LiU Electronic Press
Download:
File size:
9452 kb
Format:
application/pdf
Author:
Karresand, Martin (Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems) (Linköping University, The Institute of Technology)
Title:
Completing the Picture: Fragments and Back Again
Department:
Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems
Linköping University, The Institute of Technology
Publication type:
Licentiate thesis, monograph (Other academic)
Language:
English
Publisher: Institutionen för datavetenskap
Pages:
111
Series:
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971; 1361
Year of publ.:
2008
URI:
urn:nbn:se:liu:diva-11752
Permanent link:
http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-11752
ISBN:
978-91-7393-915-7
Subject category:
Computer Science
SVEP category:
Computer science
Keywords(en) :
Computer security, computer forensics, digital forensics, file carving, data recovery, fragment reassembly, file type categorisation
Abstract(en) :

Better methods and tools are needed in the fight against child pornography. This thesis presents a method for file type categorisation of unknown data fragments, a method for reassembly of JPEG fragments, and the requirements put on an artificial JPEG header for viewing reassembled images. To enable empirical evaluation of the methods a number of tools based on the methods have been implemented.

The file type categorisation method identifies JPEG fragments with a detection rate of 100% and a false positives rate of 0.1%. The method uses three algorithms, Byte Frequency Distribution (BFD), Rate of Change (RoC), and 2-grams. The algorithms are designed for different situations, depending on the requirements at hand.

The reconnection method correctly reconnects 97% of a Restart (RST) marker enabled JPEG image, fragmented into 4 KiB large pieces. When dealing with fragments from several images at once, the method is able to correctly connect 70% of the fragments at the first iteration.

Two parameters in a JPEG header are crucial to the quality of the image; the size of the image and the sampling factor (actually factors) of the image. The size can be found using brute force and the sampling factors only take on three different values. Hence it is possible to use an artificial JPEG header to view full of parts of an image. The only requirement is that the fragments contain RST markers.

The results of the evaluations of the methods show that it is possible to find, reassemble, and view JPEG image fragments with high certainty.

Presentation:
2008-05-20, Visionen, Hus B, Campus Valla, Linköpings universitet, Linköping, 10:15 (English)
Supervisor:
Shahmehri, Nahid (Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems) (Linköping University, The Institute of Technology)
Opponent:
Franke, Katrin Y., Professor (Norwegian Information Security Laboratory (NISlab), Department of Computer Science and Media Technology, Gjøvik University College, Norway)
Available from:
2008-05-07
Created:
2008-05-07
Last updated:
2009-05-05
Statistics:
611 hits
FILE INFORMATION
File size:
9452 kb
Mimetype:
application/pdf
Type:
fulltext
Statistics:
1299 hits
File size:
59 kb
Mimetype:
application/pdf
Type:
cover
Statistics:
54 hits