Today, we’ll discuss a very well-known tool written by Phil Harvey. ExifTool is an extensively used tool to look at metadata from various types of files. It supports reading metadata from common file formats such as GPS, image files from many different digital cameras, video files, Microsoft Office files and many more. It’s freely available and can be downloaded from www.exiftool.org.
Once we download the tool and install it on our machine, we can run the command ‘exiftool’.
If we can get an overview of the tool, we’ll know that we installed it correctly. The overview shows a lot of the options and capabilities of exiftool. You should see something like the screenshot below.
Now that we know it’s up and running, we can use the command ‘exiftool’ followed by the path to our file of interest. In this instance, I created a Microsoft Word document called “Test Doc 1.docx” for the purposes of this blog. The command is shown below.
Once we run exiftool without any options, we can see a lot of data being read and shown to the user. We can see the size, the modified, accessed and created times, the author and so much more. What it reads depends on the file format.
For the purposes of our blog, we’ll focus on the modified Date/Time stamps. So we’ll use the grep command to display only the metadata associated with Dates. This shows us the timestamps of the original file as if a user were to have created it.
Now that we’ve looked at our original timestamps, we can use the ‘touch’ command to change the timestamp to the current date and time. You can see the command below.
We can run the exiftool command again. It’s important to note that we haven’t actually double-clicked on the file or interacted with it in any way. We just used a terminal command to ‘touch’ the file. You can see below that the timestamps are now changed to when the touch command was run.
During this instance with the file, I accessed the file by opening it up. However, no changes were made, and then I closed the file. You can see that the File Inode timestamp was changed.
Next, I opened the document and made a change in the document by typing in a sentence. I then closed the document within the same minute as opening it up. You can see that all three timestamps were updated.
Another thing to note is that you can use the touch command to set a specific date and time for the file. In the example below we use the ‘-t’ option to specify a date of 11:50 pm. This is to show that a user can modify metadata to a specific date or time without ever opening up or interacting with the file.
After using the ‘-t’ option, we can see that the timestamps have been modified. Note that the Inode timestamp has not changed. Therefore, if you come across a discrepancy like this in your investigations, it’s something you’ll want to investigate further.
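The comparison described above can be scripted. This is an added example, not part of the original post: it reads the modification and inode change times with `stat` and flags a file whose inode change time is well after its modification time. The function names, the 60-second tolerance and the sample date are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag files whose inode change time (ctime) is much later
# than their modification time (mtime), the pattern left by `touch -t`.

# Print "<mtime> <ctime>" in epoch seconds.
# GNU stat (Linux) is tried first, then BSD stat (macOS).
file_times() {
    stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1"
}

# Usage: check_backdating FILE [TOLERANCE_SECONDS]
# Prints "DISCREPANCY ..." when ctime is more than TOLERANCE seconds
# (assumed default: 60) after mtime, otherwise "consistent ...".
check_backdating() {
    file=$1
    tolerance=${2:-60}
    times=$(file_times "$file") || return 2
    mtime=${times% *}
    ctime=${times#* }
    if [ $((ctime - mtime)) -gt "$tolerance" ]; then
        echo "DISCREPANCY mtime=$mtime ctime=$ctime file=$file"
    else
        echo "consistent mtime=$mtime ctime=$ctime file=$file"
    fi
}

# Demonstration on a constructed sample file.
demo() {
    sample=$(mktemp) || return 1
    check_backdating "$sample"        # fresh file: mtime and ctime match
    touch -t 202001012350 "$sample"   # constructed date: 1 Jan 2020, 11:50 pm
    check_backdating "$sample"        # mtime is now 2020, ctime is "now"
    rm -f "$sample"
}

demo
```

An inode change time later than the modification time also appears after ordinary operations such as a rename or a permission change, so a flagged file is a lead to follow up, not proof of tampering.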
With this blog, we only scratched the surface of using ExifTool to look at just a small set of metadata associated with a file. If we truly wanted to know if the file’s metadata or timestamps were modified by a user in an attempt to conceal or thwart an investigation, we would need access to additional artifacts located on the local machine. We could look at Terminal history, applications that were used, when applications were opened, or anything that was deleted.