Slide 1ObjectivesRecognizing a Graphics FileUnderstanding Bitmap and Raster ImagesUnderstanding Vector GraphicsUnderstanding Metafile GraphicsUnderstanding Graphics File FormatsUnderstanding Graphics File Formats (continued)Understanding Digital Camera File FormatsUnderstanding Digital Camera File Formats (continued)Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Understanding Data CompressionLossless and Lossy CompressionLocating and Recovering Graphics FilesIdentifying Graphics File FragmentsRepairing Damage HeadersSearching for and Carving Data from Unallocated SpaceSearching for and Carving Data from Unallocated Space (continued)Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Rebuilding File HeadersRebuilding File Headers (continued)Slide 33Slide 34Slide 35Slide 36Reconstructing File FragmentsReconstructing File Fragments (continued)Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Identifying Unknown File FormatsAnalyzing Graphics File HeadersAnalyzing Graphics File Headers (continued)Slide 48Tools for Viewing ImagesUnderstanding Steganography in Graphics FilesSlide 51Understanding Steganography in Graphics Files (continued)Slide 53Slide 54Slide 55Using Steganalysis ToolsIdentifying Copyright Issues with GraphicsSummarySummary (continued)Slide 60Chapter 10Recovering Graphics FilesGuide to Computer Forensics and InvestigationsFourth EditionGuide to Computer Forensics and Investigations 2Objectives•Describe types of graphics file formats•Explain types of data compression•Explain how to locate and recover graphics files•Describe how to identify unknown file formats•Explain copyright issues with graphicsGuide to Computer Forensics and Investigations 3Recognizing a Graphics File•Contains digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures –Bitmap images: collection of dots–Vector graphics: based on mathematical instructions–Metafile graphics: combination of bitmap and vector•Types of programs–Graphics editors–Image viewersGuide to Computer Forensics and Investigations 4Understanding Bitmap and Raster Images•Bitmap images–Grids of individual pixels•Raster images–Pixels are stored in rows–Better for printing•Image quality–Screen resolution–Software–Number of color bits used per pixelGuide to Computer Forensics and Investigations 5Understanding Vector Graphics•Characteristics–Lines instead of dots–Store only the calculations for drawing lines and shapes–Smaller size–Preserve quality when image is enlarged•CorelDraw, Adobe IllustratorGuide to Computer Forensics and Investigations 6Understanding Metafile Graphics•Combine raster and vector graphics•Example–Scanned photo (bitmap) with text (vector)•Share advantages and disadvantages of both types–When enlarged, bitmap part loses qualityGuide to Computer Forensics and Investigations 7Understanding Graphics File Formats•Standard bitmap file formats–Graphic Interchange Format (.gif)–Joint Photographic Experts Group (.jpeg, .jpg)–Tagged Image File Format (.tiff, .tif)–Window Bitmap (.bmp)•Standard vector file formats–Hewlett Packard Graphics Language (.hpgl)–Autocad (.dxf)Guide to Computer Forensics and Investigations 8Understanding Graphics File Formats (continued)•Nonstandard graphics file formats–Targa (.tga)–Raster Transfer Language (.rtl)–Adobe Photoshop (.psd) and Illustrator (.ai)–Freehand (.fh9)–Scalable Vector Graphics (.svg)–Paintbrush (.pcx)•Search the Web for software to manipulate unknown image formatsGuide to Computer Forensics and Investigations 9Understanding Digital Camera File Formats•Witnesses or suspects can create their own digital photos•Examining the raw file format–Raw file format•Referred to as a digital negative•Typically found on many higher-end digital cameras–Sensors in the digital camera simply record pixels on the camera’s memory card–Raw format maintains the best picture qualityGuide to Computer Forensics and Investigations 10Understanding Digital Camera File Formats (continued)•Examining the raw file format (continued)–The biggest disadvantage is that it’s proprietary•And not all image viewers can display these formats–The process of converting raw picture data to another format is referred to as demosaicing•Examining the Exchangeable Image File format–Exchangeable Image File (EXIF) format•Commonly used to store digital pictures•Developed by JEIDA as a standard for storing metadata in JPEG and TIFF filesGuide to Computer Forensics and Investigations 11Understanding Digital Camera File Formats (continued)•Examining the Exchangeable Image File format (continued)–EXIF format collects metadata•Investigators can learn more about the type of digital camera and the environment in which pictures were taken–EXIF file stores metadata at the beginning of the fileGuide to Computer Forensics and Investigations 12Understanding Digital Camera File Formats (continued)Guide to Computer Forensics and Investigations 13Understanding Digital Camera File Formats (continued)Guide to Computer Forensics and Investigations 14Understanding Digital Camera File Formats (continued)Guide to Computer Forensics and Investigations 15Understanding Digital Camera File Formats (continued)•Examining the Exchangeable Image File format (continued)–With tools such as ProDiscover and Exif Reader•You can extract metadata as evidence for your caseGuide to Computer Forensics and Investigations 16Guide to Computer Forensics and Investigations 17Understanding Data Compression•Some image formats compress their data–GIF, JPEG, PNG•Others, like BMP, do not compress their data–Use data compression tools for those formats•Data compression–Coding of data from a larger to a smaller form–Types•Lossless compression and lossy compressionGuide to Computer Forensics and Investigations 18Lossless and Lossy Compression•Lossless compression–Reduces file size without removing data–Based on Huffman or Lempel-Ziv-Welch coding•For redundant bits of data–Utilities: WinZip, PKZip, StuffIt, and FreeZip•Lossy compression–Permanently discards bits of information–Vector quantization (VQ)•Determines what data to discard based on vectors in the graphics file–Utility: LzipGuide to Computer Forensics and Investigations 19Locating and Recovering Graphics Files•Operating system tools–Time consuming–Results are difficult to verify•Computer