Towards facilitating reliable recovery of JPEG pictures? P. De Smet

Similar documents
A block based storage model for remote online backups in a trust no one environment

RECOVERING FROM SHAMOON

The Evolution of File Carving [The benefits and problems of forensics recovery]

A Records Recovery Method for InnoDB Tables Based on Reconstructed Table Definition Files

Welcome to new students seminar!! Security is a people problem. forensic proof.com JK Kim

NTFS Undelete User Manual

Payroll Based Journal (PBJ) Frequently Asked Questions (FAQ)

Deleted File Recovery Tool Testing Results

FORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres

Mobile memory dumps, MSAB and MPE+ Data collection Information recovery Analysis and interpretation of results

Q. If I purchase a product activation key on-line, how long will it take to be sent to me?

Lecture 5: GFS & HDFS! Claudia Hauff (Web Information Systems)! ti2736b-ewi@tudelft.nl

Introduction to File Carving

Recover My Files v Test Results for Video File Carving Tool

BookKeeper overview. Table of contents

THE ARCHIVAL SECTOR IN DW2.0 By W H Inmon

Google File System. Web and scalability

File System & Device Drive. Overview of Mass Storage Structure. Moving head Disk Mechanism. HDD Pictures 11/13/2014. CS341: Operating System

High-Performance SSD-Based RAID Storage. Madhukar Gunjan Chakhaiyar Product Test Architect

Guideline for stresstest Page 1 of 6. Stress test

File System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1

Alternatives to Big Backup

Data Integrity by Aes Algorithm ISSN

Computer Forensics. Securing and Analysing Digital Information

DO NOT ASSUME THAT THE BACKUP IS CORRECT. MAKE SURE IT IS.

COMPUTER FORENSICS. DAVORY: : DATA RECOVERY

File Recovery: Find Files You Thought Were Lost F 2/1. Clever Tricks to Recover Deleted Files Even if They ve Been Emptied from the Recycle Bin!

RecoverIt Frequently Asked Questions

WHITE PAPER USING ONLINE BACKUP AS A GATEWAY TO CLOUD SERVICES

Using the HFSD journal for deleted file recovery

The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines & Best-Practices

VIPERVAULT STORAGECRAFT SHADOWPROTECT SETUP GUIDE

Kroll Ontrack Data Recovery. Oracle Data Loss: When the best of plans fail

Nuix Forensic Focus 2014 Webinar Accelerating investigations using advanced ediscovery techniques 6 th March 2014

SOLUTION GUIDE AND BEST PRACTICES

Ahsay Online Backup. Whitepaper Data Security

Secret Sharing based on XOR for Efficient Data Recovery in Cloud

Retrieving Internet chat history with the same ease as a squirrel cracks nuts

Certificate Management in Environments with Multiple HP Software Products

VANGUARD ONLINE BACKUP

COMPUTER FORENSICS (EFFECTIVE ) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE CATE STUDENT REPORTING PROCEDURES MANUAL)

Ans.: You can find your activation key for a Recover My Files by logging on to your account.

A Comparison of Client and Enterprise SSD Data Path Protection

Data Superhero Online Backup Whitepaper Data Security

User Guide. Active Online Backup - Secure, automatic protection

COSC 6374 Parallel Computation. Parallel I/O (I) I/O basics. Concept of a clusters

Data Deduplication in Tivoli Storage Manager. Andrzej Bugowski Spała

Computer Forensics as an Integral Component of the Information Security Enterprise

Understanding Disk Storage in Tivoli Storage Manager

Statistical Modeling of Huffman Tables Coding

Backup Software Data Deduplication: What you need to know. Presented by W. Curtis Preston Executive Editor & Independent Backup Expert

AN10860_1. Contact information. NXP Semiconductors. LPC313x NAND flash data and bad block management

<Insert Picture Here>

Measurement Study of Wuala, a Distributed Social Storage Service

FAWN - a Fast Array of Wimpy Nodes

Chapter 12 File Management. Roadmap

Chapter 12 File Management

Hands-On How-To Computer Forensics Training

Introduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014

HiDrive Intelligent online storage for private and business users.

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Lab V: File Recovery: Data Layer Revisited

Computer Forensic Capabilities

Technical Note. Dell PowerVault Solutions for Microsoft SQL Server 2005 Always On Technologies. Abstract

Distributed Backup And Disaster Recovery for AFS. A work in progress Steve Simmons Dan Hyde scs@umich.edu drh@umich.edu University of Michigan

Cloud Storage Backup for Storage as a Service with AT&T

Practical Data Integrity Protection in Network-Coded Cloud Storage

WHITE PAPER Achieving Continuous Data Protection with a Recycle Bin for File Servers. by Dan Sullivan. Think Faster. Visit us at Condusiv.

EMC CLOUDARRAY PRODUCT DESCRIPTION GUIDE

Firebird database recovery: tools and techniques

Availability Digest. Data Deduplication February 2011

Storage Architecture in XProtect Corporate

Data recovery Data management Electronic Evidence

New Technologies File System (NTFS) Priscilla Oppenheimer. Copyright 2008 Priscilla Oppenheimer

EnCase 7 - Basic + Intermediate Topics

Physical Data Organization

Nasir Memon Polytechnic Institute of NYU

CA ARCserve Replication and High Availability Deployment Options for Hyper-V

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Clearswift SECURE File Gateway

Introducing Graves IT Solutions Online Backup System

Data Deduplication and Tivoli Storage Manager

Windows clustering glossary

WDL RemoteBunker Online Backup For Client Name

Load Balancing in Fault Tolerant Video Server

Abstract. Introduction. Section I. What is Denial of Service Attack?

