Digital image forensics with Ghiro

Ghiro is an open source tool for image analysis and metadata extraction.  You can install it in a dedicated server or download the .ova appliance for Virtualbox or VMware. Either way you get a web interface to upload images and observe a deep overview of the embedded metadata, like EXIF, IPTC , XMP, GPS coordinates, etc.

The default web interface username is ghiro and the password ghiromanager they should be changed straight away, specially as the appliance can be remotely accessed with SSH if you uploaded it to a server.

You can use this tool to compare two images that look the same to the human eye and find out if one of them has been modified by comparing digital signatures, the hashes tab shows the image MD5, SHA1, CRC32, SHA256, and SHA512 hashes. The Error Level Analysis will let you know if the image was edited and MIME information shows extended data about the file you are dealing with, for example, if a jpeg or png.

Ghiro image forensics appliance

Ghiro image forensics appliance

You can extract metadata to find out what device was used to take the photo and if any GPS coordinates were automatically added, like many digital cameras do, in which case an embedded map in Ghiro shows you the exact location of where the picture was taken.

Other metadata that Ghiro can extract is photo resolution,  focal length and name of the software used to edit the photo if any. A case management tab lets you group images and assign users and permissions to cases.

This is a scalable professional image forensics tool of benefit for amateurs and professionals alike, it can  detect fake photos, and allows a team of people to work in complex cases with a multiple user dashboard, saving projects, searching for specific image hashes and displaying understandable reports.

Visit Ghiro homepage

Leave a Reply

Your email address will not be published. Required fields are marked *