Chapter 1 (Computer Forensics)

Transcription

1 Final Study Guide Chapter 1 (Computer Forensics) CIST2612 Final will be given Sunday the 22 from 10:30 to 12:30 22 nd of May nd of Understanding Computer forensics {pages 2-3} Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases. The FBI Computer Analysis and Response Team (CART) was formed in 1984 to handle the increasing number of cases involving digital evidence. Fourth Amendment (Katz v. United States) Even though his computer was validly siezed pursuant to a warrant, his attempted deletion of the documents in question created an expectation of privacy protected by the Fourth Amendment. [NO] A mere hope for secrecy is not a legally protected expectation. A Brief History of Computer Forensics {pages 5-7} Thirty years ago, most people didn t imagine that computers world be an integral part of everyday life. By the 1970s, electronic crimes were increasing, especially in the financial sector. One-half cent crime (mainframe era bad programmers took this money) Banks commonly tracked money in accounts to the third decimal place or more. They used and still use the rounding up accounting method when paying interest. If the interest applied to an account resulted in a fraction of a cent, that fraction was used in the calculation for the next account until the total resulted in a whole cent. It was assumed that sooner or later every customer would benefit. As PCs gained popularity and began to replace mainframe computers in the 1980 s, many different OSs emerged and Disk Operating System (DOS) was popular. In 1987, Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage (first popular hard drive). Understanding Case Law (laws can t keep up with technology) {page 8} When statutes or regulations don t exist, case law is used. Case law allows legal counsel to use previous cases similar to the current one and addresses the ambiguity in laws. U.S. Fourth Amendment (search and seizure) {page 10} The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Page 1

2 Understanding Law Enforcement Agency Investigations {page 11} In a criminal case, a suspect is tried for a criminal offense (such as burglary or fraud). Computers and networks might be only tools used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house. Following the Legal Processes (in general) {pages 12-14} Complaint Investigation Prosecution A criminal investigation can begin only when someone finds evidence of an illegal act or witnesses an illegal act. The witness or victim (often referred to as the complainant ) makes an allegation to the police, an accusation or supposition of fact that a crime has been committed. Understanding Corporate Investigations {page 14} Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes, such as wrongful termination. Private organization are not governed directly by Fourth Amendment issues but by internal company policies that define expected employee behavior and conduct in the workplace. When conducting a computer investigation for a private company, remember that business must continue with minimal interruption from your investigation. Embezzlement is a common computer crime, particularly in small firms. Corporate sabotage is most often committed by a disgruntled employee. For example, an employee decides to take a job at a competitor s firm and collects confidential files on a disk or USB drive before leaving. This type of crime can also lead to industrial espionage, which increases every year. Page 2

3 Final Study Guide Chapter 6 (Windows and DOS Systems) CIST2612 Understanding File Systems A file system gives an Operating System (OS) a road map to data on a disk. It is usually directly related to the OS. Understanding Disk Drives Disk drives are made up of one or more platters coated with magnetic material, and data is stored on platters in a particular way. List of disk drive components: Head The head is the device that reads and writes data to a drive. There s one head per platter. Tracks Tracks are circle areas that go around a platter where data is located. Cylinders A cylinder is a column of tracks on two or more disk platters. Sectors A sector is a section on a track, usually made up of 512 bytes. NOTE: Tracks and Cylinders are something interchanged. The manufacturer engineers a disk to have a certain number of sectors per track, and a typical disk drive stores 512 bytes per sector. To determine the total number of addressable bytes on a disk, multiply the number of tracks by the number of heads and by the number of sectors (Tracks x Heads x Sectors x 512 bytes). Example: 1024 Tracks x 32 heads x 63 sectors = 2,064,384 sectors 2,064,384 sectors x 512 bytes = 1,056,964,608 bytes = ~1 GB Microsoft file Structures File Allocation Table (FAT) New Technology File System (NTFS) In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. Clusters are typically 512, 1024, 2048, 4096, or more bytes each. Clusters are numbered sequentially starting at 2 because the first sector of all disks contains a system area (the boot record and a file structure database). Logical addresses Relative cluster positions (Cluster Number) Physical addresses Hardware level starting at 0 (Sector Number) Disk Partitions (a partition is a logical drive) Many hard disks are partitioned, or divided, into two or more sections. For example, an 8 GB hard disk might contain four partitions or logical drives. NOTE: FAT16 does not recognize disks larger than 2 GB (Book had a typo of 2 MB) Someone who wants to hide data on a hard disk can create hidden partitions or voids --- large unused gaps between partitions on a disk drive (called partition gap). Page 3

