Goodbye Windows
Sunday, January 4. 2009
Over the last year I have been removing all of the Windows computers from my office. The last time I seriously used a Windows system was over two years ago -- ironically, when I was writing my Ubuntu book. Since then, my office has only had two Windows systems on-hand.
A few months ago I got fed up with Windows Vista. I wanted to put XP or 2000 on the laptop, but I couldn't ever get all of the drivers working. The Toshiba Satellite U305 only has drivers for Vista. Although there are some vague forum hints about where to pick up drivers for XP, I couldn't locate the right magic incantation.
Since then, I have installed Ubuntu on the laptop. Every driver worked out of the box with the exception of WiFi. And the MadWifi instructions were trivially easy to follow. For Windows support, I now run XP in a Qemu session under Linux. For sharing files between the VM guest and host systems, I use Samba.
That leaves one last Windows system. This is G's computer and I don't touch it. It has been running XP and was very stable for years. However nothing lasts forever.
Two days ago this computer decided to roll over and die. Nothing new was installed, no auto-updates, no malware... it just died. First Excel had problems, then the control panel generated errors about some bad exe, and then it wouldn't reboot.
Right now, I'm using Knoppix to mirror the entire disk to a portable USB drive. I can access the files on the system, so no personal data was lost. But I'm still needing to reinstall the OS, reinstall needed applications, and then recover personal files. Ugh, this is not going to be fun.
I've finally decided on my New Year's Resolution. I plan to not use or administer any Windows systems. (With the exception of reinstalling XP on G's computer, but I promised that before deciding this.)
I used to use Windows because some needed apps did not exist for other platforms. However, that isn't the case anymore. For example, Gimp is nice, but it just isn't the same as real Photoshop. And OpenOffice is getting there, but still isn't the same quality as Microsoft Word. Fortunately, I have real Photoshop and real MS Word for Mac OS X. And unlike a decade ago, the Mac versions are just as good as the Windows versions. I don't need Windows.
Even computer forensics: I do all my analysis of Windows systems from Linux. I never even boot the Windows image when doing analysis.
I do have a few needs for real Windows. For example, when a client says that they want my software ported to Windows, then I need to use Cygwin under Windows. However, this is rare and I certainly don't need to apply patches or even use an anti-virus system; I haven't browsed the web from Windows since 2005. Basically, I use Windows for generating content, but never for acquiring content.
Microsoft recently announced their next "newest" operating system: Windows 7. Some people are already praising this new OS.
I guess my pessimism is showing. I'm not holding my breath for Windows 7. Microsoft has been seriously trying to do graphical interfaces since 1990. (I'm not counting anything before Windows 3.0 since those were not serious graphical interfaces.) In all that time, they have been playing catch-up to Apple, Linux (Gnome and KDE both have advanced features that Windows lacks), and even OS/2 (while no longer supported, the OS/2 Desktop was decades ahead of even today's Linux and Mac desktops).
One would think that, after 19 years and nine major releases, that Windows wouldn't still be trying to catch up, crashing during updates, rebooting after every system change, fighting with stability issues, malware, and usability issues. Yet, Vista was such a disaster that companies are actually begging Microsoft to keep XP going and not force an upgrade to Vista.
And before anyone complains about my stability comment: since XP, Windows has been stable -- as long as you don't install third-party drivers or software. But I've never met anyone fitting that profile. And, yes, bad drivers for Linux can crash the OS. However there is a big difference here: if I install a bad driver under Linux, I can boot into a recovery mode and disable the driver. With Windows, bad drivers usually screw up the registry. You are better off recovering from a backup. (You have backups, right?)
I'm giving up on Windows. I don't even plan on giving Windows 7 a chance. When it comes to operating systems, Microsoft has failed me too many times for me to believe that year #20 will be different.
In my opinion, Microsoft should leave the OS world and focus on their strengths: non-network applications and networked online services. There is no question that MS Word is still king of the word processors, Powerpoint rules presentations, and Excel leads spreadsheets. And if Microsoft focused on online services, then they would stand a good chance of growing their position rather than continuing to lose in the browser market and managing the #3 search engine (8% market share) behind Google (64%) and Yahoo (20%).
A few months ago I got fed up with Windows Vista. I wanted to put XP or 2000 on the laptop, but I couldn't ever get all of the drivers working. The Toshiba Satellite U305 only has drivers for Vista. Although there are some vague forum hints about where to pick up drivers for XP, I couldn't locate the right magic incantation.
Since then, I have installed Ubuntu on the laptop. Every driver worked out of the box with the exception of WiFi. And the MadWifi instructions were trivially easy to follow. For Windows support, I now run XP in a Qemu session under Linux. For sharing files between the VM guest and host systems, I use Samba.
One Down...
That leaves one last Windows system. This is G's computer and I don't touch it. It has been running XP and was very stable for years. However nothing lasts forever.
Two days ago this computer decided to roll over and die. Nothing new was installed, no auto-updates, no malware... it just died. First Excel had problems, then the control panel generated errors about some bad exe, and then it wouldn't reboot.
Right now, I'm using Knoppix to mirror the entire disk to a portable USB drive. I can access the files on the system, so no personal data was lost. But I'm still needing to reinstall the OS, reinstall needed applications, and then recover personal files. Ugh, this is not going to be fun.
Resolution
I've finally decided on my New Year's Resolution. I plan to not use or administer any Windows systems. (With the exception of reinstalling XP on G's computer, but I promised that before deciding this.)
I used to use Windows because some needed apps did not exist for other platforms. However, that isn't the case anymore. For example, Gimp is nice, but it just isn't the same as real Photoshop. And OpenOffice is getting there, but still isn't the same quality as Microsoft Word. Fortunately, I have real Photoshop and real MS Word for Mac OS X. And unlike a decade ago, the Mac versions are just as good as the Windows versions. I don't need Windows.
