Book Three-Chapter5- Image File Forensics Flashcards Preview

Computer Forensics > Book Three-Chapter5- Image File Forensics > Flashcards

Flashcards in Book Three-Chapter5- Image File Forensics Deck (10)
Loading flashcards...

Describe 3 differences between vector images and raster images:

Understanding Vector Images
Vector images use geometrical shapes and primitives, such as points, lines, curves, and polygons, based upon mathematical equations, in order to represent images in a computer. Because each image is basically an equation, it is easy to move, scale, rotate, and fill a completed image. The file size of a vector image is relatively small, because it stores only the mathematical calculations, not the images, of the pictures included. Vector images can be easily embedded into another program without bloating the host file size.

It is possible to enlarge a vector image without affecting the quality of the image; the graphic program simply multiplies the existing pixels on the image file by the magnification you select. When investigators examine images in forensic investigations, they can enlarge elements greatly to examine them better.

Vector files can be converted into raster files, as long as there are no other images, such as digital photography or scanned photographs, in the vector file format.

Understanding Raster Images
Unlike vector images, raster images are composed of a collection of pixels. A pixel is a single point in a graphic image. The quality of raster images is specified by the number of pixels present and information present in each pixel. Because the number of pixels is fixed when the image is set, if you enlarge the image, it loses its quality. (Imagine a photograph. When you enlarge the photograph, the picture becomes blurry, and it is harder to see specific elements.)

In every raster image, pixels are associated with three 8-bit color values (0–255 values) that define the amount of each of the three colors (red, green, and blue) in each pixel. Images that have less color require less information per pixel. Images that have only black and white pixels contain only a single bit for each piece of information.

File formats such as BMP, JPEG, and GIF are examples of the raster image. In a raster image, the pixels are arranged in rows that make the image file easier to print. When any type of image is printed, it has to be converted to a raster image first to print the pixels line by line, in order to finish the complete set of pixels.


Name 3 image file formats and name whether each is vector, raster, or both

File formats such as BMP, JPEG, and GIF are examples of the raster image. In a raster image, the pixels are arranged in rows that make the image file easier to print. When any type of image is printed, it has to be converted to a raster image first to print the pixels line by line, in order to finish the complete set of pixels.


How does file compression work?

Data Compression in Image Files
Image file formats, like bitmaps, cannot compress data without the help of some compression tools. Some of the most popular image file formats use the Graphics Interchange Format (GIF) and Joint Photographic Experts Group (JPEG) to compress data. This saves disk space and reduces the time it would take to transfer the image from one system to another. Compression tools make the data compact and reduce the file size so drive space can be saved.

Data compression is a procedure that makes use of multifaceted algorithms used to reduce the file size. Typically, coding the data from a larger image to another smaller one is known as data compression. Vector quantization is similar to data compression. A vector image makes use of a mathematical equation that is similar to rounding up decimal values to eliminate unnecessary data.

Data compression is of interest in computer forensics because of its advantages in data processing, such as the cost savings and large volume of data manipulated in many business applications. The genre of local redundancy present in business data files comprise runs of zeros in numeric fields, series of blanks in alphanumeric fields, and fields present in some records and null in others.

Understanding File Compression
Most files use the same information, meaning they repeat the same sentences or words many times. File compression programs simply get rid of the redundancy. The file compression techniques list the information that is repeated, assign a code or number to each unique bit of information, and use the code to compress the information.

In this technique, repeated words are selected and stored into the dictionary. This dictionary consists of the words and numbers assigned to them. So when any word is repeated, the number is written, rather than the word. It is necessary to maintain the dictionary because the dictionary is used to decompress the file. Most compression methods use the LZW adaptive dictionary-based algorithm.

For example: The cat is in the tree.

1 2 3 4 1 5

In the above example “the” word is repeated twice, so rather than write “the” two times, it is easier to give the number.

There are two main techniques of data compression:

Lossless compression: Lossless compression maintains data integrity.

Lossy compression: Lossy compression does not maintain data integrity.


What is the difference between lossless and lossy data compressions? Which would you use with text files?

Lossy Compression
Lossy compression is different from lossless compression, as it can compress data permanently by overlooking some parts of the data. However, data integrity is not maintained in the lossy data compression technique.

The lossy data compression technique is never used for text compression. When a JPEG file is saved under a different image format, lossy compression is used to compress the data. However, once the image file is decompressed, the user will lose a lot of information. Another form of lossy compression is when vectors are used to compress the file, known as vector quantization.

Vector Quantization
Vector quantization is a lossy data compression technique. Vector quantization uses an algorithm to find out if the data can be disregarded based on vectors that are present in the image file. The algorithms used are based on the principle of block coding. In each block, the information is replaced by the approximate average value.


Describe 2 main differences between the LZW and Huffman coding systems.