4 Master Boot Record (MBR) (located in the 1 st sector on the disk) On Windows and DOS computer systems the MBR stores information about the partitions on a disk and their locations, size, and other important items. Examining FAT Disks (File Allocation Table (FAT)) The FAT database is typically written to a disk s outermost track and contains filenames, directory names, date and time stamps, the starting cluster number, and file attributes (archive, hidden, system, and read-only). The FAT version in Microsoft DOS 6.22 had a limitation of eight characters for filenames and three characters for extensions. FAT12 Floppy disk drives and Drives up to 16 MB FAT16 Maximum storage capacity of 2 GB, Cluster # s stored in 2 bytes (65536) FAT32 Maximum storage capacity of 2 TB, Windows 98, Me, 2000, XP, and Vista. FATX Xbox media is stored in the FATX format and can be read by any Windows system. The date stamps start at the year 2000, unlike the other FAT formats that start at Drive size Sectors per Cluster FAT16 Cluster Size in Bytes 0-32 MB bytes MB 2 1 KB MB 4 2 KB MB 8 4 KB MB 16 8 KB MB KB MB KB MB KB NOTE: The # of Clusters is stored in 2 bytes, so the limit of clusters is 65536! How Files are saved using Clusters (Older Microsoft OSs) Whole File EOF RAM Slack End of Sector File Slack End of Cluster RAM slack RAM Memory copied to right after End Of File (EOF) to End of Sector. Any information in RAM at that point, such as logon IDs or passwords, is placed in RAM slack on older Microsoft OSs when you save a file. File fragments, deleted s, and passwords are often found in RAM and file slack. Structure of a FAT Partition Boot sector (MBR) File Allocation Table 1 File Allocation Table 2 (Copy) Root Directory Other Directories and ALL Files Page 4

5 File Allocation Table (FAT) (Short Entry & Long Entry) File Allocation Table (FAT) Short Entry Byte Offset (hex) Field Length Sample Value Meaning 00 8 bytes NameList Short File Name 08 3 bytes EXE Short File Extension 0B 1 byte 0x01 File Attributes 0C 1 byte 0x10 Windows NT Uses 0D 2 bytes 150 Create Time ms/1 st Char of Del File 0E 2 bytes 0xB192 Create Time (Hours, Minutes, Sec) 10 1 byte 0xA499 Create Date (Year, Month, Day) 12 2 bytes 0xA499 Last Access Date/Last Modified Date 14 2 bytes 0x0FFF Access Rights 16 2 bytes 0xB192 Last Modified Time (Hours, Minutes, Sec) 18 2 bytes 0xA499 Last Modified Data (Year, Month, Day) 1A 2 bytes Start Cluster (0 to 65535) 1C 4 bytes File Size in Bytes 32 bytes Short File Name 1 st Byte of 0xE5 means file was deleted, 1 st Byte of 0x00 means End of FAT Entries. File Attributes Read Only, Hidden, System {should not be moved}, Volume Label, Subdirectory {file size of 0}, Archive {used for Backups}, Device {should not be changed}, Reserved {should not be changed}. Create Time ms Range is 0 to 199. Time Page 5 Date Item & Range bits Item & Range bits Hour (0 23) Year (0 = 1980) 9 15 Minutes (0 59) 5 10 Month (1 12) 5 8 Seconds/2 (0 29) 0 4 Day (1 31) 0 4 NOTE: Year (Range is 1980 to 2099 in years & 0 to 119 in values) Time Example Normal time: 18:12:44 or 6:12:44 pm Each number to binary 10110:001100:10010 Binary number put in 2 bytes ( )2 = 0xB192 = (B192)16 Date Example Normal date: Sept 20 th 2005 or 20/9/ Each number to binary 10100:1001: Binary number put in 2 bytes ( )2 = 0xA499 = (A499)16

