WEBVTT

0:00:02.400000 --> 0:00:06.800000
In this video, we are going to understand how to use Ghiro to extract and

0:00:06.800000 --> 0:00:10.560000
analyze EXIF data from photos.

0:00:10.560000 --> 0:00:14.620000
Ghiro is a fully automated digital forensics tool that can be used for

0:00:14.620000 --> 0:00:16.180000
image forensics.

0:00:16.180000 --> 0:00:23.200000
You can access and download Ghiro at its official website www.getghiro.org.

0:00:23.200000 --> 0:00:27.740000
The tool was created by Alessandro Tanasi and Marco Buoncristiano.

0:00:27.740000 --> 0:00:31.440000
You can download Ghiro as either a stable package release where you will

0:00:31.440000 --> 0:00:35.540000
have to set up Ghiro yourself, or you can download and use the pre-configured

0:00:35.540000 --> 0:00:39.680000
appliance as either an OVA or ESXi virtual machine.

0:00:39.680000 --> 0:00:43.800000
For this video, I'm using the pre-configured virtual machine.

0:00:43.800000 --> 0:00:48.440000
I simply downloaded the OVA file and imported it into my VirtualBox.

0:00:48.440000 --> 0:00:50.700000
You can find the documentation here.

0:00:50.700000 --> 0:00:53.400000
I highly recommend that you check it out, as there's lots of stuff that

0:00:53.400000 --> 0:00:56.580000
you can learn from the documentation, especially the different types of

0:00:56.580000 --> 0:01:02.700000
techniques. Here's the whole documentation about how to set up Ghiro.

0:01:02.700000 --> 0:01:05.540000
Since I already have the tool downloaded and it's up and running on the

0:01:05.540000 --> 0:01:08.720000
virtual machine, let's go ahead and start using the tool.

0:01:08.720000 --> 0:01:12.600000
As soon as you open the website, you get the following webpage.

0:01:12.600000 --> 0:01:16.600000
The default username is ghiro, and the password is ghiromanager.

0:01:16.600000 --> 0:01:23.940000
I've written them down here.

0:01:23.940000 --> 0:01:27.440000
Once logged in, we're presented with a dashboard.
0:01:27.440000 --> 0:01:32.220000
It says we have one user, that we don't have any cases, or completed analysis,

0:01:32.220000 --> 0:01:34.560000
or have any analysis waiting.

0:01:34.560000 --> 0:01:38.100000
Let's go ahead and open a case, so let's click on Cases.

0:01:38.100000 --> 0:01:41.160000
If we had a case, we would see it over here.

0:01:41.160000 --> 0:01:45.500000
Let's add a new case by clicking on the Add Case button here.

0:01:45.500000 --> 0:01:47.660000
A new case is now open.

0:01:47.660000 --> 0:01:50.220000
Let's name it Case 1.

0:01:50.220000 --> 0:01:53.660000
Let's select the ghiro user and save our case.

0:01:53.660000 --> 0:01:56.280000
This is where you select who has access to the case.

0:01:56.280000 --> 0:02:01.620000
We now have an open case, and can now go ahead and add some photos here.

0:02:01.620000 --> 0:02:05.800000
We can add some images by uploading an image from a URL or from a folder.

0:02:05.800000 --> 0:02:07.560000
Let's go ahead and add some images.

0:02:07.560000 --> 0:02:11.400000
I'm going to select all the images in this directory and then click the

0:02:11.400000 --> 0:02:12.900000
Start Upload button.

0:02:12.900000 --> 0:02:17.120000
This will start the upload operation of the images to Ghiro.

0:02:17.120000 --> 0:02:21.220000
The images are now uploaded and are currently being analyzed, which we

0:02:21.220000 --> 0:02:24.100000
can see from the status, Waiting.

0:02:24.100000 --> 0:02:27.900000
If we refresh the page, we can see Ghiro has completed the analysis for

0:02:27.900000 --> 0:02:30.260000
each of the uploaded images.

0:02:30.260000 --> 0:02:32.960000
Let's select an image to check what's been done.

0:02:32.960000 --> 0:02:36.780000
As you can see, selecting the image takes us to the Analysis Results page,

0:02:36.780000 --> 0:02:40.140000
which is similar to what you see on VirusTotal.

0:02:40.140000 --> 0:02:45.060000
Only VT is normally used for analyzing malicious files in general.
0:02:45.060000 --> 0:02:48.720000
As we can see here, there's a hash value that seems to be used as an identifier

0:02:48.720000 --> 0:02:53.060000
of the image. We can also see each type of analysis done, and its results

0:02:53.060000 --> 0:02:54.880000
are on the right in green.

0:02:54.880000 --> 0:02:57.400000
Here is the localization analysis.

0:02:57.400000 --> 0:03:01.040000
From the results, we can say that this picture truly has some GPS coordinates

0:03:01.040000 --> 0:03:07.000000
in it. Also, here's the Error Level Analysis, or ELA, which is useful to

0:03:07.000000 --> 0:03:09.520000
detect if modifications were done.

0:03:09.520000 --> 0:03:13.180000
This technique was presented at Black Hat, and it works on compressed

0:03:13.180000 --> 0:03:16.880000
images only, for example, JPG or PNG.

0:03:16.880000 --> 0:03:21.500000
From the documentation, the main idea is that an image in its original

0:03:21.500000 --> 0:03:24.420000
form has unique levels of compression.

0:03:24.420000 --> 0:03:27.640000
The analyzed image is resaved, and differences in compression levels

0:03:27.640000 --> 0:03:31.880000
are calculated. If differences are detected, the probability of edits is

0:03:31.880000 --> 0:03:37.020000
high. Ghiro calculates error levels and detects differences between them.

0:03:37.020000 --> 0:03:40.800000
Let's go ahead and check the Signature Results, which the developers describe

0:03:40.800000 --> 0:03:44.820000
as: "Signature provides evidence about most critical data to highlight

0:03:44.820000 --> 0:03:47.520000
focal points and common exposures.

0:03:47.520000 --> 0:03:52.280000
Signature Engine to highlight common exposure on over 120 signatures."

0:03:52.280000 --> 0:03:54.680000
Let's check the Static page from here.
0:03:54.680000 --> 0:03:59.940000
As you can see, we have the file name, its size, and its dimensions, plus,

0:03:59.940000 --> 0:04:03.300000
we can see the date it was analyzed, as well as any comments that the photographer

0:04:03.300000 --> 0:04:06.060000
or designer of the image added here.

0:04:06.060000 --> 0:04:08.460000
You can even add your own tags here.

0:04:08.460000 --> 0:04:10.540000
Let's check the File Type page.

0:04:10.540000 --> 0:04:13.520000
It only shows us what file type was detected.

0:04:13.520000 --> 0:04:17.220000
If we move on to the Hashes page, we find all the calculated hashes for

0:04:17.220000 --> 0:04:21.540000
the image. This is very useful when you build a huge database, and you

0:04:21.540000 --> 0:04:24.540000
want to search for a picture based on its hash value.

0:04:24.540000 --> 0:04:30.820000
As you can see, the MD5 hash value is the one used as an ID for this photo.

0:04:30.820000 --> 0:04:34.040000
On the Strings page, we can see all the strings that were found inside

0:04:34.040000 --> 0:04:37.740000
the image. This is similar to running the Linux strings command against

0:04:37.740000 --> 0:04:43.420000
the image. Strings are very useful, do not underappreciate their usefulness.

0:04:43.420000 --> 0:04:47.160000
As you can see, we can even hex dump the image and see the content of

0:04:47.160000 --> 0:04:49.000000
the image in hexadecimal.

0:04:49.000000 --> 0:04:53.160000
If we go to the EXIF page, we see all the EXIF tags we mentioned in previous

0:04:53.160000 --> 0:04:58.560000
videos. We can see what type of camera was used, its model, and what software

0:04:58.560000 --> 0:05:02.440000
was used. Here, we can see the thumbnail details.

0:05:02.440000 --> 0:05:10.120000
Let's check other pages, such as XMP or this page for thumbnails.

0:05:10.120000 --> 0:05:13.720000
Here we can see the thumbnail for the image and details like size, type,

0:05:13.720000 --> 0:05:17.820000
and dimensions. Also, if you click on the image, it will open the thumbnail

0:05:17.820000 --> 0:05:22.120000
for us. Let's close it and move on.

0:05:22.120000 --> 0:05:25.620000
One awesome feature of Ghiro is the Map page.

0:05:25.620000 --> 0:05:29.180000
As you can see, this page can directly pinpoint where this photo was taken

0:05:29.180000 --> 0:05:34.300000
on the map. The ELA page shows the results of the ELA analysis, which

0:05:34.300000 --> 0:05:35.980000
I explained before.

0:05:35.980000 --> 0:05:40.660000
If there have been any modifications, this page will give you an idea.

0:05:40.660000 --> 0:05:44.560000
The signatures are high, medium, and low, and provide evidence about most

0:05:44.560000 --> 0:05:51.920000
critical data. Let's go back to Cases and select another image.

