You are currently viewing a new version of our website. To view the old version click .
MDPIMDPI
Search all articles
Electronics
Download PDF
  • Article
  • Open Access

3 May 2022

Error Level Analysis Technique for Identifying JPEG Block Unique Signature for Digital Forensic Analysis

,
,
and
1
School of Computing, Faculty of Engineering, Universiti Teknologi Malaysia (UTM), Skudai 81310, Malaysia
2
Department of Computing & Applied Technology, College of Technological Innovation, Zayed University, Abu Dhabi P.O. Box 144534, United Arab Emirates
3
Department of Computer Science (DIDA), Blekinge Institute of Technology, 37179 Karlskrona, Sweden
*
Author to whom correspondence should be addressed.
Electronics2022, 11(9), 1468;https://doi.org/10.3390/electronics11091468
This article belongs to the Special Issue Deep Learning Cognitive Computing Techniques and Their Application in Cybersecurity and Forensics
Version Notes
Order Reprints

Abstract

The popularity of unique image compression features of image files opens an interesting research analysis process, given that several digital forensics cases are related to diverse file types. Of interest has been fragmented file carving and recovery which forms a major aspect of digital forensics research on JPEG files. Whilst there exist several challenges, this paper focuses on the challenge of determining the co-existence of JPEG fragments within various file fragment types. Existing works have exhibited a high false-positive rate, therefore rendering the need for manual validation. This study develops a technique that can identify the unique signature of JPEG 8 × 8 blocks using the Error Level Analysis technique, implemented in MATLAB. The experimental result that was conducted with 21 images of JFIF format with 1008 blocks shows the efficacy of the proposed technique. Specifically, the initial results from the experiment show that JPEG 8 × 8 blocks have unique characteristics which can be leveraged for digital forensics. An investigator could, therefore, search for the unique characteristics to identify a JPEG fragment during a digital investigation process.