Even computer forensics: I do all my analysis of Windows systems from Linux. I never even boot the Windows image when doing analysis.
I do have a few needs for real Windows. For example, when a client says that they want my software ported to Windows, then I need to use Cygwin under Windows. However, this is rare and I certainly don't need to apply patches or even use an anti-virus system; I haven't browsed the web from Windows since 2005. Basically, I use Windows for generating content, but never for acquiring content.
But Next Time For Sure!
Microsoft recently announced their next "newest" operating system: Windows 7. Some people are already praising this new OS.
I guess my pessimism is showing. I'm not holding my breath for Windows 7. Microsoft has been seriously trying to do graphical interfaces since 1990. (I'm not counting anything before Windows 3.0 since those were not serious graphical interfaces.) In all that time, they have been playing catch-up to Apple, Linux (Gnome and KDE both have advanced features that Windows lacks), and even OS/2 (while no longer supported, the OS/2 Desktop was decades ahead of even today's Linux and Mac desktops).
One would think that, after 19 years and nine major releases, that Windows wouldn't still be trying to catch up, crashing during updates, rebooting after every system change, fighting with stability issues, malware, and usability issues. Yet, Vista was such a disaster that companies are actually begging Microsoft to keep XP going and not force an upgrade to Vista.
And before anyone complains about my stability comment: since XP, Windows has been stable -- as long as you don't install third-party drivers or software. But I've never met anyone fitting that profile. And, yes, bad drivers for Linux can crash the OS. However there is a big difference here: if I install a bad driver under Linux, I can boot into a recovery mode and disable the driver. With Windows, bad drivers usually screw up the registry. You are better off recovering from a backup. (You have backups, right?)
I'm giving up on Windows. I don't even plan on giving Windows 7 a chance. When it comes to operating systems, Microsoft has failed me too many times for me to believe that year #20 will be different.
In my opinion, Microsoft should leave the OS world and focus on their strengths: non-network applications and networked online services. There is no question that MS Word is still king of the word processors, Powerpoint rules presentations, and Excel leads spreadsheets. And if Microsoft focused on online services, then they would stand a good chance of growing their position rather than continuing to lose in the browser market and managing the #3 search engine (8% market share) behind Google (64%) and Yahoo (20%).
2009: The Year of the Polar Bear
Friday, January 2. 2009
Fear, uncertainty, and doubt are certainly in the news as we start this new year. And interestingly, so are polar bears...
That's nothing like a good FUD. Yes: the Earth is getting warming. However, there is still no undebatable proof that it is man-made. Commonly cited items include the growing (now shrinking) Ozone hole, the missing (now returning) sunspots, the measurable increase in temperature on Mars, increasing CO2 levels from coal, and the fact that there is really no long-term recorded data (100 years is not long term) but we think we are coming out of an ice age...
But hey! Global Warming!
And with each mention of Global Warming, people also mention the shrinking antarctic ice shelf and polar bears (who live in the arctic, not antarctic, but most American's don't know geography anyway).
You see, the polar bears habitat is shrinking (Global Warming). As a result, there are more news reports of bears interacting with humans. (I'm sure it has nothing to do with humans leaving out easy-to-get food.) A few bears even come into contact with people!
One news story making its rounds features photos of a polar bear chasing a guy around his truck. (In all sincerity, I have to wonder who was taking the pictures and why wasn't he helping the guy.) Forget the fact that there are polar bear encounters every year, even before we discovered Global Warming. It's a good thing the truck was a Ford -- and Ford saved his life without needing a bailout.
Then again, some people are just asking to be eaten by a polar bear. I love the quote about why the German guy entered the polar bear's zoo habitat:
In Germany, it takes a nut to understand a Knut.
Yosemite is becoming more active. News reports say that the volcano under Yosemite could blow at any moment! Then again, this time last year they called Yosemite a "ticking time bomb". If their FUD didn't cause panic last year, then let's try it again!
But even if Yosemite blows, don't worry... it will reverse global warming and send us into a thousand-year deep freeze. Which will lead to more polar bears. Good thing we have Palin back in Alaska to shoot them darn bears, dontyaknow.
As an aside, the news article about Alaska also says:
Since DNA testing takes a week or longer, I have to wonder: did they kill the bear before matching the DNA, or after?
For a lame duck, he is giving away billions like there is no tomorrow. Because for him, Obama is the end of the world, and "tomorrow" ends on January 20th.
So what does Bush have to do with polar bears? Plenty! Back in 2006, the Bush Administration wanted the bears listed as "threatened" and not "endangered". The classification difference determines how much we can interfere with their environment. In December 2008, the same administration pushed the US Fish and Wildlife Service to announce "that it will deny the polar bear the appropriate and necessary protections of the Endangered Species Act (ESA)." Now this lame duck is giving away oil drilling rights in the bear's habitat. (See! It all comes back to polar bears and global warming!)
Yes, the stupid economy. We're still in a depression. No wonder they call it a "Bear Market".
To some, this is a serious threat. For example, Al Qaeda endorsed McCain. So Obama already has an unpopular start.
And then there are all of the anti-Obama conspiracy idiots... Sadly, the anti-Obama crowd cannot keep their conspiracies straight. First they said Obama was not born in the USA, then their said his birth certificate was fake. I disproved findings from TechDude and Polarik.
The conspiracy crowd also said that Obama was a Muslim (not that there's anything wrong with that, but they use it to feed fear/uncertainty/doubt). Forget the fact that they also criticized Obama for his non-Muslim preacher and that the Indonesian elementary school document listing Obama's religion as "Muslim" also says that he was born in Hawaii. Uh, you can either pretend he was not born in Hawaii or you can try to argue that he is a Muslim, but the documents contradict arguing both.
Even that sad little troll, Polarik, cannot keep his story straight. For example:
I could go on and shred his declaration, but I already did that. And yet, "Dr." Polarik still tries to tell people that Obama's birth certificate is fake.
