JPEG Signature Format: Documentation & Recovery Example


JPEG (Joint Photographic Experts Group) is a commonly used method of lossy compression for digital images, mostly those produced by digital photography. The degree of compression can be adjusted, allowing a tradeoff between storage size and image quality. JPEG compression is used in a number of image file formats. JPEG/Exif is the most common image format used by digital cameras and other image capture devices. JPEG/JFIF is the most common format for storing and transmitting photographic images on the Internet.

JPEG files (compressed images) start with an image marker which always contains the marker code hex values FF D8 FF. The length of the file is not embedded in it, so to determine the file size we need to find the JPEG trailer, which is FF D9.

Let's examine the example

When inspecting the binary data of the example.jpg file in a hex viewer such as Active@ Disk Editor, we can see that it starts with the signature FF D8 FF.

[Figure: JPEG signature format - header inspection]

The length of the file is not embedded in it, so we need to find the JPEG trailer, which is FF D9. This signature is detected at the offset 0x53C (hex), 1340 (dec).

[Figure: JPEG signature format - header inspection]

Adding the 2 bytes of the trailer itself to that offset, we can determine the size of the file, which is 1342 bytes.

More info:

JPEG files header:

typedef unsigned char BYTE;  /* one byte; multi-byte fields are big-endian */

typedef struct _JFIFHeader
{
  BYTE SOI[2];          /* 00h  Start of Image Marker     */
  BYTE APP0[2];         /* 02h  Application Use Marker    */
  BYTE Length[2];       /* 04h  Length of APP0 Field      */
  BYTE Identifier[5];   /* 06h  "JFIF" (zero terminated) Id String */
  BYTE Version[2];      /* 0Bh  JFIF Format Revision      */
  BYTE Units;           /* 0Dh  Units used for Resolution */
  BYTE Xdensity[2];     /* 0Eh  Horizontal Resolution     */
  BYTE Ydensity[2];     /* 10h  Vertical Resolution       */
  BYTE XThumbnail;      /* 12h  Horizontal Pixel Count    */
  BYTE YThumbnail;      /* 13h  Vertical Pixel Count      */
} JFIFHEAD;

SOI is the start of image marker and always contains the marker code values FFh D8h.

APP0 is the Application marker and always contains the marker code values FFh E0h.

Length is the size of the JFIF (APP0) marker segment, including the size of the Length field itself and any thumbnail data contained in the APP0 segment. Because of this, the value of Length equals 16 + 3 * XThumbnail * YThumbnail.

Identifier contains the values 4Ah 46h 49h 46h 00h (JFIF) and is used to identify the code stream as conforming to the JFIF specification.

Version identifies the version of the JFIF specification, with the first byte containing the major revision number and the second byte containing the minor revision number. For version 1.02, the values of the Version field are 01h 02h; older files contain 01h 00h or 01h 01h.
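The signature search and the header fields described above can be combined into a small carver. This is an added example, not code from the original page or from Active@ File Recovery; the function names and the sample bytes are constructed for illustration. It goes one step beyond taking the first FF D9 after the header: it walks each segment's Length field, because FF D9 can also occur inside a segment payload (for example an embedded thumbnail), which would end the recovered file too early.

```python
import struct

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"

def parse_jfif(buf, start):
    """Decode the 20-byte JFIFHEAD at `start`; None if it is not a JFIF APP0 header."""
    hdr = buf[start:start + 20]
    if len(hdr) < 20 or hdr[2:4] != b"\xff\xe0" or hdr[6:11] != b"JFIF\x00":
        return None
    length, _id, major, minor, _u, _xd, _yd, xt, yt = struct.unpack(">H5sBBBHHBB", hdr[4:])
    return {"version": (major, minor), "length": length, "length_ok": length == 16 + 3 * xt * yt}

def skip_scan(buf, pos):
    """Skip entropy-coded data: FF 00 is a stuffed byte, FF D0..D7 are restart markers."""
    while (pos := buf.find(b"\xff", pos)) >= 0 and pos + 1 < len(buf):
        nxt = buf[pos + 1]
        if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
            return pos                           # a real marker ends the scan
        pos += 1 if nxt == 0xFF else 2           # FF FF is fill, step one byte
    return -1

def find_eoi(buf, start):
    """Offset of the FF D9 that closes the image at `start`, or -1 if truncated/corrupt."""
    pos = start + 2                              # first marker after SOI
    while pos + 2 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker == 0xD9:
            return pos
        pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")  # skip the whole segment
        if marker == 0xDA and (pos := skip_scan(buf, pos)) < 0:  # SOS: image data follows
            break
    return -1

def carve_jpegs(buf):
    """Return (offset, size) of every complete JPEG; size = EOI offset + 2 - offset."""
    found, pos = [], 0
    while (start := buf.find(SOI, pos)) >= 0:
        end = find_eoi(buf, start)
        if end >= 0:
            found.append((start, end + 2 - start))
        pos = end + 2 if end >= 0 else start + 1
    return found

# Constructed sample: 7 filler bytes, then a JPEG whose APP1 segment holds a thumbnail stub.
APP0 = b"\xff\xe0" + struct.pack(">H5sBBBHHBB", 16, b"JFIF\x00", 1, 2, 1, 72, 72, 0, 0)
APP1 = b"\xff\xe1\x00\x0e" + b"Exif\x00\x00" + b"\xff\xd8\xff\xdb\xff\xd9"
SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
JPEG = b"\xff\xd8" + APP0 + APP1 + SOS + EOI
SAMPLE = b"\x00" * 7 + JPEG + b"junk"
```

On the constructed sample, carve_jpegs(SAMPLE) recovers the full 55-byte image at offset 7, whereas stopping at the first FF D9 would yield only 36 bytes.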

Active@ File Recovery Custom Scripting Example

This signature search can be scripted using the Signatures Definition language used in Active@ File Recovery.
The syntax of the signature definition language is documented separately.

[PRIMITIVE_JPG]
BEGIN=BEGIN.TEST.JPG
GROUP = Images and Camera RAW files
DESCRIPTION = Primitive JPG files
FOOTER=FOOTER-.TEST.JPG
EXTENSION = test.jpg
MAX_SIZE = 3221225472

[BEGIN.TEST.JPG]
\xFF\xD8\xFF = 0 | 0

[FOOTER-.TEST.JPG]
\xFF\xD9