What is Drone Image Forensics – Examination of Exif & JPEG Format

Anuraag Singh | Last Modified: October 16th, 2017 | Updates

Images, like text, are an important means of communication. They provide artifacts, a recorded visual perception of an object. In my previous blog post I discussed the ontology of drone forensics and mentioned image forensics as one of its important components. Continuing with image forensics, this post covers format-based drone image forensics. As mentioned previously, drones carry digital cameras that support the JPEG format, so JPEG format forensics is the main aim of this post. The image taken by a digital camera, known as a digital image, uses “lossy compression”, and JPEG uses this lossy compression method. In such images the encoded content is displayed using an inexact approximation, which is why the method is referred to as lossy compression.


What is JPEG?

JPEG, which stands for Joint Photographic Expert Group, is the standard method of compressing images. Its file extensions are .jpeg, .jpg, .jfif and .jpe, of which .jpg is the most used. JPEG/Exif is the format used by digital cameras; Exif refers to the Exchangeable Image File Format, which is used by audio, video, and image files recorded by digital cameras. Exif supports additional metadata tags on top of TIFF Rev 6.0 (for uncompressed images) and JPEG DCT (Discrete Cosine Transform, for compressed images).

What is EXIF File Format?

Exif (Exchangeable Image File Format) files are the same as JPEG images; Exif just adds metadata, namely the digicam/image information and a thumbnail, to the JPEG specification. When Exif is applied to JPEG, this metadata is stored in an Application Segment of the JPEG structure. Exif borrowed its tag structure from the TIFF header. It also supports a location information tag, referred to as the Geo-location tag. Because Exif data is embedded within the image file, this Geo-location tag can be a great artifact for the expert.


If we look inside the JPEG structure, we find a sequence of segments, each starting with a marker. The table given below gives a brief overview of JPEG markers.


We can see from the table that a JPEG file starts with the SOI (Start of Image) marker, which has the value 0xFFD8, and ends with the EOI (End of Image) marker, which has the value 0xFFD9. The structure of a JPEG marker is shown below.

Exif files use the “APPn” application marker APP1 (0xFFE1). JFIF (JPEG File Interchange Format) similarly uses an application marker to insert digicam information and a thumbnail image, but JFIF uses the APP0 (0xFFE0) marker to avoid conflicts. The structure of the Exif marker is shown below.

Because the Exif file starts with FFD8, it is a JPEG file. Looking at the structure, we can see that the size “SSSS” also includes the size of the descriptor itself. Other markers begin after the APP1 data ends. The Exif data starts with the ASCII string “Exif”, special data that identifies whether the segment is Exif or not, followed by 2 bytes of 0x00, and then the data follows.


The Exif file format uses TIFF data to store its data. The Exif format structure is shown below for a file that uses “Intel” byte align and a JPEG thumbnail.




Exif files use the TIFF format to store data. TIFF has an 8-byte image header; the basic header structure is shown below:

The first 2 bytes of the TIFF header give the type of byte align: “II” denotes Intel type byte align, while “MM” denotes Motorola type byte align. It is commonly seen that only Ricoh uses MM type byte align, while most other digicams use II type byte align. The type of byte align must therefore be checked when inspecting the TIFF header.

Image File Directory (IFD)

Having seen the structure of an Exif file, we know that the TIFF header is followed by the IFD, which holds the image information data. The IFD structure is shown below, along with the bytes it contains.

TTTT in the above figure shows the kind of data, denoted by a tag number. In the Exif structure the first IFD is linked to the IFD of the thumbnail image, after which the IFD link is terminated. The digicam information is stored in the Exif SubIFD, which is reached through an offset link.


Exif files contain the thumbnail image next to IFD1. Three kinds of thumbnail are possible: RGB TIFF format, JPEG format (which uses YCbCr) and YCbCr TIFF format.


The thumbnail is in JPEG format when the Compression tag (0x0103) in IFD1 is 6. The “JpegIFByteCount” (0x0202) tag gives the size of the JPEG thumbnail and the “JpegIFOffset” (0x0201) tag gives its offset.
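
The layout described above (SOI, APP1 with its SSSS size, the “Exif” identifier, the TIFF header, then IFD0 and IFD1 with the thumbnail tags) can be walked in a few lines. This is an added example, not code from the original post; `parse_exif` and `build_sample` are hypothetical names, the sample file is constructed by hand, and only SHORT and LONG values are decoded.

```python
import struct

def parse_exif(jpeg: bytes) -> dict:
    """Parse SOI + APP1 of an Exif JPEG: byte order, IFD tags, JPEG thumbnail."""
    if jpeg[:4] != b"\xff\xd8\xff\xe1":
        raise ValueError("expected SOI (FFD8) followed by APP1 (FFE1)")
    (size,) = struct.unpack(">H", jpeg[4:6])        # SSSS: big-endian, includes itself
    app1 = jpeg[6:4 + size]
    if len(app1) != size - 2 or app1[:6] != b"Exif\x00\x00":
        raise ValueError("truncated APP1 or missing 'Exif' identifier")
    tiff = app1[6:]                                  # every offset below is relative to this
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # Intel vs Motorola byte align
    if order is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    ifds, seen = [], set()
    while offset and offset not in seen:             # 'seen' stops looping IFD chains
        seen.add(offset)
        if offset + 2 > len(tiff):
            raise ValueError("IFD offset outside APP1")
        (count,) = struct.unpack_from(order + "H", tiff, offset)
        if offset + 2 + 12 * count + 4 > len(tiff):
            raise ValueError("IFD runs past end of APP1")
        tags = {}
        for pos in range(offset + 2, offset + 2 + 12 * count, 12):
            tag, typ, n = struct.unpack_from(order + "HHI", tiff, pos)
            fmt = "H" if typ == 3 else "I"           # SHORT sits in the first 2 value bytes
            (tags[tag],) = struct.unpack_from(order + fmt, tiff, pos + 8)
        ifds.append(tags)
        (offset,) = struct.unpack_from(order + "I", tiff, offset + 2 + 12 * count)
    thumb = None
    if len(ifds) > 1 and ifds[1].get(0x0103) == 6:   # IFD1 Compression == 6: JPEG thumbnail
        start, length = ifds[1][0x0201], ifds[1][0x0202]
        if start + length > len(tiff):
            raise ValueError("thumbnail outside APP1")
        thumb = tiff[start:start + length]
    return {"byte_order": tiff[:2].decode(), "ifds": ifds, "thumbnail": thumb}

def build_sample() -> bytes:
    """Constructed minimal Exif JPEG (not from a real camera): IFD0 + IFD1 + thumbnail."""
    ent = lambda tag, typ, val: struct.pack("<HHII", tag, typ, 1, val)
    tiff = (b"II" + struct.pack("<HI", 42, 8)
            + struct.pack("<H", 1) + ent(0x0112, 3, 1) + struct.pack("<I", 26)
            + struct.pack("<H", 3) + ent(0x0103, 3, 6) + ent(0x0201, 4, 68)
            + ent(0x0202, 4, 4) + struct.pack("<I", 0) + b"\xff\xd8\xff\xd9")
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A carved thumbnail that does not begin with FFD8, or offsets that point outside APP1, indicate a damaged or rewritten Exif block.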

JPEG Image Forensics

The first issue that arises in image forensics is to evaluate whether the image comes from the source it claims to come from. The next important issue is whether the image shows the original scene as captured. The answers lie in the components of the image cycle, so multimedia forensics can be the way to find them. The editing fingerprint, coding fingerprint, and acquisition fingerprint can be great sources of artifacts for the forensic expert. The JPEG image cycle comprises the following steps:

1. The image is split into 8×8 pixel blocks.
2. The DCT (Discrete Cosine Transform) is applied to every block, from top to bottom and from left to right.
3. Quantization is used to compress every block.
4. The array of compressed blocks that make up the image is now stored in a small amount of space.
5. To recover the original image, the inverse DCT can be applied to the image.

Studying the JPEG standard for drone image forensics, we find that it does not mandate a specific Huffman code or quantization table, so the compression and quality of the image are easy to adjust. Because the quantization table and Huffman code are needed to decode a JPEG file, they are embedded in the JPEG header, and these tables and other data extracted from the JPEG header can be used for validation. Image dimensions, Huffman code and quantization table are the basic elements of the camera signature. Cameras with different sensor resolutions can be classified on the basis of image dimensions. A total of 284 values can be extracted from an image: 90 Huffman codes, 2 image dimensions and 192 quantization values. The Huffman code covers two kinds of coefficients, DC and AC, with separate codes for each. The code length can be 1, 2, … 15, corresponding to 15 values, and there are 6 sets of such values. Similarly, the quantization tables form a one-dimensional array of 192 values, because there are three 8×8 tables, each specified as a one-dimensional array.

The JPEG header also contains a thumbnail version of the image, which can be used to carve out the next three components of the camera signature. The thumbnail image is not larger than a few hundred square pixels. Some cameras do not create or use a thumbnail image; in such cases 0 is assigned to the parameters associated with the thumbnail. The thumbnail yields 284 values: 192 quantization values, 90 Huffman codes and 2 image dimensions.

Exif metadata is used to carve out the last component of the camera signature. It yields 8 values: 5 entry counts for the IFDs, 1 for extra IFDs, 1 for parser errors and 1 for entries in extra IFDs.

In total, 576 values can be carved out of the full-resolution image: 284 from the thumbnail header, 284 from the image header and 8 from the Exif metadata. Together they form the camera signature, which helps to prove the authenticity of the image.
To detect alteration of a photo, the signature carved out of it is compared with the camera signature of the original camera; a difference can be strong evidence in favor of tampering.
Because the camera distribution is non-uniform, a camera configuration is compared against an equivalence class of size n. If we take Adobe Photoshop and compare its signature with various camera signatures, we find that only the thumbnail and image Huffman codes and quantization tables can be used for the comparison. This means that Photoshop signatures fall in an equivalence class of size 1.
As mentioned above, the image cycle involves DCT, quantization and encoding, so for decoding we just have to apply the IDCT (Inverse Discrete Cosine Transform) to the image.
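
The image-header part of the camera signature described above (2 image dimensions, 192 quantization values, 90 Huffman code-length counts) and the comparison step can be sketched as follows. This is an added example, not code from the original post; the function names, the ordering of the 284 values, the mapping of tables to slots by table id, and the header-only sample files are assumptions made for illustration.

```python
import struct

def header_signature(jpeg: bytes) -> list:
    """Return 2 dimensions + 192 quantization values + 90 Huffman counts (284 values)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    dims, quant, huff, pos = [0, 0], [0] * 192, [0] * 90, 2
    while pos + 4 <= len(jpeg):
        marker, size = struct.unpack_from(">HH", jpeg, pos)
        if marker >> 8 != 0xFF or size < 2 or pos + 2 + size > len(jpeg):
            raise ValueError(f"corrupt segment at offset {pos}")
        if marker == 0xFFDA:                       # SOS: header ends, scan data follows
            break
        seg, i = jpeg[pos + 4:pos + 2 + size], 0
        if marker in (0xFFC0, 0xFFC1, 0xFFC2):     # SOFn: precision, height, width, ...
            dims = list(struct.unpack_from(">HH", seg, 1))
        while marker == 0xFFDB and i < len(seg):   # DQT: one or more 64-entry tables
            wide, tid = seg[i] >> 4, seg[i] & 15
            vals = struct.unpack_from(">64H" if wide else "64B", seg, i + 1)
            if tid < 3:                            # assumption: slot chosen by table id
                quant[64 * tid:64 * tid + 64] = vals
            i += 1 + (128 if wide else 64)
        while marker == 0xFFC4 and i < len(seg):   # DHT: 16 code-length counts + symbols
            cls, tid, counts = seg[i] >> 4, seg[i] & 15, seg[i + 1:i + 17]
            if len(counts) != 16:
                raise ValueError("truncated DHT table")
            if cls < 2 and tid < 3:                # assumption: 6 slots = (DC, AC) x ids 0..2
                slot = 15 * (3 * cls + tid)
                huff[slot:slot + 15] = counts[:15] # the post counts lengths 1..15 only
            i += 17 + sum(counts)
        pos += 2 + size
    return dims + quant + huff

def differing_fields(a: list, b: list) -> list:
    """Name the signature components in which two 284-value signatures disagree."""
    names = ["dimensions"] * 2 + ["quantization"] * 192 + ["huffman"] * 90
    return sorted({n for n, x, y in zip(names, a, b) if x != y})

def build_sample(q: int) -> bytes:
    """Constructed header-only JPEG (not decodable) whose quantization table is all q."""
    seg = lambda m, body: struct.pack(">HH", m, len(body) + 2) + body
    dqt = seg(0xFFDB, bytes([0] + [q] * 64))
    sof = seg(0xFFC0, struct.pack(">BHHB", 8, 480, 640, 1) + bytes([1, 0x11, 0]))
    dht = seg(0xFFC4, bytes([0x00] + [0, 1] + [0] * 14 + [0x00]))
    sos = seg(0xFFDA, bytes([1, 1, 0x00, 0, 63, 0]))
    return b"\xff\xd8" + dqt + sof + dht + sos + b"\xff\xd9"
```

Comparing `build_sample(16)` with `build_sample(3)` reports only the quantization component as different, which is the pattern a re-save at another quality setting produces while dimensions and Huffman tables stay the same.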


We can conclude that image forensics is an important aspect of any investigation that includes an image involved in or associated with a crime. In drone forensics, drone image forensics can prove to be a strong technique that provides important artifacts to help with the case. The JPEG header, Exif header and thumbnail image can all be good sources of artifacts if data carving is done properly.