Sunday Round up for this week, hope you enjoy it. Please contact me if you would like to be featured on security-sleuth.com :)Read More
This post looks at using Ghiro for automated forensic analysis of images. This is something I have been meaning to do for some time but I kept putting it off in favour of other projects bad move on my part. The great thing about Ghiro is unlike many other Security or Forensics tools its extremely easy to setup and use, making it perfect for everyone but this especially helps out Forensic investigators which may not be from a technical background and have a lot of images to analyse quickly.
As stated above Ghiro is quite easy to setup, you can download it from Git here. Once you have downloaded the Git Repository completing the setup requires you to start up some services essential for running Ghiro or you can do it the even easier way and download the Virtual appliance which is an .ova image and import it into some virtualisation software like Virtualbox or VMware which will then setup a prebuilt, preconfigured machine just for using Ghiro.
For this tutorial I used the .ova image so the setup effort was virtually 0. on startup you should see some screens which look like the below:
one setup simply enter the machines IP in the browser to get started you should see a login window like the below:
The dashboard is the first image you will be greeted with upon logging into Ghiro. Like any good dashboard it supplies a quick overview of open cases, lists all image successes / failures, recently analysed files and a user count. The dashboard s sort of splunk-ish which gives it a nice familiar feel for anybody who has spent any great deal of time trawling through dashboards.
Using Ghiro to analyse images
Ghiro is extremely simple to get started create a case, once you have created a case you can add images to the case. Heres what my inaugural case file looks like:
you can then either upload images from any machine which can access the page or add images via URL. Once the images are loaded Ghiro will start running its analysis against your saved images in a short period of time (literally less than a minute) you will have a detailed image analysis report for each image.
Below are some screenshots of Navigating Ghiros image analysis pages, note the hand geo-tagging features these are highly useful in creating timelines for your investigations.
I was able to find an image that still had all of its metadata intact heres segments of the report output which reveals some information about how it was created:
As you can see its pretty easy to pull up a wealth of information about an image - with a large set of images you can piece together a lot of information from somebody's image metadata.
Some issues with Ghiro
There were some minor issues with Ghiro but they are easily fixable here are the issues I encountered while using Ghiro:
When using the Add image from URL option there were some caveat’s with attempting to add images from certain photo hosting sites, some image hosting sites block the download attempts (flickr was quite good at this) so you may have to acquire these manually - depending on what you are investigating this may mean extra overhead for you to establish their authenticity / integrity of the image you are using.
Also these failed calls may crash the analysis engine which does all the cool work behind the scenes for you to fix this you simply need to restart the process which you can do by running the following command on the Ghiro server:
$ python /var/www/ghiro/manage.py process &
If your worried about playing with processes I noticed restarting the Ghiro server would also fix this issue.
Ghiro also intermittently would not be reachable by the web his happened about 2 -3 times but it quickly resolved itself.
Although this is far from an extensive tutorial on the inner works of image forensics which I’m sure I’ll cover in more detail soon. Ghiro provides a quick, easy and cost effective way to image forensics on almost any scale I hope you find this a useful addition to your toolbox if it isn't there already.
As always please let me know if found this article useful or if you didn't, Don’t forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!