Picture Forensics With Ghiro ApplianceSumit Shrivastava@NullMumbai

Myself

▪ Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.

▪ 2+ years of work experience in the field of Digital Forensics and Assessment

▪ Certifications– Computer Hacking and Forensics Investigator v8, EC‐Council– Certified Professional Forensics Analyst, IIS Mumbai– Certified Professional Hacker NxG, IIS Mumbai– Certified Information Security Consultant, IIS Mumbai– Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions

Today’s Special

▪ Introduction to Digital Forensics

▪ Digital Forensics Terminology

▪ Steganography

▪ Picture Forensics

▪ GhiroAppliance for Picture Forensics

Introduction to Digital Forensics

▪ What is digital forensics?– Digital Forensics is branch of Forensics science which deals with the examination 

of digital evidence, in a manner that the evidence is acceptable in court of law.

▪ Why digital forensics is requires?– Rise in Cyber crimes– Trace back the criminals– Preventive measures against the incidents

Terminologies

▪ Digital Evidence – Digital Evidence is the digital data stored on thedigital medium in any form which can be used in the court of lawduring trial

▪ Suspect – A person or a group of people thought of committing thecrime

▪ Accused – A person or a group of people who are charged with or ona trial for committing a crime

▪ Digital Fingerprint – MD5 / SHA1 hashes of the hard disk.

▪ Chain of Custody – A chronological document or paper trail,highlighting the seizure, custody, control, and transfer of evidence

▪ Security Incident – A warning that expresses the threat toinformation, computer security, or policies relating to computersecurity. This warning could also be pointing up that the threat isalready occurred.

Steganography

▪ The practice of concealing messages or information within othernon‐secret text or data.

▪ Origin– Steganos (Greek – covered)– + graphy (English)– = Steganographia (Modern Latin) ‐> Steganography (late 16th Century)

▪ The first recorded of this term was in 1499 by Johannes Trithemius inhis Steganographia, a treatise on cryptography and steganography,disguised as the ‘book of magic’.

Steganography Demo

Windows does that for me! 

Ghiro Appliance

▪ Ghiro is a digital picture forensics tool

▪ Fully Automated

▪ Open Source

▪ Developed by ‐Alessandro Tanasi & Marco Buoncristiano

▪ Current Version – 0.2.1

▪ Available as– Package– Virtual Appliance

Ghiro – Main Features

▪ Metadata Extraction – Metadata are divided in several categoriesdepending on standard they come from. For Example: EXIF, IPTC,XMP.

▪ GPS Location – Some images contain the geotags in the metadata,which defines the geo location where the image was shot

▪ MIME Format – It defines the type of image that is underexamination. For Example: image/jpeg, image/png, image/bmp.

▪ Error Level Analysis – ELA identifies the areas that are at differentcompression levels. The entire picture should be roughly at samecompression level. If a difference is detected, then it likely indicates adigital modification

▪ Thumbnail Extraction – The thumbnails and data related to them areextracted and stored for review.

▪ Thumbnail Consistency – Sometimes, when the original image isedited, the thumbnail does not change. This detects the differencebetween the thumbnail and the image in question

▪ Signature Engine – Over 120 signature provide evidence about mostcritical data to highlight focal points and common exposures.

▪ Hash Matching – While looking for an image, where only hash isprovided, this feature is of great help. It searches for all the imagewith that matches the provided hash.

Links and References

▪ Wikipedia

▪ ForensicsFocus

▪ Ghiro official website ‐ http://www.getghiro.org/

▪ Ghiro Download Links:– https://github.com/ghirensics/– http://www.getghiro.org/

Let’s put Ghiro into action

Thank You

Follow me @invad3rsam