Benjamin, Creator Of Metadata Interrogator

Ben, tell us a bit about yourself and how you got into digital forensics.

Hello! So in terms of background, I come from predominantly a law enforcement background, although I’ve also worked in counter-fraud in the private sector too. I’ve been lucky enough to work in a number of roles in a variety of countries, and I feel that it’s given me a broad insight into our field and the challenges we face.I started working in proper investigations at that strange time when everything was just starting to go ‘online’ – the move to dynamic web pages and online services. At that time, I had a lot of colleagues who rejected the idea of digital investigations/forensics (“the internet is never going to take off!”), and so due to just having a love of tech, I was always given any case that had a technical/digital element to it – and that was really how I began in digital forensics!

As the years have gone on, everyone now agrees that the majority of investigations have a digital element. Unfortunately, there are a lot of investigators who struggle to get to grips with the technical side of things and I know of dozens of occasions where some really simple digital forensics (such as metadata analysis!) would have pushed a case on, but it all got held up due to everything having to be sent to labs etc.

As such, I decided to create some tools which would be easy to use and understand by all, with the hope of furthering front line capabilities.

You've recently created Metadata Interrogator – tell us about the tool and what it does.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

I’ve found metadata invaluable throughout my career – it has given me invaluable intelligence in many cases, and singlehandedly helped close others. If anyone is in doubt (or wants a good case study) of the power of metadata, it’s worth reading up on the McAfee and Vice metadata fiasco!

The Metadata Interrogator is software designed to extract any and all metadata from as many file types as possible in a way that’s easy to use and understand by all. It’s completely portable, works offline and provides analysis functions such as graphical timelines, offline geolocation and file comparison.

Not only does it try to read the metadata, but it also tries to infer other information as well. Even if some of the metadata has been removed, there are still elements which, when put together, will help identify things like the device used to create the photo. Furthermore, the Metadata Interrogator was built with counter-fraud and law enforcement specifically in mind so helps highlight suspicious or anomalous metadata such as fields relating to image editing software.

Whilst there are many tools available that extract metadata, I wasn’t able to find something that did exactly what I needed. For instance, many have geolocation to translate metadata coordinates into place names, but they all connect to the internet – which is no good from a security point of view. Mostly though, I just wanted something with a good GUI which would try and extract metadata from anything I threw at it.

What feedback have you had so far, and what's new in the latest updates?

I’ve had some really good feedback so far! It’s been great to know that people have found it useful. I’m really keen to get it out there, and for practitioners to give me feedback or suggestions for what they’d like to see.

The newest update has a new graphical timeline (see below) and a lot of improvements to the file comparison and data set analysis functionalities.

I’m currently in the process of gathering as many files as possible with metadata so that I can create signatures for what ‘normal’ metadata looks like from that device, which will hopefully highlight tampering on files even if it has been minor. I’ll also shortly be releasing Linux and Mac versions!

You also run a digital document analysis training course – what does that entail, and what can students expect to learn from it?

I created the Digital Document Forensics online course to give a really practical approach to digital document forensics (DDF) using tried and tested methodologies that can be used immediately in investigations. I wanted to create something that would be practically useful for ‘front-line’ investigators who are operating now, rather than just something which is a theoretical ‘nice to know’. That said, I’ve made sure that I don’t gloss over any of the needed technical or theoretical parts – no one likes receiving intel from someone who doesn’t know how they got it!

Students can expect to learn how to analyse a wide variety of files/documents (especially Images, PDFs and Microsoft files) with the goal of uncovering any information which may help push on an investigation. They’ll also be trained in email header analysis, hashing/evidencing and writing a professional report of their findings.

It was designed for those working in counter fraud, investigations and customer/user verification, and doesn’t assume the student has any pre-existing knowledge. You get a nice certificate too!

If you’re interested, you can find the course here.

In your opinion, what's the "next big thing" in digital forensics?

I’d say the next big thing (although it is already upon us) is the so called ‘deepfakes’ – faked photos and videos which have been heavily edited but look pretty much indistinguishable from the real thing. This was once the preserve of very dedicated individuals and security services, but the technology around this has become something that can be used by anyone with a decent computer.

I think the impact of this has been understated at the moment – let’s take the ever present paparazzi (as a small software creator I’m constantly being hounded by them) – what good would their photos be if you could easily create an absolutely believable picture of celebrity X doing heinous act Y?

It’ll be like when Daniel Radcliffe (the Harry Potter actor) always wore the same clothes – eventually the paparazzi couldn’t earn anything by taking pictures of him as the pictures could have been taken at any time and showed nothing new.

Obviously this effect will spread to hard news and similar, and we’ll need to think of new ways to digitally sign and verify media.

When you're not working, what do you enjoy doing in your spare time?

In the three and a half minutes a day I’m not working or sleeping, I obsess over making a perfect espresso and enjoy watching my favourite teams lose at ice hockey.

Any final comments?

Thank you for the chance to ramble on! I really do hope people find the Metadata Interrogator useful, and I’d love any and all comments and suggestions.

