known.
▪ Important part of investigations
▪ Yields important metadata facts; visible when using a metadata viewer/exif tool
  ▪ Owner/creator of file
  ▪ File size
  ▪ Timestamps (modified, accessed, created – MAC)
  ▪ File type
  ▪ And more…
▪ MAC timestamps may help piece together a timeline
▪ Timestamps that are accessible to users can be modified – so be cautious!
▪ Within NTFS, timestamps are found in the $STANDARD_INFO and $FILE_NAME attributes
  ▪ $STANDARD_INFO can be modified by a user
  ▪ $FILE_NAME is updated by the kernel

Modified         Last time file contents were updated
Access           Last time file contents were viewed
Creation/Birth   File was created or copied onto a medium
Change time      $MFT (a.k.a. metadata) modified

Is it possible to have a Creation time that is more recent than the Modified or Access times?

https://cyberforensicator.com/2018/03/25/windows-10-time-rules/
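A small timestamp sanity check built on the two facts above ($STANDARD_INFO is user-writable, $FILE_NAME is kernel-maintained) and on the slide's note that a copy gets a new creation time. This is an added Python example, not the course's or any forensic suite's code; the record dicts are constructed, the tag names are mine, and the whole-second heuristic is an assumption that goes beyond the slide (NTFS stores 100 ns ticks, so a creation time landing exactly on a second is more typical of a tool-set value than of the OS).

```python
from datetime import datetime

def timestamp_anomalies(si, fn):
    """si, fn: dicts with 'created', 'modified', 'accessed', 'mft_changed' datetimes
    taken from the file's $STANDARD_INFO and $FILE_NAME attributes. Returns anomaly tags."""
    tags = []
    # $FILE_NAME is kernel-maintained; a $STANDARD_INFO creation time older than the
    # $FILE_NAME one means the user-writable copy was pushed back in time.
    if si["created"] < fn["created"]:
        tags.append("si_created_before_fn_created")
    # Creation newer than modification is what a copied file looks like: the copy gets a
    # fresh creation time on the new medium but keeps the source's modification time.
    if si["created"] > si["modified"]:
        tags.append("created_after_modified_copy_likely")
    # Assumption beyond the slide: a creation time on an exact second is unusual for the
    # OS (100 ns resolution) and common for values written by a timestamp-editing tool.
    if si["created"].microsecond == 0:
        tags.append("si_created_on_whole_second")
    return tags

# Constructed sample records (not taken from any real $MFT).
NORMAL_SI = {"created": datetime(2021, 3, 1, 9, 0, 0, 123456),
             "modified": datetime(2021, 3, 2, 10, 0, 0, 654321),
             "accessed": datetime(2021, 3, 2, 10, 0, 0, 654321),
             "mft_changed": datetime(2021, 3, 2, 10, 0, 0, 654321)}
NORMAL_FN = dict(NORMAL_SI)
# Same file after a tool rewrote its $STANDARD_INFO creation time to 2015.
STOMPED_SI = dict(NORMAL_SI, created=datetime(2015, 1, 1, 0, 0, 0))
# A file copied onto the volume in 2022: new creation time, modification time kept.
COPIED_SI = dict(NORMAL_SI, created=datetime(2022, 1, 5, 8, 0, 0, 42))
COPIED_FN = dict(COPIED_SI)

def demo():
    return {"normal": timestamp_anomalies(NORMAL_SI, NORMAL_FN),
            "stomped": timestamp_anomalies(STOMPED_SI, NORMAL_FN),
            "copied": timestamp_anomalies(COPIED_SI, COPIED_FN)}

if __name__ == "__main__":
    for name, tags in demo().items():
        print(f"{name}: {tags or 'no anomalies'}")
```

The "copied" case is the answer to the question on the slide: a creation time newer than the modification time is normal for a file that was copied onto the medium, which is why the check reports it as a likely copy rather than as tampering.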
▪ A common way to mask a file’s identity is to change the file extension
  ▪ Why would someone want to do that?
▪ Validate files by comparing the file extension to the magic number (header)
  ▪ Magic number – the first 2-10 bytes of a file when viewed in a hex editor
▪ Common magic numbers include:

File type    File extension   Magic number (header)        Footer/Trailer
MS Word      .docx            0x50 4B 03 04 14 00 06 00    0x50 4B 05 06
PDF          .pdf             0x25 50 44 46 (%PDF)         0x0A 25 25 45 4F 46 (%%EOF)
JPEG Image   .jpg             0xFF D8                      0xFF D9

▪ An extensive list can be found in Gary Kessler's file signature table: https://www.garykessler.net/library/file_sigs.html
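File signature analysis with the three entries from the table, as an added Python example for this page (not the course's FileAnalysis exercise code). It compares the claimed extension against the header actually present and also looks for the trailer, searching a tail window rather than the very last bytes because a trailer is not always final (the ZIP "PK 05 06" record that ends a .docx is followed by further fields, and %%EOF is usually followed by a line ending). The sample files and the function names are constructed for the example.

```python
import os

# Signatures exactly as the lecture table gives them (header bytes, trailer bytes).
SIGNATURES = {
    "MS Word (.docx)": {"extensions": {".docx"},
                        "header": bytes.fromhex("504B030414000600"),
                        "trailer": bytes.fromhex("504B0506")},
    "PDF":             {"extensions": {".pdf"},
                        "header": b"%PDF",
                        "trailer": b"\n%%EOF"},            # 0x0A 25 25 45 4F 46
    "JPEG image":      {"extensions": {".jpg", ".jpeg"},
                        "header": bytes.fromhex("FFD8"),
                        "trailer": bytes.fromhex("FFD9")},
}

TAIL_WINDOW = 65536   # how far from the end of the file the trailer is allowed to sit

def identify(data):
    """Names of every signature whose header matches the first bytes of the data."""
    return [name for name, sig in SIGNATURES.items() if data.startswith(sig["header"])]

def trailer_present(data, name):
    return SIGNATURES[name]["trailer"] in data[-TAIL_WINDOW:]

def check_file(filename, data):
    """Compare the extension a file claims with the signature it actually carries."""
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(data)
    claimed = [n for n, s in SIGNATURES.items() if ext in s["extensions"]]
    if not detected:
        verdict = "unknown signature"
    elif any(d in claimed for d in detected):
        verdict = "extension matches signature"
    else:
        verdict = "extension does not match signature"
    return {"extension": ext, "detected": detected, "verdict": verdict,
            "trailer_ok": bool(detected) and all(trailer_present(data, d) for d in detected)}

# Constructed sample files: a minimal PDF, a JPEG/JFIF skeleton, and a GIF header the table lacks.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"
SAMPLE_JPG = bytes.fromhex("FFD8FFE0") + b"\x00\x10JFIF\x00" + bytes(20) + bytes.fromhex("FFD9")
SAMPLE_GIF = b"GIF89a" + bytes(10)

if __name__ == "__main__":
    for name, data in [("invoice.pdf", SAMPLE_PDF), ("invoice.docx", SAMPLE_PDF),
                       ("photo.jpg", SAMPLE_JPG), ("photo.jpg", SAMPLE_GIF)]:
        print(name, check_file(name, data))
```

"invoice.docx" carrying a PDF body is the renamed-file case the slide asks about: the extension says Word, the header says %PDF, and the verdict records the mismatch. A file whose header is not in the table (the GIF here) comes back as "unknown signature", which in practice means extending the table from the Kessler list rather than trusting the extension.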
FILE ANALYSIS
From BB → Course Content → Class06… → FileAnalysis.zip
1. Download:
   ❑ FileAnalysis.zip
   ❑ Follow the steps in the FileAnalysis.pdf file
   ❑ Answer questions in the file.
2. Complete Quick Check with your team
QUICK CHECK 2
1. What type of information does file metadata yield?
2. Describe the difference between Modified, Access, and Creation times.
3. In what case would you have a Create time more recent than a Modify time?
4. What is the process of verifying a file’s identity? How is it done?
5. Describe what a magic number is.

VECTOR (image slide)
Bitmap (or Raster)
  Description: Collection of picture elements (pixels) laid out in a grid format
  Resolution: Loses resolution when enlarged
  File types: .jpg, .bmp, .tiff, .png, .gif, .heic/heif

Vector
  Description: Stored mathematical instructions to draw geometric shapes (e.g. lines, circles, curves, etc.)
  Resolution: No image degradation as you enlarge
  File types: .ai, .eps, .pdf, .svg

Metafile
  Description: Contains both pixels and math instructions
  Resolution: Bitmap areas lose resolution when enlarged while vector areas do not
  File types: .eps, .pdf, .svg, .rtf
▪ EXIF = metadata that also includes camera information
  ▪ What do we expect to find?
  ▪ Should we just trust Exif timestamps?
▪ Need an Exif reader to view (e.g. Find Exif, VeriExif, Autopsy, OSForensics, etc.)

https://digital-photography-school.com/wp-content/uploads/old/exif.gif
▪ JPEG JFIF – no embedded camera metadata
  ▪ header = 0xFF D8 FF E0
  ▪ footer = 0xFF D9
▪ JPEG Exif – embedded camera metadata
  ▪ header = 0xFF D8 FF E1
  ▪ footer = 0xFF D9

https://upload.wikimedia.org/wikipedia/commons/6/6a/JFIF-HEX.png
https://i.imgur.com/2RWT3.png
▪ Why is it good to know the header and footer information of various image files (or files in general)?
  ▪ May have to carve (salvage) an image out of the disk
  ▪ Create a new file by locating the header and footer information
  ▪ NOTE: some file formats may allow for multiple footers without corrupting the file
File Type                            Extension                  Magic Number / Footer
Joint Photographic Experts Group     .jpg, .jpeg, .jfif, .jfe   0xFF D8 / 0xFF D9
Tagged Image File Format             .tif, .tiff                0x49 49 2A 00
Graphics Interchange Format          .gif                       0x47 49 46 / 0x3B
Bitmap                               .bmp                       0x42 4D
Portable Network Graphics            .png                       0x89 50 4E 47 / 0x49 45 4E 44 AE 42 60 82
Adobe Encapsulated PostScript file   .eps                       0xC5 D0 D3 C6 or %!PS-Adobe-3.0 EPSF-3.0
Adobe Illustrator Graphics files     .ai                        0x25 50 44 46 / %%EOF
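Header/footer carving as described in the slides above (JFIF header FF D8 FF E0, Exif header FF D8 FF E1, footer FF D9), as an added Python example for this page; it is not the course's CarveGraphics exercise code. It also handles the "multiple footers" note: an Exif JPEG can carry a thumbnail JPEG inside its APP1 segment, complete with its own FF D9, so instead of stopping at the first footer the carver walks the marker segments by their length fields and only scans for FF D9 once it reaches the start-of-scan data. The blob and both JPEG skeletons are constructed (they are not viewable images); function names are mine.

```python
APP_MARKERS = {0xE0: "JFIF", 0xE1: "Exif"}

def jpeg_kind(blob, start):
    """Classify by the marker right after SOI: FF E0 = JFIF, FF E1 = Exif, as on the slide."""
    return APP_MARKERS.get(blob[start + 3], "JPEG (other APPn)")

def jpeg_end(blob, start):
    """Offset just past the EOI (FF D9) of the JPEG beginning at `start`, or None.
    Segments before the scan are skipped by their 2-byte length, so a thumbnail JPEG
    embedded in an Exif APP1 segment (with its own FF D9) cannot truncate the carve."""
    p = start + 2                                    # skip SOI
    while p + 4 <= len(blob) and blob[p] == 0xFF:
        marker = blob[p + 1]
        seglen = int.from_bytes(blob[p + 2:p + 4], "big")
        if marker == 0xDA:                           # SOS: entropy-coded data follows the header
            eoi = blob.find(b"\xff\xd9", p + 2 + seglen)
            return None if eoi < 0 else eoi + 2
        if marker == 0xD9:                           # EOI with no scan at all: degenerate, stop here
            return p + 2
        if seglen < 2:
            return None                              # corrupt length field
        p += 2 + seglen
    return None

def carve_jpegs(blob):
    """Find every JPEG header in the blob and cut from it to its matching footer."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = jpeg_end(blob, start)
        if end is None:                              # header with no usable footer: move on
            pos = start + 3
            continue
        found.append({"offset": start, "length": end - start,
                      "kind": jpeg_kind(blob, start), "data": blob[start:end]})
        pos = end
    return found

def _segment(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def build_sample_blob():
    """Constructed test data: a JFIF skeleton and an Exif skeleton (with an embedded
    thumbnail) between runs of filler bytes. Returns (blob, [jfif, exif])."""
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    jfif = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + sos + b"\x12\x34\x56\x78" + b"\xff\xd9")
    thumb = b"\xff\xd8" + sos + b"\x9a\xbc" + b"\xff\xd9"          # thumbnail with its own EOI
    exif = (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00" + thumb)
            + sos + b"\xde\xad\xbe\xef" + b"\xff\xd9")
    filler = bytes(range(0x10, 0x40))                              # contains no FF bytes
    return filler + jfif + filler + exif + filler, [jfif, exif]

if __name__ == "__main__":
    blob, _ = build_sample_blob()
    for hit in carve_jpegs(blob):
        print(hit["kind"], "at offset", hit["offset"], "length", hit["length"])
```

On the constructed blob a naive "first FF D9 after the header" carver would cut the Exif file short at the thumbnail's footer; the segment walk returns the full file. Progressive JPEGs with several scans are a further case this short version does not cover.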
GRAPHIC FILES
From BB → Course Content → Class06… → GraphicFiles.zip
1. Download:
   ❑ CarveGraphic.zip
   ❑ Follow the steps in the CarveGraphics.pdf file
   ❑ Answer questions in the file.
2. Complete Quick Check with your team
QUICK CHECK 3
1. Raster vs. Vector vs. MetaFile images
2. What information does EXIF data include?
3. 0xFF D8 FF E0 vs 0xFF D8 FF E1
4. The process of manually recovering a file is known as what?
5. T or F. Some files may have multiple footers without corrupting the file.
▪ Images can be used to conceal information suspects want to keep hidden, using steganography
▪ Two methods:
  ▪ Insertion – place data from the secret file into the host file; the host file looks normal to the human eye, so the file structure must be analyzed carefully
  ▪ Substitution – replaces bits of the host file with the information that is to be hidden
Which image contains steg? (image slide)

Header Information / Footer Information (image slide)
▪ Least Significant Bit (LSB) algorithm – most common
  ▪ Insert messages with minimal color change

https://www.rapidtables.com/web/color/RGB_Color.html
▪ Want to embed the message ‘hi’ into an image using the LSB method
▪ ‘hi’ → 0x6869 = 0110 1000 0110 1001
▪ Group bits 2 x 2 → 01 10 10 00 01 10 10 01
▪ Select 8 bytes from the cover image to perform the substitution
▪ Perform the substitution by replacing the last 2 bits of each byte

Cover bytes (8 bytes before end of the file):
  2D EA 5B FF 00 8C FF 00
  0010 1101 1110 1010 0101 1011 1111 1111 0000 0000 1000 1100 1111 1111 0000 0000
Message bits (2 per byte):
    01        10        10        00        01        10        10        01
Result:
  0010 1101 1110 1010 0101 1010 1111 1100 0000 0001 1000 1110 1111 1110 0000 0001
  2D EA 5A FC 01 8E FE 01 (data to be inserted at end of file)
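The two concealment methods from the earlier slide (insertion and substitution) in working form, as an added Python example for this page; this is not the course's code and not Steghide. The substitution half reproduces the 2-bit LSB walkthrough above byte for byte and adds the matching extractor plus a count of how many cover bytes actually changed; the insertion half appends a payload after a JPEG's FF D9 and shows the check an examiner runs for it. The 8 cover bytes are the slide's; the JPEG stub, payload and function names are constructed.

```python
def _bits(data):
    return "".join(f"{b:08b}" for b in data)

def embed_lsb(cover, message, bits_per_byte=2):
    """Substitution: overwrite the lowest `bits_per_byte` bits of successive cover bytes
    with the message bits, left to right, exactly as the slide's 2-bit walkthrough does."""
    if 8 % bits_per_byte:
        raise ValueError("bits_per_byte must divide 8")
    stream = _bits(message)
    need = len(stream) // bits_per_byte
    if need > len(cover):
        raise ValueError("cover too small for message")
    mask = (1 << bits_per_byte) - 1
    out = bytearray(cover)
    for i in range(need):
        chunk = int(stream[i * bits_per_byte:(i + 1) * bits_per_byte], 2)
        out[i] = (out[i] & ~mask & 0xFF) | chunk
    return bytes(out)

def extract_lsb(stego, n_bytes, bits_per_byte=2):
    """Read the low bits back out of the first bytes and reassemble `n_bytes` of message."""
    mask = (1 << bits_per_byte) - 1
    need = n_bytes * 8 // bits_per_byte
    stream = "".join(f"{b & mask:0{bits_per_byte}b}" for b in stego[:need])
    return bytes(int(stream[i:i + 8], 2) for i in range(0, len(stream), 8))

def changed_bytes(cover, stego):
    """How many cover bytes the substitution altered (low bits that already matched stay put)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)

def insert_after_eoi(jpeg, payload):
    """Insertion: append the payload after the JPEG footer; viewers stop at FF D9 and ignore it."""
    if not jpeg.endswith(b"\xff\xd9"):
        raise ValueError("expected a JPEG ending in FF D9")
    return jpeg + payload

def trailing_bytes_after_eoi(jpeg):
    """Examiner's check for insertion: anything after the footer is not image data.
    Uses the first FF D9; an Exif thumbnail would need a segment-aware scan instead."""
    eoi = jpeg.find(b"\xff\xd9")
    return b"" if eoi < 0 else jpeg[eoi + 2:]

# The slide's cover bytes and a constructed JPEG stub (not a viewable image).
COVER = bytes.fromhex("2DEA5BFF008CFF00")
STUB_JPEG = bytes.fromhex("FFD8FFE0") + bytes(8) + bytes.fromhex("FFD9")

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hi")
    print(stego.hex(" ").upper(), extract_lsb(stego, 2), changed_bytes(COVER, stego))
    print(trailing_bytes_after_eoi(insert_after_eoi(STUB_JPEG, b"constructed payload")))
```

Two of the eight cover bytes (2D and EA) already ended in the right bits and are untouched, which is why LSB changes are so hard to see and why steganalysis leans on statistics over many bytes rather than on any single one. Insertion, by contrast, leaves the image bytes alone but grows the file, so size and bytes-after-footer are the first things to compare.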
Can you spot the hidden message?

Tesla2.jpg – original image with no hidden content
Tesla3hi.jpg – with ‘hi’ embedded using LSB

Other forms of data hiding that come to mind?
DATA HIDING IN IMAGES
1. In your groups, download Steghide (or any steganography tool)
2. Using any of the files from the previous exercises, create a steganographic file with a hidden message or hide an image within an image
3. Examine the graphic file
   a. Are you able to tell the difference between the original and the steg image? (e.g. appearance, file size, functionality – can you open it in a viewer with no issues?)
   b. How easy is it to recover your hidden content?
4. Complete Quick Check with your team
QUICK CHECK 3
1. Describe the two methods used to conceal information in image files.
2. Describe the simplest Substitution method used for data hiding.
3. Are all data hiding methods used for malicious purposes?
▪ 10–March: Midterm
  ▪ Covers lectures to date (to include slides, class discussions, presentations and assignments)
  ▪ 1-page (8 ½ x 11”) handwritten notes permitted
▪ 24 & 31 October: Presentations
  ▪ Upload pptx/pdf on BB NLT 24 March 7pm (EDT)
  ▪ Presentation order will be given the day of presentations

https://www.ted.com/topics/presentation
B. Nelson, A. Phillips, C. Steuart. (2016). Guide to Computer Forensics and Investigations. Cengage Learning.

Timestamps
https://cyberforensicator.com/2018/03/25/windows-10-time-rules/

Image File Formats
https://www.w3.org/Graphics/JPEG/jfif3.pdf
https://web.archive.org/web/20170818010030/https://www-cdf.fnal.gov/offline/PostScript/5002.PDF
https://nokiatech.github.io/heif/technical.html
https://www.w3.org/TR/PNG/#11IHDR
Image source: https://www.freepik.com/free-photos-vectors

File signatures
https://www.garykessler.net/library/file_sigs.html

Data Hiding/Finding (steganography/steganalysis)
http://www.jjtc.com/index.html