I think the truth is a little deeper: Polar bears support Obama.
Sadly, Obama is already being promoted as the next best thing to Swiss cheese. Many worshipers are promoting Obama as if he were the Second Coming. Let's tone down the praise until after Obama starts his new job and actually accomplishes something. Remember, the last time we had a Democratic President with a Democratic Congress, Clinton was in office and they only held the majority for two years. Before that was Jimmy Carter (right President for the wrong year). Both times, the President lacked strong congressional support.
Global Warming!
That's nothing like a good FUD. Yes: the Earth is getting warming. However, there is still no undebatable proof that it is man-made. Commonly cited items include the growing (now shrinking) Ozone hole, the missing (now returning) sunspots, the measurable increase in temperature on Mars, increasing CO2 levels from coal, and the fact that there is really no long-term recorded data (100 years is not long term) but we think we are coming out of an ice age...
But hey! Global Warming!
And with each mention of Global Warming, people also mention the shrinking antarctic ice shelf and polar bears (who live in the arctic, not antarctic, but most American's don't know geography anyway).
You see, the polar bears habitat is shrinking (Global Warming). As a result, there are more news reports of bears interacting with humans. (I'm sure it has nothing to do with humans leaving out easy-to-get food.) A few bears even come into contact with people!
One news story making its rounds features photos of a polar bear chasing a guy around his truck. (In all sincerity, I have to wonder who was taking the pictures and why wasn't he helping the guy.) Forget the fact that there are polar bear encounters every year, even before we discovered Global Warming. It's a good thing the truck was a Ford -- and Ford saved his life without needing a bailout.
Then again, some people are just asking to be eaten by a polar bear. I love the quote about why the German guy entered the polar bear's zoo habitat:
Police said the man, before being let go, told them that he felt lonely and the bear — Knut, a famed attraction at the zoo — appeared lonely, too. Knut, 2, weighs 440 pounds.
In Germany, it takes a nut to understand a Knut.
Yosemite is GOING TO BLOW!
Yosemite is becoming more active. News reports say that the volcano under Yosemite could blow at any moment! Then again, this time last year they called Yosemite a "ticking time bomb". If their FUD didn't cause panic last year, then let's try it again!
But even if Yosemite blows, don't worry... it will reverse global warming and send us into a thousand-year deep freeze. Which will lead to more polar bears. Good thing we have Palin back in Alaska to shoot them darn bears, dontyaknow.
As an aside, the news article about Alaska also says:
During the summer, three serious grizzly bear maulings in Anchorage had residents on edge. A sow with cubs, who later was connected by DNA to one of the maulings, was killed by state biologists. Her cubs were sent to a zoo.
Since DNA testing takes a week or longer, I have to wonder: did they kill the bear before matching the DNA, or after?
18 More Days of George Bush!
For a lame duck, he is giving away billions like there is no tomorrow. Because for him, Obama is the end of the world, and "tomorrow" ends on January 20th.
So what does Bush have to do with polar bears? Plenty! Back in 2006, the Bush Administration wanted the bears listed as "threatened" and not "endangered". The classification difference determines how much we can interfere with their environment. In December 2008, the same administration pushed the US Fish and Wildlife Service to announce "that it will deny the polar bear the appropriate and necessary protections of the Endangered Species Act (ESA)." Now this lame duck is giving away oil drilling rights in the bear's habitat. (See! It all comes back to polar bears and global warming!)
It's the Economy, Stupid!
Yes, the stupid economy. We're still in a depression. No wonder they call it a "Bear Market".
Obama Is Coming!
To some, this is a serious threat. For example, Al Qaeda endorsed McCain. So Obama already has an unpopular start.
And then there are all of the anti-Obama conspiracy idiots... Sadly, the anti-Obama crowd cannot keep their conspiracies straight. First they said Obama was not born in the USA, then their said his birth certificate was fake. I disproved findings from TechDude and Polarik.
The conspiracy crowd also said that Obama was a Muslim (not that there's anything wrong with that, but they use it to feed fear/uncertainty/doubt). Forget the fact that they also criticized Obama for his non-Muslim preacher and that the Indonesian elementary school document listing Obama's religion as "Muslim" also says that he was born in Hawaii. Uh, you can either pretend he was not born in Hawaii or you can try to argue that he is a Muslim, but the documents contradict arguing both.
Even that sad little troll, Polarik, cannot keep his story straight. For example:
- In some undated "legal" declarations (which, being undated, make me even question whether they are legal, or just more bullshit), Polarik claims different credentials than he posted in a public forum. He used to claim a "PhD is in Instructional Media and Experimental Psychology (dual major)." In the declaration, Polarik only mentions a "PhD in Instructional Systems" (not "Instructional Media").
- Polarik's declaration also doesn't mention his claim to be a handwriting expert, Masters in Statistics, and other unverifiable credentials.
- Polarik has also said that "Ron Polarik" is not his real name, except for the one posting where he claimed that it was a real name: "Ron is my real first name, and Polarik is what I got from my Father's real last name."
- Polarik has repeatedly claimed to use a pseudonym because he fears physical attack from pro-Obama supporters. Yet in his (likely fake and provably inaccurate) declaration, Polarik claims that the anonymity is to protect his employer (some unnamed government agency) and not any kind of physical retribution.
I could go on and shred his declaration, but I already did that. And yet, "Dr." Polarik still tries to tell people that Obama's birth certificate is fake.
I think the truth is a little deeper: Polar bears support Obama.
Sadly, Obama is already being promoted as the next best thing to Swiss cheese. Many worshipers are promoting Obama as if he were the Second Coming. Let's tone down the praise until after Obama starts his new job and actually accomplishes something. Remember, the last time we had a Democratic President with a Democratic Congress, Clinton was in office and they only held the majority for two years. Before that was Jimmy Carter (right President for the wrong year). Both times, the President lacked strong congressional support.