1. Introduction

The field of Digital Forensics (DF) has faced a lot of growth in the recent past because of increased digital crimes and diverse forensic analysis strategies that have attempted to uncover events (usually posthumously) that occur in digital media. This can only be achieved through the use of scientifically verifiable methodologies [1,2,3,4]. Discounting that, diverse attention has been shifted to digital forensic analysis, which is a growing body of research that has an intent of not only understanding the threats to digital media [5] but also to provide mitigation strategies. Furthermore, research in multimedia forensics, which is a branch of digital forensics, presents a comprehensive study of the facets of multimedia and data from an investigation perspective. In essence, multimedia forensics utilizes scientific methods that aid in the extraction of media-related facts from digital devices [6] that can be used in forensic hypothesis formation for purposes of litigation. Joint Photographic Expert Group (JPEG) is a file format that can be considered to be the most adopted multimedia data due to its compression capabilities and its possibility of being commercialized. The JPEG compression level can further be termed as the quality of the image, which is theoretically device-specific and unique for each JPEG file since different devices may produce different image quality. More specifically, the JPEG format permits the customization (manipulation) of the image quality in different instances.
The process of recovering potential digital evidence and conducting forensic analysis from media-related devices is often considered the principal focus of multimedia forensics [7,8,9,10]. Before the analysis is conducted, images need to be extracted from the storage devices. Basically, in this context, analysis is a step towards justifying how a potential incident could have happened. This allows one to give a detailed description of each context, including links and relationships, and explanations [11,12,13,14,15]. Precisely, this helps to build strong arguments for multimedia forensics given that files can be deleted by suspects. In some specific situations, it may force files to be fragmented [16], where a special technique is often required to recover such media evidence, JPEG for instance. Generally, two available methods considered in the recovery process include file recovery and file carving. The traditional approach of file recovery works based on the information provided by the file system, while file carving works using the internal structure of the file to be recovered [17]. In such cases, a priori knowledge of the file type is usually known either through the file signature, header information, or other metadata on the media. These methods are contingent on the assumption that the file structure is contiguously stored in the allotted disk space. However, such an assumption does not always hold for JPEG files, as it permits fragmentation and a lossy compression process.
Therefore, it is challenging to deal with fragmented files in contrast to contiguous files stored in disk blocks [18]. Thus, a digital forensic technique of file carving is used to “carve” (copy) [19] bytes of data from the disk image, regardless of the type of file system. Existing studies have mainly focused on developing and enhancing an automated carver while some are focused on separating the process using a SmartCarver [20]. With an automated carver, the carving process is conducted directly through raw disk images by applying traditional carving which analyzes the JPEG header, footer, and some relevant markers. An example of the JPEG marker that is mainly used in carving includes the application-specific APP data marker, which is also referred to as thumbnail image/s [21,22,23,24]. The data or blocks between fragments that possess such characteristics will then be examined. Moreover, the main issue arises when non-JPEG blocks are decoded as JPEG fragments, which can be seen among the earliest carving approach called Bifragment Gap Carving (BGC) [18]. A Sequential Hypotheses Testing [25] is further proposed to enhance BGC by detecting fragmentation points. However, forward and reverse testing is needed if the carving result is found inconclusive. To avoid false identification of JPEG fragments, existing automated carving processes would specifically include a JPEG validator that is capable of minimizing the rate of false-positive carvings. Generally, a libjpeg decoder is used to validate the JPEG file, which further requires manual validation [18,23,26,27,28,29].
Nonetheless, the SmartCarver technique has proven to overcome the challenges of fragmented files by separating the carving process with three major steps: Pre-processing, collating, and reassembling. Existing works based on the second step of the SmartCarver technique (collation), perform poorly in accurately identifying compressed JPEG fragments, which also affects the fragmentation reassembly process. In a collation step, all unknown fragments are examined as to whether they can classify JPEG fragments. Therefore, a group of JPEG fragments (can be more than one JPEG file) can be prepared for further reassembling process. This can be performed using file fragment classification, to identify the known and unknown data fragments. Three categories of classification have been summarized for JPEG fragments classification: The signature-based approach, statistical approach, and Artificial Intelligence (AI) approach [30]. While the signature-based approach is based on a JPEG header, footer, and markers, a statistical approach is based on entropy information and byte frequency analysis. The results of JPEG classification are largely unsuccessful through the use of an AI approach, as different approaches use different datasets for training and testing. The existing classification of common file types has shown a high degree of accuracy, however, inconsistent whenever fragments contain compressed data [31]. A false-positive rate of 86% was observed when JPEG fragments are classified among 10 different file types [32], while a 96.8% rate was observed within 23 file types [33]. A study in [16] asserts that a detailed study and the analysis of a JPEG internal file structure could help in reducing the false-positive rate. To address the low accuracy rate of JPEG fragment identification, and the high false-positive rate, the current study thus attempts to define an alternative method for the identification of JPEG fragments by applying the error level analysis to highlight the unique signature of JPEG 8 × 8 blocks. Thus, the scope of this study is limited to an approach that attempts to provide a baseline for accurate identification and detection, in line with the assertions from [16,18]. In attempting to accurately carve a JPEG file among a series of compressed JPEG files, a forensic examiner could consider the approach presented in this study as a step towards a reliable carving process. In this regard, this is the first study, to the knowledge of the authors, that provides a reliable basis for the identification of compressed JPEG file fragm3ents using an inherent marker that is capable of further revealing JPEG file modification.
The remainder of the paper is organized as follows: background and related works are discussed in Section 2 while the proposed error level analysis technique for identifying JPEG block unique signature for purposes of forensic analysis is discussed in Section 3. Thereafter, results and discussions are discussed in Section 4 with a conclusion and a mention of future work given in Section 5.

3. Proposed Algorithm

The proposed algorithm is inspired by techniques used in detecting image manipulation. ELA works by resaving JPEGs with a particular compression level, while analysis is performed by observing the rate of ELA change relative to the resave count. The flowchart of the algorithm adopted for this study is further shown in Figure 3.
Figure 3. Flow of proposed method.
An ELA in the image forensics area makes use of JPEG pixels to observe the error level. Whereas in the proposed method, an uncompressed version of a JPEG in the format of a Bitmap image is used to examine the error level. As shown in Figure 3, we observed three phases of the ELA error rate (three repetitions in a flow chart), which depicts the number of times the JPEG file is resaved as shown in Figure 4. For every resaved JPEG, the error is calculated by examining the differences (DIFF) between the original image and the uncompressed image. To further simplify the results, error analysis based on average calculation is computed. The JPEG signature of 8 × 8 blocks is finalized based on graph representation. The summary of the three repetitions in the flow chart (in Figure 3) is further illustrated in Figure 4.
Figure 4. Simplified algorithm of ELA calculation.

