Digital Forensics: Metadata

1. Exiftool

Exiftool is a command line tool written by Phil Harvey in Perl.

Exiftool Test.jpg is a picture taken on a Pixel 4a phone

2. FireEye Redline

FireEye Redline is a great security endpoint tool created by the cybersecurity company ‘Fireye’. This tool allows forensic investigators to investigate memory and files of a specified host for Windows 10 systems. The tool collects information on the running processes from memory, registry data, system metadata, files, network information, event logs, services, tasks, browser history and much more in order to create a proper threat assessment.

1. Standard Collector — Configures scripts to gather the minimum data for an analysis including memory2. Comprehensive Collector — Gather most of the data that Redline collects and analyses. This option is usually used for a full analysis which is what most digital forensic investigators use. This includes memory, disk, network and system information.3. IOC Collector — Collects data from Indicators of Compromise. This includes hashes, domain names, IP’s that are suspicious.


This tool is created from cheeky4n6monkey (Adrian Leong), and is available on the SANS SIFT Workstation VM with a multitude of other forensic tools. Squirrelgripper is a script written in pearl that extracts exif metadata from a directories file into an SQL Database.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ben Lee

Ben Lee


I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.