Nurul Azma Abdullah, Rosziati Ibrahim, Kamaruddin Malik Mohamad
Faculty of Computer Science & Information Technology, UTHM, Malaysia.
DOI: 10.4236/jsea.2013.63B014   PDF    HTML     4,696 Downloads   7,495 Views   Citations

Abstract

Images (typically JPEG) are used as evidence against cyber perpetrators. Typically the file is carved using standard patterns. Many concentrate on carving JPEG files and overlook the important of thumbnail in assisting forensic investigation. However, a new unique pattern is used to detect thumbnail/s and embedded JPEG file. This paper is to introduce a tool call PattrecCarv to recognize thumbnail/s or embedded JPEG files using unique hex patterns (UHP). A tool called PattrecCarv is developed to automatically carve thumbnail/s and embedded JPEG files using DFRWS 2006 and DFRWS 2007 datasets. The tool successfully recovers 11.5% more thumbnails and embedded JPEG files than PredClus.

Keywords

Component; JPEG Image; Pattern Matching; File Carving; DFRWS 2006/07; Thumbnail

Share and Cite:

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1]	S. L. Garfinkel, “Digital forensic research: the next 10 years,” Digital Investigation, 7(1), 2010, S64-S73.
[2]	A. Pal and N. Memon, “Automated reas-sembly of the file fragmented images using greedy algo-rithms,” IEEE Trans. Image Processing, 15(2), 2003, 385-393.
[3]	M. Karresand and N. Shahmehri, “Reas-sembly of fragmented jpeg images containing restart markers,” in 2008 European conference on computer network defense.
[4]	M. I. Cohen, “ Advanced carving techniques,” Digital Investigation, 4(1-4), 2007, pp. 119-128
[5]	The International Telegraph and Tele-phone Consultative Committee (CCITT) 1992 “Information technology—digital compression and coding of continuous-tone still images–requirements and guideline (ITU-T T.81),” 1992. Retrieved Sept. 5, 2012, from World Wide Web Consortium (W3C): http://www.w3.org/Graphics/JPEG/itu-t81.pdf
[6]	K. M. Mohamad, and M. Mat Deris, “Visualization of JPEG metadata,” in: Proceeding. of the 2009 first Inter-national Visual Informatics Conference on Visual Informatics.
[7]	E. Hamilton, “JPEG file interchange file format version 1.02.” Retrieved Sept. 5, 2012 from JPEG Committee Homepage: http://www.jpeg.org/public/jfif.pdf
[8]	P. Alvarez, “ Using extended file information (exif) file headers in digital evidence analysis,” International Journal of Digital Evidence. 2(3), 2004.
[9]	H. Guo and M. Xu, “A method for recovering jpeg files based on thumbnail,” in: Automation and Systems Engineering (CASE) 2011 International Conference.1-4.
[10]	Thumbnail. Retrieved Sept 5, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Thumbnail.
[11]	A. Merola, “Data carving concepts,” 2008. Retrieved Sept. 5, 2012,
[12]	from SANS Institute: http://www.sans.org/reading_room/whitepapers/forensics/datacarving-concepts_32969Y.
[13]	K. M. Mohamad, A. Patel and M. Mat Deris, “Carving JPEG images and thumbnails using image pattern matching,” in 2011 IEEE Symposium on Computers and Informatics.
[14]	K. M. Mohamad, A.Patel, T. Herawan and M. Mat Deris, “myKarve: JPEG image and thumbnail carver,” Journal of Digital Forensic Practice. 3, 2011, 74-97.
[15]	K. Cohen, “Digital still camera forensics. Small Scale Digi-tal Device Forensics,” 1(1), 2007, 1-8.
[16]	N.A. Ab-dullah, R. Ibrahim,and K.M. Mohamad,”Cluster size determination using JPEG files,” in Proceedings of the 12th international conference on Computational Science and Its Applications.
[17]	K.M. Mohamad, T.Herawan and M. Mat Deris, “Dual-byte-marker algorithm for detecting JFIF header.,”in Bandyopadyay, S. M., Adi, W., Kim, T. & Xiao, Y. (eds.) Information Security and Assuranc,. 17-26, 2010,Springer,Heidelber.