Tuesday, November 25, 2008

Hex Dump

Many folks are getting hex dumps from various computer and cell phone forensic software packages. One question came in about reading the header of an image file and what the stuff means. The question was related to determining if the image contained a thumbnail. So, here it goes.

Here's the hex dump of Rick's famous underground auto show pic.

Most people refer to these pictures as simply JPEGs, but it can also be referred to as an image file containing JPEG-compressed data. To be proper, it can be referred to as a JFIF image - JPEG File Interchange Format (notice the JFIF in the top row - right). The JFIF definition allows the file to contain a thumbnail version of the image - which many programs "carve" out of the larger file.

So, look at the header to see if the image contains a thumbnail:
Bytes 0-1 = the start of the image marker = always FF D8
Bytes 2-3 = the application maker = always FF E0

... with these two verified - we've got an image file with JPEG compression (a Tiff would start with either 4D 4D or 49 49, a BMP would start with 42 4D, and so on), we move forward ...

Byte 18 contains the thumbnail width and byte 19 contains the thumbnail height. In our case, the values are 00 and 00 (third and fourth from the left on the second row), meaning there is no thumbnail.

If you are running into these questions a lot, you may want to invest in Graphics File Formats: Reference and Guide by Wayne Brown and Barry Shepherd.

No comments: