The Research On Header Missing JPEG File Recovery

As a key technology in computer forensic, data recovery is one of effective ways to combat high-tech crime. However, traditional techniques always fail in the circumstances of damaged file system or anti-forensics challenges etc. File carving is a kind of data recovery techniques that don’t rely on file system meta-information, and it makes up for a lack in traditional recovery techniques and gradually becomes a hot subject in digital forensic. JPEG files are widely used, and now they become crucial evidence document in digital forensic for the large amounts of information that they reflect. But current technology is not effective in file fragment and damaged cases, especially for header missing JPEG files, which make many recovered ones can’t be present to the court. There is a focus on header missing of JPEG file recovery and display method. Based on depth analysis and summary of existing file carving technology, this paper emphasizes on following three key technologies for header missing JPEG file research.(1) Firstly, in the process of constructing artificial header, a method of approximate quantization table estimated is proposed for important decoding parameter quantization table. The proposed method is based on over-truncated phenomenon in mismatched decoding of JPEG to estimate original quantization table. The experiment results show the effectiveness of the proposed method.(2) Secondly, a decoding method is proposed for JPEG data without Restart Marker. Through theoretical analysis and experimental verification, this paper solves the JPEG data decoding problem without Restart Marker relying on self-synchronization attribution of JPEG data stream. Experiment results prove the practicability of the proposed method.(3) Finally, a recovery and display method is proposed for header missing of JPEG file fragment combining research results above. In this scheme, the JPEG data is decoded correctly by estimating the decoding parameters, and then it can be displayed correctly through algorithms of width estimate, mismatched position and color adjustment. Experiments results show that the proposed method can correctly decode and display the JPEG file fragments without header and Restart Marker.This paper researches the key technology of header missing JPEG file recovery. The experiment results indicate that the proposed method about fragmentary JPEG file recovery is workable.