Hi,
We have developed some new techniques that help in carving images with missing fragments from unallocated space. In some cases we can recover the image even though the file header may be missing. In the past, others, including us, have developed techniques for carving images that assumed that all the data including the header was available. In fact, we even developed techniques to carve images that were fragmented and built a product based on such techniques. But I do not know of other work that can recover an image when there are missing fragments. Of course the part of the image corresponding to the missing data itself is not recovered (that would need magic!) but the rest of the image is recovered intact.
So my question is, how important is our development in real life forensics analysis? How often do you run into situations where you think some image evidence is there but cannot view it as the image header is missing or some part in the middle is missing and hence cannot decode?
BTW, for those who are interested, we published a paper at DFRWS 09 describing the technique above. The paper can be downloaded from our research website at http//
best,
nasir
So my question is, how important is our development in real life forensics analysis?
I don't know, but I have developed software that does the same thing; however, I never realised there was any use for it.
I have been able to reconstruct images without the header for some formats, and in some cases the missing data (small amounts) can be reconstructed.
My username reflects my area of interest; however, in Australia there is no demand for it, so most of my work just sits here doing nothing. Most of my image recovering software is geared towards this field and for testing stego algorithms. I need dumps of images from stego algorithms that have gone wrong 😯, hence the image reconstruction software.
It's an interesting field (image reconstruction); however, I don't have enough time to play with it.
Quite a few tools can recognize files based on file header/footer. If you can identify a picture based merely on its content without needing a header (for example a piece of a picture where the beginning has been overwritten and the end was lost) then I would say go for it, it may be a very useful product.
I can imagine a situation when some criminal has some pictures on his hard drives which he doesn't want to be found (in case of seizure etc.). Normally, he would just erase the disks. But if he doesn't have enough time for that, if he has only a few seconds left (the police are just entering his place etc.), he may just press a shortcut and execute some custom tool which will just overwrite first/last xx bytes of each file, just enough to "disable" all those usual file carving algorithms. This is not sci-fi. In such cases your tool would be of great help, especially if you are able to recognize BMP, GIF, JPEG and PNG files.
No one is examining all those terabytes of data manually these days, there are tools for everything. In fact, even "manual" examination would mean nothing else but again using some tool. The least problem for the criminals is to get the very same software (EnCase, FTK, XWF, Scalpel, whatever) which may be used by forensic experts, find out what algorithms are used for file carving and create a little fast tool to intentionally "damage" files so that they are not recognized anymore, or recognized wrongly. Sure you see my point.
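An added illustration of the point in the post above (not part of the thread and not any poster's tool): a signature-only check misses a JPEG fragment whose header is gone, while a content heuristic based on JPEG byte stuffing still flags it. The function names, thresholds and sample blocks are assumptions constructed for this example.

```python
import math
import random
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # signature a header-based carver searches for


def header_match(block: bytes) -> bool:
    """What a signature-only carver sees: a JPEG header at offset 0?"""
    return block.startswith(JPEG_SOI)


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte (8.0 means uniformly random)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def looks_like_jpeg_scan(block: bytes, min_entropy: float = 7.0, min_ff: int = 4) -> bool:
    """Heuristic content test for a headerless JPEG fragment: near-random
    bytes in which every 0xFF is followed by 0x00 (byte stuffing),
    RST0-RST7 (0xD0-0xD7) or EOI (0xD9), as entropy-coded JPEG data requires."""
    if len(block) < 512 or shannon_entropy(block) < min_entropy:
        return False
    followers = [block[i + 1] for i in range(len(block) - 1) if block[i] == 0xFF]
    legal = [f for f in followers if f == 0x00 or 0xD0 <= f <= 0xD7 or f == 0xD9]
    return len(followers) >= min_ff and len(legal) == len(followers)


def make_scan_fragment(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed sample: random bytes with JPEG stuffing and RST markers."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(n):
        if i % 512 == 511:
            out += bytes([0xFF, 0xD0 + (i // 512) % 8])  # restart marker
        b = rng.getrandbits(8)
        out += bytes([b, 0x00]) if b == 0xFF else bytes([b])
    return bytes(out)


FRAGMENT = make_scan_fragment()  # stands in for the middle of a JPEG, no header
RANDOM = bytes(random.Random(2).getrandbits(8) for _ in range(4096)) + b"\xff\x41"
TEXT = b"constructed low-entropy sample text " * 128

if __name__ == "__main__":
    for name, blk in (("fragment", FRAGMENT), ("random", RANDOM), ("text", TEXT)):
        print(name, header_match(blk), looks_like_jpeg_scan(blk))
```

The heuristic only classifies a block as probable JPEG scan data; decoding it without the header's Huffman and quantization tables is the harder problem the original post's paper addresses.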
I currently have a couple of image files with damaged headers or headers completely missing. What tools are available to recover these headers?
I'm trying to manually repair them with a hex editor, but I'm not having any success so far.
Any help will be appreciated!
Unfortunately, Adroit Photo Forensics currently does not support reconstruction with missing headers. We have researched ways to do it and the paper describing our research is at http//
We only have MATLAB code that we developed for our research, and if you send the data to us we could help you, but I doubt you may be able to do this if it is a forensics investigation :-(
I currently have a couple of image files with damaged headers or headers completely missing. What tools are available to recover these headers?
What format images are they? For instance - jpg, png, bmp, DIB (swap file recovery) etc.
Ok, cools,
I managed to repair all of them. Lots of googling, messing around, trial and error…
Thanks for the replies though!
Digital forensics challenge.
It was a challenge locating my old software, and trying to get a Microsoft compiler to compile it. It was even a greater challenge trying to read my notes to find out exactly what various programs did.
However, it may have helped with BMP, and some JPGs, but GIF I couldn't help with.
Swako,
I also participated in the DC3 challenge. I remember those files but had no idea what to do with them. Could you maybe PM me and give me some insight? Since the contest is now over, I would not be using your methods for my gain.