Every day, millions of devices such as smartphones, tablets, cameras and scanners create billions of image files in JPG format, and these files are often the subject of digital forensic examinations. In this article we discuss uncommon forensic artifacts that can be found in JPG files.
There are two types of such artifacts: undocumented thumbnails and merged images.
Undocumented thumbnails
JFIF’s specification isn’t finished, so manufacturers of devices capable of creating JPG images can add their own data or objects. Very often the Exif header of a JPG file contains not only a standard thumbnail but also an undocumented one, added by the device that created the image.
For example, here is an image file created by HP Photosmart R960 (Fig. 1).
Fig. 1. The image created by HP Photosmart R960
In Fig. 1 the main image has been replaced with an image of a white square, 8×8 px. This file contains not only a standard thumbnail but also an undocumented one, which is 320×240 px. Very often undocumented thumbnails are even bigger: one can find undocumented thumbnails of up to 640 px in JPG files.
Merged images
A file containing a merged image is usually a JPG file with a standard Exif header, but it also holds another, smaller copy of the original image.
For example, here is an image created by Samsung S860 (Fig. 2).
Fig. 2. The image created by Samsung S860
As you can see, the file SDC10677.JPG contains the original image, which is 3264×2448 px, and a merged file with the same image, this time 640×480 px.
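Both kinds of artifact described above (extra thumbnails inside the Exif header and merged images) are complete JPEG streams stored inside the file, so they can be listed by locating every start-of-image marker and reading the frame size that follows it. The sketch below is an added example, not a tool from the article; the function names and the sample bytes are assumptions, the sample is constructed and structurally minimal (not decodable pixel data), and its 160×120 standard thumbnail is an assumed size.

```python
import struct

SOI = b"\xff\xd8"
# Start-of-frame markers carry the image size (0xC4, 0xC8, 0xCC are not SOF).
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def frame_size(data, start):
    """Walk marker segments from the SOI at `start`; return (width, height) or None."""
    pos = start + 2
    while pos + 9 <= len(data):
        if data[pos] != 0xFF:
            return None                       # not a marker: not a JPEG header
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xDA:
            return None                       # RST/SOI/EOI/SOS before any SOF
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return None
        if marker in SOF:                     # precision(1) height(2) width(2)
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + length                     # skip APPn, DQT, DHT, ...
    return None

def find_embedded_jpegs(data):
    """Return (offset, width, height) for every JPEG stream found in `data`."""
    found, pos = [], data.find(SOI + b"\xff")
    while pos != -1:
        size = frame_size(data, pos)
        if size:
            found.append((pos, size[0], size[1]))
        pos = data.find(SOI + b"\xff", pos + 2)
    return found

def _jpeg(width, height, app1=b""):
    """Build a constructed, structurally minimal JPEG stream for the demo."""
    out = SOI
    if app1:                                  # Exif APP1 holding nested streams
        out += b"\xff\xe1" + struct.pack(">H", len(app1) + 8) + b"Exif\x00\x00" + app1
    sof = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    out += b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof
    out += b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00" * 4
    return out + b"\xff\xd9"

# Constructed sample: main image, two thumbnails in Exif, one merged image appended.
SAMPLE = _jpeg(3264, 2448, _jpeg(160, 120) + _jpeg(320, 240)) + _jpeg(640, 480)
```

Any hit beyond the main image at offset 0 and the standard Exif thumbnail is a candidate undocumented thumbnail or merged image; on a corrupted file the same scan still reports the embedded streams that survived.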
Discussion
The artifacts described in this article can be very useful when examining corrupted or partially recovered images. Using such artifacts, we can understand what kind of images these corrupted files contained.
These artifacts can also help digital forensics analysts with forgery detection. Because graphic editors don’t support such artifacts, they disappear when the changed image is saved. This means that if there are no such artifacts in the file being analyzed, we can say that the image has been changed with an editor.
About the author:
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics