Scenario

Our suspect seems very careful with leaving traces behind, especially when it comes to tracking him down and identifying locations visited. In this lab, we will use the evidence found on his USB, which we found recently in one of the motels he was staying in. We will focus this time on extracting and analyzing EXIF data instead of file headers like we did in previous labs. We will also see how useful EXIF data is when analyzing files and especially photos. Analyzing EXIF data is extremely important especially in our case since we want to track down our suspect. EXIF data analysis is not useful just for tracking, but if you have a child abuse/pornography case or any other case that involves digital photos.

Goals

• Extract and analyze EXIF data from files of interest

• Extract and analyze EXIF data from photos

• Identify GPS coordinates using EXIF data

What you will learn

• How to use different tools to analyze EXIF data

• How to identify location and time when a photo was taken

• Generate a report of your findings

Recommended tools

• ExifReader, www.takenet.or.jp/~ryuuji/minisoft/exifread/english/

• Exiftool, https://www.sno.phy.queensu.ca/~phil/exiftool/

SOLUTIONS

Task 1: Discover File Types using Exiftool

In this part of the lab we are only required to extract the file type from the files we have on the suspect's USB [you can find the suspect's files at C:\DFP\Labs\Module3\Lab4]. I will be using Windows but you can use Linux to solve it easily too.

Let's now leverage exiftool's -filetype flag to extract the file type from the suspect's files. Simply open a cmd.exe terminal and execute the below, against each file in the Lab4 folder.

# cd C:\DFP\Tools\Metadata
# "exiftool(-k).exe" -filetype C:\DFP\Labs\Module3\Lab4\2D3Fa2a

Note: the output has been modified to fit this report without affecting the final understanding required.

2D3Fa2a File Type : PDF

AW3DXW File Type : JPEG

Mx#234 File Type : PPT

XFaWxVa File Type : PDF

ZC2f2d2 File Type : XLSX

Alternatively, on Linux, you could do the following, to speed things up:

# find -type f -print -exec exiftool -filetype {} \;

The command above searches for all files within the current working directory and prints the name of the file that was filtered based on the results of the exiftool utility (those results contain the file type). If you noticed, we asked exiftool to specifically print the File Type and not all of the EXIF information. So, as you can see, by now we have two basic ways of identifying a file; one using the Linux "file" command and the other using the "exiftool" utility.

Task 2: Analyzing File's EXIF Data

In this part, we were asked to extract the Tool Version, File Size, File Creation Date, File Type, Producer, Creator and Author, and finally the Product information out of the files we found. For understanding purposes, we will focus on the five different files below:

1. 2D3Fa2a
2. AW3DXW
3. Mx#234
4. XFaWxVa
5. and ZC2f2d2

The basic way of using the exiftool utility on Windows, is similar to the command used below:

# "exiftool(-k).exe" C:\DFP\Labs\Module3\Lab4\2D3Fa2a

As we saw in the previous part of the lab, this was a PDF file, and we found the following interesting information:

From the snapshot, we can gather the following useful information:

1. File Size: 140 KB
2. File Creation Date: 2017:08:11 04:45:30-07:00
3. File Type: PDF
4. Producer: Microsoft® Word 2016
5. Creator and Author: Ali Hadi
6. Product: Microsoft® Word 2016

Now, let us move on to checking the rest of the files and see what we found in each:

# "exiftool(-k).exe" C:\DFP\Labs\Module3\Lab4\AW3DXW

It was found that this is a JPEG image file with lots of useful information. Let us write down the basics:

1. File Size: 859 KB
2. File Creation Date: 2008:03:14 13:59:26.54
3. File Type: JPEG
4. Creator: Corbis

Those were only the basics, but we found other useful information such as the following:

1. Since we are dealing with an image, we found an "Artist" tag, not an author, and in this file, it also leads to "Corbis."
2. The "Thumbnail Offset" tag is extremely useful. The thumbnail could be used to check whether the original image was modified or not. So, we can extract it and compare it with the original image.
3. The "XMP Toolkit" tag describes the toolkit used, which we found here was "Adobe XMP Core 4.2-c020 1.124078, Tue Sep 11 2007 23:21:40".
4. We also found the "Date/Time Digitized" which was "2008:03:14 11:31:48.98-07:00". This gives us an idea when this image was stored in its digital format.
5. Maybe the "Copyright Notice" is useful too in cases related to photos. Anyway, we found the "© Corbis. All Rights Reserved." in this image.
6. We also found a "URL" within this image, which was "http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-17167222".
7. Finally, we can see the image width and height, which are 1024 and 768 respectively.

Let us move on to our third file.

# "exiftool(-k).exe" C:\DFP\Labs\Module3\Lab4\Mx#234

The results could be seen in the snapshot below.

Here we have the following useful information:

1. File Size: 381 KB
2. File Creation Date: 2017:08:11 12:34:53
3. Modification Date: 2017:08:11 12:34:57
4. File Type: PPT
5. Author:

First, the "Title" tag shows "PowerPoint Presentation," maybe not very useful, but it is good to check too. The "Software" used to create it was "Microsoft Office PowerPoint," has no hidden slides and the "Presentation Target" is a "Widescreen." Another important detail here is that we could also see the file was last modified by the author himself. So, the "Last Modified By" tag could come handy in other investigations, keep that in mind.