Lossless Compression Algorithms
Huffman Coding Algorithm
The Huffman coding algorithm is a fixed-to-variable length code algorithm. It takes input characters that have a fixed length and gives the output, which has a variable length. The main concept behind the algorithm is that short code words are assigned to those input blocks that have high probabilities, and long code words to those with low probabilities. The characters can be arranged in any way.

This algorithm combines two possible characters into a single possibility by adding the code word. This procedure is continued until only one character remains. The tree is formed, and from that code tree, the Huffman code is obtained. Huffman codes are not unique. You can assign any label, such as a label to the upper branches of zero, and to the lower branches a label of one.

This algorithm uses two possible characters. In the example below, these characters are zero and one. The values with the highest probability, a and e, have the shortest codes (00 and 10). The values with the lowest probability, j and b, have the longest codes (111111 and 111110). Once these values are compressed, the file will be shorter because there will be fewer long-code values in the resulting file than short-code values.

LZW (Lempel-Ziv-Welch) Coding Algorithm
The LZW is used in most of the lossless compression techniques. LZW is a fixed-to-variable length code algorithm. Input is given in the variable length, while the output is given in the fixed length. It was generated not for a particular source, but for a large class of sources. In this algorithm, the input is given to the nonoverlapping blocks that have different lengths.

The following explains how to apply the encoding algorithm:

First, create a dictionary that contains all the blocks of one length, but all are nonoverlapping blocks (D={a,b}).

Find the longest block W present in the dictionary.

Encode that W, by its value present in the dictionary.

Add W, followed by the first symbol of the next block to the dictionary.

Return to step 2 and repeat the same procedure.

In this way, the final amount of bits needed to contain the same information is reduced.


When you analyze image file headers, what are you looking for?

Analyzing Image File Headers
Investigators must analyze image file headers when normal forensic tools cannot recognize new file extensions. Hexadecimal values present in the header can be used to define a file type in DriveSpy. A hexadecimal editor, such as Hex Workshop, can help access the file header.

For instance, when an investigator encounters a .h9 Freehand file, the file headers section of DriveSpy.ini is not able to define the .h9 format. In order to determine the file type, the investigator will need to know the file’s good header value. This can be found by comparing the existing file headers with file headers of another image file format. The investigator can then identify a tool that can rescue and display the image.


What does carving mean?

AKA salvaging
Reconstructing an image file that was accidentally or deliberately destroyed using file fragments


Name a steganalysis tool and describe how it works.

Steganalysis is the reverse process of steganography. Steganography hides the data, while steganalysis is used to detect the data hidden via steganography. Steganalysis determines the encoded hidden message and, if possible, recovers that message. The message can be detected by looking at variances between bit patterns and unusually large file sizes.

There are two main challenges of steganalysis:

The data may have been encrypted before it was hidden.

If some of the signal or file contains noise or irrelevant data encoded into it, steganalysis can be complicated and take longer.

Tool: Hex Workshop
The Hex Workshop is a set of hexadecimal development tools for Microsoft Windows, combining advanced binary editing with the ease and flexibility of a word processor. With Hex Workshop, forensic investigators can edit, cut, copy, paste, insert, and delete hex; print customizable hex dumps; and export to RTF or HTML for publishing. Additionally, investigators can go to, find, replace, compare, and calculate checksums and character distributions within a sector or file.

Hex Workshop is integrated with Windows Explorer so investigators can hex-edit from the most frequently used workspaces. Hex Workshop includes a Base Converter for converting between hex, decimal, and binary, and a Hex Calculator supporting arithmetic and logical operations. The Hex Workshop also contains a Data Inspector and Structure Viewer so examiners can view and edit interpreted decimal values and embedded arithmetic and logical operations, allowing direct manipulation of the data.

Some features of the Hex Workshop application include:

1. A highly customizable editing environment

2. Data in its natural and native structured form as viewed through the Structure Viewer

3. Dynamic bookmarks in a simple macro language

4. The ability to edit sectors of floppies and hard disks

5. Prints high-quality hex dumps with customized headers, footers, and fonts

6. Views and edits raw binary data as decimal values with the Data Inspector

7. Interprets values in either little-endian (e.g., Intel) or big-endian (e.g., Motorola) byte ordering

8. Manipulates data using one of 22 embedded operations: byteflip, inverse bits, left shift, right shift, rotate left, rotate right, block shift left, block shift right, XOR, OR, AND, change sign, plus, minus, multiply, divide, mod, setfloorvalue, setceilingvalue, uppercase, lowercase, and swapcased

