Digital Forensics: Metadata

Digital Forensics is one of the most important cybersecurity areas, being a branch of forensic science on the recovery, collection and investigation of evidence on digital devices and storage media in relation to cybercrime.

In this blog, i will give a short introduction on what metadata is and provide some tools that you can use to extract and analyse metadata too. This blog will contain some digital forensic tools that are available on the SIFT Workstation created by the SANS Institute. To play around with some of the tools you can visit the link here: https://www.sans.org/tools/sift-workstation/

Metadata quite simply, can be seen as data that can provide information about other data.

Metadata is extremely important to collect for evidence as it can contain vital information of crime activity such as time, location, when something was accessed and much more. Therefore, evidence must be preserved carefully in order to avoid tampering of such evidence that can be later used in court.

3 fun tools that you can use to extract and analyse metadata are as follows:

1. Exiftool

Exiftool is a command line tool written by Phil Harvey in Perl.

It is one of the most used metadata tools as it can read, write and edit metadata information in an easy way. It supports multiple image and file formats including one’s from cameras such as Nikon, Casio and Canon. It can convert output in many languages and automatically backs up the original image so evidence can be maintained.

To examine metadata in raw format you would type ‘exiftool [image file]’.

Exiftool Test.jpg is a picture taken on a Pixel 4a phone

In the example above, we examined an image named ‘Test.jpg’. It included metadata information such as the date of when the image was taken which was May the 5th 2021. We can also see that the picture was taken on a Google Pixel 4a and that the file was recently accessed on the 20th October 2021. Other metadata features include the Image Height and Width, Shutter Speed and much more. Unfortunately, my picture does not show the GPS Coordinates of where the picture was taken but it may be possible to find on a picture taken on a real camera!

2. FireEye Redline

FireEye Redline is a great security endpoint tool created by the cybersecurity company ‘Fireye’. This tool allows forensic investigators to investigate memory and files of a specified host for Windows 10 systems. The tool collects information on the running processes from memory, registry data, system metadata, files, network information, event logs, services, tasks, browser history and much more in order to create a proper threat assessment.

As a result, the tool allows for a series of scripts that will automate collection of forensic data from a system. There are 3 types of collectors that are available within the tool.

1. Standard Collector — Configures scripts to gather the minimum data for an analysis including memory2. Comprehensive Collector — Gather most of the data that Redline collects and analyses. This option is usually used for a full analysis which is what most digital forensic investigators use. This includes memory, disk, network and system information.3. IOC Collector — Collects data from Indicators of Compromise. This includes hashes, domain names, IP’s that are suspicious.

To use this tool, in this blog as an example we will first select the standard collector option for a semi disk analysis of our target windows VM before analysing.

We will get the option to acquire memory which should always be checked. ‘Edit your script’ allows us to edit what we want to collect including browser data and disk/system information. We can then specify the collector location which we will save in our Music Directory within the folder ‘Collector’.

After this, the scripts for gathering information on our host system will be saved in our ‘collector folder’. Running the ‘RunRedlineAudit.bat’ script will start the collection of our forensic evidence we want collected of our target machine. The collected data/evidence will be saved in a new folder called ‘Sessions’ where we can now analyse our target system through the finished file ‘AnalysisSession1.mans’.

Opening our ‘AnalysisSession1.mans’ file via Redline we can take a look at the data collected for us from this comprehensive collector. We have multiple options, in this case we will click on ‘I am Investigating a Host Based on an External Investigative Lead’ for further analysis.’

We can now find the forensic evidence collected by Redline including system metadata, timeline, browser data, logs registry and much more. More options can be provided when doing a comprehensive collector analysis such as device and network information and deleted files!

3. SquirrelGripper.pl

This tool is created from cheeky4n6monkey (Adrian Leong), and is available on the SANS SIFT Workstation VM with a multitude of other forensic tools. Squirrelgripper is a script written in pearl that extracts exif metadata from a directories file into an SQL Database.

We can see the options via the help options by typing squirrelgripper.pl -h.

If you have issues getting the tool to work you may need to install DBD::SQLite and DBI via the commands: ‘sudo cpan DBD::SQLite’ and ‘sudo cpan DBI’ on your workstation beforehand.

For our example, we will create a new database called ‘test.sqlite’ with case ‘CaseABC’ to the files in the database with tags ‘fraud-docs’. We are getting the files that we are extracting metadata from in the directory: /home/sansforensics/Squirreltest with 7 test files as seen above.

The command used in this demonstration: ‘squirrelgripper.pl -newdb -db test.sqlite -case caseABC -tag fraud-docs -dir /home/sansforensics/Squirreltest’

To access our new ‘test.sqlite’ database we can use sqlitebrowser via the command ‘sudo apt-get install sqlitebrowser’ and browse through the files. We are able to see File Type, path of the file name ‘AbsFileName’, the date/time data was extracted, case tag field and user tag field.

For table specifics we can select other tables such as the JPEGFiles table to see picture metadata. It includes a multitude of metadata features such as user comments, GPScoordinates, date of image creation, file size and much more. Other tables include XLSXFiles, DOCXFiles, PDFfiles, PPTXfiles for more metadata information that can be extracted from the tool squirrel gripper.

Thanks for reading my blogpost! For more digital forensic tools to analyse metadata and other artifacts, you can check out SIFT Workstation created by the SANS Institute.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.