Hello everyone.
Sorry if this question is dumb, but I'm not that good in image forensics, so if I'm saying tons of stupid things, please forgive me )
I was wondering if there are tools that can render partially damaged/overwritten images.
Imagine that I have a jpg file of which the header is missing but other parts of the file are intact. Is it possible to view such parts?
Like by rebuilding the header and then trying to render the image? If it turns out that parts are damaged, maybe other parts are still visible..
Thanks )
Well, jpeg-snoop comes to mind
http//
But nothing actually "easy"
http//
Also, I presume it greatly depends on the type of "damage" the picture has, some errors can be corrected easily, others may not.
It's a lot of time since I tried the thingy, and possibly the info above is outdated, I seem to remember that at the time I tried a number of .jpg viewers and found one or two that (probably because they were "badly" programmed) could render images that were partially corrupted and did not display at all on common viewers.
But I really cannot remember which one those were.
Also browsers tend to be more "forgiving" and allow to view some images otherwise corrupted.
jaclaz
jpegsnoop didn't work for me. I knew that software and it's wonderful.
The problem is that in my case, the file is fully allocated but can't be opened.
I think that the image is corrupt because the disk had a screwed up partition table.
As you can see from the hex, even if the file is supposed to be a jpeg, all the header characteristics are missing.
I was wondering if there were ways to brute force the rendering of the uncorrupted area, but it looks really complex to achieve.
No, I don't think there are any. Unlike a bitmap or tiff, jpeg is a compressed file (not completely unlike a .zip one) and if headers/key parameters are missing, the content is simply "noise".
jaclaz
I have spent a long time working on joining up fragmented JPEGs. I do know it is possible to join two fragments and get a viewable photo made up of two different pictures. Sometimes, the second half is the wrong colour, or shifted partway across the screen. This is normally viewed in Windows Picture viewer.
For my application, this counts as a failure, but it does indicate that at times it is possible to add a header from a different picture, and at least get an idea of what the fragment is. Forensically this must count as 'dubious' but possibly OK as long as any donor headers came from the same disk.
As Jaclaz said, JPEGs are compressed, (in several possible ways) and so the data does look like noise, but all is not necessarily lost.
There was a posting on the site I think about last Christmas time of a program that did claim to view fragments from JPEGs.
As an approach, I would try and defragment all possible JPEGs on the disk and after that you will know which possible fragments are 'unattached'
Yep,
I was talking about "brute-forcing" partial data.
If you recreate and add a "good-enough" header, the noise may become "something".
Apparently even adroit cannot recover files without headers
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4724
Anyway, you can have a try with it
http//
jaclaz
Would help if you have a JPEG created by same device. The file in this video is a blob of header-less JPEG data. Into the video you can see it's actually a combination of 2 JPEGs, first chunk being JPEG data without header, second part at bottom is start OF JPEG with header and some data. https://
In essence a header is glued to 'arbitrary' data (however entropy looks 'jpeggy'). Tool used strips data following the header from FFxx byte combinations that may upset a decoder so image, including corrupt data can be viewed. You can then remove corrupt data and work your way towards a presentable image.
If you used a file system based recovery tool, I'd suggest you rather use something that does a RAW scan. I have seen so many instances where file system based file recovery tools produced corrupt files while carving them was still possible.
I know it's an old thread, but I bumped into it ..
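The header-gluing idea from the post above, as an added sketch that is not part of the thread and not the code of the tool mentioned there. It assumes a baseline donor JPEG from the same device, and it drops every `FF xx` pair that is not a stuffed `FF 00` or a restart marker; the function names and sample bytes are constructed for illustration.

```python
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def donor_header(donor: bytes) -> bytes:
    """Return the donor bytes from SOI up to the end of the first SOS segment."""
    if donor[:2] != SOI:
        raise ValueError("donor does not start with SOI (FF D8)")
    pos = 2
    while pos + 4 <= len(donor):
        if donor[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = donor[pos + 1]
        # Segment length is big-endian and includes its own two bytes.
        pos += 2 + int.from_bytes(donor[pos + 2:pos + 4], "big")
        if marker == SOS:
            return donor[:pos]
    raise ValueError("no SOS segment found in donor")

def sanitize_scan(data: bytes):
    """Drop FF xx pairs a decoder would read as a marker inside scan data.

    FF 00 (stuffed FF) and FF D0..D7 (restart markers) are legal and kept.
    Returns (cleaned bytes, number of pairs dropped).
    """
    out, dropped, i = bytearray(), 0, 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i])
            i += 1
            continue
        nxt = data[i + 1] if i + 1 < len(data) else -1
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            out += data[i:i + 2]
        else:
            dropped += 1
        i += 2
    return bytes(out), dropped

def graft(donor: bytes, fragment: bytes) -> bytes:
    """Donor header + cleaned fragment + EOI: a candidate file to try in a viewer."""
    cleaned, _ = sanitize_scan(fragment)
    return donor_header(donor) + cleaned + EOI

# Constructed sample bytes (structure only, not a decodable picture).
DONOR = SOI + b"\xff\xe0\x00\x04AB" + b"\xff\xda\x00\x04\x01\x02" + b"\x11\x22" + EOI
FRAGMENT = b"\x10\xff\x00\x20\xff\xd3\x30\xff\x2d\x40\xff\xd9\x50\xff"
```

Work on a copy of the carved fragment and record which donor file supplied the header, since the result mixes data from two sources.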
Which is good, as you added interesting insight on the matter.
Old per old, I will point you to here
https://www.forensicfocus.com/Forums/viewtopic/p=6544120/
Do you believe it possible (and actually useful besides my particular case, as an added feature to your tool(s)) to see if the missing/overwritten bytes can be bruteforced (specifically for JPEG images)?
jaclaz
I'm not sure what you're asking ..
This each file 4 bytes every 512 are overwritten?
2D 2D 2D 2D is not a problem for JPEG decoders. FF 2D FF 2D would be. If the 2D's overwrite existing data then there's no way of easily guessing original bytes. If they were inserted, deletion of the bytes would restore the image.
It would certainly require some manual intervention. I'm not sure if the code that detects patterns in my tool is still active, I'd have to look but I think I disabled it. Detection is easy enough but then next question is what you want to do with it. if inserted, simply delete them but then I'd need first figure that out (insert or overwrite).
I am doing some experiments BTW currently, making the assumption that visually a MCU looks very much like the MCU right below or above it. It's basically what you do when clone-stamping corrupt data with data looking very similar to the corrupt portion.
So I am trying to see if I can use actual RAW data (pre-decoded data) to fill corrupted areas with.
So in case of this image I patched away a complete row of corrupt MCUs, and then use the above row of MCUs to make up for lost data.
I see forum doesn't handle the photo too well, URL is https://
Yes, 4 bytes every 512 are overwritten, but not on the actual "jpeg", rather in the .eml message, where the binary is actually base64 encoded.
So there is an "intermediate" step, where the 4 bytes (base64) are converted to three bytes (actual binary, hex bytes). (Related to this, at the time I put together a spreadsheet (intended to reduce the possibilities for text) analyzing the possible patterns, as the data is organized in "lines" of 78 characters, or - better - by 19 quadruplets, so 19x4=76 bytes + CR+LF = 78.)
The spreadsheet was at the time only a base POC, but it showed that the probabilities were less than the 2^32-1 that could appear at first sight, depending on where the overwritten 4 bytes "fell" relative to the quadruplets, though possibly this is not true for the whole 00-FF range?
I was thinking about something like (I see that you well know about it ) ) repair-jpg
https://
where changing/inserting/deleting a single byte sometimes made *miracles*.
I thought that a "smart" jpeg parser might be able to "guess" much smaller ranges than the 000000-FFFFFF of the overwritten bytes and then provide an interactive interface so that the user can select the value that seems to "make progress" in the rendering of the image.
jaclaz
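The alignment arithmetic described in the post above, worked through as an added example (not the poster's spreadsheet). It assumes offsets are counted from the first base64 character of the attachment body, with full 76-character lines and the overwrite starting on a multiple of 512; the function names are hypothetical.

```python
from collections import Counter

B64_PER_LINE = 76   # 19 quadruplets of base64 text per line (from the post)
LINE_LEN = 78       # 76 characters + CR + LF
# Decoded bytes (relative to the quadruplet) that each of its 4 characters feeds.
BYTES_FED = {0: (0,), 1: (0, 1), 2: (1, 2), 3: (2,)}

def overwrite_impact(start, length=4):
    """Effect of overwriting `length` bytes at body offset `start`.

    Offsets count from the first base64 character of the body
    (assumption: no blank or short lines before the damaged area).
    """
    unknown = []                       # indices into the pure base64 stream
    for off in range(start, start + length):
        line, col = divmod(off, LINE_LEN)
        if col < B64_PER_LINE:         # CR/LF positions are known, skip them
            unknown.append(line * B64_PER_LINE + col)
    touched = sorted({3 * (i // 4) + b
                      for i in unknown for b in BYTES_FED[i % 4]})
    return {
        "unknown_chars": len(unknown),
        "decoded_bytes": touched,            # binary offsets needing repair
        "candidates": 64 ** len(unknown),    # 6 unknown bits per character
    }

def survey(blocks, first=0, period=512):
    """Tally candidate-space sizes for overwrites at first + k*period."""
    return Counter(overwrite_impact(first + k * period)["candidates"]
                   for k in range(blocks))

if __name__ == "__main__":
    for s in (0, 2, 74, 76):
        print(s, overwrite_impact(s))
    print(survey(39))   # 39 overwrites cover every alignment once
```

Each damaged spot therefore costs at most 64^4 = 2^24 candidates rather than 2^32, and only 64^2 when two of the four overwritten bytes land on the CR+LF; an overwrite that straddles two quadruplets touches four decoded bytes, two of them only partially.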