What is Drone Image Forensics – Examination of Exif & JPEG Format
Images are considered an important source of communication, like text. Images provide artefacts or recorded visual perceptions of an object. In my previous blog, I discussed the ontology of drone forensics, in which I mentioned image forensics as an important component. Continuing with image forensics, I will discuss format-based drone image forensics. As mentioned previously, the digital cameras used in drones support the JPEG format, so JPEG format forensics is the main aim of this post. The image taken by a digital camera, known as a digital image, uses “lossy compression”, and this is the compression method used by JPEG. In digital images, the encoded content is displayed using an inexact approximation, which is why the method is referred to as lossy compression.
What is JPEG?
The standard method of compressing images is referred to as JPEG, which stands for Joint Photographic Experts Group. Its file extensions are .jpeg, .jpg, .jfif and .jpe, and among them .jpg is the most used one. JPEG/Exif is the format used by digital cameras; Exif refers to the Exchangeable Image File format, which is used by audio, video, and image files recorded by digital cameras. Exif adds metadata tags to two existing formats: TIFF Rev 6.0 for uncompressed images and JPEG DCT (Discrete Cosine Transform) for compressed images.
What is EXIF File Format?
Exif, also known as Exchangeable Image File format, is the same as a JPEG image; it just adds additional metadata, namely the digicam/image information and a thumbnail, to the JPEG specification. This Exif metadata is stored in the Application Segment of the JPEG structure. Exif borrowed its tag structure from the TIFF header. It also supports a location information tag, referred to as the Geo-location tag. The Exif data is inserted within the image file, so this Geo-location tag can be a great artefact for the expert.
JPEG FILE FORMAT
If we look inside the JPEG structure, we find a sequence of segments, each starting with a marker. The table given below will give a brief insight into JPEG markers.
We can see from the table that the JPEG file starts with the SOI (Start of Image) marker, which has the value 0xFFD8, and ends with the EOI (End of Image) marker, which has the value 0xFFD9. The structure of the JPEG marker is shown below.
Exif files use the “APPn application marker” APP1 (0xFFE1). Similarly, JFIF (JPEG File Interchange Format) also uses an application marker to insert digicam information and a thumbnail image, but JFIF uses the APP0 (0xFFE0) marker to avoid conflicts. Below I have shown the structure of the Exif marker.
As the Exif file starts with FFD8, it is a JPEG file. If we look at the structure, we can see that the size of the descriptor is also included in the “SSSS” size. After the APP data finishes, other markers follow. The Exif data starts with the special ASCII string “Exif”, which identifies whether the data is Exif or not, and 2 bytes of 0x00; the data follows after that.
DATA STRUCTURE OF EXIF FORMAT
The Exif file format uses TIFF data structures to store data. Below, the Exif format structure is shown for a file in which “Intel” byte alignment and a JPEG thumbnail are used.
TIFF HEADER STRUCTURE
The TIFF format is used by Exif files to store data. TIFF has an 8-byte image header; the basic header structure is shown below:
The first 2 bytes of the TIFF header show the type of byte alignment: “II” denotes Intel type byte alignment, while “MM” denotes Motorola type byte alignment. It is commonly seen that only Ricoh uses MM type byte alignment and most other digicams use II type byte alignment. So the type of byte alignment must be checked when inspecting the TIFF header.
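The marker, APP1 and TIFF header checks described above can be run as a short parser. This is an added example, not code from the original post; the function names are hypothetical and the sample file is constructed by hand.

```python
import struct

def iter_segments(jpeg):
    """Yield (marker, payload) for each segment after SOI, stopping at SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker (0xFFD8): not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS (compressed data follows)
            return
        (size,) = struct.unpack_from(">H", jpeg, pos + 2)   # size counts its own 2 bytes
        if size < 2 or pos + 2 + size > len(jpeg):
            raise ValueError(f"bad segment size at offset {pos}")
        yield marker, jpeg[pos + 4:pos + 2 + size]
        pos += 2 + size

def exif_tiff_header(jpeg):
    """Return (byte_align, ifd0_offset) read from the APP1 Exif segment, or None."""
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or payload[:6] != b"Exif\x00\x00":
            continue                          # APP0/JFIF and other segments are skipped
        tiff = payload[6:]                    # TIFF header starts right after "Exif\0\0"
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or len(tiff) < 8:
            raise ValueError("invalid TIFF header in Exif segment")
        magic, ifd0_offset = struct.unpack_from(endian + "HI", tiff, 2)
        if magic != 0x002A:
            raise ValueError("TIFF magic number 0x002A not found")
        return ("Intel" if endian == "<" else "Motorola"), ifd0_offset
    return None

def segment(marker, body):                    # helper used only to build the sample
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed sample: SOI, JFIF APP0, Exif APP1 ("II" header, empty IFD0), EOI
SAMPLE = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00" + bytes(9))
          + segment(0xE1, b"Exif\x00\x00II" + struct.pack("<HI", 42, 8) + bytes(6))
          + b"\xff\xd9")
```

A file that carries both APP0 and APP1, as the sample does, is read as Exif here because only the APP1 payload beginning with “Exif” and two zero bytes is accepted.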
Image File Directory (IFD)
From the structure of the Exif file we know that after the TIFF header there is an IFD, which holds the image information data. Below, the IFD structure is shown along with the bytes enclosed within it.
TTTT in the above figure shows the sort of data, denoted by the Tag number. In the Exif structure, the first IFD is linked to the IFD of the thumbnail image, and after that the IFD link is terminated. The digicam information is stored in the Exif SubIFD, which is reached through an offset link.
The Exif files contain the thumbnail image next to the IFD1. There are possibly three kinds of thumbnails available: RGB TIFF Format, JPEG format (it uses YCbCr) and YCbCr TIFF format.
The thumbnail is in JPEG format when the Compression tag (0x0103) in IFD1 is 6. The “JpegIFByteCount(0x0202)” tag gives the size of the JPEG thumbnail and the “JpegIFOffset(0x0201)” tag gives the offset value of the JPEG thumbnail.
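The IFD chain and the three thumbnail tags described above can be followed in code to carve the embedded thumbnail. This is an added example, not code from the original post; the function names are hypothetical, the input is the TIFF data that follows “Exif” and the two zero bytes, and the sample is constructed by hand.

```python
import struct

def read_ifd(tiff, offset, endian):
    """Return ({tag: value}, next_ifd_offset) for the IFD at `offset`.
    Only SHORT (3) and LONG (4) values are decoded; other types keep the raw 4 bytes."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):                    # each entry is 12 bytes: tag, type, count, value
        tag, typ, _n, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        if typ == 3:
            entries[tag] = struct.unpack(endian + "H", raw[:2])[0]
        elif typ == 4:
            entries[tag] = struct.unpack(endian + "I", raw)[0]
        else:
            entries[tag] = raw
    (next_ifd,) = struct.unpack_from(endian + "I", tiff, offset + 2 + 12 * count)
    return entries, next_ifd

def carve_jpeg_thumbnail(tiff):
    """Follow the first IFD to IFD1 and return the JPEG thumbnail bytes, or None."""
    endian = "<" if tiff[:2] == b"II" else ">"
    (first_offset,) = struct.unpack_from(endian + "I", tiff, 4)
    _first, ifd1_offset = read_ifd(tiff, first_offset, endian)
    if ifd1_offset == 0:
        return None                           # link terminated: no thumbnail IFD
    ifd1, _next = read_ifd(tiff, ifd1_offset, endian)
    if ifd1.get(0x0103) != 6:                 # Compression tag: 6 means JPEG
        return None
    start, size = ifd1[0x0201], ifd1[0x0202]  # offsets count from the TIFF header start
    thumb = tiff[start:start + size]
    if len(thumb) != size or thumb[:2] != b"\xff\xd8":
        raise ValueError("thumbnail offset/size do not point at JPEG data")
    return thumb

def entry(tag, typ, value):                   # helper used only to build the sample
    return struct.pack("<HHIH2x" if typ == 3 else "<HHII", tag, typ, 1, value)

# Constructed sample: header, empty first IFD at 8, IFD1 at 14, 4-byte "thumbnail" at 56
THUMB = b"\xff\xd8\xff\xd9"
SAMPLE_TIFF = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<HI", 0, 14)
               + struct.pack("<H", 3) + entry(0x0103, 3, 6) + entry(0x0201, 4, 56)
               + entry(0x0202, 4, 4) + struct.pack("<I", 0) + THUMB)
```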
JPEG Image Forensics
The very first issue that arises in the area of image forensics is to evaluate whether the image comes from the source it is claimed to come from. The next important issue is whether the image has captured the original scene. The answers lie in the components of the image cycle, and multimedia forensics can be the way to find them. Editing fingerprints, coding fingerprints, and acquisition fingerprints can be great sources of artefacts for the forensic expert. The JPEG image cycle comprises the steps below:
1. The image is broken into 8×8 pixel blocks.
2. DCT (Discrete Cosine Transform) is applied to every block from top to bottom and from left to right.
3. Quantization is used to compress every block.
4. The array of compressed blocks that comprises the image is now stored in a small space.
5. To recover the original image, the inverse DCT can be applied to the image.
If we study the JPEG standard in the context of drone image forensics, we find that it doesn’t mandate a specific Huffman code or quantization table, so it’s easy to adjust the compression and quality of the image. For the JPEG file to be decoded, its quantization table and Huffman code are therefore embedded in the JPEG header. These tables, codes and other data extracted from the JPEG header can be used for validation purposes. Image dimensions, Huffman code and quantization table are the basic elements of the camera signature. Cameras with different sensor resolutions can be classified on the basis of image dimensions.
A total of 284 values can be extracted from an image: 90 Huffman codes, 2 image dimensions and 192 quantization values. The Huffman code covers two kinds of coefficients, DC and AC, with separate codes for each of them. The code length can be 1, 2, …, 15, corresponding to 15 values, and Huffman supports 6 sets of such values. Similarly, the quantization table is a one-dimensional array of 192 values, as there are three sets of 8×8 tables, each specified as a single-dimensional array.
The JPEG header also contains a thumbnail version of the image, which can be used to carve out the next three components of the camera signature. The size of the thumbnail image is not larger than some hundred square pixels. In some cases, the camera doesn’t create or use a thumbnail image; in such cases, 0 is assigned to the parameters associated with the thumbnail. The thumbnail gives 284 values, comprising 192 quantization values, 90 Huffman codes and 2 image dimensions.
Exif metadata is used to carve out the last component of the camera signature. Exif metadata gives 8 values: 5 entry counts for IFDs, 1 for extra IFDs, 1 for parser errors and the last 1 for entries in extra IFDs.
So in total 576 values can be carved out of the full-resolution image: 284 values from the thumbnail header, 284 from the image header and 8 from the Exif metadata. Together they make up the camera signature, which helps to prove the authenticity of the image.
To detect alteration in a photo, the camera signature of the original camera is compared to the signature carved out of the photo; if there is a difference, it can be strong evidence in favour of tampering.
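The 284-value image-header part of the signature and its comparison can be sketched as follows. This is an added example, not code from the original post: the function names, the ordering of the values, the table ids 0 to 2 and the zero-filling of absent tables are assumptions, and the DQT (0xFFDB) and DHT (0xFFC4) segment payloads are constructed by hand.

```python
def parse_dqt(payload):
    """{table_id: 64 values} from one DQT (0xFFDB) segment payload."""
    tables, pos = {}, 0
    while pos < len(payload):
        width = 2 if payload[pos] >> 4 else 1          # high nibble: 16- or 8-bit entries
        raw = payload[pos + 1:pos + 1 + 64 * width]
        if len(raw) != 64 * width:
            raise ValueError("truncated quantization table")
        tables[payload[pos] & 0x0F] = [int.from_bytes(raw[i:i + width], "big")
                                       for i in range(0, len(raw), width)]
        pos += 1 + 64 * width
    return tables

def parse_dht(payload):
    """{(class, id): code counts for lengths 1..15} from one DHT (0xFFC4) payload."""
    tables, pos = {}, 0
    while pos < len(payload):
        counts = payload[pos + 1:pos + 17]             # one count per code length 1..16
        if len(counts) != 16:
            raise ValueError("truncated Huffman table")
        # class 0 = DC, 1 = AC; the signature in the post keeps lengths 1..15
        tables[(payload[pos] >> 4, payload[pos] & 0x0F)] = list(counts[:15])
        pos += 17 + sum(counts)                        # skip the symbol values
    return tables

def signature(width, height, dqt, dht):
    """284 values: 2 dimensions + 3x64 quantization values + 6x15 Huffman counts.
    Assumption of this example: a table that is absent is zero-filled."""
    sig = [width, height]
    for tid in range(3):
        sig += dqt.get(tid, [0] * 64)
    for cls in (0, 1):
        for tid in range(3):
            sig += dht.get((cls, tid), [0] * 15)
    return sig

def mismatches(candidate, reference):
    """Name the signature components in which two signatures differ."""
    parts = {"dimensions": slice(0, 2), "quantization": slice(2, 194),
             "huffman": slice(194, 284)}
    return [name for name, s in parts.items() if candidate[s] != reference[s]]

# Constructed payloads (not from a real camera): one quantization table, one DC Huffman table
REF_DQT = bytes([0x00]) + bytes(range(1, 65))
REF_DHT = bytes([0x00, 0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0]) + bytes(range(12))
REFERENCE = signature(4000, 3000, parse_dqt(REF_DQT), parse_dht(REF_DHT))
# Same dimensions and Huffman table, different quantization table (constructed re-save)
RESAVED = signature(4000, 3000, parse_dqt(bytes([0x00]) + bytes([2] * 64)), parse_dht(REF_DHT))
```

Here `mismatches(RESAVED, REFERENCE)` names the quantization component as the one that no longer matches the reference camera.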
As the camera distribution is non-uniform, there is an equivalence class of size n to compare with the camera configuration. If we take the case of Adobe Photoshop and compare its signature with various camera signatures, we find that only the image and thumbnail Huffman codes and quantization tables can be used for comparing. That means Photoshop signatures inhabit an equivalence class of size 1.
As mentioned above, the image cycle involves DCT, quantization and encoding. So for decoding we just have to apply the IDCT (Inverse Discrete Cosine Transform) to the image.
So we can conclude that image forensics is an important aspect of any investigation that includes an image involved in or associated with a crime. In drone forensics, image forensics can prove to be a strong technique that provides important artefacts to help with the case. The JPEG header, the Exif header and the thumbnail image can all be good sources of artefacts if data carving is done properly on them.