Professional Documents
Culture Documents
1, JUNE 2007 1
AbstractIn many instances computer forensic practitioners JPEG images to be shared and recognized amongst foreign
come across digital photographs within an investigation. Ex- applications.
amples include law enforcement examining computers for child
In 1996, Digital Still Camera Image File Format Standard
pornography, intellectual property disputes involving proprietary
digital images, or file recovery for individuals who have lost (Exif: Exchangeable image file format) was published, which
personal photos due to accidental deletion or electronic media is referenced as EXIF Format ISO 12234-1 [2] by Japan
corruption. More technical examples include locating stegano- Electronic Industry Development Association (JEIDA)
graphic images and digital rights management. Also in 1996, a competing file format standard was pub-
Photographic images residing on electronic media most likely
originated from digital still cameras (DSC). To identify the
lished by Eastman Kodak, FlashPix Format Specification.
origin of a DSC image, a forensic examiner should understand Though FlashPix was adopted by Eastman Kodak in collabora-
the characteristics of a DSC image. tion with Hewlett-Packard, Microsoft, and Live Picture, it did
This paper describes some of the characteristics associated not gain wide acceptance with some of the other manufacturers
with DSC images. Knowledge allows a forensic practitioner of DSCs.
to isolate specific attributes within a DSC image to identify
exact replicas, derivates, or additional images that fall within In 1997, Canon published CIFF Specification on Image
a particular group set. Data File to specify its camera image file format (CIFF).
This paper further outlines some open source software that CIFF was intended to become a standard file system to be
can be used to extract images based upon the characteristics of adopted for removable media used to store images by DSCs,
a DSC image. such as SmartMedia, Compact Flash Disks, Memory Sticks,
Index TermsDigital Still Camera, JPEG Metadata, JFIF or San Disks.
Metadata, DCF Metadata, Exif Metadata, Linux Forensics, In 1998, JEIDA wrote Design rule for Camera File system
Recover pictures, Recover digital photos, Digital photo forensics,
(DCF), a FAT based file system which is now the generally
DSC, Jpeg header, Exif header, USB, DSC images
accepted format and replaced the CIFF architecture.
In 2002, Japan Electronics and Information Technology
I. A B RIEF H ISTORY OF THE DIGITAL STILL IMAGE Industries Association (JEITA), formerly JEIDA, published
Exchangeable image file format for digital still cameras: Exif
T HE file extension .jpg is most commonly referred to as
the JPEG file format - a lossy1 compression method that
takes advantage of the limitation of the human eye. (ITU-T
Version 2.2.
Prior to the development of inexpensive DSCs, scanners
T81) were used on a much larger scale. In 1986, the Aldus Cor-
poration wrote the TIFF specification. TIFF is the standard
In 1983, the International Organization for Standardization
for scanning an image without compression. Much of the
(ISO) started to look into methods for adding high resolu-
Exif metadata comes from the document TIFF Revision 6.0
tion graphics and pictures onto computers (at that time text
published by Aldus in 1992. There are other digital image
based terminals). Three years later, the Joint Photographic
standards such as JPEG2000, JPEG-LS, and SPIFF; however,
Experts Group (JPEG) was formed by the International
for the purpose of this paper, we will not be describing them.
Telegraph and Telephone Consultative Committee (CCITT)
and ISO/IEC to develop a standard procedure for encoding As of the writing of this article, Exif is the most current
grayscale and color images. JPEG published Information standard for DSCs. Exif incorporates the best features of
Technology - Digital Compression and Coding of Continuous- JPEG, JFIF, TIFF, and DCF while allowing for backwards
tone Still images - Requirements and guidelines, otherwise compatibility of FlashPix, CIFF, and other proprietary formats.
known as the JPEG specifications for encoding and decoding
compressed images, which is referenced as ISO 10918-1 or
ITU-T T.81 (ITU stands for International Telecommunication A. Analysis of metadata in a .JPG Image
Union, which is an agency within the United Nations. CCITT The term metadata refers to data about data. The most
is a part of the ITU). common interpretation of metadata is the information found
In 1992, Eric Hamilton wrote JPEG File Interchange within the directory entries of a FAT file system that describes
Format (JFIF) which calls for some metadata information the cluster chains associated with file data, or more recently
regarding the JPEG images to be shared outside of the entropy the Master File Table (MFT) Entry describing a data portion
encoded data segments. This additional information allows of a file within an NTFS partition. The MFT Entry describes
the creation time, modified time, accessed time, written time,
1 Lossy - The opposite of lossy is lossless. The term lossy is used to express
file name, file extension, file size, location of file data, owner,
slight degradation from the original image. Since the human eye does not
notice sharp changes in brightness of color, lossy compression can alter images file permissions, and other attributes associated with the file
with little or no visual effect. data.
SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007 2
C. JFIF Metadata
JPEG File Interchange Format adds some additional infor-
mation to the JPEG image which enables foreign applications
to read and view the contents of a compressed JPEG image.
SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007 3
TABLE IV
M ETADATA TAGS USED IN E XIF (JEITA CP-3451)
TIFF
Tags relating to image data structure
ImageWidth
ImageLength
BitsPerSample
Compression
PhotometricInterpretation
Orientation
SamplesPerPixel
PlanarConfiguration Fig. 1. fdisk example
YCbCrSubSampling
YCbCrPositioning
XResolution
YResolution necessary for ensuring that the evidence is not overwritten.
Tags relating to recording offset
StripOffsets
(Windows XP does have a registry key that can be added
RowsPerStrip for write blocking. This method of protection may work;
JPEGInterchangeFormat however, it is not recommended because the software write
JPEGInterchangeFormatLength
block is not initiated between the BIOS and the operating
Tags relating to image data characteristics
TransferFunction system.) A list of tested write blocking hardware can be
WhitePoint found on the Computer Forensic Tool Testing website, part of
PrimaryChromaticities the National Institute of Standards and Technology (NIST).
YCbCrCoefficients
ReferenceBlackWhite http://www.cftt.nist.gov/hardware write block.htm
Other Tags A less expensive technique is to utilize software write
DateTime block protection of an operating system that has control over
ImageDescription
Make the read and write functions of its devices. Linux allows
Model for such control. In fact, Guidance Software supports the
Software use of Linux software write block protection for acquiring
Artist
Copyright devices as described in its article How to Acquire a Drive
Safely found on its website http://www.guidancesoftware.
TABLE V com/support/articles/acquire safely.aspx.
M ETADATA TAGS USED IN E XIF (JEITA CP-3451) In its article, Guidance Software suggests the use of a non-
auto mount distribution of Linux. By attaching an external
GPS IFD
Tags Relating to GPS
device or card reader to the USB port, the device will not be
GPSVersionID automatically mounted. Read calls can be manually initiated to
GPSLatitudeRef the device without altering or adding additional information.
GPSLatitude
GPSLongitudeRef
Setting up a Linux forensic laptop or workstation can be
GPSLongitude laborious, yet rewarding. An easier and faster method is to use
GPSAltitude a bootable Linux CD that is customized for forensics analysis.
GPSTimeStamp
GPSSatellites
A forensic bootable Linux CD can be used on just about any
GPSStatus computer, allowing it to become a forensic laptop or work-
GPSMeasureMode station. A bootable Linux CD flavor that was recommended
GPSDOP
GPSSpeedRef
by the SANS Institute is Helix, http://www.e-fense.com/helix.
GPSTrackRef Helix is a bootable Linux CD that is customized for forensics
GPSTrackRef and incident response based on the Knoppix Live Linux CD.
GPSImgDirectionRef
GPSImgDirectionRef
2) Acquisition and Verification using Linux: Within Linux
there are a few programs that a forensic examiner should
GPSMapDatum become familiar with during the acquisition stage of an
GPSDestLatitudeRef
GPSDestLatitude
investigation: man, fdisk, mount, dd, and md5sum.
GPSDestLongitudeRef The command man is used to view manual pages, similar
GPSDestLongitude to a help file. If any questions arise about any of the com-
GPSDestBearingRef
GPSDestBearing
mands, type man fdisk, man mount, man dd, or man
GPSDestDistanceRef md5sum. To escape out of a man page, type q for quit.
GPSDestDistanceRef The command fdisk is a partition table manipulator for
GPSProcessingMethod
GPSAreaInformation
Linux. The program fdisk is used to identify the naming
GPSDateStamp convention of the suspect and target device.
GPSDifferential By typing fdisk -l, the program fdisk will display devices
with their associated partition tables as seen in figure 1. The
first SCSI device (small computer system interface) associated
with a Linux operating system is /dev/sda. Since a USB device
SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007 5
Fig. 4. dd example
#foremost -v -q -c ourfile.conf -o TEMPOUT media1.dls
Where:
consecutively. In some instances where a file is fragmented, the -v = verbose
next cluster in its cluster chain is written to the next available -q = quick (Searches for the header in the beginning of a
cluster or set of clusters. Thus, if the beginning or SOI of a sector. Most files start in the beginning of a sector; however
digital image file is found, the remaining clusters should be when searching a compressed file or a cache file, the header
relatively close. might not start at the beginning of a sector.)
