Module XXI – Image File Forensics
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Poplar Bluff Man Pleads Guilty to Child Pornography Charge
Source: http://www.semissourian.com/
Wednesday, November 26, 2008
POPLAR BLUFF, Mo. — A Poplar Bluff man faces a maximum of 30 years in federal prison after pleading guilty Friday to possessing child pornography.
On May 1, law enforcement officers knocked on the door of Alspaugh's home. Although he was not home, the officers informed his son they had reason to believe someone in the home was accessing child pornography on the Internet. The home computer was given to law enforcement officers for analysis. Police said Alspaugh later contacted the seizing officer and told the officer he was the person responsible for the child pornography on the computer.
Alspaugh reportedly stated he used the computer to find child pornography on the Internet and further reported he had been viewing child pornography for several years.
Alspaugh also admitted he was aware it is illegal to possess images of child pornography. He stated the computer belonged to him and he had hidden the child pornography files so other users in the home would not be able to find them. Alspaugh reportedly agreed to allow a forensic analysis to be conducted on his computer and hard drive by signing a consent-to-search form.
Forensic analysis of the hard drive revealed Alspaugh possessed more than 600 image files, including more than 90 video files, of child pornography.
The charge against Alspaugh was the result of an investigation by Jeff Shackelford and Scott Phelps with the SEMO Cyber Crimes Task Force.
"Through the use of a tracking program designed by the [Internet Crimes Against Children] Task Force, to track persons collecting and trading items of child pornography through file sharing networks, I was given the February 2008 database results for the state of Missouri, which showed one IP address, in particular, in the Poplar Bluff area that had numerous transmissions [uploads/downloads] of child pornography," Shackelford said earlier.
Scenario
The owner of a massive for-profit software piracy website was sentenced on 8th Sept. 2006 in federal court to 87 months in prison.
Nathan L. Peterson, 27, of Antelope Acres, Calif., was also ordered to forfeit the proceeds of his illegal conduct and pay restitution of more than $5.4 million.
Peterson operated the www.ibackups.net website which sold copies of software products that were copyrighted by companies such as Adobe Systems, Inc., Macromedia Inc., Microsoft Corporation, Sonic Solutions, and Symantec Corporation at prices substantially below the suggested retail price. The software products purchased on Peterson's website were reproduced and distributed.
The investigation was conducted by agents of the FBI's Washington Field Office. As a result of the FBI's investigation, Peterson's website was taken down in February 2005.
Case Study
Module Objective
This module will familiarize you with:
• Image Files
• Recognizing Image Files
• Data Compression
• Locating and Recovering Image Files
• Analyzing Image File Headers
• Reconstructing File Fragments
• Tools for Viewing Images
• Steganography in Image Files
• Steganalysis in Image Files
• Image File Forensic Tools
Module Flow
• Introduction to Image File Forensics
• Image Files Identification
• Data Compression
• Locate and Recover Image Files
• Analyze Image File Headers
• Reconstructing File Fragments
• Tools for Viewing Images
• Steganography in Image Files
• Steganalysis in Image Files
• Image File Forensics Tools
Common Terminologies
Pixel
• A pixel (picture element) is a single point in a graphic image
• A number of pixels combined together form an image
Resolution
• Refers to the sharpness and clarity of an image
• The term describes monitors, printers, and bit-mapped graphic images
Image Files
An image is an artifact that reproduces the likeness of some subject
Images are produced by optical devices such as cameras, mirrors, lenses, telescopes, and microscopes
An image may be:
• A black and white image
• A grayscale image
• A color image
• An indexed color image
Images can be broadly categorized into:
• Vector
• Raster
Understanding Vector Images
Vector graphics use geometrical primitives such as points, lines, curves, and polygons, which are all based upon mathematical equations, to represent images in the computer
Advantages:
• Smaller file size
• Can be indefinitely zoomed without loss in quality
• Moving, scaling, rotating, and filling do not degrade the quality of a drawing
Understanding Raster Images
A raster image is a data file or structure representing a generally rectangular grid of pixels, or points of color, on a computer monitor
The color of each pixel is individually defined
A colored raster image has pixels with eight bits of information for each of the red, green, and blue components
The quality of a raster image is determined by the total number of pixels and the amount of information in each pixel
Quality may be lost if raster graphics are scaled to a higher resolution
Metafile Graphics
Metafiles combine raster and vector graphics
Metafiles have similar features of both bitmap and vector images
When metafiles are enlarged, the result is a loss of resolution, giving the image a shaded appearance
Image File Formats
Understanding Image File Formats
A file format is ‘a particular way to encode information for storage in a computer file’
All image formats differ in ease of use, size of the file, and quality of reproduction
The table below shows commonly used image file formats:
File Format | File Extension
Graphics Interchange Format (GIF) | .gif
Joint Photographic Experts Group (JPEG) | .jpg
Tagged Image File Format (TIFF) | .tif
Windows Bitmap (BMP) | .bmp
JPEG 2000 | .jp2
Portable Network Graphics (PNG) | .png
GIF (Graphics Interchange Format)
GIF is an 8-bit RGB bitmap image format for images with up to 256 distinct colors per frame
Features:
Limited color palette:
• Each color in the GIF color table is described in RGB values, with each value having a range of 0 to 255
Dithering:
• This method is used to create the illusion of greater color depth by blending a smaller number of colored "dots" together
LZW compression:
• GIF supports the LZW lossless compression algorithm
Interlacing:
• It is a mechanism that makes images appear faster on-screen by first displaying a low-resolution version of the image and gradually showing the full version
GIF (cont’d)
Each file begins with a Header and a Logical Screen Descriptor
A Global Color Table may optionally follow the Logical Screen Descriptor
Each image stored in the file contains a Local Image Descriptor, an optional Local Color Table, and a block of the image data
The last field in every GIF file is a Terminator character, which indicates the end of the GIF data stream
GIF file layout (figure, top to bottom):
Header and Color Table Information:
• Header
• Logical Screen Descriptor
• Global Color Table
Image 1:
• Local Image Descriptor
• Local Color Table
• Image Data
Image 2:
• Local Image Descriptor
• Local Color Table
• Image Data
……
Image n:
• Local Image Descriptor
• Local Color Table
• Image Data
Trailer
GIF (cont’d)
There are two versions of the GIF format:
GIF 87a:
• This version was released in 1987
• Supports LZW file compression, interlacing, 256-color palettes, and multiple image storage
GIF 89a:
• This version was released in 1989
• It supports properties such as background transparency, delay times, and image replacement parameters, which help to store multiple images
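The block walk described on the two GIF slides can be checked by hand with a hex editor, but an examiner usually wants a script that reports what the file actually contains and whether the Trailer was ever reached. The parser below is an added example written for this page (it is not code from the module or from any tool it names); it reads the Header, Logical Screen Descriptor, optional Global Color Table, each Image Descriptor with its optional Local Color Table and data sub-blocks, GIF89a extension blocks, and the 0x3B Trailer. The sample bytes are a hand-built 1x1 GIF89a constructed for this example.

```python
import struct

# Constructed sample: a 1x1-pixel GIF89a with a two-entry Global Color Table.
# Built by hand for this example; it is not an image from the slides.
SAMPLE_GIF = bytes.fromhex(
    "474946383961"               # Header: "GIF89a"
    "0100 0100 80 00 00"         # Logical Screen Descriptor: 1x1, GCT flag set (2 colors), bg 0, aspect 0
    "000000 ffffff"              # Global Color Table: black, white (3 bytes per entry)
    "2c 0000 0000 0100 0100 00"  # Image Descriptor: left 0, top 0, 1x1, no Local Color Table
    "02 02 4401 00"              # LZW minimum code size 2, one 2-byte data sub-block, block terminator
    "3b"                         # Trailer
)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed sub-blocks; return the position after the 0x00 terminator."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data: bytes) -> dict:
    """Walk the GIF block structure and report header fields, images found, and
    whether the Trailer was reached (False means a truncated or tampered file)."""
    if data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("missing GIF signature")
    version = data[3:6].decode("ascii")
    # Logical Screen Descriptor: width, height (little-endian), packed flags, bg index, aspect ratio
    width, height, packed, bg_index, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    gct_entries = 0
    if packed & 0x80:                              # bit 7: Global Color Table present
        gct_entries = 2 ** ((packed & 0x07) + 1)   # bits 0-2: size exponent
        pos += 3 * gct_entries
    images, extensions, complete = [], 0, False
    try:
        while pos < len(data):
            block = data[pos]
            pos += 1
            if block == 0x3B:                      # Trailer: end of the data stream
                complete = True
                break
            if block == 0x21:                      # Extension (GIF89a): label byte + sub-blocks
                extensions += 1
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:                    # Image Descriptor
                left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
                pos += 9
                lct_entries = 2 ** ((ipacked & 0x07) + 1) if ipacked & 0x80 else 0
                pos += 3 * lct_entries             # optional Local Color Table
                pos += 1                           # LZW minimum code size
                pos = _skip_sub_blocks(data, pos)  # image data sub-blocks
                images.append({"left": left, "top": top, "width": w, "height": h,
                               "lct_entries": lct_entries})
            else:
                raise ValueError(f"unknown block introducer 0x{block:02X} at offset {pos - 1}")
    except (IndexError, struct.error):
        complete = False                           # ran off the end of the data: truncated file
    return {"version": version, "width": width, "height": height,
            "gct_entries": gct_entries, "bg_index": bg_index,
            "images": images, "extensions": extensions, "complete": complete}
```

A file that parses cleanly but never reaches the Trailer is worth a second look: either the carve cut it short or something was appended or overwritten.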
JPEG (Joint Photographic Experts Group)
JPEG is a commonly used method for compression of photographic images
It performs the file compression in four phases:
1. The JPEG algorithm first cuts up an image into separate blocks of 8x8 pixels
2. The next step in the compression process is to apply a Discrete Cosine Transform (DCT) to each block
3. After this, the actual compression starts. First, the compression software looks at the JPEG image quality the user requested and calculates two tables of quantization constants, one for luminance and one for chrominance
4. The last step in the process is to compress these coefficients using either a Huffman or arithmetic encoding scheme
JPEG File Structure
A JPEG image is a sequence of segments. Each segment consists of:
• Segment marker (2 bytes)
• Segment size (2 bytes), excluding the marker
• Segment data
Name | Contents | Description
SOI | 0xFF 0xD8 | Start of image
EOI | 0xFF 0xD9 | End of image
JPEG File Structure (cont’d)
Some JPEG Segment Markers:
Name | Contents | Description
APP0 | 0xFF 0xE0 | Application marker (in every JPEG file)
DQT | 0xFF 0xDB | Quantization table
SOF0 | 0xFF 0xC0 | Start of frame
DHT | 0xFF 0xC4 | Define Huffman table
SOS | 0xFF 0xDA | Start of scan
APP14 | 0xFF 0xED | This is the marker where Photoshop stores its information
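The marker/size/data layout above is enough to enumerate every segment of a JPEG file without decoding the picture, which is how an examiner confirms that a carved file is whole and sees where application data (APPn) sits. The walker below is an added example written for this page, not code from the module or any tool it names. It uses the marker names from the JPEG standard, so 0xFFED is listed as APP13 (the table above labels it APP14; 0xFFEE is APP14 in the standard), and after SOS it skips entropy-coded data, where 0xFF00 is a stuffed byte and 0xFFD0 to 0xFFD7 are restart markers rather than segment starts. The sample is a constructed byte string with valid segment lengths but dummy tables, so it is not a decodable image.

```python
import struct

# Marker codes from the slide plus a few common ones. Names follow the JPEG standard:
# 0xFFED is APP13 (Photoshop IRB data lives there); the slide's table calls it APP14.
MARKER_NAMES = {
    0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xC0: "SOF0", 0xC2: "SOF2",
    0xC4: "DHT", 0xDB: "DQT", 0xDD: "DRI", 0xE0: "APP0", 0xE1: "APP1",
    0xED: "APP13", 0xEE: "APP14", 0xFE: "COM",
}

# Constructed sample with the segment order of a baseline JFIF file: lengths are valid,
# the quantization/Huffman tables and scan data are dummies (not a decodable picture).
SAMPLE_JPEG = (
    bytes.fromhex("ffd8")                                            # SOI
    + bytes.fromhex("ffe0 0010 4a46494600 0101 00 0001 0001 00 00")  # APP0: "JFIF\0", v1.1, 16 bytes
    + bytes.fromhex("ffdb 0043 00") + bytes(64)                      # DQT: precision/id byte + 64 entries
    + bytes.fromhex("ffc0 000b 08 0001 0001 01 01 11 00")            # SOF0: 8-bit, 1x1, 1 component
    + bytes.fromhex("ffc4 0013 00") + bytes(16)                      # DHT: class/id + 16 count bytes
    + bytes.fromhex("ffda 0008 01 01 00 00 3f 00")                   # SOS: 1 component
    + bytes.fromhex("ff00 1234 ffd0 ab")                             # scan data: stuffed FF, RST0 marker
    + bytes.fromhex("ffd9")                                          # EOI
)


def _skip_entropy_coded_data(data: bytes, pos: int) -> int:
    """Advance past scan data to the next real marker (0xFF00 and 0xFFD0-0xFFD7 are not segment starts)."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
            return pos
        pos += 1
    return len(data)


def walk_jpeg(data: bytes) -> dict:
    """List the segments of a JPEG file in order and pull out a few header facts."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments = [{"name": "SOI", "offset": 0, "length": 0}]
    info = {"segments": segments, "jfif": False, "width": None, "height": None, "eoi_found": False}
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        code = data[pos + 1]
        name = MARKER_NAMES.get(code, f"0x{code:02X}")
        if code == 0xD9:                                   # EOI has no length field
            segments.append({"name": name, "offset": pos, "length": 0})
            info["eoi_found"] = True
            break
        if pos + 4 > len(data):
            break                                          # truncated inside a marker header
        length = struct.unpack_from(">H", data, pos + 2)[0]    # size excludes the 2-byte marker
        payload = data[pos + 4:pos + 2 + length]
        segments.append({"name": name, "offset": pos, "length": length})
        if code == 0xE0 and payload[:5] == b"JFIF\x00":
            info["jfif"] = True
        if code in (0xC0, 0xC2):                           # SOFn payload: precision, height, width
            _precision, info["height"], info["width"] = struct.unpack_from(">BHH", payload, 0)
        pos += 2 + length
        if code == 0xDA:                                   # entropy-coded scan data follows SOS
            pos = _skip_entropy_coded_data(data, pos)
    return info
```

A missing EOI after a complete SOS usually means the carve stopped early; an unexpected segment after EOI means trailing data was appended to the file.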
JPEG 2000
JPEG 2000 is the new version of JPEG compression
Features:
• It produces as much as 20% improvement in compression efficiency over the current JPEG format
• Its compression has been mainly developed for use on the Internet
• It can handle RGB, LAB, and CMYK with up to 256 channels of information
BMP (Bitmap) File
BMP is a standard file format for computers running the Windows operating system
BMP images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors)
Each bitmap file contains:
Header:
• Contains information about the type, size, and layout of a file
Info Header:
• Specifies the dimensions, compression type, and color format for the bitmap
The RGBQUAD array:
• The Colors array contains a color table. The color table is absent for bitmaps with 24 color bits because each pixel is represented by 24-bit red-green-blue (RGB) values in the actual bitmap
Image Data:
• These are the actual image data, represented by consecutive rows, or "scan lines," of the bitmap
BMP File Structure (figure, top to bottom):
• Header
• Info Header
• RGBQUAD Array
• Image Data
PNG (Portable Network Graphics)
The PNG bitmap image format uses lossless data compression
It improves on the GIF image format and was designed to replace it
It is patent and license free
PNG supports:
• 24-bit true color
• Transparency, both normal and alpha channel
A PNG file starts with the PNG File Signature:
• This signature shows that the remainder of the file contains a single PNG image
• The image consists of a series of chunks, starting with an IHDR chunk and ending with an IEND chunk
PNG (cont’d)
Chunk layout:
• It comes after the header
• It is a series of chunks, each of which gives some information about the image
• Each chunk has a header specifying the size and type of the chunk
• Each chunk consists of four parts:
Length:
• 4-byte unsigned integer giving the number of bytes in the chunk's data field
Chunk Type:
• A 4-byte chunk type code
Chunk Data:
• The data bytes appropriate to the chunk type, if any; this field can be of zero length
CRC (Cyclic Redundancy Check):
• A 4-byte CRC calculated on the preceding bytes in the chunk
• It includes the chunk type code and chunk data fields, but not the length field
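The per-chunk CRC is the detail that makes PNG useful to an examiner: because the CRC covers the type code and data but not the length, every chunk can be checked independently, and a chunk whose stored CRC does not match its contents has been edited or damaged after it was written. The parser below is an added example written for this page (not code from the module or from any tool it names); it builds a constructed 1x1 grayscale PNG with the standard library, then walks the chain from the 8-byte signature through IHDR, IDAT and IEND, verifying each CRC and reporting truncation.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one chunk: length, type code, data, then a CRC over type+data (the length is not covered)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a 1x1 8-bit grayscale PNG; IDAT holds one filter byte and one pixel.
SAMPLE_PNG = (
    PNG_SIGNATURE
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # width, height, depth, color type, compression, filter, interlace
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x7f"))
    + make_chunk(b"IEND", b"")
)


def parse_png(data: bytes) -> dict:
    """Walk the chunk chain, verify each CRC, and report whether the file ends with a sound IEND."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("missing PNG file signature")
    chunks = []
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        payload = data[pos + 8:pos + 8 + length]
        crc_pos = pos + 8 + length
        chunk = {"type": ctype.decode("latin-1"), "length": length, "data": payload,
                 "crc_ok": False, "truncated": crc_pos + 4 > len(data)}
        if not chunk["truncated"]:
            stored = struct.unpack_from(">I", data, crc_pos)[0]
            chunk["crc_ok"] = stored == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append(chunk)
        if chunk["truncated"] or ctype == b"IEND":
            break
        pos = crc_pos + 4
    info = {"chunks": chunks, "width": None, "height": None,
            "ends_with_iend": bool(chunks) and chunks[-1]["type"] == "IEND" and chunks[-1]["crc_ok"]}
    if chunks and chunks[0]["type"] == "IHDR" and chunks[0]["length"] == 13:
        info["width"], info["height"], info["bit_depth"], info["color_type"] = \
            struct.unpack_from(">IIBB", chunks[0]["data"], 0)
    return info


def first_pixel_bytes(info: dict) -> bytes:
    """Inflate the IDAT stream; for the sample that is the filter byte followed by one gray pixel."""
    idat = b"".join(c["data"] for c in info["chunks"] if c["type"] == "IDAT")
    return zlib.decompress(idat)
```

A chunk with a bad CRC but a plausible type code is the signature of a byte-level edit (or a bad sector); a chain that stops before IEND is the signature of an incomplete carve.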
Tagged Image File Format (TIFF)
Tagged Image File Format is a flexible and platform-independent image file format
It supports numerous image processing applications
Features:
Extendibility:
• This is the ability to add new image types without invalidating the older types
Portability:
• TIFF is independent of the hardware platform and the operating system on which it executes
Revisability:
• TIFF was designed to be an efficient medium for exchanging image information
• It is used as a native internal data format for image editing applications
TIFF File Structure
TIFF files are made up of three unique data structures:
Image File Header or IFH:
• The structure of a TIFF file has a fixed location
• The IFH is an 8-byte structure
• It must be located at offset zero in the file
• The IFH contains important information necessary to correctly interpret the remainder of the TIFF file
Image File Directory (IFD):
• An IFD consists of a count N, the number of directory entries
• Each entry is 12 bytes
• Each IFD must be located on a word boundary
• If more than one IFD is present, the file contains more than one image
Directory Entry, or DE:
• Each DE is exactly 12 bytes in length and is segmented into four fields
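The three structures above (IFH, IFD, DE) chain together through offsets, so a TIFF can be read without any knowledge of the pixel data: the IFH gives the byte order and the first IFD offset, each IFD gives N entries and the offset of the next IFD, and each 12-byte DE is tag, type, count and a value-or-offset field. The reader below is an added example written for this page (not code from the module or any tool it names). It builds a constructed little-endian TIFF with one IFD of three SHORT entries, then follows the chain, checking the word-boundary rule and guarding against an IFD loop; the tag and type tables are the subset of TIFF 6.0 values needed for the sample.

```python
import struct

# Byte sizes of the TIFF 6.0 field types (1=BYTE, 2=ASCII, 3=SHORT, 4=LONG, 5=RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TAG_NAMES = {256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample", 259: "Compression",
             262: "PhotometricInterpretation", 273: "StripOffsets", 277: "SamplesPerPixel",
             278: "RowsPerStrip", 279: "StripByteCounts"}


def _build_sample_tiff() -> bytes:
    """Constructed sample: little-endian IFH, one IFD with three SHORT entries, no pixel data."""
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 8)]      # tag, type, count, value
    ifd = struct.pack("<H", len(entries))                           # count N
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHIHH", tag, typ, count, value, 0)     # SHORT value left-justified in the 4-byte field
    ifd += struct.pack("<I", 0)                                     # next-IFD offset 0: this is the last IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd                  # IFH: "II", magic 42, first IFD at offset 8


SAMPLE_TIFF = _build_sample_tiff()


def parse_tiff(data: bytes, max_ifds: int = 100) -> dict:
    """Follow the IFH -> IFD -> DE chain and return the decoded directory entries per image."""
    order = data[:2]
    if order == b"II":
        fmt = "<"
    elif order == b"MM":
        fmt = ">"
    else:
        raise ValueError("missing TIFF byte-order mark")
    magic, offset = struct.unpack_from(fmt + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    ifds, seen = [], set()
    while offset != 0 and len(ifds) < max_ifds:
        if offset in seen or offset % 2:
            raise ValueError("bad IFD offset (loop, or not on a word boundary)")
        seen.add(offset)
        count = struct.unpack_from(fmt + "H", data, offset)[0]
        entries = []
        for i in range(count):
            base = offset + 2 + 12 * i
            tag, typ, n = struct.unpack_from(fmt + "HHI", data, base)
            value_field = data[base + 8:base + 12]
            size = TYPE_SIZES.get(typ, 0) * n
            if size <= 4:                                   # value stored inline, left-justified
                if typ == 3 and n == 1:
                    value = struct.unpack(fmt + "H", value_field[:2])[0]
                elif typ == 4 and n == 1:
                    value = struct.unpack(fmt + "I", value_field)[0]
                else:
                    value = value_field[:size]
            else:                                           # field holds the offset of the data
                value = struct.unpack(fmt + "I", value_field)[0]
            entries.append({"tag": tag, "name": TAG_NAMES.get(tag, f"tag{tag}"),
                            "type": typ, "count": n, "value": value})
        offset = struct.unpack_from(fmt + "I", data, offset + 2 + 12 * count)[0]
        ifds.append(entries)
    return {"byte_order": "little" if fmt == "<" else "big", "ifds": ifds, "image_count": len(ifds)}
```

Because every IFD offset comes from the file itself, a parser that does not track visited offsets can be driven into an endless loop by a malformed file; the `seen` set is what stops that.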
ZIP (Zone Information Protocol)
ZIP is a method of compressing computer data or files
Advantages of zipping files:
• It reduces storage space
• You can achieve faster transfer rates over a network
• It helps in packaging multiple files
Zip files contain information about the zipped files (name, path, date, time of last modification, protection, and check information) to verify the file’s integrity
They are created using Zip creation tools such as WinZip and WinRAR
They can be password protected for security reasons
Best Practices for Forensic Image Analysis
Document the current condition of the evidence
Prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials
Use write blockers to prevent the evidence from being modified
Methods of acquiring evidence should be forensically sound and verifiable
Forensic image(s) should be captured using hardware/software that is capable of capturing a “bit stream” image of the original media
Digital evidence submitted for examination should be maintained in such a way that the integrity of the data is preserved
Properly prepared media should be used when making forensic copies to ensure no commingling of data from different cases
Forensic image(s) should be archived to media and maintained consistent with departmental policy and applicable laws
Use MATLAB for Forensic Image Processing
MATLAB is a general purpose programming language which provides important advantages for forensic image processing, such as:
• It ensures the image processing steps used are completely documented and hence can be replicated
• The source code for all image processing functions is accessible for scrutiny and test
• It ensures that the numerical precision is maintained all the way through the enhancement process
• Advanced image processing algorithms are used
Advantages of MATLAB
Recording of the processing used:
• MATLAB is used to process images by writing function files or script files
• These files form a formal record of the processing used and ensure that the final results can be tested and replicated
Access to implementation details:
• Functions written in the MATLAB language are publicly readable as plain text files
Numerical accuracy:
• It ensures maximal numerical precision in the final result
• An image can be read into memory and the data cast into double precision floating point values
Advanced algorithms:
• It provides strong mathematical and numerical support for the implementation of advanced algorithms
Screenshot: MATLAB
Data Compression
How Does File Compression Work?
In John F. Kennedy's 1961 inaugural address, he delivered this famous line:
• "Ask not what your country can do for you -- ask what you can do for your country”
When you go through Kennedy's famous words, pick out the words that are repeated and put them into a numbered index
Then, simply write the number instead of writing out the whole word
So, if this is your dictionary:
• ask • what • your • country • can • do • for • you
The sentence now reads:
• "1 not 2 3 4 5 6 7 8 -- 1 2 8 5 6 7 3 4"
Understanding Data Compression
Data compression means encoding the data to take up less storage space and less bandwidth for transmission
There are two techniques of data compression:
• Lossless Compression, which maintains the data’s integrity
• Lossy Compression, which does not maintain the data’s integrity
Huffman Coding Algorithm
The Huffman Coding Algorithm is a fixed-to-variable length code
A Huffman encoder takes a block of input characters with fixed length and produces a block of output bits of variable length
The basic idea in Huffman coding is to assign short codewords to those input blocks with high probabilities and long codewords to those with low probabilities
A Huffman code is designed by merging the two least probable characters together
This merging process is repeated until there is only one character remaining
Huffman Coding Algorithm (cont’d)
The example shows how it works:
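The merge rule on the slide (repeatedly combine the two least probable symbols until one node remains) is the whole algorithm; the codeword for each symbol is then the path of 0/1 branch choices from the root to its leaf. The code below is an added example written for this page, not code from the module; it implements the merge with a binary heap, derives the codewords, and encodes and decodes a string. The symbol weights in the test are a constructed example (six symbols with frequencies 45, 13, 12, 16, 9, 5) chosen so that no two merges ever tie and the code lengths are fixed.

```python
import heapq
from collections import Counter
from itertools import count


def build_huffman_codes(weights: dict) -> dict:
    """Return {symbol: bit string} by repeatedly merging the two least probable nodes."""
    if not weights:
        return {}
    if len(weights) == 1:                       # a single symbol still needs one bit
        return {next(iter(weights)): "0"}
    tiebreak = count()                          # keeps heap ordering deterministic for equal weights
    heap = [(w, next(tiebreak), ("leaf", sym)) for sym, w in weights.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)       # least probable node
        w2, _, right = heapq.heappop(heap)      # second least probable node
        heapq.heappush(heap, (w1 + w2, next(tiebreak), ("node", left, right)))
    codes = {}

    def assign(node, prefix):
        if node[0] == "leaf":
            codes[node[1]] = prefix
        else:
            assign(node[1], prefix + "0")       # left branch: 0
            assign(node[2], prefix + "1")       # right branch: 1

    assign(heap[0][2], "")
    return codes


def huffman_encode(text: str):
    """Encode text with codes derived from its own symbol frequencies; returns (bits, codes)."""
    codes = build_huffman_codes(Counter(text))
    return "".join(codes[c] for c in text), codes


def huffman_decode(bits: str, codes: dict) -> str:
    """Greedy decoding is unambiguous because no codeword is a prefix of another."""
    reverse = {code: sym for sym, code in codes.items()}
    out, buf = [], ""
    for b in bits:
        buf += b
        if buf in reverse:
            out.append(reverse[buf])
            buf = ""
    if buf:
        raise ValueError("trailing bits do not form a complete codeword")
    return "".join(out)
```

The frequent symbol gets a 1-bit code and the rare ones 4-bit codes; over the sample text that is 224 bits in place of 800 for fixed 8-bit characters, which is the fixed-to-variable idea the slide states.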
Lempel-Ziv Coding Algorithm
The Lempel-Ziv Coding Algorithm is a variable-to-fixed length code
The Lempel-Ziv code is not designed for any particular source but for a large class of sources
In this scheme, the input sequence is parsed into non-overlapping blocks of different lengths
A dictionary of these blocks is constructed and the following algorithm is used
Encoding Algorithm:
1. Initialize the dictionary to contain all blocks of length one (D={a,b})
2. Search for the longest block W in the dictionary
3. Encode W by its index in the dictionary
4. Add W followed by the first symbol of the next block to the dictionary
5. Go to Step 2
Lempel-Ziv Coding Algorithm (cont’d)
An example of encoding:
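The five steps above are the LZW variant of Lempel-Ziv coding (dictionary seeded with the single-symbol blocks, output is the dictionary index only), and they generalize the numbered word index from the Kennedy slide: the dictionary is built on the fly from the data instead of being chosen by hand. The encoder and decoder below are an added example written for this page, not code from the module; the decoder rebuilds the same dictionary from the indices alone, including the one special case where a block is added and used in the same step. The input string in the test is constructed for this example.

```python
def lzw_encode(data: str, alphabet) -> list:
    """Encode with the scheme from the slide: seed the dictionary with single-symbol blocks,
    emit the index of the longest matching block W, then add W + the next symbol."""
    dictionary = {sym: i for i, sym in enumerate(sorted(alphabet))}   # Step 1: D = {a, b, ...}
    codes = []
    w = ""
    for c in data:
        if c not in dictionary:
            raise ValueError(f"symbol {c!r} is not in the alphabet")
        wc = w + c
        if wc in dictionary:
            w = wc                                  # Step 2: keep extending the longest known block
        else:
            codes.append(dictionary[w])             # Step 3: encode W by its index
            dictionary[wc] = len(dictionary)        # Step 4: add W + first symbol of the next block
            w = c                                   # Step 5: start the next block from that symbol
    if w:
        codes.append(dictionary[w])                 # flush the final block
    return codes


def lzw_decode(codes: list, alphabet) -> str:
    """Rebuild the dictionary from the index stream alone and recover the input."""
    dictionary = {i: sym for i, sym in enumerate(sorted(alphabet))}
    if not codes:
        return ""
    w = dictionary[codes[0]]
    out = [w]
    for k in codes[1:]:
        if k in dictionary:
            entry = dictionary[k]
        elif k == len(dictionary):                  # block added and used in the same step, e.g. "aaa"
            entry = w + w[0]
        else:
            raise ValueError(f"code {k} is not in the dictionary")
        out.append(entry)
        dictionary[len(dictionary)] = w + entry[0]  # mirror the encoder's Step 4
        w = entry
    return "".join(out)
```

For the string "abbabbabbba" over the alphabet {a, b}, eleven input symbols become seven fixed-width indices, which is the variable-to-fixed property the slide describes.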
Lossy Compression
Lossy methods provide a high degree of compression and small compressed files, but during decompression, a certain amount of data is lost
It does not maintain data integrity
It is never used for business data and text files
[Figure: Original Data → Compressed Data → Restored Data]
Vector Quantization
Vector quantization is a lossy data compression technique
This technique is based on the principle of block coding, which means it replaces a block of information with an approximate average value
[Figure: input values from -4 to 4 mapped onto the four 2-bit codes 00, 01, 10, and 11]
Locating and Recovering Image Files
Locating and Recovering Image Files
Carving:
• It is the process of data recovery
• It uses a database of headers and footers (essential strings of bytes) for a specific file type and recovers files from a raw disk image
• File carving also works if the file system metadata has been destroyed
Salvaging:
• Collecting and regenerating the image from pieces of an image file dispersed into many areas on the disk is known as salvaging
[Figure: Corrupted Image and Recovered Image]
Locating and Recovering Image Files Using DriveSpy
The screenshot above shows the location of the clusters where the data has been found and “data found with the matching search”
Analyzing Image File Headers
Investigators analyze image file headers when new file extensions are present that forensic tools cannot recognize
File headers are accessed with the help of a hexadecimal editor such as Hex Workshop
Hexadecimal values present in the header can be used to define a file type
Repairing Damaged Headers
Investigators recover data remnants from free space
This data would be similar to headers from common image files
Header data that is partly overwritten can be used to repair the damaged headers
The Hex Workshop application can be used to repair the damaged headers by the process of comparison
JPEG files include the letters "JFIF" after the hexadecimal header values
• Example: JPEG files have a hexadecimal value of: FF D8 FF E0 00 10
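Header analysis, header repair by comparison, and header/footer carving (the Carving slide earlier in the module) all rest on the same few signatures, so one script can serve all three. The code below is an added example written for this page, not code from the module or from Hex Workshop, DriveSpy or any other tool it names. It identifies a file from its first bytes, restores the FF D8 FF E0 00 10 header of a JFIF file whose opening bytes were overwritten but whose "JFIF" string survived at offset 6 (the comparison the slide describes), and carves every FF D8 FF ... FF D9 span out of a raw image without consulting file system metadata. Both the tiny JPEG and the "disk image" are constructed for the example; the JPEG has a valid header structure only and is not a decodable picture.

```python
# File signatures from the module's format slides; all are matched at offset 0.
SIGNATURES = [
    ("JPEG", b"\xff\xd8\xff"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("GIF", b"GIF87a"),
    ("GIF", b"GIF89a"),
    ("TIFF", b"II*\x00"),
    ("TIFF", b"MM\x00*"),
    ("BMP", b"BM"),
]
JFIF_HEADER = bytes.fromhex("ffd8ffe00010")     # FF D8 FF E0 00 10, followed by "JFIF\0" at offset 6


def identify(data: bytes):
    """Return the format name for a known signature at the start of the data, else None."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def repair_jfif_header(data: bytes) -> bytes:
    """Repair by comparison: if "JFIF\\0" still sits at offset 6 but the six bytes before it
    differ from the known-good header, write the known-good header back. Otherwise unchanged."""
    if data[6:11] == b"JFIF\x00" and data[:6] != JFIF_HEADER:
        return JFIF_HEADER + data[6:]
    return data


def carve_jpegs(raw: bytes) -> list:
    """Header/footer carving: every FF D8 FF ... FF D9 span in a raw image.
    A header with no footer after it is reported as an incomplete file."""
    found = []
    pos = 0
    while True:
        start = raw.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        footer = raw.find(b"\xff\xd9", start + 3)
        if footer < 0:
            found.append({"start": start, "end": len(raw), "complete": False})
            break
        found.append({"start": start, "end": footer + 2, "complete": True})
        pos = footer + 2                            # resume after this file's footer
    return found


# Constructed sample: a minimal JFIF header (APP0 segment) plus an EOI marker; structure only.
TINY_JPEG = JFIF_HEADER + bytes.fromhex("4a46494600 0101 00 0001 0001 00 00") + bytes.fromhex("ffd9")
# Constructed raw "disk image": slack, one complete file, more slack, then a truncated file.
RAW_IMAGE = b"\x00" * 16 + TINY_JPEG + b"\xab" * 5 + TINY_JPEG[:-2]
```

Footer-based carving has a known limit: a JPEG with an embedded thumbnail contains a second FF D8 / FF D9 pair, so the first FF D9 after a header may belong to the thumbnail; a carver that walks the segment structure (as in the JPEG walker earlier) rather than searching for the footer avoids that.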
Reconstructing File Fragments
Corruption of the data prevents investigators from reconstructing file fragments of image files
Data corruption can be:
• Accidental
• Intentional
File fragments can be reconstructed by examining a suspect disk with the help of the DriveSpy application
Investigators can build the case based on the data reconstructed
Identifying Unknown File Formats
To understand unknown image file formats, you should know about non-standard file formats:
• Targa (.tga)
• Raster Transfer Language (.rtl)
• Photoshop (.psd)
• Illustrator (.ai)
• Freehand (.h9)
• Scalable vector graphics (.svg)
• Paintbrush (.pcx)
Tools to identify the unknown file formats:
• Picture Viewer: IrfanView
• Picture Viewer: ACDSee
• Picture Viewer: ThumbsPlus
• Picture Viewer: AD
• Picture Viewer: Max
• FastStone Image Viewer
• XnView
Identifying Image File Fragments
The first step in recovering deleted data files is to identify the image file fragments
If the image file is fragmented across different disk areas, recover all the fragments to re-create the image
Recovering a piece of a file is called salvaging or carving
After recovering the parts of the fragmented image file, restore the fragments and continue the forensic investigation
http://www.filext.com
Picture Viewer: IrfanView
IrfanView is an image viewing program that supports many unknown file formats, including:
• Targa (.tga)
• Illustrator (.ai)
• Scalable vector graphics (.svg)
• FlashPix (.fpx)
Picture Viewer: ACDSee
ACDSee is an image viewing program that enables investigators to:
• Find images
• View images
• Manage image files on the drive
• Search and view unknown file formats
Picture Viewer: ThumbsPlus
ThumbsPlus is an image viewing program that enables investigators to:
• View images from a drive database
• View files other than images, such as audio and multimedia files
• Catalog image files for future reference
Picture Viewer: AD
AD is the fastest, easy-to-use, and compact image viewer available for the Windows platform
It allows you to view, print, organize, and catalog images
This program supports all popular graphic formats
Picture Viewer: Max
Picture Viewer Max is an image and multimedia viewer for Windows 98/ME/2000/XP
It helps to locate, view, edit, print, organize, and send/receive picture/image files over the Internet
FastStone Image Viewer
FastStone Image Viewer is a fast, stable, user-friendly image browser, converter, and editor
Features:
• Supports common image formats, loading and saving of JPEG, JPEG2000, GIF, BMP, PNG, PCX, TIFF, WMF, ICO, CUR, and TGA
• Supports zoom and full screen viewing
• Crystal clear and customizable magnifier
• Image EXIF metadata support
• Resizing, flipping, rotating, cropping, emailing, and color adjusting tool
FastStone Image Viewer: Screenshot
XnView
XnView is a software to view and convert graphic files
It exists for Windows, MacOS X, Linux x86, Linux ppc, FreeBSD x86, OpenBSD x86, NetBSD x86, Solaris sparc, Solaris x86, Irix mips, HP-UX, and AIX
Features:
• Imports about 400 graphic file formats
• Exports about 50 graphic file formats
• Supports multipage TIFF, animated GIF, and animated ICO
• Supports IPTC and EXIF image metadata
• Supports lossless rotate & crop (JPEG)
• Creates web pages
XnView: Screenshot
Faces – Sketch Software
FACES contains a data bank of over 3,850 facial features, along with tools and accessories that allow the user to rapidly put a composite image together
It is generally used by law enforcement agencies in identifying suspects
Faces: Screenshot
Digital Camera Data Discovery Software: File Hound
File Hound is a software package which helps to deal with crimes involving digital pictures
Features:
• It searches images based on file signature
• It distinguishes PNG, GIF, JPG, TIF, WMF, BMP, and ICO
• It searches for files based on filenames
• It previews thumbnail images and file information
• It can preview/print reports based on search results
http://vectormagic.com/
It is a web-based service to convert bitmap images into vector images
Steganography in Image Files
Two files are required to hide a message within an image file:
• The file containing the image into which the message is to be put
• The file containing the message itself
There are three methods of hiding messages in images:
• Least Significant Bit replacement
• Filtering and Masking
• Algorithms and Transformation
Steganalysis
The goal of steganalysis is to detect the suspected information
It determines whether encoded hidden messages are present and, if possible, recovers the hidden information
Challenges of steganalysis:
• The hidden data, if any, may have been encrypted before being inserted into the signal or file
• Some of the suspect signals or files may have noise or irrelevant data encoded into them, which makes them time consuming to analyze
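Of the three embedding methods listed on the previous slide, Least Significant Bit replacement leaves the most direct statistical trace, and the first challenge above (the payload may be encrypted) is exactly why a statistical detector is still useful: encrypted or compressed payload bits look random, and random LSBs change the histogram of a natural image in a measurable way. The code below is an added example written for this page, not code from the module or from Stegdetect, S-Tools or Hex Workshop; it implements the pairs-of-values chi-square test on 8-bit sample values, in which LSB replacement drives the counts of each value pair (2k, 2k+1) towards equality. The cover "image" is a constructed list of sample values with the uneven pair counts a photograph has, and the only embedding done is a test-data helper that sets every LSB to a pseudo-random bit so the detector can be checked against a known positive.

```python
import random


def lsb_pair_chi_square(pixels) -> tuple:
    """Pairs-of-values test. LSB replacement with random payload bits tends to equalise the
    counts of each value pair (2k, 2k+1); natural images do not. Returns (statistic, degrees of freedom)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue                                 # pair absent from the image: no evidence either way
        expected = total / 2                         # what equalised counts would look like
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return stat, dof


def lsb_replacement_score(pixels) -> float:
    """Statistic per degree of freedom: values near 1 are what random LSBs produce;
    untouched natural data gives values far larger."""
    stat, dof = lsb_pair_chi_square(pixels)
    return stat / dof if dof else float("nan")


def simulate_lsb_replacement(pixels, seed=7):
    """Test-data helper only: overwrite every LSB with a pseudo-random bit to create a known positive."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]


# Constructed cover "image": 8-bit samples with the uneven pair counts a real photo has.
COVER = [100] * 900 + [101] * 100 + [150] * 400 + [151] * 50
STEGO = simulate_lsb_replacement(COVER)
```

Two caveats belong with the result: the test is most reliable when a large fraction of the LSBs was replaced (a short payload in a large image moves the statistic only a little), and it says nothing about the other two methods on the slide, which do not touch the LSB plane in this way.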
Steganalysis Tools: Hex Workshop & S-Tools
The Hex Workshop application can detect and write messages onto a file
Investigators use the Hex Workshop tool to reconstruct the damaged file headers
S-Tools can hide and detect files hidden in BMP, GIF, and WAV files
Investigators have the advantage of multi-threaded operation
Steganalysis Tools: Stegdetect
Stegdetect:
• It is an automated tool for detecting steganographic content in images
• It is capable of detecting several different steganographic methods used to embed hidden information in JPEG images
Image File Forensic Tools
GFE Stealth™ - Forensics Graphics File Extractor Tool
http://www.forensics-intl.com/
The GFE Stealth tool automatically extracts exact copies of graphics file images from ambient data sources and SafeBack bit stream image backup files
It quickly reconstructs copies of "deleted" image files
Features:
• It operates under DOS, Windows 98/NT/2000/XP
• Partial image file patterns (caused by fragmentation and/or file corruption) can be automatically reconstructed and viewed
• The highly accurate graphics file identification search engine ensures that every byte is checked for integrity
• The software, when combined with other NTI software processes, operates in batch file mode for automatic processing
GFE Stealth (cont’d)
GFE Stealth is used:
• To find evidence in corporate, civil, and criminal investigations which involve computer graphics files
• Along with other computer forensic software, to quickly reconstruct and view previously deleted BMP, GIF, and JPEG graphics files
• "After the fact", to determine what files may have been viewed over or downloaded from the Internet
Tool: ILook
http://www.perlustro.com/
ILook is a multi-threaded, Unicode compliant, fast, and efficient forensic analysis tool designed to analyze an image taken from seized computer systems and other digital media
It can be used to examine images obtained from other forensic imaging tools that produce a raw bit stream image
Features:
• Supports FAT12, FAT16, FAT32, FAT32x, VFAT, NTFS, HFS, HFS+, Ext2FS, Ext3FS, SysV AFS, SysV EAFS, SysV HTFS, CDFS, Netware NWFS, Reiser FS, and ISO9660 file systems
• Granular extraction facilities which allow all or part of a file system to be extracted from an image
• It runs on Windows XP / Server platforms, both 32 and 64 bit versions
• It has file salvage (carve) facilities
Tool: P2 eXplorer
http://www.paraben-forensics.com/
P2 eXplorer allows you to mount your forensic image and explore it as though it were a drive on your machine while preserving the forensic nature of your evidence
Features:
• Mounts Paraben's Forensic Replicator images (PFR)
• Mounts compressed & encrypted PFR images
• Mounts EnCase images
• Mounts SafeBack 1 & 2 images
• Mounts WinImage non-compressed images
• Mounts RAW images from Linux DD & other tools
• Supports Dynamic drive images
• Auto-detects image format
• Supports both logical and physical image types
• MD5 hash verification
• Shell support for easy mounting/unmounting
• Write-protection for preserving evidence
• MD5 checksum verification
Tool: VisionStage
http://www.alliancevision.com/
VisionStage is an image acquisition software package which integrates a set of simplified functions for capturing images
It is designed for managing image sequences and for importing and exporting AVI files
Supports several frame grabber settings, such as gain, contrast, signal type, trigger and shutter, and digitization mode
It has a functional graphical interface for optimizing each step of the digitization process
Tool: VisionStage (cont'd)
Functions provided by VisionStage:
• Frame grabber configuration
• Choice of the trigger
• Dynamic "live image" visualization
• Acquisition of simple images or complete sequences
• Selection of a Region of Interest
• In sequence acquisition mode: Time Code generation and support
• Reading of image files, image folders, sequence files and AVI files
• Selection/suppression of images, sequences or parts of sequences
• External processing and analysis support for specific applications
Tool: Digital Pictures Recovery
http://www.photosrecovery.com/
Digital Pictures Recovery Tool recovers images from a camera's memory card
It recovers lost photos, files, and data from all media types
It recovers lost, deleted, and formatted digital photos on removable media and works with every type of digital card reader
It recovers lost or deleted digital photos from:
• CompactFlash
• Memory Stick Duo
• Memory Stick Pro
• SmartMedia
• Memory Stick Pro Duo
• miniSD
• SD Card
• MultiMediaCard (MMC)
• xD Picture Card
• Digital Cell Phones
• CDR / CDRW
• PDA
• Zip Disk
• Hard Disk
• Any compact flash
• Floppy Disk
Identifying Copyright Issues on Graphics
Section 106 of the 1976 Copyright Act:
The owner of copyright under this title has the exclusive rights to do and to authorize any of the following:
• (1) to reproduce the copyrighted work in copies or phonorecords;
• (2) to prepare derivative works based upon the copyrighted work;
• (3) to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending;
• (4) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly;
• (5) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly; and
• (6) in the case of sound recordings, to perform the copyrighted work publicly by means of a digital audio transmission
Case Study
Barracuda reels in image-based spam
Cara Garretson, July 19, 2006 (Network World)
Barracuda Networks Wednesday announced downloads for its email security appliances designed to help fend off the growing nuisance of image spam.
Image spam is unwanted email in which text is embedded in an image to foil traditional spam filters that catch spam by scanning messages for keywords and by using other text-based techniques. Barracuda says that approximately 25 percent of all unwanted e-mail today is image-based spam. The company's new downloads use optical character recognition (OCR) and fingerprint analysis to catch image-based spam, according to officials.
The OCR feature recognizes the embedded text and converts it to data so it can be scanned like any other piece of e-mail. The fingerprint analysis feature scans spam messages caught in Barracuda's honeypot network and breaks them down into components, assigning unique identifiers to each portion so they can be easily recognized. The software then compares incoming messages to this database of image-based spam fingerprints and flags those that match, officials say.
The free OCR and fingerprint analysis updates are available now to customers of Barracuda's Spam Firewall appliances. The company's enterprise version, designed for organizations with up to 25,000 users, is priced starting at $29,999 plus $6,599 for update services.
Summary
An image is an artifact that reproduces the likeness of some subject
A file format is ‘a particular way to encode information for storage in a computer file’
The standard image file formats include JPEG, GIF, BMP, TAG, and EPS
Data compression means encoding the data to take up less storage space and less bandwidth for transmission
Data is compressed by using a complex algorithm to reduce the size of a file
Lossy compression compresses data permanently by discarding some of the information contained in the file
Each image file format has a unique file header value; residual data from partially overwritten image headers can be found in file slack
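As an added worked example (not code from the EC-Council module or from any of the tools it lists), a small Python carver that puts the header-value point above and the deleted-image reconstruction described for GFE Stealth into practice: it scans a raw byte blob for JPEG, GIF and BMP signatures, reports a file whose trailer was overwritten as partial, sanity-checks BMP headers so a stray "BM" is not carved, and records an MD5 per carved file. SAMPLE_BLOB and every offset in it are constructed for the example.

```python
import hashlib
# Header/trailer signatures for the formats the module covers. BMP has no
# trailer; its length comes from the little-endian size field in its header.
JPEG_HDR, JPEG_TRL = b"\xff\xd8\xff", b"\xff\xd9"
GIF_HDRS, GIF_TRL = (b"GIF87a", b"GIF89a"), b"\x00\x3b"
BMP_HDR = b"BM"

def _record(kind, offset, data, complete):
    # The MD5 lets a carved file be matched against a known-file hash set.
    return {"type": kind, "offset": offset, "size": len(data),
            "complete": complete, "md5": hashlib.md5(data).hexdigest()}

def carve_images(blob):
    """Carve JPEG, GIF and BMP images out of raw bytes (file slack, unallocated
    space, a raw dd image). A JPEG/GIF whose trailer was overwritten is still
    reported, flagged complete=False, with the bytes that remain."""
    found = []
    for sigs, trl, kind in (((JPEG_HDR,), JPEG_TRL, "jpeg"),
                            (GIF_HDRS, GIF_TRL, "gif")):
        for sig in sigs:
            pos = 0
            while (pos := blob.find(sig, pos)) != -1:
                end = blob.find(trl, pos + len(sig))
                if end == -1:                       # trailer gone: partial file
                    found.append(_record(kind, pos, blob[pos:], False))
                    break
                found.append(_record(kind, pos, blob[pos:end + len(trl)], True))
                pos = end + len(trl)
    pos = 0
    while (pos := blob.find(BMP_HDR, pos)) != -1:
        hdr = blob[pos:pos + 14]                    # BITMAPFILEHEADER is 14 bytes
        size = int.from_bytes(hdr[2:6], "little")
        pixel_off = int.from_bytes(hdr[10:14], "little")
        # Sanity-check the header so a stray "BM" in unrelated data is skipped.
        if len(hdr) == 14 and hdr[6:10] == b"\x00" * 4 and 14 < pixel_off <= size:
            data = blob[pos:pos + size]
            found.append(_record("bmp", pos, data, len(data) == size))
            pos += len(data)
        else:
            pos += len(BMP_HDR)
    return sorted(found, key=lambda r: r["offset"])

# Constructed sample "ambient data" (not real evidence): filler, an intact JPEG
# stub, slack, an intact GIF stub, a stray "BM", a minimal 58-byte BMP and a
# JPEG whose trailer has been overwritten.
SAMPLE_BLOB = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF-PAYLOAD\xff\xd9" + b"slack"
               + b"GIF89a\x01\x00\x01\x00\x00\x3b" + b"BMXY"
               + b"BM" + (58).to_bytes(4, "little") + b"\x00" * 4
               + (54).to_bytes(4, "little") + b"\x00" * 44
               + b"\xff\xd8\xff\xe1TRUNCATED")
```

Running carve_images(SAMPLE_BLOB) yields four records in offset order; the last one is the truncated JPEG with complete=False, which is the case an examiner must review by hand rather than trust as an intact file.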