6 File Allocation Table (FAT) Long Entry Byte Offset (hex) Field Length Sample Value Meaning 00 1 byte 0x01 Sequence Number bytes Happy Name Characters (five UCS-2 characters) 0B 1 byte 0x0F Attributes (always 0x0F) 0C 1 byte 0x10 Type (always 0x00 for VFAT LFN) 0D 1 byte Checksum of DOS file name 0E 12 bytes Shapes Name Characters (six UCS-2 characters) 1A 2 byte 0x0000 First cluster (always 0x0000) 1C 4 bytes On Name Characters (two UCS-2 characters) 32 bytes Sequence Number Range of 0x01 to 0.x14, last one (bit 6 is set 0x40), and deleted entry 0xE5. Name Characters After the last UCS-2 character, a 0x0000 is added. The remaining unused characters are filled with 0xFFFF. Deleting FAT Files (1 st letter of file name is changed to a special value) When a file is deleted in Windows Explorer or with the MS-DOS Delete command, the OS inserts a HEX E5 (0xE5), which many hex-editing programs reflect as the lowercase Greek letter sigma (σ) in the filename s first letter position in the FAT database. Page 6

7 The FAT16 file system uses 16 bits per FAT entry, thus one entry spans two bytes in little-endian byte order: Example of FAT16 table start with several cluster chains Offset A +B +C +D +E +F F0 FF FF FF FF FF 0A C 00 0D 00 0E 00 0F FF FF FF FF F7 FF F7 FF 1A 00 FF FF F7 FF FAT ID / endianess marker (in reserved cluster #0), with 0xF0 indicating a volume on a non-partitioned superfloppy drive (must be 0xF8 for partitioned disks) End of chain indicator / maintenance flags (in reserved cluster #1) Second chain (7 clusters) for a non-fragmented file (here: #2, #3, #4, #5, #6, #7, #8) Third chain (7 clusters) for a fragmented, possibly grown file (here: #9, #A, #14, #15, #16, #19, #1A) Fourth chain (7 clusters) for a non-fragmented, possibly truncated file (here: #B, #C, #D, #E, #F, #10, #11) Empty clusters Fifth chain (1 cluster) for a sub-directory (here: #23) Bad clusters (3 clusters) (here: #27, #28, #2D) Page 7

8 Final Study Guide Chapter 6 (Sectors Cluster and Memory Size) CIST2612 Problem A How many sectors are there on this floppy disk and what is the disk size? Floppy Disk (info) Double Sided (2 heads) 80 Tracks 18 Sectors per Track 2 x 80 x 18 = 2880 Sectors 2880 x 512 bytes 1,474,560 bytes 1440 KB 1.44 MB Problem B How many sectors are there on this hard disk and what is the disk size? Hard Drive (info) 16 Double Sided Platters (32 heads) 1024 Tracks 127 Sectors per Track 32 x 1024 x 127 = 4,161,536 Sectors x 512 bytes 2,130,706,432 bytes 2032 MB 1.98 GB ~ 2 GB File Allocation Table (FAT) FAT16 Maximum storage capacity of 2 GB, Cluster # s stored in 2 bytes (65536) Drive size Sectors per Cluster FAT16 Cluster Size in Bytes 0-32 MB bytes MB 2 1 KB MB 4 2 KB MB 8 4 KB MB 16 8 KB MB KB MB KB MB KB Page 8

9 Problem C What is the cluster size of a 500MB hard drive (using FAT16)? 500MB = 524,288,000 bytes / / bytes Sectors are 512 bytes, so how many sectors are needed to fit 8000 bytes? 16 Sectors in each Cluster (16 x 512 bytes = 8192 bytes 8KB) Problem D What is the cluster size of a 2GB hard drive (using FAT16)? 2GB = 2,147,483,648 bytes / / bytes Sectors are 512 bytes, so how many sectors are needed to fit bytes? 64 Sectors in each Cluster (64 x 512 bytes = bytes 32KB) Whole File EOF RAM Slack End of Sector File Slack End of Cluster Problem E Using the Hard Drive from Problem C, how much memory will a 20KB file take up? The Hard Drive from Problem C use Clusters of size 8KB! 20KB = bytes 3 x Cluster size (8KB) = 3 x 8192 = 24,576 bytes 4KB wasted Problem F Using the Hard Drive from Problem D, how much memory will a 20KB file take up? The Hard Drive from Problem D use Clusters of size 32KB! 20KB = bytes 1 x Cluster size (32KB) = 1 x = 32,768 bytes 12KB wasted Page 9

