File000134
Transcript

  • 1. Module XXI – Image File Forensics
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Poplar Bluff Man Pleads Guilty to Child Pornography Charge Source: http://www.semissourian.com/ Wednesday, November 26, 2008 POPLAR BLUFF, Mo. — A Poplar Bluff man faces a maximum of 30 years in federal prison after pleading guilty Friday to possessing child pornography. On May 1, law enforcement officers knocked on the door of Alspaugh's home. Although he was not home, the officers informed his son they had reason to believe someone in the home was accessing child pornography on the Internet. The home computer was given to law enforcement officers for analysis. Police said Alspaugh later contacted the seizing officer and told the officer he was the person responsible for the child pornography on the computer. Alspaugh reportedly stated he used the computer to find child pornography on the Internet and further reported he had been viewing child pornography for several years. Alspaugh also admitted he was aware it is illegal to possess images of child pornography. He stated the computer belonged to him and he had hidden the child pornography files so other users in the home would not be able to find them. Alspaugh reportedly agreed to allow a forensic analysis to be conducted on his computer and hard drive by signing a consent-to-search form. Forensic analysis of the hard drive revealed Alspaugh possessed more than 600 image files, including more than 90 video files, of child pornography. The charge against Alspaugh was the result of an investigation by Jeff Shackelford and Scott Phelps with the SEMO Cyber Crimes Task Force. 
"Through the use of a tracking program designed by the [Internet Crimes Against Children] Task Force, to track persons collecting and trading items of child pornography through file sharing networks, I was given the February 2008 database results for the state of Missouri, which showed one IP address, in particular, in the Poplar Bluff area that had numerous transmissions [uploads/downloads] of child pornography," Shackelford said earlier.
  • 3. Scenario
    The owner of a massive for-profit software piracy website was sentenced on 8 September 2006 in federal court to 87 months in prison. Nathan L. Peterson, 27, of Antelope Acres, Calif., was also ordered to forfeit the proceeds of his illegal conduct and pay restitution of more than $5.4 million. Peterson operated the www.ibackups.net website, which sold copies of software products copyrighted by companies such as Adobe Systems, Inc., Macromedia Inc., Microsoft Corporation, Sonic Solutions, and Symantec Corporation at prices substantially below the suggested retail price. The software products purchased on Peterson's website were reproduced and distributed. The investigation was conducted by agents of the FBI's Washington Field Office. As a result of the FBI's investigation, Peterson's website was taken down in February 2005.
  • 4. Case Study
  • 5. Module Objective
    This module will familiarize you with:
    • Image Files
    • Recognizing Image Files
    • Data Compression
    • Locating and Recovering Image Files
    • Analyzing Image File Headers
    • Reconstructing File Fragments
    • Tools for Viewing Images
    • Steganography in Image Files
    • Steganalysis in Image Files
    • Image File Forensic Tools
  • 6. Module Flow
    • Introduction to Image File Forensics
    • Image Files Identification
    • Data Compression
    • Locate and Recover Image Files
    • Analyze Image File Headers
    • Reconstructing File Fragments
    • Tools for Viewing Images
    • Steganography in Image Files
    • Steganalysis in Image Files
    • Image File Forensics Tools
  • 7. Common Terminologies
    Pixel:
    • A pixel (picture element) is a single point in a graphic image
    • A number of pixels combine to form an image
    Resolution:
    • Refers to the sharpness and clarity of an image
    • The term describes monitors, printers, and bit-mapped graphic images
  • 8. Image Files
    An image is an artifact that reproduces the likeness of some subject. Images are produced by optical devices, i.e. cameras, mirrors, lenses, telescopes, and microscopes.
    An image may be:
    • A black and white image
    • A grayscale image
    • A color image
    • An indexed color image
    Images can be broadly categorized into:
    • Vector
    • Raster
  • 9. Understanding Vector Images
    Vector graphics use geometrical primitives such as points, lines, curves, and polygons, all based upon mathematical equations, to represent images in the computer.
    Advantages:
    • Smaller file size
    • Can be indefinitely zoomed without loss in quality
    • Moving, scaling, rotating, and filling do not degrade the quality of a drawing
  • 10. Understanding Raster Images
    A raster image is a data file or structure representing a generally rectangular grid of pixels, or points of color, on a computer monitor. The color of each pixel is individually defined.
    A colored raster image has pixels with eight bits of information for each of the red, green, and blue components.
    The quality of a raster image is determined by the total number of pixels and the amount of information in each pixel. Quality may be lost if raster graphics are scaled to a higher resolution.
  • 11. Metafile Graphics
    Metafiles combine raster and vector graphics and have features of both bitmap and vector images. When metafiles are enlarged, the result is a loss of resolution, giving the image a shaded appearance.
  • 12. Image File Formats
  • 13. Understanding Image File Formats
    A file format is 'a particular way to encode information for storage in a computer file'. All image formats differ in ease of use, size of the file, and quality of reproduction. The table below shows commonly used image file formats:

    File Format                              File Extension
    Graphics Interchange Format (GIF)        .gif
    Joint Photographic Experts Group (JPEG)  .jpg
    Tagged Image File Format (TIFF)          .tif
    Windows Bitmap (BMP)                     .bmp
    JPEG 2000                                .jp2
    Portable Network Graphics (PNG)          .png
  • 14. GIF (Graphics Interchange Format)
    GIF is an 8-bit RGB bitmap image format for images with up to 256 distinct colors per frame.
    Features:
    • Limited color palette: each color in the GIF color table is described in RGB values, with each value having a range of 0 to 255
    • Dithering: a method used to create the illusion of greater color depth by blending a smaller number of colored "dots" together
    • LZW compression: GIF supports the LZW lossless compression algorithm
    • Interlacing: a mechanism that makes images appear faster on-screen by first displaying a low-resolution version of the image and gradually showing the full version
  • 15. GIF (cont'd)
    Each file begins with a Header and a Logical Screen Descriptor. A Global Color Table may optionally follow the Logical Screen Descriptor.
    Each image stored in the file contains a Local Image Descriptor, an optional Local Color Table, and a block of image data.
    The last field in every GIF file is a Terminator character, which indicates the end of the GIF data stream.
  • 16. GIF (cont'd)
    GIF file layout:
    • Header and Color Table Information: Header, Logical Screen Descriptor, Global Color Table
    • Image 1: Local Image Descriptor, Local Color Table, Image Data
    • Image 2: Local Image Descriptor, Local Color Table, Image Data
    • ... Image n: Local Image Descriptor, Local Color Table, Image Data
    • Trailer
    There are two versions of the GIF format:
    GIF 87a:
    • This version was released in 1987
    • Supports LZW file compression, interlacing, 256-color palettes, and multiple image storage
    GIF 89a:
    • This version was released in 1989
    • It supports properties such as background transparency, delay times, and image replacement parameters, which help to store multiple images
  • 17. JPEG (Joint Photographic Experts Group)
    JPEG is a commonly used method for compression of photographic images. It performs the file compression in four phases:
    1. The JPEG algorithm first cuts up an image into separate blocks of 8x8 pixels
    2. The next step in the compression process is to apply a Discrete Cosine Transform (DCT) to the entire block
    3. After this, the actual compression starts. First, the compression software looks at the JPEG image quality the user requested and calculates two tables of quantization constants, one for luminance and one for chrominance
    4. The last step in the process is to compress these coefficients using either a Huffman or an arithmetic encoding scheme
  • 18. JPEG File Structure (cont'd)
    A JPEG image is a sequence of segments. Each segment consists of:
    • Segment marker (2 bytes)
    • Segment size (2 bytes), excluding the marker
    • Segment data
    JPEG segments:

    Contents     Name  Description
    0xFF 0xD8    SOI   Start of image
    0xFF 0xD9    EOI   End of image
  • 19. JPEG File Structure (cont'd)
    Some JPEG segment markers:

    Contents     Name   Description
    0xFF 0xE0    APP0   Application marker (in every JPEG file)
    0xFF 0xDB    DQT    Quantization table
    0xFF 0xC0    SOF0   Start of frame
    0xFF 0xC4    DHT    Define Huffman table
    0xFF 0xDA    SOS    Start of scan
    0xFF 0xED    APP14  This is the marker where Photoshop stores its information
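The segment layout described on slides 18 and 19 (2-byte marker, 2-byte size that excludes the marker, then data) can be walked mechanically, which is how a forensic tool decides whether a carved JPEG is structurally complete. The following is an added example, not code from the EC-Council module or from any tool it names; the sample JPEG it builds is constructed for the demo and is structurally valid but not decodable as a picture. Note that the entropy-coded data after SOS has no size field, so the walker has to scan for the next real marker while skipping stuffed 0xFF 0x00 bytes and RSTn restart markers.

```python
"""Walk the marker segments of a JPEG byte stream (added example)."""
import struct

# Marker names from the slide's table; APPn/RSTn names are derived from the marker byte.
MARKER_NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT",
                0xC0: "SOF0", 0xC4: "DHT", 0xFE: "COM"}


def marker_name(marker: int) -> str:
    """Human-readable name for a marker byte (the byte following 0xFF)."""
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    if 0xD0 <= marker <= 0xD7:
        return f"RST{marker - 0xD0}"
    return MARKER_NAMES.get(marker, f"0x{marker:02X}")


def skip_scan_data(data: bytes, pos: int) -> int:
    """Advance past the entropy-coded data that follows an SOS segment.

    Inside scan data a literal 0xFF is stuffed as 0xFF 0x00, and 0xFF 0xD0..0xD7
    are restart markers; any other 0xFF xx is the next real marker.
    """
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    return len(data)


def parse_segments(data: bytes):
    """Return [(offset, marker, name, size)] for every segment in the stream.

    `size` is the 2-byte segment size as stored in the file, which excludes the
    marker (matching the slide's description); standalone markers report 0.
    Raises ValueError if the stream does not start with SOI or is malformed.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: stream does not start with SOI (FF D8)")
    segments, pos = [], 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}, found 0x{data[pos]:02X}")
        marker = data[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            segments.append((pos, marker, marker_name(marker), 0))
            pos += 2
            if marker == 0xD9:          # EOI: end of image
                break
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (size,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((pos, marker, marker_name(marker), size))
        pos += 2 + size
        if marker == 0xDA:              # SOS: entropy-coded data follows
            pos = skip_scan_data(data, pos)
    return segments


def is_complete(data: bytes) -> bool:
    """True when the stream parses and its last segment is EOI."""
    try:
        return parse_segments(data)[-1][2] == "EOI"
    except ValueError:
        return False


def build_sample_jpeg() -> bytes:
    """Constructed, structurally valid (but not decodable) JPEG used as demo input."""
    def seg(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # APP0: identifier, version, density
    return (b"\xff\xd8"
            + seg(0xE0, jfif)                                     # gives FF D8 FF E0 00 10 as on slide 45
            + seg(0xDB, b"\x00" + bytes(64))                      # one 8x8 quantization table
            + seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")  # 8-bit, 8x8, one component
            + seg(0xC4, b"\x00" + bytes(16))                      # empty Huffman table
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")              # start of scan, one component
            + b"\x12\xff\x00\x34"                                 # scan data with one stuffed FF
            + b"\xff\xd9")


if __name__ == "__main__":
    for off, marker, name, size in parse_segments(build_sample_jpeg()):
        print(f"offset {off:4d}  marker FF {marker:02X}  {name:5s}  size {size}")
```

Running the block lists SOI, APP0 (size 16), DQT, SOF0, DHT, SOS and EOI in order; cutting the last two bytes off the sample makes `is_complete` return False, which is the check a carver applies to decide whether a recovered file is whole or truncated.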
  • 20. JPEG 2000
    JPEG 2000 is the new version of JPEG compression.
    Features:
    • It produces as much as 20% improvement in compression efficiency over the current JPEG format
    • Its compression has been mainly developed for use on the Internet
    • It can handle RGB, LAB, and CMYK with up to 256 channels of information
  • 21. BMP (Bitmap) File
    BMP is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors).
    Each bitmap file contains:
    • Header: contains information about the type, size, and layout of the file
    • Info Header: specifies the dimensions, compression type, and color format for the bitmap
    • The RGBQUAD array: the Colors array contains a color table. The color table is absent for bitmaps with 24 color bits because each pixel is represented by 24-bit red-green-blue (RGB) values in the actual bitmap
    • Image Data: the actual image data, represented by consecutive rows, or "scan lines," of the bitmap
  • 22. BMP File Structure
    Header → Info Header → RGBQUAD Array → Image Data
  • 23. PNG (Portable Network Graphics)
    The PNG bitmap image format uses lossless data compression. It improves on the GIF image format and was designed to replace it. It is patent and license free.
    PNG supports:
    • 24-bit true color
    • Transparency, both normal and alpha channel
    The PNG file structure consists of:
    • PNG file signature: this signature shows that the remainder of the file contains a single PNG image
    • The image itself, consisting of a series of chunks starting with an IHDR chunk and ending with an IEND chunk
  • 24. PNG (cont'd)
    Chunk layout:
    • The chunks come after the signature
    • They form a series, each of which gives some information about the image
    • Each chunk has a header specifying the size and type of the chunk
    • Each chunk consists of four parts:
      • Length: a 4-byte unsigned integer giving the number of bytes in the chunk's data field
      • Chunk Type: a 4-byte chunk type code
      • Chunk Data: the data bytes appropriate to the chunk type, if any; this field can be of zero length
      • CRC (Cyclic Redundancy Check): a 4-byte CRC calculated on the preceding bytes in the chunk, including the chunk type code and chunk data fields but not the length field
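Because every PNG chunk carries its own CRC over the type code and data (and not the length field), an examiner can tell a chunk that was damaged or altered after the fact from one that is intact, without decoding the image. The block below is an added example written for this page, not code from the module or from any tool it lists; it uses only the Python standard library, and the 1x1 PNG it parses is constructed inline so the example runs offline. The PNG file signature bytes it checks are the standard 8-byte signature, which slide 23 mentions but does not spell out.

```python
"""Parse PNG chunks and verify each chunk's CRC (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # the standard 8-byte PNG file signature


def make_chunk(ctype: bytes, cdata: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + cdata) & 0xFFFFFFFF
    return struct.pack(">I", len(cdata)) + ctype + cdata + struct.pack(">I", crc)


def parse_chunks(data: bytes):
    """Return [(type, data, crc_ok)] for every chunk up to and including IEND.

    The CRC is recomputed over the chunk type code and chunk data (not the
    length field) and compared with the stored value, so a corrupted chunk is
    reported rather than silently accepted.  Truncation raises ValueError.
    """
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad file signature")
    chunks, pos = [], 8
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} at offset {pos} runs past end of file")
        cdata = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + cdata) & 0xFFFFFFFF) == stored
        chunks.append((ctype.decode("ascii", "replace"), cdata, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks


def ihdr_info(chunks):
    """Decode the leading IHDR fields: (width, height, bit depth, colour type)."""
    for ctype, cdata, _ in chunks:
        if ctype == "IHDR":
            return struct.unpack(">IIBB", cdata[:10])
    raise ValueError("no IHDR chunk")


def build_sample_png(corrupt_idat: bool = False) -> bytes:
    """Constructed 1x1 red RGB PNG; optionally flip a bit in IDAT after its CRC was computed."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")        # filter byte 0 + one red pixel
    png = (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
           + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
    if corrupt_idat:
        # damage one data byte of IDAT while leaving its stored CRC untouched
        idat_data_off = png.index(b"IDAT") + 4
        buf = bytearray(png)
        buf[idat_data_off + 2] ^= 0x01
        png = bytes(buf)
    return png


if __name__ == "__main__":
    for ctype, cdata, ok in parse_chunks(build_sample_png(corrupt_idat=True)):
        print(f"{ctype}: {len(cdata)} bytes, CRC {'ok' if ok else 'MISMATCH'}")
```

With `corrupt_idat=True` the walker still lists IHDR, IDAT and IEND in order, but reports the IDAT CRC as a mismatch, which is exactly the signal that distinguishes a chunk modified after creation from a carve that simply stopped early (the latter raises the truncation error instead).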
  • 25. Tagged Image File Format (TIFF)
    Tagged Image File Format is a flexible and platform-independent image file format. It supports numerous image processing applications.
    Features:
    • Extendibility: the ability to add new image types without invalidating the older types
    • Portability: TIFF is independent of the hardware platform and the operating system on which it executes
    • Revisability: TIFF was designed to be an efficient medium for exchanging image information and is used as a native internal data format for image editing applications
  • 26. TIFF File Structure
    TIFF files are made up of three unique data structures:
    Image File Header (IFH):
    • The structure of a TIFF file has a fixed location
    • The IFH is an 8-byte structure
    • It must be located at offset zero in the file
    • The IFH contains important information necessary to correctly interpret the remainder of the TIFF file
    Image File Directory (IFD):
    • An IFD consists of a count N, the number of directory entries
    • Each entry is 12 bytes
    • Each IFD must be located on a word boundary
    • If more than one IFD is present, the file contains more than one image
    Directory Entry (DE):
    • Each DE is exactly 12 bytes in length and is segmented into four fields
  • 27. ZIP (Zone Information Protocol)
    ZIP is a method of compressing computer data or files.
    Advantages of zipping files:
    • It reduces storage space
    • You can achieve faster transfer rates over a network
    • It helps in packaging multiple files
    Zip files contain information about the zipped files (name, path, date, time of last modification, protection, and check information) to verify the file's integrity. They are created using Zip creation tools such as WinZip and WinRAR. They can be password protected for security reasons.
  • 28. Best Practices for Forensic Image Analysis
    • Document the current condition of the evidence
    • Prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials
    • Use write blockers to prevent the evidence from being modified
    • Methods of acquiring evidence should be forensically sound and verifiable
    • Forensic image(s) should be captured using hardware/software that is capable of capturing a "bit stream" image of the original media
    • Digital evidence submitted for examination should be maintained in such a way that the integrity of the data is preserved
    • Properly prepared media should be used when making forensic copies to ensure no commingling of data from different cases
    • Forensic image(s) should be archived to media and maintained consistent with departmental policy and applicable laws
  • 29. Use MATLAB for Forensic Image Processing
    MATLAB is a general-purpose programming language that provides important advantages for forensic image processing, such as:
    • It ensures the image processing steps used are completely documented and hence can be replicated
    • The source code for all image processing functions is accessible for scrutiny and test
    • It ensures that numerical precision is maintained all the way through the enhancement process
    • Advanced image processing algorithms are used
  • 30. Advantages of MATLAB
    Recording of the processing used:
    • MATLAB is used to process images by writing function files or script files
    • These files form a formal record of the processing used and ensure that the final results can be tested and replicated
    Access to implementation details:
    • Functions written in the MATLAB language are publicly readable as plain text files
    Numerical accuracy:
    • It ensures maximal numerical precision in the final result
    • An image can be read into memory and the data cast into double precision floating point values
    Advanced algorithms:
    • It provides strong mathematical and numerical support for the implementation of advanced algorithms
  • 31. Screenshot: MATLAB
  • 32. Data Compression
  • 33. How Does File Compression Work?
    In John F. Kennedy's 1961 inaugural address, he delivered this famous line:
    • "Ask not what your country can do for you -- ask what you can do for your country"
    When you go through Kennedy's famous words, pick out the words that are repeated and put them into a numbered index. Then, simply write the number instead of writing out the whole word.
    So, if this is your dictionary:
    1. ask
    2. what
    3. your
    4. country
    5. can
    6. do
    7. for
    8. you
    The sentence now reads:
    • "1 not 2 3 4 5 6 7 8 -- 1 2 8 5 6 7 3 4"
  • 34. Understanding Data Compression
    Data compression means encoding data to take up less storage space and less bandwidth for transmission. There are two techniques of data compression:
    • Lossless compression, which maintains the data's integrity
    • Lossy compression, which does not maintain the data's integrity
  • 35. Huffman Coding Algorithm
    The Huffman coding algorithm is a fixed-to-variable length code: a Huffman encoder takes a block of input characters with fixed length and produces a block of output bits of variable length.
    The basic idea in Huffman coding is to assign short codewords to those input blocks with high probabilities and long codewords to those with low probabilities.
    A Huffman code is designed by merging the two least probable characters together. This merging process is repeated until there is only one character remaining.
  • 36. Huffman Coding Algorithm (cont'd)
    An example shows how it works:
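The merging procedure on slide 35 is short enough to implement directly, and doing so makes the fixed-to-variable property concrete: each one-character input block maps to a codeword whose length depends on the character's probability. This is an added example written for this page, not the module's own worked example (whose figure is not reproduced in the transcript); the sample text `aaaabbbccd` and its frequencies are constructed. It also checks the prefix-free property, which is what lets a decoder consume the bit string without separators.

```python
"""Huffman coding: build a prefix code from symbol frequencies (added example)."""
import heapq
import math
from collections import Counter


def build_codes(freqs: dict) -> dict:
    """Return {symbol: codeword} built by repeatedly merging the two least probable nodes.

    Each heap entry is (weight, tie_breaker, node); the tie-breaker keeps heap
    comparisons away from the node payload and makes the result deterministic.
    Leaves are symbols, internal nodes are (left, right) tuples.
    """
    if not freqs:
        return {}
    if len(freqs) == 1:                       # a single symbol still needs one bit
        return {next(iter(freqs)): "0"}
    heap = [(weight, i, sym) for i, (sym, weight) in enumerate(freqs.items())]
    heapq.heapify(heap)
    tie = len(heap)
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)     # least probable
        w2, _, right = heapq.heappop(heap)    # second least probable
        heapq.heappush(heap, (w1 + w2, tie, (left, right)))
        tie += 1
    root = heap[0][2]
    codes = {}

    def walk(node, prefix: str) -> None:
        if isinstance(node, tuple):
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix
    walk(root, "")
    return codes


def encode(text: str, codes: dict) -> str:
    """Concatenate codewords: fixed-length (one character) blocks in, variable-length bits out."""
    return "".join(codes[ch] for ch in text)


def decode(bits: str, codes: dict) -> str:
    """Read bits until they match a codeword; prefix-freeness makes this unambiguous."""
    reverse = {code: sym for sym, code in codes.items()}
    out, buf = [], ""
    for bit in bits:
        buf += bit
        if buf in reverse:
            out.append(reverse[buf])
            buf = ""
    if buf:
        raise ValueError("trailing bits do not form a complete codeword")
    return "".join(out)


def is_prefix_free(codes: dict) -> bool:
    """No codeword may be a prefix of another, otherwise decoding would be ambiguous."""
    words = list(codes.values())
    return not any(a != b and b.startswith(a) for a in words for b in words)


def compare_sizes(text: str):
    """(Huffman bits, fixed-length bits) for the same text; shows the gain on skewed data."""
    codes = build_codes(Counter(text))
    fixed = max(1, math.ceil(math.log2(len(set(text)))))
    return len(encode(text, codes)), len(text) * fixed


if __name__ == "__main__":
    sample = "aaaabbbccd"   # constructed: skewed frequencies a=4, b=3, c=2, d=1
    codes = build_codes(Counter(sample))
    print(codes, compare_sizes(sample))
```

On the constructed sample the most frequent symbol `a` gets a 1-bit codeword and the rare `c` and `d` get 3 bits, so the text takes 19 bits against 20 for a fixed 2-bit code; the gain grows with the skew of the distribution, which is why Huffman coding is the final stage of JPEG compression described on slide 17.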
  • 37. Lempel-Ziv Coding Algorithm
    The Lempel-Ziv coding algorithm is a variable-to-fixed length code. The Lempel-Ziv code is not designed for any particular source but for a large class of sources.
    The input sequence is parsed into non-overlapping blocks of different lengths. A dictionary of these blocks is constructed and the following algorithm is used.
    Encoding algorithm:
    1. Initialize the dictionary to contain all blocks of length one (D={a,b})
    2. Search for the longest block W in the dictionary
    3. Encode W by its index in the dictionary
    4. Add W followed by the first symbol of the next block to the dictionary
    5. Go to step 2
  • 38. Lempel-Ziv Coding Algorithm (cont'd)
    An example of encoding:
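The five steps on slide 37 describe the dictionary-building member of the Lempel-Ziv family in which only an index is emitted and the dictionary starts with the alphabet (the variant GIF's LZW compression uses). The block below is an added example, not the module's worked example (its figure is absent from the transcript); the binary-alphabet input `abababbabaabbab` is constructed. The decoder is included because it shows the property that makes the scheme work: the decoder rebuilds the same dictionary from the indices alone, including the one awkward case where an index refers to the entry being added at that very step.

```python
"""Lempel-Ziv dictionary coding as described on slide 37 (added example)."""


def lz_encode(text: str, alphabet: str = "ab"):
    """Return (list of dictionary indices, final dictionary) for `text`."""
    dictionary = {sym: i for i, sym in enumerate(alphabet)}   # step 1: D = {a, b}
    codes, pos = [], 0
    while pos < len(text):
        if text[pos] not in dictionary:
            raise ValueError(f"symbol {text[pos]!r} is not in the alphabet")
        end = pos + 1
        while end < len(text) and text[pos:end + 1] in dictionary:   # step 2: longest W
            end += 1
        block = text[pos:end]
        codes.append(dictionary[block])                              # step 3: emit index
        if end < len(text):
            dictionary[block + text[end]] = len(dictionary)          # step 4: W + next symbol
        pos = end                                                    # step 5: repeat
    return codes, dictionary


def lz_decode(codes, alphabet: str = "ab") -> str:
    """Rebuild the text; the dictionary grows exactly as it did in the encoder."""
    dictionary = list(alphabet)
    out, prev = [], None
    for code in codes:
        if code < len(dictionary):
            block = dictionary[code]
        elif code == len(dictionary) and prev is not None:
            block = prev + prev[0]       # entry not added yet: it is prev + first symbol of prev
        else:
            raise ValueError(f"code {code} refers outside the dictionary")
        out.append(block)
        if prev is not None:
            dictionary.append(prev + block[0])
        prev = block
    return "".join(out)


def code_width_bits(dictionary_size: int) -> int:
    """Fixed width needed per output code: the 'variable-to-fixed' side of the scheme."""
    return max(1, (dictionary_size - 1).bit_length())


if __name__ == "__main__":
    sample = "abababbabaabbab"           # constructed binary-alphabet input
    codes, dictionary = lz_encode(sample)
    print(codes, dictionary, code_width_bits(len(dictionary)), lz_decode(codes) == sample)
```

The 15-symbol sample is parsed into the blocks a, b, ab, ab, ba, ba, abb, ab and encoded as the eight indices `[0, 1, 2, 2, 3, 3, 5, 2]`; each index is a fixed-width code (4 bits for the 9-entry dictionary), and the blocks it stands for vary in length, which is the variable-to-fixed property the slide names. On an input this short the output is not smaller than the input; the gain appears once the dictionary has learned the source's repeated blocks.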
  • 39. Lossy Compression
    Lossy methods provide a high degree of compression and small compressed files, but during decompression a certain amount of data is lost. Lossy compression does not maintain data integrity and is never used for business data and text files.
    Figure: Original Data → Compressed Data → Restored Data
  • 40. Vector Quantization
    Vector quantization is a lossy data compression technique. It is based on the principle of block coding, which means it replaces a block of information with an approximate average value.
    Figure: input values from -4 to 4 mapped onto the 2-bit codes 00, 01, 10, 11
  • 41. Locating and Recovering Image Files
  • 42. Locating and Recovering Image Files
    Carving:
    • It is the process of data recovery
    • It uses a database of headers and footers (essential strings of bytes) for a specific file type and recovers files from a raw disk image
    • File carving also works if the file system metadata has been destroyed
    Salvaging:
    • Collecting and regenerating the image from pieces of an image file dispersed into many areas on the disk is known as salvaging
    Figure: Corrupted Image → Recovered Image
  • 43. Locating and Recovering Image Files Using DriveSpy
    The screenshot shows the location of the clusters where the data has been found and "data found with the matching search".
  • 44. Analyzing Image File Headers
    Investigators analyze image file headers when new file extensions are present that forensic tools cannot recognize. File headers are accessed with the help of a hexadecimal editor such as Hex Workshop. The hexadecimal values present in the header can be used to define a file type.
  • 45. Repairing Damaged Headers
    Investigators recover data remnants from free space; this data would be similar to headers from common image files. Header data that is partly overwritten can be used to repair the damaged headers. The Hex Workshop application can be used to repair damaged headers by comparison.
    JPEG files include the letters "JFIF" after the header's hexadecimal values.
    • Example: JPEG files have a hexadecimal value of: FF D8 FF E0 00 10
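Slides 42, 44 and 45 describe three steps an examiner performs by hand in a hex editor: identify a fragment by its header bytes, carve files out of raw data by header/footer pairs when the file system metadata is gone, and repair a partly overwritten JFIF header by comparing it with the known `FF D8 FF E0 00 10`. The following is an added example that automates those three steps; it is not code from the module, from DriveSpy or from Hex Workshop. The header and footer byte strings are the well-known magic values for each format, and the raw "disk" it scans is constructed inline from four tiny image stubs and filler, so it runs offline.

```python
"""Carve image files from a raw byte buffer and repair a damaged JFIF header (added example)."""
import struct

# Header/footer byte strings for types with a distinctive footer (well-known magic bytes).
SIGNATURES = {
    "JPEG": (b"\xff\xd8\xff", b"\xff\xd9"),
    "PNG":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),   # IEND chunk incl. its constant CRC
    "GIF":  (b"GIF8", b"\x00\x3b"),                             # covers GIF87a and GIF89a
}
MAX_CARVE = 16 * 1024 * 1024                  # stop looking for a footer after 16 MiB
JFIF_HEADER = bytes.fromhex("FFD8FFE00010")   # the JPEG/JFIF header bytes quoted on slide 45


def identify(fragment: bytes) -> str:
    """Name a file type from its leading bytes; 'unknown' when no signature matches."""
    for name, (header, _) in SIGNATURES.items():
        if fragment.startswith(header):
            return name
    if fragment[:2] == b"BM":                 # BMP has no footer; its size lives in the header
        return "BMP"
    return "unknown"


def carve(raw: bytes):
    """Return [(type, offset, data)] found by header/footer matching alone.

    No file system metadata is consulted, so this works on unallocated space or
    on a raw image whose directory structures have been destroyed.  A header
    with no footer in range (or an implausible BMP size) is skipped as a false positive.
    """
    found, pos = [], 0
    while pos < len(raw):
        kind = identify(raw[pos:pos + 8])
        if kind == "unknown":
            pos += 1
            continue
        if kind == "BMP":
            if pos + 6 > len(raw):
                pos += 1
                continue
            (size,) = struct.unpack("<I", raw[pos + 2:pos + 6])
            if size < 14 or pos + size > len(raw):
                pos += 1
                continue
            end = pos + size
        else:
            header, footer = SIGNATURES[kind]
            hit = raw.find(footer, pos + len(header), pos + MAX_CARVE)
            if hit == -1:
                pos += 1
                continue
            end = hit + len(footer)
        found.append((kind, pos, raw[pos:end]))
        pos = end
    return found


def repair_jfif_header(fragment: bytes) -> bytes:
    """Restore a partly overwritten JFIF header by comparison with the known one.

    JFIF files carry the letters "JFIF" at offset 6, right after the six header
    bytes FF D8 FF E0 00 10.  If the letters survive but the leading bytes do
    not, the known header is put back in front of the remaining data.
    """
    if fragment[6:10] != b"JFIF":
        raise ValueError("no JFIF identifier at offset 6; cannot repair by comparison")
    return JFIF_HEADER + fragment[6:]


def build_sample_disk() -> bytes:
    """Constructed raw 'disk' holding four tiny image stubs between filler bytes."""
    filler = b"\x00" * 32 + b"unallocated space, old text, nothing useful " + b"\x00" * 16
    jpeg = JFIF_HEADER + b"JFIF\x00\x01\x01" + b"\x00" * 9 + b"\x11\x22\x33" + b"\xff\xd9"
    png = SIGNATURES["PNG"][0] + b"\x00\x00\x00\x00" + SIGNATURES["PNG"][1]   # signature + empty IEND
    gif = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x2c" + b"\x00" * 9 + b"\x00\x3b"
    body = b"\x00" * 24
    bmp = b"BM" + struct.pack("<I", 6 + len(body)) + body
    return filler + jpeg + filler + png + filler + gif + filler + bmp + filler


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_disk()):
        print(f"{kind:4s} at offset {offset:4d}, {len(data)} bytes")
```

Header/footer carving recovers only contiguous files; a fragmented image needs the salvaging step of slides 42 and 48 to reassemble the pieces. Footer matching also has a known weakness worth keeping in mind when reviewing results: a footer such as `FF D9` can occur inside an embedded thumbnail or inside another file, so every carved object should still be validated structurally (for JPEG, by walking its segments) before it is treated as a recovered picture.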
  • 46. Reconstructing File Fragments
    Corruption of the data prevents investigators from reconstructing file fragments for image files. Data corruption can be:
    • Accidental
    • Intentional
    File fragments can be reconstructed by examining a suspect disk with the help of the DriveSpy application. Investigators can build the case based on the data reconstructed.
  • 47. Identifying Unknown File Formats
    To understand unknown image file formats, you should know about non-standard file formats:
    • Targa (.tga)
    • Raster Transfer Language (.rtl)
    • Photoshop (.psd)
    • Illustrator (.ai)
    • Freehand (.h9)
    • Scalable vector graphics (.svg)
    • Paintbrush (.pcx)
    Tools to identify unknown file formats:
    • Picture Viewer: IrfanView
    • Picture Viewer: ACDSee
    • Picture Viewer: ThumbsPlus
    • Picture Viewer: AD
    • Picture Viewer: Max
    • FastStone Image Viewer
    • XnView
  • 48. Identifying Image File Fragments
    The first step in recovering deleted data files is to identify the image file fragments. If the image file is fragmented across different disk areas, recover all the fragments to re-create the image. Recovering a piece of a file is called salvaging or carving. After recovering the parts of the fragmented image file, restore the fragments and continue the forensic investigation.
  • 49. http://www.filext.com
  • 50. Picture Viewer: IrfanView
    IrfanView is an image viewing program that supports many unknown file formats, including:
    • Targa (.tga)
    • Illustrator (.ai)
    • Scalable vector graphics (.svg)
    • FlashPix (.fpx)
  • 51. Picture Viewer: ACDSee
    ACDSee is an image viewing program that enables investigators to:
    • Find images
    • View images
    • Manage image files on the drive
    • Search and view unknown file formats
  • 52. Picture Viewer: ThumbsPlus
    ThumbsPlus is an image viewing program that enables investigators to:
    • View images from a drive database
    • View files other than images, such as audio and multimedia files
    • Catalog image files for future reference
  • 53. Picture Viewer: AD
    AD is the fastest, easy-to-use, and compact image viewer available for the Windows platform. It allows you to view, print, organize, and catalog images. This program supports all popular graphic formats.
  • 54. Picture Viewer: Max
    Picture Viewer Max is an image and multimedia viewer for Windows 98/ME/2000/XP. It helps to locate, view, edit, print, organize, and send/receive picture/image files over the Internet.
  • 55. FastStone Image Viewer
    FastStone Image Viewer is a fast, stable, user-friendly image browser, converter, and editor.
    Features:
    • Supports common image formats, loading and saving JPEG, JPEG 2000, GIF, BMP, PNG, PCX, TIFF, WMF, ICO, CUR, and TGA
    • Supports zoom and a full screen viewer
    • Crystal clear and customizable magnifier
    • Image EXIF metadata support
    • Resizing, flipping, rotating, cropping, emailing, and color adjusting tools
  • 56. FastStone Image Viewer: Screenshot
  • 57. XnView
    XnView is software to view and convert graphic files. It exists for Windows, MacOS X, Linux x86, Linux ppc, FreeBSD x86, OpenBSD x86, NetBSD x86, Solaris sparc, Solaris x86, Irix mips, HP-UX, and AIX.
    Features:
    • Imports about 400 graphic file formats
    • Exports about 50 graphic file formats
    • Supports multipage TIFF, animated GIF, and animated ICO
    • Supports IPTC and EXIF image metadata
    • Supports lossless rotate & crop (JPEG)
    • Creates web pages
  • 58. XnView: Screenshot
  • 59. Faces – Sketch Software
    FACES contains a data bank of over 3,850 facial features, along with tools and accessories that allow the user to rapidly put a composite image together. It is generally used by law enforcement agencies in identifying suspects.
  • 60. Faces: Screenshot
  • 61. Digital Camera Data Discovery Software: File Hound
    File Hound is a software package that helps to deal with crimes involving digital pictures.
    Features:
    • It searches images based on file signature
    • It distinguishes PNG, GIF, JPG, TIF, WMF, BMP, and ICO
    • It searches for files based on filenames
    • It previews thumbnail images and file information
    • It can preview/print reports based on search results
  • 62. http://vectormagic.com/
    It is a web-based service to convert bitmap images into vector images.
  • 63. Steganography in Image Files
    Two files are required to hide a message within an image file:
    • The file containing the image into which the message is to be put
    • The file containing the message itself
    There are three methods to hide messages in images:
    • Least Significant Bit replacement
    • Filtering and masking
    • Algorithms and transformation
  • 64. Steganalysis
    The goal of steganalysis is to detect suspected hidden information. It determines whether encoded hidden messages are present and, if possible, recovers the hidden information.
    Challenges of steganalysis:
    • The hidden data, if any, may have been encrypted before being inserted into the signal or file
    • Some of the suspect signals or files may have noise or irrelevant data encoded into them, which makes them time consuming to analyze
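Slide 63 names Least Significant Bit replacement as the first embedding method and slide 64 states the detection goal; the statistical test that connects the two is the pairs-of-values chi-square attack of Westfeld and Pfitzmann, which is the kind of analysis automated tools such as the Stegdetect of slide 66 perform. The block below is an added example for this page, not code from the module or from any tool it names. LSB replacement only ever moves a sample between the values 2k and 2k+1, so a fully embedded, roughly random message drives the histogram counts of each such pair toward equality; natural data has no reason to be balanced that way. The cover and stego pixel sequences are constructed inline (the cover is deliberately skewed toward odd values) so the example runs offline; real covers are less tidy, and the test only detects embedding that filled the whole sample range, so practitioners apply it to successive windows of the data rather than to an image as a whole.

```python
"""Pairs-of-values chi-square steganalysis for LSB replacement (added example)."""
import random


def lsb_replace(pixels, bits):
    """LSB replacement: overwrite the least significant bit of each leading sample with a message bit."""
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | (bit & 1)
    return stego


def pov_chi_square(pixels):
    """Westfeld-Pfitzmann pairs-of-values statistic on an 8-bit sample sequence.

    For every pair (2k, 2k+1) the expected even count under the embedding
    hypothesis is the pair's mean; the statistic sums the normalised squared
    deviations of the observed even counts from that mean.  Natural data gives
    a value far above the degrees of freedom, a fully embedded stream a value
    close to it.  Returns (chi_square, degrees_of_freedom).
    """
    hist = [0] * 256
    for p in pixels:
        hist[p & 0xFF] += 1
    chi, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi += (even - expected) ** 2 / expected
            pairs += 1
    return chi, max(pairs - 1, 1)


def looks_embedded(pixels, ratio_threshold: float = 2.0) -> bool:
    """Flag data whose chi-square is within `ratio_threshold` times its degrees of freedom."""
    chi, dof = pov_chi_square(pixels)
    return chi / dof < ratio_threshold


def build_samples(n: int = 20000, seed: int = 7):
    """Constructed (cover, stego) pair: cover samples favour odd values, stego has random LSBs."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.7:     # skew within each pair so the cover is far from balanced
            v |= 1
        cover.append(v)
    message_bits = [rng.randrange(2) for _ in range(n)]   # a random-looking message fills every sample
    return cover, lsb_replace(cover, message_bits)


if __name__ == "__main__":
    cover, stego = build_samples()
    print("cover:", pov_chi_square(cover), looks_embedded(cover))
    print("stego:", pov_chi_square(stego), looks_embedded(stego))
```

On the constructed data the cover's statistic is tens of times its 127 degrees of freedom while the stego version lands near 1.0 times them, so `looks_embedded` separates the two cleanly. Encrypting the message before embedding, the first challenge slide 64 lists, does not defeat this test, because encrypted bits are just as balanced as random ones; it only prevents recovery of the content once the embedding has been detected.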
  • 65. Steganalysis Tools: Hex Workshop & S-Tools
    The Hex Workshop application can detect and write messages onto a file. Investigators use the Hex Workshop tool to reconstruct damaged file headers.
    S-Tools can hide and detect files hidden in BMP, GIF, and WAV files. Investigators have the advantage of multi-threaded operation.
  • 66. Steganalysis Tools: Stegdetect
    Stegdetect:
    • It is an automated tool for detecting steganographic content in images
    • It is capable of detecting several different steganographic methods used to embed hidden information in JPEG images
  • 67. Image File Forensic Tools
  • 68. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited GFE Stealth™ - Forensics Graphics File Extractor Tool http://www.forensics-intl.com/ GFE Stealth tool automatically extracts the exact copies of graphics file images from ambient data sources and SafeBack bit stream image backup files It quickly reconstructs copies of "deleted" image files • It operates under DOS, Windows 98/NT/2000/XP • Partial image file patterns (caused due to fragmentation and/or file corruption) can be automatically reconstructed and viewed • The highly accurate graphics file identification search engine ensures that every byte is checked for integrity • The software when combined with other NTI software processes, operates in batch file mode for automatic processing Features:
• 69. GFE Stealth (cont'd)
GFE Stealth is used:
• To find evidence in corporate, civil, and criminal investigations that involve computer graphics files
• Along with other computer forensic software, to quickly reconstruct and view previously deleted BMP, GIF, and JPEG graphics files
• "After the fact", to determine what image files may have been viewed on or downloaded from the Internet
• 70. Tool: ILook
http://www.perlustro.com/
ILook is a multi-threaded, Unicode-compliant, fast, and efficient forensic analysis tool designed to analyze an image taken from seized computer systems and other digital media
It can examine images obtained from other forensic imaging tools that produce a raw bit-stream image
Features:
• Supports FAT12, FAT16, FAT32, FAT32x, VFAT, NTFS, HFS, HFS+, Ext2FS, Ext3FS, SysV AFS, SysV EAFS, SysV HTFS, CDFS, Netware NWFS, ReiserFS, and ISO9660 file systems
• Granular extraction facilities that allow all or part of a file system to be extracted from an image
• Runs on Windows XP / Server platforms, both 32-bit and 64-bit versions
• File salvage (carving) facilities for recovering files by signature when the file-system metadata that described them is gone
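Both GFE Stealth and ILook's salvage facility carve files by signature from space the file system no longer describes. The script below is an added example, not code from either product or from the original slides, and shows the core of that technique: scan a raw byte buffer for JPEG, PNG, GIF and BMP headers, carve to the trailer (or, for BMP, to the size declared in its own header after checking that the header is sane), mark a hit as partial when the trailer never appears (the "partial image file patterns" of the GFE Stealth slide), and hash the source before and after to show the evidence was only read. The disk-image buffer, the sample files inside it and the per-file size cap are constructed assumptions.

```python
"""Signature-based carving of graphics files from a raw bit-stream image.

Added example, not code from GFE Stealth, ILook or the original slides.
The "disk image" is a constructed byte string; the per-file size cap and
the set of signatures are assumptions.
"""
import hashlib
import struct

MAX_CARVE = 4 * 1024 * 1024   # upper bound per carved file (assumption)

# (format, header signature, trailer signature); BMP has no trailer and
# instead declares its own size in the header.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", b"GIF8", b"\x3b"),
    ("bmp", b"BM", None),
]


def bmp_declared_size(image: bytes, off: int):
    """Trust the BMP size field only when the DIB header size beside it is sane."""
    if off + 18 > len(image):
        return None
    size = struct.unpack_from("<I", image, off + 2)[0]
    dib = struct.unpack_from("<I", image, off + 14)[0]
    if dib not in (12, 40, 52, 56, 108, 124) or size < 14 + dib or size > MAX_CARVE:
        return None
    return size


def carve(image: bytes) -> list[dict]:
    """Scan every byte offset for a header; carve to the trailer (or declared size)
    and mark the hit partial when the trailer never arrives within the cap."""
    found, pos = [], 0
    while pos < len(image):
        for fmt, head, tail in SIGNATURES:
            if not image.startswith(head, pos):
                continue
            if fmt == "gif" and image[pos + 4:pos + 6] not in (b"7a", b"9a"):
                continue
            limit = min(len(image), pos + MAX_CARVE)
            if tail is None:
                size = bmp_declared_size(image, pos)
                if size is None:
                    continue
                partial = pos + size > len(image)      # header promises more than we have
                end = min(pos + size, len(image))
            else:
                idx = image.find(tail, pos + len(head), limit)
                partial = idx == -1
                end = limit if partial else idx + len(tail)
            found.append({"format": fmt, "offset": pos, "length": end - pos, "partial": partial})
            pos = end                                  # do not re-scan inside a carved file
            break
        else:
            pos += 1
    return found


def md5_hex(data: bytes) -> str:
    """Hash the evidence before and after carving to show it was only read."""
    return hashlib.md5(data).hexdigest()


# Constructed sample files: valid headers and trailers around dummy bodies.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x01\x02\x03" * 20 + b"\xff\xd9")
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
              + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00" + b"\x90\x91\x68\x36"
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_GIF = b"GIF89a" + b"\x10\x00\x10\x00\x00\x00\x00" + b"\x10\x20" * 8 + b"\x3b"
SAMPLE_BMP = (b"BM" + struct.pack("<I", 70) + b"\x00" * 4 + struct.pack("<I", 54)
              + struct.pack("<I", 40) + b"\x00" * 36 + b"\x00" * 16)


def build_sample_image() -> bytes:
    """Unallocated-space style buffer: zero filler, four intact files, then a
    JPEG whose tail was overwritten (no EOI marker) at the very end."""
    return (b"\x00" * 512 + SAMPLE_JPEG + b"\x00" * 100 + SAMPLE_PNG + b"\x00" * 64
            + SAMPLE_GIF + b"\x00" * 32 + SAMPLE_BMP + b"\x00" * 16 + SAMPLE_JPEG[:-10])


if __name__ == "__main__":
    image = build_sample_image()
    before = md5_hex(image)
    for hit in carve(image):
        print(hit)
    print("evidence unchanged:", before == md5_hex(image))
```

Header-to-trailer carving is enough for contiguous files; a fragmented JPEG needs the carver to validate the marker and entropy-coded structure as it goes, which is the part of the job the commercial tools above automate.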
• 71. Tool: P2 eXplorer
http://www.paraben-forensics.com/
P2 eXplorer allows you to mount a forensic image and explore it as though it were a drive on your machine while preserving the forensic nature of the evidence
Features:
• Mounts Paraben's Forensic Replicator images (PFR), including compressed and encrypted PFR images
• Mounts EnCase images
• Mounts SafeBack 1 & 2 images
• Mounts WinImage non-compressed images
• Mounts RAW images from Linux dd and other tools
• Supports dynamic drive images
• Auto-detects the image format
• Supports both logical and physical image types
• MD5 hash verification of the mounted image
• Shell support for easy mounting/unmounting
• Write-protection for preserving evidence
• 72. Tool: VisionStage
http://www.alliancevision.com/
VisionStage is an image acquisition software package that integrates a set of simplified functions for capturing images
It is designed for managing image sequences and for importing and exporting AVI files
It supports several frame grabbers and exposes their acquisition parameters: gain, contrast, signal type, trigger and shutter, and digitization mode
It has a graphical interface for optimizing each step of the digitization process
• 73. Tool: VisionStage (cont'd)
Functions provided by VisionStage:
• Frame grabber configuration
• Choice of the trigger
• Dynamic "live image" visualization
• Acquisition of single images or complete sequences
• Selection of a region of interest
• In sequence acquisition mode: time code generation and support
• Reading of image files, image folders, sequence files, and AVI files
• Selection/suppression of images, sequences, or parts of sequences
• External processing and analysis support for specific applications
• 74. Tool: Digital Pictures Recovery
http://www.photosrecovery.com/
Digital Pictures Recovery recovers images from a camera's memory card
It recovers lost, deleted, and formatted digital photos, files, and data on removable media and works with any type of digital card reader
It recovers lost or deleted digital photos from:
• CompactFlash
• Memory Stick Duo, Memory Stick Pro, and Memory Stick Pro Duo
• SmartMedia
• miniSD and SD Card
• MultiMediaCard (MMC)
• xD Picture Card
• Digital cell phones
• CD-R / CD-RW
• PDA
• Zip disk
• Hard disk
• Floppy disk
• 75. Identifying Copyright Issues on Graphics
Section 106 of the 1976 Copyright Act:
The owner of copyright under this title has the exclusive rights to do and to authorize any of the following:
• (1) to reproduce the copyrighted work in copies or phonorecords;
• (2) to prepare derivative works based upon the copyrighted work;
• (3) to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending;
• (4) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly;
• (5) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly; and
• (6) in the case of sound recordings, to perform the copyrighted work publicly by means of a digital audio transmission
• 76. Case Study
Barracuda reels in image-based spam
Cara Garretson, July 19, 2006 (Network World)
Barracuda Networks Wednesday announced downloads for its email security appliances designed to help fend off the growing nuisance of image spam. Image spam is unwanted email in which text is embedded in an image to foil traditional spam filters that catch spam by scanning messages for keywords and by using other text-based techniques. Barracuda says that approximately 25 percent of all unwanted e-mail today is image-based spam.
The company's new downloads use optical character recognition (OCR) and fingerprint analysis to catch image-based spam, according to officials. The OCR feature recognizes the embedded text and converts it to data so it can be scanned like any other piece of e-mail. The fingerprint analysis feature scans spam messages caught in Barracuda's honeypot network and breaks them down into components, assigning unique identifiers to each portion so they can be easily recognized. The software then compares incoming messages to this database of image-based spam fingerprints and flags those that match, officials say.
The free OCR and fingerprint analysis updates are available now to customers of Barracuda's Spam Firewall appliances. The company's enterprise version, designed for organizations with up to 25,000 users, is priced starting at $29,999 plus $6,599 for update services.
• 77. Summary
An image is an artifact that reproduces the likeness of some subject
A file format is 'a particular way to encode information for storage in a computer file'
The standard image file formats include JPEG, GIF, BMP, TAG, and EPS
Data compression means encoding the data so that it takes up less storage space and less bandwidth for transmission; the data is compressed with an algorithm that reduces the size of the file
Lossy compression permanently discards some of the information contained in the file to achieve a smaller size
Image files have a unique file header value; fragments of common image headers survive as residual data from partially overwritten files in file slack, which is how deleted images are identified and carved