Image Ballistics and Photo Fingerprinting
Monday, December 29. 2008
The DC3 just posted all of the solutions submitted this year (click on "Challenge Results" and then "View" next to the team's name). [Update: The links have been taken down temporarily, but will return shortly.]
Challenge #402 was advanced image analysis. Most teams focused strictly on meta data. However, a few teams did use the Error Level Analyser. (Brag: Error Level Analyser was created by Noah and is based on the Error Level Analysis description found in my Black Hat paper.) One team, APWG, used Error Level Analyser and their own variant of the same algorithm.
One way to tell if an image is "original" is to see if it came from a known original source.
JPEG Fingerprinting (also called "ballistics") attempts to match meta data and file structure with a known device. For example, the JPEG meta data may include a camera make and model. Using programs like Exiftool and JPEGsnoop, this meta information can be quickly extracted.
However, there is a problem with analysis based strictly on meta data: meta data can lie. Here's a fun test: Start with a picture from a digital camera. Exiftool should list lots of juicy meta data that identifies the camera. Load the image in Photoshop, draw on it, then resave it. The new picture has your drawing on it, but meta data that still identifies the camera.
While Exiftool only extracts meta data, other tools, including JPEGsnoop, evaluate a variety of image attributes.
JPEG Fingerprinting goes much further than just the meta data. For example, the Fujifilm Finepix F10 6.3MP Digital Camera can only take pictures at 3024x2016, 2848x2136, 2048x1536, 1600x1200, or 640x480. If you have a picture at any other resolution, then you know it did not come directly from this camera -- even if the meta data says that this camera was involved in the picture creation.
More wicked is quantization tables analysis. Quantization tables (Q tables) are used by JPEGs to reduce the signal level and increase compression. Ideally the Q tables should be optimized for each image. However, this is computationally expensive -- imagine clicking on "Save As Jpeg" and then waiting 2 minutes for it to save. It is even worse with digital cameras; most cameras lack the resources for high intensity computations.
Rather than computing the Q tables as needed, most applications and cameras use hard-coded Q tables. If your camera has three quality levels (high, medium, low) then you are actually selecting one of three hard-coded Q tables stored in the camera. Photoshop actually has 13 different hard-coded Q tables (I'm ignoring Save For Web, which has even more options). And different versions of Photoshop have different Q tables.
Most applications and devices use custom Q tables. For cameras, the tables may be optimized for the CCD, manufacturer's color space, or image size. Most cameras have different Q tables -- they can even be different between different cameras in the same product line.
Unfortunately, Q tables are not always unique. Many open source tools use the same Q tables (why derive when you can reuse?), and practically everyone does "99% quality" the same way (the Q tables are all "1 1 1 1 1 ...."). But even between different cameras, the same Q tables may appear. For example, the Nikon E2500 has Q tables that match 92% quality. The exact same Q tables are used by the Seiko Epson Corp. PhotoPC 3000Z.
Ideally, you want to match the meta data, image size, and Q tables (and anything else you can find) to known samples from a real camera. If something does not match, then you know it did not come directly from the camera. And if you get a perfect match, then it is a strong indicator (but not necessarily proof) that it came from the camera.
Different digital cameras have different quality images. Some pictures may be grainy, others may have trouble with bright colors, and still others may not have a very white "white".
Let's say that you want to evaluate pictures from a digital camera before deciding on buying it. There is a web site called Digital Photography Review (DPR) that offers a gallery of pictures taken with different digital cameras. They have the images scaled to 50% (not original, but good for viewing) as well as the original images from the camera.
Ah, "original images". This is where the problem comes in. They have literally hundreds of high quality pictures that really came from the cameras. These are "original". However, of the 300+ original photos, I have found nearly 10% are not "original".
In most cases, the non-originals were saved using Photoshop. Now keep in mind, I am certainly not saying that these pictures have been edited or doctored or are forgeries. They appear to have just been saved using Photoshop. The problem is, JPEGs lose quality each time they are resaved, and these have been resaved -- they are not "original from the camera".
Here are three examples:
Then again, perhaps we should not trust the gallery images provided by the actual camera manufacturers. For example, Leica has a gallery of sample images taken by their cameras. Every one that I have checked so far was actually saved using tools like "Adobe Photoshop CS3 Macintosh" and "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100.". I cannot find a single sample on Leica's web site that actually came directly from a camera.
So as not to pick on Leica, the same can be said for sample pictures at Nikon. I could find no camera-originals to download, but they have a cool Flash wrapper around post-processed and resaved sample images.
In contrast, Kodak and their Kodak Gallery has no sample pictures (but lots of things you can buy) and I could find no way to browse images at http://www.kodakgallery.com/. One would think that with two different web locations that are both titled "Kodak Gallery", that this camera manufacturer want people to see samples from their cameras. One would be wrong.
But all is not lost: galleries at Canon and Casio really do have straight-from-the-camera samples.
Challenge #402 was advanced image analysis. Most teams focused strictly on meta data. However, a few teams did use the Error Level Analyser. (Brag: Error Level Analyser was created by Noah and is based on the Error Level Analysis description found in my Black Hat paper.) One team, APWG, used Error Level Analyser and their own variant of the same algorithm.
JPEG Ballistics
One way to tell if an image is "original" is to see if it came from a known original source.
JPEG Fingerprinting (also called "ballistics") attempts to match meta data and file structure with a known device. For example, the JPEG meta data may include a camera make and model. Using programs like Exiftool and JPEGsnoop, this meta information can be quickly extracted.
However, there is a problem with analysis based strictly on meta data: meta data can lie. Here's a fun test: Start with a picture from a digital camera. Exiftool should list lots of juicy meta data that identifies the camera. Load the image in Photoshop, draw on it, then resave it. The new picture has your drawing on it, but meta data that still identifies the camera.
While Exiftool only extracts meta data, other tools, including JPEGsnoop, evaluate a variety of image attributes.