9. Inserts external file contents or save a block of data as a new file

10. Changes are tracked and coded in color

11. Exports and copies hex as RTF, text, and HTML for publishing or as C source or Java source

12. Imports and exports Intel hex code and Motorola S-Records.

13. Finds and replaces hex, bitmasks, decimal, or ASCII (including Unicode) values

14. Easily navigates documents and sectors using the goto command

15. Views text interpretations under ASCII, DOS, EBCDIC, Macintosh, Windows, and Unicode character set filters

16. A binary compare tool to find differences in files

17. Calculates checksums and digests (MD2, MD4, MD5, SHA1) for all or part of a file

18. Views character distributions and exports results as tabbed text or comma-separated values

19. File/disk properties with the click of the mouse

20. File/disk attributes in the status bar

21. Online help including multiple character tables and list of data types and ranges

Tool: Stegdetect
Stegdetect is used for the detection of steganographic content in an image. Stegdetect supports linear discriminant analysis. Linear discriminant analysis is the technique that determines the stego image that contains the hidden data. It detects different steganographic methods to embed hidden information in JPEG images.

Stegdetect supports several different feature vectors, and automatically computes receiver operating characteristics, which can be used to evaluate the quality of the automatically learned detection function.

Can penetrate information hidden using applications such as jsteg, jphide (UNIX and Windows), Invisible Secrets, Outguess v.01.3b, F5, appendX, and Camouflage.

Tool: ILook v8
ILook is a multithreaded, Unicode-compliant image file forensic investigation tool. It recovers images from seized computer systems or other digital media quickly. It is also used to detect images obtained from forensic imaging tools that produce a raw bitstream image. It supports Windows 2000 or Windows XP 32-bit platforms and the Windows Server 2003 64-bit platform.

Some features of ILook include:

Identification and support of the following file systems: FAT12, FAT16, FAT32, FAT32x, VFAT, NTFS, HFS, HFS+, Ext2FS, Ext3FS, SysV AFS, SysV EAFS, SysV HTFS, CDFS, Netware NWFS, ReiserFS, and ISO9660

An Internet Explorer–like interface allowing an investigator to view and navigate the file system as it originally appeared on the suspect’s computer

Granular extraction facilities that allow all or part of a file system to be extracted from an image

Fast, sophisticated, regular expression search engine

Built-in multiformat file viewing

Password and pass-phrase dictionary generators

File salvage (carve) capabilities

Orphaned FAT directory recovery

Hash analysis functions

Data tagging and categorization features

Case and evidence management features and multievidential item handling

Internet cache and mailbox deconstruction functions

Additional imager built into ILook for imaging directly attached devices

File filtering and elimination functions

Search-results database stores the results of all searches run against any item in a case

Tool: P2 eXplorer
Paraben’s P2 eXplorer allows an investigator to mount a forensic image and explore it as though it were a drive. The image is not just mounted to view logical files, but is mounted as the actual bitstream image, preserving unallocated, slack, and deleted data.

P2 eXplorer is able to:

Mount compressed and encrypted Paraben’s Forensic Replicator (PFR) images, and several images at a time

Mount PFR, EnCase images (up to v4.02), SafeBack 1 and 2 images, WinImage noncompressed images and RAW images from Linux dd and other tools

Support dynamic drive images and both logical and physical image types

Autodetect image format

Shell support easy mounting/unmounting as well as mounting over a network

Write-protect for preserving evidence

MD5 checksum verify and hash verify


How do you reconstruct file fragments?

Reconstructing File Fragments
Corruption of data prevents investigators from reconstructing file fragments from an image file. Data can be corrupted accidentally without the knowledge of the user of the computer, or the data can be corrupted intentionally. It is up to the forensic investigator to find out how the data was corrupted. File fragments can be reconstructed by using DriveSpy to examine a suspect disk. Investigators can then build the case based on the reconstructed data.

Many forensic investigations lead to the conclusion that the suspect has intentionally corrupted data in order to hide incriminating evidence. The suspect may have done this by corrupting cluster links in a FAT of a disk. A disk-editing tool can help a forensic investigator access the FAT and identify the corrupted cluster. Corrupted clusters display 0000 in the disk editor.


List 3 different image file forensic tools. Describe why you would use each.

Identifying Unknown File Formats
Computer forensic investigators often come across unknown image file formats. The following is a list of nonstandard image file formats:

Targa (.tga)

Raster Transfer Language (.rtl)

Photoshop (.psd)

Illustrator (.ai)

Freehand (.h9)

Scalable vector graphics (.svg)

Paintbrush (.pcx)

In order to find and view nonstandard image file formats, forensic investigators can use any search engine, using the image file extension, to identify and download a tool that can view the image.

The following tools can identify nonstandard file formats:





AD Picture Viewer

Picture Viewer Max

FastStone Image Viewer


FACES—Sketch Software

Tool: FILExt
FILExt is a quick way to identify the file type or parent application of a file based on the extension. On the FILExt Web site, enter the extension (for example, .lmp), and the application will return the most likely file type as well as some notes about the parent application and/or history of the file type. Some even return header strings in hexadecimal. Some extensions, such as .crc, will return several possible parent applications or file types. A forensic investigator can use the header strings to confirm which of the returned file types it is.

