Difference between pages "GIF" and "Forensic corpora"

From ForensicsWiki
GIF

The '''Graphics Interchange Format''' ('''GIF''') (SM) is a lossless [[image format]]. GIF images use internal [[LZW]] compression to reduce file size. CompuServe created this format, which is a bitmap image format allowing 256 different colors to be selected from a 24-bit color palette (RGB). GIF also allows for animations by sequencing through multiple GIF image data blocks inside a single file.

"The Graphics Interchange Format(c) is the Copyright property of CompuServe Incorporated. GIF(sm) is a Service Mark property of CompuServe Incorporated."

== Format ==

GIF files consist of a [[header]], image data, optional [[metadata]], and a [[footer]]. The header consists of a signature and a version, each 3 bytes long. The signature is <tt>47 49 46</tt> (hex) / <tt>GIF</tt> (text). The versions are either <tt>38 37 61</tt> or <tt>38 39 61</tt> (hex) / <tt>87a</tt> or <tt>89a</tt> (text) respectively. The footer or trailer (as identified in the format specification) is usually <tt>3B</tt> (hex).

Common file extensions are .gif and .GIF.

== Metadata ==

GIF89a files can contain [[metadata]] in [[text]] format. GIF metadata is contained in sections identified as a Comment Extension, a Plain Text Extension, and an Application Extension. All extension sections begin with the Extension Introducer <tt>21</tt> (hex).

Comment Extensions are optional and more than one may be present. They were designed to allow including comments about the graphic, credits, descriptions or other types of non-control/non-graphic data. The beginning of this block has the Extension Introducer and a Comment Label <tt>FE</tt> (hex). Comment data is a sequence of sub-blocks between 1 and 255 bytes in length, each preceded by a size byte. Comment Extensions should appear either before or after the control and graphic data blocks.

Plain Text Extensions are optional and more than one may be present. They were designed to allow rendering of textual data as a graphic. The beginning of this block has the Extension Introducer and a Plain Text Label <tt>01</tt> (hex). Plain text data is a sequence of sub-blocks between 1 and 255 bytes in length, each preceded by a size byte.

Application Extensions are optional. They were designed to allow applications to insert application-specific data inside a GIF. The beginning of this block has the Extension Introducer and an Application Extension Label <tt>FF</tt> (hex).
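As an added example (not from the wiki page or the GIF specification), a Python walker that checks the signature and version bytes, skips the colour tables and image data, and collects each extension by its label so the Comment (FE), Plain Text (01) and Application (FF) blocks can be pulled out; it also reports whether the 3B trailer was reached, a quick truncation check. The sample file is constructed inline, and parse_gif and read_sub_blocks are names chosen here.

```python
import struct

# Constructed 1x1 GIF89a (not a real file): Comment and Application Extensions, then trailer.
SAMPLE_GIF = (
    b"GIF89a"                                          # 47 49 46 + 38 39 61
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)          # logical screen, GCT flag set, 2 colours
    + b"\x00\x00\x00\xff\xff\xff"                      # global colour table
    + b"\x21\xfe\x0bhello world\x00"                   # 21 FE: Comment Extension, one sub-block
    + b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"   # 21 FF: Application Extension
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)   # 2C: image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                          # LZW min code size + image sub-blocks
    + b"\x3b"                                          # 3B: trailer
)

def read_sub_blocks(data, pos):
    """Join size-prefixed sub-blocks (1..255 bytes each) up to the 0x00 block terminator."""
    chunks = []
    while True:
        size, pos = data[pos], pos + 1
        if size == 0:
            return b"".join(chunks), pos
        chunks.append(data[pos:pos + size])
        pos += size

def parse_gif(data):
    """Walk the block structure; report version, (label, payload) extensions, image count,
    and whether the 3B trailer was reached before the data ran out (i.e. not truncated)."""
    if data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("bad GIF signature or version")
    packed, pos = data[10], 13                         # 7-byte logical screen descriptor
    if packed & 0x80:                                  # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    extensions, images, trailer = [], 0, False
    while pos < len(data) and not trailer:
        introducer, pos = data[pos], pos + 1
        if introducer == 0x3B:
            trailer = True
        elif introducer == 0x21:                       # extension: label byte, then sub-blocks
            label = data[pos]
            payload, pos = read_sub_blocks(data, pos + 1)
            extensions.append((label, payload))
        elif introducer == 0x2C:                       # image descriptor: 9 bytes, optional LCT
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            _, pos = read_sub_blocks(data, pos + 1)    # skip LZW min code size, then pixel data
            images += 1
        else:
            raise ValueError(f"unexpected block introducer 0x{introducer:02x} at {pos - 1}")
    return {"version": data[3:6].decode(), "extensions": extensions, "images": images, "trailer": trailer}
```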
== External Links ==

* [http://en.wikipedia.org/wiki/GIF Wikipedia: GIF]
* [http://www.w3.org/Graphics/GIF/spec-gif89a.txt W3.Org: GRAPHICS INTERCHANGE FORMAT SPECIFICATION]

[[Category:File Formats]]

Revision as of 17:08, 4 February 2007

This page describes large-scale corpora of forensically interesting information that are available for those involved in forensic research.

Disk Images

The Garfinkel Used Hard drive Collection Project. Between 1998 and 2006, Garfinkel acquired 1250+ hard drives on the secondary market. These hard drive images have proven invaluable in performing a range of studies, such as the development of new forensic techniques [13] and the study of the sanitization practices of computer users.

Network Packets

The DARPA Intrusion Detection Evaluation. In 1998, 1999 and 2000 the Information Systems Technology Group at MIT Lincoln Laboratory created a test network complete with simulated servers, clients, clerical workers, programmers, and system managers. Baseline traffic was collected. The systems on the network were then “attacked” by simulated hackers. Some of the attacks were well-known at the time, while others were developed for the purpose of the evaluation.

Email messages

The Enron Corpus of email messages that were seized by the Federal Energy Regulatory Commission during its investigation of Enron [11].

Log files