Computer Laboratory

Technical reports

Reconstructing compressed photo and video data

Andrew B. Lewis

February 2012, 148 pages

This technical report is based on a dissertation submitted June 2011 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Trinity College.

Some figures in this document are best viewed in colour. If you received a black-and-white copy, please consult the online version if necessary.

Abstract

Forensic investigators sometimes need to verify the integrity and processing history of digital photos and videos. The multitude of storage formats and devices they need to access also presents a challenge for evidence recovery. This thesis explores how visual data files can be recovered and analysed in scenarios where they have been stored in the JPEG or H.264 (MPEG-4 AVC) compression formats.

My techniques make use of low-level details of lossy compression algorithms in order to tell whether a file under consideration might have been tampered with. I also show that limitations of entropy coding sometimes allow us to recover intact files from storage devices, even in the absence of filesystem and container metadata.

I first show that it is possible to embed an imperceptible message within a uniform region of a JPEG image such that the message becomes clearly visible when the image is recompressed at a particular quality factor, providing a visual warning that recompression has taken place.

I then use a precise model of the computations involved in JPEG decompression to build a specialised compressor, designed to invert the computations of the decompressor. This recompressor recovers the compressed bitstreams that produce a given decompression result, and, as a side-effect, indicates any regions of the input which are inconsistent with JPEG decompression. I demonstrate the algorithm on a large database of images, and show that it can detect modifications to decompressed image regions.

Finally, I show how to rebuild fragmented compressed bitstreams, given a syntax description that includes information about syntax errors, and demonstrate its applicability to H.264/AVC Baseline profile video data in memory dumps with randomly shuffled blocks.

Full text

PDF (3.5 MB)

BibTeX record

@TechReport{UCAM-CL-TR-813,
  author =	 {Lewis, Andrew B.},
  title = 	 {{Reconstructing compressed photo and video data}},
  year = 	 2012,
  month = 	 feb,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-813.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-813}
}