Image (PNG) Forensic Analysis

IMAGE FORENSIC ANALYSIS(PNG)


Who am I?

Name: Parth Parmar
Profession: Security engineer @ Paladion Networks, Bangalore
Security researcher and part-time CTF player.
Areas of interest: Pentesting, Forensics, Partial Mentalist.

Agenda

Introduction to PNG
Understanding the underlying structure of PNG
Plaid CTF 2015
PNG forensic analysis

What is PNG?

Portable Network Graphics is a raster graphics file format that supports lossless data compression.

PNG was created as an improved, non-patented replacement for Graphics Interchange Format (GIF), and is the most widely used lossless image compression format on the Internet.

PNG was designed for transferring images on the Internet, not for professional-quality print graphics, and therefore does not support non-RGB color spaces such as CMYK.

Structure of PNG

A PNG file starts with an 8-byte signature.

Chunks

Chunks contain the information about the image. A chunk consists of four parts: length (4 bytes), chunk type/name (4 bytes), chunk data (length bytes) and CRC (cyclic redundancy code/checksum; 4 bytes). The CRC is a network-byte-order CRC-32 computed over the chunk type and chunk data, but not the length.

Chunks

A decoder must be able to interpret critical chunks to read and render a PNG file.

IHDR must be the first chunk; it contains (in this order) the image's width, height, bit depth, color type, compression method, filter method, and interlace method (13 data bytes total).

PLTE contains the palette: the list of colors.

IDAT contains the image data, which may be split among multiple IDAT chunks. Such splitting increases the file size slightly, but makes it possible to generate a PNG in a streaming manner. The IDAT chunk holds the actual image data, which is the output stream of the compression algorithm.

IEND marks the image end.

Plaid CTF 2015

In Plaid CTF 2015 there was a forensics task called Uncorrupt PNG.

Forensic Analysis

Normal PNG header

Corrupted PNG header


Repairing Header: no success

Let’s analyze again..!!

Repairing Header: a little success..

Further analysis: IDAT chunks

Offset glitch ;)

Corrupted Offset

Repaired Offset

DOS -> UNIX conversion

Focusing on 0x0D 0x0A

Now we knew that there was some problem with 0x0D and 0x0A. So we started analyzing all 0x0A values and tried to replace them with 0x0D 0x0A. But only particular values need to be changed in order to match the CRC at the end of every chunk.

Tedious work to do

We tried to replace all the 0x0A with 0x0D 0x0A, and we found particular spots which opened half of the image.

CTF over

By the time we had figured out half of the image, the CTF was over. But we still kept researching, and then in write-ups we found that professionals had created a Python script to brute-force image chunks and check for CRC matching.
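A small version of that brute-force idea, written here as an added example (it is not the script from the write-ups nor the author's own code): it walks the chunks of a PNG whose 0x0D 0x0A pairs were collapsed to 0x0A, re-inserts 0x0D before line feeds until each chunk's CRC-32 over type + data matches the stored CRC, and rebuilds the file. It assumes the length, type and CRC fields themselves survived the conversion; the sample PNG is constructed inline.

```python
import itertools
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 8-byte signature; note it contains 0D 0A itself

def make_chunk(ctype, data):
    """Emit one chunk: length, type, data, CRC-32 over type + data (not length)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def repair_chunk(ctype, length, tail):
    """tail = everything after the type field. Re-insert 0x0D before k of the 0x0A bytes in the
    data window until the stored CRC matches; returns (data, bytes consumed). Exponential in LFs."""
    for k in range(length + 1):  # k = number of CR bytes this chunk lost
        window, stored = tail[:length - k], tail[length - k:length - k + 4]
        lf_positions = [i for i, b in enumerate(window) if b == 0x0A]
        if len(stored) < 4 or k > len(lf_positions):
            break
        for combo in itertools.combinations(lf_positions, k):
            data = bytearray(window)
            for i in reversed(combo):  # insert from the back so earlier indices stay valid
                data.insert(i, 0x0D)
            if zlib.crc32(ctype + bytes(data)) == struct.unpack(">I", stored)[0]:
                return bytes(data), length - k + 4
    raise ValueError(f"no CRC match for chunk {ctype!r}")

def repair_png(blob):
    """Rebuild a PNG whose CR LF pairs became LF (assumes length/type/CRC fields were not hit)."""
    if blob[4:8] == PNG_SIG[4:]:
        pos = 8
    elif blob[:4] == PNG_SIG[:4] and blob[4:7] == b"\n\x1a\n":
        pos = 7  # the signature lost its 0x0D, so chunks start 7 bytes in, not 8
    else:
        raise ValueError("not a PNG signature")
    out = bytearray(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data, consumed = repair_chunk(ctype, length, blob[pos + 8:])
        out += make_chunk(ctype, data)
        pos += 8 + consumed
        if ctype == b"IEND":
            break
    return bytes(out)

def build_sample():
    """Constructed 1x1 grayscale PNG with a tEXt chunk that holds two CR LF pairs."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    text = make_chunk(b"tEXt", b"Comment\x00line one\r\nline two\r\n")
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x7f"))  # filter byte + one pixel
    return PNG_SIG + ihdr + text + idat + make_chunk(b"IEND", b"")
```

Apply the damage with `build_sample().replace(b"\r\n", b"\n")` (a DOS-to-UNIX conversion) and feed the result to `repair_png`; the output is byte-identical to the original.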

Voila…!!!

Open Source Tools Used

PNG Check
PNG Utils
HexEditor

Thank you Folks..!!

Questions