Day 7 of Windows Forensic Examinations: EXIF Data

Day 7 was the final lesson day where we learned about artifacts related to internet history, the thumb cache, and Microsoft OneDrive. We also covered EXIF data and how it can provide relevant information to a case.

Exchangeable Image File Format (EXIF) Data

EXIF data is a type of metadata: information that is captured and embedded in a file that was created using a digital camera or recording device. It references important information about the file that can include:

  • Make, model and serial number of the camera used
  • Owner of the camera
  • GPS information of where the media was captured
  • Date of capture
  • Last modified time

If EXIF data is generated for a file, it will be located within the file itself. JPEG files containing EXIF data will have a file signature of 0xFFD8 and the EXIF data will be prepended before the original file signature. Below is an example of a photo with EXIF data shown in HxD Hex Editor.

Viewing EXIF data in Windows 11 can be done simply by going to the Details tab in the Properties of a file containing EXIF data.

EXIF data can provide an examiner with a great deal of information. EXIF data can be altered, but only with specific technical knowledge that the average user would not usually have. As examiners it is our responsibility to be able to manually find EXIF data in order to validate any third-party tool used to parse it out.
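To make that manual validation concrete, here is an added example (not code from the original post) that does by hand what a third-party tool does for you: it starts at the 0xFFD8 SOI signature, walks the JPEG marker segments until it finds the APP1 segment (marker 0xFFE1) that carries the "Exif" payload, decodes the TIFF header inside it, and pulls out the ASCII tags an examiner cares about (Make, Model, DateTime, DateTimeOriginal, BodySerialNumber, CameraOwnerName). The tag ids come from the TIFF/Exif standard; the function names and the sample JPEG are my own, and the sample is a constructed byte string (a JPEG skeleton with an Exif APP1 segment and no image data), not a real photo. The offset it reports for the APP1 segment is the one you would cross-check in HxD.

```python
"""Hand-parse the Exif APP1 segment of a JPEG to validate tool output."""
import struct
from typing import Dict, Optional, Tuple

SOI = b"\xff\xd8"          # JPEG Start Of Image signature
ASCII = 2                  # TIFF field type: NUL-terminated ASCII
LONG = 4                   # TIFF field type: 32-bit unsigned
EXIF_IFD_POINTER = 0x8769  # IFD0 tag holding the offset of the Exif sub-IFD
TAG_NAMES = {              # standard TIFF/Exif tag ids -> names
    0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
    0x9003: "DateTimeOriginal", 0xA430: "CameraOwnerName", 0xA431: "BodySerialNumber",
}


def find_app1_exif(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Walk marker segments after SOI; return (segment offset, TIFF bytes) of the
    first APP1 segment whose payload starts with 'Exif\\0\\0', or None."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing 0xFFD8 SOI signature")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos:#x}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: no further metadata segments
            return None
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return pos, payload[6:]
        pos += 2 + length
    return None


def _read_ifd(tiff: bytes, end: str, offset: int, out: Dict[str, str], depth: int = 0) -> None:
    """Decode one IFD: record ASCII tags, follow the Exif sub-IFD pointer once."""
    if depth > 1 or offset + 2 > len(tiff):
        return
    (count,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", tiff[e:e + 8])
        raw = tiff[e + 8:e + 12]        # inline value if it fits in 4 bytes, else an offset
        if tag == EXIF_IFD_POINTER and typ == LONG:
            _read_ifd(tiff, end, struct.unpack(end + "I", raw)[0], out, depth + 1)
        elif typ == ASCII:
            val = raw[:n] if n <= 4 else tiff[struct.unpack(end + "I", raw)[0]:][:n]
            out[TAG_NAMES.get(tag, f"Tag{tag:#06x}")] = val.rstrip(b"\x00").decode("ascii", "replace")


def parse_exif(data: bytes) -> Dict[str, str]:
    """Return the ASCII Exif tags of a JPEG as a name -> value dict ({} if none)."""
    found = find_app1_exif(data)
    if found is None:
        return {}
    tiff = found[1]
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if end is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    tags: Dict[str, str] = {}
    _read_ifd(tiff, end, ifd0, tags)
    return tags


def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI + Exif APP1 (little-endian TIFF) + EOI, no image data."""
    end = "<"
    ifd0 = [(0x010F, b"ExampleCam\x00"), (0x0110, b"X-1\x00"), (0x0132, b"2024:01:15 10:30:00\x00")]
    exif = [(0x9003, b"2024:01:15 10:29:58\x00"), (0xA431, b"SN0001234\x00")]
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 12 * (len(ifd0) + 1) + 4   # +1 entry for the Exif pointer
    data_off = exif_off + 2 + 12 * len(exif) + 4          # long strings are stored here
    extra = b""

    def entry(tag: int, val: bytes) -> bytes:
        nonlocal extra
        if len(val) <= 4:
            return struct.pack(end + "HHI", tag, ASCII, len(val)) + val.ljust(4, b"\x00")
        off = data_off + len(extra)
        extra += val
        return struct.pack(end + "HHII", tag, ASCII, len(val), off)

    ifd0_bytes = struct.pack(end + "H", len(ifd0) + 1) + b"".join(entry(t, v) for t, v in ifd0)
    ifd0_bytes += struct.pack(end + "HHII", EXIF_IFD_POINTER, LONG, 1, exif_off) + struct.pack(end + "I", 0)
    exif_bytes = struct.pack(end + "H", len(exif)) + b"".join(entry(t, v) for t, v in exif) + struct.pack(end + "I", 0)
    tiff = b"II" + struct.pack(end + "HI", 42, ifd0_off) + ifd0_bytes + exif_bytes + extra
    app1_payload = b"Exif\x00\x00" + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("APP1 at offset", find_app1_exif(sample)[0])
    for name, value in parse_exif(sample).items():
        print(f"{name:18} {value}")
```

To validate a tool on real evidence, swap the sample for `open(path, "rb").read()` on a working copy and compare the offsets and values against what the tool reports; a mismatch in byte order handling or in offset-based string lookup is exactly the kind of parser bug this manual pass catches.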

As stated above, day 7 was our last lesson day. The next couple of days will consist of testing the knowledge we have learned so far. This means this will probably be the last post I do for the course. I may do one at the end for my overall thoughts about the course itself just to wrap everything up.
