SPLOIT: How to Strip Off MetaData in Images Using Python

How to Strip Off MetaData in Images Using Python

SPLOIT: How to Strip Off MetaData in Images Using Python

NOTICE: Ciuffy will be answering questions related to my articles on my behalf as I am very busy. Hope You Have Fun !!!

Hello Guys,

Welcome to my tutorial and in this tutorial, We are going to talk as well as know of the possible dangers of metadata in our day to day images.

Today's article or post is going to base on images and their metadata's.
Let's Begin !!!

INTRODUCTION TO METADATA

Metadata (metacontent) is defined as the data providing information about one or more aspects of the data, such as:

  1. Means of creation of the data
  2. Purpose of the data
  3. Time and date of creation
  4. Creator or author of the data
  5. Location on a computer network where the data was created
  6. Standards used

Metadata consists of information that characterizes data (e.g. Word documents, pictures, music files, etc). In essence, metadata answers who, what, when, where, why, and how about every facet of the data that is being characterized.

For example, a digital image may include metadata that describe how large the picture is, the color depth, the image resolution, when the image was created, and other data. A text document's metadata may contain information about how long the document is, who the author is, when the document was written, and a short summary of the document.

Metadata is data. As such, metadata can be stored and managed in a database, often called a metadata registry or metadata repository. However, without context and a point of reference, it might be impossible to identify metadata just by looking at them. For example: by itself, a database containing several numbers, all 13 digits long could be the results of calculations or a list of numbers to plug into an equation - without any other context, the numbers themselves can be perceived as the data. But if given the context that this database is a log of a book collection, those 13-digit numbers may now be identified as ISBNs - information that refers to the book, but is not itself the information within the book.

The term "metadata" was coined in 1968 by Philip Bagley, in his book "Extension of programming language concepts" where it is clear that he uses the term in the ISO 11179 "traditional" sense, which is "structural metadata" i.e. "data about the containers of data"; rather than the alternate sense "content about individual instances of data content" or metacontent, the type of data usually found in library catalogues. Since then the fields of information management, information science, information technology, librarianship, and GIS have widely adopted the term. In these fields the word metadata is defined as "data about data". While this is the generally accepted definition, various disciplines have adopted their own more specific explanation and uses of the term.

( Source: WikiPedia)

WHY METADATA CAN BE A RISK FOR YOUR PRIVACY?

Metadata within a file can tell a lot about you. Cameras record data about when and where a picture was taken and what camera was used. Office documents like pdf or Office automatically add author and company information to documents and spreadsheets. Maybe you don't want to disclose this information on the web.

( Source: Mat)

THE STORY BEHIND THE WRITING OF THIS POST

This actually happened last week and it was quite funny. My friend, Danny ( 18 years ), had a fight with his parents and left home in the middle of the night. The parents were worried the following morning and came to my neighborhood to check if Danny had spent the night with us. I was asked and replied: "No". Ofcourse, they didn't believe me because they thought Danny was my friend and I was trying to cover up for him. After several hours of asking, Danny's parents decided to report to the police.

I personally was worried for Danny since I knew he was careless and sometimes very stupid. I went to my computer, browsed Danny's online social media ( Facebook and Twitter ). Lolx, He had uploaded many selfies just during the morning . I had a chat with him and tried to convince him to come back home. He replied me saying: He wanted to live his own life, He was grown now and needed private space ... ( Yeah, Our youthful demands ). After hours of chat, Danny didn't want to come home. I told him: "Then I will have to come get you" .... He was like: "Please, You can't even hack a Television let to talk of hacking Facebook to know my location" ...

( Who was talking of hacking Facebook here )

Danny just didn't know what I meant by that. I know some programming languages and hacking tips for such people. It was going to take some time for Danny to fall into my bait ( Social Engineering Stuff). I was in deep thoughts when i received a facebook notification that Danny had uploaded a photo. I checked and other another selfie photo. ( Very cool of him ). I asked Danny's mum what phone he used.

Ladies and Gentlemen: IPhone 6 S

I know Danny is the 24 / 7 social media guy and didn't even know what a command prompt is. I downloaded his selfies and scraped them of metadata. I found a lot including his location, Modern phones ( default ) usually embed geographical data along others in photos and that if not in correct use can cause a great harm to owners. Let's view Danny's geo location coordinates using our kali machine ( exiftool )

Exiftool

We know the model name as IPhone 6 which tells us Danny used his phone. Let's scroll to the GPS data

These gps tags and coordinates are nonesense to me since am not the geography student or guy. SO, Let's view the coordinates with an online gps data viewer.

