Extracting uncommon forensic artifacts from JPG files

Every day, millions of devices, such as smartphones, tablets, cameras, and scanners, create billions of image files in JPG format. These files are, of course, often the subject of digital forensic examinations. In this article we discuss uncommon forensic artifacts that can be found in JPG files.

There are two types of such artifacts:

  • undocumented thumbnails in JPG file headers;
  • merged images.

Undocumented thumbnails

JFIF’s specification isn’t finished, so manufacturers of devices capable of creating JPG images can add their own data or objects. Very often the Exif header of a JPG file contains not only a standard thumbnail but also an undocumented one, added by the device that created the image.

For example, here is an image file created by HP Photosmart R960 (Fig. 1).

Fig. 1. The image created by HP Photosmart R960

In Fig. 1 the main image has been replaced with an image of a white square, 8×8 px. This file contains not only a standard thumbnail, but also an undocumented one, which is 320×240 px. Very often undocumented thumbnails are even bigger. One can find undocumented thumbnails in JPG files up to 640 px.

Merged images

A file containing a merged image is usually a JPG file with a standard Exif header. In addition, it contains another copy of the original image, smaller in size.

For example, here is an image created by Samsung S860 (Fig. 2).

Fig. 2. The image created by Samsung S860

As you can see, the file SDC10677.JPG contains the original image, which is 3264×2448 px, and the merged file with the same image, but this time it’s 640×480 px.
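The following Python sketch is an added example, not part of the original article: it lists every JPEG stream inside a file by locating SOI markers and reading the frame header that follows each one, which surfaces both thumbnails embedded in the header and a merged smaller copy, and still works on a truncated file. The sample bytes are constructed (marker structure only, not decodable images); the 160×120 standard-thumbnail size and all function names are assumptions.

```python
import struct

SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # frame headers; C4/C8/CC are not SOF

def frame_size(data, soi):
    """Walk the segments that follow the SOI at `soi`; return (width, height) or None."""
    pos = soi + 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                          # not a marker: no valid stream here
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
        elif marker in (0xD9, 0xDA):             # EOI or scan data before any frame header
            return None
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                             # stand-alone markers carry no length
        else:
            (length,) = struct.unpack_from(">H", data, pos + 2)
            if marker in SOF:
                if length < 7 or pos + 9 > len(data):
                    return None
                height, width = struct.unpack_from(">HH", data, pos + 5)
                return width, height
            if length < 2:
                return None
            pos += 2 + length                    # skip the segment, nested streams included
    return None

def embedded_jpegs(data):
    """Return [(offset, width, height)] for every parseable JPEG stream in `data`."""
    found, start = [], 0
    while (soi := data.find(b"\xff\xd8\xff", start)) != -1:
        size = frame_size(data, soi)
        if size:
            found.append((soi, *size))
        start = soi + 2
    return found

def fake_jpeg(width, height, app1=b""):
    """Constructed test stream: SOI, optional APP1, SOF0, EOI (not decodable)."""
    seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if app1 else b""
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    return b"\xff\xd8" + seg + sof + b"\xff\xd9"

# Constructed sample: main image whose APP1 holds two thumbnails, then a merged copy.
exif_payload = b"Exif\0\0" + fake_jpeg(160, 120) + b"pad" + fake_jpeg(320, 240)
SAMPLE = fake_jpeg(3264, 2448, exif_payload) + fake_jpeg(640, 480)
print(embedded_jpegs(SAMPLE))
```

The entry at offset 0 is the main image; any other entry is an embedded or merged stream whose bytes can be carved from its offset for viewing.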

Discussion

The artifacts described in this article can be very useful during examinations of corrupted or partially recovered images. Using such artifacts, we can understand what kind of images these corrupted files contained.

Also, these artifacts can help digital forensics analysts with forgery detection. Because graphic editors don’t support such artifacts, they disappear when the changed image is saved. This means that if there are no such artifacts in the file being analyzed, we can say that the image has been changed with an editor.

About the author:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics
