Recovering Graphics Files

Recognizing a Graphics File

  • Graphic Files: Contain digital photographs, line art, three-dimensional images, text data converted to images, and scanned replicas of printed pictures.

  • Bitmap images: Are collections of dots, or pixels, in a grid format that form a graphic.

  • Vector Graphics: Are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

  • Metafile graphics: Are combinations of bitmap and vector images.

Understanding Bitmap and Raster Images

  • Bitmap Images: Store graphic information as grids of pixels (picture elements).

  • Raster Images: Also collections of pixels, but they store pixels in rows to make images easy to print.

  • Resolution: Determines the amount of detail that is displayed in an image.

  • Graphics files can have different amounts of color per pixel; the number of colors a file supports depends on the number of bits stored for each pixel.

    • 1 bit = 2 colors

    • 4 bits = 16 colors

    • 8 bits = 256 colors

    • 16 bits = 65,536 colors

    • 24 bits = 16,777,216 colors

    • 32 bits = 4,294,967,296 colors

Understanding Vector Graphics

  • Vector graphics use lines instead of dots to make up an image.

  • Vector File: Stores only the calculations for drawing lines and shapes; graphic programs convert these calculations into an image.

  • Vector files are typically smaller than bitmap files because they contain calculations rather than images, thereby conserving disk space.

  • You can also double the size of a vector graphic without degrading the image's quality.

Understanding Metafile Graphics

  • Metafile graphics combine raster and vector graphics and can have the characteristics of both file types.

  • You construct a metafile graphic by scanning a photograph (a bitmap image) and then adding text or arrows (vector drawings).

  • Although metafile graphics possess the characteristics of both bitmap and vector files, they also share their limitations.

  • When you enlarge a metafile image, the bitmap-formatted area loses resolution while the vector-formatted area remains crisp and distinct.

Understanding Graphics File Formats

  • Graphics files are created and saved in a graphics editor.

  • Most graphics editors enable you to create and save files in one or more of the standard graphics file formats.

  • Standard bitmap file formats include:

    • Portable Network Graphic (PNG)

    • Graphics Interchange Format (GIF)

    • Joint Photographic Experts Group (JPEG; JPG)

    • Tagged Image File Format (TIFF; TIF)

    • Windows Bitmap (BMP)

  • Standard vector file formats include:

    • Hewlett-Packard Graphics Language (HPGL)

    • AutoCAD (DXF)

  • Nonstandard graphics file formats include less common formats:

    • Targa (TGA)

    • Raster Transfer Language (RTL)

    • Photoshop (PSD)

    • Illustrator (AI)

    • Freehand (FHLL)

    • Scalable Vector Graphics (SVG)

    • Paintbrush (PCX)

Understanding Digital Photograph File Formats

  • Raw File Format: It is typically used on many high-end digital cameras.

  • Demosaicing: The process of converting raw picture data to another format.

  • Exchangeable Image File Format: Developed by the Japan Electronics and Information Technology Industries Association (JEITA) as a standard for storing metadata in JPEG and TIF files.


Understanding Data Compression

  • Data Compression: The process of coding data from a larger form to a smaller form.

Lossless and Lossy Compression

  • Lossless compression: A technique that reduces file size without removing data.

    • When you decompress a file compressed with lossless compression, you recover all of its data.

  • Lossy compression: It compresses data by permanently discarding bits of information in the file.

    • When decompressing a graphic file with lossy compression, information is lost.

  • Vector Quantization (VQ): It uses complex algorithms to determine what data to discard based on vectors in the graphics file.

Locating and Recovering Graphics Files

  • In a digital forensics case involving graphics files, you must locate and recover all graphics files on the suspect drive and determine which are relevant to the investigation.

  • Each image file contains a header containing instructions for displaying the image; this header information is used to determine the file format.

  • However, the header is complex and difficult to remember; rather than memorizing header information, you can compare the header of a known good file with that of a suspect file.

  • Before examining a graphics file header, it is frequently necessary to reconstruct a fragmented graphics file.

  • To accomplish this, you must identify the data patterns utilized by the image file. If a portion of the file header has been overwritten by other data, it may be necessary to also restore the damaged header.

  • You can then conduct a forensics analysis on a graphics file by recreating the file's header. These methods are described in the sections that follow.

Identifying Graphics File Fragments

  • Before re-creating a graphics file that has been fragmented across different regions of a disk, you must recover every fragment.

  • Carving: Recovering any type of file fragments.

  • You should be familiar with the data patterns of well-known graphics file types in order to carve a graphics file's data from file slack space and free space.

  • After recovering a graphics file's pieces, you restore it to continue your analysis.

Repairing Damaged Headers

  • When you look through fragments recovered from slack or free space, you may come across data that appears to be a header for a common graphics file type.

  • By matching the hexadecimal values of well-known graphics file formats with the pattern of the file header you uncovered, you can recreate partially overwritten header data to make it readable.

  • Each type of graphics file has its own header value.

  • You can identify data from partially overwritten headers in file slack or free space once you are familiar with these header values.

  • A JPEG file begins with the hexadecimal header value FFD8; the label for a standard JPEG or Exif file follows at offset 6.
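
The header comparison and repair described above, as an added example that is not part of the original notes. The signature bytes are the published values for each format; the function names and the damaged fragment are constructed for illustration.

```python
# Known-good leading bytes (published file signatures) for common bitmap formats.
SIGNATURES = {
    "JPEG": bytes.fromhex("FFD8FF"),
    "PNG": bytes.fromhex("89504E470D0A1A0A"),
    "GIF": b"GIF8",
    "BMP": b"BM",
    "TIFF (little-endian)": b"II*\x00",
    "TIFF (big-endian)": b"MM\x00*",
}

# Header of a known-good standard JPEG: FFD8, APP0 marker FFE0, length 0010,
# then the "JFIF" label at offset 6.
KNOWN_GOOD_JFIF = bytes.fromhex("FFD8FFE000104A46494600")


def identify(data: bytes):
    """Return the format whose signature starts the data, or None."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def header_diff(known_good: bytes, suspect: bytes):
    """List (offset, expected, found) for each header byte that differs."""
    return [(i, g, s) for i, (g, s) in enumerate(zip(known_good, suspect)) if g != s]


def repair_jpeg_header(fragment: bytes):
    """Rebuild the first four bytes when the label at offset 6 survived.

    Returns a repaired copy, or None when no JFIF/Exif label is present.
    """
    label = fragment[6:10]
    if label == b"JFIF":
        marker = b"\xFF\xE0"   # APP0 segment carries the JFIF label
    elif label == b"Exif":
        marker = b"\xFF\xE1"   # APP1 segment carries the Exif label
    else:
        return None
    return b"\xFF\xD8" + marker + fragment[4:]


# Constructed fragment: first four header bytes overwritten, the rest intact.
DAMAGED = b"zFzF" + KNOWN_GOOD_JFIF[4:] + bytes(32)

if __name__ == "__main__":
    print(identify(DAMAGED), header_diff(KNOWN_GOOD_JFIF, DAMAGED))
    print(identify(repair_jpeg_header(DAMAGED)))
```

The repair returns a new byte string, so the recovered fragment itself stays unmodified and can still be hashed as evidence.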

Reconstructing File Fragments

  • Locate and export all fragmented file sectors.

  • Determine the beginning and ending cluster numbers for every group of fragmented sectors.

  • Copy each group of fragmented sectors in their correct order to a recovery file.

  • Rebuild the file's header so that a graphics viewer can read it.

  • Add the extension .txt to all copied sectors.
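
The carving and reconstruction steps above, sketched as an added example that is not part of the original notes. The 512-byte cluster size, the function names and the eight-cluster disk image are assumptions constructed for the demonstration.

```python
CLUSTER = 512                       # assumed cluster size for the constructed image
JPEG_SOI = bytes.fromhex("FFD8FF")  # start-of-image signature
JPEG_EOI = bytes.fromhex("FFD9")    # end-of-image marker


def header_clusters(image: bytes, signature: bytes = JPEG_SOI):
    """Cluster numbers whose first bytes match the signature (carving start points)."""
    return [n for n in range(len(image) // CLUSTER)
            if image.startswith(signature, n * CLUSTER)]


def assemble(image: bytes, groups):
    """Copy each (first_cluster, last_cluster) group, in the order given, into one buffer."""
    out = bytearray()
    for first, last in groups:
        out += image[first * CLUSTER:(last + 1) * CLUSTER]
    return bytes(out)


def trim_slack(data: bytes):
    """Drop the slack that follows the last end-of-image marker, if one is present."""
    end = data.rfind(JPEG_EOI)
    return data if end == -1 else data[:end + len(JPEG_EOI)]


def constructed_disk():
    """Build an 8-cluster image holding one JPEG-like file split into two fragments."""
    original = bytes.fromhex("FFD8FFE000104A46494600") + b"\x11" * 1200 + JPEG_EOI
    padded = original.ljust(3 * CLUSTER, b"\x00")
    disk = bytearray(8 * CLUSTER)
    disk[5 * CLUSTER:7 * CLUSTER] = padded[:2 * CLUSTER]   # file clusters 0-1 at disk 5-6
    disk[2 * CLUSTER:3 * CLUSTER] = padded[2 * CLUSTER:]   # file cluster 2 at disk 2
    return bytes(disk), original


if __name__ == "__main__":
    disk, original = constructed_disk()
    print("header found in clusters:", header_clusters(disk))
    recovered = trim_slack(assemble(disk, [(5, 6), (2, 2)]))
    print("recovered matches original:", recovered == original)
```

Group order matters: passing the groups as they appear on disk, (2, 2) then (5, 6), yields a buffer that no longer starts with the JPEG signature.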


Identifying Unknown File Formats

Analyzing Graphics File Headers

  • When you discover new or unusual file types that forensics tools do not recognize, you should analyze the graphics file headers.

  • Using a hexadecimal editor such as WinHex is the simplest method to access a file's header.

  • You can then record the hexadecimal values found in the header and use them to define the file type.

  • TIF is a well-established file format for sending faxes and publishing printed materials.

Understanding Steganography in Graphics Files

  • Steganography: A data hiding technique used to hide information inside an image.

  • Insertion Steganography: It places data from the secret file into the host file.

    • Unless you thoroughly examine the data structure, the inserted data is hidden when you view the host file in its associated program.

  • Substitution Steganography: It replaces bits of the host file with other bits of data.

    • For instance, bits used for pixels and colors in a bitmap file are replaced with concealed data.

Using Steganalysis Tools

  • Several steganalysis tools can be used to detect, decode, and record concealed data, even in renamed files designed to conceal their contents.

  • These tools can also detect variations in an image.

  • If a graphics file has been renamed, a steganalysis utility can determine the file format from the file's header and determine whether or not the file contains an image.

  • In the majority of instances, unless you compare the altered file to the original file, it is impossible to detect the hidden data if steganography is executed accurately.
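
Two checks an examiner can run on a bitmap file, as an added example that is not part of the original notes: one for inserted data stored past the size the header declares, one comparing a suspect file against a known original for substituted bits. The function names and all three sample files are constructed for illustration.

```python
import struct


def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Constructed 24-bit BMP (rows already padded to 4 bytes) used as sample input."""
    offset = 54
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def declared_layout(bmp: bytes):
    """Return (declared file size, pixel data offset) from the BMP file header."""
    size, _, _, offset = struct.unpack_from("<IHHI", bmp, 2)
    return size, offset


def appended_data(bmp: bytes) -> bytes:
    """Insertion check: bytes stored past the size the header declares."""
    size, _ = declared_layout(bmp)
    return bmp[size:]


def pixel_diff(original: bytes, suspect: bytes):
    """Substitution check: compare the pixel arrays of a known original and a suspect."""
    o_size, o_off = declared_layout(original)
    s_size, s_off = declared_layout(suspect)
    pairs = list(zip(original[o_off:o_size], suspect[s_off:s_size]))
    changed = [(a, b) for a, b in pairs if a != b]
    return {
        "changed": len(changed),
        "total": len(pairs),
        # True when every altered byte differs only in its least significant bit
        "lsb_only": bool(changed) and all((a ^ b) == 1 for a, b in changed),
    }


# Constructed samples: a 4x2 image, a copy with trailing bytes, a copy with altered low bits.
PIXELS = bytes(range(100, 124))
ORIGINAL = make_bmp(PIXELS, 4, 2)
INSERTED = ORIGINAL + b"CONSTRUCTED-TRAILER"
SUBSTITUTED = make_bmp(bytes(b ^ 1 if i in (0, 3, 5, 6) else b
                             for i, b in enumerate(PIXELS)), 4, 2)

if __name__ == "__main__":
    print(appended_data(INSERTED))
    print(pixel_diff(ORIGINAL, SUBSTITUTED))
```

The substituted copy has the same size and a valid header, so only the comparison against the original reveals the change.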


Understanding Copyright Issues with Graphics

  • By embedding digital watermarks within a file, steganography has also been used to protect copyrighted content.

  • Digital investigators must be aware of copyright laws when working with graphic files, particularly in corporate environments where they frequently collaborate with the legal department to prevent copyright violations.

  • Additionally, investigators may need to determine if a photograph comes from a known copyrighted source.

  • The U.S. Copyright Office determines what can and cannot be protected by U.S. copyright law.

  • Copyright: Protects “original works of authorship” that are fixed in a tangible form of expression.

  • Copyrightable works include the following categories:

    • literary works;

    • musical works, including any accompanying words;

    • dramatic works, including any accompanying music;

    • pantomimes and choreographic works;

    • pictorial, graphic, and sculptural works;

    • motion pictures and other audiovisual works;

    • sound recordings;

    • architectural works.

  • Fair Use: A legal doctrine that promotes freedom of expression by permitting the unlicensed use of copyright-protected works in certain circumstances.

    • A brief direct quote for news reporting or criticism is considered fair use, and the material's author or proprietor is not required to be compensated.

    • Material used for educational and noncommercial purposes is also considered fair use.

    • If, however, the instructor submits the book to a printer for duplication and pays the printer, a copyright violation has occurred because a commercial printer was paid to copy the book, even though the copies were intended for educational purposes.