Size Matters
JPEG Fingerprinting goes much further than just the meta data. For example, the Fujifilm Finepix F10 6.3MP Digital Camera can only take pictures at 3024x2016, 2848x2136, 2048x1536, 1600x1200, or 640x480. If you have a picture at any other resolution, then you know it did not come directly from this camera -- even if the meta data says that this camera was involved in the picture creation.
Q Table Matching
More wicked is quantization tables analysis. Quantization tables (Q tables) are used by JPEGs to reduce the signal level and increase compression. Ideally the Q tables should be optimized for each image. However, this is computationally expensive -- imagine clicking on "Save As Jpeg" and then waiting 2 minutes for it to save. It is even worse with digital cameras; most cameras lack the resources for high intensity computations.
Rather than computing the Q tables as needed, most applications and cameras use hard-coded Q tables. If your camera has three quality levels (high, medium, low) then you are actually selecting one of three hard-coded Q tables stored in the camera. Photoshop actually has 13 different hard-coded Q tables (I'm ignoring Save For Web, which has even more options). And different versions of Photoshop have different Q tables.
Most applications and devices use custom Q tables. For cameras, the tables may be optimized for the CCD, manufacturer's color space, or image size. Most cameras have different Q tables -- they can even be different between different cameras in the same product line.
Unfortunately, Q tables are not always unique. Many open source tools use the same Q tables (why derive when you can reuse?), and practically everyone does "99% quality" the same way (the Q tables are all "1 1 1 1 1 ...."). But even between different cameras, the same Q tables may appear. For example, the Nikon E2500 has Q tables that match 92% quality. The exact same Q tables are used by the Seiko Epson Corp. PhotoPC 3000Z.
All Together
Ideally, you want to match the meta data, image size, and Q tables (and anything else you can find) to known samples from a real camera. If something does not match, then you know it did not come directly from the camera. And if you get a perfect match, then it is a strong indicator (but not necessarily proof) that it came from the camera.
Applied Ballistics
Different digital cameras have different quality images. Some pictures may be grainy, others may have trouble with bright colors, and still others may not have a very white "white".
Let's say that you want to evaluate pictures from a digital camera before deciding on buying it. There is a web site called Digital Photography Review (DPR) that offers a gallery of pictures taken with different digital cameras. They have the images scaled to 50% (not original, but good for viewing) as well as the original images from the camera.
Ah, "original images". This is where the problem comes in. They have literally hundreds of high quality pictures that really came from the cameras. These are "original". However, of the 300+ original photos, I have found nearly 10% are not "original".
In most cases, the non-originals were saved using Photoshop. Now keep in mind, I am certainly not saying that these pictures have been edited or doctored or are forgeries. They appear to have just been saved using Photoshop. The problem is, JPEGs lose quality each time they are resaved, and these have been resaved -- they are not "original from the camera".
Here are three examples:
- Fujifilm FinePix S100 FS. The first picture shows a golden mirror hanging on a red wall. The original image is huge (3840x2880), but it shows a lot of grain and noise. The original was actually saved using "Adobe Photoshop CS3 Windows". Considering that the resave should remove noise, this is really a horrible picture. Then again, all of the other original gallery pictures from this camera do not show as much noise -- so maybe the noise was added using Photoshop or emphasized by Photoshop. (Probably not, but it is an option since the image is not "original".)
- Kodak DCS Pro SLR/c. The first picture is a wonderfully clean image of a Ferris wheel. The problem is, this original was actually saved using Adobe Photoshop CS Windows.
- Leica M8. The first picture is a stunning black-and-white cityscape. However, it has meta data saying that it was saved using Photoshop 3.0. The other black-and-white sample image also says Photoshop 3.0. However, the color samples each lack this Photoshop meta data. I suspect that Photoshop was used to create the black-and-white images from color images.
Then again, perhaps we should not trust the gallery images provided by the actual camera manufacturers. For example, Leica has a gallery of sample images taken by their cameras. Every one that I have checked so far was actually saved using tools like "Adobe Photoshop CS3 Macintosh" and "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100.". I cannot find a single sample on Leica's web site that actually came directly from a camera.
So as not to pick on Leica, the same can be said for sample pictures at Nikon. I could find no camera-originals to download, but they have a cool Flash wrapper around post-processed and resaved sample images.
In contrast, Kodak and their Kodak Gallery has no sample pictures (but lots of things you can buy) and I could find no way to browse images at http://www.kodakgallery.com/. One would think that with two different web locations that are both titled "Kodak Gallery", that this camera manufacturer want people to see samples from their cameras. One would be wrong.
But all is not lost: galleries at Canon and Casio really do have straight-from-the-camera samples.
Individual Forensics
Saturday, December 27. 2008
About once a month I get an email query with questions like:
Over a decade ago I made a policy of not working with individuals. I'll work with big companies, small companies, and mom-and-pop stores, but not individuals. It has been my experience that individuals enter the contract with a very biased viewpoint. If they want forensic services, then they already suspect wrong-doing. If the results do not support their beliefs, then many individuals feel cheated; they may refuse to pay ("but you didn't find anything!") or will publicly attack your reputation ("He sucks because he didn't find porn on my son's computer and I know it is there!"). Individuals also commonly ignore privacy and legal issues (do you have the legal right to conduct a warrant-less search on your son's or husband's computer?).
While individuals are likely to disagree with the forensic results, companies -- even small ones -- are much more open. If they suspect an employee of posting confidential information and learn that it is not coming from their suspect (or even from any employee), then companies are very interested. From my viewpoint, legal departments are the best groups to work with -- they find everything interesting and valuable.
Ironically, I know a few people who only work with individuals or very small companies. Most of these people focus on repairing Windows systems. As one of them put it, by the time their clients think that there might be something wrong with their computer, there is definitely something wrong. It's kind of like when your car starts making a loud pinging sound and blowing out black smoke. The problem has been around for a long time -- it is only gotten bad enough for the driver to become concerned.
