New to digital forensics so I'll try to be as clear as I can.
I'm currently studying it and at the moment I'm working on steganography and restructuring images. I was wondering how do you in fact know where a sector of the data in an image begins and ends?
I understand for jpg for example, you would have the standard header FF D8 FF E0, then have the entire thing end with FF D9. If I have data carved from other images however, I'm still trying to understand how you determine what sections of that data are part of this file and then also to figure out in what order each section of data goes in to reconstruct the original image.
Any advice would be appreciated,
thanks
Basically you don't/cannot.
If the .jpg is contiguous it is a valid file, if it is not or you have only fragments of it you need a dedicated software that may (or may not) be able to rebuild (wholly or partially) a valid image, of course each of these programs will use different algorithms and methods, making use of filesystem structures and what not.
Check this:
https://www.forensicfocus.com/forums/forensic-software/recommendations-for-carving-software/
to see how different softwares may succeed or fail (or both).
jaclaz
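Added example (not part of any post in this thread): the FF D8 header and FF D9 trailer from the question are the two ends of a chain of length-prefixed segments, but the scan data after the SOS segment has no length field, which is why a fragment boundary inside it cannot be read from markers alone. The Python below walks that chain in a carved buffer; `walk_jpeg`, `skip_scan` and `SAMPLE` are names and data made up for illustration.

```python
# Added example: walk the marker segments of a carved JPEG buffer.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-7: no length field

def skip_scan(buf, pos):
    """Skip entropy-coded scan data; return the offset of the next real marker."""
    while True:
        pos = buf.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(buf):
            return len(buf)                      # ran off the end of the fragment
        nxt = buf[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed FF 00 or restart marker
            pos += 2
        elif nxt == 0xFF:                        # fill byte before a marker
            pos += 1
        else:
            return pos

def walk_jpeg(buf):
    """Return ([(offset, marker), ...], status) for a buffer starting at SOI."""
    if buf[:2] != b"\xff\xd8":
        return [], "no SOI"
    segs, pos = [(0, 0xD8)], 2
    while pos + 2 <= len(buf):
        marker = buf[pos + 1]
        if buf[pos] != 0xFF or marker == 0x00:
            return segs, f"bad marker at {pos}"  # header chain broken here
        if marker == 0xFF:
            pos += 1
            continue
        segs.append((pos, marker))
        if marker == 0xD9:
            return segs, "complete"
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(buf):
            break
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")  # includes its own 2 bytes
        if length < 2:
            return segs, f"bad length at {pos}"
        pos += 2 + length
        if marker == 0xDA:                       # SOS: scan data has no length field
            pos = skip_scan(buf, pos)
    return segs, "truncated"

# Constructed sample (structurally valid stubs, not a decodable picture).
SAMPLE = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)  # SOI, APP0
          + b"\xff\xdb\x00\x04\x00\x00"                        # DQT stub
          + b"\xff\xda\x00\x03\x00"                            # SOS stub
          + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")     # scan data, EOI

if __name__ == "__main__":
    print(walk_jpeg(SAMPLE), walk_jpeg(SAMPLE[:36]))
```

A "complete" status only means the marker chain is consistent: foreign clusters that land in the middle of the scan data and contain no FF bytes pass unnoticed, so the result still has to be decoded and inspected.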
Thank you for that.
I figured it wasn't as simple as cut and paste but wasn't sure if it were impossible.
To be a bit more clear, I have partially reconstructed JPEGs, and the missing data is stored in 2 or 3 other files. I've manually sorted and retrieved the relevant data (I know this because the rest was random excel or text), and can also see it's part of the original when I add it into a temporary jpeg structure.
Obviously doesn't work or align properly by manually cutting and pasting, but I at least got an idea of how it all works.
Yep, there is - JFYI - a (relatively rarely used) approach in data recovery that I call "negative approach".
Basically you find the extents for each and every file that is actually valid and write 00's to them, making sure to NOT overwrite "cluster slack space" and then delete them.
This way the disk will remain containing only the (remnants of) files that were deleted/unindexed/*whatever* and this may (or may not) help the various .jpg recovery tools to do a "better" job. (and it is a lot of work anyway).
Still, unless it is for learning/fun, you cannot manually rebuild a .jpg out of tens or hundreds of fragments, of course if you have a handful of fragments (and they are ALL the fragments needed to rebuild the .jpg) it is possible.
jaclaz
BTW, this may interest you:
https://www.forensicfocus.com/forums/general/partially-corrupted-jpeg-pictures/
jaclaz
Thanks 🙂 they were both interesting reads.
I've pretty much dived into the deep end, so it's interesting to learn more about how things work and why they work.
Also, I managed to restructure it! Albeit a lengthy process.. I'm almost certain there's a shorter way.
With a generic header, I put separate files together and worked off the generated image. Once I figured out which parts I wanted and in what order, it was just a matter of etching out the extra bits.
@tkay These are already 'recovered'? If you need to recover fragmented files manually my tool JpegDigger allows for that, see: https://www.youtube.com/playlist?list=PLSL85pYTZnmuo4QCZlzrL6jzIOAJ3ngCo