Introduction

We covered an introduction to digital forensics. We talked about what is considered digital evidence, what is collected at the crime scene, what the chain of custody is, and how digital evidence is stored, processed and analyzed. We took a practical example of analyzing the metadata of files in PDF and JPG format: we extracted EXIF data from the image and metadata from the PDF document. This was part of the “Intro to Cybersecurity” track on TryHackMe.

Digital Forensics Explained

I started by explaining that digital forensics is a branch of defensive security, much like traditional forensic science that you might see at a crime scene. However, instead of dealing with physical evidence like DNA, I focused on digital assets such as laptops, disks, USB drives, smartphones, and tablets. My main goal in digital forensics is to extract digital evidence from these assets. I mentioned that investigations can be carried out in both the public sector (by governments) and the private sector (by companies, often for corporate violations like information theft).

My Digital Forensic Process

I then walked through the crucial steps involved in a digital forensic investigation:

  1. Legal Authorization: The very first and most important step is to obtain legal permission to access the crime scene and any digital assets involved.
  2. Chain of Custody: This is a vital document that I use to record all digital items found at the crime scene. It also lists the names of all authorized individuals, such as the forensic team and legal team, who are allowed to handle the evidence. Maintaining the integrity of this chain is paramount; if an unauthorized person accesses the evidence, the chain is “broken,” and the evidence could become inadmissible in court.
  3. Collection and Transportation: Once collected, digital assets are placed in a secure container and transported to a specialized digital forensic lab.
  4. Creating a Forensic Copy: In the lab, I create a forensic copy (also known as an image or clone) of the original evidence. To ensure that the copy is an exact replica and that the evidence’s integrity is maintained, I calculate hashes (like SHA256) for both the original and the copy. This confirms their contents are identical. After this, the original evidence is returned to secure storage, and all subsequent analysis is performed on the copy. I mentioned that tools like FTK Imager and Cellebrite can be used for this process.
  5. Analysis: Finally, I analyze the copied data to extract the relevant evidence.
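Step 4 above is the one that is easiest to get wrong quietly, so here is a small added example (my own illustration, not code from TryHackMe or from FTK Imager/Cellebrite) of what “calculate hashes for both the original and the copy” looks like in practice. It streams each file through SHA-256, compares the digests, and returns a record that can be pasted into the chain-of-custody document. The evidence bytes and file names are constructed placeholders; in a real case the paths would point at the seized device (or its read-only mount) and at the image the acquisition tool produced.

```python
import hashlib
import os
import tempfile

# SHA-256 is the algorithm mentioned in the process above; any hashlib name works.
HASH_ALGORITHM = "sha256"
CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a large disk image is never loaded whole


def hash_bytes(data, algorithm=HASH_ALGORITHM):
    """Hex digest of an in-memory byte string (handy for unit checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm=HASH_ALGORITHM):
    """Hex digest of a file, computed chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_forensic_copy(original_path, copy_path, algorithm=HASH_ALGORITHM):
    """Hash the original evidence and its image and report whether they match.

    The returned dict holds everything the chain-of-custody record needs:
    algorithm, both digests, and the verdict.
    """
    original_digest = hash_file(original_path, algorithm)
    copy_digest = hash_file(copy_path, algorithm)
    return {
        "algorithm": algorithm,
        "original": original_digest,
        "copy": copy_digest,
        "match": original_digest == copy_digest,
    }


def demo():
    """Constructed demonstration: one faithful copy and one corrupted copy.

    Returns (match_for_good_copy, match_for_bad_copy), i.e. (True, False).
    """
    # Constructed evidence content; not a real file from the room.
    evidence = b"constructed evidence bytes: ransom_letter.pdf placeholder\n" * 1000
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.bin")
        good_copy = os.path.join(workdir, "image_good.dd")
        bad_copy = os.path.join(workdir, "image_bad.dd")
        with open(original, "wb") as f:
            f.write(evidence)
        with open(good_copy, "wb") as f:
            f.write(evidence)
        with open(bad_copy, "wb") as f:
            # A single changed byte at the end is enough to break the match.
            f.write(evidence[:-1] + b"X")
        good = verify_forensic_copy(original, good_copy)
        bad = verify_forensic_copy(original, bad_copy)
    return good["match"], bad["match"]


if __name__ == "__main__":
    print(demo())
```

The check is deliberately symmetric: both the original and the image are hashed from scratch rather than trusting a digest printed by the imaging tool, because the point of the exercise is an independent confirmation that the copy you will analyze is bit-for-bit the thing that was seized.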

Practical Example

To illustrate the process, I presented a scenario: a cat was kidnapped, and the kidnapper sent a ransom note as an MS Word document, which was then converted to a PDF, and an image was extracted from it. My evidence, in this case, consisted of a PDF file and an image file, and my goal was to extract metadata from them. I explained that metadata is information embedded within a file, such as creation date, modification date, author, operating system, and for images, details like camera model, time taken, and sometimes even GPS coordinates.

Analyzing the PDF (Ransom Letter)

I used the following command on the terminal to extract metadata from the PDF file:

  • pdfinfo ransom_letter.pdf

From this, I extracted details like the title (“Ransom Letter”), the author (“Ann Greb,” though I noted this might not be the real name), and the creator (Microsoft Word 2016, indicating the original software). The creation and modification dates were also crucial timestamps that I extracted.

Analyzing the Image

For the image, I used a command similar to:

  • exiftool image.jpg

This command helps extract EXIF data, which is a type of metadata specific to images. I found timestamps, camera information (e.g., Canon EOS R6), and the software used (like Adobe Systems, suggesting potential editing). Most importantly, I extracted GPS Coordinates (e.g., 51 deg 31' 2.23" N, 0 deg 5' 48.28" W). I demonstrated how these coordinates could be entered into Google Maps to pinpoint the physical location where the photo was taken, which in this example, turned out to be “Milk Street” in London.

I concluded by emphasizing that timestamps and technical details like camera models are incredibly important in digital forensics, as they can be correlated with other findings during an investigation.
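To make the two metadata steps above (pdfinfo on the ransom letter, exiftool on the image) repeatable, here is an added example of my own, not code from TryHackMe, pdfinfo or exiftool. It parses the “Key: value” text those tools print, converts the degrees/minutes/seconds coordinates exiftool shows (the 51 deg 31' 2.23" N, 0 deg 5' 48.28" W from the walkthrough) into signed decimal degrees, and turns the EXIF timestamp into a datetime so it can be correlated with other findings. The two sample outputs are constructed to look like the real tools' output; the title, author, creator and camera model are the values discussed above, while the dates and the software version string are placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the shape pdfinfo prints. Dates are placeholders.
PDFINFO_OUTPUT = """\
Title:          Ransom Letter
Author:         Ann Greb
Creator:        Microsoft Word 2016
Producer:       Microsoft Word 2016
CreationDate:   Mon Jan  1 12:00:00 2024 UTC
ModDate:        Mon Jan  1 12:05:00 2024 UTC
Pages:          1
"""

# Constructed sample in the shape exiftool prints (key, colon, value).
EXIFTOOL_OUTPUT = """\
File Name                       : image.jpg
Make                            : Canon
Camera Model Name               : Canon EOS R6
Software                        : Adobe Photoshop (placeholder version)
Create Date                     : 2024:01:01 11:30:00
GPS Latitude                    : 51 deg 31' 2.23" N
GPS Longitude                   : 0 deg 5' 48.28" W
GPS Position                    : 51 deg 31' 2.23" N, 0 deg 5' 48.28" W
"""

# First colon separates key from value; later colons (in dates) belong to the value.
KEY_VALUE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
# Degrees/minutes/seconds plus hemisphere, as exiftool prints them.
DMS = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")


def parse_key_values(text):
    """Turn pdfinfo- or exiftool-style 'Key : value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def dms_to_decimal(dms_text):
    """Convert a DMS coordinate string to signed decimal degrees (S and W negative)."""
    m = DMS.search(dms_text)
    if not m:
        raise ValueError(f"not a DMS coordinate: {dms_text!r}")
    degrees, minutes, seconds, hemisphere = m.groups()
    value = int(degrees) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemisphere in "SW" else value


def parse_exif_date(value):
    """EXIF dates are printed as YYYY:MM:DD HH:MM:SS with no timezone."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


def summarize_pdf(pdfinfo_text):
    """Pick out the fields the walkthrough relied on."""
    fields = parse_key_values(pdfinfo_text)
    return {k: fields.get(k) for k in ("Title", "Author", "Creator", "CreationDate", "ModDate")}


def summarize_image(exif_text):
    """Camera, editing software, timestamp and decimal GPS position."""
    fields = parse_key_values(exif_text)
    lat = dms_to_decimal(fields["GPS Latitude"])
    lon = dms_to_decimal(fields["GPS Longitude"])
    return {
        "camera": fields.get("Camera Model Name"),
        "software": fields.get("Software"),  # editing software suggests the image was modified
        "created": parse_exif_date(fields["Create Date"]),
        "latitude": round(lat, 6),
        "longitude": round(lon, 6),
        # Standard Google Maps query URL; opening it plots the point on the map.
        "map_url": f"https://www.google.com/maps?q={lat:.6f},{lon:.6f}",
    }


if __name__ == "__main__":
    print(summarize_pdf(PDFINFO_OUTPUT))
    print(summarize_image(EXIFTOOL_OUTPUT))
```

To use it on real output, replace the two constants with the captured text of `pdfinfo ransom_letter.pdf` and `exiftool image.jpg`; the parser does not care about column alignment, only about the first colon on each line. Note that the EXIF timestamp carries no timezone, so before correlating it with the PDF's creation date you need to establish which timezone the camera was set to.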

TryHackMe Room Answers

Consider the desk in the photo above. In addition to the smartphone, camera, and SD cards, what would be interesting for digital forensics?


It is essential to keep track of who is handling it at any point in time to ensure that evidence is admissible in the court of law. What is the name of the documentation that would help establish that?

Using pdfinfo, find out the author of the attached PDF file.

Using exiftool or any similar tool, try to find where the kidnappers took the image they attached to their document. What is the name of the street?


What is the model name of the camera used to take this photo?


Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
