A practical example of Digital Forensics
Maruf Farhan
CSC Tutor, University of Sussex ISC | Visiting Lecturer, Cybersecurity at Coventry University | Educator (Kingsley Institute of Management) | MSc Cybersecurity | CompTIA Sec+ Certified | Blockchain Researcher
Everything we do on digital platforms, such as laptops or mobile devices, leaves traces. Clearing everything does not always mean that you have removed everything from your device so that no one can trace you. Here I will show a practical example of how a digital forensics investigation is carried out.
Scenario 1: your beloved cat "Meow" has been kidnapped. You received a document in MS Word format in which the kidnapper demands a ransom. For convenience, the document has been converted to PDF and the image has been extracted from the MS Word file.
We saved the letter and the zip file on our Kali Linux system (local machine), in a folder created for the investigation.
Open Terminal:
root# cd /root/Rooms
root# cd introdigitalforensics
root# ls
letter-image.jpg  ransom-letter.doc  ransom-letter.pdf  ransom-letter-2.zip
On Debian- or Ubuntu-based machines, pdfinfo is usually installed by default, but if you are using Kali Linux and it is not installed, you need to install it manually. It is part of the poppler-utils package, so the command is:
# sudo apt install poppler-utils
Let's start with the findings:
When you create a plain text file (extension TXT), the operating system saves only basic metadata, such as the file creation date and the last modification date. When you use a more sophisticated editor, like MS Word, much more information is preserved within the file's metadata. There are several ways to read this information: you may either open the file in its native viewer or editor, or use a suitable forensic tool. Note that, depending on the PDF writer used, exporting the document to another format such as PDF will usually keep the majority of the original document's metadata.
Let's see what we can get from the PDF document. First, we can try to read the metadata with pdfinfo. pdfinfo displays various PDF metadata, including title, subject, author, creator, and creation date.
root: pdfinfo ransom-letter.pdf
Title: we have your meow
Author: Ann ghost
Creator: Microsoft® Word for Office 365
Producer: Microsoft® Word for Office 365
CreationDate: Wed Oct 10 21:47:53 2018 EEST
ModDate: Wed Oct 10 21:47:53 2018 EEST
Tagged: yes
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 20
Encrypted: no
Page size: 595.32 x 841.92 pts (A4)
Page rot: 0
File size: 560362 bytes
Optimized: no
PDF version: 1.7
The PDF metadata clearly shows that it was created using MS Word for Office 365 on October 10, 2018.
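To make concrete what pdfinfo is reading, here is an added example (my own code, not part of the original article and not from the poppler project) that parses the Info dictionary of a PDF by hand and converts the PDF date string into a timezone-aware timestamp. The PDF bytes are a constructed minimal file that copies the field values from the pdfinfo output above; it is not the actual ransom-letter.pdf.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF whose Info dictionary mirrors the pdfinfo
# output above. It is NOT the real ransom-letter.pdf, just the same fields.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (we have your meow)
   /Author (Ann ghost)
   /Creator (Microsoft Word for Office 365)
   /Producer (Microsoft Word for Office 365)
   /CreationDate (D:20181010214753+03'00')
   /ModDate (D:20181010214753+03'00') >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# /Key (literal string); backslash escapes are allowed inside the parentheses.
_ENTRY = re.compile(r"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", re.S)
# D:YYYYMMDDHHmmSSOHH'mm'  (everything after the year is optional)
_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                   r"([Zz+\-])?(\d{2})?'?(\d{2})?'?")


def pdf_info(data: bytes) -> dict:
    """Return the Info dictionary entries that pdfinfo prints.

    Follows the trailer's /Info reference to the object holding Title,
    Author, Creator, Producer and the dates. Classic Info dictionary only:
    XMP metadata and cross-reference streams are out of scope here.
    """
    text = data.decode("latin-1")
    ref = re.search(r"/Info\s+(\d+)\s+(\d+)\s+R", text)
    if not ref:
        return {}
    obj = re.search(r"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % ref.groups(), text, re.S)
    if not obj:
        return {}
    return {key: val.replace("\\(", "(").replace("\\)", ")")
            for key, val in _ENTRY.findall(obj.group(1))}


def parse_pdf_date(value: str) -> datetime:
    """Convert a PDF date string into a timezone-aware datetime.

    The trailing offset is what lets pdfinfo print 'EEST' above: +03'00' is
    UTC+3, so 21:47:53 local time is 18:47:53 UTC.
    """
    m = _DATE.match(value)
    if not m:
        raise ValueError("not a PDF date: %r" % value)
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))]
    sign, off_h, off_m = m.group(7), m.group(8), m.group(9)
    if sign in ("+", "-"):
        delta = timedelta(hours=int(off_h or 0), minutes=int(off_m or 0))
        tz = timezone(delta if sign == "+" else -delta)
    else:
        tz = timezone.utc          # 'Z' or no offset at all
    return datetime(*parts, tzinfo=tz)


if __name__ == "__main__":
    info = pdf_info(SAMPLE_PDF)
    for key, val in info.items():
        print("%-14s %s" % (key + ":", val))
    created = parse_pdf_date(info["CreationDate"])
    print("CreationDate as UTC:", created.astimezone(timezone.utc))
```

Two things are worth noticing. The author, creator and date fields are plain strings written by the producing application, so anyone can edit or blank them; an investigator corroborates them against other evidence rather than treating them as proof of who wrote the document. And the +03'00' offset is the reason pdfinfo reports the time in EEST, so record the UTC value when building a timeline.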
Photo EXIF Data
EXIF stands for Exchangeable Image File Format, a standard for saving metadata to image files. Plenty of information gets embedded in the image whenever you take a photo with your smartphone or digital camera. The following are examples of metadata that can be found in the original digital images:
Camera model / Smartphone model
Date and time of image capture
Photo settings such as focal length, aperture, shutter speed, and ISO settings
Because smartphones are equipped with a GPS sensor, finding GPS coordinates embedded in the image is highly probable. The GPS coordinates, i.e., latitude and longitude, would generally show the place where the photo was taken.
Many online and offline tools can read the EXIF data from images. One command-line tool is exiftool. ExifTool reads and writes metadata in various file types, such as JPEG images. If you are using Kali Linux and don't have exiftool installed, you can install it with:
# sudo apt install libimage-exiftool-perl
So let's find out about the image the kidnapper sent along with the zip file. First, open your terminal and check whether the tool is installed; if not, install it with the above command.
After that, in the terminal window, type the following command:
root: exiftool letter-image.jpg
After running the program, you will receive details about the software used, the dates, how many times the author tried to modify the information, the version of the application, the primary platform on which the kidnapper ran the application, etc.
If you take the GPS coordinates from the exiftool output and search one of the online maps, you will learn more about this location. So, with the help of Google Maps, we can check the coordinates and find out the sender's location, and the same output tells us which camera model was used for this photograph.
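The article does not reproduce the exiftool output, so here is an added example (my own code, not from the article and not from ExifTool) that builds a constructed JPEG carrying an APP1/Exif segment with a camera make and model, a capture date and GPS tags, then decodes it the way exiftool does and converts the latitude and longitude from degrees/minutes/seconds rationals into the decimal form that Google Maps accepts. The camera name, date and coordinates are made up; the tag numbers and the TIFF/IFD layout follow the EXIF specification.

```python
import struct

# Subset of the TIFF/EXIF tag tables that this example decodes.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element

# ---- building a constructed sample image (not the kidnapper's letter-image.jpg) ----
def _ascii(text):                       # type 2: NUL-terminated ASCII
    raw = text.encode("ascii") + b"\0"
    return 2, len(raw), raw

def _rational(pairs):                   # type 5: (numerator, denominator) pairs
    return 5, len(pairs), b"".join(struct.pack("<II", n, d) for n, d in pairs)

def _long(value):                       # type 4: one 32-bit unsigned integer
    return 4, 1, struct.pack("<I", value)

def _build_ifd(entries, base):
    """Serialise one little-endian IFD at TIFF offset `base`; values wider
    than 4 bytes are stored in a data area directly after the entry table."""
    data_off = base + 2 + 12 * len(entries) + 4
    table, extra = b"", b""
    for tag, (typ, count, raw) in entries:        # entries must be tag-sorted
        if len(raw) <= 4:
            field = raw.ljust(4, b"\0")
        else:
            field = struct.pack("<I", data_off + len(extra))
            extra += raw
        table += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", len(entries)) + table + b"\0\0\0\0" + extra

def build_sample_jpeg():
    """SOI + APP1/Exif (IFD0 and a GPS IFD) + EOI: the skeleton of a camera JPEG."""
    gps = [(0x0001, _ascii("N")),
           (0x0002, _rational([(52, 1), (12, 1), (1800, 100)])),  # 52 deg 12' 18.00"
           (0x0003, _ascii("E")),
           (0x0004, _rational([(0, 1), (7, 1), (1200, 100)]))]    #  0 deg  7' 12.00"
    def ifd0(gps_off):
        return _build_ifd([(0x010F, _ascii("ExampleCam")),
                           (0x0110, _ascii("ExampleCam X1")),
                           (0x0132, _ascii("2018:10:10 21:47:53")),
                           (0x8825, _long(gps_off))], 8)
    gps_off = 8 + len(ifd0(0))          # GPS IFD is appended right after IFD0
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0(gps_off) + _build_ifd(gps, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

# ---- reading it back, the way exiftool does ----
def _read_ifd(tiff, off, names, end):
    """Decode the IFD at `off`; `end` is '<' or '>' from the byte-order mark."""
    count, = struct.unpack_from(end + "H", tiff, off)
    out = {}
    for i in range(count):
        entry = off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, entry)
        size, pos = TYPE_SIZE.get(typ, 1) * n, entry + 8
        if size > 4:                    # value field holds an offset instead
            pos, = struct.unpack_from(end + "I", tiff, pos)
        raw = tiff[pos:pos + size]
        if typ == 2:
            val = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            val = [a / b if b else float("nan") for a, b in struct.iter_unpack(end + "II", raw)]
        elif typ in (3, 4):
            val = struct.unpack(end + {3: "H", 4: "I"}[typ] * n, raw)
            val = val[0] if n == 1 else list(val)
        else:
            val = raw
        out[names.get(tag, tag)] = val
    return out

def read_exif(jpeg):
    """Walk the JPEG marker segments, find APP1/Exif, decode IFD0 and the GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            tiff = body[6:]
            end = "<" if tiff[:2] == b"II" else ">"
            exif = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], IFD0_TAGS, end)
            if "GPSInfo" in exif:
                exif["GPS"] = _read_ifd(tiff, exif.pop("GPSInfo"), GPS_TAGS, end)
            return exif
        pos += 2 + length
    return {}

def gps_decimal(exif):
    """Degrees/minutes/seconds rationals -> signed decimal degrees for a map lookup."""
    gps = exif.get("GPS", {})
    if "GPSLatitude" not in gps or "GPSLongitude" not in gps:
        return None
    def dms(vals, ref):
        d, m, s = vals
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg
    return (dms(gps["GPSLatitude"], gps.get("GPSLatitudeRef", "N")),
            dms(gps["GPSLongitude"], gps.get("GPSLongitudeRef", "E")))

if __name__ == "__main__":
    exif = read_exif(build_sample_jpeg())
    for key, val in exif.items():
        print("%-16s %s" % (key + ":", val))
    print("Decimal coordinates:", gps_decimal(exif))
```

Paste the decimal pair into a map search to see where the photo was taken. As with the PDF fields, EXIF is ordinary data inside the file: it is absent when the phone's location service was off, and it is easily stripped or rewritten, so the location and camera model are leads to corroborate, not conclusive proof on their own.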
Now we can send all the details to the local police, and we will see the kidnapper behind bars. This is how basic digital forensics works: with the help of a few commands, we can track down the culprit and solve the case digitally.