04 - Media Files and Digital Forensics
Class: CYBR-405
Notes:
Module Objectives
By the end of this module, you should be able to:
- Identify different types of media files
- Summarize data compression and obfuscation
- Define data-hiding techniques
- Explain how to locate and recover media files
- Explain digital evidence validation and discrimination techniques
- Describe an examination plan
Images
Recognizing a Graphics File
Graphics files contain digital photographs, line art, three-dimensional images, text data converted to images, and scanned replicas of printed pictures
- Bitmap images: collection of dots
- Vector graphics: based on mathematical instructions
- Metafile graphics: combination of bitmap and vector
Bitmap vs Vector
- Vector: just a mathematical instruction that says "make me a circle and fill it with a color gradient"; it looks smooth the whole time, at any zoom level
- Bitmap: loses its integrity when you zoom in
Understanding Metafile Graphics
Metafile graphics combine raster and vector graphics
Example
Scanned photo (bitmap) with text or arrows (vector)
Share advantages and disadvantages of both types
When enlarged, bitmap part loses quality
Standard graphics file formats
Common file formats
- Portable Network Graphic (.png)
- Graphic Interchange Format (.gif)
- Joint Photographic Experts Group (.jpeg, .jpg)
- Tagged Image File Format (.tiff, .tif)
- Windows Bitmap (.bmp)
- Raw file format (.raw)
- Referred to as a digital negative
- Raw format maintains the best picture quality
Understanding Graphics File Formats
Nonstandard graphics file formats
- Targa (.tga)
- Raster Transfer Language (.rtl)
- Adobe Photoshop (.psd) and Illustrator (.ai)
- Freehand (.fh11)
- Scalable Vector Graphics (.svg)
- Paintbrush (.pcx)
Audio and Video File Formats
- Audio and video files come in many different formats
- The most common current audio and video file formats include:
- Apple QuickTime Movie (.mov)
- Audio Video Interleave (.avi)
- Motion Picture Expert Group (MPEG)
Identifying Unknown File Formats
- Knowing the purpose of each format and how it stores data is part of the investigation process
- The Internet is the best source
- Search engines
- Find explanations and viewers
- Popular Web sites
- FileFormat.info
- Extension Informer
- The Graphics File Formats Page
Viewing and Examining Media Files
- In addition to Windows Photos, other media viewing programs include the following:
- FastPictureViewer Pro
- FastStone
- Irfanview Graphic Viewer
- VLC Media Player
- When working with Windows OSs, the digital forensics examiner may find additional evidence by examining the content of thumbnail cache (Thumbs.db) files
- On digital cameras and smartphones, photo and video files are typically stored in a Digital Camera Image (DCIM) folder
- DCIM is part of the Design rule for Camera File system (DCF)
- The DCF folder and file structure recommendations are as follows:
- Subfolder names have three numbers followed by five letters
- Graphic file names have three letters with four numbers followed by the file type extension
Notes:
- You might find digital evidence by examining the contents of the thumbnail
Examining the Exchangeable Image File Format
- Exif format collects metadata
- Investigators can learn more about the type of digital device and the environment in which photos were taken
- Viewing an Exif metadata requires special programs
- Exif Reader, ExifTool, IrfanView, or Magnet Forensics AXIOM
- Exif file stores metadata at the beginning of the file
Notes:
- Metadata = data about data (about the file itself)
- Stored at the beginning of the file
EXIF (Exchangeable Image File Format)
- Also Known As (AKA)
- Properties
- Metadata
- Camera Manufacturer
- Camera Model
- Date/Time (photograph was taken)
- Exposure Time
- ISO Speed
- GPS Information (when available)
- and more.
Notes:
- We can add fields to the EXIF data and store that information as well
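As an added example (not from the notes or from any of the tools named above), here is a minimal parser for the Exif APP1 segment that sits at the beginning of a JPEG, run against a constructed JPEG prefix; the tag ids 0x010F, 0x0110 and 0x0132 are the real Make, Model and DateTime tags, and the sample values are made up.

```python
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}  # real Exif/TIFF tag ids
def build_exif(fields):
    """Build a little-endian TIFF blob with one IFD of ASCII tags (constructed sample data)."""
    n = len(fields)
    ifd_off = 8                                   # the IFD follows the 8-byte TIFF header
    data_off = ifd_off + 2 + 12 * n + 4           # values longer than 4 bytes go after the IFD
    entries, data = b"", b""
    for tag, text in fields:
        val = text.encode("ascii") + b"\x00"      # ASCII values are NUL-terminated
        if len(val) <= 4:                         # short values live inside the 12-byte entry
            entries += struct.pack("<HHI4s", tag, 2, len(val), val.ljust(4, b"\x00"))
        else:                                     # long values are referenced by offset
            entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(data))
            data += val
    return b"II" + struct.pack("<HIH", 42, ifd_off, n) + entries + b"\x00" * 4 + data

def parse_exif(tiff):
    """Walk the 0th IFD and return {tag name: value} for the ASCII tags it contains."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order comes from the TIFF header
    ifd_off = struct.unpack(order + "I", tiff[4:8])[0]
    n = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(n):
        e = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        if typ != 2:                              # type 2 = ASCII; other types are skipped here
            continue
        if count <= 4:
            raw = tiff[e + 8:e + 8 + count]
        else:
            off = struct.unpack(order + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + count]
        out[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return out

def exif_from_jpeg(jpeg):
    """Read the Exif APP1 segment that sits right after the JPEG SOI marker."""
    if jpeg[:4] != b"\xFF\xD8\xFF\xE1":           # SOI marker followed by APP1 marker
        raise ValueError("no APP1 segment at start of file")
    seg_len = struct.unpack(">H", jpeg[4:6])[0]   # segment length includes its own 2 bytes
    seg = jpeg[6:4 + seg_len]
    if seg[:6] != b"Exif\x00\x00":
        raise ValueError("APP1 segment is not Exif")
    return parse_exif(seg[6:])

# Constructed sample: a JPEG prefix carrying Make, Model and DateTime (no image data follows).
SAMPLE_TIFF = build_exif([(0x010F, "ACME"), (0x0110, "X1"), (0x0132, "2026:02:02 09:45:31")])
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(SAMPLE_TIFF) + 8) + b"Exif\x00\x00" + SAMPLE_TIFF
```

A real camera file adds a GPS sub-IFD and many non-ASCII tags; the same entry layout applies, which is why tools like ExifTool can read them all.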
EXIF Information
Image Properties
Notes:
- There are web tools that map the location from the latitude and longitude found in the metadata
- PIC2MAP
Understanding Data Compression
- Data compression is the process of coding data from a larger form to a smaller form
- Graphics files and most compression tools use one of two data compression schemes: lossless or lossy
- Lossless compression techniques reduce file size without removing data
- Based on Huffman or Lempel-Ziv-Welch coding, which uses a code to represent redundant bits of data
- Utilities: WinZip, PKZip, StuffIt, 7zip, and FreeZip
- Lossy compression compresses data by permanently discarding bits of information
- Vector quantization (VQ) is a form of lossy compression that uses complex algorithms to determine what data to discard based on vectors in the graphics file
- Utility: Lzip
- Lossless compression produces an exact replica of the original data after it has been uncompressed
- Lossy compression typically produces an altered replica of the data
Notes:
- Data removed by lossy compression cannot be recovered; that image detail is lost forever
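Added example, not from the notes: a small Lempel-Ziv-Welch encoder and decoder to show the lossless round trip, beside a lossy quantization step whose discarded bits cannot be recovered; both inputs are constructed.

```python
def lzw_compress(data):
    """Lossless: emit dictionary codes for repeated byte sequences (Lempel-Ziv-Welch)."""
    table = {bytes([i]): i for i in range(256)}   # single bytes get codes 0..255
    w, codes = b"", []
    for c in data:
        wc = w + bytes([c])
        if wc in table:
            w = wc                                 # keep extending the current match
        else:
            codes.append(table[w])                 # emit the code for the longest known prefix
            table[wc] = len(table)                 # learn the new sequence
            w = bytes([c])
    if w:
        codes.append(table[w])
    return codes

def lzw_decompress(codes):
    """Rebuild the dictionary on the fly; output is byte-for-byte identical to the input."""
    if not codes:
        return b""
    table = {i: bytes([i]) for i in range(256)}
    w = table[codes[0]]
    out = bytearray(w)
    for k in codes[1:]:
        if k in table:
            entry = table[k]
        elif k == len(table):                      # the KwKwK special case
            entry = w + w[:1]
        else:
            raise ValueError("corrupt code stream")
        out += entry
        table[len(table)] = w + entry[:1]
        w = entry
    return bytes(out)

def quantize(samples, step):
    """Lossy: round each 8-bit sample down to a multiple of step; the low bits are gone for good."""
    return bytes((s // step) * step for s in samples)

# Constructed inputs: a highly redundant byte string and a short run of grayscale samples.
REDUNDANT = b"ABABABABABABABABAB" * 8
SAMPLES = bytes(range(0, 256, 17))
```

Quantized samples still compress losslessly afterwards, which is how a JPEG pipeline works: the loss happens once at quantization, the entropy coding after it is exact.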
Steganography
What is Steganography
Steganós + Graphia
(covered or concealed) + (writing)
Notes:
- Osama Bin Laden was sending images with steganography hidden
- He was sending secret messages with images
Steganography in Graphics Files
- Two major forms of steganography are insertion and substitution
- Insertion places data from the secret file into the host file
- Hidden data is not displayed when viewing the host file in its associated program
- You need to analyze the data structure carefully
Inspect Images
Notes:
- Does Gmail show you images rendered in an email?
- Those attachments can have hidden pixels
- With these we can know if someone checked that email
- Substitution replaces bits of the host file with other bits of data
- Least Significant Bit (LSB)
- If we change just the last bit or two of each pixel value and store a secret message in those bits, the difference probably won't be noticeable.
- The more you change, the more noticeable it becomes
Can you tell the difference?
- Use steganalysis tools (also called "steg tools") to detect, decode, and record hidden data
- A steg tool can also detect variations of the graphic image
- When done correctly you cannot detect hidden data in most cases unless you compare the altered file with the original file
- Check to see whether the file size, image quality, or file extensions have changed
- Clues to look for include the following:
- Duplicate files with different hash values
- Steganography programs installed on the suspect's drive
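Added example (not from the notes or from any steg tool) covering both the LSB substitution described above and the examiner's clues listed here: a message is written into the least significant bit of a constructed grayscale buffer, and the checks show why the altered file is only caught by comparison with the original (same size, different hash, every sample off by at most 1).

```python
import hashlib

def embed_lsb(cover, message):
    """Substitution: overwrite the least significant bit of successive 8-bit samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for message")
    stego = bytearray(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | b          # keep the top 7 bits, replace the LSB
    return bytes(stego)

def extract_lsb(stego, n_bytes):
    """Reassemble n_bytes of message from the LSB of the first 8*n_bytes samples."""
    out = bytearray()
    for k in range(n_bytes):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[8 * k + i] & 1)
        out.append(v)
    return bytes(out)

def examiner_checks(original, suspect):
    """The clues from the notes: same size, hashes differ, yet each sample moved by at most 1."""
    deltas = [abs(a - b) for a, b in zip(original, suspect)]
    return {
        "same_size": len(original) == len(suspect),
        "hash_changed": hashlib.sha256(original).digest() != hashlib.sha256(suspect).digest(),
        "samples_changed": sum(1 for d in deltas if d),
        "max_sample_delta": max(deltas),
    }

# Constructed cover: 256 grayscale samples of a smooth gradient (no real image file).
COVER = bytes((i * 7) % 256 for i in range(256))
SECRET = b"hi"
STEGO = embed_lsb(COVER, SECRET)
```

Without the original to diff against, a change of 1 in 255 per sample is invisible to the eye, which is why the notes point to file-system clues (duplicate files with different hashes, steg software on the drive) rather than the picture itself.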
YouTube channel for CTF challenges: Marty Carlos