10 Time Date Item & Range bits Item & Range bits Hour (0 23) Year (0 = 1980) 9 15 Minutes (0 59) 5 10 Month (1 12) 5 8 Seconds/2 (0 29) 0 4 Day (1 31) 0 4 NOTE: Year (Range is 1980 to 2099 in years & 0 to 119 in values) Time Example Normal time: 18:12:44 or 6:12:44 pm Each number to binary 10110:001100:10010 Binary number put in 2 bytes ( )2 = 0xB192 = (B192)16 Date Example Normal date: Sept 20th 2005 or 20/9/ Each number to binary 10100:1001: Binary number put in 2 bytes ( )2 = 0xA499 = (A499)16 Problem G How is Normal time 3:15:08 am represented? Each number to binary 00100:001111:00011 Binary number put in 2 bytes ( )2 = 0x21E3 = (21E3)16 16 Page 10

11 Final Study Notes Chapter 6 & 8 (File Systems Compared) CIST2612 File Systems (Where are they used?) A file system gives an Operating System (OS) a road map to data on a disk. It is usually directly related to the OS. File Allocation Table (FAT) Flash Drives & Older Window Computers New Technology File System (NTFS) Current Window Computers Hierarchical File System (HFS) Macintosh/Apple Computers, iphones UNIX & Linux Android phones Disk Drives (All these File Systems use this disk structure) Disk drives are made up of one or more platters coated with magnetic material, and data is stored on platters in a particular way. Data is stored in group of bytes called Sectors or Blocks on the disk (currently the normal is 512 bytes each. List of disk drive components: Head The head is the device that reads and writes data to a drive. There s one head per platter. Tracks Tracks are circle areas that go around a platter where data is located. Sectors A sector is a section on a track, a group of 512 bytes. What happens when a file is Created How many bytes are set aside for a file when it is created? File Allocation Table (FAT) A 32 bytes record is created, and the record points to the first grouping of sectors (cluster) only. New Technology File System (NTFS) A 1024 bytes record is created, and the record points to each grouping of sectors (cluster). Hierarchical File System (HFS) A 512 bytes record is created, and the record points to each grouping of blocks (allocation blocks). A tree structure is used called a B*-tree (balanced tree) which allows files to be found much faster than searching for it by name. UNIX & Linux A 512 bytes record is created called an inode, and this inode used address pointers (direct, single, double, or triple) to point to each block. Note block are not grouped, to make cluster like bigger block! Page 11

12 Structure of each file system All these file systems search the list of file records to find a file! How information is stored is where they are different! File Allocation Table (FAT) Record (called Short Entry, 32B) {Long Entries is used for long file name only} a) Name {8 characters for name and 3 for extension NNNNNNNN.EEE} b) Attribute (Read Only, Hidden, System, Subdirectory) c) Times & Dates (Creation, Access {only date}, Changes) d) First Cluster (Start of File s Linked List) e) File Size NOTE: No Access Security for files. Times & Dates (2B for time, 2B for date) Time (Seconds/2, Minutes, Hours) SSSSS:MMMMMM:HHHHH {16 bits} Date (Day, Month, Years since 1980) DDDDD:MMMM:YYYYYYY {16 bits} The FAT is a Linked List of all clusters with a pointer to the next cluster. FFFF/FFFFFFFF End of File FFFF FFFF FFFF 1508 FFFF New Technology File System (NTFS) Master File Table (MFT) Record (1024B, a record in the MFT has 15 subparts, Each start with FILE ) a) 0x10 Standard Times & Dates (Creation, Access, Data & Record Changes) b) 0x30 File Name Short & Long (up to 255) c) 0x40 Object ID Ownership & Access Rights d) 0x50 Security Access Control List e) 0x80 Data File Data (if under 512B) or Data Runs (groups of connected clusters) Note: This File System has the fastest Access Time for small files (under 512 bytes)! Times & Dates (WIN32 format, 8B) {100 nanosecond count used} 10,000,000 counts per second since Jan. 1 st 1601 Data Run (Examples) 1) 21 4B CA 08 This data run contains 75 clusters & starts at cluster 2250 (0x4B = 75 & 0x8CA = 2250) 2) 32 2C 01 F2 D4 01 This data run contains clusters 300 starts at cluster (0x12C = 300 & 0x1D4F2 = ) Page 12