4. Results and Discussions

An experiment was conducted using 21 JPEG files of JFIF format, each comprised of 48, 8 × 8 blocks: a total of 1008 blocks. The original images are resized for the sake of seeking the initial results of the experiment. All images are from a personal collection to confirm there is no modification of the images. Otherwise, ELA will not work. The resizing of images and compression–decompression are performed using Adobe Photoshop. Using Adobe Photoshop, 75% of JPEG resaving, and 95% of the compression level were performed. The observation and analysis showed that different tools give different rounding errors of decompression results and Adobe Photoshop produces the best results. The ELA error rates were then calculated using Matlab R2013a. Observations were then carried out based on a graph creation process by using an ELA of 95%. For each run, the average difference for each 8 × 8 JPEG block was observed. The blocks were set up as shown in Table 2. The JPEGs were resized to 64 × 48 pixels. The setup position was only for experiment references, not a JPEG baseline sequence.
Table 2. JPEG block location setup for experiment.
The ELA calculation was performed for three runs and was obtained based on the following steps:
1 . I A 0 ( i , j ) I B 1 ( i , j ) = E L A 1 2 . I A 1 ( i , j ) I B 2 ( i , j ) = E L A 2 3 . I A 2 ( i , j ) I B 3 ( i , j ) = E L A 3
By assuming the JPEG file (in this case is I A 0 ) is stored in a disk is using 75% compression quality-based JPEG DHT metadata, this image is recompressed using 95% quality (in this case it is I B 1 ) and the difference of both files is declared as ELA₁. In the second step, I A 0 is further resaved by using the same compression level which is 75%, recompressed with 95% quality, and then E L A 2 is computed. Finally, E L A 3 is computed based on the difference of the I A 1 ( i , j ) resaved and 95% recompression. The result of the ELA of the 21 JPEG files is shown in Table 3. The values of ELA₁, ELA₂, and ELA₃ refer to the re-compression of the first, second, and third respectively.
Table 3. ELA for all blocks of 21 JPEGs.
The highlighted sequences in Table 3 illustrate the component that belongs to the particular blocks that have changed in the ELA values for each file-resave process, with 18% of the total of 1008 blocks. However, the number of a particular block is not constant for each JPEG as different JPEGs consist of various pixel values and colors. The unchanged values depict a block that was not affected by the compression process. It was observed that the lower the quality of the image, the lesser the value of the ELA. For instance, a closer observation of Table 3 reveals that a reduction of value can be observed from 95% quality to 75% quality. This thus shows a linear relationship between the quality of the image and the corresponding ELA value. In some instances, the value of the corresponding ELA remains the same within the modified range (quality). However, the corresponding values are still greater than the unmodified ELA values. Furthermore, for some blocks of the image, the value of the ELA remains unchanged irrespective of the quality of modification. The graph in Figure 5 shows the pattern that occurred during the first re-compressed D I F F ( i , j ) , while Figure 6 depicts the pattern during the second re-compressed D I F F 2 ( i 2 , j 2 ) . Furthermore, Figure 7 shows the pattern of the third re-compressed D I F F ( i , j ) .
Figure 5. ELA for images of first resaved.
Figure 6. ELA for images of second resaved.
Figure 7. ELA for images of third resaved.
From the observation in Figure 5, Figure 6 and Figure 7, for each re-compression cycle, the value of ELA is below 4. However, the scatter plot further shows that the ELA values for most of the images range between 0 and 3. On further examination of the scatter plots, values above 3 were generated from images img4, img13, img14, and img15, respectively. To fully examine the probable cause of these outliers, further evaluation of the range of ELA values for those four images was carried out, by modifying the quality of JPEG re-savings. This process involves decreasing the quality value of the image during resaving, 70% of compression quality in this case. ELA calculation is then carried out for the three runs, and a slight modification to the steps is as follows:
1 . I A 1 ( i , j ) I B 2 ( i , j ) = E L A 1 2 . I A 2 ( i , j ) I B 3 ( i , j ) = E L A 2   3 . I A 3 ( i , j ) I B 4 ( i , j ) = E L A 3
In the previous steps, I A 0 originally stored in a disk with 75% quality compression quality is re-compressed with 95% quality to observe ELA of 95% quality. Compared to the above-stated steps, I A 0 of 75% quality compression quality in a disk is resaved again with 70% quality to obtain I A 1 . I A 1 is then re-compressed with 95% quality to produce E L A 1 . In the second step, the I A 1 is resaved with 70% quality to reach I A 2 . I A 2 is then re-compressed with 95% quality to produce E L A 2 . The same step is repeated for the third step. The result of this process is shown in Table 4.
Table 4. ELA for images img4, img13, img14 and img15.
Similar patterns were observed between Table 3 and Table 4. However, a scatter plot of the combined images (by applying the modified process to all the images), shown in Figure 8, Figure 9, and Figure 10 respectively, deviates from the observed pattern in Figure 5, Figure 6 and Figure 7. Whilst the ELA threshold for the first sets of the re-saved processes (as presented in the expression in Equation (2)) had values greater than 3, the current process (as presented in the expression in Equation (3)) generates values that are below ELA of 3.
Figure 8. ELA for images of first resaved.
Figure 9. ELA for images of second resaved.
Figure 10. ELA for images of third resaved.
Therefore, in each resaved phase (first, second and third resaved) associated with each JPEG, it was observed, as shown in Figure 8, Figure 9 and Figure 10, that the ELA values are below 3.0. A closer examination of each block of each image shows that there is a small change whenever images are resaved three times. In image forensics, this is where ELA can be used to detect whether images are modified or not. There will be a significant degree of changes if images have been modified for some purpose. Furthermore, to ascertain if a given JPEG file has been modified, a forensic investigator can compare the ELA of the given JPEG file to the original image. Further study will, however, adapt this benefit towards developing a novel carving algorithm that can be utilized for the subsequent stages of JPEG image-file forensic analysis. This process could be specifically useful for identifying modified images during the investigation. A forensic examiner equipped with this knowledge will be able to, in addition to other knowledge, identify falsified images even when the metadata and the image header seems to be correct. This approach, therefore, offers signature-based identification metrics which cannot be easily altered [45,46]. In a preliminary observation, the study has observed ELA values that are greater than 3, tested on non-JPEG file (PDF file) fragments with JPEG fragments.
Timely and effective forensic investigation is paramount in any setting and owing to the complexity and structure of the compressed JPEG files, the author emphasizes not only focusing on the fragments but also using the file fragments as a way of linking the potential crime to a suspect. While the authors admit that pre-processing these data may have some implications due to the error rate, our approach has significantly outlined that it could be useful when implemented for purposes of digital forensic analysis. This in many instances could find traces from JPEG files that could, in most cases, defeat anti-forensic techniques. While this study advocates that this approach could only exist in a reactive approach, we also opine to the need for incorporating some forensic readiness [47,48] mechanisms which could allow automated signature identification in a proactive approach. This is because an image forger usually exercises an objective of consistent alteration in a camouflaging manner to be undetectable and defeat forensic investigation tools. Further study would be needed to confirm this observation and provide reliable proof of JPEG identification. Notably, leveraging error level analysis to identify the unique signatures could also be applied in diverse forensic investigation mechanisms, for example, in an IoT environment during end-to-end communication, where data traveling as plaintext or data that are altered when a cryptosystem is broken, over the networks. Given that wireless sensor networks are more vulnerable to these kinds of attacks, applying forensic analysis in these environments would be ideal in extracting artifacts that can be used to create key forensic hypotheses [49,50,51]. This forensic hypothesis would duly follow an investigation cycle that is deemed scientific based on acceptable processes and standards for the artifacts to be admissible in case of a security incident.

