Digital Forensics Fundamentals - Cyber Security 101 - Defensive Security - TryHackMe Walkthrough

Learn about digital forensics and related processes and experiment with a practical example.

IritT
21 min read · Oct 29, 2024

Room URL: https://tryhackme.com/r/room/digitalforensicsfundamentals

Task 1 Introduction to Digital Forensics

Forensics is the application of methods and procedures to investigate and solve crimes. The branch of forensics that investigates cyber crimes is known as digital forensics. Cyber crime is any criminal activity conducted on or using a digital device. Several tools and techniques are used to investigate digital devices thoroughly after any crime to find and analyze evidence for necessary legal action.

Digital devices have solved many of our problems. Communication all around the globe is just a matter of a text or call. Alongside the convenience they bring, however, the widespread use of digital devices has also brought an increase in digital crimes, known as cyber crimes. A wide variety of crimes are committed using digital devices.

Consider an example where law enforcement agencies raid a bank robber's place with proper search warrants. Several digital devices, including a laptop, a mobile phone, a hard drive, and a USB drive, were found in the robber's home. The law enforcement agency handed the case over to the digital forensics team. The team collected the evidence securely and conducted a thorough investigation inside their digital forensics lab, which is equipped with forensic tools. The following evidence was found on the digital devices:

  • A digital map of the bank was found on the suspect’s laptop, which they kept for planning the robbery.
  • A document with the bank’s entrance and escape routes was found on the suspect’s hard drive.
  • A document on the hard drive that listed all the bank’s physical security controls. The suspect devised plans to bypass the security measures.
  • Some media files, including photos and videos of the suspect’s previous robberies, were inside the suspect’s laptop.
  • After conducting a thorough investigation of the suspect’s mobile phone, some illegal chat groups and call records related to the bank robbery were also found.

All this evidence helped law enforcement in the legal proceedings of the case. This scenario follows a case from start to end. The digital forensics team follows defined procedures while collecting the evidence, storing it, analyzing it, and reporting on it. This room focuses on understanding these procedures. The following are the learning objectives of this room:

Learning Objectives

  • Phases of digital forensics
  • Types of digital forensics
  • Procedure of evidence acquisition
  • Windows forensics
  • Solving a forensics case

Answer the questions below

  1. Which team was handed the case by law enforcement?

Answer: digital forensics

Task 2 Digital Forensics Methodology

The digital forensics team handles various cases requiring different tools and techniques. However, the National Institute of Standards and Technology (NIST) defines a general process that applies to every case. NIST publishes frameworks for many areas of technology, including cyber security; its Special Publication 800-86 (Guide to Integrating Forensic Techniques into Incident Response) describes the digital forensics process in four phases.

  1. Collection: The first phase of digital forensics is data collection. Identifying all the devices from which data can be collected is essential. Usually, an investigator can find personal computers, laptops, digital cameras, USB drives, etc., at the crime scene. It is also necessary to ensure the original data is not tampered with while collecting the evidence and to maintain proper documentation listing the details of the collected items. We will discuss the evidence-acquisition procedures in the upcoming tasks.
  2. Examination: The collected data may overwhelm investigators due to its size. This data usually needs to be filtered, and the data of interest needs to be extracted. For example, as an investigator, you collected all the media files from a digital camera on the crime scene. You may only require some of the media as you are concerned with the media recorded on a specific date and time. So, in the examination phase, you would filter the media files of the required time and move them to the next phase. Similarly, you may only need the data of a specific user from a system containing numerous user accounts. The examination phase helps you filter this particular data for analysis.
  3. Analysis: This is a critical phase. The investigators now have to analyze the data by correlating it with multiple pieces of evidence to draw conclusions. The analysis depends upon the case scenario and available data. The analysis aims to extract the activities relevant to the case chronologically.
  4. Reporting: In the last phase of digital forensics, a detailed report is prepared. This report contains the investigation’s methodology and detailed findings from the collected evidence. It may also contain recommendations. This report is presented to law enforcement and executive management. It is important to include executive summaries as part of the report, considering the level of understanding of all the receiving parties.

As part of the collection phase, we saw that various pieces of evidence can be found at the crime scene. Analyzing these multiple categories of evidence requires various tools and techniques. There are different types of digital forensics, all with their own collection and analysis methodologies. Some of the most common types are listed below.

  • Computer forensics: The most common type of digital forensics is computer forensics, which concerns investigating computers, the devices most commonly used in crimes.
  • Mobile forensics: Mobile forensics involves investigating mobile devices and extracting evidence such as call records, text messages, GPS locations, and more.
  • Network forensics: This area of forensics covers investigation beyond individual devices and includes the whole network. Most of the evidence found in networks consists of captured traffic and network traffic logs.
  • Database forensics: Much critical data is stored in dedicated databases. Database forensics investigates any intrusion into these databases that results in data modification or exfiltration.
  • Cloud forensics: Cloud forensics involves investigating data stored on cloud infrastructure. It is often tricky for investigators because they have limited access to and visibility into the provider's underlying infrastructure, so much of the evidence has to come from the provider's logs and APIs.
  • Email forensics: Email, the most common communication method between professionals, has become an important part of digital forensics. Emails are investigated to determine whether they are part of phishing or fraudulent campaigns.

Answer the questions below

2.1 Which phase of digital forensics is concerned with correlating the collected data to draw any conclusions from it?

Answer: Analysis

2.2 Which phase of digital forensics is concerned with extracting the data of interest from the collected evidence?

Answer: Examination

Task 3 Evidence Acquisition

Acquiring evidence is a critical job. The forensics team must collect all the evidence securely without tampering with the original data. Evidence acquisition methods for digital devices depend on the type of digital device. However, some general practices must be followed while the evidence is acquired. Let’s discuss some of the important ones.

Proper Authorization

The forensics team should obtain authorization from the relevant authorities before collecting any data. Evidence collected without prior approval may be deemed inadmissible in court. Forensic evidence contains private and sensitive data of an organization or individual. Proper authorization before collecting this data is essential for investigating according to the limits of the law.

Chain of Custody

Imagine that a team of investigators collects all the evidence from the crime scene, and after a few days some of the evidence goes missing or is found to have been altered. No individual can be held accountable in this scenario because there is no proper process for documenting who held the evidence and when. This problem is solved by maintaining a chain of custody document. A chain of custody is a formal document containing all the details of the evidence. Some of the key details are listed below:

  • Description of the evidence (name, type).
  • Name of individuals who collected the evidence.
  • Date and time of evidence collection.
  • Storage location of each piece of evidence.
  • Access times and a record of each individual who accessed the evidence.

This creates a proper trail of evidence and helps preserve it. The chain of custody document can be used to prove the integrity and reliability of the evidence admitted in court. A sample chain of custody form is provided as a download in the room.
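As an added example that is not part of the room or its sample form, the following Python script keeps such a log programmatically and ties every custody event to a SHA-256 hash of the evidence file. A hash recorded at collection and recomputed on each access is what lets the log prove integrity rather than merely assert it: if the hash changes, the log also shows after whose access it changed. The evidence file, the names and the locations in it are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so that multi-gigabyte disk images never need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEvent:
    action: str           # "collected" or "accessed"
    person: str           # who collected or accessed the item
    timestamp: str        # ISO 8601, UTC
    location: str         # where the item was stored or examined
    sha256: str           # hash of the item at the time of the event
    integrity_ok: bool    # True when the hash still matches the collection hash


@dataclass
class ChainOfCustody:
    evidence_name: str
    evidence_type: str
    path: Path
    events: list = field(default_factory=list)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def collect(self, person: str, location: str) -> CustodyEvent:
        """First entry: collector, time, storage location and the reference hash."""
        event = CustodyEvent("collected", person, self._now(), location,
                             sha256_of(self.path), True)
        self.events.append(event)
        return event

    def access(self, person: str, location: str) -> CustodyEvent:
        """Log every access and re-hash; a mismatch with the collection hash
        means the item changed while in custody, and the log shows after whom."""
        current = sha256_of(self.path)
        event = CustodyEvent("accessed", person, self._now(), location,
                             current, current == self.events[0].sha256)
        self.events.append(event)
        return event

    def verify(self) -> bool:
        return all(e.integrity_ok for e in self.events)

    def to_json(self) -> str:
        return json.dumps({"evidence": self.evidence_name, "type": self.evidence_type,
                           "events": [asdict(e) for e in self.events]}, indent=2)


def demo(workdir: Path) -> ChainOfCustody:
    """Constructed scenario: collect an image, read it once untouched, then
    alter it (what a missing write blocker can do) and read it again."""
    item = workdir / "suspect-usb.img"
    item.write_bytes(b"constructed evidence image contents\n")   # constructed sample data
    chain = ChainOfCustody("suspect-usb.img", "USB drive image", item)
    chain.collect("Investigator A", "Evidence locker 3")
    chain.access("Analyst B", "Forensics lab workstation 1")
    item.write_bytes(b"constructed evidence image contents, modified\n")
    chain.access("Analyst C", "Forensics lab workstation 2")
    return chain


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        chain = demo(Path(tmp))
        print(chain.to_json())
        print("integrity intact:", chain.verify())
```

In practice the hash recorded at collection is also written on the physical evidence form and on the image's own metadata (E01 images embed it), so the JSON log, the paper form and the image can all be checked against each other.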

Use of Write Blockers

Write blockers are an essential part of the digital forensics team's toolbox. Suppose you are collecting evidence from a suspect's hard drive and attach the hard drive directly to the forensic workstation. While the collection occurs, background tasks on the forensic workstation (indexing, antivirus scans, or simply the operating system mounting the volume) may write to the drive and alter file timestamps. This can cause hindrances during the analysis and ultimately produce incorrect results. Suppose the data was collected from the hard drive through a write blocker instead in the same scenario. This time, the suspect's hard drive would remain in its original state, because the write blocker sits between the drive and the workstation and blocks every write command. Hardware write blockers are preferred; software write blocking (for example, setting the block device read-only with blockdev --setro on Linux before mounting it read-only) is a fallback when no hardware blocker is available.

Answer the questions below

3.1 Which tool is used to ensure data integrity during the collection?

Answer: Write Blocker

Write Blocker: When investigators collect data from a device, they want to make sure they don't accidentally change anything on it. Imagine you're looking at a document on your computer, but every time you open it, the computer updates its last-accessed date to today. This could make it hard to see when the document was really last used.

A write blocker is a tool that stops any changes from happening when you connect the suspect’s device (like a hard drive) to the investigator’s computer. It “blocks” anything that might try to change or add to the data. This way, the evidence stays in its original state without being accidentally modified.

3.2 What is the name of the document that has all the details of the collected digital evidence?

Answer: Chain of Custody

Chain of Custody: This is a special document that keeps track of the evidence from the moment it’s collected until it’s used in court. It’s like a log or trail that shows who has handled the evidence, where it’s been stored, and when it was accessed.

Imagine if you passed a valuable item between several people; you’d want to write down who held it, when, and where, to prove it’s safe and hasn’t been tampered with. The chain of custody does this for digital evidence, so that everyone knows it’s authentic and trustworthy when presented in a legal case.

Task 4 Windows Forensics

The most common types of evidence collected from crime scenes are desktop computers and laptops, as most criminal activity involves a personal system. These devices run different operating systems. In this task, we will discuss the evidence acquisition and analysis of the Windows operating system, the operating system most commonly encountered in investigations.

As part of the data collection phase, forensic images of the Windows system are taken. A forensic image is a bit-by-bit copy of a data source, so it captures everything the source holds, including deleted files and unallocated space in the case of a disk, rather than just the operating system's own files. Two different categories of forensic images are taken from a Windows system.

  • Disk image: The disk image contains all the data present on the storage device of the system (HDD, SSD, etc.). This data is non-volatile, meaning that the disk data would survive even after a restart of the operating system. For example, all the files like media, documents, internet browsing history, and more.
  • Memory image: The memory image contains the data inside the operating system's RAM. This memory is volatile, meaning the data is lost after the system is powered off or restarted. To capture open files, running processes, current network connections, etc., the memory image should therefore be prioritized and taken first from the suspect's system; otherwise, any restart or shutdown would destroy all the volatile data. This is the order of volatility described in RFC 3227: capture the most short-lived data first. While carrying out digital forensics on a Windows operating system, both disk and memory images are very important to collect.

Let’s discuss some popular tools used for disk and memory image acquisition and analysis of the Windows operating system.

FTK Imager: FTK Imager is a widely used tool for taking disk images of Windows operating systems. It offers a user-friendly graphical interface for creating the image in various formats. This tool can also analyze the contents of a disk image. It can be used for both acquisition and analysis purposes.

Autopsy: Autopsy is a popular open-source digital forensics platform. An investigator can import an acquired disk image into this tool, and the tool will conduct an extensive analysis of the image. It offers various features during image analysis, including keyword search, deleted file recovery, file metadata, extension mismatch detection, and many more.

DumpIt: DumpIt offers the utility of taking a memory image from a Windows operating system. This tool creates memory images using a command-line interface and a few commands. The memory image can also be taken in different formats.

Volatility: Volatility is a powerful open-source tool for analyzing memory images. It offers some extremely useful plugins. Each artifact can be analyzed using a specific plugin. This tool supports various operating systems, including Windows, Linux, macOS, and Android.

Note: Various other tools are also used to acquire and analyze disk and memory images of the Windows operating system.

Answer the questions below

4. Which type of forensic image is taken to collect the volatile data from the operating system?

Answer: Memory Image

Volatile data is data that only exists temporarily in the system’s memory (RAM) and is lost if the system is turned off or restarted. A memory image captures all the data in the system’s RAM, including currently running processes, open files, and active network connections, which would otherwise disappear upon shutdown or restart. Therefore, to capture this type of data, a memory image is taken first to preserve the transient information before it is lost.

Task 5 Practical Example of Digital Forensics

Everything we do on our digital devices, from smartphones to computers, leaves traces. Let’s see how we can use this in the subsequent investigation.

Our cat, Gado, has been kidnapped. The kidnapper has sent us a document with their requests in MS Word Document format. We have converted the document to PDF format and extracted the image from the MS Word file for your convenience.

You can download the attached file below to your local machine for inspection.

However, for your convenience we have added the files to the AttackBox. To follow along, press the Start AttackBox button on top of the page. The AttackBox will open in split view. In case it is not showing up, you can press the Show Split View button on top of the page. Once started, open a new terminal and navigate to the /root/Rooms/introdigitalforensics directory as shown below. In the following terminal output, we changed to the directory containing the case files.

Terminal

root@tryhackme:~# cd /root/Rooms/introdigitalforensics

When you create a plain text file (TXT), the operating system saves some metadata about it, such as the creation date and the last modification date. When you use a more advanced editor such as MS Word, much more information is stored inside the file's own metadata, for example the author name and the application that produced it. There are various ways to read file metadata: you can open the file in its official viewer or editor, or use a suitable forensic tool. Note that exporting the file to another format, such as PDF, usually preserves most of the original document's metadata, depending on the PDF writer used.

Let’s see what we can learn from the PDF file. We can try to read the metadata using the program pdfinfo. Pdfinfo displays various metadata related to a PDF file, such as title, subject, author, creator, and creation date. (The AttackBox already has pdfinfo installed; however, if you are using Kali Linux and don’t have pdfinfo installed, you can install it using sudo apt install poppler-utils.) Consider the following example of using pdfinfo DOCUMENT.pdf:

Terminal

root@tryhackme:~# pdfinfo DOCUMENT.pdf 
Creator: Microsoft® Word for Office 365
Producer: Microsoft® Word for Office 365
CreationDate: Wed Oct 10 21:47:53 2018 EEST
ModDate: Wed Oct 10 21:47:53 2018 EEST
Tagged: yes
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 20
Encrypted: no
Page size: 595.32 x 841.92 pts (A4)
Page rot: 0
File size: 560362 bytes
Optimized: no
PDF version: 1.7

The PDF metadata shows that the document was created using MS Word for Office 365 on October 10, 2018. Bear in mind that such metadata is written by the producing application and can be edited or stripped with the same tools used to read it, so it is a lead to corroborate with other evidence rather than proof on its own.
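As an added example, not code from the room, the following Python script reads the same document information dictionary that pdfinfo reports, so you can see where fields such as Author, Creator and CreationDate actually live in the file. It assumes an uncompressed PDF whose trailer carries an /Info reference, the usual layout of a Word export; the sample PDF embedded in it is constructed for the demonstration, and its author is not the room's. PDFs that keep the dictionary inside a compressed object stream, or only as XMP metadata, need a full PDF library or pdfinfo itself.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample PDF (not the room's ransom-letter.pdf). The Creator string
# uses the PDF octal escape \256 for the registered sign, and the Producer is a
# UTF-16BE hex string; Word-produced files use both forms.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 3 0 R >> endobj
2 0 obj << /Title (Ransom note)
/Author (Constructed Author)
/Creator (Microsoft\\256 Word for Office 365)
/Producer <FEFF004D006900630072006F0073006F00660074>
/CreationDate (D:20181010214753+03'00')
/ModDate (D:20181010214753+03'00') >> endobj
trailer << /Root 1 0 R /Info 2 0 R >>
%%EOF
"""

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
_ENTRY = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
_OCTAL = re.compile(rb"\\([0-7]{1,3})")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                   r"([+\-Z])?(\d{2})?'?(\d{2})?")


def decode_text(raw: bytes) -> str:
    """Text strings are UTF-16BE when they start with a BOM; otherwise
    PDFDocEncoding, for which latin-1 is close enough for ASCII and \\256."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")


def decode_literal(body: bytes) -> str:
    """Resolve backslash escapes and \\ddd octal bytes inside a (...) string."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i:i + 1] != b"\\":
            out += body[i:i + 1]
            i += 1
            continue
        m = _OCTAL.match(body, i)
        if m:
            out.append(int(m.group(1), 8))
            i = m.end()
        else:
            nxt = body[i + 1:i + 2]
            out += _ESCAPES.get(nxt, nxt)   # \( \) \\ and unknown escapes yield the char itself
            i += 2
    return decode_text(bytes(out))


def parse_pdf_date(text: str) -> Optional[datetime]:
    """PDF dates look like D:20181010214753+03'00'; everything after the year is optional."""
    m = _DATE.match(text)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0),
                    int(mi or 0), int(s or 0), tzinfo=tz)


def info_dictionary(pdf: bytes) -> dict:
    """Follow the trailer's /Info reference to its object and decode every
    string-valued entry. Incrementally updated files append new trailers,
    so the last /Info reference in the file is the current one."""
    refs = _INFO_REF.findall(pdf)
    if not refs:
        return {}
    num, gen = refs[-1]
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf, re.DOTALL)
    if not obj:
        return {}
    info = {}
    for key, val in _ENTRY.findall(obj.group(1)):
        if val.startswith(b"("):
            info[key.decode()] = decode_literal(val[1:-1])
        else:
            hexdigits = re.sub(rb"\s", b"", val[1:-1]).decode("ascii")
            info[key.decode()] = decode_text(bytes.fromhex(hexdigits))
    for k in ("CreationDate", "ModDate"):
        if k in info:
            info[k] = parse_pdf_date(info[k])
    return info


if __name__ == "__main__":
    for key, value in info_dictionary(SAMPLE_PDF).items():
        print(f"{key + ':':15}{value}")
```

The date parser also explains the EEST in the pdfinfo output above: the file stores a UTC offset (here +03'00'), and pdfinfo converts it to the workstation's local time zone when printing, so the same document can show a different time zone name on a different analysis machine.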

Photo EXIF Data

EXIF stands for Exchangeable Image File Format; it is a standard for saving metadata to image files. Whenever you take a photo with your smartphone or with your digital camera, plenty of information gets embedded in the image. The following are examples of metadata that can be found in the original digital images:

  • Camera model / Smartphone model
  • Date and time of image capture
  • Photo settings such as focal length, aperture, shutter speed, and ISO settings

Because smartphones are equipped with a GPS sensor, finding GPS coordinates embedded in the image is highly probable, provided location tagging was enabled and the file is the original rather than a copy re-saved by a messaging app or social network, which typically strip this metadata. The GPS coordinates, i.e., latitude and longitude, would generally show the place where the photo was taken.

There are many online and offline tools to read the EXIF data from images. One command-line tool is exiftool. ExifTool is used to read and write metadata in various file types, such as JPEG images. The AttackBox already has exiftool installed; however, if you are using Kali Linux and don’t have exiftool installed, you can install it using sudo apt install libimage-exiftool-perl. In the following terminal window, we executed exiftool IMAGE.jpg to read all the EXIF data embedded in this image.

Terminal

root@tryhackme:~# exiftool IMAGE.jpg
[...]
GPS Position : 51 deg 31' 4.00" N, 0 deg 5' 48.30" W
[...]

If you take coordinates like these and search one of the online maps, you will learn more about the location. For example, searching Microsoft Bing Maps or Google Maps for 51 deg 30' 51.90" N, 0 deg 5' 38.73" W (the coordinates embedded in the case image) reveals the street where the photo was taken. Note that for the search to work, deg has to be replaced with ° and the extra white space removed. In other words, type 51°30'51.9"N 0°05'38.7"W in the map search bar.
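As an added example that is not code from the room, the following Python script does by hand what exiftool does for the GPS fields: it walks the JPEG segments to the APP1/Exif block, reads IFD0 and the GPS IFD from the TIFF structure inside it, and converts the degrees/minutes/seconds rationals into both decimal degrees and the 51°30'51.9"N 0°05'38.7"W form that the map search bars accept. It generalises slightly beyond the room by handling both byte orders. The JPEG it parses is constructed in the block (it is not the room's letter-image.jpg), and exiftool additionally reads XMP, IPTC and maker notes, which this does not.

```python
# Added example (not the room's code): read EXIF Make, Model and GPS tags
# from a JPEG by hand and convert the coordinates for a map search.
import struct

ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def build_sample_jpeg() -> bytes:
    """Constructed sample (not the room's letter-image.jpg): one APP1/Exif
    segment, little-endian, carrying Make, Model and a GPS IFD."""
    E, data = "<", bytearray()
    gps_off = 8 + 2 + 3 * 12 + 4            # IFD0 = count, 3 entries, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4     # GPS IFD = count, 4 entries, link

    def entry(tag, typ, count, value):
        # Values of <= 4 bytes sit inside the entry; longer ones go to the data area.
        if len(value) <= 4:
            return struct.pack(E + "HHI4s", tag, typ, count, value.ljust(4, b"\0"))
        off = data_off + len(data)
        data.extend(value)
        return struct.pack(E + "HHII", tag, typ, count, off)

    def rationals(dms):
        return b"".join(struct.pack(E + "II", n, d) for n, d in dms)

    ifd0 = struct.pack(E + "H", 3) + b"".join([
        entry(TAG_MAKE, ASCII, 6, b"Canon\0"),
        entry(TAG_MODEL, ASCII, 13, b"Canon EOS R6\0"),
        entry(TAG_GPS_IFD, LONG, 1, struct.pack(E + "I", gps_off)),
    ]) + struct.pack(E + "I", 0)
    gps = struct.pack(E + "H", 4) + b"".join([
        entry(GPS_LAT_REF, ASCII, 2, b"N\0"),
        entry(GPS_LAT, RATIONAL, 3, rationals([(51, 1), (30, 1), (5190, 100)])),
        entry(GPS_LON_REF, ASCII, 2, b"W\0"),
        entry(GPS_LON, RATIONAL, 3, rationals([(0, 1), (5, 1), (3873, 100)])),
    ]) + struct.pack(E + "I", 0)
    app1 = b"Exif\0\0" + struct.pack(E + "2sHI", b"II", 42, 8) + ifd0 + gps + bytes(data)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def exif_tiff(jpeg: bytes) -> bytes:
    """Return the TIFF block inside the APP1 'Exif' segment, scanning only
    the metadata segments that precede the scan data (SOS)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + seglen
    raise ValueError("no Exif APP1 segment")


def read_ifd(tiff: bytes, E: str, off: int) -> dict:
    """Decode one IFD into {tag: value} for the ASCII, LONG and RATIONAL
    types the Make/Model and GPS tags use; other types are left as raw bytes."""
    tags = {}
    for i in range(struct.unpack_from(E + "H", tiff, off)[0]):
        tag, typ, n, raw = struct.unpack_from(E + "HHI4s", tiff, off + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * n
        ptr = struct.unpack(E + "I", raw)[0]
        value = raw[:size] if size <= 4 else tiff[ptr:ptr + size]
        if typ == ASCII:
            tags[tag] = value.rstrip(b"\0").decode("ascii", "replace")
        elif typ == LONG:
            tags[tag] = struct.unpack(E + f"{n}I", value)
        elif typ == RATIONAL:
            ints = struct.unpack(E + f"{2 * n}I", value)
            tags[tag] = tuple(zip(ints[0::2], ints[1::2]))
        else:
            tags[tag] = value
    return tags


def dms_to_decimal(dms, ref: str) -> float:
    deg, minute, sec = (n / d for n, d in dms)
    value = deg + minute / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def parse_exif(jpeg: bytes) -> dict:
    tiff = exif_tiff(jpeg)
    E = "<" if tiff[:2] == b"II" else ">"   # II = little-endian, MM = big-endian
    ifd0 = read_ifd(tiff, E, struct.unpack_from(E + "I", tiff, 4)[0])
    gps = read_ifd(tiff, E, ifd0[TAG_GPS_IFD][0])
    return {"make": ifd0.get(TAG_MAKE), "model": ifd0.get(TAG_MODEL),
            "latitude": dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF]),
            "longitude": dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF])}


def maps_query(lat: float, lon: float) -> str:
    """Format as 51°30'51.9"N 0°05'38.7"W, which Google and Bing Maps accept."""
    def dms(v, pos, neg):
        ref, v = (pos if v >= 0 else neg), abs(v)
        d, m = int(v), int((v - int(v)) * 60)
        return f"{d}°{m:02d}'{(v - d - m / 60) * 3600:04.1f}\"{ref}"
    return f"{dms(lat, 'N', 'S')} {dms(lon, 'E', 'W')}"
```

Calling parse_exif(build_sample_jpeg()) returns the make, model and decimal coordinates, and maps_query on those coordinates yields the exact string the question hint asks you to type. Because exiftool can also write these tags, the same structure is what an adversary would edit to plant a false location, which is why a coordinate found in EXIF is a lead to be corroborated rather than a fact.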

Answer the questions below

5.1 Using pdfinfo, find out the author of the attached PDF file, ransom-letter.pdf.

Navigate to the directory containing the case files, list its contents to confirm the file name, then read the PDF's metadata and look for the Author field:

cd /root/Rooms/introdigitalforensics
ls
pdfinfo ransom-letter.pdf

Answer: Ann Gree Shepherd

5.2 Using exiftool or any similar tool, try to find where the kidnappers took the image they attached to their document. What is the name of the street?

Question hint: Remember to replace deg with ° and remove the space between the number and the ° symbol before searching. The GPS coordinates you get from exiftool should be written as 51°30'51.9"N 0°05'38.7"W.

List the files in the directory to identify the image (the case file is letter-image.jpg, as the File Name line in the output below confirms), then run exiftool on it:

ls
exiftool letter-image.jpg

Output

ExifTool Version Number : 10.80
File Name : letter-image.jpg
Directory : .
File Size : 124 kB
File Modification Date/Time : 2022:02:23 08:53:33+00:00
File Access Date/Time : 2024:10:29 11:25:54+00:00
File Inode Change Date/Time : 2022:03:04 12:15:19+00:00
File Permissions : rwxr-xr-x
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Little-endian (Intel, II)
Compression : JPEG (old-style)
Make : Canon
Camera Model Name : Canon EOS R6
Orientation : Horizontal (normal)
X Resolution : 300
Y Resolution : 300
Resolution Unit : inches
Software : GIMP 2.10.28
Modify Date : 2022:02:15 17:23:40
Exposure Time : 1/200
F Number : 2.8
Exposure Program : Manual
ISO : 640
Sensitivity Type : Recommended Exposure Index
Recommended Exposure Index : 640
Exif Version : 0231
Date/Time Original : 2022:02:25 13:37:33
Create Date : 2022:02:25 13:37:33
Offset Time : +01:00
Offset Time Original : +03:00
Offset Time Digitized : +03:00
Shutter Speed Value : 1/200
Aperture Value : 2.8
Exposure Compensation : 0
Max Aperture Value : 1.8
Metering Mode : Multi-segment
Flash : No Flash
Focal Length : 50.0 mm
User Comment : THM{238956}
Sub Sec Time Original : 42
Sub Sec Time Digitized : 42
Color Space : sRGB
Exif Image Width : 7900
Exif Image Height : 5267
Focal Plane X Resolution : 1520
Focal Plane Y Resolution : 1520
Focal Plane Resolution Unit : cm
Custom Rendered : Normal
Exposure Mode : Manual
White Balance : Auto
Scene Capture Type : Standard
Serial Number : 083021002010
Lens Info : 50mm f/?
Lens Model : EF50mm f/1.8 STM
Lens Serial Number : 000029720b
GPS Latitude Ref : North
GPS Longitude Ref : West
GPS Time Stamp : 13:37:33
Subfile Type : Reduced-resolution image
Photometric Interpretation : YCbCr
Samples Per Pixel : 3
Thumbnail Offset : 1214
Thumbnail Length : 4941
XMP Toolkit : XMP Core 4.4.0-Exiv2
Api : 2.0
Platform : Linux
Time Stamp : 1644938627130718
Approximate Focus Distance : 0.79
Distortion Correction Already Applied: True
Firmware : 1.2.0
Flash Compensation : 0
Image Number : 0
Lateral Chromatic Aberration Correction Already Applied: True
Lens : EF50mm f/1.8 STM
Vignette Correction Already Applied: True
Color Mode : RGB
ICC Profile Name : Adobe RGB (1998)
Creator Tool : GIMP 2.10
Metadata Date : 2021:12:02 13:32:48+01:00
Rating : 2
Document ID : adobe:docid:photoshop:de96cdf3-afbf-664d-9d4c-d5c1d0fdb4e1
Instance ID : xmp.iid:b80f5656-424a-4d4d-9cd0-5a36706d26d6
Original Document ID : D3825C53382EED70DB7435B0CCF756F5
Preserved File Name : 5L0A2971.CR3
Already Applied : True
Auto Lateral CA : 1
Blacks 2012 : 0
Blue Hue : 0
Blue Saturation : 0
Camera Profile : Adobe Standard
Camera Profile Digest : 441F68BD6BC3369B59256B103CE2CD5C
Clarity 2012 : 0
Color Grade Blending : 50
Color Grade Global Hue : 0
Color Grade Global Lum : 0
Color Grade Global Sat : 0
Color Grade Highlight Lum : 0
Color Grade Midtone Hue : 0
Color Grade Midtone Lum : 0
Color Grade Midtone Sat : 0
Color Grade Shadow Lum : 0
Color Noise Reduction : 25
Color Noise Reduction Detail : 50
Color Noise Reduction Smoothness: 50
Contrast 2012 : 0
Crop Angle : 0
Crop Bottom : 1
Crop Constrain To Warp : 0
Crop Left : 0
Crop Right : 1
Crop Top : 0
Defringe Green Amount : 0
Defringe Green Hue Hi : 60
Defringe Green Hue Lo : 40
Defringe Purple Amount : 0
Defringe Purple Hue Hi : 70
Defringe Purple Hue Lo : 30
Dehaze : 0
Exposure 2012 : -0.40
Grain Amount : 0
Green Hue : 0
Green Saturation : 0
Has Crop : False
Has Settings : True
Highlights 2012 : -32
Hue Adjustment Aqua : 0
Hue Adjustment Blue : 0
Hue Adjustment Green : 0
Hue Adjustment Magenta : 0
Hue Adjustment Orange : 0
Hue Adjustment Purple : 0
Hue Adjustment Red : 0
Hue Adjustment Yellow : 0
Lens Manual Distortion Amount : 0
Lens Profile Digest : B23331240701D3B28825B46A4802290C
Lens Profile Distortion Scale : 100
Lens Profile Enable : 1
Lens Profile Filename : Canon EOS-1Ds Mark III (Canon EF 50mm f1.8 STM) - RAW.lcp
Lens Profile Is Embedded : False
Lens Profile Name : Adobe (Canon EF 50mm f/1.8 STM)
Lens Profile Setup : LensDefaults
Lens Profile Vignetting Scale : 100
Luminance Adjustment Aqua : 0
Luminance Adjustment Blue : 0
Luminance Adjustment Green : 0
Luminance Adjustment Magenta : 0
Luminance Adjustment Orange : 0
Luminance Adjustment Purple : 0
Luminance Adjustment Red : 0
Luminance Adjustment Yellow : 0
Luminance Smoothing : 0
Override Look Vignette : False
Parametric Darks : 0
Parametric Highlight Split : 75
Parametric Highlights : 0
Parametric Lights : 0
Parametric Midtone Split : 50
Parametric Shadow Split : 25
Parametric Shadows : 0
Perspective Aspect : 0
Perspective Horizontal : 0
Perspective Rotate : 0.0
Perspective Scale : 100
Perspective Upright : 0
Perspective Vertical : 0
Perspective X : 0.00
Perspective Y : 0.00
Post Crop Vignette Amount : 0
Process Version : 11.0
Raw File Name : 5L0A2971.dng
Red Hue : 0
Red Saturation : 0
Saturation : 0
Saturation Adjustment Aqua : 0
Saturation Adjustment Blue : 0
Saturation Adjustment Green : 0
Saturation Adjustment Magenta : 0
Saturation Adjustment Orange : 0
Saturation Adjustment Purple : 0
Saturation Adjustment Red : 0
Saturation Adjustment Yellow : 0
Shadow Tint : 0
Shadows 2012 : 0
Sharpen Detail : 25
Sharpen Edge Masking : 60
Sharpen Radius : +1.0
Sharpness : 45
Split Toning Balance : 0
Split Toning Highlight Hue : 0
Split Toning Highlight Saturation: 0
Split Toning Shadow Hue : 0
Split Toning Shadow Saturation : 0
Color Temperature : 6650
Texture : 0
Tint : -7
Tone Curve Name 2012 : Linear
Tone Curve PV2012 : 0, 0, 255, 255
Tone Curve PV2012 Blue : 0, 0, 255, 255
Tone Curve PV2012 Green : 0, 0, 255, 255
Tone Curve PV2012 Red : 0, 0, 255, 255
Version : 14.0.1
Vibrance : 0
Vignette Amount : 0
Whites 2012 : 0
Format : image/jpeg
Document Ancestors : xmp.did:2ec1b1a6-ffae-0a44-90f9-3b6998456cdf, xmp.did:780a63d9-6024-e942-baf4-cae80b62a8c5
Derived From Document ID : xmp.did:c3f1ef49-6aa6-4441-8800-6afa19131d22
Derived From Instance ID : xmp.iid:fd37b6b6-4a37-d44a-89e0-3710c289a8db
Derived From Original Document ID: D3825C53382EED70DB7435B0CCF756F5
History Action : derived, saved, saved, saved, derived, saved, converted, saved, saved, converted, derived, saved, saved
History Parameters : converted from image/x-canon-cr3 to image/dng, saved to new location, converted from image/dng to image/vnd.adobe.photoshop, saved to new location, from image/vnd.adobe.photoshop to application/vnd.adobe.photoshop, from application/vnd.adobe.photoshop to image/jpeg, converted from application/vnd.adobe.photoshop to image/jpeg
History Changed : /, /metadata, /metadata, /, /, /, /, /
History Instance ID : xmp.iid:68afaab8-00f8-4a17-880d-04362acf7f59, xmp.iid:a415f140-19e3-dd4f-a523-2a91fd837241, xmp.iid:a732c1b4-c918-d649-91df-a08fd30a3b28, xmp.iid:c3f1ef49-6aa6-4441-8800-6afa19131d22, xmp.iid:e03136da-36b8-4a4f-a00f-4e953a46cb21, xmp.iid:fd37b6b6-4a37-d44a-89e0-3710c289a8db, xmp.iid:b0dfac61-4499-6b47-b061-c79f9c8868d9, xmp.iid:defc8f04-ab7b-4648-b9d4-1da9f1aa9bf9
History Software Agent : Adobe Photoshop Lightroom Classic 10.2 (Macintosh), Adobe Photoshop Camera Raw 14.0, Adobe Photoshop Camera Raw 14.0.1 (Windows), Adobe Photoshop Camera Raw 14.0.1 (Windows), Adobe Photoshop 22.4 (Windows), Adobe Photoshop 22.4 (Windows), Adobe Photoshop 22.4 (Windows), Gimp 2.10 (Linux)
History When : 2021:11:15 15:50:41+03:00, 2021:12:01 11:25:22+01:00, 2021:12:01 12:34:12+01:00, 2021:12:02 10:19:47+01:00, 2021:12:02 12:53:12+01:00, 2021:12:02 13:32:48+01:00, 2021:12:02 13:32:48+01:00, 2022:02:15 17:23:47+02:00
Look Amount : 1
Look Copyright : © 2018 Adobe Systems, Inc.
Look Group : lang="x-default" Profiles
Look Name : Adobe Color
Look Supports Amount : false
Look Supports Monochrome : false
Look Supports Output Referred : false
Look Uuid : B952C231111CD8E0ECCF14B86BAA7077
Look Parameters Camera Profile : Adobe Standard
Look Parameters Convert To Grayscale: False
Look Parameters Look Table : E1095149FDB39D7A057BAB208837E2E1
Look Parameters Process Version : 11.0
Look Parameters Tone Curve PV2012: 0, 0, 22, 16, 40, 35, 127, 127, 224, 230, 240, 246, 255, 255
Look Parameters Tone Curve PV2012 Blue: 0, 0, 255, 255
Look Parameters Tone Curve PV2012 Green: 0, 0, 255, 255
Look Parameters Tone Curve PV2012 Red: 0, 0, 255, 255
Look Parameters Version : 14.0.1
Profile CMM Type : Unknown (lcms)
Profile Version : 4.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2022:02:15 14:53:19
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Unknown (lcms)
Profile ID : 0
Profile Description : GIMP built-in sRGB
Profile Copyright : Public Domain
Media White Point : 0.9642 1 0.82491
Chromatic Adaptation : 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168
Red Matrix Column : 0.43604 0.22249 0.01392
Blue Matrix Column : 0.14305 0.06061 0.71393
Green Matrix Column : 0.38512 0.7169 0.09706
Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown (0)
Chromaticity Channel 1 : 0.64 0.33002
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.15001 0.06
Device Mfg Desc : GIMP
Device Model Desc : sRGB
Current IPTC Digest : b417d6571f8aba97a1e64afbdedafbdb
Coded Character Set : UTF8
Envelope Record Version : 4
Date Created : 2022:02:15
Digital Creation Date : 2021:11:05
Digital Creation Time : 14:06:13+03:00
Application Record Version : 4
Time Created : 17:23:40-17:23
Image Width : 1200
Image Height : 800
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Aperture : 2.8
Date/Time Created : 2022:02:15 17:23:40-17:23
Digital Creation Date/Time : 2021:11:05 14:06:13+03:00
GPS Latitude : 51 deg 30' 51.90" N
GPS Longitude : 0 deg 5' 38.73" W
GPS Position : 51 deg 30' 51.90" N, 0 deg 5' 38.73" W
Image Size : 1200x800
Megapixels : 0.960
Scale Factor To 35 mm Equivalent: 0.7
Shutter Speed : 1/200
Create Date : 2022:02:25 13:37:33.42+03:00
Date/Time Original : 2022:02:25 13:37:33.42+03:00
Modify Date : 2022:02:15 17:23:40+01:00
Thumbnail Image : (Binary data 4941 bytes, use -b option to extract)
Circle Of Confusion : 0.043 mm
Field Of View : 54.9 deg
Focal Length : 50.0 mm (35 mm equivalent: 34.6 mm)
Hyperfocal Distance : 20.58 m
Lens ID : Canon EF 50mm f/1.8 STM
Light Value : 7.9

Use the GPS coordinates 51°30'51.9"N 0°05'38.7"W in Google Maps or Bing Maps to identify the street name. The location is in the City of London, where Milk Street runs north from Cheapside.

Answer: Milk Street

5.3 What is the model name of the camera used to take this photo?

Question hint: To display only the lines with the word "Camera", you can use grep: exiftool PHOTO.jpg | grep Camera

Answer: Canon EOS R6