13 Hierarchical File System (HFS) Master Directory Block (MDB) Record (512B, a data fork & a resource fork {things like icons}) Like the data on a UNIX & Linux (minus the Block Address) Note: The B-tree (or balanced tree) allows HFS file systems to find a file record faster! Times & Dates (4B 32 bits, 1 bit for sign +/-) Seconds since Jan. 1 st 1970 (range of 13Dec1901 to 19Jan2038) UNIX & Linux Record (Inode,512B) a) Mode & Type b) Number of Links (like short cuts) c) UID & GID d) Size in bytes e) Time & Dates (record change time, and data access & modified time) f) Block Address ([10] direct, [1] indirect, [1] double-indirect, [1] triple-indirect) g) Number of blocks h) File generation number and version number Note: The create time & date is not stored! 2 nd Note: Bad blocks are tracked! The book pointed out that data could be hidden by adding good block to the bad list. Times & Dates (4B 32 bits, 1 bit for sign +/-) Seconds since Jan. 1 st 1970 (range of 13Dec1901 to 19Jan2038) Double-Indirect Pointers (1 pointer 128 pointers Each pointer to another 128) [897, 925, 977,, {128}] 897[10501, 12876, 16456,, {128}] Page 13

14 What happens when a file is Searched for so the file can be loaded on the computer What steps are done by the computer? General Steps 1) Search the list of records to find the needed file record {Search Time} a) Check the 1 st record by name or file # (if found stop) b) Check the 2 nd record by name or file # (if found stop) c) Repeat, Repeat, Repeat until found 2) When the record is found, use the information in the file record to put the file together piece by piece {Access Time} Note: Information is loaded in chunks of data (cluster/allocation blocks) during the search for file record also. File Allocation Table (FAT) o Check each 32 byte record to see if the names match o When the file record found, use the first cluster location to find the first piece of the file o Now use the Linked List to find any other pieces of the file and put New Technology File System (NTFS) o Check each 1024 byte record (marked with FILE ) to see if the names match o When the file record is found If file is under 512 bytes in size, your done data in already in the computer o If file is over 512 bytes in size, use all the Data Run to information to put the file together piece by piece Hierarchical File System (HFS) o Search the B*-tree structure 512 byte records to find the file record that matches the file number Note: The B*-tree can be searched much faster than a normal list of records o When the file record is found, locate the allocated block in the file record o Use the allocated block information to find all the blocks and put the file together block by block UNIX & Linux o Check each 512 byte record (called an Inode) to see if the file numbers match o When the file record is found, locate the pointers (direct, indirect, double-indirect, triple-indirect) and the number of blocks in the file record (called an Inode) o Use the pointers (direct, indirect, double-indirect, triple-indirect) and the number of blocks to put the file together block by block Page 14

15 Final Study Notes Chapter 6 & 8 (File Systems - Examples) CIST2612 Example (Clusters are 4 Sectors/Blocks each) A Sector/Block is 512 bytes and a Cluster is 4 Sectors/Blocks, so a Cluster is 2KB or 2048 bytes. File is named FOODLIST.DAT and contains 1825 bytes. Cluster # Sector/Block # Sector/Block # Sector/Block # Sector/Block # How would the data for this file be stored in our file systems? File Allocation Table (FAT16) It s 32 bytes file record would have a field for the [Start Cluster] = Cluster_List[0] = Cluster_List[1] = : Cluster_List[2758] = 2759 Cluster_List[2759] = 7432 : Cluster_List[7432] = 7433 Cluster_List[7433] = : Cluster_List[8793] = 0 : FAT16 Short Entry (Record) for this file Field Length Sample Value Meaning 8 bytes FOODLIST Short File Name 3 bytes DAT Short File Extension 1 byte 0x01 File Attributes 1 byte 0x10 Windows NT Uses 1 byte 150 Create Time 10ms/1 st Char of Del File 2 bytes 0xB192 Create Time (Hours, Minutes, Sec) 2 bytes 0xA499 Create Date (Year, Month, Day) 1 bytes 0xA499 Last Access Date/Last Modified Date 2 bytes 0x0FFF Access Rights 2 bytes 0xB192 Last Modified Time (Hours, Minutes, Sec) 2 bytes 0xA499 Last Modified Data (Year, Month, Day) 2 bytes C6 0A Start Cluster (0xAC6 = 2758) 4 bytes File Size in Bytes (0x721 = 1825) 32 bytes Page 15

16 File is named FOODLIST.DAT and contains 1825 bytes. Cluster # Sector/Block # Sector/Block # Sector/Block # Sector/Block # New Technology File System (NTFS) It s a 1024 bytes file record that has a data file attribute (0x80) {1 of 15} that stores the data or the data location(s). Nonresident Flag Start of attribute 0x80 Length of attribute 0x C AD 1A C B B C6 0A D FF FF FF FF Data Run 1 Data Run 2 End of Data Runs End of file record Data Run C6 0A Data Run D Page 16