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Recovering and Analyzing Deleted Registry Files

1.5 Million Log Lines per Second Building and maintaining Flume flows at Conversant

Digital Evidence Search Kit

Transcription:

Towards facilitating reliable recovery of JPEG pictures? P. De Smet (edited for public release) patrick.desmet@just.fgov.be http://nicc.fgov.be/datarecovery/

Introduction & disclaimer Aim of this talk: discuss simple possibilities which may have a major impact on data recovery This talk is not only about law enforcement but it s also about consumers, society: digital heritage/preservation, you: What to do when you (accidentally) damage/erase your HDD/SD/USBstick/? We have limited knowledge about JPEG (beyond ISO/IEC 10918); so maybe solutions are trivial? broken hard drive illustration removed (public version) deep-fried smartphone illustration removed (public version)

Introduction Forensic data recovery: recover and/or verify information from damaged devices, file systems, or data files. In this presentation focus only on: software based data recovery using a proper forensic copy or "data dump" D, obtained for a given electronic device We focus on non-allocated data; i.e., if you have an active file system the first step is reading those files

Introduction: file fragmentation File systems typically try to recycle storage space, so files may be split into multiple fragments that can written anywhere when some free space has been located File system meta-data/"table of contents" File mytext.txt 2, 3, 5 Lena.jpg 4, 6, 7 Address in storage space Both files are fragmented, i.e., they are not stored as sequential/linear blobs 1 2 3 bla bla bla bla and 4 5 6 7 8 and also some so on, etc. etc.

Introduction -Types of Recovery Complete file carving: single fragment (SF) multi-fragment (MF) Embedded files: SF, MF, partially re-encoded (e.g., JPEG in zip) Incomplete files: SF and MF "Trace evidence" : triage and examination of remnant data: JPEG or not JPEG? 5

Importance of JPEG Big data requires triage JPEG is everywhere (Recovery of) a picture is worth 1000 man hours of work (what if someone took a snapshot of a criminal stabbing one of your family members?) Getting one format right will help recovery of all others E.g. multi-fragment files may require exhaustive search for missing fragments E.g. simple header footer carver may destroy (many) other files Big data joke: illustration removed (public version) 6

JPGcarve vs. APF (C) IEEE TIFS 2015 http://dx.doi.org/10.1109/tifs.2015.2475238 7

JPGcarve Search for JPEG headers in data dump D Recover all single fragment files (header-footer carving and libjpeg(turbo) based file validation) For all remaining JPEG headers: Use search space S =D {SF files} Eliminate clusters in S based on: JPEG markers, areas that have not been properly byte stuffed, entropy Find end positions of fragment, try matching end to new data, i.e., all remaining clusters (again using libjpeg(turbo) decoding: very slooooow)

NICC/INCC; publication pending State-of-the-Art (?)... Complete files: single fragment (SF) multi-fragment (MF) Incomplete files: SF MF Embedded files: SF MF re-encoding + + +?? + +-? +-? +- - - -- -/? -- -- -- --- --- + +? - -- +- +-? - -- -- --? -- -- "Trace evidence" +- -- -- -- --- 9

So Please ignore any issues related to bit stream error detection/correction (please don t, but: ) Consider file system fragmentation: a file can be split at any point, into one or multiple fragments: Do we have reliable statistics? Yes, some in literature (HDDs), but what about SSDs, any wear-aware device?! statistics are irrelevant (for HDDs, traditional sector API devices): depends on usage: backup media (linear blobs) vs. smartphone (shoot, delete, shoot, download, ) And: these fragments can be (partially) overwritten, or corrupt (e.g., due to hardware repair issues)

Conclusion Please consider investigating any technical possibilities enabling (faster) JPEG file recovery, including: IDing JPEG remnants: within data dump IDing JPEG remnants: as being parts of the same or a similar file regrouping and matching JPEG remnants to reconstruct files robustness against loss of meta-data and/or any part of the data (certain fragments).? 11

Random crazy/stupid solutions? Hurray for JPEG byte stuffing and markers! Recovery facilitating ID of any (sub)fragments (JPEG will be box based?); i.e., how to include/exclude (encrypted?) data in the recovery search space? Bulk of pixel data: additional integrity checks could be used to verify if chunks of data clusters belong together? (fragmentation/error detection without decoding) A ToC could be used to group chunks/fragments together, at correct offsets? Main point:?, if interested: let us discuss this 12

References J. De Bock, P. De Smet, JPGcarve: an Advanced Tool for Automated Recovery of Fragmented JPEG Files, IEEE TIFS, to appear Nov./Dec.2015, http://dx.doi.org/10.1109/tifs.2015.2475238 http://nicc.fgov.be/datarecovery/ E. Uzun, H. T. Sencar, Carving Orphaned JPEG File Fragments, IEEE TIFS, vol. 10, no. 8, 2015 B. Kloet, Measuring and Improving the Quality of File Carving Methods, MSc Thesis, Eindhoven University, Oct. 2007 L. Huang, M. Xu, H. Zhang, J. Xu, N. Zheng, A Method of Approximately Reconstructing JPEG Quantization Table via Saturated Overflow, IEEE ICCSIT2011, China. D. Salamani, Header construction for carved JPEG fragments, EAFS2015. A. Pal, N. Memon, The Evolution of File Carving, IEEE SPM, March2009. H. Sencar, M. Memon, Identification and recovery of JPEG files with missing fragment, Digital Investigation, 2009. etc. (full reference list available upon request) 13

Thank you! Q&A Please join us in further collaboration regarding this and related topics: patrick.desmet@just.fgov.be / nicc-din@just.fgov.be 14