PII inside picture ?

10 Posts
5 Users
0 Reactions
616 Views
(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

I am working on a malware case where after having done a search for SSN's, I found PII inside of pictures.

These pictures looked 'degraded' where the bottom third or quarter was damaged.

When I view the picture in a hex editor or FTK's 'filtered' view, I see the JFIF header, followed by javascript, html, and social security numbers that match up with our States three digit prefix.

These pictures were carved from deleted space.

Has anyone ever seen this before?

If so, can anyone point me to any articles about the malware that does this? I currently believe the machine became infected in June.

Thank you for any assistance. This is new to me.

–Bruce

(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541

You're carving items, so there's no guarantee that from <header> to <footer> will be 1 single file. Your PII (whatever that is) along with the other js/html etc. are likely not part of whatever picture whose header you carved.
Forgive me if it's me who's misunderstanding your circumstances, but this doesn't seem to be a malware-specific thing. I think you're maybe not fully understanding how deleted files/unallocated space/carving work and the ramifications of carving items.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158

These pictures looked 'degraded' where the bottom third or quarter was damaged.

As the picture files were recovered, it sounds as if they have been partially overwritten since they were deleted. Or perhaps that they were fragmented, but the carver is simpleminded and only looks at consecutive blocks.

Does the non-image content start on a block boundary, the way a file does?

(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

I believe you are both correct. What I see is that as the data changes from graphic to javascript, it begins on a new cluster. The html also begins and ends in the middle of a tag. The javascript stops mid-code and switches over to data containing PII (personally identifiable information).

I appreciate the quick responses.

–Bruce

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

What are you using for carving the images?

(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

FTK 3.3

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

How does that tool work for carving? Does it locate a header and then proceed a set number of bytes? If so, that would explain why you're apparently seeing PII "inside" images…

(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

Extracted from the help file:
…identifying file headers / footers, the blocks between two boundaries.

You can define things like Offset, Length, Endian, Tags, sizes.
I think what has happened is it saw the JFIF in the header, went 'x' bytes and called it a file (as you surmised).
Just guessing.

I looked at the custom carvers to see if there was a way to view the details such as offset, length etc. I didn't see a way to view the existing, only how to create new. I will contact AccessData to learn this so I can better understand what it is doing on carving in the future.

Thank you.

–Bruce

(@pashapal)
Active Member
Joined: 18 years ago
Posts: 9

You can use Adroit Photo Forensics (full disclosure I am part of the company) to verify if the files are structurally intact.

Pure header-footer carving is not guaranteed to return a complete file, as others have noted. For deleted files we do validated carving, in other words, we look at the header and begin to decode/decompress the photo block by block to determine if the photo is indeed complete or not. We then separate out complete photos from invalid/corrupt photos. This allows us to give extremely high quality recovery results.

In your case, if the photos were separated out as incomplete, it would clearly indicate that the blocks of the photos were over-written. If you would like to know more about our carving techniques just drop me a mail.

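The two carving behaviours discussed in this thread, a header-to-footer (or header-plus-length) carve that glues whatever clusters follow onto a JFIF header, and the validated alternative of walking the file's own structure, as an added example. This is not code from the thread, from FTK or from Adroit; it builds a constructed three-cluster "unallocated space" image with an assumed 4096-byte cluster size, carves it naively, then walks the JPEG marker segments to find where the structure stops holding and whether that point sits on a cluster boundary (the reply above asked exactly that). The printable-ASCII-run threshold inside the scan data is an assumed heuristic, not a JPEG rule, and the SSN-shaped value is a placeholder.

```python
import re

CLUSTER = 4096                     # assumed cluster size for the constructed image
EOI, APP0, SOF0, SOS = 0xD9, 0xE0, 0xC0, 0xDA
JFIF_MAGIC = b"\xff\xd8\xff\xe0"   # SOI + APP0 marker: what a header carver keys on
EOI_BYTES = b"\xff\xd9"


def seg(marker, payload):
    """Build one JPEG marker segment: FF xx, 2-byte length (counts itself), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Minimal header segments of a 1x1 baseline JPEG: structurally valid, not decodable.
HEADER = (b"\xff\xd8"
          + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(SOF0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
          + seg(SOS, b"\x01\x01\x00\x00\x3f\x00"))


def fake_scan(n):
    """Filler standing in for entropy-coded data: bytes 0x80..0xFE, so it never
    contains 0xFF (no false markers) and never looks like printable text."""
    return bytes(0x80 | ((i * 37 + 11) % 127) for i in range(n))


def build_image():
    """Constructed 3-cluster image: cluster 0 holds the head of a deleted JPEG whose
    scan data is cut at the cluster edge, cluster 1 holds foreign text written there
    later (starting mid-tag, as in the thread), cluster 2 holds an intact JPEG."""
    c0 = HEADER + fake_scan(CLUSTER - len(HEADER))
    text = (b'ript type="text/javascript">var rows=[{"id":1}];</script>'
            b'<table><tr><td>000-00-0000</td><td>placeholder, constructed</td>')
    c1 = text.ljust(CLUSTER, b"\x00")
    c2 = (HEADER + fake_scan(200) + EOI_BYTES).ljust(CLUSTER, b"\x00")
    return c0 + c1 + c2


def carve_header_to_footer(img):
    """Naive carver: every JFIF header up to the next EOI, whatever lies between."""
    out, pos = [], 0
    while True:
        start = img.find(JFIF_MAGIC, pos)
        if start < 0:
            return out
        end = img.find(EOI_BYTES, start + 4)
        if end < 0:
            return out
        out.append((start, img[start:end + 2]))
        pos = start + 4


def walk_jpeg(buf, ascii_run=64):
    """Structural validation: walk the marker segments from offset 0 and report
    where the JPEG syntax stops holding ('stop' is an offset into buf)."""
    if buf[:2] != b"\xff\xd8":
        return {"complete": False, "reason": "no_soi", "stop": 0}
    pos, n = 2, len(buf)
    while pos + 4 <= n:
        if buf[pos] != 0xFF:
            return {"complete": False, "reason": "bad_marker", "stop": pos}
        marker = buf[pos + 1]
        if marker == EOI:
            return {"complete": True, "reason": "eoi", "stop": pos + 2}
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if length < 2:
            return {"complete": False, "reason": "bad_length", "stop": pos}
        pos += 2 + length
        if marker == SOS:                     # segments end here; scan data follows
            return _check_scan(buf, pos, ascii_run)
    return {"complete": False, "reason": "truncated", "stop": n}


def _check_scan(buf, start, ascii_run):
    """In entropy-coded data only FF00 (byte stuffing) and FFD0-D7 (restart markers)
    may follow 0xFF before the EOI. A long printable-ASCII run is flagged too:
    Huffman-coded scan data does not look like text (assumed heuristic)."""
    n, pos = len(buf), start
    complete, reason, stop = False, "truncated", n
    while pos + 1 < n:
        if buf[pos] == 0xFF:
            nxt = buf[pos + 1]
            if nxt == EOI:
                complete, reason, stop = True, "eoi", pos + 2
                break
            if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                reason, stop = "bad_marker", pos
                break
            pos += 2
            continue
        pos += 1
    run = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % ascii_run).search(buf, start, stop)
    if run:                                   # text appeared before the structure broke
        return {"complete": False, "reason": "ascii_run", "stop": run.start()}
    return {"complete": complete, "reason": reason, "stop": stop}


def analyze(img, cluster=CLUSTER):
    """Carve naively, validate each carve, and note whether the break point lies on a
    cluster boundary of the image (a glued-on foreign cluster rather than in-file damage)."""
    report = []
    for start, blob in carve_header_to_footer(img):
        r = walk_jpeg(blob)
        abs_stop = start + r["stop"]
        r.update(start=start, abs_stop=abs_stop,
                 cluster_aligned=(not r["complete"]) and abs_stop % cluster == 0)
        report.append(r)
    return report


if __name__ == "__main__":
    for r in analyze(build_image()):
        print(r)
```

Run as a script it prints one report per carve: the first carve (header at offset 0) runs all the way to the second picture's EOI, so the naive carver hands back a "picture" that contains the text cluster, while the structural walk stops at image offset 4096 with reason `ascii_run` and `cluster_aligned` true; the second carve walks cleanly to its own EOI and is reported complete.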
(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

Thank you.
