JPEGsnoop Version 1.2.0

JPEGsnoop by Calvin Hass provides deep insight into the internals of JPEG files. The program also identifies digital cameras and image editing software by their characteristic quantization tables.

JPEGsnoop was surely not developed with forensic applications in mind. However, the program provides some functionality that can help during an investigation.

JPEGsnoop analyzes a JPEG file

JPEGsnoop decodes the marker segments in a JPEG file. Among those are DQT segments, which define the quantization tables (for the full output log, please see here).

*** Marker: DQT (xFFDB) ***
  Define a Quantization Table.
  OFFSET: 0x00000014
  Table length = 67
  ----
  Precision=8 bits
  Destination ID=0 (Luminance)
    DQT, Row #0:   5   3   3   5   7  12  15  18 
    DQT, Row #1:   4   4   4   6   8  17  18  17 
    DQT, Row #2:   4   4   5   7  12  17  21  17 
    DQT, Row #3:   4   5   7   9  15  26  24  19 
    DQT, Row #4:   5   7  11  17  20  33  31  23 
    DQT, Row #5:   7  11  17  19  24  31  34  28 
    DQT, Row #6:  15  19  23  26  31  36  36  30 
    DQT, Row #7:  22  28  29  29  34  30  31  30 
    Approx quality factor = 84.93 (scaling=30.13 variance=1.05)

The program can also search other files (not necessarily pictures) for that table. For example, this could help in tying a photo taken by a cell phone to a copy of the firmware. Of course, this depends on a static quantization table. Also, the firmware file must be neither encrypted nor compressed.
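The two steps described above, as an added example (not JPEGsnoop's own code): extract the DQT tables from a JPEG header, then search another file for the same table. The names `parse_dqt`, `find_table` and the sample data are hypothetical; it assumes the rows in the listing above are printed in row-major order while the file stores them in zigzag order, and it searches for both layouts because a firmware image could hold either.

```python
import re
import struct

# ZIGZAG[k] = row-major index of the k-th value as stored in a DQT segment
ZIGZAG = sorted(range(64), key=lambda i: (
    i // 8 + i % 8, i // 8 if (i // 8 + i % 8) % 2 else -(i // 8)))

def parse_dqt(jpeg):
    """Return [(segment_offset, precision_bits, table_id, 64 row-major values)]."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    tables, pos = [], 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker >> 8 != 0xFF or marker in (0xFFDA, 0xFFD9) or length < 2:
            break  # lost sync, or reached scan data / end of image
        body, i = jpeg[pos + 4:pos + 2 + length], 0
        while marker == 0xFFDB and i < len(body):  # a segment may hold several tables
            pq, tq = body[i] >> 4, body[i] & 0x0F  # precision flag, destination ID
            size = 128 if pq else 64
            raw = body[i + 1:i + 1 + size]
            if len(raw) < size:
                raise ValueError("truncated DQT segment")
            natural = [0] * 64
            for k, v in enumerate(struct.unpack(">64H" if pq else "64B", raw)):
                natural[ZIGZAG[k]] = v  # undo the zigzag storage order
            tables.append((pos, 16 if pq else 8, tq, natural))
            i += 1 + size
        pos += 2 + length
    return tables

def find_table(blob, natural):
    """Offsets of an 8-bit table inside blob, in zigzag or row-major layout."""
    needles = {"zigzag": bytes(natural[i] for i in ZIGZAG), "row-major": bytes(natural)}
    return [(m.start(), order) for order, needle in needles.items()
            for m in re.finditer(re.escape(needle), blob)]

# Constructed sample: the luminance table from the listing above in a minimal
# SOI + JFIF APP0 + DQT header, plus a made-up "firmware" blob embedding it.
PAGE_TABLE = [5, 3, 3, 5, 7, 12, 15, 18, 4, 4, 4, 6, 8, 17, 18, 17,
              4, 4, 5, 7, 12, 17, 21, 17, 4, 5, 7, 9, 15, 26, 24, 19,
              5, 7, 11, 17, 20, 33, 31, 23, 7, 11, 17, 19, 24, 31, 34, 28,
              15, 19, 23, 26, 31, 36, 36, 30, 22, 28, 29, 29, 34, 30, 31, 30]
STORED = bytes(PAGE_TABLE[i] for i in ZIGZAG)
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xdb\x00\x43\x00" + STORED)
FIRMWARE = b"\x00" * 100 + STORED + b"\xff" * 10
print(parse_dqt(SAMPLE_JPEG)[0][:3], find_table(FIRMWARE, PAGE_TABLE))
```

A hit only shows that the same 64 values occur in the other file; as noted above, it means nothing if the device computes its tables at run time or the firmware is packed.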

JPEGsnoop derives signatures from quantization tables. Right now the program's internal database consists of more than 3,100 entries covering digital cameras and image editing software. New entries can be defined within JPEGsnoop. Optionally, they are submitted to the program's author for inclusion in the internal database.

Defining a new signature with JPEGsnoop

The author's website shows several quantization tables, clearly laid out. It's also possible to compare quantization tables.

Finally, JPEGsnoop attempts to detect whether an image has been edited, based on EXIF data and quantization tables:

*** Searching Compression Signatures ***

  Signature:           0155D875C95B74D0F3C5835A62516F48
  Signature (Rotated): 01D38A25358EB7649A254E19F1D46600
  File Offset:         0 bytes
  Chroma subsampling:  2x2
  EXIF Make/Model:     NONE
  EXIF Makernotes:     NONE
  EXIF Software:       NONE

  Searching Compression Signatures: (3314 built-in, 1 user(*) )

       EXIF.Make / Software      EXIF.Model         Quality       Subsamp Match?
       -----------------------   ----------------   ------------  --------------
  CAM:[NIKON                  ] [E2500           ] [FINE        ] No
  CAM:[Nokia                  ] [N73             ] [            ] No
  CAM:[OLYMPUS OPTICAL CO.,LTD] [C2000Z          ] [            ] No
  CAM:[OLYMPUS OPTICAL CO.,LTD] [C3040Z          ] [            ] No
  CAM:[PENTAX                 ] [PENTAX Optio 550] [            ] No
  CAM:[SEIKO EPSON CORP.      ] [PhotoPC 3000Z   ] [            ] No
  SW :[IJG Library            ]                    [085         ]
  SW :[Picasa                 ]                    [085 (Normal)]
  SW :[ZoomBrowser EX         ]                    [medium      ]

  The following IJG-based editors also match this signature:
  SW :[GIMP                   ]                    [085         ]
  SW :[IrfanView              ]                    [085         ]
  SW :[idImager               ]                    [085         ]
  SW :[FastStone Image Viewer ]                    [085         ]
  SW :[NeatImage              ]                    [085         ]
  SW :[Paint.NET              ]                    [085         ]
  SW :[Photomatix             ]                    [085         ]
  SW :[XnView                 ]                    [085         ]

  ASSESSMENT: Image is processed/edited

  This may be a new software editor for the database.
  If this file is processed, and editor doesn't appear in list above,
  PLEASE ADD TO DATABASE with [Tools->Add Camera to DB]

Imprint

This blog is a project of:
Andreas Schuster

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.