liu.seSearch for publications in DiVA
Change search
ReferencesLink to record
Permanent link

Direct link
Completing the Picture: Fragments and Back Again
Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
2008 (English)Licentiate thesis, monograph (Other academic)
Abstract [en]

Better methods and tools are needed in the fight against child pornography. This thesis presents a method for file type categorisation of unknown data fragments, a method for reassembly of JPEG fragments, and the requirements put on an artificial JPEG header for viewing reassembled images. To enable empirical evaluation of the methods a number of tools based on the methods have been implemented.

The file type categorisation method identifies JPEG fragments with a detection rate of 100% and a false positives rate of 0.1%. The method uses three algorithms, Byte Frequency Distribution (BFD), Rate of Change (RoC), and 2-grams. The algorithms are designed for different situations, depending on the requirements at hand.

The reconnection method correctly reconnects 97% of a Restart (RST) marker enabled JPEG image, fragmented into 4 KiB large pieces. When dealing with fragments from several images at once, the method is able to correctly connect 70% of the fragments at the first iteration.

Two parameters in a JPEG header are crucial to the quality of the image; the size of the image and the sampling factor (actually factors) of the image. The size can be found using brute force and the sampling factors only take on three different values. Hence it is possible to use an artificial JPEG header to view full of parts of an image. The only requirement is that the fragments contain RST markers.

The results of the evaluations of the methods show that it is possible to find, reassemble, and view JPEG image fragments with high certainty.

Place, publisher, year, edition, pages
Institutionen för datavetenskap , 2008. , 111 p.
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971 ; 1361
Keyword [en]
Computer security, computer forensics, digital forensics, file carving, data recovery, fragment reassembly, file type categorisation
National Category
Computer Science
URN: urn:nbn:se:liu:diva-11752ISBN: 978-91-7393-915-7 (print)OAI: diva2:18186
2008-05-20, Visionen, Hus B, Campus Valla, Linköpings universitet, Linköping, 10:15 (English)
Available from: 2008-05-07 Created: 2008-05-07 Last updated: 2009-05-05

Open Access in DiVA

cover(59 kB)81 downloads
File information
File name COVER01.pdfFile size 59 kBChecksum MD5
Type coverMimetype application/pdf
fulltext(9452 kB)1679 downloads
File information
File name FULLTEXT01.pdfFile size 9452 kBChecksum MD5
Type fulltextMimetype application/pdf

Search in DiVA

By author/editor
Karresand, Martin
By organisation
IISLAB - Laboratory for Intelligent Information SystemsThe Institute of Technology
Computer Science

Search outside of DiVA

GoogleGoogle Scholar
Total: 1679 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 970 hits
ReferencesLink to record
Permanent link

Direct link