Introduction
Computer forensics recovers evidence residing on a computer as a means of solving pornography cases (Garfinkel, 2010; Pal and Memon, 2003; Karresand and Shahmehri, 2008). Such cases involve image files obtained from the perpetrator in formats such as Bitmap and JPEG, of which JPEG is the most common. JPEG is popular because its compression reduces the space required to store an image. The Joint Photographic Experts Group (JPEG) was formed by the International Telegraph and Telephone Consultative Committee in 1986, inspired by an effort of the International Organization for Standardization (ISO) to find ways to use high-resolution graphics and pictures in computers (Cohen, 2007). JPEG introduced a compression standard for both grayscale and color continuous-tone images. The details of the JPEG compressed data formats can be found in (CCITT, 1992). Two types of JPEG are mostly used today: JPEG File Interchange Format (JFIF) and JPEG Exchangeable Image File Format (Exif) (Bettelli, 2006). JFIF is popular for internet files, while Exif is the popular image file format for digital cameras (Alvarez, 2004).
A file on a target disk, including a JPEG file, can be in one of two states: contiguous or fragmented. Although files are contiguous most of the time, fragmentation does occur under certain conditions, as described in (Garfinkel, 2007; Sencar and Memon, 2009). The conditions are as follows:
1. No run of contiguous sectors is available to hold the whole file.
2. Data appended to a file cannot be placed at the end of the original file's cluster, so it is written non-contiguously to a cluster at another location.
3. Certain file systems do not support writing files of a certain size into contiguous sectors. For example, the Unix file system will fragment a file that does not fit into an even number of sectors.
Mohamad and Mat Deris (2009) pointed out the importance of focusing on the fragmentation problem, especially within the DHT (Define Huffman Table) area, because any damage in the DHT can cause image distortion or, worse, corruption. Nevertheless, image distortion can be used to identify the fragmentation point, unlike fragmentation in other areas, which leaves the image unviewable and is hard to trace.
A file can be fragmented with another file of the same type, a different type, or random data. Fragmentation can be either linear or nonlinear. According to Kloet (2007), linear fragmentation occurs when a file has been split into multiple parts and all parts are present in the dataset in their original order, while nonlinear fragmentation is when the parts are not in their original order or are in reverse order.
Joachim Metz, Bas Kloet and Robert-Jan Mora developed Revit07 to handle linearly fragmented files, including JPEG. However, it handles thumbnails the same way as the parent. As a result, a thumbnail may be assumed to be a fragmentation point, which may lead to false detection of fragmentation points. myKarve, on the other hand, identifies thumbnails separately but concentrates on Exif thumbnails, whose markers are distinct from those of the parent (the original JPEG file), while JFIF thumbnails are identified as the parent. Hence, additional markers are required to distinguish JFIF thumbnails from their parents. Besides that, neither Revit nor myKarve addresses scenarios where JPEG images are intertwined with each other. Revit does highlight a scenario where a JPEG image is intertwined with another complete JPEG image, but it fails to recover intertwined JPEG files when both files are fragmented. Therefore, a technique is required to identify the fragmentation points of these fragments before reconstructing them into two complete JPEG files.
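The thumbnail problem described above can be shown with a short sketch. This is an added illustration, not code from Revit07, myKarve or X_myKarve: it assumes the thumbnail is a JPEG stream embedded in an APPn segment of the parent, and all function names and the sample bytes are constructed for the example.

```python
import struct
from contextlib import suppress

SOS, DHT, APP1 = 0xDA, 0xC4, 0xE1

def seg(marker, payload=b""):
    """Build FF <marker> <2-byte big-endian length, counting itself> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def naive_soi_offsets(buf):
    """Every FF D8 in the buffer, as a plain signature scan reports them."""
    return [i for i in range(len(buf) - 1) if buf[i:i + 2] == b"\xff\xd8"]

def walk_header(buf, start):
    """Follow marker segments from the SOI at `start` through SOS; return
    (segments, thumbnail_offsets). ValueError marks where the chain breaks."""
    if buf[start:start + 2] != b"\xff\xd8":
        raise ValueError(f"no SOI at offset {start}")
    pos, segments, thumbs = start + 2, [], []
    while True:
        if pos + 4 > len(buf) or buf[pos] != 0xFF:
            raise ValueError(f"marker chain breaks at offset {pos}")
        marker, length = struct.unpack(">xBH", buf[pos:pos + 4])
        if length < 2 or pos + 2 + length > len(buf):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, pos, length))
        if 0xE0 <= marker <= 0xEF:              # APPn may embed a thumbnail
            t = buf.find(b"\xff\xd8", pos + 4, pos + 2 + length)
            if t != -1:
                thumbs.append(t)
        if marker == SOS:
            return segments, thumbs
        pos += 2 + length

def parent_soi_offsets(buf):
    """SOI hits that are not thumbnails inside an earlier header's APPn segment."""
    embedded, parents = set(), []
    for off in naive_soi_offsets(buf):
        if off in embedded:
            continue
        parents.append(off)
        with suppress(ValueError):              # damaged header: keep as candidate
            embedded.update(walk_header(buf, off)[1])
    return parents

# Constructed sample (not a decodable image): filler, then a parent whose APP1
# segment embeds a thumbnail, followed by DHT, SOS, entropy data and EOI.
THUMB = b"\xff\xd8" + seg(DHT, bytes(17)) + b"\xff\xd9"
SAMPLE = (bytes(16) + b"\xff\xd8" + seg(APP1, b"Exif\x00\x00" + bytes(8) + THUMB)
          + seg(DHT, bytes(17)) + seg(SOS, bytes(10)) + b"\x12\x34\x56\xff\xd9")
```

If foreign bytes are spliced in ahead of the parent's DHT segment (offset 61 in the sample), `walk_header` raises at that offset instead of returning, which gives a candidate fragmentation point.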
In this article, taking thumbnails into consideration, we propose a new tool, X_myKarve, that carves more JPEG files by allowing for linearly fragmented JPEG files. Experiments using datasets from DFRWS 2006 (DFRWS) show that X_myKarve is capable of carving more JPEG files than Revit and myKarve.
The rest of the paper is organized as follows. Section 2 describes the X_myKarve carving system, Section 3 describes the test sets used, Section 4 discusses the results, and Section 5 concludes the paper.