From: verexif.com

From: regex.info

( I told you Danny was stupid ) ... I informed his parents about his location which was later sent to the Police.

( FBI @ Danny's Ghetto )

Danny was home the following day and everyone was happy. His parents gave me an IPhone 6 S as a token of their appreciation. Danny on the other hand is still upset with me though for doing what I did but am sure he will get around and realize how much he is been loved.

STRIPPING METADATA FROM IMAGES IN PYTHON

Our python script is going to be less than 25 lines ( No External Library ).
Let's begin !!!!

SCREENSHOT OF SCRIPT

Line 1: We import three modules from python which are Image, os, sys

Line 3: Ask user for image file path

Line 5: If statement, If the path specified in Line 3 is a file, then do this:

  1. Get the directory and file name from the path specified
  2. From Line 9 - Line 15 simply creates a new image without the metadata.
  3. Line 17 saves the new file in the directory in which the metadata image file was except this time, "Exif_Stripped_", has been appended to prevent original file overwrite.
  4. Line 19 prints a confirmation message with the path to the newly created image without metadata.
  5. Line 20 exits the script and returns Integer 0 to the caller which simply means successful ( We can create our own custom error codes ).

Line 21: Else Statement, If the file specified does not exist or its a directory then print "Image Path Does not Exist !!!!". Exits the script and returns Integer 1 to the caller which means "File Not Found" i.e in our program.

SCREENSHOT OF EXECUTION

The tags have been succesfully stripped and a new file has been created.

CONCLUSION

Hope we had fun and don't be like Danny. Always strip tags and information from your images before uploading, It helps to keep us safe and also prevent too much information disclosure. Thanks for your time and Hope to see you soon.

( Help Link: Article Reference )

Image via kwejk.pl

# Sergeant

19 Comments

I love extracting Exif data... it is amazing what you can find out. Thank you for sharing this so I didn't have to. :P

But seriously, well done, and I am continually impressed by your knowledge.

Cracker:

Thanks Cracker ... Really appreciate your feedback

# Sergeant

Sergeant

Pretty Cool Write Up....I Love It, Keep It Up.

Just wanna ask, in creating the script to strip of Metadata, is it okay to include the "shebang" to indicate the interpreter to use (as with other scripting posts I've read on here)....or it isn't necessary?

Phoenix

Phoenix:

Omitting shebangs does nothing to the program. The shebang line in any script determines the script's ability to be executed like an standalone executable without typing python beforehand in the terminal or when double clicking it in a file manager(when configured properly). It isn't necessary but generally put there so when someone sees the file opened in an editor, they immediately know what they're looking at. - StackOverflow

# Sergeant

Eye-opening, right to the point, and the points are a lot.

This manner of explaining is always impressive, as it provides a very strong demonstration and poses the bases for further reading and understanding, GG.

Time for me to indetify data in that sea of hex bytes...

Ciuffy:

Thanks Ciuffy ...

( Hope time will allow us to do all our heart desires )

# Sergeant

Luckily, I seldom post photos but for those that do and forget to strip the metadata, LOL.

Daddy:

They are screwed :) and you too ( I seldom post photos ) .. You still post but take precaution and strip information before posting. I don't want Daddy as someone's target.

# Sergeant

Wow man !
Excellent post !

In fact I got so excited I immediately downloaded 5 of my friends' pics from facebook who most probably haven't even heard about metadata and tried to extract metadata with 'Opanda Exif 2' but sadly, it showed nothing else other than some IPTC RMF tag.

Does facebook automatically strip off the metadata nowadays ? Or more likely, am I doing something wrongly ?

Facebook has been stripping exif data from pics for awhile now.

Cool ( I mean not cool for an attacker ) ... Never heard of that.

# Sergeant

What about Twitter, Google apps (YouTube), and other such social things?

These tech giants will be doing the same i guess :)

# Sergeant

Coool !!!!

A quick question: Can this be performed on windows too ?

Yup, i think so since the modules imported are python internal modules. Both Windows and Linux and i guess Mac and ...

# Sergeant

I have been following your tutorials on facebook and i have to say, they are awesome. A quick question: Where do you learn all this from stuff from? ....

Share Your Thoughts

  • Hot
  • Latest