When you are required to find all pictures in an image file,
a) you find all active and deleted pictures,
b) you do "file signature analysis" and get those pictures with changed extensions,
c) you extract those inside compressed files like zip, rar, tar.gz…,
d) and finally you do data carving for other possible pictures that might be embedded in Word files, and for those that were disguised by adding some hex values before the actual header so that they look like some other type of file, such as a .dat file.
When you are done with all these and have found all you can, do you think the examination is over, or is there any other method left? I know there is steganalysis, but I exclude it for now.
Thanks
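Steps b) and d) above, signature analysis and carving for a header that has been pushed away from offset 0, as an added Python example that is not part of the original post. The "evidence" bytes are constructed inline (JPEG/PNG-shaped blobs with the right markers but no real image content), and the `.dat` disguise is simulated by prepending 16 junk bytes; the signature table is the usual JPEG SOI/EOI, PNG header/IEND and GIF header magic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Magic bytes and, where the format has a reliable one, the trailer that ends the file.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # IEND chunk + its constant CRC
    "gif": (b"GIF8", None),  # GIF87a / GIF89a; the 0x3B trailer is too common to trust
}
EXTENSION_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


@dataclass
class Hit:
    kind: str
    offset: int
    length: Optional[int]  # None when the format has no footer we can trust


def carve_images(data: bytes) -> List[Hit]:
    """Scan a raw buffer for image headers at ANY offset, not just offset 0."""
    hits = []
    for kind, (magic, footer) in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            length = None
            if footer is not None:
                end = data.find(footer, pos + len(magic))
                if end != -1:
                    length = end + len(footer) - pos
            hits.append(Hit(kind, pos, length))
            start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def identify(data: bytes) -> Optional[str]:
    """File signature analysis: what the header at offset 0 says the file is."""
    for kind, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header identifies an image type the extension does not claim."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = identify(data)
    return actual is not None and actual != EXTENSION_TYPES.get(ext)


# Constructed sample data (not real evidence). Only the markers matter for carving.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 25 + b"IEND\xaeB`\x82"
# "report.dat": 16 bytes of junk prepended so the JPEG header is no longer at offset 0.
DISGUISED_DAT = b"\x00\x01\x02\x03" * 4 + FAKE_JPEG
# "photo.jpg": really a PNG, i.e. a renamed file that signature analysis should flag.
RENAMED_JPG = FAKE_PNG
# A slice of unallocated space with both blobs buried in it.
UNALLOCATED = b"junk" + FAKE_PNG + b"more" + DISGUISED_DAT

if __name__ == "__main__":
    print("report.dat by header:", identify(DISGUISED_DAT))          # None: disguised
    print("photo.jpg mismatch:", extension_mismatch("photo.jpg", RENAMED_JPG))
    for h in carve_images(UNALLOCATED):
        print(f"carved {h.kind} at offset {h.offset}, length {h.length}")
```

A header-at-offset-0 check (`identify`) misses the disguised `.dat` entirely; only the offset-agnostic scan (`carve_images`) recovers it, which is the point of step d). For real media, run the scan over the raw device or the unallocated-cluster export rather than over files, and treat hits without a footer as candidates to be validated by actually decoding them.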
You may wish to consider picture or graphic files that are made up of layers, like those produced using Corel Draw or Adobe. These graphic files can contain many layers, each of which may be a unique image.
Those with an interest in hiding images of child abuse have been known to apply this technique.
You may also need to look for yEnc-encoded image files, as found in newsgroup postings, or Base64-encoded data associated with email messages.
Thumbs.db or Thumbcache*.db ?
Exif thumbnails inside .jpg photos ?
MRUs for indications of files that may have been obliterated, or that came from removable media.
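Pulling the Exif thumbnail out of a JPEG, as an added Python example that is not part of the original post. It walks the JPEG marker segments to the APP1 "Exif" segment, reads the TIFF header for byte order, follows IFD0's next-IFD pointer to IFD1, and uses tags 0x0201 (JPEGInterchangeFormat) and 0x0202 (JPEGInterchangeFormatLength) to slice out the embedded thumbnail. The sample JPEG is constructed inline with a little-endian TIFF block and a JPEG-shaped thumbnail; it carries no real picture.

```python
import struct
from typing import Dict, Iterator, Optional, Tuple

TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each JPEG segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: entropy-coded data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def read_ifd(tiff: bytes, off: int, bo: str) -> Dict[int, int]:
    """Read one IFD and return {tag: value} for single SHORT/LONG values."""
    count = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[off + 2 + 12 * i: off + 14 + 12 * i]
        tag, typ, cnt = struct.unpack(bo + "HHI", entry[:8])
        if typ == 3 and cnt == 1:  # SHORT is left-justified in the 4-byte value field
            tags[tag] = struct.unpack(bo + "H", entry[8:10])[0]
        else:
            tags[tag] = struct.unpack(bo + "I", entry[8:12])[0]
    return tags


def extract_exif_thumbnail(data: bytes) -> Optional[bytes]:
    """Return the embedded JPEG thumbnail bytes, or None if there is none."""
    for marker, payload in iter_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]  # all IFD offsets are relative to this TIFF header
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if bo is None:
            raise ValueError("bad TIFF byte order mark")
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        n0 = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
        ifd1 = struct.unpack(bo + "I", tiff[ifd0 + 2 + 12 * n0: ifd0 + 6 + 12 * n0])[0]
        if ifd1 == 0:
            return None  # no IFD1, so no thumbnail
        tags = read_ifd(tiff, ifd1, bo)
        off, length = tags.get(TAG_THUMB_OFFSET), tags.get(TAG_THUMB_LENGTH)
        if off is None or length is None:
            return None
        return tiff[off:off + length]
    return None


def build_sample_exif_jpeg(thumb: bytes) -> bytes:
    """Constructed JPEG: SOI, APP1/Exif with IFD0 -> IFD1 -> thumbnail, DQT stub, EOI."""
    tiff = bytearray(b"II\x2a\x00" + struct.pack("<I", 8))          # IFD0 at offset 8
    ifd1_off = 8 + 2 + 12 + 4                                        # one IFD0 entry
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x0112, 3, 1, 1)  # Orientation=1
    tiff += struct.pack("<I", ifd1_off)
    thumb_off = ifd1_off + 2 + 2 * 12 + 4                            # two IFD1 entries
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHII", TAG_THUMB_OFFSET, 4, 1, thumb_off)
    tiff += struct.pack("<HHII", TAG_THUMB_LENGTH, 4, 1, len(thumb))
    tiff += struct.pack("<I", 0)                                     # no further IFD
    assert len(tiff) == thumb_off
    tiff += thumb
    app1 = b"Exif\x00\x00" + bytes(tiff)
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return b"\xff\xd8" + segment + b"\xff\xdb\x00\x04\x00\x00" + b"\xff\xd9"


# Constructed thumbnail: JPEG-shaped bytes, no real image content.
SAMPLE_THUMB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    thumb = extract_exif_thumbnail(build_sample_exif_jpeg(SAMPLE_THUMB))
    print("thumbnail bytes:", None if thumb is None else len(thumb))
```

The forensic value is that the thumbnail is generated when the photo is taken and is frequently left untouched when the main image is later cropped or edited, so comparing the two can reveal what was removed. Real files may carry several APP1 segments and a thumbnail offset that points past the end of the TIFF block; bounds-check the slice before trusting it.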
All nice answers. Thank you for the contributions colleagues.
Don't forget encrypted containers.
Images knowingly concealed using NTFS ADS methodology.
Thanks Fab4.
I did some research on the internet about ADS and found out that there is currently no method to tell whether you have any ADS files on your drive, except for a small utility, lads.exe.
So, in terms of forensics, how does this relate to EnCase, FTK and other software? Does forensic software miss any possible ADS file on a suspect drive?
Copy the whole volume to a FAT32 volume and you will find them all!
If two files have the same 'File Identifier', then they come from the same MFT entry, which means one is an ADS attached to the other. So, sort by the 'File Identifier' column in EnCase and you will see if there are duplicates. Also, EnCase identifies ADSs by starting with the original filename, and then the ADS appears straight after in the format .$[name].
Please see the screenshot below from EnCase; the circled entries represent the original file '$Secure' followed by its ADSs.
I hope that helps :)
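Why the 'File Identifier' trick above works, shown at the MFT level as an added Python example that is not part of the thread: a file and its alternate data streams are separate $DATA attributes (type 0x80) inside one FILE record, so they share the record number that EnCase exposes as the identifier. The parser below walks the attribute list of a record and reports every $DATA attribute; the unnamed one is the normal content, any named one is an ADS. The record is constructed inline (record number 40, parent reference 5, names `notes.txt` and `hidden.jpg` are all made up) and, to keep it short, it carries no update-sequence fixups, which a parser for real MFT data must undo before reading.

```python
import struct
from typing import Dict, List

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF


def parse_record(rec: bytes) -> Dict:
    """Return record number, Win32 file name and every $DATA stream of one FILE record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr = struct.unpack_from("<H", rec, 0x14)[0]
    used = struct.unpack_from("<I", rec, 0x18)[0]
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "name": None, "streams": []}
    pos = first_attr
    while pos + 4 <= used:
        atype = struct.unpack_from("<I", rec, pos)[0]
        if atype == ATTR_END:
            break
        alen, nonres, nlen, noff = struct.unpack_from("<IBBH", rec, pos + 4)
        name = rec[pos + noff: pos + noff + 2 * nlen].decode("utf-16-le")
        if nonres:  # content lives in clusters; only the real size is in the header
            size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            content = None
        else:
            size, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff: pos + coff + size]
        if atype == ATTR_FILE_NAME and content is not None:
            fn_len, namespace = content[64], content[65]
            if info["name"] is None or namespace != 2:  # prefer non-DOS (8.3) name
                info["name"] = content[66:66 + 2 * fn_len].decode("utf-16-le")
        elif atype == ATTR_DATA:
            info["streams"].append({"name": name, "size": size,
                                    "resident": not nonres, "data": content})
        if alen == 0:
            break
        pos += alen
    return info


def alternate_streams(info: Dict) -> List[Dict]:
    """Named $DATA attributes are the alternate data streams."""
    return [s for s in info["streams"] if s["name"] != ""]


# ---- constructed sample record (not taken from any real volume) ----
def build_attr(atype: int, name: str, content: bytes) -> bytes:
    name_u = name.encode("utf-16-le")
    content_off = 0x18 + len(name_u)
    content_off += (-content_off) % 8          # content is 8-byte aligned
    total = content_off + len(content)
    total += (-total) % 8                      # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHH", atype, total, 0, len(name), 0x18, 0, 0)
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)
    body = hdr + name_u
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (total - len(body))


def file_name_content(name: str, parent_ref: int = 5) -> bytes:
    name_u = name.encode("utf-16-le")
    # parent ref, 4 timestamps, allocated/real size, flags, reparse, len, namespace, name
    return (struct.pack("<Q", parent_ref) + b"\x00" * 32 + struct.pack("<QQII", 0, 0, 0, 0)
            + bytes([len(name), 3]) + name_u)


def build_record(attrs: List[bytes], record_no: int = 40, size: int = 1024) -> bytes:
    body = b"".join(attrs) + struct.pack("<I", ATTR_END)
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)              # first attribute offset
    struct.pack_into("<H", hdr, 0x16, 0x01)              # flags: record in use
    struct.pack_into("<I", hdr, 0x18, 0x38 + len(body))  # used size
    struct.pack_into("<I", hdr, 0x1C, size)              # allocated size
    struct.pack_into("<I", hdr, 0x2C, record_no)         # MFT record number
    rec = bytes(hdr) + body
    return rec + b"\x00" * (size - len(rec))


FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
SAMPLE_RECORD = build_record([
    build_attr(ATTR_FILE_NAME, "", file_name_content("notes.txt")),
    build_attr(ATTR_DATA, "", b"nothing to see here\r\n"),   # the visible file content
    build_attr(ATTR_DATA, "hidden.jpg", FAKE_JPEG),         # the ADS notes.txt:hidden.jpg
])

if __name__ == "__main__":
    info = parse_record(SAMPLE_RECORD)
    print(f"record {info['record']}: {info['name']}")
    for s in alternate_streams(info):
        print(f"  ADS {info['name']}:{s['name']} ({s['size']} bytes)")
```

Because both $DATA attributes sit in record 40, a tool that lists streams per MFT record, or that exposes the record number as a sortable column, cannot miss the ADS; the carving pass from earlier in the thread still has to be run on the stream data itself, since `hidden.jpg` is only a name.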