As for the questions above...
In my experience: if you think your husband is cheating on you, then he probably is. You shouldn't be looking at his computer. You should be contacting a divorce attorney, squirreling away money, and then consider talking to him about it. I mean, seriously, if you suspect an affair then your suspicion is probably not limited to computer evidence.
Alright... if you didn't take the picture then you either found it in a publication (too low quality to analyze) or on the Web. If it is real, then why was it released on the web first? I mean, think about it, if you just took a real picture of a UFO then you would send it to FOX News or CNN. Or you would contact one of those investigative groups that actually review pictures of ghosts and UFOs.
If the picture is of a celebrity, then again ask yourself "where did this picture come from?" If it started on the web then it is probably fake. If it started in a tabloid (including FOX), then it might be photoshopped.
However, in that really rare instance where you are the photographer, then I would consider evaluating the original photo. But keep in mind: I am very good at detecting fakes and I reserve the right to publicly out fakes and the people behind them. (And even under this rare case, do not just mail me the photos. I have other rules, like "no porn" and "must pay my fee up front".)
I get a couple of queries like this each year. This is actually a very good question. It really depends on the type of forensics, your location, and the amount you are willing to pay.
For example, if you are interested in evaluating what happened on a Windows box, then I know a few people -- but they only work locally. The cost to fly them out for evaluating your system is likely prohibitive to you. They will want you to cover lodging, transportation, meals, and lost wages while they are out of the office. And that is on top of whatever they charge you. (Also, nearly all of them want 50%-100% up front.)
For image analysis, I don't know anyone who works with individuals. The same goes for network analysis.
On the other hand, if you have strong reasons to suspect a crime -- particularly concerning child pornography -- then the FBI are definitely the right way to go. (Just don't expect to ever get your hardware back since they will want to hold onto the evidence.)
Then again, if you suspect a crime (any kind of crime), then I strongly recommend consulting an attorney first. "He who smelt it dealt it" applies just as well to people reporting crimes as it does to farts. Your attorney will explain to you any risks and options. For example, if you suspect that one of your employees has stored child porn on his work computer, then you must report it to the police. However, since it is your computer (you own or manage the asset), you are in possession of child porn (a felony). Your attorney will help you report this without getting you in trouble.
Some types of computer forensics don't require an advanced knowledge of computers. You might want to check out books like Computer Forensics for Dummies, Steal This Computer Book, and Your Secrets Are My Business.
I think my husband is cheating on me. Could you look at his computer and find out?
I saw a picture of a ghost (or UFO or Elvis or celebrity in a compromising position). Can you tell me if it is real?
Do you know anyone who provides forensic services to individuals?
Over a decade ago I made a policy of not working with individuals. I'll work with big companies, small companies, and mom-and-pop stores, but not individuals. It has been my experience that individuals enter the contract with a very biased viewpoint. If they want forensic services, then they already suspect wrong-doing. If the results do not support their beliefs, then many individuals feel cheated; they may refuse to pay ("but you didn't find anything!") or will publicly attack your reputation ("He sucks because he didn't find porn on my son's computer and I know it is there!"). Individuals also commonly ignore privacy and legal issues (do you have the legal right to conduct a warrant-less search on your son's or husband's computer?).
While individuals are likely to disagree with the forensic results, companies -- even small ones -- are much more open. If they suspect an employee of posting confidential information and learn that it is not coming from their suspect (or even from any employee), then companies are very interested. From my viewpoint, legal departments are the best groups to work with -- they find everything interesting and valuable.
Ironically, I know a few people who only work with individuals or very small companies. Most of these people focus on repairing Windows systems. As one of them put it, by the time their clients think that there might be something wrong with their computer, there is definitely something wrong. It's kind of like when your car starts making a loud pinging sound and blowing out black smoke. The problem has been around for a long time -- it is only gotten bad enough for the driver to become concerned.
Answering Questions
As for the questions above...
I think my husband is cheating on me. Could you look at his computer and find out?
In my experience: if you think your husband is cheating on you, then he probably is. You shouldn't be looking at his computer. You should be contacting a divorce attorney, squirreling away money, and then consider talking to him about it. I mean, seriously, if you suspect an affair then your suspicion is probably not limited to computer evidence.
I saw a picture of a ghost (or UFO or Elvis or celebrity in a compromising position). Can you tell me if it is real?
Alright... if you didn't take the picture then you either found it in a publication (too low quality to analyze) or on the Web. If it is real, then why was it released on the web first? I mean, think about it, if you just took a real picture of a UFO then you would send it to FOX News or CNN. Or you would contact one of those investigative groups that actually review pictures of ghosts and UFOs.
If the picture is of a celebrity, then again ask yourself "where did this picture come from?" If it started on the web then it is probably fake. If it started in a tabloid (including FOX), then it might be photoshopped.
However, in that really rare instance where you are the photographer, then I would consider evaluating the original photo. But keep in mind: I am very good at detecting fakes and I reserve the right to publicly out fakes and the people behind them. (And even under this rare case, do not just mail me the photos. I have other rules, like "no porn" and "must pay my fee up front".)
Do you know anyone who provides forensic services to individuals?
I get a couple of queries like this each year. This is actually a very good question. It really depends on the type of forensics, your location, and the amount you are willing to pay.
For example, if you are interested in evaluating what happened on a Windows box, then I know a few people -- but they only work locally. The cost to fly them out for evaluating your system is likely prohibitive to you. They will want you to cover lodging, transportation, meals, and lost wages while they are out of the office. And that is on top of whatever they charge you. (Also, nearly all of them want 50%-100% up front.)
For image analysis, I don't know anyone who works with individuals. The same goes for network analysis.