17 File is named FOODLIST.DAT and contains 1825 bytes. Cluster # Sector/Block # Sector/Block # Sector/Block # Sector/Block # UNIX & Linux A 512 bytes record is created called an inode, and this inode used address pointers (direct, single, double, or triple) to point to each block. Note: Block are not grouped, to make cluster like bigger block! Inode other file information Size 1825 # of Blocks 16 Block Address Block Address Block Address Block Address Block Address Block Address Block Address Block Address Block Address Block Address Indirect Address D-Indirect Address 0 T-Indirect Address : : Page 17

18 Final Study Notes Chapter 10 (Graphic Files - BMP) CIST2612 bitmap (BMP file format) = Device Independent Bitmap (DIB) The BMP file format is capable of storing two-dimensional digital images of arbitrary width, height, and resolution, both monochrome and color, in various color depths, and optionally with data compression, alpha channels, and color profile. (*.bmp, *.dib) BMP File Structure (these parts come in order) Only 3 parts are required (1) Bitmap file header, (2) DIB header, and (3) Pixel array. Bitmap file header General information about the bitmap image file. DIB header Detailed information about the bitmap image and define the pixel format. Extra bit masks Pixel format. Color table Colors used by the bitmap image data (Pixel array). Required for color depths < 8 bits. Gap1 Structure alignment for the File offset to Pixel array in the bitmap file header. Pixel array The actual values of the pixels. Each row in the Pixel array is padded to a multiple of 4 bytes in size. Pixels are stored upside-down and left to right. Gap2 Structure alignment for the ICC profile data offset field in the DIB header. ICC color profile The color profile for color management. Bitmap File Header (only 14 bytes) Page 18

19 DIB header (bitmap information header) BMP Example Small black & white smiley face (only 100 pixels in size, 10 x 10). Page 19

20 BMP File Header Example - Black & White Smiley Face (See next page) Header Field 42 4D BM Size of BMP file x176 (374)10 Offset to bitmap image data (pixel array) (54)10 DIB Header Example - Black & White Smiley Face (See previous page) Size of the Header x28 (40)10 bitmap width in pixels 0A xA (10)10 bitmap height in pixels 0A xA (10)10 number of color panels x1 (1)10 10 number of bits per pixels x18 (24)10 compression method image size x140 (320)10 horizontal resolution of the image (pixel per meter) vertical resolution of the image (pixel per meter) number of colors in the color palette (0 = 2 n ) number of important colors used Pixel array Example - Black & White Smiley Face (See previous page) The Bottom row comes first! Bottom row of image FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF (white dot white dot white dot white dot white dot white dot white dot white dot white dot white dot padding) nd Bottom row image FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF (white dot white dot white dot black dot black dot black dot black dot white dot white dot white dot padding) 2 nd Page 20

21 Final Study Notes Chapter 10 (Graphic Files - GIF) CIST2612 GIF (Graphics Interchange Format) Introduced in 1987 The format supports up to 8 bits per pixel for each image, allowing a single image to reference its own palette of up to 256 different colors chosen from the 24-bit RGB color space. It also supports animations and allows a separate palette of up to 256 colors for each frame. These palette limitations make the GIF format less suitable for reproducing color photographs and other images with continuous color, but it is well-suited for simpler images such as graphics or logos with solid areas of color. GIF images are compressed using the Lempel-Ziv-Welch (LZW) lossless data compression technique to reduce the file size without degrading the visual quality. GIF File Structure (Main parts only ) Header GIF89a/GIF87a Logical Screen Descriptor Width, Height, Color Table Type *, Background, aspect ratio Global Color Table (GCT) List of up to 256 RGB colors starts at 0 Graphic Control Extension 21 F9 GCE code, Size of GCE, Animation Delay, Transparent # Image Descriptor C2, NW corner position, Width & Height, Local Color Table * Image Start/LZW code size, LZW data size, LSW data GIF File Header (All parts) Offset Offset Size hex dec bytes Purpose Header GIF89a ( ) or GIF87a ( ) Logical screen width in pixels Logical screen height in pixels 0A 10 1 * Color Table Type F7 (Flag[1]:Color Bit Sz[3]:Sorted[1]:Table Sz[3]) 0B 11 1 Background color (00 to FF, 0 to 255) 0C 12 1 Default pixel aspect ratio (0 means 1:1) 0D 13 1 to = to FF = FF FF FF (Max of 256) 2 Graphic Control Extension (GCE) (21 F9) 1 Size of GCE in bytes 1 * Disp Meth (3 bits):usr In F(1 bit):delay(3 bits):transparency F(1 bit) 2 Delay for animation (00 00 means not used) 1 Number of Transparent Color in GCT 1 End of GCE block (00) 1 Image Descriptor (2C =, {Comma}) 4 NW corner position of image in logical screen 4 Image width and height in pixels 1 * Local color table Descriptor (0 = no local color table) 1 Start of image LZW minimum bit code size (8 bit code size) 1 Size of LZW encode image data follow var LZW encode image data (based of previous byte) 1 End of image data marker (00) 1 End of GIF file (3B = ; {semicolon} Page 21

