Ghiro – Automated Image Forensics Tool

Ghiro is open source software for digital photo and digital image forensics. The forensic analysis is fully automated, and report data can be searched or aggregated from different perspectives.

The tool can be used in many scenarios: forensic investigators could use it on a daily basis in their analysis lab, but people interested in uncovering secrets hidden in images could also benefit.

Some use case examples are the following:

  • If you need to extract all data and metadata hidden in an image in a fully automated way
  • If you need to analyze a lot of images and you do not have much time to read the reports for all of them
  • If you need to search a bunch of images for some metadata
  • If you need to geolocate a bunch of images and see them in a map
  • If you have a hash list of “special” images and you want to search for them

All features can be controlled via the web interface. You can upload single images or batches of images, navigate reports, and get a quick or deep overview of image analysis. You can group images into cases, search for any kind of analysis data, search for photos near a GPS location, administer users, and view all images in the system. Main features include the following:

  • Metadata extraction – Metadata are divided into several categories depending on the standard they come from. Image metadata are extracted and categorized, for example: EXIF, IPTC, XMP.
  • GPS Localization – Image metadata sometimes embeds a geotag, a bit of GPS data providing the longitude and latitude of where the photo was taken; it is read and the position is displayed on a map.
  • MIME information – The image MIME type is detected so you know the image type you are dealing with, in both contracted (example: image/jpeg) and extended form.
  • Error Level Analysis – Error Level Analysis (ELA) identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level; if a difference is detected, it likely indicates a digital modification.
  • Thumbnail extraction – The thumbnails and data related to them are extracted from image metadata and stored for review.
  • Thumbnail consistency – Sometimes when a photo is edited, the original image is changed but the thumbnail is not. Differences between the thumbnails and the images are detected.
  • Signature engine – Over 120 signatures provide evidence about the most critical data to highlight focal points and common exposures.
  • Hash matching – You can provide a list of hashes, and all matching images are reported.
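To make the GPS Localization feature concrete, here is an added example (not Ghiro's own code) that reads a geotag straight from a JPEG's EXIF block using only the Python standard library and converts it to decimal degrees. The function names and the sample bytes from `build_sample()` are constructed for illustration.

```python
import struct

def read_ifd(tiff, off, bo):
    """Map tag -> raw 4-byte value/offset field for the IFD at `off`."""
    (count,) = struct.unpack_from(bo + "H", tiff, off)
    bases = (off + 2 + 12 * i for i in range(count))      # 12-byte IFD entries
    return {struct.unpack_from(bo + "H", tiff, b)[0]: tiff[b + 8:b + 12] for b in bases}

def dms_to_decimal(tiff, field, bo):
    """Follow the offset to three RATIONALs (deg, min, sec) and convert."""
    (off,) = struct.unpack(bo + "I", field)
    v = struct.unpack_from(bo + "6I", tiff, off)
    deg, minutes, sec = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    return deg + minutes / 60 + sec / 3600

def gps_from_jpeg(data):
    """Return (lat, lon) in decimal degrees, or None when there is no geotag."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    # Walk the marker segments until start-of-scan (0xDA) or end of data.
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (size,) = struct.unpack_from(">H", data, pos + 2)
        seg = data[pos + 4:pos + 2 + size]
        if data[pos + 1] == 0xE1 and seg[:6] == b"Exif\0\0":
            tiff = seg[6:]
            bo = "<" if tiff[:2] == b"II" else ">"        # TIFF byte-order mark
            ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            if 0x8825 not in ifd0:                        # 0x8825 = GPS IFD pointer
                return None
            gps = read_ifd(tiff, struct.unpack(bo + "I", ifd0[0x8825])[0], bo)
            if not {1, 2, 3, 4} <= gps.keys():            # lat/lon refs and values
                return None
            lat, lon = (dms_to_decimal(tiff, gps[t], bo) for t in (2, 4))
            return (-lat if gps[1][:1] == b"S" else lat,
                    -lon if gps[3][:1] == b"W" else lon)
        pos += 2 + size
    return None

def build_sample():
    """Constructed input: a bare JPEG wrapper around one EXIF GPS block."""
    tiff = b"II*\0" + struct.pack("<I", 8)                          # IFD0 at offset 8
    tiff += struct.pack("<HHHIIIH", 1, 0x8825, 4, 1, 26, 0, 4)      # GPS IFD at 26
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\0\0\0") + struct.pack("<HHII", 2, 5, 3, 80)
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"E\0\0\0") + struct.pack("<HHII", 4, 5, 3, 104)
    tiff += struct.pack("<13I", 0, 45, 1, 30, 1, 0, 1, 9, 1, 15, 1, 0, 1)  # 45°30'N 9°15'E
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Offsets that point outside the EXIF block raise `struct.error`, so a caller processing untrusted images should catch it and treat the file as having no usable geotag.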

You can read more and download this tool over here: https://github.com/ghirensics/ghiro