On the other hand, if you have strong reasons to suspect a crime -- particularly concerning child pornography -- then the FBI are definitely the right way to go. (Just don't expect to ever get your hardware back since they will want to hold onto the evidence.)
Then again, if you suspect a crime (any kind of crime), then I strongly recommend consulting an attorney first. "He who smelt it dealt it" applies just as well to people reporting crimes as it does to farts. Your attorney will explain to you any risks and options. For example, if you suspect that one of your employees has stored child porn on his work computer, then you must report it to the police. However, since it is your computer (you own or manage the asset), you are in possession of child porn (a felony). Your attorney will help you report this without getting you in trouble.
Some types of computer forensics don't require an advanced knowledge of computers. You might want to check out books like Computer Forensics for Dummies, Steal This Computer Book, and Your Secrets Are My Business.
Graphic Content, Parental Supervision Advised
Tuesday, December 23. 2008
In computer forensics, it is not uncommon to come across a corrupt file. If you can repair the corruption, then you can access the data. Unfortunately, some file formats are more difficult to repair than others. For example, a plain text file may simply require identifying a splice around missing data. In contrast, graphic file formats (and audio and video, for that matter) can be extremely complicated.
One of the challenges from this year's DC3 Forensic Challenge concerned corrupt header reconstruction. The DC3 provided GIF, JPEG, and BMP files that each had some form of header corruption. The goal was to rebuild the header and create a valid image. Earlier this month, I was told by the DC3 that I had successfully recovered each file. In fact, they compared my recovered files with the original (pre-corruption) files and they turned out to be identical. My secret was not to find "a" header that worked. Rather, I recreated the headers based on the remainder of the file's data.
Back in 2005, I created a tool for analyzing image format structures. The program, imgana, dissected GIF and JPEGs. Keep in mind, this program does not view pictures. Instead, it identifies the file structure, meta information, and abnormalities.
The GIF format is relatively simple. The big parts are the header, global and optional local color tables (GCT and LCT), and the compressed data segments. The catch with a GIF is that a single corrupt byte can (and likely will) damage the everything after it.
Knowing this, if you have a corrupt GIF header, then you just need to replace the header structure. When you see the GCT, the header must define the GCT size. The most difficult part is identifying the image size. However, if you can decode the encrypted data, then you can identify likely sizes. For example, if it decodes 100 pixels, then the resolution is either 1x100, 2x50, 4x25, 5x20, 10x10, 20x5, 25x4, 50x2, or 100x1.
With GIF, every segment is a different size. The header consists of 13 bytes. The header defines the size of the GCT, which comes next. Finally, there are the data blocks. Each block has a type, size, and actual data. For example, a type 0x21 subtype 0xfe is a text comment, and Netscape contents use subtype 0xff. Following the all of this is a graphics control block, image block, and image data. (And multiple blocks for animated GIFs.)
GIF requires you to decode all of the different fields in order to check the structure. In contrast, the SWF format (used by Flash applications) is much simpler. It consists of a series of tag-length-data blocks. Even if you don't know what the tag means, you can still read the length and know how many data bytes are associated with the tag. Parsing an SWF and checking the structure is relatively simple.
With SWF, some of the data sets are further associated with subtag-sublength-subdata sets. The total size of the subsets should be equal to the full set size. (Macromedia wasn't checking this boundary condition and that led to some exploits back in December 2000.) However, even if you don't recognize the tag and subsets, you can still know how many bytes are in the outer tag.
Sadly, JPEG really looks like a format designed by committee (because it was). It is one of the most idiotic file formats I have ever come across.
What brings about this rant: Recently I have been rebuilding imgana to look for more structural information buried in JPEGs. There is a public program called Exiftool that extracts meta information from GIF, JPEG, and other formats. If you just need to view the meta information, then this is absolutely the best program I have come across. However, it doesn't do everything I need, so I originally built imgana and now I am revising my tool.
Here is the quick list of things I dislike about JPEGs:
The JPEG file format uses inconsistent internal structures, confusing offsets, and lacks basic decisions such as endianness. There is also a significant amount of wasted space -- either from unused bytes or information redundancy.
Keep in mind, none of these issues are associated with the actual compression and image storage algorithms. GIF's use of dynamic tables is very creative and efficient, and JPEG's frequency-based compression is just cool. However, in hindsight the algorithm information could have been stored in less complex and more efficient formats.
Having said all of that, I cannot wait to look at PNGs...
One of the challenges from this year's DC3 Forensic Challenge concerned corrupt header reconstruction. The DC3 provided GIF, JPEG, and BMP files that each had some form of header corruption. The goal was to rebuild the header and create a valid image. Earlier this month, I was told by the DC3 that I had successfully recovered each file. In fact, they compared my recovered files with the original (pre-corruption) files and they turned out to be identical. My secret was not to find "a" header that worked. Rather, I recreated the headers based on the remainder of the file's data.
Back in 2005, I created a tool for analyzing image format structures. The program, imgana, dissected GIF and JPEGs. Keep in mind, this program does not view pictures. Instead, it identifies the file structure, meta information, and abnormalities.
Generalized GIF Structure
The GIF format is relatively simple. The big parts are the header, global and optional local color tables (GCT and LCT), and the compressed data segments. The catch with a GIF is that a single corrupt byte can (and likely will) damage the everything after it.
Knowing this, if you have a corrupt GIF header, then you just need to replace the header structure. When you see the GCT, the header must define the GCT size. The most difficult part is identifying the image size. However, if you can decode the encrypted data, then you can identify likely sizes. For example, if it decodes 100 pixels, then the resolution is either 1x100, 2x50, 4x25, 5x20, 10x10, 20x5, 25x4, 50x2, or 100x1.
With GIF, every segment is a different size. The header consists of 13 bytes. The header defines the size of the GCT, which comes next. Finally, there are the data blocks. Each block has a type, size, and actual data. For example, a type 0x21 subtype 0xfe is a text comment, and Netscape contents use subtype 0xff. Following the all of this is a graphics control block, image block, and image data. (And multiple blocks for animated GIFs.)
