chapter 10 recovering graphics files guide to computer forensics and investigations third edition
Post on 21-Dec-2015
306 views
TRANSCRIPT
![Page 1: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/1.jpg)
Chapter 10Recovering Graphics Files
Guide to Computer Forensics and Investigations
Third Edition
![Page 2: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/2.jpg)
Guide to Computer Forensics and Investigations 2
Objectives
• Describe types of graphics file formats
• Explain types of data compression
• Explain how to locate and recover graphics files
• Describe how to identify unknown file formats
• Explain copyright issues with graphics
![Page 3: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/3.jpg)
Guide to Computer Forensics and Investigations 3
Recognizing a Graphics File
• Contains digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures – Bitmap images: collection of dots
– Vector graphics: based on mathematical instructions
– Metafile graphics: combination of bitmap and vector
• Types of programs– Graphics editors
– Image viewers
![Page 4: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/4.jpg)
Guide to Computer Forensics and Investigations 4
Understanding Bitmap and Raster Images
• Bitmap images– Grids of individual pixels
• Raster images– Pixels are stored in rows– Better for printing
• Image quality– Screen resolution– Software– Number of color bits used per pixel
![Page 5: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/5.jpg)
Guide to Computer Forensics and Investigations 5
Understanding Vector Graphics
• Characteristics– Lines instead of dots– Store only the calculations for drawing lines and
shapes– Smaller size– Preserve quality when image is enlarged
• CorelDraw, Adobe Illustrator
![Page 6: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/6.jpg)
Guide to Computer Forensics and Investigations 6
Understanding Metafile Graphics
• Combine raster and vector graphics
• Example– Scanned photo (bitmap) with text (vector)
• Share advantages and disadvantages of both types– When enlarged, bitmap part loses quality
![Page 7: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/7.jpg)
Guide to Computer Forensics and Investigations 7
Understanding Graphics File Formats
• Standard bitmap file formats– Graphic Interchange Format (.gif)– Joint Photographic Experts Group (.jpeg, .jpg)– Tagged Image File Format (.tiff, .tif)– Window Bitmap (.bmp)
• Standard vector file formats– Hewlett Packard Graphics Language (.hpgl)– Autocad (.dxf)
![Page 8: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/8.jpg)
Guide to Computer Forensics and Investigations 8
Understanding Graphics File Formats (continued)
• Nonstandard graphics file formats– Targa (.tga)– Raster Transfer Language (.rtl)– Adobe Photoshop (.psd) and Illustrator (.ai)– Freehand (.fh9)– Scalable Vector Graphics (.svg)– Paintbrush (.pcx)
• Search the Web for software to manipulate unknown image formats
![Page 9: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/9.jpg)
Guide to Computer Forensics and Investigations 9
Understanding Digital Camera File Formats
• Witnesses or suspects can create their own digital photos
• Examining the raw file format– Raw file format
• Referred to as a digital negative
• Typically found on many higher-end digital cameras
– Sensors in the digital camera simply record pixels on the camera’s memory card
– Raw format maintains the best picture quality
![Page 10: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/10.jpg)
Guide to Computer Forensics and Investigations 10
Understanding Digital Camera File Formats (continued)
• Examining the raw file format (continued)– The biggest disadvantage is that it’s proprietary
• And not all image viewers can display these formats
– The process of converting raw picture data to another format is referred to as demosaicing
• Examining the Exchangeable Image File format– Exchangeable Image File (EXIF) format
• Commonly used to store digital pictures
• Developed by JEIDA as a standard for storing metadata in JPEG and TIFF files
![Page 11: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/11.jpg)
Guide to Computer Forensics and Investigations 11
Understanding Digital Camera File Formats (continued)
• Examining the Exchangeable Image File format (continued)– EXIF format collects metadata
• Investigators can learn more about the type of digital camera and the environment in which pictures were taken
– EXIF file stores metadata at the beginning of the file
![Page 12: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/12.jpg)
Guide to Computer Forensics and Investigations 12
Understanding Digital Camera File Formats (continued)
![Page 13: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/13.jpg)
Guide to Computer Forensics and Investigations 13
Understanding Digital Camera File Formats (continued)
![Page 14: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/14.jpg)
Guide to Computer Forensics and Investigations 14
Understanding Digital Camera File Formats (continued)
![Page 15: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/15.jpg)
Guide to Computer Forensics and Investigations 15
Understanding Digital Camera File Formats (continued)
• Examining the Exchangeable Image File format (continued)– With tools such as ProDiscover and Exif Reader
• You can extract metadata as evidence for your case
![Page 16: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/16.jpg)
Guide to Computer Forensics and Investigations 16
![Page 17: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/17.jpg)
Guide to Computer Forensics and Investigations 17
Understanding Data Compression
• Some image formats compress their data– GIF, JPEG, PNG
