1. Never change the content of evidence storage neither intentionally nor unintentionally 2.

The result of cloning must be same as the source physically through sector per sector 3. The examination must be conducted by authorized and professional examiner 4. Every process of examination must be recorded for audit 5. The handling of evidence must refer to the Chain of Custody

Created by M. Nuh Al-Azhar, CHFI

 Pixel is a single point in a graphic image. Numbers of pixel combine together to form an image Resolution refers to the sharpness and clarity of an image Images can be broadly categorized into : Vector Image Vector graphics use geometrical primitives such as points, lines, curves, and polygons which are all based upon mathematical equations to represent images in computer Moving, scaling, rotating, filling, zooming and so on does not degrade the quality of a drawing Raster image is a data file or structure representing a generally rectangular grid of pixels or points of color Quality is determined by the total number of pixels and the amount of information in each pixel Quality is lost if scaled to a higher resolution
Created by M. Nuh Al-Azhar, CHFI

Graphics Interchange Format (GIF) Joint Photographic Experts Group (JPEG) Tagged Image File Format (TIFF) Windows Bitmap (BMP) JPEG 2000 Portable Network Graphics (PNG)

Created by M. Nuh Al-Azhar, CHFI

 Can be accessed by Image File Metadata Viewer such as Opanda IEXIF, FTK and so on Generally consisting of Image, Camera and Thumbnail Info Image Make, Model, Orientation, X Resolution, Y Resolution, Resolution Unit, Software, Date Time, YCbCr Positioning, EXIF IFD Pointer Camera Exif Version, Components Configurations, Flashpix Version, Color Space, Exif Image Width, Exif Image Height Thumbnail Info Compression, X Resolution, Y Resolution, Resolution Unit, JPEG Interchange Format, JPEG Interchange Format Length
Created by M. Nuh Al-Azhar, CHFI

 Image Orientation, X Resolution, Y Resolution, Resolution Unit, Software, Date Time, YCbCr Positioning, EXIF IFD Pointer Camera Exif Version, Components Configurations, Flashpix Version, Color Space, Exif Image Width, Exif Image Height Thumbnail Info Compression, X Resolution, Y Resolution, Resolution Unit, JPEG Interchange Format, JPEG Interchange Format Length (The red color words show a differences and inconsistencies between them)

Created by M. Nuh Al-Azhar, CHFI

 Checking the metadata of image : X Resolution, Y Resolution, Software, Date Time Checking the metadata of Thumbnail Info : X Resolution, Y Resolution, If there are differences between those metadata on X Resolution and Y Resolution, it means that the image is edited image This is usually supported by the information about Software and Date Time which are used to edit the image

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

 Analyze generally the image between Original and Edited Analyze particularly on the suspicious location which had been edited or the location which there is a difference between Original and Edited image Use pixel zooming to see the color degradation which is inappropriate and unnatural For pixel zooming, use the Image Forensics Tool such as PhotoZoom Pro If there are some inappropriate and unnatural color degradations, it means the image is not original

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

Created by M. Nuh Al-Azhar, CHFI

 Examination to the image under Image Forensics is conducted by using a combination of methods of Metadata and Pixel Analysis The examination is performed by at least 2 examiners The tools for examination are Image Forensics Tools such as Opanda IEXIF and PhotoZoom Pro If there is inconsistency about the metadata of Image and Thumbnail Info on X Resolution and Y Resolution, it means the image is result of editing process This is usually supported by the info about Software and Date Time when the process is conducted If there is any color degradation which is inappropriate and unnatural after pixel zooming, it means that the image is not original

Created by M. Nuh Al-Azhar, CHFI

 Computer Hacking Forensic Investigator (CHFI) Version 3 Module 16, EC-Council

Created by M. Nuh Al-Azhar, CHFI