Generalized SWF Format
GIF requires you to decode all of the different fields in order to check the structure. In contrast, the SWF format (used by Flash applications) is much simpler. It consists of a series of tag-length-data blocks. Even if you don't know what the tag means, you can still read the length and know how many data bytes are associated with the tag. Parsing an SWF and checking the structure is relatively simple.
With SWF, some of the data sets are further associated with subtag-sublength-subdata sets. The total size of the subsets should be equal to the full set size. (Macromedia wasn't checking this boundary condition and that led to some exploits back in December 2000.) However, even if you don't recognize the tag and subsets, you can still know how many bytes are in the outer tag.
Generalize JPEG Format
Sadly, JPEG really looks like a format designed by committee (because it was). It is one of the most idiotic file formats I have ever come across.
What brings about this rant: Recently I have been rebuilding imgana to look for more structural information buried in JPEGs. There is a public program called Exiftool that extracts meta information from GIF, JPEG, and other formats. If you just need to view the meta information, then this is absolutely the best program I have come across. However, it doesn't do everything I need, so I originally built imgana and now I am revising my tool.
Here is the quick list of things I dislike about JPEGs:
- Endian. Most file formats either use big endian or little endian. In big endian, the highest order byte comes first; little endian starts with the smallest-order byte. For JPEGs, they couldn't make up their mind. The image may specify big or little endian -- so the JPEG program must support both.
But even more bothersome: JPEG does not call it "big or little endian". They call it "MM" for Motorola (because Motorola processors use big endian), or "II" for Intel (because they usually use little endian). Why don't they also have "AA" for AMD or "HP" for Hewlett-Packard? Choosing the endian based on a company shows nothing more than a political influence.
Note to the JPEG committee: Next time you revise the format, just choose an endian. Either is fine, but please make a decision.
- Inconsistent blocking. JPEG tries to use a tag-length-data format. However, they don't stick with it. Most of the meta data uses tag-length-data, but then they forget it for the image data stream (which flows more like the GIF data without the blocking).
- Inconsistent subtypes. Within the JPEG file are optional application data areas. Some use big endian, while others allow selecting the endian. Yes: Even if the meta data uses Intel-endian, other application data may use Motorola-endian.
Similarly inconsistent, some meta data uses a tag-length-data structure, while others use fixed or dynamic data divisions. And even the different application data areas are not self-contained. For example, the Flashpix multi-part sections (denoted by "FPXR") work together and not independent... even though they are listed in independent application sections.
- Overly complicated additions. With regards to Flashpix, Phil Harvey -- the author of Exiftool -- said it best:
The FlashPix file format, introduced in 1996, was developed by Kodak, Hewlett-Packard and Microsoft. Internally the FPX file structure mimics that of an old DOS disk with fixed-sized "sectors" (usually 512 bytes) and a "file allocation table" (FAT). No wonder the format never became popular.
There is no standardized format for application data. Every application type is totally different, and most are overly complex.
- Wasted data space. Alright, so meta data like "camera model" and "was a flash used?" is stored in tag-length-data blocks. But JPEG isn't even consistent with the data! If the data size is less than 8 bytes, then the next 8 bytes contain the actual data. Otherwise the next 8 bytes contain an offset to the data.
Some meta data consists of 1-2 bytes of information. This means, there are 2-3 bytes of wasted space. And that offset value? It is from the start of the application data marker. This is fine if you are memory mapping the data, but horrible if you are streaming the information. I still don't understand why JPEG thought this was better than just using tag-length-data and actually having the data in the data area...
The confusing use of offsets is bound to cause problems. For example, the Canon EOS-1D Mark II digital camera is supposed to have a 'make' (tag 0x010f) of "Canon" and a 'model' (0x0110) of "Canon EOS-1D Mark II". However, the camera specifies the wrong offset. The make is "Canon " (the first part of the model's string and not null-terminated), model is "EOS-1D Mark II" (with 6 bytes of crap after it), and there is an unused string "Canon" in the data area. (Here is an example camera image. The offset data contains "Canon\0Canon EOS-1D Mark II\0". The first null-terminated "Canon" string is unused; the make and model are both wrong by six bytes.)
Again, "Dear JPEG Committee", next time either always use offsets or never use offsets. Don't mix and match. "Consistent" is better than "better".
Oh, and those data lengths? They are from the start of the tag (the thing you already read), so be sure to subtract 2 bytes to get the real data length. Considering the amount of unused bytes in a JPEG, this is an ideal format for hiding steganographic information -- without disturbing the image itself.
- Multiple images. Finally, a JPEG file may contain multiple JPEG images. One is the big file that you see, another is an optional thumbnail, and then different application data sections may include their own thumbnail or preview images. Moreover, each of those sub-images could include other sub-images. Want to really hide data? Place an image in a JPEG in a JPEG in a JPEG. I don't know any tool (besides my own) that can easily extract this. (And yes, I have already come across a few examples.)
Of course, I could understand it if every image was at a different size. However, I have observed that most preview and thumbnail images are the same size -- the exact same data. Since there is no data reuse between application sections, a single JPEG may (and usually does) contain multiple copies of the same image.
The JPEG file format uses inconsistent internal structures, confusing offsets, and lacks basic decisions such as endianness. There is also a significant amount of wasted space -- either from unused bytes or information redundancy.
Keep in mind, none of these issues are associated with the actual compression and image storage algorithms. GIF's use of dynamic tables is very creative and efficient, and JPEG's frequency-based compression is just cool. However, in hindsight the algorithm information could have been stored in less complex and more efficient formats.
Having said all of that, I cannot wait to look at PNGs...
(Page 1 of 49, totaling 244 entries)
» next page
Calendar
|
January '09 |
|
||||
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
| 1 | 2 | 3 | ||||
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 | 31 |