• Others, like BMP, do not compress their data– Use data compression tools for those formats
• Data compression– Coding of data from a larger to a smaller form– Types
• Lossless compression and lossy compression
![Page 18: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/18.jpg)
Guide to Computer Forensics and Investigations 18
Lossless and Lossy Compression
• Lossless compression– Reduces file size without removing data– Based on Huffman or Lempel-Ziv-Welch coding
• For redundant bits of data
– Utilities: WinZip, PKZip, StuffIt, and FreeZip
• Lossy compression– Permanently discards bits of information– Vector quantization (VQ)
• Determines what data to discard based on vectors in the graphics file
– Utility: Lzip
![Page 19: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/19.jpg)
Guide to Computer Forensics and Investigations 19
Locating and Recovering Graphics Files
• Operating system tools– Time consuming– Results are difficult to verify
• Computer forensics tools– Image headers
• Compare them with good header samples
• Use header information to create a baseline analysis
– Reconstruct fragmented image files• Identify data patterns and modified headers
![Page 20: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/20.jpg)
Guide to Computer Forensics and Investigations 20
Identifying Graphics File Fragments
• Carving or salvaging– Recovering all file fragments
• Computer forensics tools– Carve from slack and free space– Help identify image files fragments and put them
together
![Page 21: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/21.jpg)
Guide to Computer Forensics and Investigations 21
Repairing Damage Headers
• Use good header samples
• Each image file has a unique file header– JPEG: FF D8 FF E0 00 10– Most JPEG files also include JFIF string
• Exercise:– Investigate a possible intellectual property theft by a
contract employee of Exotic Mountain Tour Service (EMTS)
![Page 22: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/22.jpg)
Guide to Computer Forensics and Investigations 22
Searching for and Carving Data from Unallocated Space
![Page 23: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/23.jpg)
Guide to Computer Forensics and Investigations 23
Searching for and Carving Data from Unallocated Space (continued)
![Page 24: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/24.jpg)
Guide to Computer Forensics and Investigations 24
Searching for and Carving Data from Unallocated Space (continued)
• Steps– Planning your examination– Searching for and recovering digital photograph
evidence• Use ProDiscover to search for and extract (recover)
possible evidence of JPEG files
• False hits are referred to as false positives
![Page 25: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/25.jpg)
Guide to Computer Forensics and Investigations 25
![Page 26: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/26.jpg)
Guide to Computer Forensics and Investigations 26
Searching for and Carving Data from Unallocated Space (continued)
![Page 27: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/27.jpg)
Guide to Computer Forensics and Investigations 27
Searching for and Carving Data from Unallocated Space (continued)
![Page 28: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/28.jpg)
Guide to Computer Forensics and Investigations 28
Searching for and Carving Data from Unallocated Space (continued)
![Page 29: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/29.jpg)
Guide to Computer Forensics and Investigations 29
Searching for and Carving Data from Unallocated Space (continued)
![Page 30: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/30.jpg)
Guide to Computer Forensics and Investigations 30
Searching for and Carving Data from Unallocated Space (continued)
![Page 31: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/31.jpg)
Guide to Computer Forensics and Investigations 31
Rebuilding File Headers
• Try to open the file first and follow steps if you can’t see its content
• Steps– Recover more pieces of file if needed– Examine file header
• Compare with a good header sample
• Manually insert correct hexadecimal values
– Test corrected file
![Page 32: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/32.jpg)
Guide to Computer Forensics and Investigations 32
Rebuilding File Headers (continued)
![Page 33: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/33.jpg)
Guide to Computer Forensics and Investigations 33
![Page 34: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/34.jpg)
Guide to Computer Forensics and Investigations 34
![Page 35: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/35.jpg)
Guide to Computer Forensics and Investigations 35
Rebuilding File Headers (continued)
![Page 36: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/36.jpg)
Guide to Computer Forensics and Investigations 36
Rebuilding File Headers (continued)
![Page 37: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/37.jpg)
Guide to Computer Forensics and Investigations 37
Reconstructing File Fragments
• Locate the starting and ending clusters – For each fragmented group of clusters in the file
• Steps– Locate and export all clusters of the fragmented file– Determine the starting and ending cluster numbers
for each fragmented group of clusters– Copy each fragmented group of clusters in their
proper sequence to a recovery file– Rebuild the corrupted file’s header to make it
readable in a graphics viewer
![Page 38: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/38.jpg)
Guide to Computer Forensics and Investigations 38
Reconstructing File Fragments (continued)
![Page 39: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/39.jpg)
