Many people are still unaware of EXIF data and the information it hands to anyone who cares to look. EXIF metadata is embedded in image files (and exiftool reads similar metadata from many other file types) and provides all sorts of details, from the file creation time and camera model to exact GPS coordinates. This is the kind of data that was extracted from an image uploaded by Vice Magazine and gave away John McAfee's location after he fled Belize. Backtrack Linux ships numerous tools for extracting EXIF data, including exiftool, which is written in Perl and easy to use. Below we describe exiftool, located in /pentest/misc/exiftool/ or /usr/bin, and provide examples to show how easy it is to use.
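To show what exiftool is actually pulling out of a photo, here is an added example (my own code, not part of the original post or of exiftool): a small Python parser that walks the JPEG marker segments, finds the Exif APP1 segment, follows the GPS sub-IFD pointer from IFD0 and converts the degrees/minutes/seconds rationals into decimal coordinates. The JPEG it parses is constructed inline (an Exif segment with made-up coordinates near Paris and no image data); all function names are my own.

```python
import struct

# TIFF/Exif field types we need: type id -> size of one element in bytes
_TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004   # GPS IFD tags


def _exif_tiff(jpeg):
    """Walk JPEG marker segments; return the TIFF blob inside the Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: no metadata segments follow
            break
        seglen, = struct.unpack_from(">H", jpeg, pos + 2)   # length field counts itself
        payload = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload[6:]
        pos += 2 + seglen
    return None


def _read_ifd(tiff, offset, order):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at offset."""
    count, = struct.unpack_from(order + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(order + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _value(tiff, order, entry):
    """Decode one IFD entry; values wider than 4 bytes live at the offset stored in the entry."""
    typ, n, raw = entry
    total = _TYPE_SIZE[typ] * n
    if total <= 4:
        data = raw[:total]
    else:
        off, = struct.unpack(order + "I", raw)
        data = tiff[off:off + total]
    if typ == 2:
        return data.rstrip(b"\0").decode("ascii")
    if typ == 3:
        return list(struct.unpack(order + "H" * n, data))
    if typ == 4:
        return list(struct.unpack(order + "I" * n, data))
    if typ == 5:
        parts = struct.unpack(order + "II" * n, data)
        return [parts[2 * i] / parts[2 * i + 1] for i in range(n)]
    return data


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS IFD."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    order = "<" if tiff[:2] == b"II" else ">"   # Intel or Motorola byte order
    magic, ifd0_off = struct.unpack_from(order + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, order)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, _value(tiff, order, ifd0[GPS_IFD_POINTER])[0], order)

    def to_decimal(coord_tag, ref_tag):
        deg, minutes, sec = _value(tiff, order, gps[coord_tag])
        dec = deg + minutes / 60 + sec / 3600
        return -dec if _value(tiff, order, gps[ref_tag]) in ("S", "W") else dec

    return to_decimal(LAT, LAT_REF), to_decimal(LON, LON_REF)


def build_sample_jpeg():
    """Constructed test input: SOI + one Exif APP1 segment + EOI, no image data.
    IFD0 holds only the GPS pointer; the GPS IFD holds made-up coordinates near Paris."""
    o = "<"
    gps_off = 8 + 18                         # header(8) + IFD0 (count + 1 entry + next ptr)
    data_off = gps_off + 2 + 4 * 12 + 4      # RATIONAL arrays stored right after the GPS IFD

    def dms(d, m, tenths_of_sec):            # three unsigned RATIONALs: d/1, m/1, tenths/10
        return struct.pack(o + "IIIIII", d, 1, m, 1, tenths_of_sec, 10)

    ifd0 = (struct.pack(o + "H", 1)
            + struct.pack(o + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
            + struct.pack(o + "I", 0))
    gps = (struct.pack(o + "H", 4)
           + struct.pack(o + "HHI", LAT_REF, 2, 2) + b"N\0\0\0"
           + struct.pack(o + "HHII", LAT, 5, 3, data_off)
           + struct.pack(o + "HHI", LON_REF, 2, 2) + b"E\0\0\0"
           + struct.pack(o + "HHII", LON, 5, 3, data_off + 24)
           + struct.pack(o + "I", 0))
    tiff = b"II" + struct.pack(o + "HI", 42, 8) + ifd0 + gps + dms(48, 51, 296) + dms(2, 17, 402)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print("GPS:", extract_gps(build_sample_jpeg()))
```

On a real photo the same two tags are what `exiftool -n -GPSLatitude -GPSLongitude photo.jpg` prints, and stripping them before publishing (`exiftool -gps:all= photo.jpg`) is the fix the McAfee story argues for.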
The pdfid script in Backtrack Linux is a PDF forensics tool that quickly gives you an overview of a PDF file's potential threats, and it also provides a way to disarm them. pdfid is written in Python and is located in /pentest/forensics/pdfid/. The current version of pdfid is 0.0.11, released April 28th, 2010. Below we describe the basic functionality of pdfid and explain some PDF terminology so that readers less familiar with the structure of a PDF file can get value from the pdfid.py script.
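As an added example of what the pdfid report is built from (my own code, not pdfid itself or anything from the original post), here is a minimal keyword counter in the same spirit: it resolves the `#xx` hex escapes attackers use to hide names such as `/J#61vaScript`, counts the structural and action keywords over the whole file, flags the dangerous ones, and disarms them by swapping the case of the keyword, which is the same trick pdfid uses so that the file still parses but readers no longer act on the keys. The PDF it scans is constructed inline; the function names are my own.

```python
import re

# Keywords in the pdfid report. The first five describe structure; the rest are the ones whose
# presence (above all /JS, /JavaScript, /OpenAction, /AA and /Launch) warrants a closer look.
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"/Page",
            b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
            b"/EmbeddedFile", b"/AcroForm"]
DISARM = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch"]


def normalize_names(data):
    """Resolve #xx hex escapes so an obfuscated /J#61vaScript is counted as /JavaScript.
    Applied to the whole file for simplicity, which is fine for counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _keyword_re(keyword):
    # Whole keyword only: '/Page' must not count '/Pages', 'obj' must not count 'endobj'.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(keyword) + rb"(?![A-Za-z0-9])")


def scan(data):
    """Return {keyword: count} for the file, the information a pdfid report shows."""
    data = normalize_names(data)
    return {kw: len(_keyword_re(kw).findall(data)) for kw in KEYWORDS}


def suspicious(counts):
    """Action keywords with a nonzero count: the reason to open the file in a proper PDF parser."""
    return [kw for kw in DISARM if counts.get(kw, 0)]


def disarm(data):
    """Swap the case of action keywords (/JavaScript -> /jAVAsCRIPT), as pdfid's disarm does.
    The object structure is untouched, so the file still opens, but the actions are not triggered."""
    data = normalize_names(data)
    for kw in DISARM:
        data = _keyword_re(kw).sub(lambda m: m.group(0).swapcase(), data)
    return data


# Constructed sample: a catalog with an /OpenAction, a page with an /AA entry, and a
# JavaScript action whose /S name is hex-obfuscated. Not a real malicious document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    report = scan(SAMPLE_PDF)
    for kw, n in report.items():
        print("%-14s %d" % (kw.decode(), n))
    print("suspicious:", [kw.decode() for kw in suspicious(report)])
    print("after disarm:", [kw.decode() for kw in suspicious(scan(disarm(SAMPLE_PDF)))])
```

Counts alone are not a verdict: a form-heavy PDF can legitimately carry /AcroForm and /JS, and the real pdfid also reports things this sketch skips, such as /ObjStm and /XFA; the point is that a nonzero /OpenAction plus /JavaScript in an unexpected attachment is enough reason to analyse it further before opening it.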
Xplico is an NFAT (Network Forensics Analysis Tool) designed either to capture traffic from live sessions or to accept uploaded PCAP (packet capture) files for analysis. The version shipped in Backtrack Linux 5 release 3 is 0.7, while the latest Xplico release is 1.0.1. I believe the later versions pull in some additional dependencies, so I will write an updated article once Backtrack 6 comes out and the latest Xplico can be installed easily.
We have had a couple of requests to write a post about readpst, which is in the default path of Backtrack 5 and also in the Backtrack menu under Forensics/Forensics Analysis Tools. readpst reads PST files, also known as Microsoft Outlook Personal Folders, and converts them to mbox, MH, or KMail format. Other switches output each email as a separate file, include attachments, change the contact format, recurse through subfolders, and so on. Basic functionality is explained below along with a couple of the output formats and the most useful switches.
bulk_extractor is one of those Backtrack tools that a single article cannot do justice to, but hopefully after reading the below you will see its benefits and understand the basic usage of this amazing tool. bulk_extractor reminds me of tools such as Power Grep for Windows that can be used during penetration tests to locate private data (email addresses, URLs, credit card numbers and the like) worth calling out in a deliverable. By no means will the below be a complete howto for bulk_extractor, but it will attempt to shed some light on its purpose and some easy ways it can be used.
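To make the "locate private data" idea concrete, here is an added example in the spirit of bulk_extractor (my own code, not bulk_extractor's scanners and not from the original post): it runs byte-level patterns over a raw buffer, so it works on a disk image or memory dump without parsing any filesystem, reports each hit with its byte offset the way bulk_extractor's feature files do, keeps credit card candidates only when they pass the Luhn check, and builds the per-value histogram that makes the output digestible. The sample buffer is constructed inline with the standard 4111... and 5500... test card numbers; all names are my own.

```python
import re
from collections import Counter

# Byte-level patterns run over raw data: no filesystem or file-format parsing required.
PATTERNS = {
    b"email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
    b"url":   re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9./?=&_%+\-]*)?"),
    # 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run
    b"ccn":   re.compile(rb"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])"),
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_features(data):
    """Return [(offset, feature_type, value)], sorted by offset, in the style of
    bulk_extractor's feature files. Card candidates that fail Luhn are dropped."""
    features = []
    for ftype, pat in PATTERNS.items():
        for m in pat.finditer(data):
            value = m.group(0)
            if ftype == b"ccn":
                value = re.sub(rb"[ -]", b"", value)
                if not luhn_ok(value.decode("ascii")):
                    continue
            features.append((m.start(), ftype, value))
    return sorted(features)


def histogram(features):
    """Per-type value counts, like bulk_extractor's *_histogram.txt files."""
    hist = {}
    for _, ftype, value in features:
        hist.setdefault(ftype, Counter())[value] += 1
    return hist


# Constructed sample: null-padded fragments such as you would see in unallocated space.
# 4111... and 5500... are well-known test numbers that pass Luhn; 1234567812345678 does not.
SAMPLE = (
    b"\x00\x00junk\x00contact: alice@example.test\x00\x00"
    b"<a href=\"https://intranet.example.test/hr/payroll.xlsx\">\x00"
    b"card: 4111 1111 1111 1111 exp 12/29\x00 order 1234567812345678 \x00"
    b"bcc: alice@example.test\x00 ref 5500 0000 0000 0004 \x00"
)

if __name__ == "__main__":
    feats = extract_features(SAMPLE)
    for offset, ftype, value in feats:          # offset<TAB>feature, as in a feature file
        print("%d\t%s\t%s" % (offset, ftype.decode(), value.decode()))
    for ftype, counts in histogram(feats).items():
        print(ftype.decode(), dict(counts))
```

The offsets are what make this useful in forensics: on a disk image they tell you where on the media the hit lives, so a card number found in unallocated space can be traced back even though no file references it any more. The real tool adds many more scanners (and handles compressed and UTF-16 data), but the feature-plus-histogram output is the shape of what you get.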