Forensic analysis of JPEG images
Grey Panthers Savannah (https://grey-panther.net), Mon, 11 Jan 2010
https://grey-panther.net/2010/01/forensic-analysis-of-jpeg-images.html

Recently I became aware of the Hackerfactor blog, especially the posts related to discovering image manipulation. It is interesting to read what one can deduce from an image, even without using such “obvious” information sources as image metadata (I say “obvious” because it seems it isn’t obvious at all to most people – but at least metadata can be sanitized automatically). So here are the links to the tools he recommends:

You might also find this paper interesting.

All in all, the most interesting thing for me was the fact that professional image manipulators (ok, I just made that term up, meaning “people who know the keyboard shortcuts in Photoshop”) repeatedly re-save the same image in lossy formats like JPEG, thus compounding the loss of quality. Then again, one should never underestimate human stupidity.

Picture taken from Elsie esq.’s photostream with permission.

The leaked Microsoft COFEE product
Grey Panthers Savannah, Mon, 09 Nov 2009
https://grey-panther.net/2009/11/the-leaked-microsoft-cofee-product.html

So, the Microsoft COFEE (Computer Online Forensic Evidence Extractor) tool was leaked. I took a quick look at it, and – as expected – there is nothing “magical”, “secret” or “backdoorish” about it (even though I love the picture which comes with the Gizmodo article, the text itself is complete and utter BS – COFEE isn’t a tool “that helps law enforcement grab data from password protected or encrypted sources” as the article claims).

So what is Microsoft COFEE?

  • it is a collection of information-gathering tools which are either built into Windows (e.g. net, arp, ipconfig) or can be freely downloaded from the Microsoft website (e.g. pslist)
  • it contains simple case-management software which helps users prepare a USB stick that needs to be inserted into the target computer, and manage the collected information
  • the software on the USB stick is executed either using the autorun mechanism or by manually launching it. There is no built-in functionality to bypass passwords or other protection mechanisms
  • it also contains a detailed analysis of the registry / filesystem fingerprint of each tool (this is important if the other party argues that running the tool caused modifications to the system which are pertinent to the case)

Conclusion: there is no magical pixie dust here, move along! (In fact, it is quite similar to the winenum Metasploit script.)

PS/Update: regarding the “defense” against these tools: first of all, they all seem to be user-mode tools. This means that they probably have limited capability of detecting kernel-mode rootkits. Also – from what I’ve seen – they are all public tools, so there is a good chance that there exists malware out there which “defends” itself against this software. Again, no magic.

Now before you conclude that this is utterly useless – if I were an IT forensicator :-p, I would prefer having this data to having no data at all. It will give you some basic idea of the system (or of the network, for that matter, if run on every PC) which may enable you to come back with a very precise target in mind.

Picture taken from raddaqii’s photostream with permission.