Guide to Computer Forensics and Investigations 39
Reconstructing File Fragments (continued)
![Page 40: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/40.jpg)
Guide to Computer Forensics and Investigations 40
Reconstructing File Fragments (continued)
![Page 41: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/41.jpg)
Guide to Computer Forensics and Investigations 41
Reconstructing File Fragments (continued)
![Page 42: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/42.jpg)
Guide to Computer Forensics and Investigations 42
Reconstructing File Fragments (continued)
• Remember to save the updated recovered data with a .jpg extension
• Sometimes suspects intentionally corrupt cluster links in a disk’s FAT– Bad clusters appear with a zero value on a disk
editor
![Page 43: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/43.jpg)
Guide to Computer Forensics and Investigations 43
Reconstructing File Fragments (continued)
![Page 44: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/44.jpg)
Guide to Computer Forensics and Investigations 44
Reconstructing File Fragments (continued)
![Page 45: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/45.jpg)
Guide to Computer Forensics and Investigations 45
Identifying Unknown File Formats
• The Internet is the best source– Search engines like Google– Find explanations and viewers
• Popular Web sites– www.digitek-asi.com/file_formats.html– www.wotsit.org– http://whatis.techtarget.com
![Page 46: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/46.jpg)
Guide to Computer Forensics and Investigations 46
Analyzing Graphics File Headers
• Necessary when you find files your tools do not recognize
• Use hex editor such as Hex Workshop– Record hexadecimal values on header
• Use good header samples
![Page 47: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/47.jpg)
Guide to Computer Forensics and Investigations 47
Analyzing Graphics File Headers (continued)
![Page 48: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/48.jpg)
Guide to Computer Forensics and Investigations 48
Analyzing Graphics File Headers (continued)
![Page 49: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/49.jpg)
Guide to Computer Forensics and Investigations 49
Tools for Viewing Images• Use several viewers
– ThumbsPlus– ACDSee– QuickView– IrfanView
• GUI forensics tools include image viewers– ProDiscover– EnCase– FTK– X-Ways Forensics– iLook
![Page 50: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/50.jpg)
Guide to Computer Forensics and Investigations 50
Understanding Steganography in Graphics Files
• Steganography hides information inside image files– Ancient technique– Can hide only certain amount of information
• Insertion– Hidden data is not displayed when viewing host file
in its associated program• You need to analyze the data structure carefully
– Example: Web page
![Page 51: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/51.jpg)
Guide to Computer Forensics and Investigations 51
![Page 52: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/52.jpg)
Guide to Computer Forensics and Investigations 52
Understanding Steganography in Graphics Files (continued)
![Page 53: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/53.jpg)
Guide to Computer Forensics and Investigations 53
Understanding Steganography in Graphics Files (continued)
• Substitution– Replaces bits of the host file with bits of data– Usually change the last two LSBs– Detected with steganalysis tools
• Usually used with image files– Audio and video options
• Hard to detect
![Page 54: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/54.jpg)
Guide to Computer Forensics and Investigations 54
Understanding Steganography in Graphics Files (continued)
![Page 55: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/55.jpg)
Guide to Computer Forensics and Investigations 55
Understanding Steganography in Graphics Files (continued)
![Page 56: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/56.jpg)
Guide to Computer Forensics and Investigations 56
Using Steganalysis Tools
• Detect variations of the graphic image– When applied correctly you cannot detect hidden
data in most cases
• Methods– Compare suspect file to good or bad image versions– Mathematical calculations verify size and palette
color– Compare hash values
![Page 57: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/57.jpg)
Guide to Computer Forensics and Investigations 57
Identifying Copyright Issues with Graphics
• Steganography originally incorporated watermarks
• Copyright laws for Internet are not clear– There is no international copyright law
• Check www.copyright.gov
![Page 58: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/58.jpg)
Guide to Computer Forensics and Investigations 58
Summary
• Image types– Bitmap– Vector– Metafile
• Image quality depends on various factors• Image formats
– Standard– Nonstandard
• Digital camera photos are typically in raw and EXIF JPEG formats
![Page 59: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/59.jpg)
Guide to Computer Forensics and Investigations 59
Summary (continued)
• Some image formats compress their data– Lossless compression– Lossy compression
• Recovering image files– Carving file fragments– Rebuilding image headers
• Software– Image editors– Image viewers
![Page 60: Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition](https://reader033.vdocuments.net/reader033/viewer/2022061408/56649d545503460f94a31088/html5/thumbnails/60.jpg)
Guide to Computer Forensics and Investigations 60
Summary (continued)
• Steganography– Hides information inside image files– Forms
• Insertion
• Substitution
• Steganalysis– Finds whether image files hide information