Carving is a technique used to extract segment(s) of data -c = configuration file (this is a file that should be edited
within a larger body of data. Rules for carving are normally to search only what is desired. The default configuration file
based on the header and footer being the start and stop points is foremost.conf. The file foremost.conf has too many file
to carve the data segments. Rules also could be based on a structures to search for that might confuse results.)
header and a fixed length. There are many different carving -o = output directory
tools; however, this paper will discuss the open source tool
foremost, originally developed by the United States Air Force The default configuration file foremost.conf can be located
Office of Special Investigations and the Center for Information in the source directory of foremost, or it might have been
Systems Security Studies and Research. Current versions of copied to the /usr/local/etc/ directory during installation. The
foremost can be found at http://foremost.sourceforge.net. file foremost.conf is a good reference as it describes how to
Unallocated clusters are a large body of data that is a great write rules for foremost.
data set to examine. Forensic software programs should have Each foremost rule set is written on one line. Attributes of a
the ability to export the unallocated clusters to a file. Sticking foremost rule include the extension, the maximum size, header
with open source, a good tool to extract the unallocated and footer. A foremost rule that will carve out Exif image files
clusters from a partition is dls. The program dls is a tool that is:
can be found within Sleuth Kit and is maintained by Brian This rule described in figure 5 should be added to the
Carrier at http://www.sleuthkit.org. outfile.conf configuration file for the foremost example to work
For dls to work it has to read a partition file not a device The configuration rule in figure 5 uses 2,000,000 bytes as the
file. The tool mmls can be used to obtain the key information size, which is close to 2MB - a little larger than an Exif file
on how to extract a partition into a file. The program mmls should be. In the Exif header, \x is the representation for a
is another tool developed by Carrier and found within Sleuth hexadecimal character and ? is a wild card character. \?\? is
Kit. In the dd example from figure 2, the device is media.img. the two byte value that represents the length.
The tool mmls describes the file partition(s) within an image The foremost rule also has a footer. However, if we leave
file. Figure 3 describes the FAT16 partition within media.img the footer out, foremost will extract 2,000,000 bytes, or, if the
starts at sector 249 and has a length of 1983495 sectors. To footer is not found, foremost will extract 2,000,000 bytes.
extract the FAT16 partition using dd, options bs, skip, and The REVERSE value is necessary after the footer, as it
count should be used. implies to start looking for the footer value 2,000,000 bytes
In figure 4, the byte count for read and write process is in after the header and work backwards. The reason for using
chunks of 512 bytes (one sector). The copy process starts after REVERSE is the footer for both the Exif File and the
skipping 249 sectors (0-248) and the copy process occurs for Thumbnail is FF D9. If the REVERSE value was left out,
1983495 sectors. the carving tool would carve from the beginning of the Exif
Another method of extracting the FAT16 partition into header to the end of the thumbnail image (APP1 contains the
the media1.img file would have been to copy the first thumbnail, and APP1 is 64Kb or less).
partition out of the original DSC flash memory card Another method of extracting the entire Exif image would
/dev/sda1 found from the fdisk -l command in figure 1. be to leave the footer out. If the footer is left out, the foremost
The command dd if=/dev/sda1 of=media1.img img bs=512 carving tool will extract 2,000,000 bytes, a file larger than the
conv=noerror,notrunc,sync will create an identical file to the Exif image. The extra data will be ignored by an image viewer
one created from command in figure 4, possessing the same and will appear as normal.
md5 value. To only extract the thumbnail image, the foremost rule
SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007 7
Mr. Cohen has worked in the field of computer forensics since 1998. He is
qualified as a computer forensics expert by multiple courts, has been appointed
as a neutral computer forensics expert, and has given expert testimony in civil
cases involving billions of dollars.
Mr. Cohen obtained his Bachelors of Arts in economics at the University
of Colorado. He is a Certified Information Systems Security Professional
(CISSP), Certified Information Systems Auditor (CISA), Global Information
Assurance Certification (GIAC) Certified Intrusion Analyst (GCIA), GIAC
Certified Forensic Analyst (GCFA), and EnCase Certified Examiner (EnCE).