JPEG (Joint Photographic Experts Group) is a commonly used method of lossy compression for digital images, mostly for those images produced by digital photography.
The degree of compression can be adjusted, allowing a tradeoff between storage size and image quality.
JPEG compression is used in a number of image file formats.
JPEG/Exif is the most common image format used by digital cameras and other image capture devices.
JPEG/JFIF is the most common format for storing and transmitting photographic images on the Internet.
JPEG files (compressed images) start with an image marker which always contains the marker code hex values FF D8 FF. The file does not embed its own length, so to determine where it ends we need to find the JPEG trailer, which is FF D9.
Let's examine an example.
When inspecting the binary data of the file example.jpg with any hex viewer, such as Active@ Disk Editor, we can see that it starts with the signature FF D8 FF.
Because the file does not embed its length, we need to find the JPEG trailer, FF D9. After detecting this signature at offset 0x53C (hex), 1340 (dec), we can determine the size of the file: the two-byte trailer ends at byte 1342, so the file is 1342 bytes long.
typedef unsigned char BYTE;   /* one 8-bit byte */

typedef struct _JFIFHeader
{
    BYTE SOI[2];          /* 00h  Start of Image Marker     */
    BYTE APP0[2];         /* 02h  Application Use Marker    */
    BYTE Length[2];       /* 04h  Length of APP0 Field      */
    BYTE Identifier[5];   /* 06h  "JFIF" (zero terminated) Id String */
    BYTE Version[2];      /* 0Bh  JFIF Format Revision      */
    BYTE Units;           /* 0Dh  Units used for Resolution */
    BYTE Xdensity[2];     /* 0Eh  Horizontal Resolution     */
    BYTE Ydensity[2];     /* 10h  Vertical Resolution       */
    BYTE XThumbnail;      /* 12h  Horizontal Pixel Count    */
    BYTE YThumbnail;      /* 13h  Vertical Pixel Count      */
} JFIFHEAD;
SOI is the start of image marker and always contains the marker code values FFh D8h.
APP0 is the Application marker and always contains the marker code values FFh E0h.
Length is the size of the JFIF (APP0) marker segment, including the size of the Length field itself and any thumbnail data contained in the APP0 segment. Because of this, the value of Length equals 16 + 3 * XThumbnail * YThumbnail.
Identifier contains the values 4Ah 46h 49h 46h 00h (JFIF) and is used to identify the code stream as conforming to the JFIF specification.
Version identifies the version of the JFIF specification, with the first byte containing the major revision number and the second byte containing the minor revision number. For version 1.02, the values of the Version field are 01h 02h; older files contain 01h 00h or 01h 01h.
This signature search can be scripted using the Signatures Definition language used in Active@ File Recovery. You can read the syntax of the signature definition language here.
[PRIMITIVE_JPG]
BEGIN=BEGIN.TEST.JPG
GROUP = Images and Camera RAW files
DESCRIPTION = Primitive JPG files
FOOTER=FOOTER-.TEST.JPG
EXTENSION = test.jpg
MAX_SIZE = 3221225472

[BEGIN.TEST.JPG]
\xFF\xD8\xFF = 0 | 0

[FOOTER-.TEST.JPG]
\xFF\xD9
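The following Python example is added here and is not code from the original page or from Active@ File Recovery. It compares the first-FF D9 size calculation described above with a marker-segment walk, which goes beyond the page's method by using each segment's Length field to skip payloads (a JFIF thumbnail is raw RGB, so it can contain the bytes FF D9). The function names naive_size and walk_size are hypothetical, and the sample bytes are constructed and do not form a decodable image.

```python
HEADER, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # signature and trailer given on the page

def naive_size(buf, start=0):
    """Page's method: size = offset of the first FF D9 after the header, plus 2."""
    if buf[start:start + 3] != HEADER:
        return None
    end = buf.find(EOI, start + 2)
    return None if end < 0 else end + 2 - start

def walk_size(buf, start=0):
    """Follow marker segments so FF D9 bytes inside a segment payload are skipped."""
    if buf[start:start + 3] != HEADER:
        return None
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None                       # not on a marker: corrupt or fragmented
        marker = buf[pos + 1]
        if marker == 0xD9:                    # real end-of-image marker
            return pos + 2 - start
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seglen < 2:
            return None                       # Length counts its own two bytes
        pos += 2 + seglen
        while marker == 0xDA:                 # SOS: scan entropy-coded data
            i = buf.find(b"\xff", pos)
            if i < 0 or i + 1 >= len(buf):
                return None                   # ran out of data before a trailer
            nxt = buf[i + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos = i + 2                   # stuffed FF 00 or restart marker
            elif nxt == 0xFF:
                pos = i + 1                   # fill byte
            else:
                pos = i                       # next real marker; leave the scan
                break
    return None

# Constructed sample: JFIF APP0 with a 1x1 thumbnail whose RGB bytes are FF D9 00,
# a minimal SOS segment, four data bytes, the trailer, then 8 bytes of slack.
APP0 = b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x01\x01" + b"\xff\xd9\x00"
SAMPLE = (b"\xff\xd8\xff\xe0" + (2 + len(APP0)).to_bytes(2, "big") + APP0
          + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + EOI + b"\x00" * 8)
```

On this sample the first-trailer search stops inside the thumbnail and reports a truncated file, while the segment walk reaches the real trailer.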