Lastly, I’d like to put out a bit of a request – I’ve put the metadata interrogator out under the restriction of ‘free for personal use’. I’m happy for lone investigators, hobbyists and similar to use it to their hearts content. All I’d ask is that if you work for a big company and do find it useful (feel free to give it a try first!) then please get in touch before using it on a commercial scale.

You can find out more about Metadata Interrogator and download a copy here.

Leave a Comment

Latest Videos

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 7 hours ago

In this episode of the Forensic Focus podcast, Si and Desi explore the cutting-edge technology of deepfake videos and image manipulation. In addition to discussing the latest technological developments and efforts being made to detect manipulated media, they also examine the associated legal and ethical implications.

Show notes:

Boris Johnson image - https://www.theguardian.com/politics/2023/jan/10/spot-the-difference-boris-johnson-appears-scrubbed-from-photo-posted-by-grant-shapps

Deep Fake Neighbour Wars - https://m.imdb.com/title/tt21371376/

Stalin image - https://www.history.com/news/josef-stalin-great-purge-photo-retouching

Nvidia eye contact AI - https://www.polygon.com/23571376/nvidia-broadcast-eye-contact-ai and https://www.youtube.com/watch?v=xl87WTDrReo

Birthday problem - https://en.wikipedia.org/wiki/Birthday_problem

Same frightening woman in AI images - https://petapixel.com/2022/09/09/the-same-frightening-woman-keeps-appearing-in-ai-generated-images/

Inherent mysogeny of AI portraits - https://www.theguardian.com/us-news/2022/dec/09/lensa-ai-portraits-misogyny

Midjourney - https://www.midjourney.org/

Deepfake porn legality - https://www.theverge.com/2022/11/25/23477548/uk-deepfake-porn-illegal-offence-online-safety-bill-proposal and https://www.technologyreview.com/2021/02/12/1018222/deepfake-revenge-porn-coming-ban/

AIATSIS - https://aiatsis.gov.au/cultural-sensitivity

Fake tiger porn story - https://www.dailydot.com/unclick/tiger-porn-britain-law/

Group photo with no blinking - https://www.countrylife.co.uk/comment-opinion/curious-questions-group-photo-179102

Emma Watson deefake audio - https://www.thetimes.co.uk/article/ai-4chan-emma-watson-mein-kampf-elevenlabs-9wghsmt9c

Domestika - https://www.domestika.org/en/courses/981-introduction-to-interviewing-the-art-of-conversation

Investigative Interviewing - https://www.amazon.co.uk/dp/0199681899?ref=ppx_pop_mob_ap_share

Forensic Focus events calendar - https://www.forensicfocus.com/events/

Si Twitter - https://twitter.com/si_biles

In this episode of the Forensic Focus podcast, Si and Desi explore the cutting-edge technology of deepfake videos and image manipulation. In addition to discussing the latest technological developments and efforts being made to detect manipulated media, they also examine the associated legal and ethical implications.

Show notes:

Boris Johnson image - https://www.theguardian.com/politics/2023/jan/10/spot-the-difference-boris-johnson-appears-scrubbed-from-photo-posted-by-grant-shapps

Deep Fake Neighbour Wars - https://m.imdb.com/title/tt21371376/

Stalin image - https://www.history.com/news/josef-stalin-great-purge-photo-retouching

Nvidia eye contact AI - https://www.polygon.com/23571376/nvidia-broadcast-eye-contact-ai and https://www.youtube.com/watch?v=xl87WTDrReo

Birthday problem - https://en.wikipedia.org/wiki/Birthday_problem

Same frightening woman in AI images - https://petapixel.com/2022/09/09/the-same-frightening-woman-keeps-appearing-in-ai-generated-images/

Inherent mysogeny of AI portraits - https://www.theguardian.com/us-news/2022/dec/09/lensa-ai-portraits-misogyny

Midjourney - https://www.midjourney.org/

Deepfake porn legality - https://www.theverge.com/2022/11/25/23477548/uk-deepfake-porn-illegal-offence-online-safety-bill-proposal and https://www.technologyreview.com/2021/02/12/1018222/deepfake-revenge-porn-coming-ban/

AIATSIS - https://aiatsis.gov.au/cultural-sensitivity

Fake tiger porn story - https://www.dailydot.com/unclick/tiger-porn-britain-law/

Group photo with no blinking - https://www.countrylife.co.uk/comment-opinion/curious-questions-group-photo-179102

Emma Watson deefake audio - https://www.thetimes.co.uk/article/ai-4chan-emma-watson-mein-kampf-elevenlabs-9wghsmt9c

Domestika - https://www.domestika.org/en/courses/981-introduction-to-interviewing-the-art-of-conversation

Investigative Interviewing - https://www.amazon.co.uk/dp/0199681899?ref=ppx_pop_mob_ap_share

Forensic Focus events calendar - https://www.forensicfocus.com/events/

Si Twitter - https://twitter.com/si_biles

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_i41eg24YGZg

Deepfake Videos And Altered Images - A Challenge For Digital Forensics?

Forensic Focus 13th February 2023 10:30 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...