How to Obtain Valuable Data from Images Using Exif Extractors

Jun 18, 2019 10:56 PM
Jun 18, 2019 11:06 PM
636964696003973121.jpg

Metadata contained in images and other files can give away a lot more information than the average user might think. By tricking a target into sending a photo containing GPS coordinates and additional information, a hacker can learn where a mark lives or works simply by extracting the Exif data hidden inside the image file.

For hackers or OSINT researchers gathering digital evidence, photos can be a rich source of data. Besides what's visible in the picture itself, metadata about when and where the photo was taken can also be recoverable. This data can include the device the photo was taken on, the geolocation of the image, and other unique characteristics that can fingerprint an image as haven been taken by the same person or device.

Metadata, or the data that describes files like images or videos, is useful during reconnaissance to investigators because it's often overlooked by otherwise careful targets. If people don't know what kind of data can be retained in a particular file format, they won't know if they're putting themselves at risk by making a specific file public. While many social media platforms have largely eliminated this problem by stripping out metadata from files, there are still many images online with this data left entirely intact.

Exif Data in Images

Exchangeable image file format data, or Exif data, is information that accompanies image files and offers many fields that can be populated or left blank. The information is used by programs to understand better what is contained inside the file to aid in sorting and other functions. Available data fields in Exif are often written to by the device that took the image at the time it was shot but can also be left by processing programs like Photoshop.

Because we can often identify the model of camera used, the settings used, and supplementary information like the owner of the software that made Photoshop changes, it's possible to identify images that came from the same source. The more Exif fields are filled out by the device that shot the image or software that processed it, the easier it is to track other files made by the same process.

The full list of fields that are supported by the Exif standard is quite extensive. Aside from manufacturer-specific information, fields like the owner's name and address can be populated by image processing software without the author knowing each image they produce contains this information.

What You'll Need

While an older Null Byte article on Exif data features a dated Windows-only tool that still works, we'll focus only on a program that's pre-installed on Kali Linux, as well as a few tools that'll work on any system right from a web browser.

Option 1: Use the Exif Command Line Tool

To start, we'll be using the "exif" tool that comes pre-installed in Kali Linux. This program is the command line front-end to "libexif," and it only works on JPG file types. To see the options available to us, we can run the exif --help command to list the included options.

If you receive an error, or if you're using another OS like Debian or Ubuntu, open a new terminal window and type apt install exif to install the program and any needed dependencies. Similarly, you can install this tool by typing brew install exif on a MacOS device. Then, try exif --help again.

You can use man exif to view even more information about the tool.

~$ exif --help

Usage: exif [OPTION...] file
  -v, --version                   Display software version
  -i, --ids                       Show IDs instead of tag names
  -t, --tag=tag                   Select tag
      --ifd=IFD                   Select IFD
  -l, --list-tags                 List all EXIF tags
  -|, --show-mnote                Show contents of tag MakerNote
      --remove                    Remove tag or ifd
  -s, --show-description          Show description of tag
  -e, --extract-thumbnail         Extract thumbnail
  -r, --remove-thumbnail          Remove thumbnail
  -n, --insert-thumbnail=FILE     Insert FILE as thumbnail
      --no-fixup                  Do not fix existing tags in files
  -o, --output=FILE               Write data to FILE
      --set-value=STRING          Value of tag
  -c, --create-exif               Create EXIF data if not existing
  -m, --machine-readable          Output in a machine-readable (tab delimited) format
  -w, --width=WIDTH               Width of output
  -x, --xml-output                Output in a XML format
  -d, --debug                     Show debugging messages

Help options:
  -?, --help                      Show this help message
      --usage                     Display brief usage message

While all of the options is a lot to process, the most straightforward application of this tool is to type exif and then the path to the file you want to inspect. Below, a photo that's been processed in Photoshop retains information about the software that modified it, the computer it was modified on, and the camera it was taken on. If you get a "corrupt data" error, there may be no metadata in the file or you're scanning a file that's not a JPG.

