Chapter 08 Homework Answer Screen Resolution Guide Computer Forensics And

Guide to Computer Forensics and Investigations, Fifth Edition 8-1

Chapter 8

Recovering Graphics Files

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

Guide to Computer Forensics and Investigations, Fifth Edition 8-2

Lecture Notes

Overview

Chapter 8 begins with an overview of computer graphics and data compression, and

then explains how to locate and recover graphics files based on information stored in

file headers. You learn to identify and reconstruct graphics file fragments, analyze

Chapter Objectives

• Describe types of graphics file formats

• Explain types of data compression

• Explain how to locate and recover graphics files

• Describe how to identify unknown file formats

• Explain copyright issues with graphics

Teaching Tips

Recognizing a Graphics File

1. Define a graphics file as a file that contains digital photographs, line art, three-

2. Explain all three kinds of graphics files:

3. Discuss both types of programs to work with graphics files:

Understanding Bitmap and Raster Images

1. Explain the differences between bitmap images and raster images. Bitmap images store

2. Explain the different factors that can alter the quality of an image, including:

a. Screen resolution

b. Software

c. Number of color bits used per pixel

Understanding Vector Images

1. Explain the main characteristics of vector images:

a. Use lines instead of dots

2. Mention some of the software you can use with vector images.

Understanding Metafile Graphics

1. Describe how metafile graphics combine both raster and vector images. Metafile

graphics inherit advantages and disadvantages from both types.

Understanding Graphics File Formats

1. Describe some of the standard bitmap image file formats, including:

a. Portable Network Graphic (.png)

2. Describe some of the standard vector image file formats, including:

3. List nonstandard image file formats like:

a. Targa (.tga)

4. Describe how to search the Web for software to manipulate unknown image formats.

Understanding Digital Camera File Formats

2. Explain that raw file format, referred to as a digital negative, is typically found on many

3. Explain that the advantage of the raw format is that it maintains the best picture quality.

4. Define demosaicing as the process of converting raw picture data to another format.

5. Define Exchangeable Image File (Exif) format as a standard developed by Japan

6. Explain that since the Exif format collects metadata, investigators can learn more about

7. Mention that with tools such as ProDiscover and Exif Reader, you can extract metadata

as evidence for your case. Use Figure 8-4 to illustrate your explanation.

Understanding Data Compression

1. Mention that some image formats compress their data, including GIF and JPEG. Others,

2. Define data compression as the process of coding data from a larger to a smaller form.

Lossless and Lossy Compression

1. Explain to your students the main difference between lossless compression and lossy

compression. Lossless compression uses coding techniques for redundant bits for

reducing file sizes without losing information. Lossy compression reduces file sizes by

discarding bits of information.

a. Lossless compression algorithms

2. Mention some of the graphic formats that use these types of compression:

a. Lossless compression

3. Mention to your students some data compression tools:

a. Lossless compression

i. WinZip

ii. PKZip

Locating and Recovering Graphics Files

1. Explain to your students how to use digital forensics tools to analyze image files. You

can use these tools to:

Identifying Graphics File Fragments

2. Computer forensics tools can be used to speed up this process.

Guide to Computer Forensics and Investigations, Fifth Edition 8-6

Repairing Damaged Headers

Searching for and Carving Data from Unallocated Space

1. Explain the steps needed when carving an image file from slack or free space.

Rebuilding File Headers

1. Use Figures 8-12 through 8-16 to explain the main steps for rebuilding a damaged

image file header, including:

a. Recover more pieces of file if needed

b. Examine file header

Reconstructing File Fragments

1. Use Figures 8-17 through 8-20 to illustrate the major steps for reconstructing file

fragments, including:

a. Locate and export all clusters of the fragmented file

2. Explain that ProDiscover adds a .txt extension automatically on all copied clusters the

Recover Clusters function exports.

Quick Quiz 1

1. A graphics program creates and saves one of three types of image files: bitmap, vector,

or ____.

2. ____ is related to the density of pixels on your screen and depends on a combination of

hardware and software.

3. ____ compression compresses data by permanently discarding bits of information in the

file.

4. Another form of lossy compression, _____, uses complex algorithms to determine what

data to discard based on vectors in the graphics file.

5. Recovering file fragments is called carving, also known as ____ outside North America.

Identifying Unknown File Formats

1. Use the Internet as your main source for finding explanations and viewers for

uncommon or unknown image formats. Some of the most useful Web sites include:

a. www.google.com

Analyzing Graphics File Headers

1. Mention that you should analyze graphics file headers when you find files that your

tools do not recognize.

Tools for Viewing Images

2. Mention that most GUI forensics tools include image viewers that display only common

image formats, especially GIF and JPEG. For less common file formats integrated

Guide to Computer Forensics and Investigations, Fifth Edition 8-8

Understanding Steganography in Graphics Files

1. Define steganography as the art of hiding information inside image files.

2. Explain and illustrate the use of both major steganography forms:

3. Explain that with insertion steganography, the hidden data is not displayed when

8-25 and 8-26 to illustrate your explanation.

Using Steganalysis Tools

1. Explain that steganalysis tools, also called steg tools, are used to find information

2. Discuss some of the benefits of using a steganalysis tool, including:

Understanding Copyright Issues with Graphics

1. Mention that steganography was originally developed to incorporate digital watermarks

3. There is no such thing as an international copyright law.

Guide to Computer Forensics and Investigations, Fifth Edition 8-9

Quick Quiz 2

1. The simplest way to access a file header is to use a(n) ____ such as WinHex.

2. The first 3 bytes of an XIF file are the same as a ______, followed by other

hexadecimal values that distinguish it from a TIF file.

3. ____ uses a host file to cover the contents of a secret message.

4. The two major forms of steganography are insertion and ____.

5. A _____ can identify the file format from the file header and indicate whether the file

contains an image.

Class Discussion Topics

1. Lossless compression tools generally use either Huffman coding or Lempel-Ziv-Welch

(LZW) coding. Ask your students to discuss the advantages and disadvantages of each

method. If they were asked to develop a new data compression tool, what coding system

2. Ask your students to discuss whether steganography is a good solution for image and

Additional Projects

1. Assign each student with a nonstandard image file format and ask him or her to

Additional Resources

1. Vector graphics:

2. Computer Graphics Metafile:

Guide to Computer Forensics and Investigations, Fifth Edition 8-10

3. Exchangeable image file format:

4. Digital Right Management Web sites:

5. Steganography Revealed:

Key Terms

➢ bitmap images — Collections of dots, or pixels, in a grid format that form a graphic.

➢ carving — The process of recovering file fragments that are scattered across a disk. See

displayed from right to left, so the rightmost bit is the LSB. OSs that read bits from

right to left are called “little endian.” OSs that display the LSB from left to right are

called “big endian.”

➢ lossless compression — A compression method in which no data is lost. With this type

of compression, a large file can be compressed to take up less space and then

converted to a bitmap image.

➢ raw file format — A file format typically found on higher-end digital cameras; the

camera performs no enhancement processing—hence the term “raw.” This format

Guide to Computer Forensics and Investigations, Fifth Edition 8-11

maintains the best picture quality, but because it’s a proprietary format, not all image