Image (PNG) Forensic Analysis

1. IMAGE FORENSIC
ANALYSIS(PNG)

2. Who am i?
 Name : Parth Parmar
 Profession : Working as a security engineer @ Paladion Networks Bangalore
 Security researcher and part time CTF player.
 Area of interests : Pentesting , Forensic, Partial Mentalist.

3. Agenda
 Introduction to PNG
 Understanding underlying structure of PNG
 Plaid CTF 2015
 PNG Forensic analysis

4. What is PNG?
 Portable Network Graphics is a raster graphics file format that
supports lossless data compression.
 PNG was created as an improved, non-patented replacement for Graphics
Interchange Format (GIF), and is the most widely used lossless image
compression format on the Internet.
 PNG was designed for transferring images on the Internet, not for
professional-quality print graphics, and therefore does not support non-
RGB color spaces such as CMYK.

5. Structure of PNG
 A PNG file starts with an 8-byte signature

6. Chunks
 Chunks contains information about image.
 A chunk consists of four parts: length (4 bytes), chunk type/name (4 bytes),
chunk data (length bytes) and CRC (cyclic redundancy code/checksum; 4
bytes). The CRC is a network-byte-order CRC-32 computed over the chunk
type and chunk data, but not the length.

7. Chunks
 A decoder must be able to interpret critical chunks to read and render a PNG
file.
 IHDR must be the first chunk; it contains (in this order) the image's width,
height, bit depth, color type, compression method, filter method, and
interlace method (13 data bytes total).
 PLATE contains the palette; list of colors.
 IDAT contains the image, which may be split among multiple IDAT chunks.
Such splitting increases filesize slightly, but makes it possible to generate a
PNG in a streaming manner. The IDAT chunk contains the actual image data,
which is the output stream of the compression algorithm
 IEND marks the image end.

8. Plaid CTF 2015
 In plaid CTF 2015 there was a task in forensics called as Uncorrupt PNG.

9. Forensic Analysis
 Normal PNG header
 Corrupted PNG header

10. Repairing Header no success 

11. Let’s analyze again..!!

12. Repairing Header A little Success..

13. Further analysis IDAT chunks

14. Locha Offset ;)
 Corrupted Offset
 Repaired Offset

15. DOS -> UNIX conversion

16. Focusing on 0x0D 0x0A
 Now we knew that there is some problem with 0x0D and 0x0A.
 So we started analyzing all 0x0A values and tried to replace it with 0x0D
0x0A.
 But only particular value need to be changed in order to match CRC at the
and of every chunk.

17. Tedious work to do 
 We tried to replace all the 0x0A with 0x0D 0x0A.
 And we found particular spots which opened half of the image.


18. CTF over 
 Till we figured half of the image CTF was over.
 But still we kept researching and then in write ups we found that
professionals have created a python script to brute force image chunks and
check for CRC matching.
 Voila…!!!

19. Open SourceTools Used.
 PNG Check
 PNG Utils
 HexEditor

20. Thank you Folks..!!
Questions