Assessment item 3 – Tasks and Forensics Report
Value: 25%
TASK
Task 1: Recovering scrambled bits (5%) (5 marks)
For this task I will upload a text file with scrambled bits on the subject interact2 site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text into your assignment.
Deliverable: Describe the process used in restoring the scrambled bits and insert the plain text in the assignment.
Task 2: Digital Forensics Report (20%) (20 marks)
In this major task you are asked to prepare a digital forensic report for the following scenario after carefully reading the scenario and looking at the textbook figures referred to below: You are investigating a possible intellectual property theft by a new employee of Superior Bicycles, Inc. This employee, Tom Johnson, is the cousin of Jim Shu, an employee who had been terminated. Bob Aspen is an external contractor and investor who gets a strange e-mail from Terry Sadler about Jim Shu’s new project (shown in Figure 8-5 of the textbook on p. 350).
Bob forwards the e-mail to Chris Robinson (the president of Superior Bicycles) to inquire about any special projects that might need capital investments. Chris forwards the e-mail to the general counsel, Ralph Benson, asking him to look into it. He also forwards it to Bob Swartz, asking him to have IT look for any e-mails with attachments. After a little investigation, Bob Swartz forwards an e-mail IT found to Chris Robinson (shown in Figure 8-6 of the textbook on p. 350).
Chris also found a USB drive on the desk Tom Johnson was assigned to. Your task is to search the drive and determine whether it contains any proprietary Superior Bicycles, Inc. data in the form of digital photographs that could serve as evidence. In particular, you may look for graphics files such as JPEGs hidden on the USB drive under a different file format. Note that for the USB drive image, you need to download the “C08InChp.exe” file from the download section of Chapter 8 on the student companion site of the textbook (Nelson, Phillips, & Steuart, 6/e, 2019).
Your task is to search all possible places data might be hidden (e-mails and the USB drive) and recover and present any digital evidence in the report.
Deliverable: For this forensic examination, you need to provide a report of 1800-2000 words (approximately 5 A4 pages) in the format described in the Presentation section below.
RATIONALE
This assessment task will assess the following learning outcomes:
• be able to determine and explain the legal and ethical considerations for investigating and prosecuting digital crimes.
• be able to formulate a digital forensics process.
• be able to evaluate the technology in digital forensics to detect, prevent and recover from digital crimes.
• be able to analyse data on storage media and various file systems.
• be able to collect electronic evidence without compromising the original data.
• be able to critique and compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation.
• be able to prepare and defend reports on the results of an investigation.
PRESENTATION
The following should be included as minimum requirements in the report structure:
• Executive Summary or Abstract
  This section provides a brief overview of the case, your involvement as an examiner, authorisation, major findings and conclusion.
• Table of Contents
• Introduction
  Background, scope of engagement, forensics tools used and summary of potential findings.
• Analysis Conducted
  o Description of relevant programs on the examined items
  o Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions etc.
  o Graphic image analysis
• Findings
  This section should describe in greater detail the results of the examinations and may include:
  o Specific files related to the request
  o Other files, including any deleted files that support the findings
  o String searches, keyword searches, and text string searches
  o Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity
  o Indicators of ownership, which could include program registration data
• Conclusion
  Summary of the report and results obtained.
• References
  You must cite references to all material you have used as sources for the content of your work.
CHAPTER 8 Recovering Graphics Files 373
Hands-On Projects
Create the C:\Work\Chap08\Projects folder on your system before starting these projects.
If necessary, copy all data files from the downloads section for this chapter (on the student
companion site for this book) to your work folder.
Hands-On Project 8-1
In this project, you use Autopsy for Windows to locate and extract JPEG files with altered
extensions. Some of these files are embedded in files with non-JPEG extensions. Find the
C08frag.dd file in your work folder, and then follow these steps:
1. Start Autopsy for Windows, and click the Create New Case button. In the New Case
Information window, type C08frag in the Case Name text box, and click Next. Enter
C08Frag for the case number and your name as the examiner, and then click Finish.
2. In the Add Data Source window, click Disk Image or VM file in the Select Type of Data
Source to Add section, if necessary, and then click Next. In the Select Data Source
window, click the Browse button. In the Open dialog box, navigate to your work folder,
and click C08frag.dd. Click Open, and then click Next. Accept all the default selections
in the Configure Ingest Modules window, and click Next and then Finish.
3. Click the Keyword Search down arrow at the upper right. Type jfif in the text box, click
the Substring Match option, and then click Search.
4. Click each file in the search results that doesn’t have a JPEG extension. Then examine
the contents of each file to find any occurrences of a JFIF label. Right-click a file with a
JFIF label, point to Tag Files, and click Tag and Comment. In the Comment text box,
type Recovered hidden file, and then click OK. Repeat this procedure for each file
with a JFIF label.
5. Click Generate Report. Click the Results – HTML option button for the report format,
and then click Next. Click All Results, and then click Finish. Click the report link, and
examine your report in the browser window that opens.
6. Exit Autopsy for Windows, saving your project when prompted.
Hands-On Project 8-2
In this project, you continue examining the files found by IT staff at Superior Bicycles. In
the in-chapter activity, you recovered three files containing zzzz for the first 4 bytes of
altered JPEG files. These altered files had different extensions to hide the fact that they’re
graphics files.
Find the C08carve.dd file in your work folder. This image file is a new drive acquisition
the IT staff made. The CEO wants to know whether any similar files on this drive match the
files you recovered from the first USB drive. Because you know that the files you recovered
earlier have zzzz for the first 4 bytes, you can use it as your search string to see whether
similar files are on this drive.
1. Start Autopsy for Windows, and click the Create New Case button. In the New Case
Information window, type C08carve in the Case Name text box, and click Next. In the
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations. Retrieved from http://ebookcentral.proquest.com
Additional Information window, type the date in the Case Number text box and your
name in the Examiner text box. Click Finish.
2. In the Select Data Source window, click the Browse button, navigate to your work
folder, click c08carve.dd, and then click Open. Then click Next.
3. Next, click the Keyword Search down arrow. In the text box, type zzzz, click the Exact
Match option button, and then click Search.
4. Click each file in the search results to display its contents. If the file contains zzzz at
the beginning of the sector, right-click the file, point to Tag Files, and click Tag and
Comment. In the Comment text box, type Similar file, and then click OK.
5. Click the gametour5.exe file. Ctrl+click to select gametour1.exe, gametour2.exe,
gametour3.exe, gametour4.exe, and gametour6.exe. Right-click the selection, point
to Tag Files, and click Tag and Comment. In the Comment text box, type Additional
similar files, and then click OK.
6. Click Generate Report. Click the Results – HTML option button, and then click Next.
Click All Results, and then click Finish. Examine the results in the browser window, and
then exit Autopsy.
Hands-On Project 8-3
In this project, you use IrfanView to open graphics files and save them in a compressed
graphics format different from the original format. You should note any changes in
image quality after converting files to a different format. Download IrfanView from
www.irfanview.com and install it, and then follow these steps:
1. Start IrfanView. Click File, Open from the menu. In the Open dialog box, navigate to
your work folder, and then double-click SPIDER.bmp to open the file.
2. Click File, Save as from the menu. Change the file type to JPG and save the file as
Spider in the same location.
3. Save Spider as Spider2.bmp in the same location.
4. Open these three graphics files in new sessions of IrfanView and compare the files.
Document any changes you notice.
5. Open FLOWER.gif from your work folder, and save it as Flower in the same
location.
Tip
If your screen is cluttered with too many open IrfanView windows, close a few that
you’re no longer working with.
6. Save Flower as Flower2.gif in the same location.
7. Open these three graphics files in new sessions of IrfanView, and document any
changes you see when comparing the files.
8. Open Cartoon.bmp from your work folder, and save it as Cartoon.gif in the same
location.
9. Save Cartoon.gif as Cartoon2.bmp in the same location.
10. Open these three graphics files in new sessions of IrfanView, and document any
changes you see when comparing the files.
11. Exit all instances of IrfanView. Summarize your conclusions in a brief report and submit
it to your instructor.
Hands-On Project 8-4
In this project, you use S-Tools4 to create a steganography file for hiding an image. Download
S-Tools4 from http://packetstormsecurity.com/files/21688/s-tools4.zip.html or
www.4shared.com/zip/q764vcPu/s-tools4.htm, install the program, and then follow these steps:
1. In File Explorer, navigate to where you installed S-Tools4, and start the program by
double-clicking S-Tools.exe. If necessary, click Run, and then click Continue.
2. Drag RUSHMORE.bmp from your work folder to the S-Tools window.
3. To hide text in the RUSHMORE.bmp file, drag Findme.txt from your work folder to the
RUSHMORE.bmp image.
4. In the Hiding dialog box, type FREEDOM in the Passphrase and Verify passphrase text
boxes, and then click OK. A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as Steg.bmp in
your work folder.
6. Close the Steg.bmp and RUSHMORE.bmp windows, but leave S-Tools open for the next
project.
Hands-On Project 8-5
In this project, you use S-Tools4 to create a secret message in a bitmap file and compare this
steganography file with the original file by using the DOS comp command. You need S-Tools4
and the Mission.bmp and USDECINP.rtf files in your work folder. First, follow these steps
to create a steganography file:
1. If you have exited S-Tools4, start it by double-clicking S-Tools.exe in File Explorer.
2. Drag Mission.bmp from your work folder to the S-Tools window.
3. Next, drag USDECINP.rtf from your work folder to the Mission.bmp image.
4. Type hop08-5 in the Passphrase and Verify passphrase text boxes, and then click OK.
A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as
Mission-steg.bmp in your work folder. Exit S-Tools.
Next, you use the DOS comp command to compare these two files and redirect the
output to a text file for further analysis:
1. To open a command prompt window in Windows, click the Search icon, type cmd, and
then press Enter. (In earlier Windows versions, you can click Start, type cmd in the
“Search for programs and files” text box, and then press Enter.)
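The comparison the comp step performs, as an added example in Python (not the textbook's code and not S-Tools' embedding routine): it lists every differing offset, as comp's redirected output does, and adds two checks worth putting in the report, namely whether the differences stay inside the pixel array and whether each changed byte differs only in its least significant bit. Both inputs are constructed: a tiny 24-bit BMP standing in for Mission.bmp, and a copy with the LSB of four pixel bytes flipped standing in for Mission-steg.bmp.

```python
"""Byte-by-byte comparison of a bitmap and its steganography copy.

Added example; not the textbook's code and not S-Tools' embedding routine.
The two inputs are constructed below (a minimal 24-bit BMP and a copy with
four pixel LSBs flipped); they are not Mission.bmp / Mission-steg.bmp.
"""
import struct


def build_bmp(width, height, bgr):
    """Construct a minimal uncompressed 24-bit BMP with a BITMAPINFOHEADER."""
    row_len = (width * 3 + 3) & ~3                 # rows are padded to 4 bytes
    row = bytes(bgr) * width + b"\x00" * (row_len - width * 3)
    pixels = row * height
    off_bits = 14 + 40                             # file header + info header
    file_hdr = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def pixel_data_offset(bmp):
    """bfOffBits: start of the pixel array, little-endian uint32 at offset 10."""
    return struct.unpack_from("<I", bmp, 10)[0]


def compare_files(a, b):
    """Every differing position over the common length, as (offset, byte_a, byte_b)."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def summarize(original, suspect):
    """Facts worth stating in the examination report."""
    diffs = compare_files(original, suspect)
    start = pixel_data_offset(original)
    return {
        "same_size": len(original) == len(suspect),
        "differences": len(diffs),
        # every change lies at or after the pixel array: headers untouched
        "header_untouched": all(off >= start for off, _, _ in diffs),
        # each changed byte differs from the original in bit 0 only
        "lsb_only": bool(diffs) and all((x ^ y) == 1 for _, x, y in diffs),
        "first_offset": diffs[0][0] if diffs else None,
    }


def report_lines(original, suspect):
    """comp-style text: one line per differing byte, then the summary."""
    lines = ["Compare error at OFFSET %d: file1 = %02X, file2 = %02X" % d
             for d in compare_files(original, suspect)]
    if not lines:
        lines.append("Files compare OK")
    for key, value in summarize(original, suspect).items():
        lines.append("%s: %s" % (key, value))
    return lines


# Constructed inputs (see module docstring): 4x4 image, 102 bytes in total.
ORIGINAL = build_bmp(4, 4, (0x10, 0x80, 0xF0))
_copy = bytearray(ORIGINAL)
for _off in (54, 57, 62, 70):          # simulated LSB changes inside pixel data
    _copy[_off] ^= 0x01
STEG_COPY = bytes(_copy)

if __name__ == "__main__":
    # Equivalent of: comp Mission.bmp Mission-steg.bmp > compare.txt
    print("\n".join(report_lines(ORIGINAL, STEG_COPY)))
```

On real files, read both with open(path, "rb").read() and pass them to report_lines; unequal sizes are flagged by same_size and only the common prefix is compared.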
Searching for and Recovering Digital Photograph Evidence
In this section, you learn how to use Autopsy for Windows to search for and extract
(recover) possible evidence of JPEG files from the USB drive the EMTS manager gave
you. The search string to use for this examination is “FIF.” Because it’s part of the
label name of the JFIF JPEG format, you might have several false hits if the USB drive
contains several other JPEG files. These false hits, referred to as false positives, require
examining each search hit to verify whether it’s what you are looking for. In this
activity, you see that Autopsy has an Exif parser.
To begin the examination, follow these steps to load the image file:
1. Start Autopsy for Windows, and click the Create New Case button. In the New Case
Information window, type C08InChp for the case name, and click Browse next to the
Base Directory text box. Navigate to and click your work folder, and then click Next.
In the Additional Information window, type C08InChp for the case number, enter
your name for the examiner, and then click Finish.
2. In the Add Data Source window, leave the default selection Disk Image or VM
file in the Type of Data Source to Add section, and then click Next.
3. In the Select Data Source window, click the Browse button, navigate to your
work folder, click C08InChp.dd, and click Open. Then click Next.
4. In the Configure Ingest Modules window, you can select what type of processing
you want, such as a hash lookup or an Exif parser (see Figure 8-7). Leave the
default selections, click Next, and then click Finish.
5. In the left pane of Autopsy’s main window, click to expand Extracted Content,
if necessary, and then click EXIF Metadata. Examine the files displayed in the
upper-right pane (see Figure 8-8). As you scroll through these files, notice that
the hexadecimal codes haven’t been altered. (In the e-mail Tom Johnson sent,
the JFIF code was supposedly altered.)
Note
Before starting this activity, create the C:\Work\Chap08\Chapter folder on your system
(referred to as your “work folder” in steps). Then download the C08InChp.exe file in the
downloads section for this chapter on the student companion site for this book. You should
extract this file to your work folder.
Figure 8-7 Processing options in the Configure Ingest Modules window
Source: www.sleuthkit.org
Figure 8-8 Parsing Exif metadata in Autopsy
Source: www.sleuthkit.org
Figure 8-9 The results of searching for “fif”
Source: www.sleuthkit.org
Note
In Figure 8-10, the header for this JPEG file has been overwritten with zzzz. This unique
header information might give you additional search values that could minimize false-positive
hits in subsequent searches.
6. Click the Keyword Search down arrow at the upper right. To verify that no other
codes have been altered, you should check whether a change has been made to
the FIF format. In the text box, type FIF (all uppercase letters), click the Exact
Match option, and then click Search. There are no results. Next, type fif (all
lowercase letters), click the Substring Search option, and then click Search. Your
results should be similar to what’s shown in Figure 8-9.
7. To view the changes made to the file header, you need to see the hexadecimal
code. To do this, click the Hex tab in the lower-right pane, if necessary, and
scroll down through the files until you see “zzzz” in the file header, as shown in
Figure 8-10. You should be viewing the gametour2.exe file.
8. Click the File Metadata tab to view the written, accessed, and created dates and
times along with the sectors used by the file (see Figure 8-11).
9. In the search results, right-click the gametour2.exe file and click Extract File(s).
In the Save As dialog box, navigate to your work folder, type Recover1 for
the filename, and then click Save. Autopsy then creates an Export subfolder of
your work folder to store this file. In the confirmation message box, click OK, and
then exit Autopsy.
Figure 8-10 The altered file header
Source: www.sleuthkit.org
File header overwritten with zzzz
Figure 8-11 Viewing all sectors used by the gametour2.exe file
Source: www.sleuthkit.org
The next section shows you how to rebuild header data from this recovered file
by using WinHex, although any hexadecimal editor has the capability to examine
and repair damaged file headers. From a digital forensics view, this procedure can
be considered corrupting the evidence, but knowing how to reconstruct data, as in
the preceding example, is part of an investigator’s job. When you change data as part
of the recovery and analysis process, make sure you document each step as part of
your reporting procedures. Your documentation should be detailed enough that other
investigators could repeat the steps, which increases the credibility of your findings.
When you’re rebuilding a corrupted evidence image file, create a new file and leave the
original file in its initial corrupt condition.
Rebuilding File Headers
Before attempting to edit a graphics file you have recovered, try to open it with an
image viewer, such as the default Microsoft tool. To test whether you can view the
image, double-click the recovered file in its current location in File Explorer. If you
can open and view the image, you have recovered the graphics file successfully.
If the image isn’t displayed, you have to inspect and correct the header values
manually.
If some of the data you recovered from the graphics file header is corrupt, you
might need to recover more pieces of the file before you can view the image, as you’ll
see in the next section. Because the deleted file you recovered in the previous activity,
Recover1, was altered intentionally, you might see an error message similar to
the one in Figure 8-12 when you attempt to open the file.
Figure 8-12 Error message indicating a damaged or an altered graphics file
If you can’t open a graphics file in an image viewer, the next step is to examine
the file’s header data to see whether it matches the header in a good JPEG file. If the
header doesn’t match, you must insert the correct hexadecimal values manually with a
hexadecimal editor. To inspect a file with WinHex, follow these steps:
1. Start WinHex, and click File, Open from the menu. Navigate to your work folder, and
then double-click Recover1. If necessary, click OK. Figure 8-13 shows this file
open in WinHex.
Figure 8-13 Recover1 open in WinHex
Source: X-Ways AG, www.x-ways.net
Offset position 0 Offset position 6
2. At the top of the WinHex window, notice that the hexadecimal values starting at
the first byte position (offset 0) are 7A 7A 7A 7A, and the sixth position (offset 6)
is also 7A. Leave WinHex open for the next activity.
As mentioned, a standard JFIF JPEG file has a header value of FF D8 FF E0 from
offset 0 and the label name JFIF starting at offset 6. Using WinHex, you can correct this
file header manually by following these steps:
1. In the center pane, click to the left of the first 7A hexadecimal value. Then type
FF D8 FF E0, which are the correct hexadecimal values for the first 4 bytes of a
JPEG file.
2. In the right pane at offset 6, click the z, and then type J, as shown in Figure 8-14.
3. Click File, Save As from the menu. In the Save File As dialog box, navigate to
your work folder, type Fixed1 as the filename, and then click Save. If
you’re using the demo version of WinHex, you get an error message because of
the file size. Exit WinHex.
Figure 8-14 Inserting correct hexadecimal values for a JPEG file
Source: X-Ways AG, www.x-ways.net
Inserting FF D8 FF E0 starting at offset 0 After changing z to an uppercase J
Tip
In WinHex, when you type a keyboard character in the right pane, the corresponding
hexadecimal value appears in the center pane. So, for example, when you type J in the right
pane, the hexadecimal value 4A appears in the center pane.
Note
In WinHex Demo, you can save only up to 200 KB of data in a file.
Every two hexadecimal values you entered in the previous steps are equivalent to
one ASCII character. For example, an uppercase “A” has the hexadecimal value 41, and
a lowercase “a” has the hexadecimal value 61. Most disk editors have a reference chart
for converting hexadecimal values to ASCII characters, such as in Figure 8-15.
Figure 8-15 ASCII equivalents of hexadecimal values (table axes: first hexadecimal number, second hexadecimal number)
After you repair a graphics file header, you can test the updated file by opening
it in an image viewer, such as Windows Photo Viewer, IrfanView, ThumbsPlus,
QuickView, or ACDSee. If the file displays the image, as shown in Figure 8-16, you have
performed the recovery correctly.
Figure 8-16 Fixed1 open in an image viewer
The process of repairing file headers isn’t limited to JPEG files. You can apply the
same technique to any file you can determine the header value for, including Microsoft
Word, Excel, and PowerPoint documents and other image formats. You need to know
only the correct header format for the type of file you’re attempting to repair.
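The keyword search in steps 6 to 9, the WinHex header rebuild, and the generalisation in the last paragraph, carried out in one added Python example (not code from the textbook, Autopsy or WinHex): a substring search for "fif" reported once per sector, a check of offsets 0-3 and 6 of each hit to separate an altered header from a false positive, and a repair that applies the two WinHex edits to a new buffer while logging each change and a hash, so the original stays in its found condition. The drive image, the sha256 logging and the signature table are this example's own choices; the image is constructed and is not C08InChp.dd.

```python
"""Find altered JFIF headers in a drive image and write a repaired copy.

Added example; not code from the textbook, Autopsy or WinHex. The image is
constructed by build_image(); it is not C08InChp.dd.
"""
import hashlib

SECTOR = 512
JFIF_START = bytes.fromhex("FFD8FFE0")        # SOI + APP0 marker, offsets 0-3
JFIF_LABEL = b"JFIF\x00"                      # APP0 identifier, offsets 6-10
JFIF_PATCHES = [(0, JFIF_START), (6, b"J")]   # the two edits made in WinHex

# Standard signatures at offset 0, for the "any file whose header you know"
# generalisation: repair() works with any of these as the patch value.
KNOWN_HEADERS = {
    "jpeg": bytes.fromhex("FFD8FF"),
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "gif": b"GIF8",
    "bmp": b"BM",
    "ole2 (doc/xls/ppt)": bytes.fromhex("D0CF11E0A1B11AE1"),
    "zip (docx/xlsx/pptx)": bytes.fromhex("504B0304"),
}


def keyword_search(image, needle=b"fif"):
    """Case-insensitive substring search, reported once per sector."""
    hits, low, needle = [], image.lower(), needle.lower()
    for start in range(0, len(image), SECTOR):
        idx = low.find(needle, start, start + SECTOR)
        if idx != -1:
            hits.append({"sector": start // SECTOR, "offset": idx})
    return hits


def classify(sector_bytes):
    """What a hit is, judged from the bytes at the start of its sector."""
    head, label = sector_bytes[:4], sector_bytes[6:11]
    if head == JFIF_START and label == JFIF_LABEL:
        return "intact JFIF header"
    if label[1:] == JFIF_LABEL[1:]:   # "FIF\0" survived; byte 6 and/or 0-3 changed
        return "altered JFIF header"
    return "false positive"


def identify(data):
    """Name of the first known signature matching offset 0, or None."""
    for name, sig in KNOWN_HEADERS.items():
        if data[:len(sig)] == sig:
            return name
    return None


def repair(data, patches):
    """Return (repaired copy, step log). The input bytes are never modified."""
    fixed = bytearray(data)
    log = ["original sha256 " + hashlib.sha256(data).hexdigest()]
    for off, good in patches:
        old = bytes(fixed[off:off + len(good)])
        if old != good:
            log.append("offset %d: %s -> %s"
                       % (off, old.hex(" ").upper(), good.hex(" ").upper()))
            fixed[off:off + len(good)] = good
    log.append("repaired sha256 " + hashlib.sha256(bytes(fixed)).hexdigest())
    return bytes(fixed), log


def is_valid_jfif(data):
    """Header check a viewer would pass: FF D8 FF E0 at 0 and JFIF\\0 at 6."""
    return data[:4] == JFIF_START and data[6:11] == JFIF_LABEL


def build_image():
    """Constructed 4-sector image: a text false positive, an intact JFIF
    header, the altered header from the chapter (zzzz at offset 0, z at
    offset 6), and an empty sector."""
    def pad(b):
        return b.ljust(SECTOR, b"\x00")
    good = JFIF_START + b"\x00\x10" + JFIF_LABEL + b"\x01\x01"
    bad = b"zzzz" + b"\x00\x10" + b"z" + JFIF_LABEL[1:] + b"\x01\x01"
    return (pad(b"Meeting notes: the fifth prototype frame ships Friday.")
            + pad(good) + pad(bad) + pad(b""))


if __name__ == "__main__":
    image = build_image()
    for hit in keyword_search(image):
        sec = image[hit["sector"] * SECTOR:(hit["sector"] + 1) * SECTOR]
        verdict = classify(sec)
        print("sector %d offset %d: %s" % (hit["sector"], hit["offset"], verdict))
        if verdict == "altered JFIF header":
            fixed, log = repair(sec, JFIF_PATCHES)
            print("\n".join("  " + line for line in log))
            print("  repaired data identifies as: %s" % identify(fixed))
            # open("Fixed1.jpg", "xb").write(fixed)   # "xb" refuses to overwrite
```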