Forensic Analysis of Videos and Images

How to handle and analyze a video or image to use it as digital evidence

Problem

Videos or images have been delivered to the Helpline with a request to get information about these files to use them as digital evidence or identify malware.

Besides the problems highlighted in Article #252: Forensic Handling of Data, we must also consider the Helpline’s limitations and scope regarding these cases, and that we might not qualify as expert witnesses despite the findings obtained from the analysis.

Clarify the primary goal of the analysis before proceeding with further actions: does the client only want to verify the file information? Do they want to know if the video or images could have been manipulated or modified? Do they suspect that the file is infected?

Case 1: Acquire and preserve evidence to present in a court: please check with the Helpline management to decide how to proceed with this kind of case. Probably, you will need to reach out to a company specialized in forensics that has experience with the laws of the specific country.

Case 2: Malware analysis or other scenarios:

Read Article #252: Forensic Handling of Data before proceeding with any action related to this kind of case. This article should always be followed to avoid any alteration of the evidence collected.

Explain to the client the Helpline’s approach, limitations, and scope regarding this kind of case. If the client has the possibility or resources to hire a specialist or contact another organization with a forensic lab, advise them to do so (we can suggest some contacts among CiviCERT partners). Please keep in mind (and explain this to the client) that we might not qualify as expert witnesses despite the findings obtained from the analysis.

If the client agrees to continue with our service, please explain to them the technical and legal implications: explain the concept of the chain of custody and specific legal requirements/procedures depending on the country’s legal code. Also mention that the acquisition and analysis procedures would require additional preparation and technical capacity from both sides (the client’s and ours), as the files should be sent in a secure way that ensures their integrity (therefore we should establish a secure communication channel with the client). Some procedures will require some technical knowledge (for example, the byte-copy method) but others are easier to perform (such as getting the hash of the files). So we should assist the client to determine if they should get in-person assistance to perform these actions or are skilled enough to do it by themselves with our remote support.

Information about the delivery of the files: ask the client for as much information as possible about how they got these files and how they stored them. We need to gain the context about the videos/images acquisition, so please ask the client to provide the following information:

- How did you receive these videos (i.e., through email, external storage devices, etc.)?
- What available operating system and machines are you able to use to handle the files or send them to us?
- Has any documented compression/decompression operation been performed?
- Did you verify the integrity of the files upon their reception?
- Did you generate a master hash of each of the files?

If, based on the replies to the questions above, the client shows they’re capable of extracting the hashes of the files, we should provide them with instructions on how to do it correctly (see next step).

Before proceeding with any action, it is required to document the hash of the first copy of the files received by the client. Therefore, we first need to ask the client to obtain the hash and communicate it to us. When we receive the files, we will then need to generate the hash of the received copy and compare it to the one the client sent. In this way, we can verify the integrity of the files to make sure that what we received is identical to what the client sent.

Guide the client through the steps needed to generate a hash of the files following the instructions in the “Generate the Hash of a File” section of Article #366: How to Check the Integrity of a File.

Since we may want to trace back the origin of the files and run some tests, we need a byte-copy of the device (USB stick, external HDD, SD card, etc.) where these documents were delivered to the client in order to perform a full analysis. Metadata analysis can be done just with the document, even if we received it through a cloud service or email, but don’t forget to verify the hashes of the files before performing any test.

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.
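The receive-and-compare hash step described above, sketched as an added example; it is not part of the original article or the Helpline's own tooling. It assumes SHA-256, a client manifest in `sha256sum` layout and a flat delivery folder, none of which the article specifies, and the function names are illustrative.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks, read-only, so large videos never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum layout; an assumed manifest format)."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(maxsplit=1)
            expected[name.strip().removeprefix("*")] = digest.lower()
    return expected

def verify_delivery(folder, manifest_text):
    """Return one record per file: MATCH, MISMATCH, MISSING, or UNLISTED."""
    folder, expected = Path(folder), parse_manifest(manifest_text)
    on_disk = {p.name: sha256_file(p) for p in folder.iterdir() if p.is_file()}
    records = []
    for name in sorted(set(expected) | set(on_disk)):
        client, ours = expected.get(name), on_disk.get(name)
        if client is None:
            status = "UNLISTED"   # no reference hash from the client: cannot be vouched for
        elif ours is None:
            status = "MISSING"    # listed by the client but absent from the delivery
        else:
            status = "MATCH" if ours == client else "MISMATCH"
        records.append({"file": name, "client_sha256": client, "received_sha256": ours,
                        "status": status, "checked_utc": datetime.now(timezone.utc).isoformat()})
    return records

if __name__ == "__main__":
    # Constructed sample delivery: two files on disk, three entries in the client's manifest.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clip.mp4").write_bytes(b"constructed sample video bytes")
        Path(tmp, "photo.jpg").write_bytes(b"constructed sample image bytes, altered")
        manifest = "\n".join([
            hashlib.sha256(b"constructed sample video bytes").hexdigest() + "  clip.mp4",
            hashlib.sha256(b"constructed sample image bytes").hexdigest() + "  photo.jpg",
            "0" * 64 + "  missing.mov"])
        for rec in verify_delivery(tmp, manifest):
            print(rec["status"].ljust(8), rec["file"])
```

The returned records carry both hashes and a UTC timestamp, so they can be stored with the case notes as the documented hash of the received copy.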