
Computer Forensics

Graphic Files & Encryption

By Richard Lentz
Graphic Files & Encryption
• Graphic files contain digital photographs, line art,
three-dimensional pictures, text data converted to
pictures, and scanned replicas of printed pictures
– Bitmap graphics: collection of dots formatted into a grid
– Vector graphics: based on mathematical instructions
– Metafile graphics: combination of bitmap and vector

• Most cases will involve some form of graphic file

2
Graphic Files & Encryption
• Standard bitmap file formats
– Portable Network Graphic (.png)
– Graphic Interchange Format (.gif)
– Joint Photographic Experts Group (.jpeg, .jpg)
– Tagged Image File Format (.tiff, .tif)
– Windows Bitmap (.bmp)
– High Efficiency Image File Format (.heic)
• Standard vector file formats
– Hewlett Packard Graphics Language (.hpgl)
– AutoCAD (.dxf)
– Scalable Vector Graphics (.svg)
• Nonstandard graphics file formats
– Targa (.tga)
– Raster Transfer Language (.rtl)
– Adobe Photoshop (.psd) and Illustrator (.ai)
– Freehand (.fh11)
– Paintbrush (.pcx)
• Search the Web for software to manipulate unknown image formats

3
Graphic Files & Encryption
Examining the raw picture file format
– Raw picture file format
• Referred to as a digital negative
• Typically found on many higher-end digital cameras
– Sensors in the digital camera simply record pixels on the
camera’s memory card
– Raw format maintains the best picture quality
– May require proprietary software for viewing

4
Graphic Files & Encryption
Carving Graphic Files
• File headers are unique byte sequences (usually written in hexadecimal)
used to identify the file’s type
• Forensic tools will automatically scan for these file
headers and can potentially carve out deleted files
• The process can also be done manually using a hex editor
– Knowledge needed to complete the process:
• File header
• End of file, identified by either
– File footer
– File size

5
Graphic Files & Encryption
Hexadecimal
• Base 16 numeral system used to represent binary data in
computing

• Binary is base 2

• Decimal is base 10

6
Binary Storage
• Each single binary piece of data is called a bit
– A bit can be the symbol 0 or 1 – nothing else
• The standard for binary storage is to store the bits in
sets of 8 values
– A set of 8 binary values is called a Byte
• A single Byte of binary data can represent the values
0 – 255
• Two hexadecimal digits can be used to represent a
Byte
– A single hexadecimal digit represents a nibble or 4 bits

Linux Operations and Administration 7


Graphic Files & Encryption
Hexadecimal
• Computing Notation: 0x
– Example: 0xDB9E = 56,222
• Each hexadecimal digit represents a nibble (4 bits)
– 0xF = 1111 = 15
• Pairs of hexadecimal digits are used to represent a
byte
– 0xFF = 11111111 = 255
– 0xAD = 10101101 = 173

8
Bit Weights – Binary to Decimal
• Any number base can be converted to its equivalent decimal value by
using the sum of the weights
• Each bit in the binary value has a given weight
– For example: 0101 1011

Position:  2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Weight:    128   64   32   16    8    4    2    1
Bit:         0    1    0    1    1    0    1    1

= (128*0)+(64*1)+(32*0)+(16*1)+(8*1)+(4*0)+(2*1)+(1*1)
= 0+64+0+16+8+0+2+1
= 91

9


Bit Weights
• Given a binary number 1010 the bit weights can be
applied to convert the number to decimal or hex
• Example (most significant bit on the left, least significant bit on the right):

Position:  2^3  2^2  2^1  2^0
Weight:      8    4    2    1
Bit:         1    0    1    0

(1*8) + (0*4) + (1*2) + (0*1) = 8 + 0 + 2 + 0 = 10 = 0xA

10
Hexadecimal to Decimal
• The sum of the weights can be used to convert hexadecimal to decimal as well
– However, we use 16 instead of 2 when calculating the weight for each position
– For example: 0xFFFF

Position:  16^3  16^2  16^1  16^0
Weight:   4,096   256    16     1
Digit:    F(15) F(15) F(15) F(15)

= (4,096*15)+(256*15)+(16*15)+(1*15)
= 61,440+3,840+240+15 = 65535

11


Weight of Digit Formula
• Weight = Digit * Base^Position
– Weight: The weight of the digit within the number
– Digit: The actual digit at that position
– Base: The base of the number system you're working in
• For example: 2 for binary, 10 for decimal, 16 for hexadecimal
– Position: The position of the digit, counted from the right
• For example: the rightmost digit is at position 0, the digit to its left is at position 1, and so on
• This conversion works for any base, including decimal. For example: 2401

Position:  10^3  10^2  10^1  10^0
Weight:    1000   100    10     1
Digit:        2     4     0     1

= (1000*2)+(100*4)+(10*0)+(1*1)
= 2000+400+0+1
= 2401

12


Graphic Files & Encryption
• What if the weights for each position were reversed?
– This would result in a different number
• The weight of a bit within a byte never changes, but the weight of a byte within a multi-byte value does!
• Example (least significant bit on the left, most significant bit on the right):

Position:  2^0  2^1  2^2  2^3
Weight:      1    2    4    8
Bit:         1    0    1    0

(1*1) + (0*2) + (1*4) + (0*8) = 1 + 0 + 4 + 0 = 5

13
Graphic Files & Encryption
Big Endian vs Little Endian
• Endianness refers to the way multi-byte data types are stored in memory
– Big Endian stores the byte with the highest weight first
– Little Endian stores the byte with the lowest weight first
• Example:
– A 32-bit int is an example of a multi-byte data type
• 0x0A0B0C0D = 168496141 = 1010000010110000110000001101 (binary, leading zeros omitted)

Position:  16^7  16^6  16^5  16^4  16^3  16^2  16^1  16^0
Digit:        0     A     0     B     0     C     0     D
           Most significant                  Least significant

14
Graphic Files & Encryption
Big Endian vs Little Endian
• Meaning when we read data from memory, we need to take endianness
into account
• Memory contents: 0A 0B 0C 0D (the value 0x0A0B0C0D stored Big Endian)

Position:               16^7  16^6  16^5  16^4  16^3  16^2  16^1  16^0
Read as Little Endian:     0     D     0     C     0     B     0     A  = 218893066
Read as Big Endian:        0     A     0     B     0     C     0     D  = 168496141
(Most significant digit on the left, least significant digit on the right)

15
Graphic Files & Encryption
Big Endian vs Little Endian
• Meaning when we read data from memory, we need to take endianness
into account
• Memory contents: 0D 0C 0B 0A (the value 0x0A0B0C0D stored Little Endian)

Position:               16^7  16^6  16^5  16^4  16^3  16^2  16^1  16^0
Read as Little Endian:     0     A     0     B     0     C     0     D  = 168496141
Read as Big Endian:        0     D     0     C     0     B     0     A  = 218893066
(Most significant digit on the left, least significant digit on the right)

16
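The sum-of-weights rule from slides 9 to 13 and the byte-order rule from slides 14 to 16, written out as a small Python module. This is an added example, not code from the deck; `from_base`, `to_base` and `read_int` are names chosen here, and the block generalizes the slides' worked cases to any base and to any field width (the memory bytes 0A 0B 0C 0D are the slides' own example):

```python
DIGITS = "0123456789ABCDEF"

def from_base(digits: str, base: int) -> int:
    """Sum-of-weights conversion from the slides: each digit contributes
    digit * base**position, with the rightmost digit at position 0.
    Spaces are ignored so '0101 1011' can be written as on the slide."""
    total = 0
    for position, ch in enumerate(reversed(digits.replace(" ", ""))):
        value = DIGITS.index(ch.upper())          # raises ValueError for non-hex characters
        if value >= base:
            raise ValueError(f"{ch!r} is not a valid digit in base {base}")
        total += value * base ** position
    return total

def to_base(value: int, base: int) -> str:
    """Inverse of from_base: repeated division by the base, lowest digit first."""
    if value == 0:
        return "0"
    out = ""
    while value:
        value, remainder = divmod(value, base)
        out = DIGITS[remainder] + out
    return out

def read_int(raw: bytes, byteorder: str) -> int:
    """Interpret a multi-byte field using byte weights of 256**position.
    Big endian: the first byte in memory carries the highest weight;
    little endian: the first byte carries the lowest weight."""
    ordered = raw if byteorder == "big" else raw[::-1]
    return from_base("".join(f"{b:02X}" for b in ordered), 16)

# Constructed memory contents, the four bytes from the slides: 0A 0B 0C 0D.
MEMORY = bytes([0x0A, 0x0B, 0x0C, 0x0D])

if __name__ == "__main__":
    print(from_base("0101 1011", 2), from_base("DB9E", 16), from_base("FFFF", 16))
    print(read_int(MEMORY, "big"), read_int(MEMORY, "little"))
```

`read_int` gives the same answers as Python's built-in `int.from_bytes`; it is spelled out here only to show that endianness is nothing more than the order in which the byte weights are assigned.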
Common File Headers & Footers

Extension  Header (Hex)                       Footer (Hex)
DOC        D0 CF 11 E0 A1 B1 1A E1            57 6F 72 64 2E 44 6F 63 75 6D 65 6E 74 2E
XLS        D0 CF 11 E0 A1 B1 1A E1            FE FF FF FF 00 00 00 00 00 00 00 00 57 00 6F 00 72 00 6B 00 62 00 6F 00 6F 00 6B 00
PPT        D0 CF 11 E0 A1 B1 1A E1            50 00 6F 00 77 00 65 00 72 00 50 00 6F 00 69 00 6E 00 74 00 20 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74
ZIP        50 4B 03 04 14                     50 4B 05 06 00
JPG        FF D8                              FF D9 (better to use a file size check)
GIF        47 49 46 38 39 61 4E 01 53 00 C4   21 00 00 3B 00
PDF        25 50 44 46 2D 31 2E               25 25 45 4F 46
PNG        89 50 4E 47                        49 45 4E 44 AE 42 60 82

Note that DOC, XLS and PPT share the same header; only the footer tells them apart.

17
File Carving Demo

18
Are all files stored contiguously?

19
Rebuilding File Headers

20
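A minimal header-to-footer carver over a constructed byte image, as an added example (not the deck's demo and not a forensic tool's code). It uses the PNG, PDF and JPG signatures from the table above, assumes files are stored contiguously (the question slide 19 raises), and treats a header with no footer in range as a fragment or false positive; `SIGNATURES`, `carve` and `SAMPLE_IMAGE` are names chosen here:

```python
# Header/footer pairs copied from the table above (PNG, PDF and JPG only).
SIGNATURES = {
    "png": (bytes.fromhex("89504E47"), bytes.fromhex("49454E44AE426082")),
    "pdf": (bytes.fromhex("255044462D312E"), bytes.fromhex("2525454F46")),
    "jpg": (bytes.fromhex("FFD8"), bytes.fromhex("FFD9")),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan a raw byte image for known headers and carve each hit out to the
    first matching footer, inclusive. Returns (ext, start, end) tuples.
    Assumes the file is stored contiguously; a header with no footer within
    max_size bytes is skipped as a false positive or a fragmented file."""
    found, pos = [], 0
    while pos < len(image):
        hit = None
        for ext, (header, _) in SIGNATURES.items():   # earliest header of any type wins
            start = image.find(header, pos)
            if start != -1 and (hit is None or start < hit[1]):
                hit = (ext, start)
        if hit is None:
            break
        ext, start = hit
        header, footer = SIGNATURES[ext]
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1                            # skip this header, keep scanning
            continue
        end += len(footer)
        found.append((ext, start, end))
        pos = end
    return found

# Constructed disk image: slack bytes around three small files. The bodies are
# placeholders, not valid image data; only the headers and footers are real.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"<png chunks>" + b"IEND\xaeB`\x82"
    + b"\xff" * 8
    + b"%PDF-1.7\n<pdf body>\n%%EOF"
    + b"\xff\xd8\xff\xe0<jfif>\xff\xd9"
    + b"\x00" * 5
)

def carved_files(image: bytes = SAMPLE_IMAGE) -> list:
    """Return (ext, bytes) for every file carved from the image."""
    return [(ext, image[s:e]) for ext, s, e in carve(image)]
```

The table's JPG caveat applies here too: FF D9 also terminates any JPEG embedded inside another JPEG (an Exif thumbnail, for instance), so a footer-only carve can stop early and a size check is the safer end-of-file test.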
Graphic Files & Encryption
Identifying Unknown File Formats
• Knowing the purpose of each format and how it
stores data is part of the investigation process
• The Internet is the best source
– Search engines
– Find explanations and viewers
• Popular Web sites
– FileFormat.info
– Extension Informer
– The Graphics File Formats Page

21
Graphic Files & Encryption
Examining Exif Data
– Exchangeable Image File (Exif) format
• Commonly used to store metadata in digital pictures such as JPGs & TIFs
– Exif format collects metadata
• Investigators can learn more about the type of digital device and the
environment in which photos were taken
• Camera model, creation date/time, location, etc.
– Viewing an Exif JPEG file’s metadata requires special
programs
• Exif Reader, IrfanView, or Magnet Forensics AXIOM
– Exif stores the metadata at the beginning of the file

22
EXIF Demo

23
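What a viewer such as those named above does under the hood, as an added example rather than any tool's code: the Exif block sits in an APP1 segment right after the JPEG start-of-image marker and wraps a TIFF structure whose first two bytes ("II" or "MM") declare the byte order of every field that follows. The block builds a constructed sample in both byte orders and reads the ASCII tags back; `build_exif_jpeg`, `read_exif_ascii` and the sample values are assumptions made here:

```python
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}

def build_exif_jpeg(byte_order: str, fields: dict) -> bytes:
    """Construct a minimal JPEG whose only content is an APP1/Exif segment
    (sample data for this demo, not a real camera file). byte_order is "<" for
    an Intel ("II", little endian) or ">" for a Motorola ("MM", big endian) TIFF header."""
    ifd_start = 8                                      # IFD0 right after the 8-byte TIFF header
    data_start = ifd_start + 2 + 12 * len(fields) + 4  # value area after the entries
    entries, blob = b"", b""
    for tag, text in sorted(fields.items()):
        value = text.encode("ascii") + b"\x00"         # type 2 = ASCII, NUL terminated
        entries += struct.pack(byte_order + "HHII", tag, 2, len(value), data_start + len(blob))
        blob += value
    tiff = (b"II" if byte_order == "<" else b"MM") + struct.pack(byte_order + "HI", 42, ifd_start)
    tiff += struct.pack(byte_order + "H", len(fields)) + entries + struct.pack(byte_order + "I", 0) + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def read_exif_ascii(jpeg: bytes) -> dict:
    """Parse the APP1 segment at the start of the file and return IFD0's ASCII
    tags, honouring the byte-order mark in the TIFF header."""
    if jpeg[:4] != b"\xff\xd8\xff\xe1" or jpeg[6:12] != b"Exif\x00\x00":
        raise ValueError("no Exif APP1 segment at the start of the file")
    seg_len = struct.unpack(">H", jpeg[4:6])[0]        # JPEG segment lengths are always big endian
    tiff = jpeg[12:4 + seg_len]
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        off = ifd + 2 + 12 * i
        tag, typ, n, value = struct.unpack(order + "HHII", tiff[off:off + 12])
        if typ != 2:
            continue                                   # only ASCII tags in this demo
        # values of 4 bytes or less are stored inline, longer ones at an offset
        raw = tiff[off + 8:off + 8 + n] if n <= 4 else tiff[value:value + n]
        found[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

# Constructed sample values; any resemblance to a real camera is incidental.
SAMPLE_FIELDS = {0x010F: "ExampleCam", 0x0110: "Model X1", 0x0132: "2024:01:02 03:04:05"}
```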
Graphic Files & Encryption
Steganography
• Steganography is a technique that conceals secret data within open data
• The first technique of steganography was developed
sometime around 440 BC in ancient Greece. The Greek ruler,
Histiaeus, sent secret messages by shaving a slave’s head,
tattooing a secret message onto the slave’s scalp, allowing the
hair to grow back and then sending the slave to deliver the
message. The message was retrieved by shaving the slave’s
head.

24
Graphic Files & Encryption
Steganography
• Two major forms:
– Insertion
• Hidden data is not displayed when viewing the host file in its
associated program
– You need to analyze the data structure carefully
• Example: Web page
– Substitution
• Replaces bits of the host file with other bits of data
• Usually changes the last two LSBs (least significant bits)
• Detected with steganalysis tools (a.k.a. steg tools)
• Example: Picture

25
Graphic Files & Encryption

26
Graphic Files & Encryption

27
Graphic Files & Encryption
Steganography – Substitution
Least Significant Bit (LSB)
• Utilizes the last bit, or least significant bit, to store data. The technique relies
on the fact that data is saved in binary form as 8-bit sets (bytes) or 16-bit
sets (words). The LSB is the right-most bit of the byte (8-bit set). The value of a byte is
determined by the position of the bits.
• Usually, the last two LSBs are changed

Original Pixel   Altered Pixel
1010 1010        1010 1001
1001 1101        1001 1110
1111 0000        1111 0011
0011 1111        0011 1100

28
Graphic Files & Encryption
Steganography
• Terms
– Payload – The information to be concealed
– Carrier – The signal, stream or file in which the payload is
concealed
– Channel – The type of medium used, such as a picture
file, audio file, streaming video or VoIP (Voice over IP)

29
Graphic Files & Encryption
Steganography
• LSB Example
– Full RGB (Red, Green, Blue) pictures are represented by
24-bit color encoding where each picture pixel is
made up of three 8-bit sets. Each color component
contains a value between 0-255.
– The combination of the three components represents the
actual color. By changing the lowest-order bit (LSB) of a color
component, the resulting change in value is insignificant.
– Thus, changing the LSB from 1 to 0 results in a net
change of only one.
30
Graphic Files & Encryption
Steganography
• LSB Example
– Since pictures contain millions of pixels, changing the LSB can allow the
concealment of data without any recognizable change to the original
picture.

31
Graphic Files & Encryption
Steganography Tools
• QuickStego
• Invisible Secrets
• MP3Stego
• Stealth Files 4
• Snow
• MSU StegoVideo

32
Graphic Files & Encryption
Steganography Analysis - Steganalysis
• Steganalysis is the process of analyzing a carrier for concealed
data. Analysis for a concealed payload is difficult.
• Duplicate files with different hash values are a sign of steganography
• Examination of Close-Color Pairs:
– Raw Quick Pair method – Frequency of close-color pairs analyzed. Too high could
indicate a concealed payload.
– Chi-Square method – Calculates the probabilities of theoretical frequencies versus
calculated frequencies of close-color pairs.
• Tools
– StegSecret – http://stegsecret.sourceforge.net
– StegSpy – http://www.spy-hunter/stegspydownload.htm

33
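The substitution scheme of slides 25, 28 and 30 and the chi-square idea of slide 33 in one runnable example (added here; not code from the deck or from the tools it lists). `embed_2lsb` reproduces the slide 28 table exactly (carrier bytes AA 9D F0 3F with payload byte 6C become A9 9E F3 3C), and `pair_chi_square` is a pairs-of-values statistic assumed here as a simplified form of the chi-square method: on a constructed carrier whose (2k, 2k+1) value pairs are unbalanced, embedding a random payload flattens the pairs and the statistic collapses:

```python
import random

def embed_2lsb(carrier: bytes, payload: bytes) -> bytes:
    """Substitution steganography from the slides: overwrite the two least
    significant bits of each carrier byte with the next two payload bits,
    most significant payload bits first. One payload byte uses four carrier bytes."""
    if len(payload) * 4 > len(carrier):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(carrier)
    for i, byte in enumerate(payload):
        for j in range(4):
            chunk = (byte >> (6 - 2 * j)) & 0b11
            out[4 * i + j] = (out[4 * i + j] & 0b11111100) | chunk
    return bytes(out)

def extract_2lsb(stego: bytes, length: int) -> bytes:
    """Reverse of embed_2lsb: reassemble `length` payload bytes from the 2 LSBs."""
    out = bytearray()
    for i in range(length):
        byte = 0
        for j in range(4):
            byte = (byte << 2) | (stego[4 * i + j] & 0b11)
        out.append(byte)
    return bytes(out)

def pair_chi_square(data: bytes) -> float:
    """Steganalysis statistic over pairs of values (2k, 2k+1). LSB substitution
    drives the two counts in each pair toward equality, so a statistic that is
    tiny for a large sample suggests a concealed payload, while untouched image
    data usually keeps the pairs unbalanced."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat

# Constructed carrier: 8000 pixel bytes biased toward even values so the
# (2k, 2k+1) pairs are unbalanced, plus a 2000-byte random payload.
_rng = random.Random(1)
CARRIER = bytes(_rng.randrange(0, 256, 2) if _rng.random() < 0.8 else _rng.randrange(256)
                for _ in range(8000))
PAYLOAD = bytes(_rng.randrange(256) for _ in range(2000))
STEGO = embed_2lsb(CARRIER, PAYLOAD)
```

No carrier byte moves by more than 3, which is why the change is invisible to the eye, and why the statistic rather than the picture is what gives the payload away.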
Graphic Files & Encryption
Encryption
• Cryptography – The study of writing secret messages or,
technically, the study of encryption and decryption.
Encryption obfuscates the real message so it can’t be
understood or easily deciphered.

34
Graphic Files & Encryption
Modern Encryption
• Symmetric Cryptography – Encryption that uses one key to
both encrypt and decrypt
– Substitution and Transposition
– Block Ciphers and Stream Ciphers
– Feistel Function
– Data Encryption Standard (DES)
– Triple DES (3DES)
– Advanced Encryption Standard (AES)
– Blowfish
– Serpent
– Skipjack

35
Graphic Files & Encryption
Modern Encryption
• Asymmetric Cryptography - Encryption that uses two keys
—one to encrypt and another to decrypt
– RSA
– Diffie-Hellman
– MQV
– Elliptic Curve
– DSA

36
Graphic Files & Encryption
Modern Encryption
Kerckhoffs’s Principle
• The security of the cryptographic algorithm depends only on
the secrecy of the key, not the algorithm itself. The converse
is ”security by obscurity”, where the algorithm is kept
secret as well.

37
Graphic Files & Encryption
Data Encryption Standard (DES) – Symmetric
• Oldest of modern symmetric ciphers
• Developed in the 1970s
• U.S. government standard in the 1990s
• Modified from the Lucifer cipher (designed by Feistel) by the NSA & IBM
• Data divided into 64-bit blocks
• Data manipulated by 16 separate rounds of encryption utilizing
substitutions, bit-shifting and logical operations using a 56-bit key
• Data then scrambled using a swapping algorithm
• Data is lastly transposed
• No longer considered secure due to the small key space (~72 quadrillion keys)

38
Graphic Files & Encryption
Advanced Encryption Standard (AES) – Symmetric
• Also known as the Rijndael block cipher
• Originally designated as the replacement for DES in 2001
• Designated as Federal Information Processing Standard 197 (FIPS 197)
• Three key sizes – 128, 192, 256 bits
• Block size is 128 bits
• Not based on the Feistel function
• Uses a substitution-permutation network operating on a 4 x 4 matrix of bytes,
known as the state
• NSA approved 256-bit AES for use with top secret data
• Secure for commercial applications

39
Graphic Files & Encryption
RSA
• Described publicly in 1977 by Ron Rivest, Adi Shamir and Leonard
Adleman of MIT. The initials of their surnames make the name “RSA”.
• Keys are created from two large, random primes, p and q, of
approximately equal size
• Public key, e and n; private key, d and n, are generated using the
random primes, p and q
• Encrypt with public, decrypt with private
• Factoring the public modulus n would reveal the private key. However, the
product of two very large primes is extremely difficult to factor.
• There is no known efficient algorithm to factor such large numbers

40
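The key relationship the slide describes, as an added textbook example (not the deck's material and not a production implementation): keys derived from p and q, encrypt with (e, n), decrypt with (d, n), and the last bullets in code, showing that whoever factors n gets d. The toy primes 61 and 53 and the function names are chosen here; trial division only works because n is tiny:

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from the slide: two primes p and q give the
    modulus n; the public key is (e, n) and the private key is (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1)(q - 1)")
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(message: int, public_key) -> int:
    """Encrypt with the public key: c = m^e mod n (m must be smaller than n)."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)

def rsa_decrypt(ciphertext: int, private_key) -> int:
    """Decrypt with the private key: m = c^d mod n."""
    d, n = private_key
    return pow(ciphertext, d, n)

def private_key_by_factoring(public_key):
    """The slide's last bullets in code: anyone who can factor n recovers d.
    Trial division only finishes for toy moduli like the one below; real keys
    use 2048-bit n, for which no efficient factoring algorithm is known."""
    e, n = public_key
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n

# Constructed toy primes, far too small for real use.
TOY_PUBLIC, TOY_PRIVATE = rsa_keygen(61, 53)
```

Real deployments never encrypt raw integers like this; they add padding (OAEP) and use the primitive only to wrap symmetric keys, but the dependence of d on the factorization of n is exactly as shown.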
Graphic Files & Encryption
Breaking Encryption
• Cryptanalysis is the technique, other than brute force, to attempt to
uncover a key to the encrypted data. This is also known as knowledge-based
code breaking. The process is tedious and generally very time
consuming. There is no guarantee the attempt will work.
• Techniques
– Frequency analysis
• Certain letters of the alphabet appear more frequently. Key can be
derived from compared frequencies in ciphertext.
– Kasiski examination
• Used to deduce key length in polyalphabetic substitution ciphers.
Ciphertext lined up in the number of columns related to the key length.
Frequency analysis then applied.

41
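Frequency analysis as the slide describes it, run against a constructed shift-cipher message (an added example, not part of the deck). The block assumes the most frequent ciphertext letter stands for E, the most common English letter, and derives the shift from the distance between them; the sample text and the function names are chosen here:

```python
from collections import Counter
import string

def caesar_shift(text: str, shift: int) -> str:
    """Monoalphabetic shift of the letters A-Z; other characters are kept as-is.
    A negative shift undoes a positive one."""
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter A-Z in the text (letters only)."""
    letters = [c for c in text.upper() if c in string.ascii_uppercase]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: counts[c] / total for c in string.ascii_uppercase}

def recover_shift(ciphertext: str) -> int:
    """Frequency analysis from the slide: the most frequent ciphertext letter is
    assumed to be E, so the shift is its distance from E."""
    freqs = letter_frequencies(ciphertext)
    top = max(freqs, key=freqs.get)
    return (ord(top) - ord("E")) % 26

def break_shift(ciphertext: str) -> tuple:
    """Return (recovered shift, recovered plaintext)."""
    shift = recover_shift(ciphertext)
    return shift, caesar_shift(ciphertext, -shift)

# Constructed sample: English text in which E is clearly the most common letter.
PLAINTEXT = "MEET ME NEAR THE GREEN TREE BESIDE THE RIVER BEFORE SEVEN AND LEAVE THE EVIDENCE THERE"
CIPHERTEXT = caesar_shift(PLAINTEXT, 7)
```

The single-letter rule works because the sample is long and E-heavy; on short messages the top letter is often not E, which is why practical tools score every candidate shift against the full English frequency table instead.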
Graphic Files & Encryption
Breaking Encryption
• Techniques, continued
– Known plaintext attack
• Set of known plaintext and corresponding ciphertext are used to deduce the key
– Chosen plaintext attack
• Set of chosen plaintext and their corresponding ciphertext are used to ascertain
information about the key
– Ciphertext-only attack
• Samples of ciphertext are used to deduce the plaintext or key by understanding
the redundancy assumptions of the plaintext
– Related-key attack
• Attempt to derive key from the relationship of several keys used for encryption by
knowing the encryption functions of the related keys

42
Graphic Files & Encryption
Breaking Encryption
• Cracking passwords and encrypted data
– Social engineering
• Acquisition of keys and/or passwords through social interaction or non-
technical means (dumpster diving).
– Rainbow tables
• Pre-calculated hashes of all passwords available within a certain keyspace
and/or character set(s). Acquired hash of password is compared to
known, calculated hashes to find the associated password.
– Brute-force
• Various combinations of passwords and/or usernames are applied to
locked target or ciphertext in an effort to gain access or crack code. It is
systematic guessing.

43
