Chapter 08 Homework Answer Screen Resolution Guide Computer Forensics And

subject Authors Amelia Phillips, Bill Nelson, Christopher Steuart

Guide to Computer Forensics and Investigations, Fifth Edition 8-1
Chapter 8
Recovering Graphics Files
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Lecture Notes
Overview
Chapter 8 begins with an overview of computer graphics and data compression, and
then explains how to locate and recover graphics files based on information stored in
file headers. You learn to identify and reconstruct graphics file fragments, analyze
Chapter Objectives
Describe types of graphics file formats
Explain types of data compression
Explain how to locate and recover graphics files
Describe how to identify unknown file formats
Explain copyright issues with graphics
Teaching Tips
Recognizing a Graphics File
1. Define a graphics file as a file that contains digital photographs, line art, three-
2. Explain all three kinds of graphics files:
3. Discuss both types of programs to work with graphics files:
Understanding Bitmap and Raster Images
1. Explain the differences between bitmap images and raster images. Bitmap images store
2. Explain the different factors that can alter the quality of an image, including:
a. Screen resolution
b. Software
c. Number of color bits used per pixel
Understanding Vector Images
1. Explain the main characteristics of vector images:
a. Use lines instead of dots
2. Mention some of the software you can use with vector images.
Understanding Metafile Graphics
1. Describe how metafile graphics combine both raster and vector images. Metafile
graphics inherit advantages and disadvantages from both types.
Understanding Graphics File Formats
1. Describe some of the standard bitmap image file formats, including:
a. Portable Network Graphic (.png)
2. Describe some of the standard vector image file formats, including:
3. List nonstandard image file formats like:
a. Targa (.tga)
4. Describe how to search the Web for software to manipulate unknown image formats.
Understanding Digital Camera File Formats
2. Explain that raw file format, referred to as a digital negative, is typically found on many
3. Explain that the advantage of the raw format is that it maintains the best picture quality.
4. Define demosaicing as the process of converting raw picture data to another format.
5. Define Exchangeable Image File (Exif) format as a standard developed by Japan
6. Explain that since the Exif format collects metadata, investigators can learn more about
7. Mention that with tools such as ProDiscover and Exif Reader, you can extract metadata
as evidence for your case. Use Figure 8-4 to illustrate your explanation.
Understanding Data Compression
1. Mention that some image formats compress their data, including GIF and JPEG. Others,
2. Define data compression as the process of coding data from a larger to a smaller form.
Lossless and Lossy Compression
1. Explain to your students the main difference between lossless compression and lossy
compression. Lossless compression reduces file sizes by applying coding techniques to
redundant bits, without losing information. Lossy compression reduces file sizes by
discarding bits of information.
a. Lossless compression algorithms
2. Mention some of the graphic formats that use these types of compression:
a. Lossless compression
3. Mention to your students some data compression tools:
a. Lossless compression
i. WinZip
ii. PKZip
Locating and Recovering Graphics Files
1. Explain to your students how to use digital forensics tools to analyze image files. You
can use these tools to:
Identifying Graphics File Fragments
2. Computer forensics tools can be used to speed up this process.
Repairing Damaged Headers
Searching for and Carving Data from Unallocated Space
1. Explain the steps needed when carving an image file from slack or free space.
Rebuilding File Headers
1. Use Figures 8-12 through 8-16 to explain the main steps for rebuilding a damaged
image file header, including:
a. Recover more pieces of file if needed
b. Examine file header
Reconstructing File Fragments
1. Use Figures 8-17 through 8-20 to illustrate the major steps for reconstructing file
fragments, including:
a. Locate and export all clusters of the fragmented file
2. Explain that ProDiscover adds a .txt extension automatically on all copied clusters the
Recover Clusters function exports.
Quick Quiz 1
1. A graphics program creates and saves one of three types of image files: bitmap, vector,
or ____.
2. ____ is related to the density of pixels on your screen and depends on a combination of
hardware and software.
3. ____ compression compresses data by permanently discarding bits of information in the
file.
4. Another form of lossy compression, _____, uses complex algorithms to determine what
data to discard based on vectors in the graphics file.
5. Recovering file fragments is called carving, also known as ____ outside North America.
Identifying Unknown File Formats
1. Use the Internet as your main source for finding explanations and viewers for
uncommon or unknown image formats. Some of the most useful Web sites include:
a. www.google.com
Analyzing Graphics File Headers
1. Mention that you should analyze graphics file headers when you find files that your
tools do not recognize.
Tools for Viewing Images
2. Mention that most GUI forensics tools include image viewers that display only common
image formats, especially GIF and JPEG. For less common file formats integrated
Understanding Steganography in Graphics Files
1. Define steganography as the art of hiding information inside image files.
2. Explain and illustrate the use of both major steganography forms:
3. Explain that with insertion steganography, the hidden data is not displayed when
8-25 and 8-26 to illustrate your explanation.
Using Steganalysis Tools
1. Explain that steganalysis tools, also called steg tools, are used to find information
2. Discuss some of the benefits of using a steganalysis tool, including:
Understanding Copyright Issues with Graphics
1. Mention that steganography was originally developed to incorporate digital watermarks
3. There is no such thing as an international copyright law.
Quick Quiz 2
1. The simplest way to access a file header is to use a(n) ____ such as WinHex.
2. The first 3 bytes of an XIF file are the same as a ______, followed by other
hexadecimal values that distinguish it from a TIF file.
3. ____ uses a host file to cover the contents of a secret message.
4. The two major forms of steganography are insertion and ____.
5. A _____ can identify the file format from the file header and indicate whether the file
contains an image.
Class Discussion Topics
1. Lossless compression tools generally use either Huffman coding or Lempel-Ziv-Welch
(LZW) coding. Ask your students to discuss the advantages and disadvantages of each
method. If they were asked to develop a new data compression tool, what coding system
2. Ask your students to discuss whether steganography is a good solution for image and
Additional Projects
1. Assign each student a nonstandard image file format and ask him or her to
Additional Resources
1. Vector graphics:
2. Computer Graphics Metafile:
3. Exchangeable image file format:
4. Digital Rights Management Web sites:
5. Steganography Revealed:
Key Terms
bitmap images Collections of dots, or pixels, in a grid format that form a graphic.
carving The process of recovering file fragments that are scattered across a disk. See
displayed from right to left, so the rightmost bit is the LSB. OSs that read bits from
right to left are called “little endian.” OSs that display the LSB from left to right are
called “big endian.”
lossless compression A compression method in which no data is lost. With this type
of compression, a large file can be compressed to take up less space and then
converted to a bitmap image.
raw file format A file format typically found on higher-end digital cameras; the
camera performs no enhancement processing—hence the term “raw.” This format
maintains the best picture quality, but because it’s a proprietary format, not all image
