Combing Through Video Faster Using DFIR and OSINT Skills

Guest blog post by Jeff Lomas (@BleuBloodHound). Jeff is a detective and digital forensic examiner for a large metropolitan police department in Las Vegas, where he has worked for the past 11 years. Jeff executes search warrants on every imaginable digital device for other detectives and turns the data extracted from these devices into actionable intelligence for other investigators.

Introduction

Digital forensics or DFIR investigations have increased over the past 10 years, especially in the areas of smartphone and video forensics. Analysts and investigators have benefited from the amount of video evidence present on digital devices and the Internet, but the amount of data available is overwhelming. Digital forensic examiners have many technical skills that let them find ways to go through data quickly, and analysts involved with OSINT are skilled at developing digital intelligence from various sources. This walkthrough shows how examiners and OSINT analysts can learn from each other.

The Scenario

In this scenario, we have an analyst who requested data be extracted from a smartphone. The forensic examiner used Magnet Acquire and AXIOM to extract the data and process it for viewing by the analyst. The analyst believes their suspect viewed video online related to a crime and they want to collect these videos and quickly decide which ones they can develop intelligence from.

Magnet Acquire and AXIOM

Before we go further, I want to sincerely thank Magnet for giving me a trial license to use AXIOM! Magnet’s Acquire tool can be used to extract data from hard drives and smartphones and it’s free to anyone who asks for it. AXIOM on the other hand is a paid tool and well worth the money because it presents the data in such a way that examiners and analysts alike can both understand.

Back to the scenario. The image below is a snippet of how many artifacts Magnet’s analysis of the extracted data produced. You can see there are over 51,000 artifacts, but the reality is you will probably see closer to 500,000 artifacts on a device used on a daily basis! AXIOM allows us to quickly sort these results by typing in the upper right-hand search bar. In this case, I played the role of analyst and typed in “YouTube”, which showed me results from various sources, such as URLs found on the device containing the term “YouTube”.

From here, I can click on “Web Related”, go through the URLs, and further refine my search by searching for the string “youtube.com/watch?v=”, because this is how a normal YouTube video URL is formatted. Using AXIOM, I can now highlight the items I want and export them to an Excel or CSV file using AXIOM’s reporting function.

Now that I have my data in a spreadsheet format, it will look similar to this:

I only tagged a few items for export, but you can already see that we have a list of videos to search for.

Analyzing the Data Quickly

In the real world, this list is probably hundreds of lines long and consists of video from more than just YouTube. The next step is to preserve the videos as potential evidence, transcribe the video content, and use keyword searches to identify which videos give us the most relevant data.

Youtube-dl

Youtube-dl is a command line tool that has been around for a while and works on Mac, Windows, and Unix/Linux. You can download it here:

https://ytdl-org.github.io/youtube-dl/index.html

We are going to use youtube-dl to download videos and grab their respective subtitles. This requires the use of the immensely popular ffmpeg command line video tool. It can be downloaded here:

https://www.ffmpeg.org/

You’ll also need to download and install Python 2.7 or 3.7 if you don’t already have one of them installed. When installing, make sure you install these tools globally, so they can be run from any command prompt. There are many tutorials available on how to do this, and it will make your life easier.

This youtube-dl tutorial is unique in the fact that it focuses on how we can use the tool to grab video as evidence and search through the video. I have identified several commands that I find useful in a forensic/evidence gathering situation:

--id (use only the video ID in the file name)
--sleep-interval [SECONDS] (number of seconds to wait between downloads)
--min-sleep-interval [SECONDS]
--max-sleep-interval [SECONDS]
--write-auto-sub (YouTube only, grabs the automatically generated subtitles)
--write-sub (gets subtitles from other sites)
--all-subs (gets all subtitles)
--convert-subs FORMAT (supports srt, ass, vtt, lrc)
--batch-file [path to batch file] (you can create a txt file with the links in it)
--skip-download (does not download the video; you’ll see why further down)

Some of these descriptions are self-explanatory, but I’ll share some of my favorite scripts and what I would expect the tool to do.

youtube-dl --id --write-auto-sub --convert-subs srt [URL]

Every script will start with “youtube-dl” and every option will start with two dashes. This command says I want youtube-dl to download the video and name the file the same as the end of the URL. If you look back to our Excel file, you will see the first entry is https://m.youtube.com/watch?v=1xvR4A33LO8. The file name will be “1xvR4A33LO8”, so I can match the downloaded video later with the link. Otherwise, it would be named with the title the site gave the video. Next, I want to use the write-auto-sub feature youtube-dl uses specifically for YouTube, and then I want to convert the subtitles to “srt”, which is the most basic of all subtitle formats and the easiest to read.

So let’s go big and grab 100 videos from YouTube at once:

youtube-dl --id --write-auto-sub --convert-subs srt --min-sleep-interval 1 --max-sleep-interval 10 --batch-file [path to batch file]

You can see I just built on the first script, but added the min and max sleep intervals. This makes youtube-dl wait a random number of seconds (1-10 seconds in this case) between downloading videos so YouTube doesn’t flag us or present a dreaded captcha. The batch file we pointed it to is simply a text document created by copying and pasting our URLs into it, one per line. I like to put my batch file in the same folder I run youtube-dl from so the videos and subtitles will all end up in the same folder. In the case of a very large number of videos and a mediocre internet connection, consider adding the flag “--skip-download” so you download just the subtitles, search through them, and then decide which videos you would like to download for further analysis.

Break Out the Text Editor

You probably saw this coming. Use whatever text editor you’re comfortable with, but make sure the tool can search across files, recursively or at least within a single folder. I typically gather all of my srt files into one folder and then select the option “Find in Files…”. The result will look something like this using the Sublime Text editor:

Great! Now I can quickly identify which videos I want to further investigate based on my keyword searches!
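As an added example (not part of Jeff’s post), here is a small Python 3 script that automates the two manual steps above: it turns the exported URL list into the batch file for youtube-dl and then keyword-searches the .srt files youtube-dl writes, reporting the cue timestamp so a hit can be jumped to in the video. It uses only the standard library; the sample URLs and subtitle text are constructed stand-ins for the AXIOM export and a downloaded .srt file.

```python
"""Build a youtube-dl batch file from exported URLs and keyword-search .srt files."""
import re
from urllib.parse import urlparse, parse_qs

YOUTUBE_HOSTS = ("youtube.com", "www.youtube.com", "m.youtube.com")
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")  # YouTube IDs are 11 chars

def video_id(url):
    """Return the video ID of a youtube.com/watch?v= URL, or None otherwise.
    With --id, youtube-dl names files <ID>.<ext>, so the ID is the join key
    back to the AXIOM report."""
    parts = urlparse(url.strip())
    if parts.netloc not in YOUTUBE_HOSTS or parts.path != "/watch":
        return None
    vid = parse_qs(parts.query).get("v", [None])[0]
    return vid if vid and VIDEO_ID_RE.match(vid) else None

def build_batch(urls):
    """Deduplicate watch URLs by ID and return the lines for --batch-file."""
    seen, lines = set(), []
    for url in urls:
        vid = video_id(url)
        if vid and vid not in seen:
            seen.add(vid)
            lines.append("https://www.youtube.com/watch?v=" + vid)
    return lines

# One SRT cue: index line, timing line, one or more text lines, blank separator
CUE_RE = re.compile(r"(\d+)\n(\d\d:\d\d:\d\d,\d{3}) --> (\S+)\n(.*?)(?:\n\n|\Z)", re.S)

def search_srt(srt_text, keywords):
    """Return (start_time, text) for every cue containing any keyword
    (case-insensitive): the timestamp reference the .txt format lacks."""
    kws = [k.lower() for k in keywords]
    hits = []
    for _idx, start, _end, text in CUE_RE.findall(srt_text):
        flat = " ".join(text.split())  # join multi-line cue text
        if any(k in flat.lower() for k in kws):
            hits.append((start, flat))
    return hits

if __name__ == "__main__":
    # Constructed sample: two forms of the same video URL plus a non-video URL
    urls = ["https://m.youtube.com/watch?v=1xvR4A33LO8",
            "https://www.youtube.com/watch?v=1xvR4A33LO8&t=42s",
            "https://www.youtube.com/results?search_query=test"]
    with open("batch.txt", "w") as f:
        f.write("\n".join(build_batch(urls)) + "\n")
    srt = "1\n00:00:01,000 --> 00:00:03,000\nhello there\n\n2\n00:00:04,000 --> 00:00:06,500\nwe drove to\nthe warehouse\n\n"
    for start, text in search_srt(srt, ["warehouse"]):
        print(start, text)
```

Point `--batch-file batch.txt` at the file this writes, then run search_srt over each .srt in the download folder (for example with `glob.glob("*.srt")`) to get the same result as “Find in Files…” with timestamps attached.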

Downsub.com

Sometimes our tools don’t work, so it’s always good to have a back-up plan. Downsub.com is a website dedicated to providing subtitles for videos on popular sites like YouTube. Downsub is as easy as 1 (enter the video URL), 2 (press download), 3 (select which subtitle you want):

You’ll notice here you can select srt or txt. The txt file is much cleaner to read than the srt, but it does not give you a reference of what point in the video the subtitles come from. Downsub can also translate from English to a wide range of other languages in case you are not a native English speaker.

Translating Foreign Languages

You will inevitably run into videos that are in a language you aren’t familiar with. OSINT can help with this too! Whether you get the srt or txt files from youtube-dl or Downsub, you can open these files in the Chrome web browser, and Chrome will ask you if you want to translate. From here, you can translate and then save the files in English. Don’t try to use the Google Translate site for this task, as it has a character limit.

Last Resort for Subtitles

Let’s say you have videos that you can’t get subtitles for, they’re in a foreign language, and you don’t have the time or money for a professional transcriber. Google Docs has a feature called Voice Typing that types what you speak. In most cases, you will need a quiet room, a good external microphone for your computer, and a good audio source to accomplish this. Yes, there are other solutions out there, but they are fairly expensive.

That’s It!

To sum it up, we:

  • Filtered through a mobile forensic report for video evidence
  • Created an Excel/CSV file with relevant data
  • Used youtube-dl to download videos and subtitles (or downsub)
  • Searched the subtitles using keywords
  • Identified relevant videos to continue our assessment/investigation

We can use this method to quickly grab videos and search through them without spending hours watching them, thus enabling us to quickly pivot on this data and produce intelligence for our clients in a timely manner.