22 GIF File Header Example 1 pixel GIF Header Field GIF89a Width in pixels x1 (1)10 10 Height in pixels x1 (1)10 10 Color Table Type 08 0x8 (8)10 Background Color 00 0x0 (0)10 Aspect Ratio 00 0x0 (0)10 Global Color Table FF FF FF Graphic Control Extension 21 F9 0x21F9 {21 is the ASCII code for!} Size of GCE 04 0x4 (4)10 Graphic Control Extension Special Byte 01 0x1 (1)10 10 Animation Delay x0 (0)10 Transparent Color 00 0x0 (0)10 End of GCE 00 0x0 (0)10 Image Marker 2C 0x2C {ASCII for comma,} NW Corner Position x0 Width & Height x1 & 0x1 Local Color Table 00 0x0 {not used} Image Start/LZW code size 01 0x2 (2)10 LZW data size 01 0x1 (1)10 10 LZW data 44 0x44 ( )2 End of data marker 00 0x0 (0)10 End of GIF file marker 3B 0x3B {ASCII for semicolon ;} *Color Table Type (Global Color Table Flag (1 bit) : Bit Color Resolution (3 bits) Value + 1 : Global Table Sort Flag (1 bit) : Size of Global Color Table (3 bits) 2 Value + 1 *Graphic Control Extension Special Byte (Disposal Method (3 bits) (0=No Disp,1=Do Not Dispose,2=Restore BKGR,3=Restore Previous) : User Input Flag (1 bit) : User Input Delay Time (3 bits) : Transparency Flag (1 bit) *Local Color Table Type (Local Color Table Flag (1 bit) : Interlace Flag (1 bit) : Local Table Sort Flag (1 bit) : RESERVED (2 bits) : Size of Local Color Table (3 bits) 2 Value + 1 Page 22

23 Final Study Notes Chapter 10 (Graphic Files - PNG) CIST2612 PNG (Portable Network Graphics) Introduced in 1996 PNG was created as an improved, non-patented replacement for Graphics Interchange Format (GIF), and is the most used lossless image compression format on the Internet. PNG was and is intended to be a single-image format only. Compression used is like LZ77 called Deflate, and a filter step used. PNG File header (A PNG file starts with an 8-byte signature) Values 89 Purpose Has the high bit set to detect transmission systems that do not support 8 bit data and to reduce the chance that a text file is mistakenly interpreted as a PNG, or vice versa. 50 4E 47 In ASCII, the letters PNG, allowing a person to identify the format easily if it is viewed in a text editor. 0D 0A 1A 0A A DOS-style line ending (CRLF) to detect DOS-Unix line ending conversion of the data. A byte that stops display of the file under DOS when the command type has been used the end-of-file character A Unix-style line ending (LF) to detect Unix-DOS line ending conversion. PNG File Structure (chunks of information {4 Critical types & 15 Ancillary types}) After header comes a series of chunks, each of which gives certain information about the image. Chuck Data Length Chunk type Chunk data CRC 4 bytes 4 bytes Length bytes 4 bytes NOTE: CRC = Cyclic Redundancy Code (checksum) A decoder must be able to interpret critical chunks to read and render a PNG file. IHDR must be the first chunk; it contains (in this order) the image's width, height, bit depth, color type, compression method, filter method, interlace method. PLTE contains the palette; list of colors (indexed color like in a GIF). IDAT contains the image, which may be split among multiple IDAT chunks. Such splitting increases filesize slightly, but makes it possible to generate a PNG in a streaming manner. The IDAT chunk contains the actual image data, which is the output stream of the compression algorithm. IEND marks the image end. Color type Name PNG color types Binary A C P 0 Grayscale True color (RGB) color Masks 3 Indexed color, palette 4 Grayscale and alpha alpha 6 True color and alpha alpha, color Page 23