Let us check the fourth file:

# "exiftool(-k).exe" C:\DFP\Labs\Module3\Lab4\XFaWxVa

Here we have the following useful information:

1. File Size: 140 KB
2. File Creation Date: 2017:08:11 05:32:41-07:00
3. Modification Date: 2017:08:11 05:32:41-07:00
4. File Type: PDF
5. Software: Microsoft Office Word
6. Pages: 1

Now, a 1-page document might not always be malicious, but for example if the pdf document was supposed to be a proposal, then a one-page document is truly "suspicious".

Our final file is:

# "exiftool(-k).exe" C:\DFP\Labs\Module3\Lab4\ZC2f2d2

Here we have the following useful information:

1. File Size: 9.7 KB
2. File Creation Date: 2006:09:16 00:00:00Z
3. Modification Date: 2017:08:11 12:36:15Z
4. File Type: XLSX
5. Application: Microsoft Excel
6. Sheets: 2 (Sheet1 and Sheet2)

Task 3: Extracting Photos EXIF Data and Discovering GPS Coordinates

For this task, I won't be using the "exiftool" utility to solve the task, but another tool named "ExifReader" [located at C:\DFP\Tools\Metadata\exifr300_e]. I'm going to do that for two reasons; the first is that there always will be different ways and tools to solve a problem, and second, is to introduce you to ExifReader.

In this task, we have a couple of photos [located at C:\DFP\Labs\Module3\Lab4\pics] and we want to get an idea of the following:

1. What manufacturer does the camera belong to?
2. What is the camera model?
3. Was the flash used to take the photo or not?
4. If the camera was from a cellular phone, was it the rear or the front camera that was used?
5. What are the GPS coordinates of the camera at the time the photo was taken if any was found?
6. When was the photo taken?
7. What are the photo resolutions and was a thumbnail generated or not?

So, let us get started. We discovered six photos, let us check each one of them and see. Using ExifReader is very simple, all you need to do is either use the "open" button and navigate to the location where the photo of interest is found and select it, or just drag-and-drop the photo on top of the application and it will open it for you.

[IMPORTANT NOTE:]

The photos used in this task are only used to help understand the importance of EXIF information found in photos. The photos and people names used do not derive from a real crime or investigation. No harm is meant, this is for educational purposes only.

Opening the first photo "DSCN0025.jpg":

From the snapshots above, we can clearly answer the questions required:

1. From the "Make" tag, we can identify the camera manufacturer: Nikon

2. From the "Model" tag, we can identify the camera model: COOLPIX P6000

3. The "Flash" tag gives us an idea whether the flash was used or not, here it wasn't

4. It doesn't seem that this is a camera of a cellular phone

Now regarding GPS information, let us check that part:

1. Based on the "GPS Latitude" tag, we found: "43 deg 2806.114'" North

2. Based on the "GPS Longitude" tag, we found "11 deg 5253.8859999'" East

3. The photo was taken at "2008:10:23 14:41:49" and yes there was a thumbnail embedded within this photo.

4. The width and height of the photo are "640x480"

If you take these GPS coordinates and use Google Maps, you could identify the location where the photo was taken. This is extremely helpful in crime scenes or in cases where photos could be used to locate the suspect.

Now, if you noticed when checking the results, there are tags or item names that are unknown. This I believe is due to the fact that the tool has not been updated for a very long time. Now if we go back to exiftool and run it against our photo, we shall get more clear details and results.

You can save all the information you extracted to a Text or CSV file as seen in the snapshot below:

Let us move on to another sample.

Let us open another sample and check it out. This time I am going to open the photo "iphone_hdr_NO.jpg":

From the photos, we can see the following:

1. Image ImageWidth and ImageHeight are 3264 and 2448 respectively.

2. The camera manufacturer is Apple, and its Model is iPhone 6.

3. The Software used is 8.3.

4. The photo was created on 2015:04:10 20:12:23, based on the DateTimeOriginal tag.

5. The flash was not used here too.

Now let us check the GPS and additional information from the second snapshot:

1. The GPS coordinates seem to be Latitude "40 deg 2649.1'" North, and Longitude "3 deg 4329.11'" West.

2. We can see that this photo was taken from a back camera.

Before I move to solving Task #4, I want to show you what I found when opening the image02206.jpg using ExifReader:

Yes, as you noticed, I was not able to extract anything useful from the photo and if I didn't check another tool, I would have been fooled that this photo does not contain any EXIF data, while in reality it does. This is another example of why you should not rely on a single tool and it is far better to verify your work using another approach or tool.

Run exiftool against image02206.jpg and see for yourself...

Task 4: Generating a Data Sheet Report of Extracted Data

We have finished analyzing the evidence and let's say we want to generate a report with all the EXIF data we found within each file. We can do this using a lots of ways, and I already mentioned one in task #3 while using the ExifReader application. This time we will be generating reports using the exiftool utility.

The first approach is to generate a single report for each photo we have. This could be done using the following command (from within the photo's directory):

# "C:\DFP\Tools\Metadata\exiftool(-k).exe" -a -u -g1 -w %f.txt *.jpg

This will produce the following output:

6 image files read
6 output files created

And if you check the files, you will find that a .txt file has been created having the same file name as the one of each photo.

Finally, let us generate a single report with all the information within it, specifically let us make it a Comma-Separated Value (CSV) file. We could easily do that with the exiftool utility like this:

# "C:\DFP\Tools\Metadata\exiftool(-k).exe" *.jpg -csv > report.csv

This will produce a single file called "report.csv" that holds all the EXIF data found in each photo. You can use your favorite reader (ex: Microsoft Excel) to open and analyze the contents.

References:

Code Page, https://en.wikipedia.org/wiki/Code_page