0:05:51.920000 --> 0:05:56.120000
All of these details have been extracted from the image itself.

0:05:56.120000 --> 0:06:00.340000
As mentioned before, File Type shows the type.

0:06:00.340000 --> 0:06:03.460000
Hashes shows the hashes calculated for this image.

0:06:03.460000 --> 0:06:07.660000
Strings shows the strings found within the image and a hex dump of the image.

0:06:07.660000 --> 0:06:13.860000
On the EXIF page, we see the image, thumbnail details, and finally, the

0:06:13.860000 --> 0:06:17.820000
GPS coordinates below.

0:06:17.820000 --> 0:06:20.920000
The thumbnail can be found here, and I guess you know who this fellow

0:06:20.920000 --> 0:06:28.180000
is. The map will show us where this photo was taken, which is New York.

0:06:28.180000 --> 0:06:45.980000
We can even zoom into the map using the plus button.

0:06:45.980000 --> 0:06:49.300000
Let's see if this photo has been modified in some way or another.

0:06:49.300000 --> 0:06:51.740000
This image has also been modified.

0:06:51.740000 --> 0:06:55.680000
The analysis shows us some x-ray of the original photo.

0:06:55.680000 --> 0:06:59.880000
And the Signatures page shows us the categories of signatures detected.
0:06:59.880000 --> 0:07:02.440000
Let's go back to the case page.

0:07:02.440000 --> 0:07:06.360000
As a reminder, you can see the status, the owner of the images, and the

0:07:06.360000 --> 0:07:08.240000
date of submission.

0:07:08.240000 --> 0:07:11.620000
If we go to the Not Owned page, we can find all the photos that have been

0:07:11.620000 --> 0:07:15.540000
added to this case, but not by the user ghiro.

0:07:15.540000 --> 0:07:18.680000
The Thumbnails page will give us the thumbnails for all the photos in

0:07:18.680000 --> 0:07:21.480000
this case, displayed on this page.

0:07:21.480000 --> 0:07:25.180000
Again, the Map page is superb.

0:07:25.180000 --> 0:07:28.040000
It now shows us all of the places that the photos related to this case

0:07:28.040000 --> 0:07:31.440000
were taken. This is quite a handy and helpful tool.

0:07:31.440000 --> 0:07:36.060000
If there are any favorite images, they will be shown here.

0:07:36.060000 --> 0:07:39.280000
The Search page is also very useful, especially when you want to search

0:07:39.280000 --> 0:07:40.540000
for a needle in a haystack.

0:07:40.540000 --> 0:07:45.440000
That is, searching for an image in a pile or a huge database of images.

0:07:45.440000 --> 0:07:49.060000
As you can see here, there are different search options.

0:07:49.060000 --> 0:07:52.100000
Let's find something useful to search for.

0:07:52.100000 --> 0:08:01.540000
For example, let's copy this MD5 hash value for this image, and then try

0:08:01.540000 --> 0:08:05.940000
searching for it.

0:08:05.940000 --> 0:08:09.880000
Let's select the MD5 hash type from this dropdown list, and paste the

0:08:09.880000 --> 0:08:11.460000
hash value here.

0:08:11.460000 --> 0:08:14.520000
Now, we'll click the green Search button below.

0:08:14.520000 --> 0:08:19.540000
As you can see, we have found the image whose MD5 hash value matches

0:08:19.540000 --> 0:08:21.060000
the hash we searched for.

0:08:21.060000 --> 0:08:23.100000
What a great tool!
0:08:23.100000 --> 0:08:29.880000
We can see its thumbnail or the map for the place where it was taken.

0:08:29.880000 --> 0:08:32.040000
Let's go back to the dashboard.

0:08:32.040000 --> 0:08:35.780000
Again, we see that we have only one user here and a single case named

0:08:35.780000 --> 0:08:41.400000
Case 1. Here is how many open cases we have, and here we can see the last

0:08:41.400000 --> 0:08:43.660000
analysis that was completed.

0:08:43.660000 --> 0:08:48.520000
Here are some resources for you to check, especially the paper presented

0:08:48.520000 --> 0:08:59.200000
at Black Hat. And this concludes the video lesson on Image Document Analysis

0:08:59.200000 --> 0:09:03.860000
Using Ghiro. I hope you found the video useful and saw the greatness of

0:09:03.860000 --> 0:09:06.840000
using Ghiro for your image forensic analysis.

0:09:06.840000 --> 0:09:07.880000
Thanks for joining us.