24 PNG Example Small black & white smiley face (only 100 pixels in size, 10 x 10). Figure 1 - PNG file with IDAT information highlighted File Header Header Field E 47 0D 0A 1A 0A 89 P N G {CR} {Line Feed} {End of File} {LF} IHDR Chunk Chunk Data Length in Bytes D 0xD (13)10 10 Chunk Type IHDR Width in pixels A 0xA (10)10 Height in pixels A 0xA (10)10 Bit Depth 08 0x8 (8)10 Color Type 06 True color (RGB) & Alpha Compression method 00 Compression method 0 Filter method 00 Filter method 0 Interlace method 00 0 = No Interlace Chunk Checksum 8D 32 CF BD 0x8D32CFBD IDAT Chunk Chunk Data Length in Bytes x46 (70)10 Chunk Type IDAT Image data CE 70 Bytes {highlighted above} Chunk Checksum AE xAE IEND Chunk Chunk Data Length in Bytes x0 (0)10 Chunk Type E 44 IEND Image data 0 Bytes Chunk Checksum 4C EE 0x4C6256EE Page 24

25 Final Study Notes Chapter 10 (Graphic Files JPEG) CIST2612 JPEG (Joint Photographic Experts Group) Introduced in 1991 Uses Lossy Compression JPG is optimized for photographs and similar continuous tone images that contain many, many colors. It can achieve astounding compression ratios even while maintaining very high image quality. JPG works by analyzing images and discarding kinds of information that the eye is least likely to notice. It stores information as 24 bit color. JPEG File header (Segment FF D8 = Start Of Image, FF E0 = Application Specific) Values FF D8 FF E0 Purpose Start Of Image Segment Application Specific Segment for a JPEG JFIF (File Interchange Format Specification) Byte count (does not include Segment Marker) 4A Identifier (zero terminated string { JFIF }) Version of Application 01 Units for the X and Y densities (0 = no units, 1 = dots per inch, 2 = dots per cm) Horizontal pixel density {0x60 = (96) 10} 96 dots per inch is common! Vertical pixel density {0x60 = (96) 10} 96 dots per inch is common! 00 Thumbnail horizontal pixel count 00 Thumbnail vertical pixel count There are more bytes if thumbnails are not 0 JPEG File Structure (segments of information {11 segment types}) A JPEG image consists of a sequence of segments, each beginning with a marker, each of which begins with a 0xFF byte followed by a byte indicating what kind of marker it is. Some markers consist of just those two bytes; others are followed by two bytes (high then low) indicating the length of marker-specific payload data that follows. (The length includes the two bytes for the length, but not the two bytes for the marker.) Segment Marker Length of Segment Data Segment data Entropy-data FF 2 bytes 2 bytes Length bytes? bytes Most Common JPEG Segment markers (not all) Name Bytes Payload Name Comments SOI 0xFF, 0xD8 none Start Of Image SOF0 SOF2 APPn 0xFF, 0xC0 0xFF, 0xC2 0xFF, 0xEn variable size variable size variable size Start Of Frame (Baseline DCT) Start Of Frame (Progressive DCT) Applicationspecific EOI 0xFF, 0xD9 none End Of Image Indicates that this is a baseline DCT-based JPEG, and specifies the width, height, number of components, and component subsampling (e.g., 4:2:0). Indicates that this is a progressive DCT-based JPEG, and specifies the width, height, number of components, and component subsampling (e.g., 4:2:0). For example, an Exif JPEG file uses an APP1 marker to store metadata, laid out in a structure based closely on TIFF. Page 25

26 JPEG Example Small black & white smiley face (only 100 pixels in size, 10 x 10). Figure 1 Start of Frame (Baseline DCT) (Width, Height, # of Components, Component subsampling) Start of Frame (Baseline DCT) Segment Data Segment Marker FF C0 Length of Segment Data x11 (17)10 10 Bit Sample Precision 08 0x8 (8)10 Width in pixels 00 0A 0xA (10)10 Height in pixels 00 0A 0xA (10)10 Number of Component 03 0x3 (3)10 1 st Component Subsampling (1:34:0) 2 th Component Subsampling (2:17:1) 3 rd Component Subsampling (3:17:1) Page 26