Imago: extract digital evidences from images
Imago is a python tool that extracts digital evidences from images recursively. This tool is useful throughout a digital forensic investigation. If you need to extract digital evidences and you have a lot of images, through this tool you will be able to compare them easily. Imago allows to extract the evidences into a CSV file or in a sqlite database. If in a JPEG exif are present GPS coordinates, Imago can extract the longitude and latitude and it can convert them to degrees and to retrieve relevant information like city, nation, zip code… It offers also the possibility to calculate Error Level Analysis, and to detect nudity these functionalities are in BETA.
Feature
| Functionality | Status |
|---|---|
| Recursive directory navigation | ✔️ |
| file mtime (UTC) | ✔️ |
| file ctime (UTC) | ✔️ |
| file atime (UTC) | ✔️ |
| file size (bytes) | ✔️ |
| MIME type | ✔️ |
| Exif support | ✔️ |
| CSV export | ✔️ |
| Sqlite export | ✔️ |
| md5, sha256, sha512 | ✔️ |
| Error Level Analysis | ✔️ BETA |
| Full GPS support | ✔️ |
| Nudity detection | ✔️ BETA |
| Perceptual Image Hashing | ✔️ |
| aHash | ✔️ |
| pHash | ✔️ |
| dHash | ✔️ |
| wHash | ✔️ |
Install
$ pip install imago
Use
Example
$ imago -i /home/solvent/cases/c23/DCIM/ -o /home/solvent/cases/c23/ -x -s -t jpeg -d all
Where:
- -i path: is the base directory, where imago will search for file
- -o path: the output directory where imago will save the CSV file, with the extracted metadata
- -x : imago will extract EXIF metadata.
- -s: the temporary SQLite database will not be deleted after the processing.
- -t jpeg: imago will search only for jpeg images.
- -d all: imago will calculate md5, sha256, sha512 for the jpeg images.
Copyright (c) 2018 redaelli
Source: https://github.com/redaelli/