5. Comparison with Existing Techniques

The experiment that has been conducted in this study was mainly focused on highlighting how the suggested ELA technique is leveraged in identifying JPEG block signatures for purpose of digital forensics. Section 4 highlighted systematic steps that showed that 21 images have been used to realize the exercise where unique characteristics have been identified. It is worth noting that this study mainly capitalized on the drawbacks of existing works that have exhibited a high false-positive rate, therefore rendering the need for manual validation. While this study develops a technique that can identify the unique signature of JPEG 8 × 8 blocks using the Error Level Analysis technique, the authors have noted or drawn comparison with existing works that closely match the proposed, as is shown in Table 5. Researchers in [52] have suggested an approach that utilizes ELA in image forensics; however, the authors note that that study was more generalized. Moreover, researchers in [53] use lossy compression using ELA; however, this has a limitation where the color drops below 256. In addition, other studies in [54,55,56,57] have identified photo forensics algorithms using ELA, ELA for semi-automatic wavelet soft-thresholding, forgery identification using forensic tools, and face-swap image exposure on deep learning based ELA with a number of limitations inclined towards weakness with the addition of noise, generalized study, and difficulty in identifying identification when deep learning training models are used.
Table 5. Comparison with other studies.
The advantage of the proposed approach in this paper is drawn based on the comparisons that have been highlighted from other studies as follows:
Alteration of images can significantly be reduced with a lower degree of false-positives where the features extracted from the images are subjected to ELA, and this can help to build a forensic hypothesis.
The experiment that has been conducted in this study has shown that this approach is effective.
Our approach has utilized a simple dataset which in the context of this study overcomes the intensive need for rigorous training while pointing out specific features, which from a digital forensic perspective may save an investigator time.
The experimental results that have been shown in Section 4 shows that the efficiency rate of identification of this approach can be improved if embedded with other techniques; however, this study has potentially been positioned as a build-up owing to the fact that it has put across a proof of concept based on the identified problem.

