Guide to Computer Forensics and Investigations, 5th Edition,
Ch. 8 Solutions-1
Chapter 8 Solutions
Review Questions
1. Graphics files stored on a computer cant be recovered after they are deleted. True or
False?
2. When you carve a graphics file, recovering the image depends on which of the
following skills?
3. Explain how to identify an unknown graphics file format that your digital forensics
tool doesn’t recognize.
4. What type of compression uses an algorithm that allows viewing the graphics file
without losing any portion of the data?
5. When investigating graphics files, you should convert them into one standard format.
True or False?
6. Digital pictures use data compression to accomplish which of the following goals?
(Choose all that apply.)
7. The process of converting raw images to another format is called which of the
following?
8. In JPEG files, what’s the starting offset position for the JFIF label?
9. Each type of graphics file has a unique header containing information that
distinguishes it from other types of graphics files. True or False?
10. Copyright laws dont apply to Web sites. True or False?
11. When viewing a file header, you need to include hexadecimal information to view
the image. True or False?
12. When recovering a file with ProDiscover, your first objective is to recover cluster
values. True or False?
Guide to Computer Forensics and Investigations, 5th Edition,
Ch. 8 Solutions-2
13. Bitmap (.bmp) files use which of the following types of compression?
14. A JPEG file uses which type of compression?
15. Only one file format can compress graphics files. True or False?
16. A JPEG file is an example of a vector graphic. True or False?
17. Which of the following is true about JPEG and TIF files?
18. What methods do steganography programs use to hide data in graphics files?
19. Some clues left on a drive that might indicate steganography include which of the
following? (Choose all that apply.)
20. What methods are used for digital watermarking?
Hands-On Projects
Hands-On Project 8-1
Students should find nine .jpeg files with altered extensions that have the JFIF label in various
Hands-On Project 8-2
In this project, students practice carving data from a USB drive. This image file is filled with
many false-positive hits to challenge students in locating evidence. Students should locate these
seven files with altered extensions:
åICT0037.JPG (deleted file that wasn’t overwritten)
gametour1.txt
Guide to Computer Forensics and Investigations, 5th Edition,
Ch. 8 Solutions-3
gametour4.txt
Note: Extra credit projects using the image file can be assigned, as in these examples:
Have students use a hex editor to rebuild each recovered file with the correct JPEG
header value.
Hands-On Project 8-3
The purpose of this project is to give students practice in seeing changes that result when a
graphics file is changed from one file format to another. The intent is to get students accustomed
to see what graphics file data looks like in its raw form.
Hands-On Project 8-4
Students get an opportunity to see how hidden data is added to a steganography file.
Hands-On Project 8-5
This project shows students how to compare a known nonsteganograhy file with a duplicated
Case Projects
Case Project 8-1
Students should produce a list of steganographic tools similar to the following example.
Encourage students to add features as they see fit.
Tool
Vendor Web Site
Cost
Formats
Secret Layer Pro
www.steganographypro.com
$34.50
PNG
Stego PNG
www.hermetic.ch/stpng/stpng.htm
Free
PNG, JPEG
SilentEye
www.silenteye.org
Free
BMP, JPEG
Guide to Computer Forensics and Investigations, 5th Edition,
Ch. 8 Solutions-4
wbStego4
http://wbstego.wbailer.com
Free
Any text file
HTML
Case Project 8-2
For this project, students need to do their own research to find answers and develop the problem-
Case Project 8-3
Students should discover that the .xde extension is a Tgif-3.0 file used by the RedHat Linux