image forensics

8/4/2019 Image Forensics

http://slidepdf.com/reader/full/image-forensics 1/22



1. Never change the content of evidence storageneither intentionally nor unintentionally

2. The result of cloning must be same as the sourcephysically through sector per sector

3. The examination must be conducted by authorizedand professional examiner

4. Every process of examination must be recorded foraudit

5. The handling of evidence must refer to the Chain ofCustody

Created by M. Nuh Al-Azhar, CHFI



• Pixel is a single point in a graphic image. Numbers of pixel combinetogether to form an image

• Resolution refers to the sharpness and clarity of an image

• Images can be broadly categorized into :

• Vector

• Image

• Vector graphics use geometrical primitives such as points, lines,curves, and polygons which are all based upon mathematicalequations to represent images in computer

• Moving, scaling, rotating, filling, zooming and so on does notdegrade the quality of a drawing

• Raster image is a data file or structure representing a generallyrectangular grid of pixels or points of color

• Quality is determined by the total number of pixels and theamount of information in each pixel

• Quality is lost if scaled to a higher resolution




• Graphics Interchange Format (GIF)

• Joint Photographic Experts Group (JPEG)

• Tagged Image File Format (TIFF)

• Windows Bitmap (BMP)

• JPEG 2000

• Portable Network Graphics (PNG)




• Can be accessed by Image File Metadata Viewer such asOpanda IEXIF, FTK and so on

• Generally consisting of Image, Camera and Thumbnail Info

• Image

• Make, Model, Orientation, X Resolution, Y Resolution,Resolution Unit, Software, Date Time, YCbCr Positioning,EXIF IFD Pointer

• Camera

• Exif Version, Components Configurations, FlashpixVersion, Color Space, Exif Image Width, Exif Image Height

• Thumbnail Info• Compression, X Resolution, Y Resolution, Resolution

Unit, JPEG Interchange Format, JPEG Interchange FormatLength





• Image

• Orientation, X Resolution, Y Resolution, Resolution Unit,Software, Date Time, YCbCr Positioning, EXIF IFDPointer

• Camera

• Exif Version, Components Configurations, FlashpixVersion, Color Space, Exif Image Width, Exif Image Height

• Thumbnail Info

• Compression, X Resolution, Y Resolution, ResolutionUnit, JPEG Interchange Format, JPEG Interchange Format

Length

(The red color words show a differences and inconsistenciesbetween them)




• Checking the metadata of image : X Resolution, Y

Resolution, Software, Date Time

• Checking the metadata of Thumbnail Info : X Resolution, YResolution,

• If there are differences between those metadata on XResolution and Y Resolution, it means that the image is editedimage

• This is usually supported by the information about Software andDate Time which are used to edit the image




• Analyze generally the image between Original and Edited

• Analyze particularly on the suspicious location which had beenedited or the location which there is a difference betweenOriginal and Edited image

• Use pixel zooming to see the color degradation which isinappropriate and unnatural

• For pixel zooming, use the Image Forensics Tool such asPhotoZoom Pro

• If there are some inappropriate and unnatural colordegradations, it means the image is not original



• Examination to the image under Image Forensics is conducted byusing a combination of methods of Metadata and Pixel Analysis

• The examination is performed by at least 2 examiners

• The tools for examination are Image Forensics Tools such as OpandaIEXIF and PhotoZoom Pro

• If there is inconsistency about the metadata of Image and ThumbnailInfo on X Resolution and Y Resolution, it means the image is result ofediting process

• This is usually supported by the info about Software and Date Timewhen the process is conducted

• If there is any color degradation which is inappropriate and unnaturalafter pixel zooming, it means that the image is not original




• Computer Hacking Forensic Investigator (CHFI) Version 3Module 16, EC-Council


image forensics

Documents