6. Future Directions

Research on image quality assessment can be significantly leveraged for multimedia forensics. Evaluation metrics, such as the peak-signal-to-noise ratio (PSNR), the structural similarity index measure (SSIM), root mean square error (RMSE), and the feature similarity indexing method (FSIM), can be used to evaluate as well as discriminate the structural content of an image. For instance, studies in [49,50,51] have observed that the SSIM is more sensitive to JPEG compression relative to the PSNR. The JPEG image compression process introduces distinguishable structural distortion which can be measured by these metrics. By using the absolute errors computation capability of the PSNR and RMSE, coupled with the perception and saliency-based errors provided by the SSIM and FSIM, future works will focus on exploiting these features in addition to the ELA for forensic analysis. Using these, a forensic investigator can examine the luminance, structural and contrast properties of a given image. Furthermore, the authors intend to validate the result of these metrics on a larger scale by identifying ELA, SSIM, FSIM, RMSE, and PSNR values for larger JPEG file sizes, with more blocks, which can precisely be used to identify JPEG fragments in the carving process. This output will then be used to develop an intelligent system for carving compressed JPEG files. This is currently a largely missing component for digital forensic examiners.

7. Conclusions

A multitude of digital forensic challenges show that there is still a lack of suitable techniques that can facilitate electronic discovery, especially for JPEG file formats. This creates the need of developing suitable techniques that can solve this perennial challenge. In this paper, we have introduced a new technique of identifying a unique JPEG block signature using error level analysis, which is a significant process during forensic analysis. This has been achieved by observing the stages of JPEG compression level and identifying JPEG 8 × 8 blocks based on ELA values that have a range of 0 to 3.0.

Author Contributions

Conceptualization, N.A.N.A., R.A.I., S.A.R. and V.R.K.; methodology, N.A.N.A. and R.A.I.; software, N.A.N.A., R.A.I., S.A.R. and V.R.K.; validation, N.A.N.A., R.A.I., S.A.R. and V.R.K.; formal analysis, N.A.N.A., R.A.I., S.A.R. and V.R.K.; investigation, N.A.N.A., R.A.I., S.A.R. and V.R.K.; resources, N.A.N.A., R.A.I. and S.A.R.; data curation, N.A.N.A., R.A.I. and S.A.R.; writing---original draft preparation, N.A.N.A., R.A.I. and S.A.R.; writing---review and editing, N.A.N.A., R.A.I. and S.A.R.; visualization, N.A.N.A., R.A.I. and S.A.R.; supervision, R.A.I. and S.A.R.; project administration, N.A.N.A., R.A.I. and S.A.R.; funding acquisition, V.R.K. All authors have read and agreed to the published version of the manuscript.

Funding

APC was funded by Blekinge Institute of Technology, BTH, Sweden.