Tool: Picture Viewer—IrfanView
IrfanView is an image-viewing program that supports many nonstandard file formats including:

Targa (.tga)

Illustrator (.ai)

Scalable vector graphics (.svg)

FlashPix (.fpx)

Some notable features of IrfanView include:

Ability to edit and add to images

Various view options, including slideshow and thumbnail view

Batch conversion

Command line options

Multipage TIFF editing and lossless JPEG rotation

Tool: ACDSee
ACDSee is an image-viewing program that allows an investigator to find, view, manage, and edit images. With ACDSee version 9, investigators can also acquire image files, create PDFs, and view unknown file formats, including media files. ACDSee viewer displays images in full resolution.

Tool: ThumbsPlus
ThumbsPlus is an image-cataloging program that enables an investigator to locate, view, edit, print, and organize images, metafiles, fonts, and movies.

Version 10 supports a variety of file formats, including:

Common formats: TIFF, JPEG, PNG, RAW

Photoshop (.psd), including documents loaded with plug-ins

Various camera file formats

Images loaded using new Cerious plug-ins

Scanned images (TWAIN)

Tool: AD Picture Viewer
AD Picture Viewer is a fast and compact image viewer for the Windows environment. It allows an investigator to view, print, organize, and manage images. It supports all popular graphic formats.

Tool: Picture Viewer Max
Picture Viewer Max is an image and multimedia viewer for Windows 98/ME/2000/XP/Vista/7/8, and 10. It locates, views, edits, prints, organizes, sends and receives picture and image files, including videos, sounds, music, text files, documents, HTML, and system files. A forensic investigator can edit picture/image files using techniques such as flip, reverse, rotate, resize, brightness, contrast, color saturation, grayscale, hue, and other special effects and filters.

Some notable features of Picture Viewer Max are:

It can add 3-D text and geometric shapes to pictures and images displayed in a multiple document interface.

It can create blank picture frames with color gradients for logos or picture backgrounds.


It can convert picture file formats between picture file types.

It can print up to eight pictures on a page, with titles for each page and picture. Select your font and color for all printed text.

It can receive pictures and Zip files by e-mail, and view, edit, save, and print with Picture Viewer Max.

Tool: FastStone Image Viewer
The FastStone Image Viewer is an image browser, converter, and editor. It has a nice array of features that include: image viewing, management, comparison, red-eye removal, e-mailing, resizing, cropping, and color adjustments.

Some notable features of FastStone Image Viewer are:

Image modification tools: Resize/resample, rotate/flip, crop, sharpen/blur, brightness/contrast

Support for all major graphic formats (BMP, JPEG, JPEG 2000, animated GIF, PNG, PCX, TIFF, WMF, ICO, and TGA), and popular digital camera RAW formats (CRW, CR2, NEF, PEF, RAF, MRW, ORF, SRF, and DNG)

High-quality magnification and a musical slideshow with 150+ transitional effects

Image annotation and scanner support

Image color effects: grayscale, sepia, negative, RGB adjustment

Image special effects: watermark, annotation, drop shadows, framing, bump map, lens, morph, waves

Image management, including tagging capability, with drag-and-drop and copy to/move to folder support

Versatile screen capture capability

Tool: XnView
The XnView tool can display and convert graphics files. It supports more than 400 graphics formats. Versions of it support Windows, Mac OS X, Linux x86, Linux ppc, FreeBSD x86, OpenBSD x86, NetBSD x86, Solaris sparc, Solaris x86, Irix mips, HP-UX, and AIX.

XnView includes the following features:

It can import about 400 graphics file formats and export about 50 graphics file formats.

It can support multipage TIFF, animated GIF, and animated ICO, as well as Image IPTC and EXIF metadata.

It can support resize, rotate, and crop.

It includes support for auto levels and contrast.

The user can apply filters and effects (e.g., blur, average, emboss, lens, wave) and modify the number of colors.

It supports full-screen mode.

It has support to create or edit multipage files (TIFF, DCX, LDF).

It prints, drags and drops, and has 44 languages in Windows.

Tool: FACES—Sketch Software
FACES contains a database of more than 3,850 facial features, including tools and accessories. This utility allows you to compose many images with their permutations and combinations. Law enforcement agencies use the software to identify suspects.

The features included in the software are coded in morphological order, and allow you to design images or faces of your choice with ease. One of the main features of this software is the utility InterCode, which encrypts the composite image and converts it into a character ID code. There exists a unique InterCode with every original image. When you click in the InterCode, a corresponding composite image appears on the screen. Thus, the software performs the process in seconds. This software is primarily used by law enforcement agencies and crime branch investigation organizations in identifying suspects.