Reasoning for Complex Data (RECOD) Lab., Institute of Computing, University of Campinas (Unicamp)
Av. Albert Einstein, 1251 - Cidade Universitária, CEP 13083-970, Campinas/SP, Brasil
Digital Forensics MO447 / MC919
* Painting by Rajib Roy, Case Investigation, 2012
Prof. Dr. Anderson Rocha, Microsoft Research Faculty Fellow, Affiliate Member, Brazilian Academy of Sciences, Reasoning for Complex Data (Recod) Lab., http://www.ic.unicamp.br/~rocha
. Auxiliary information is often considered unreliable.
04/12/2012 Forensic Analysis of Ordered Data Structures slide 2 of 11
Counterfeiting Auxiliary Information of JPEGs
• The JPEG standard defines a lossy compression scheme for natural scenes and the JPEG container format.
[Figure: JPEG compression pipeline and container]
source image (image parameters) → colour space conversion (optional) → sub-sampling (optional) → 8 × 8 block splitting → DCT transformation → quantisation → entropy encoding → JPEG data → JPEG container; the JPEG compression parameters steer the pipeline
+ metadata → metadata container
+ preview image(s) (preview parameters) → preview JPEG data → JPEG container
. Tools are available to forge auxiliary information.
• Some image processing software allows the original JPEG compression parameters to be reused after image manipulation (e.g., Gimp)
• Alternatively, cjpeg of libJPEG allows all compression parameters to be set
• Metadata can be preserved (e.g., Gimp), copied (Jhead) and altered (ExifTool)
• Preview images can be updated employing cjpeg and Jhead
. Are there other forensic characteristics in JPEG files?
04/12/2012 Forensic Analysis of Ordered Data Structures slide 3 of 11
Data Structures of JPEG Container Formats
marker id | short value | JIF | JFIF | EXIF | description
SOI       | 0xFF D8     | ✓   | ✓    | ✓    | start of image
APPn      | 0xFF En     |     |      |      | application data
APP0      | 0xFF E0     |     | ✓    |      | JFIF application data
APP1      | 0xFF E1     |     |      | ✓    | EXIF application data
DQT       | 0xFF DB     | ✓   | ✓    | ✓    | define quantisation tables
DHT       | 0xFF C4     | (✓) | ✓    | ✓    | define Huffman tables
SOF       | 0xFF Cn     | ✓   |      |      | start of frame
SOF       | 0xFF C0     |     | ✓    | ✓    | baseline DCT
SOS       | 0xFF DA     | ✓   | ✓    | ✓    | start of scan
DRI       | 0xFF DD     |     |      |      | define restart interval
RSTn      | 0xFF Dn     |     |      |      | nth restart
COM       | 0xFF FE     |     |      |      | comment
EOI       | 0xFF D9     | ✓   | ✓    | ✓    | end of image
(✓ = required by the format)
• Full-featured container format: JPEG Interchange Format (JIF)
• Subsets with lower complexity: JFIF and JPEG/EXIF
• Different types of information are stored in segments
• Each segment is identified by a short value (marker) at the beginning.
• Required markers to decompress an image successfully: SOI, DQT, DHT, SOF, SOS as well as the image data
• Format standards predefine only the position of SOI, SOS & EOI
04/12/2012 Forensic Analysis of Ordered Data Structures slide 4 of 11
Test Setup
. Customised JPEG format parser to extract all format-specific characteristics
• Employed images of the ‘Dresden Image Database’ capturing natural scenes (16,958 JPEGs including 44,041 JPEG containers) and JPEG scenes (1,851 JPEGs including 4,666 JPEG containers)
• Additionally, created post-processed images using common software packages
• Sequence and occurrence of marker segments differ between groups of models
• Most cameras store one quantisation table for intensity (Y) and one for colour information (Cb/Cr) (exceptions are, for example, Ricoh GX100 and Pentax W60)
04/12/2012 Forensic Analysis of Ordered Data Structures slide 6 of 11
Sequence of JPEG Data Structures: Image Processing Software
software / type of thumbnail: software → sequence of JPEG marker segments (selection)
PS CS2, CS3, CS4, E9 → SOI APP0(JFIF) APP1(EXIF) APP13(PS3) APP1(XMP) APP2(ICC) APP14(Adobe) DQT SOF0 DRI DHT SOS RSTn EOI
PS CS2, CS3, CS4, E9 → SOI APP0(JFIF) APP1(EXIF) APP13(PS3) APP1(XMP) APP2(ICC) APP14(Adobe) DQT SOF2 DHT SOS SOS SOS ...
Gimp (with original compression settings), Paint.Net → SOI APP0(JFIF) APP1(EXIF) APP2(ICC) DQT DQT SOF0 DHT DHT DHT DHT SOS EOI
Gimp → SOI APP0(JFIF) APP1(EXIF) COM DQT DQT SOF0 DHT DHT DHT DHT DRI SOS EOI
Gimp, IrfanView, Paint.Net → SOI APP0(JFIF) APP1(EXIF) DQT DQT SOF0 DHT DHT DHT DHT SOS EOI
Gimp, IrfanView → SOI APP0(JFIF) APP1(EXIF) DQT DQT SOF2 DHT DHT SOS DHT SOS DHT SOS ...
IrfanView → SOI APP0(JFIF) APP1(EXIF) DQT SOF0 DHT DHT SOS EOI
IrfanView → SOI APP0(JFIF) APP1(EXIF) DQT SOF2 DHT SOS DHT SOS DHT SOS DHT SOS ...
Gimp → SOI APP0(JFIF) COM DQT DQT SOF0 DHT DHT DHT DHT SOS EOI
PaintShop Pro 8.10 → SOI APP0(JFIF) COM SOF0 DQT DHT SOS EOI
PaintShop Pro 8.10, X3 → SOI APP0(JFIF) COM SOF2 DQT DHT DHT DHT SOS DHT SOS DHT SOS ...
cjpeg (libJPEG), Gimp, IrfanView / EXIF IFD1: Gimp → SOI APP0(JFIF) DQT DQT SOF0 DHT DHT DHT DHT SOS EOI
PaintShop Pro X3 → SOI APP0(JFIF) SOF3 DHT DHT DHT SOS EOI
PS CS5 → SOI APP1(EXIF) APP13(PS3) APP1(XMP) APP2(ICC) APP14(Adobe) DQT SOF0 DRI DHT SOS RSTn EOI
PS CS5 → SOI APP1(EXIF) APP13(PS3) APP1(XMP) APP2(ICC) APP14(Adobe) DQT SOF2 DHT SOS SOS SOS SOS ...
PaintShop Pro 8.10, X3 → SOI APP1(EXIF) SOF0 DQT DHT SOS EOI
APP13(PS3) & EXIF IFD1: PS CS2, CS3, CS4, E9 → SOI APP0(JFIF) APP13(ACM) APP14(Adobe) DQT SOF0 DRI DHT SOS RSTn EOI
APP13(PS3) & EXIF IFD1: PS CS5 → SOI APP13(ACM) APP14(Adobe) DQT SOF0 DRI DHT SOS RSTn EOI
EXIF IFD1: PaintShop Pro X3 → SOI SOF0 DQT DHT SOS EOI
• Image processing software employs different sequences of marker segments
• Gimp and cjpeg allow the original compression settings to be reused, but use different sequences of marker segments
04/12/2012 Forensic Analysis of Ordered Data Structures slide 7 of 11
Data Structures of EXIF Metadata
• Metadata stores acquisition parameters, time, coordinates, preview images, . . .
• EXIF metadata format is based on TIFF
entry (group): content
EXIF identifier: character string ‘Exif’
TIFF header: byte order (little- or big-endian), number 42, offset to 0th IFD
0th IFD (entries): entries of 0th IFD defining general image properties, like image dimension, and offsets to other IFDs: EXIF IFD, GPS IFD (optional), manufacturer non-standardised IFDs (optional) and 1st IFD storing the standard thumbnail
0th IFD (data): storage for data of 0th IFD greater than 32 bit
EXIF IFD (entries): entries of EXIF IFD including version, camera settings and manufacturer-specific maker notes
EXIF IFD (data): storage for data of EXIF IFD greater than 32 bit
GPS IFD (entries): entries specific to GPS IFD including GPS coordinates
GPS IFD (data): storage for data of GPS IFD greater than 32 bit
man. IFD (entries): entries specific to manufacturer non-standardised IFDs
man. IFD (data): storage for data of man. IFD greater than 32 bit
1st IFD (entries): entries specific to 1st IFD describing the thumbnail properties
1st IFD (data): storage for data of 1st IFD greater than 32 bit
thumbnail: thumbnail data with its own sequence of JPEG marker segments
04/12/2012 Forensic Analysis of Ordered Data Structures slide 8 of 11
Data Structures of EXIF Metadata
• Structure of standardised EXIF entries in 0th, Exif, GPS and 1st IFD:
byte:  1–2  | 3–4       | 5–8   | 9–12
field: tag  | data type | count | value or offset to IFD data
• Tag identifies the semantic meaning of the information stored within an entry (similar to JPEG markers).
• Standard suggests one or more types for each tag
• Count specifies the number of values
• Values are either stored directly, when all values together fit into 32 bit, or at an offset position within the corresponding data segment.
. Exif standard proposes to store the sequence of entries in accordance with their tag number.
. Sequence of data stored in the data segment is not standardised and differs between camera and software manufacturers.
04/12/2012 Forensic Analysis of Ordered Data Structures slide 9 of 11
Editing EXIF Metadata
• Selection of EXIF entries of Canon Ixus 70 before and after metadata editing:
• Sequence of EXIF entries (tags), data type and offset before the first preview image is equal for all images acquired with the same camera model
. Updating entries with ExifTool reorders values in the data segment
. Detecting manipulations of EXIF metadata is possible
04/12/2012 Forensic Analysis of Ordered Data Structures slide 10 of 11
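An added example, not part of the slides: a small Python parser for the TIFF-structured IFD described on slides 8 to 10. It reads the 12-byte entries, checks that tags are stored in ascending tag number (as the Exif standard proposes), and reports the order in which offset-stored values occur in the data segment, which is the characteristic that changes when a tool such as ExifTool rewrites entries. The two TIFF payloads are constructed inline with assumed tag values; a real check would compare the reported order against a reference from the same camera model.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # Exif/TIFF data type -> bytes per value

def build_tiff(entries, data_order, order="II"):
    """Construct a TIFF header plus one IFD (constructed test data, not a real camera dump).
    entries: [(tag, type, raw value bytes)] in IFD order; data_order: tags whose values
    exceed 4 bytes, in the order their data is laid out after the IFD (the free choice)."""
    e = "<" if order == "II" else ">"
    data_pos = 8 + 2 + 12 * len(entries) + 4            # header + count + entries + next-IFD link
    offsets, blob = {}, b""
    for tag in data_order:
        raw = next(v for t, _, v in entries if t == tag)
        offsets[tag] = data_pos + len(blob)
        blob += raw
    body = struct.pack(e + "H", len(entries))
    for tag, typ, raw in entries:
        field = raw.ljust(4, b"\0") if len(raw) <= 4 else struct.pack(e + "I", offsets[tag])
        body += struct.pack(e + "HHI", tag, typ, len(raw) // TYPE_SIZE[typ]) + field
    return order.encode() + struct.pack(e + "HI", 42, 8) + body + struct.pack(e + "I", 0) + blob

def parse_ifd(tiff):
    """Return [(tag, type, count, inline, value bytes or data offset)] for the 0th IFD."""
    e = "<" if tiff[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("not a TIFF header")
    (n,) = struct.unpack_from(e + "H", tiff, ifd_off)
    out = []
    for pos in range(ifd_off + 2, ifd_off + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, pos)
        inline = count * TYPE_SIZE.get(typ, 1) <= 4       # values that fit into the 4-byte field
        field = tiff[pos + 8:pos + 12] if inline else struct.unpack_from(e + "I", tiff, pos + 8)[0]
        out.append((tag, typ, count, inline, field))
    return out

def tags_ascending(entries):                               # the ordering the Exif standard proposes
    tags = [t for t, *_ in entries]
    return tags == sorted(tags)

def data_order(entries):
    """Tags of offset-stored entries in the order their data occurs in the data segment."""
    return [t for _, t in sorted((off, t) for t, _, _, inline, off in entries if not inline)]

# Constructed 0th IFD: Make, Model, Orientation (inline), XResolution, DateTime (assumed values)
ENTRIES = [(0x010F, 2, b"Canon\0"), (0x0110, 2, b"Ixus 70\0"), (0x0112, 3, b"\x01\x00"),
           (0x011A, 5, struct.pack("<II", 180, 1)), (0x0132, 2, b"2012:12:04 10:00:00\0")]
CAMERA = build_tiff(ENTRIES, [0x010F, 0x0110, 0x011A, 0x0132])   # data laid out in tag order
EDITED = build_tiff(ENTRIES, [0x0132, 0x010F, 0x0110, 0x011A])   # same entries, data rewritten
```

Both payloads pass the tag-order check and carry identical entries; only `data_order` tells them apart.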
Summary
• File format standards are boring to read, but we can use their complexity to distinguish between files acquired with different devices and files stored with processing software.
• Order and occurrence of data structures differ between implementations (e.g., JPEG files and EXIF metadata) and make auxiliary information more reliable than commonly accepted
• Simple characteristics of the JPEG container format for quick separation of authentic and manipulated images:
– Investigated digital cameras store natural images in JPEG/EXIF format. Characteristic start of file: [SOI, APP1, segment length, identifier ‘Exif’]
– Image processing software typically stores JPEG files in JFIF. Characteristic start of file: [SOI, APP0, segment length, identifier ‘JFIF’]
. Some image processing software adds software-specific segments, e.g., Photoshop APP13 & APP14 (thumbnail image, metadata in XMP format, ICC profile, . . . )
. Perfect forgeries are possible, but at the moment no software or combination of software is available that preserves all characteristics
04/12/2012 Forensic Analysis of Ordered Data Structures slide 11 of 11
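An added example, not part of the slides: a Python walk over the marker segments of a JPEG container, in the spirit of the customised parser mentioned in the test setup. It labels APPn segments by their identifier strings (the same labels the sequence table on slide 7 uses), skips entropy-coded data after SOS (stuffed FF00 bytes and RSTn restart markers) and applies the summary's quick check to the first two segments. The two containers are constructed inline with minimal placeholder payloads and are not real camera or software output.

```python
import re

APP_IDS = {  # (APPn number, identifier) -> label as used in the slides' marker sequences
    (0, b"JFIF\0"): "APP0(JFIF)", (1, b"Exif\0\0"): "APP1(EXIF)",
    (1, b"http://ns.adobe.com/xap/1.0/\0"): "APP1(XMP)", (2, b"ICC_PROFILE\0"): "APP2(ICC)",
    (13, b"Photoshop 3.0\0"): "APP13(PS3)", (14, b"Adobe"): "APP14(Adobe)"}
NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xC4: "DHT", 0xDB: "DQT", 0xDA: "SOS", 0xDD: "DRI", 0xFE: "COM"}
SCAN_END = re.compile(rb"\xff(?![\x00\xd0-\xd7])")      # first FF that is neither stuffing nor RSTn

def marker_name(code, payload):
    if 0xE0 <= code <= 0xEF:                             # APPn: distinguish by identifier string
        for (n, ident), label in APP_IDS.items():
            if code - 0xE0 == n and payload.startswith(ident):
                return label
        return "APP%d" % (code - 0xE0)
    if 0xC0 <= code <= 0xCF and code not in (0xC4, 0xC8, 0xCC):
        return "SOF%d" % (code - 0xC0)                   # SOF0 baseline, SOF2 progressive, ...
    return NAMES.get(code, "0xFF%02X" % code)

def marker_sequence(data):
    """Return the sequence of marker segments of a JPEG container, e.g. ['SOI', 'APP1(EXIF)', ...]."""
    seq, pos = [], 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        code = data[pos + 1]                             # SOI and EOI carry no length field
        length = 0 if code in (0xD8, 0xD9) else int.from_bytes(data[pos + 2:pos + 4], "big")
        seq.append(marker_name(code, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if code == 0xDA:                                 # SOS: skip entropy-coded data
            m = SCAN_END.search(data, pos)
            end = m.start() if m else len(data)
            if re.search(rb"\xff[\xd0-\xd7]", data[pos:end]):
                seq.append("RSTn")
            pos = end
    return seq

def classify_start(seq):  # the summary's quick check: the first two segments decide the container type
    return {("SOI", "APP1(EXIF)"): "JPEG/EXIF (camera-like)",
            ("SOI", "APP0(JFIF)"): "JFIF (software-like)"}.get(tuple(seq[:2]), "other")

def seg(code, payload):   # helper to construct a marker segment with its 2-byte length field
    return b"\xff" + bytes([code]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed containers with minimal placeholder payloads (not real camera or software output)
CAMERA = (b"\xff\xd8" + seg(0xE1, b"Exif\0\0II*\0") + seg(0xDB, b"\0" * 65) + seg(0xC0, b"\x08")
          + seg(0xC4, b"\0") + seg(0xDA, b"\x01") + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
SOFTWARE = (b"\xff\xd8" + seg(0xE0, b"JFIF\0\x01\x01") + seg(0xE1, b"Exif\0\0") + seg(0xDB, b"\0") * 2
            + seg(0xC0, b"\x08") + seg(0xC4, b"\0") * 4 + seg(0xDA, b"\x01") + b"\xff\xd9")
```

The SOFTWARE container reproduces the Gimp / IrfanView / Paint.Net row of the sequence table, so `marker_sequence` yields exactly that marker string.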
Faculty of Computer Science Institute of Systems Architecture – Privacy and Data Security
Forensic Analysis of Ordered Data Structures on the Example of JPEG Files