Data Availability Statement

The dataset used in this study is available online here.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Adeyemi, I.R.; Razak, S.A.; Zainal, A.; Azhan, N.A.N. A Digital Forensic Investigation Model for Insider Misuse. In Advances in Computational Science, Engineering and Information Technology, AISC; Springer: Berlin/Heidelberg, Germany, 2013; Volume 225, pp. 293–305. [Google Scholar]
  2. Ikuesan, A.R.; Venter, H.S. Digital forensic readiness framework based on behavioral-biometrics for user attribution. In Proceedings of the 2017 IEEE Conference on Application, Information and Network Security (AINS), Miri, Malaysia, 13–14 November 2017; Volume 2018-Janua, pp. 54–59. [Google Scholar]
  3. Adeyemi, I.R.; Razak, S.A.; Salleh, M.; Venter, H.S. Leveraging human thinking style for user attribution in digital forensic process. Int. J. Adv. Sci. Eng. Inf. Technol. 2017, 7, 198–206. [Google Scholar]
  4. Mohlala, M.; Ikuesan, A.R.; Venter, H.S. User attribution based on keystroke dynamics in digital forensic readiness process. In Proceedings of the 2017 IEEE Conference on Application, Information and Network Security (AINS), Miri, Malaysia, 13–14 November 2017; Volume 2018-Janua, pp. 1–6. [Google Scholar]
  5. Adeyemi, I.R.; Razak, S.A.; Azhan, N.A.N. A Review of Current Research in Network Forensic Analysis. Int. J. Digit. Crime Forensics 2013, 5, 1–26. [Google Scholar] [CrossRef] [Green Version]
  6. Piva, A. An Overview on Image Forensics. ISRN Signal Process. 2013, 2013, 496701. [Google Scholar] [CrossRef]
  7. Yasinsac, A.; Erbacher, R.F.; Marks, D.G.; Pollitt, M.M.; Sommer, P.M. Computer forensics education. IEEE Secur. Priv. 2003, 1, 15–23. [Google Scholar] [CrossRef]
  8. Abdullah, M.T.; Mahmod, R.; Ghani, A.A.A.; Abdullah, M.Z.; Sultan, A.B.M. Advances in Computer Forensics. Int. J. Comput. Sci. Netw. Secur. 2008, 8, 215–219. [Google Scholar]
  9. Singh, A.; Ikuesan, A.R.; Venter, H.S. Digital Forensic Readiness Framework for Ransomware Investigation. In International Conference on Digital Forensics and Cyber Crime, Proceedings of the 10th International EAI Conference (ICDF2C 2018), New Orleans, LA, USA, 10–12 September 2018; Springer: Berlin/Heidelberg, Germany, 2018; Volume 259, p. 259. [Google Scholar]
  10. Makura, S.M.; Venter, H.S.; Ikuesan, R.A.; Kebande, V.R.; Karie, N.M. Proactive Forensics: Keystroke Logging from the Cloud as Potential Digital Evidence for Forensic Readiness Purposes. In Proceedings of the 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT 2020), Doha, Qatar, 2–5 February 2020; pp. 200–205. [Google Scholar]
  11. Kebande, V.R.; Ikuesan, R.A.; Karie, N.M.; Alawadi, S.; Choo, K.-K.R.; Al-Dhaqm, A. Quantifying the need for supervised machine learning in conducting live forensic analysis of emergent configurations (ECO) in IoT environments. Forensic Sci. Int. Rep. 2020, 2, 100122. [Google Scholar] [CrossRef]
  12. Kebande, V.R.; Karie, N.M.; Venter, H.S. Cloud-Centric Framework for isolating Big data as forensic evidence from IoT infrastructures. In Proceedings of the 2017 1st International Conference on Next Generation Computing Applications (NextComp), Mauritius, 19–21 July 2017; pp. 54–60. [Google Scholar]
  13. Karie, N.M.; Kebande, V.R.; Venter, H.S. Diverging deep learning cognitive computing techniques into cyber forensics. Forensic Sci. Int. Synerg. 2019, 1, 61–67. [Google Scholar] [CrossRef]
  14. Adeyemi, I.R.; Abd Razak, S.; Salleh, M. Understanding Online Behavior: Exploring the Probability of Online Personality Trait Using Supervised Machine-Learning Approach. Front. ICT 2016, 3, 8. [Google Scholar] [CrossRef] [Green Version]
  15. Kebande, V.R.; Karie, N.M.; Michael, A.; Malapane, S.; Kigwana, I.; Venter, H.S.; Wario, R.D. Towards an integrated digital forensic investigation framework for an IoT-based ecosystem. In Proceedings of the 2018 IEEE International Conference on Smart Internet of Things (SmartIoT), Xi’an, China, 17–19 August 2018; pp. 93–98. [Google Scholar]
  16. Simone, M.P. Data Carving Concepts; SANS Institute: Bethesda, MD, USA, 2009; p. 27. [Google Scholar]
  17. Beek, C. Introduction to File Carving; White Paper; McAfee Foundstone Professional Services: Mission Viejo, CA, USA, 2011. [Google Scholar]
  18. Garfinkel, S.L. Carving Contiguous and Fragmented Files with Fast Object Validation. Digit. Investig. 2007, 4, 2–12. [Google Scholar] [CrossRef]
