Imago Forensics - Imago Is A Python Tool That Extract Digital Evidences From Images


Imago is a python tool that extract digital evidences from images recursively. This tool is useful throughout a digital forensic investigation. If y'all involve to extract digital evidences in addition to y'all convey a lot of images, through this tool y'all volition last able to compare them easily. Imago allows to extract the evidences into a CSV file or inwards a sqlite database. If inwards a JPEG exif are introduce GPS coordinates, Imago tin extract the longitude in addition to latitude in addition to it tin convert them to degrees in addition to to recall relevant information similar city, nation, nada code... Imago offers also the possibility to calculate Error Level Analysis, in addition to to notice nudity these functionalities are inwards BETA.

Setup

Setup via pip
  1. Install imago:
$ pip install imago
  1. Once installed, 1 novel binary should last available: :
$ imago 
And in addition to thus it should output the imago's banner

Requirements:
python 2.7 exifread 2.1.2 python-magic 0.4.15 argparse 1.4.0 pillow 5.2.0 nudepy 0.4 imagehash 4.0 geopy 1.16.0 

Usage
usage: imago.py [-h] -i INPUT [-x] [-g] [-e] [-n] [-d {md5,sha256,sha512,all}]                 [-p {ahash,phash,dhash,whash,all}] [-o OUTPUT] [-s]                 [-t {jpeg,tiff}]  optional arguments:   -h, --help            demonstrate this assistance message in addition to leave of absence   -i INPUT, --input INPUT                         Input directory path   -x, --exif            Extract exif metadata   -g, --gps             Extract, parse in addition to convert to coordinates, GPS exif                         metadata from images (if any)It industrial plant exclusively alongside JPEG.   -e, --ela             Extract, Error Level Analysis image,It industrial plant exclusively alongside                         JPEG. *BETA*   -n, --nude            Detect Nudity, It industrial plant exclusively alongside JPEG, *BETA*   -d {md5,sha256,sha512,all}, --digest {md5,sha256,sha512,all}                         Calculate perceptual picture hashing   -p {ahash,phash,dhash,whash,all}, --percentualhash {ahash,phash,dhash,whash,all}                         Calculate hash digest   -o OUTPUT, --output OUTPUT                         Output directory path   -s, --sqli            Keep SQLite file later the computation   -t {jpeg,tiff}, --type {jpeg,tiff}                         Select the image, this flag tin last JPEG or TIFF, if                         this declaration it is non provided, imago volition procedure                         all the picture types(i.e. JPEG, TIFF)   
The exclusively required declaration is -i which is the base of operations directory from which imago volition kickoff to search for picture file. You should also render at to the lowest degree 1 type of extraction (i.e. exif, data, gps, digest).

Example:
$ imago -i /home/solvent/cases/c23/DCIM/ -o /home/solvent/cases/c23/ -x -s -t jpeg -d all
Where:
  • -i path: is the base of operations directory, where imago volition search for file
  • -o path: the output directory where imago volition relieve the CSV file, alongside the extracted metadata
  • -x : imago volition extract EXIF metadata.
  • -s: the temporary SQLite database volition non last deleted later the processing.
  • -t jpeg: imago volition search exclusively for jpeg images.
  • -d all: imago volition calculate md5, sha256, sha512 for the jpeg images.

Features:
Functionality Status
Recursive directory navigation
file mtime (UTC)
file ctime (UTC)
file atime (UTC)
file size (bytes)
MIME type
Exif support
CSV export
Sqlite export
md5, sha256, sha512
Error Level Analysis ✔ BETA
Full GPS support
Nudity detection ✔ BETA
Perceptual Image Hashing
aHash
pHash
dHash
wHash