X_myKarve: Non-Contiguous JPEG File Carver


Nurul Azma Abdullah (Universiti Tun Hussein Onn Malaysia, Batu Pahat, Malaysia)
Copyright: © 2016 | Pages: 22
DOI: 10.4018/IJDCF.2016070105

Abstract

Many studies have addressed the problem of fragmented JPEG files. However, carving fragmented JPEG files is not easy because of the complexity of determining the fragmentation point. In this article, the X_myKarve framework is introduced to address the fragmentation issues that occur in JPEG images. X_myKarve introduces a new technique, deletion by binary search, to detect the fragmentation point, which is used to separate a file into several individual fragments. These fragments are then reassembled with their correct pairs to form a complete and correct image. X_myKarve is tested using various datasets, namely DFRWS 2006 and DFRWS 2007. The results show that X_myKarve is capable of carving over 20% more than myKarve and RevIt for the DFRWS 2006 datasets, where X_myKarve can carve intertwined fragmented JPEG images completely compared to myKarve and RevIt. X_myKarve is a good alternative for carving fragmented JPEG files intertwined with each other.
Article Preview

Introduction

Computer forensics aims to recover evidence that resides on a computer, for instance to solve pornography cases (Garfinkel, 2010; Pal and Memon, 2003; Karresand and Shahmehri, 2008). This involves image files obtained from the perpetrator in formats such as Bitmap and JPEG, of which JPEG is the most common. JPEG is popular because its compression reduces the size required to store an image. The Joint Photographic Experts Group (JPEG) was formed by the International Telegraph and Telephone Consultative Committee in 1986, inspired by an effort of the International Organization of Standard (ISO) to find ways to use high-resolution graphics and pictures in computers (Cohen, 2007). JPEG introduced a compression standard for both grayscale and color continuous-tone images. The details of the JPEG compressed data formats can be found in (CCITT, 1992). Two types of JPEG are mostly used today: JPEG File Interchange Format (JFIF) and JPEG Exchangeable Image File Format (Exif) (Bettelli, 2006). JFIF is popular for files on the internet, while Exif is the popular image file format used by digital cameras (Alvarez, 2004).

A file on a target disk, including a JPEG file, can be in one of two states: contiguous or fragmented. Although files are normally stored contiguously, fragmentation does occur under certain conditions, as described in (Garfinkel, 2007; Sencar and Memon, 2009). The conditions are as follows:

  1. No contiguous sectors are available to hold the whole file.

  2. Appended data cannot be written at the end of the original file's cluster, so it is appended non-contiguously in another cluster at another location.

  3. Certain file systems do not support writing files of a certain size into contiguous sectors. For example, the Unix file system will fragment a file that does not fit into an even number of sectors.

Mohamad and Mat Deris (2009) pointed out the importance of focusing on the fragmentation problem, especially within the DHT (Define Huffman Table) area, because any damage in the DHT can cause image distortion or, worse, corruption. Nevertheless, image distortion can be used to identify the fragmentation point, unlike fragmentation in other areas, which leaves the image unviewable and is hard to trace.

A file can be fragmented with another file of the same type, a different type, or random data. Fragmentation can be either linear or nonlinear. According to Kloet (2007), linear fragmentation occurs when a file has been split into multiple parts and all parts are present in the dataset in their original order, while nonlinear fragmentation occurs when the parts are not in their original order or are in reverse order.

Joachim Metz, Bas Kloet and Robert-Jan Mora developed Revit07 to handle linearly fragmented files, including JPEG. However, they handle thumbnails the same way as the parent. As a result, a thumbnail may be assumed to be a fragmentation point, which may lead to falsely detected fragmentation points. myKarve, on the other hand, identifies thumbnails separately but concentrates on Exif thumbnails, whose markers are distinct from those of the parent (the original JPEG file), while JFIF thumbnails are identified as the parent. Hence, additional markers are required to distinguish JFIF thumbnails from their parents. Besides that, neither RevIt nor myKarve addresses scenarios where JPEG images are intertwined with each other. Revit does highlight a scenario where a JPEG image is intertwined with another complete JPEG image, but it fails to recover intertwined JPEG files when both files are fragmented. Therefore, a technique is required to identify the fragmentation points of these fragments before reconstructing them into two complete JPEG files.
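The thumbnail problem described above, shown as an added example that is not part of the article and is not code from X_myKarve, myKarve or Revit: pairing the first SOI with the first EOI ends the carve at the thumbnail's footer, while walking the parent's marker segments labels an SOI found inside an application (APPn) segment as a thumbnail. It assumes the thumbnail is embedded in an APPn segment of the parent; the function names and the sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def walk_header(buf, start):
    """From the SOI at `start`, walk segments to SOS: (APPn payload ranges, SOS offset)."""
    pos, app_ranges = start + 2, []
    while pos + 4 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        (length,) = struct.unpack(">H", buf[pos + 2:pos + 4])  # counts its own 2 bytes
        if marker == SOS:
            return app_ranges, pos
        if 0xE0 <= marker <= 0xEF:  # APP0..APP15 (assumed home of embedded thumbnails)
            app_ranges.append((pos + 4, pos + 2 + length))
        pos += 2 + length
    return app_ranges, None

def classify_soi(buf):
    """Label each SOI offset 'parent' or 'thumbnail' (inside a parent's APPn payload)."""
    labels, covered = {}, []
    pos = buf.find(SOI)
    while pos != -1:
        if any(b <= pos < e for b, e in covered):
            labels[pos] = "thumbnail"
        else:
            labels[pos] = "parent"
            covered.extend(walk_header(buf, pos)[0])
        pos = buf.find(SOI, pos + 2)
    return labels

def _eoi_after(buf, pos):
    end = buf.find(EOI, pos)
    return None if end == -1 else end + 2

def naive_end(buf, start):
    """End offset a plain header/footer carver picks: first EOI after the SOI."""
    return _eoi_after(buf, start + 2)

def structural_end(buf, start):
    """End offset from the first EOI after the parent's own SOS segment."""
    sos = walk_header(buf, start)[1]
    return None if sos is None else _eoi_after(buf, sos)

# Constructed sample (not a decodable image): a parent with an Exif thumbnail in APP1.
def seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

THUMB = SOI + seg(0xDB, b"\x00" * 4) + seg(SOS, b"\x00" * 3) + b"\x11\x22" + EOI
SAMPLE = (b"\x00" * 8 + SOI + seg(0xE1, b"Exif\x00\x00" + THUMB) + seg(0xDB, b"\x00" * 4)
          + seg(SOS, b"\x00" * 3) + b"\x33\x44\x55" + EOI + b"\x00" * 8)
```

On `SAMPLE`, `naive_end` cuts the parent at the end of its APP1 segment, which a carver would then misread as a fragmentation point, while `structural_end` reaches the parent's own footer.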

In this article, taking thumbnails into consideration, we propose a new tool, X_myKarve, to carve more JPEG files by allowing for linearly fragmented JPEG files. Experiments using datasets from DFRWS 2006 (DFRWS) show that X_myKarve is capable of carving more JPEG files than Revit and myKarve.

The rest of the paper is organized as follows. Section 2 describes the X_myKarve carving system, Section 3 describes the test sets used, Section 4 discusses the results, and finally Section 5 concludes the paper.