  19. Richard III, G.G.; Roussev, V. Scalpel: A Frugal, High Performance File Carver. In Proceedings of the Digital Forensic Research Conference DFRWS 2005, New Orleans, LA, USA, 17–19 August 2005; pp. 1–10. [Google Scholar]
  20. Pal, A.; Memon, N. The Evolution of File Carving. IEEE Signal Process. Mag. 2009, 26, 59–71. [Google Scholar] [CrossRef]
  21. Deris, M.M.; Mohamad, K.M. Carving JPEG Images and Thumbnails Using Image Pattern Matching. In Proceedings of the 2011 IEEE Symposium on Computers & Informatics, Kuala Lumpur, Malaysia, 20–23 March 2011; pp. 78–83. [Google Scholar]
  22. Abdullah, N.A.; Ibrahim, R.; Mohamad, K.M. Carving Thumbnail/s and Embedded JPEG Files Using Image Pattern Matching. J. Softw. Eng. Appl. 2013, 6, 62–66. [Google Scholar] [CrossRef] [Green Version]
  23. Birmingham, B.; Farrugia, R.A.; Vella, M. Using Thumbnail Affinity for Fragmentation Point Detection of JPEG Files. In Proceedings of the IEEE EUROCON 2017—17th International Conference on Smart Technologies, Ohrid, Macedonia, 6–8 July 2017. [Google Scholar]
  24. Guo, H.; Xu, M. A Method for Recovering JPEG Files Based on Thumbnail. In Proceedings of the 2011 International Conference on Control, Automation and Systems Engineering (CASE), Singapore, 30–31 July 2011. [Google Scholar]
  25. Pal, A.; Sencar, H.T.; Memon, N. Detecting file fragmentation point using sequential hypothesis testing. Digit. Investig. 2008, 5, 2–13. [Google Scholar] [CrossRef]
  26. Cohen, M.I. Advanced JPEG carving. In Proceedings of the e-Forensics’08: 1st International ICST Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia, Adelaide, Australia, 21–23 January 2008; Volume 1, pp. 1–6. [Google Scholar]
  27. van den Bos, J.; van der Storm, T. Bringing Domain-Specific Languages to Digital Forensics. In Proceedings of the 2011 33rd International Conference on Software Engineering (ICSE), Honolulu, HI, USA, 21–28 May 2011. [Google Scholar]
  28. van den Bos, J.; van der Storm, T. Domain-Specific Optimization in Digital Forensics. In International Conference on Theory and Practice of Model Transformations, Proceedings of the 5th International Conference (ICMT 2012), Prague, Czech Republic, 28–29 May 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 121–136. [Google Scholar]
  29. De Bock, J.; De Smet, P. JPGcarve: An Advanced Tool for Automated Recovery of Fragmented JPEG Files. IEEE Trans. Inf. Forensics Secur. 2016, 11, 19–34. [Google Scholar] [CrossRef]
  30. Poisel, R.; Rybnicek, M.; Tjoa, S. Taxonomy of Data Fragment Classification Techniques. In International Conference on Digital Forensics and Cyber Crime, Proceedings of the Fifth International Conference (ICDF2C 2013), Moscow, Russia, 26–27 September 2013; Springer: Berlin/Heidelberg, Germany, 2014; pp. 67–85. [Google Scholar]
  31. Garfinkel, S.L. Digital forensics research: The next 10 years. Digit. Investig. 2010, 7, S64–S73. [Google Scholar] [CrossRef] [Green Version]
  32. Veenman, C.J. Statistical disk cluster classification for file carving. In Proceedings of the Third International Symposium on Information Assurance and Security, Manchester, UK, 29–31 August 2007; pp. 393–398. [Google Scholar]
  33. Fitzgerald, S.; Mathews, G.; Morris, C.; Zhulyn, O. Using NLP techniques for file fragment classification. Digit. Investig. 2012, 9, 44–49. [Google Scholar] [CrossRef]
  34. Alshammary, E.; Hadi, A. Reviewing and Evaluating Existing File Carving Techniques for JPEG Files. In Proceedings of the 2016 Cybersecurity and Cyberforensics Conference (CCC), Amman, Jordan, 2–4 August 2016; pp. 55–59. [Google Scholar]
  35. Warlock, Digital forensics: File Carving. InfoSec Publication. Available online: https://resources.infosecinstitute.com/topic/file-carving/ (accessed on 1 February 2022).
  36. Kadir, N.F.A.; Abd Razak, S.; Chizari, H. Identification of fragmented JPEG files in the absence of file systems. In Proceedings of the 2015 IEEE Conference on Open Systems (ICOS), Melaka, Malaysia, 24–26 August 2015; pp. 1–6. [Google Scholar]
  37. Gopal, S.; Yang, Y.; Salomatin, K.; Carbonell, J. Statistical Learning for File-Type Identification. In Proceedings of the 2011 10th International Conference on Machine Learning and Applications and Workshops, Honolulu, HI, USA, 18–21 December 2011. [Google Scholar]
  38. Ahmed, I.; Lhee, K.; Shin, H.; Hong, M. Fast Content-based File Type Identification. In International Conference on Digital Forensics, Proceedings of the 7th IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA, 31 January–2 February 2011; Springer: Berlin/Heidelberg, Germany; pp. 65–75.