-$ exif /Users/skickar/Downloads/Vacaynev-28.jpg

EXIF tags in '/Users/skickar/Downloads/Vacaynev-28.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |Canon
Model               |Canon EOS 60D
X-Resolution        |300
Y-Resolution        |300
Resolution Unit     |Inch
Software            |Adobe Photoshop Lightroom 5.6 (Macintosh)
Date and Time       |2016:11:25 17:45:11
Compression         |JPEG compression
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Exposure Time       |1/100 sec.
F-Number            |f/4.0
Exposure Program    |Manual
ISO Speed Ratings   |640
Exif Version        |Exif Version 2.3
Date and Time (Origi|2016:11:25 02:56:54
Date and Time (Digit|2016:11:25 02:56:54
Shutter Speed       |6.64 EV (1/99 sec.)
Aperture            |4.00 EV (f/4.0)
Exposure Bias       |0.00 EV
Maximum Aperture Val|3.00 EV (f/2.8)
Metering Mode       |Pattern
Flash               |Flash did not fire, compulsory flash mode
Focal Length        |17.0 mm
Sub-second Time (Ori|00
Sub-second Time (Dig|00
Color Space         |sRGB
Focal Plane X-Resolu|5728.177
Focal Plane Y-Resolu|5808.403
Focal Plane Resoluti|Inch
Custom Rendered     |Normal process
Exposure Mode       |Manual exposure
White Balance       |Auto white balance
Scene Capture Type  |Standard
FlashPixVersion     |FlashPix Version 1.0
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (16091 bytes).

Information can also include geolocation data, as exact coordinates, which is supplied by the device that took the photo. If the photo was taken on a phone, there is a much higher chance that it includes geotags.

As it is in the output above, we've learned that the person who created this file is using a Canon EOS 60D camera, has a lens with a focal length of 17.0 mm, worked on the file in Lightroom, and uses a Mac computer. That's a lot from a simple image file!

Option 2: Use Jeffrey's Image Metadata Viewer Web App

If you're using a browser, there are two great free websites to extract Exif data. First, let's start with Jeffrey Friedl's Image Metadata Viewer over at exif.regex.info. The site does not use HTTPS, unfortunately. If you don't mind that, you can see the simple design is easy to use and supports a vast variety of formats, unlike the command line tool which only works with JPG files. So you can scan RAW images files like CR2 and DNG, PNG, and TIFF, to name a few.

Upload a file or add its public URL, check the CAPTCHA, and hit "View Image Data."

636964659467696183.jpg

Once you scan a file, you should see a decent amount of information if it came from a smartphone. In my example below, a photo that's over two years old contained a GPS location.

636896867241827060.jpg

The actual amount of data captured takes up several pages and is quite extensive.

EXIF

Make    samsung
Camera Model Name   SM-G920I
Software    G920IDVS3EPK1
Modify Date 2016:12:13 12:56:36
2 years, 3 months, 18 days, 15 hours, 41 minutes, 18 seconds ago
Y Cb Cr Positioning Centered
Exposure Time   1/24
F Number    1.90
Exposure Program    Program AE
ISO 200
Exif Version    0220
Date/Time Original  2016:12:13 12:56:36
2 years, 3 months, 18 days, 15 hours, 41 minutes, 18 seconds ago
Create Date 2016:12:13 12:56:36
2 years, 3 months, 18 days, 15 hours, 41 minutes, 18 seconds ago
Shutter Speed Value 1/24
Aperture Value  1.90
Brightness Value    0.27
Exposure Compensation   0
Max Aperture Value  1.9
Metering Mode   Spot
Flash   No Flash
Focal Length    4.3 mm
Image Size  5,312 × 2,988
Maker Note Unknown  (98 bytes binary data)
User Comment
Flashpix Version    0100
Color Space sRGB
Exposure Mode   Auto
White Balance   Auto
Focal Length In 35mm Format 28 mm
Scene Capture Type  Standard
Image Unique ID A16LLIC08SM A16LLIL02GM
GPS Version ID  2.2.0.0
GPS Latitude Ref    North
GPS Latitude    34.040833 degrees
GPS Longitude Ref   West
GPS Longitude   118.255000 degrees
GPS Altitude Ref    Below Sea Level
GPS Altitude    0 m
GPS Time Stamp  20:56:27
GPS Date Stamp  2016:12:13
2 years, 3 months, 19 days, 4 hours, 37 minutes, 54 seconds ago
Image Width 512
Image Height    288
Compression JPEG (old-style)
Orientation Rotate 90 CW
Resolution  72 pixels/inch
Thumbnail Length    11,484
Thumbnail Image (11,484 bytes binary data)
MakerNotes

Unknown 0x0001  0,100
Unknown 0x0002  73,728
Unknown 0x000c  0
Unknown 0x0010  undef
Unknown 0x0040  0
Unknown 0x0050  1
Unknown 0x0100  0
Samsung Trailer 0x0a01 Name Image_UTC_Data
Time Stamp  2016:12:13 12:56:36-08:00
2 years, 3 months, 18 days, 14 hours, 41 minutes, 18 seconds ago
File — basic information derived from the file.

