ExifTool basics for DFIR

Introduction to EXIF Data

Exchangeable Image File Format (EXIF) data is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras and other systems. This metadata is mainly associated with images and provides critical information like camera settings, timestamps, and geolocation information. Traditionally it is used to help photographers catalogue images, ensure colour balance etc.

Like lots of modern technology, this has evolved beyond its original scope and, in DFIR, we use the term to cover a much broader range of metadata, including the fields found in Windows PE (Portable Executable) and Linux ELF (Executable and Linkable Format) files. This expanded functionality opens new avenues in cybersecurity and digital analysis, offering deeper insights into file structures and origins. In this article, we will give an overview of using ExifTool for DFIR purposes.

Understanding ExifTool

ExifTool is a powerful, versatile tool for manipulating metadata within various file types, including image, audio, and video files. Its capabilities extend to both reading and editing metadata, making it an indispensable tool for digital professionals.

Windows PE Header: An Overview

The Windows Portable Executable (PE) header is a fundamental component of Windows, originally specified in the 1980s. The term is used to describe the structure of Windows executables and Dynamic Link Libraries (DLLs), as well as some other file types (SYS, MUI, FON etc). The PE header includes a range of detailed information, such as the machine type, the number of sections, the size of the executable, and the entry point for the code. It is divided into multiple parts: an MS-DOS stub, the PE signature, the COFF file header, and an optional header. Each serves a distinct purpose in the executable's lifecycle. The COFF header provides basic information about the file, while the optional header delves into specifics like memory allocation and entry points. This structure allows the operating system to correctly load and manage the executable, playing a key role in the functionality and security of Windows applications. Understanding the nuances of the Windows PE header is vital for software developers, security analysts, and digital forensic experts, as it provides insights into how applications interact with the Windows operating system at a fundamental level.

Insights into Windows PE Metadata

Analysing the metadata in the PE header is often a goldmine of DFIR information. Even though it is possible to modify pretty much every field, some fields are frequently overlooked by attackers. As a result, you can use this data to identify things like timestamp manipulation (for example, a compilation timestamp that is later than the file creation timestamp), unusual language settings, or simply unusual compilation packages.

Linux ELF Header

The Executable and Linkable Format (ELF) is Linux's counterpart to Windows PE. The ELF header is essential for understanding the architecture, type, and memory layout of Linux executable files. You can read more about the ELF format in a previous article: https://www.linkedin.com/pulse/linux-incident-response-elf-files-taz-wake-lrt3e/

Linux ELF Metadata Unveiled

Metadata in Linux ELF files provides valuable information about the binary, such as its version, dependencies, and compilation details, crucial for compatibility and debugging purposes. However, it should be noted that ELF headers contain less DFIR-useful information than PE file headers.

Utilising ExifTool on Windows PE and Linux ELF Images

ExifTool can be effectively used to extract and analyse metadata from both Windows PE and Linux ELF images. This functionality is crucial in digital forensics and cybersecurity, aiding in the examination of executables for investigative purposes.

PE Header Metadata

Figure: Example PE header analysed with ExifTool running under Ubuntu Linux
Figure: Example PE header analysed with ExifTool running under Windows

The examples above use ExifTool to analyse the PE header for a file called ExplorerSuite.exe. The exact fields that would be useful will depend entirely on the investigation, but some key points include:

  • The File MACB timestamps are extracted from the underlying filesystem. The content here will depend on the filesystem you are using to investigate the file. In the first example above, the file was copied to a Linux partition on 3 January and analysed using the Ubuntu version of the tool. The second example is on the same file, moved to a Windows partition and then analysed with a Windows version of the tool. Note that each tool shows different timestamps - the Linux tool doesn't show the creation time and the Windows tool doesn't show the metadata (inode) change time. It also shows the difference in how NTFS and XFS manage timestamps when a file is copied. This is a very good example of why it is important to validate your tools.
  • The timestamp entry is set when the file is compiled. You might be able to detect malicious timestamp manipulation by comparing it to the filesystem timestamps: compilation should happen at more or less the same time the file is created, so MACB timestamps which pre-date the compilation timestamp are unusual. In Windows, this should also match the timestamp in the Shimcache.
  • At the end of the output is a collection of fields that can hold useful hints. For example, the Character Set can indicate if a non-standard alphabet has been used. The File Description and File Version are often completed by legitimate applications but less often completed by malicious ones. You can also look for typos or inconsistencies in the Product Name, Company Name, etc., fields.
  • Lastly, look for things that stand out within your organisation. For example, the string "This installation was built with Inno Setup" or references to Delphi, might be rare for legitimate applications in your environment.
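The PE layout described earlier (MS-DOS stub, PE signature, COFF header) and the timestamp comparison from the list above, as an added Python example that is not the article's own code and does not use ExifTool itself: it reads the COFF TimeDateStamp (the field ExifTool reports as Time Stamp) straight out of a constructed minimal PE header and flags any filesystem timestamp that pre-dates compilation. The sample bytes and the MACB values are constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone

def parse_pe_coff_header(data: bytes) -> dict:
    """Walk MS-DOS stub -> PE signature -> COFF header and return the COFF fields.
    Raises ValueError when the bytes do not follow the PE layout."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ stub")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "optional_header_size": opt_size,
        "characteristics": chars,
    }

def timestamp_anomalies(compile_time: datetime, fs_times: dict) -> list:
    """Names of filesystem timestamps (modify, birth, ...) that pre-date compilation.
    A file should not exist on disk before it was compiled, so any hit is worth a look."""
    return sorted(name for name, t in fs_times.items() if t < compile_time)

# Constructed sample, not a real executable: a 0x40-byte MZ stub whose e_lfanew
# points at a PE signature followed by an x64 COFF header with three sections.
COMPILE_EPOCH = 1704240000  # 2024-01-03 00:00:00 UTC (constructed)
SAMPLE_PE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
             + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x8664, 3, COMPILE_EPOCH, 0, 0, 240, 0x22))

def demo():
    hdr = parse_pe_coff_header(SAMPLE_PE)
    fs_times = {  # constructed MACB-style values for the sample file
        "modify": datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc),  # before compilation
        "birth": datetime(2024, 1, 4, 9, 30, tzinfo=timezone.utc),
    }
    return hdr, timestamp_anomalies(hdr["compile_time"], fs_times)

if __name__ == "__main__":
    header, suspicious = demo()
    print("compiled:", header["compile_time"].isoformat())
    print("filesystem timestamps older than compilation:", suspicious)
```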

Figure: Example ELF header analysed with ExifTool running under Ubuntu Linux
Figure: Example ELF header analysed with ExifTool running under Windows

As the examples above show, the data returned by an ELF file can be significantly less useful during an incident investigation. However, it is important to note this can vary depending on the binary and the nature of your incident. It is still useful, and important, to check files during an investigation.

Pranav Sankar

Lead Cyber Threat Intelligence || CISM || CHFI || CEH || ASI || Cloud Security || Endpoint Security || CTI & Hunting || Container Security || Digital Forensic || EKS Security

1y

Thanks for the share Taz Wake