  39. Roussev, V.; Garfinkel, S.L. File Fragment Classification-The Case for Specialized Approaches. In Proceedings of the 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, Berkeley, CA, USA, 21–21 May 2009; pp. 3–14. [Google Scholar]
  40. Shaban Al-Ani, M.; Awad, F.H. The Jpeg Image Compression Algorithm. Int. J. Adv. Eng. Technol. 2013, 6, 1055–1062. [Google Scholar]
  41. Alherbawi, N.; Shukur, Z.; Sulaiman, R. A Survey on Data Carving in Digital Forensics. Asian J. Inf. Technol. 2016, 15, 5137–5144. [Google Scholar]
  42. ChandraSekhar, C.; Ramesh, C. A Novel Compression Technique for JPEG Error Analysis and for Digital Image Applications. Int. J. Latest Trends Comput. 2012, 3, 84–89. [Google Scholar]
  43. Azhan, N.; Abd Razak, S.; Adeyemi, I.R. Analysis of DQT and DHT in JPEG Files. Int. J. Inf. Technol. Comput. Sci. (IJITCS) 2013, 10, 1–11. [Google Scholar]
  44. Krawetz, N. A Picture ’ s Worth… Version 2 Table of Contents. Solutions 2008, 1–43. [Google Scholar]
  45. Ikuesan, A.R.; Venter, H.S. Digital behavioral-fingerprint for user attribution in digital forensics: Are we there yet? Digit. Investig. 2019, 30, 73–89. [Google Scholar] [CrossRef]
  46. Ikuesan, A.R.; Salleh, M.; Venter, H.S.; Razak, S.A.; Furnell, S.M. A heuristics for HTTP traffic identification in measuring user dissimilarity. Hum.-Intell. Syst. Integr. 2020, 2, 17–28. [Google Scholar] [CrossRef]
  47. Kebande, V.R.; Venter, H.S. On digital forensic readiness in the cloud using a distributed agent-based solution: Issues and challenges. Aust. J. Forensic Sci. 2018, 50, 209–238. [Google Scholar] [CrossRef] [Green Version]
  48. Kebande, V.R.; Venter, H.S. A comparative analysis of digital forensic readiness models using CFRaaS as a baseline. Wiley Interdiscip. Rev. Forensic Sci. 2019, 1, e1350. [Google Scholar] [CrossRef]
  49. Setiadi, D.R.I.M. PSNR vs SSIM: Imperceptibility quality assessment for image steganography. Multimedia Tools Appl. 2021, 80, 8423–8444. [Google Scholar] [CrossRef]
  50. Horé, A.; Ziou, D. Image quality metrics: PSNR vs. SSIM. In Proceedings of the 2010 20th International Conference on Pattern Recognition, Istanbul, Turkey, 23–26 August 2010; pp. 2366–2369. [Google Scholar]
  51. Sara, U.; Akter, M.; Uddin, M.S. Image Quality Assessment through FSIM, SSIM, MSE and PSNR—A Comparative Study. J. Comput. Commun. 2019, 07, 8–18. [Google Scholar] [CrossRef] [Green Version]
  52. Abd Warif, N.B.; Idris, M.Y.I.; Wahab, A.W.A.; Salleh, R. An evaluation of Error Level Analysis in image forensics. In Proceedings of the 2015 5th IEEE International Conference on System Engineering and Technology (ICSET), Shah Alam, Malaysia, 10–11 August 2015; pp. 23–28. [Google Scholar]
  53. Cha, S.; Kang, U.; Choi, E. The image forensics analysis of jpeg image manipulation (lightning talk). In Proceedings of the 2018 International Conference on Software Security and Assurance (ICSSA), Seoul, Korea, 26–27 July 2018; pp. 82–85. [Google Scholar]
  54. Gunawan, T.S.; Hanafiah, S.A.M.; Kartiwi, M.; Ismail, N.; Za’bah, N.F.; Nordin, A.N. Development of photo forensics algorithm by detecting photoshop manipulation using error level analysis. Indones. J. Electr. Eng. Comput. Sci. 2017, 7, 131–137. [Google Scholar] [CrossRef]
  55. Jeronymo, D.C.; Borges, Y.C.C.; Coelho, L.D.S. Image forgery detection by semi-automatic wavelet soft-Thresholding with error level analysis. Expert Syst. Appl. 2017, 85, 348–356. [Google Scholar] [CrossRef]
  56. Parveen, A.; Khan, Z.H.; Ahmad, S.N. Identification of the forged images using image forensic tools. In Communication and Computing Systems, Proceedings of the 2nd International Conference on Communication and Computing Systems (ICCCS 2018), Gurgaon, India, 1–2 December 2018; CRC Press: Boca Raton, FL, USA, 2018; p. 39. [Google Scholar]
  57. Zhang, W.; Zhao, C. Exposing Face-Swap Images Based on Deep Learning and ELA Detection. Proceedings 2019, 46, 29. [Google Scholar]
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Article Metrics

Citations

Article Access Statistics

Journal Statistics
Multiple requests from the same IP address are counted as one view.
Download PDF
Simulation-Based Testing of Subsystems for Autonomous Vehicles at the Example of an Active Suspension Control System
Previous
A Memristor-Based High-Resolution A/D Converter
Next