
CHAPTER 8 Recovering Graphics Files 352

Searching for and Recovering Digital Photograph Evidence

In this section, you learn how to use Autopsy for Windows to search for and extract (recover) possible evidence of JPEG files from the USB drive the EMTS manager gave you. The search string to use for this examination is “FIF.” Because it’s part of the label name of the JFIF JPEG format, you might have several false hits if the USB drive contains several other JPEG files. These false hits, referred to as false positives, require examining each search hit to verify whether it’s what you are looking for. In this activity, you see that Autopsy has an Exif parser.

To begin the examination, follow these steps to load the image file:

1. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, type C08InChp for the case name, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next. In the Additional Information window, type C08InChp for the case number, enter your name for the examiner, and then click Finish.

2. In the Add Data Source window, leave the default selection Disk Image or VM file in the Type of Data Source to Add section, and then click Next.

3. In the Select Data Source window, click the Browse button, navigate to your work folder, click C08InChp.dd, and click Open. Then click Next.

4. In the Configure Ingest Modules window, you can select what type of processing you want, such as a hash lookup or an Exif parser (see Figure 8-7). Leave the default selections, click Next, and then click Finish.

5. In the left pane of Autopsy’s main window, click to expand Extracted Content, if necessary, and then click EXIF Metadata. Examine the files displayed in the upper-right pane (see Figure 8-8). As you scroll through these files, notice that the hexadecimal codes haven’t been altered. (In the e-mail Tom Johnson sent, the JFIF code was supposedly altered.)

Note

Before starting this activity, create the C:\Work\Chap08\Chapter folder on your system (referred to as your “work folder” in steps). Then download the C08InChp.exe file in the downloads section for this chapter on the student companion site for this book. You should extract this file to your work folder.

68944_ch08_hr_339-376.indd 352 3/15/18 2:37 PM

Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations. Retrieved from http://ebookcentral.proquest.com Created from csuau on 2020-05-06 16:52:35.


Figure 8-7 Processing options in the Configure Ingest Modules window Source: www.sleuthkit.org

Figure 8-8 Parsing Exif metadata in Autopsy Source: www.sleuthkit.org


Figure 8-9 The results of searching for “fif” Source: www.sleuthkit.org

Note

In Figure 8-10, the header for this JPEG file has been overwritten with zzzz. This unique header information might give you additional search values that could minimize false-positive hits in subsequent searches.

6. Click the Keyword Search down arrow at the upper right. To verify that no other codes have been altered, you should check whether a change has been made to the FIF format. In the text box, type FIF (all uppercase letters), click the Exact Match option, and then click Search. There are no results. Next, type fif (all lowercase letters), click the Substring Search option, and then click Search. Your results should be similar to what’s shown in Figure 8-9.

7. To view the changes made to the file header, you need to see the hexadecimal code. To do this, click the Hex tab in the lower-right pane, if necessary, and scroll down through the files until you see “zzzz” in the file header, as shown in Figure 8-10. You should be viewing the gametour2.exe file.

8. Click the File Metadata tab to view the written, accessed, and created dates and times along with the sectors used by the file (see Figure 8-11).

9. In the search results, right-click the gametour2.exe file and click Extract File(s). In the Save As dialog box, navigate to your work folder, type Recover1.jpg for the filename, and then click Save. Autopsy then creates an Export subfolder of your work folder to store this file. In the confirmation message box, click OK, and then exit Autopsy.
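The triage that steps 6 and 7 do by hand (a substring search for “fif” followed by a look at the surrounding hex to separate real JFIF headers, overwritten headers, and false positives) can be scripted. This is an added example, not code from the textbook or from Autopsy; the sample image bytes are constructed here, and the verdict names are my own.

```python
import re

SOI_APP0 = b"\xff\xd8\xff\xe0"   # FF D8 FF E0: JPEG SOI marker followed by the APP0 marker
# In a JFIF file the label "JFIF" starts at offset 6, so the "FIF" hit lands at offset 7,
# seven bytes after the SOI marker and one byte after the "J".
HIT_TO_SOI = 7

def triage_fif_hits(data: bytes):
    """Return [(offset, verdict)] for every case-insensitive 'fif' hit in data.

    'jfif-header'    - FF D8 FF E0 precedes the hit by 7 bytes, 'J' precedes it by 1 byte,
                       and the NUL that terminates the "JFIF" identifier follows it.
    'altered-header' - the bytes after the hit still look like a JFIF APP0 segment
                       (NUL terminator, then major version 1) but the front is damaged,
                       e.g. overwritten with "zzzz" as in the gametour2.exe case.
    'false-positive' - 'fif' occurring in ordinary text or other data.
    """
    hits = []
    for m in re.finditer(rb"fif", data, re.IGNORECASE):
        p = m.start()
        front_ok = (p >= HIT_TO_SOI
                    and data[p - HIT_TO_SOI:p - HIT_TO_SOI + 4] == SOI_APP0
                    and data[p - 1:p] == b"J")
        tail_ok = data[p + 3:p + 5] == b"\x00\x01"   # "JFIF\0" then version major byte
        if front_ok and tail_ok:
            verdict = "jfif-header"
        elif tail_ok:
            verdict = "altered-header"
        else:
            verdict = "false-positive"
        hits.append((p, verdict))
    return hits

# Constructed sample "image": an intact JFIF header, a text false positive, and a header
# whose first four bytes and the "J" at offset 6 were overwritten with 0x7A ("z").
GOOD_JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
ALTERED_JFIF = b"zzzz\x00\x10zFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_IMAGE = (b"padding " + GOOD_JFIF + b"\x00" * 8
                + b"Price: fifty dollars" + b"\x00" * 8 + ALTERED_JFIF)

if __name__ == "__main__":
    for offset, verdict in triage_fif_hits(SAMPLE_IMAGE):
        print(f"offset {offset:6d}: {verdict}")
```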


Figure 8-10 The altered file header (callout: File header overwritten with zzzz) Source: www.sleuthkit.org

Figure 8-11 Viewing all sectors used by the gametour2.exe file Source: www.sleuthkit.org


The next section shows you how to rebuild header data from this recovered file by using WinHex, although any hexadecimal editor has the capability to examine and repair damaged file headers. From a digital forensics view, this procedure can be considered corrupting the evidence, but knowing how to reconstruct data, as in the preceding example, is part of an investigator’s job. When you change data as part of the recovery and analysis process, make sure you document each step as part of your reporting procedures. Your documentation should be detailed enough that other investigators could repeat the steps, which increases the credibility of your findings. When you’re rebuilding a corrupted evidence image file, create a new file and leave the original file in its initial corrupt condition.

Rebuilding File Headers

Before attempting to edit a graphics file you have recovered, try to open it with an image viewer, such as the default Microsoft tool. To test whether you can view the image, double-click the recovered file in its current location in File Explorer. If you can open and view the image, you have recovered the graphics file successfully. If the image isn’t displayed, you have to inspect and correct the header values manually.

If some of the data you recovered from the graphics file header is corrupt, you might need to recover more pieces of the file before you can view the image, as you’ll see in the next section. Because the deleted file you recovered in the previous activity, Recover1.jpg, was altered intentionally, you might see an error message similar to the one in Figure 8-12 when you attempt to open the file.

Figure 8-12 Error message indicating a damaged or an altered graphics file


If you can’t open a graphics file in an image viewer, the next step is to examine the file’s header data to see whether it matches the header in a good JPEG file. If the header doesn’t match, you must insert the correct hexadecimal values manually with a hexadecimal editor. To inspect a file with WinHex, follow these steps:

1. Start WinHex, and click File, Open from the menu. Navigate to your work folder, and then double-click Recover1.jpg. If necessary, click OK. Figure 8-13 shows this file open in WinHex.

Figure 8-13 Recover1.jpg open in WinHex (callouts: Offset position 0, Offset position 6) Source: X-Ways AG, www.x-ways.net

2. At the top of the WinHex window, notice that the hexadecimal values starting at the first byte position (offset 0) are 7A 7A 7A 7A, and the sixth position (offset 6) is also 7A. Leave WinHex open for the next activity.

As mentioned, a standard JFIF JPEG file has a header value of FF D8 FF E0 from offset 0 and the label name JFIF starting at offset 6. Using WinHex, you can correct this file header manually by following these steps:

1. In the center pane, click to the left of the first 7A hexadecimal value. Then type FF D8 FF E0, which are the correct hexadecimal values for the first 4 bytes of a JPEG file.

2. In the right pane at offset 6, click the z, and then type J, as shown in Figure 8-14.


3. Click File, Save As from the menu. In the Save File As dialog box, navigate to your work folder, type Fixed1.jpg as the filename, and then click Save. If you’re using the demo version of WinHex, you get an error message because of the file size. Exit WinHex.

Figure 8-14 Inserting correct hexadecimal values for a JPEG file (callouts: Inserting FF D8 FF E0 starting at offset 0; After changing z to an uppercase J) Source: X-Ways AG, www.x-ways.net

Tip

In WinHex, when you type a keyboard character in the right pane, the corresponding hexadecimal value appears in the center pane. So, for example, when you type J in the right pane, the hexadecimal value 4A appears in the center pane.

Note

In WinHex Demo, you can save only up to 200 KB of data in a file.


Every two hexadecimal values you entered in the previous steps are equivalent to one ASCII character. For example, an uppercase “A” has the hexadecimal value 41, and a lowercase “a” has the hexadecimal value 61. Most disk editors have a reference chart for converting hexadecimal values to ASCII characters, such as in Figure 8-15.

Figure 8-15 ASCII equivalents of hexadecimal values (table axes: first hexadecimal number, second hexadecimal number)

After you repair a graphics file header, you can test the updated file by opening it in an image viewer, such as Windows Photo Viewer, IrfanView, ThumbsPlus, QuickView, or ACDSee. If the file displays the image, as shown in Figure 8-16, you have performed the recovery correctly.

Figure 8-16 Fixed1.jpg open in an image viewer

The process of repairing file headers isn’t limited to JPEG files. You can apply the same technique to any file you can determine the header value for, including Microsoft Word, Excel, and PowerPoint documents and other image formats. You need to know only the correct header format for the type of file you’re attempting to repair.
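The WinHex steps above (write FF D8 FF E0 at offset 0, change the z at offset 6 to J, save as a new file) and this paragraph’s generalization to any format with a known header can be carried out as one scripted procedure that compares a file against a signature table, writes the repaired copy to a new file, leaves the original untouched, and records each changed byte range with before-and-after hashes for the report. This is an added example, not code from the textbook or from X-Ways; the PNG and legacy Office (OLE2) signatures are well-known values added for generality, and the sample altered header is constructed.

```python
import hashlib
from pathlib import Path

# Known header layouts as (offset, expected bytes). JFIF is the case on the page; PNG and
# the OLE2 compound-document signature used by legacy .doc/.xls/.ppt are added here.
SIGNATURES = {
    "jpeg-jfif":   [(0, b"\xff\xd8\xff\xe0"), (6, b"JFIF")],
    "png":         [(0, b"\x89PNG\r\n\x1a\n")],
    "ole2-office": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],
}

def header_differences(data: bytes, kind: str):
    """Return [(offset, found, expected)] for every signature fragment that is wrong."""
    diffs = []
    for off, expected in SIGNATURES[kind]:
        found = bytes(data[off:off + len(expected)])
        if found != expected:
            diffs.append((off, found, expected))
    return diffs

def repair_header_bytes(data: bytes, kind: str):
    """Return (repaired bytes, change log). Only the signature bytes are rewritten."""
    fixed = bytearray(data)
    log = [f"source sha256={hashlib.sha256(data).hexdigest()}"]
    for off, found, expected in header_differences(fixed, kind):
        fixed[off:off + len(expected)] = expected
        log.append(f"offset {off}: {found.hex(' ').upper()} -> {expected.hex(' ').upper()}")
    log.append(f"repaired sha256={hashlib.sha256(fixed).hexdigest()}")
    return bytes(fixed), log

def repair_header(src: Path, dst: Path, kind: str):
    """Write the repaired copy to dst; src is read only, never modified."""
    fixed, log = repair_header_bytes(src.read_bytes(), kind)
    dst.write_bytes(fixed)
    return log

# Constructed stand-in for Recover1.jpg: 0x7A ("z") at offsets 0-3 and 6, as in Figure 8-13.
ALTERED = b"zzzz\x00\x10zFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for line in repair_header_bytes(ALTERED, "jpeg-jfif")[1]:
        print(line)
```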