File Type   JPEG
MIME Type   image/jpeg
Exif Byte Order Little-endian (Intel, II)
Encoding Process    Baseline DCT, Huffman coding
Bits Per Sample 8
Color Components    3
File Size   3.5 MB
File Type Extension jpg
Image Size  5,312 × 2,988
Y Cb Cr Sub Sampling    YCbCr4:2:2 (2 1)
Composite
This block of data is computed based upon other items. Some of it may be wildly incorrect, especially if the image has been resized.

GPS Latitude    34.040833 degrees N
GPS Longitude   118.255000 degrees W
GPS Altitude    0 m Above Sea Level
Aperture    1.90
GPS Date/Time   2016:12:13 20:56:27Z
2 years, 3 months, 18 days, 14 hours, 41 minutes, 27 seconds ago
GPS Position    34.040833 degrees N, 118.255000 degrees W
Megapixels  15.9
Shutter Speed   1/24
Light Value 5.4
Scale Factor To 35 mm Equivalent    6.5
Circle Of Confusion 0.005 mm
Field Of View   65.5 deg
Focal Length    4.3 mm (35 mm equivalent: 28.0 mm)
Hyperfocal Distance 2.11 m

Option 3: Use Ver Exif's Web App

Our second website, Ver Exif at verexif.com, spits out all of the Exif data after a scan, but it also comes with an option to strip metadata out of images. Removing the metadata is useful if you want to make sure an image you're sending doesn't contain data you didn't intend to send.

636896871029171041.jpg

To view Exif information, upload a file or add its public URL, then hit "View Exif." In my example, passing the same photo into this website, the output is much less, but it generates a handy map of where the photo was taken. The information is accurate, but not as big of a data dump as the Image Metadata Viewer web app.

636964671037852365.jpg

Interestingly, after I passed the test photo through the "Remove Exif" data option, I uploaded it to the first website to see if the metadata was truly removed. It turns out I can still tell it was taken on a Samsung device, so I don't recommend using this tool to strip metadata from your photos.

636896874053077661.jpg

Option 4: Use the EXIF Viewer Chrome Extension

In Google Chrome, you can install the EXIF Viewer extension, which will let you pull up the Exif data from any photo you load into the browser.

Using browser add-ons to extract Exif data is even simpler than using a web-based tool. After installing and enabling the plug-in, we can right-click any image in the browser and select "Show EXIF data" to reveal any information the image contains.

To test this out, I found a random image on a photo-sharing website and looked through the metadata provided by EXIF Viewer to find the type of camera that was used to take it.

636896882706983839.jpg

Option 5: Use the Exif Viewer Firefox Add-On

You could also install the Exif Viewer add-on for Firefox, developed by Alan Raskin, which allows similar functionality as the Chrome extension above. After installing and enabling the add-on, right-click on an image in your browser, then click on "Exif Viewer."

A pop-up window appears, where there's a slew of metadata to sort through. You can see the link to the image; in the GPS section you get links to open up the location on Google Maps, Bing Maps, and Mapquest; and all of the other helpful information in the Exif data.

636964689161133665.jpg

In general, browser extensions are a great way to tackle extracting Exif data, because you can also open photos in a browser window and use an extension to read the data inside.

Metadata Reveals the Story Behind a Photo

While a photo may yield valuable information, the real value may be in what's encoded in the metadata. Accessing this data is easier than ever, so it's essential to be aware of what information you may be giving away when you send a photo.

While many social media platforms and photo-hosting services do you the favor of stripping out this data, not all do. It's important to make sure you're not leaking this data if you don't intend to, and these tools can quickly help you identify any ways you might be leaking your location or other private data in photos you want to share online. Most importantly, make sure to disable geo-encoding on your phone if you don't want GPS coordinates burned into every image you take.

I hope you enjoyed this guide to extracting hidden metadata from image files! If you have any questions about this tutorial on image OSINT or you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.

Cover photo by Justin Meyers/Null Byte; Screenshots by Kody/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!