In this post, we explore how forensic investigators can use digital photographs and other types of multimedia files to obtain valuable information through metadata (or Exif data) extraction, using readily-available tools such as Exiftool.
WTF is Metadata?!
Put simply, metadata (or meta-information) is "data that provides information about other data", but not the content of the data itself. Metadata is often described as "data about data".
For instance, in the context of image files, we have the image itself (i.e., the composition of pixels that make up the image), such as the photo below.
But within this file, we have some additional information, such as the File Name, the image Resolution, the Date/Time the image was created, the File Type (Format), and so on.
This metadata is automatically written or "stamped" on creation of the file, and can often include identifying information, depending on the device it was created with. Exif data essentially acts as a digital footprint for image files.
OK, But How is Metadata Useful in Forensics?
"Metadata absolutely tells you everything about somebody's life, if you have enough metadata you don't really need content... It's sort of embarrassing how predictable we are as human beings."
In early 2012, CabinCr3w, a notorious hacking group at the time, gained access to computers belonging to Alabama Department of Public Safety, leaked a bunch of confidential data, erased it from their systems, and vandalised several of their websites.
Less than a month later, the Federal Bureau of Investigation arrested a 30-year-old Linux administrator in Texas, who was later charged with the attack.
The breakthrough? A photo of the perpetrator's online girlfriend, featuring a note which reads "PwNd by w0rmer & CabinCr3w, <3 u BiTch's". This was a trademark of sorts, intentionally left behind by the attacker.
However, hidden within that file were GPS co-ordinates, pointing to the exact location of where the photo was taken (an outer-suburb of Melbourne, Australia, for those wondering.) Police swiftly discovered the woman's identity, found her Facebook profile, and ultimately identified her fiancé, Higinio Ochoa, the individual behind the cyber attack.
tl;dr? Hackerman gets v& over a
In summary, Exif data can provide a wealth of information to forensic investigations, and the methods we'll be covering in this post are still frequently used today, by both public and private sectors.
Types of Metadata
Exif, IPTC, and XMP are the three most common formats of metadata you'll find in images, with Exif being the most common.
You may already be familiar with Exif, short for Exchangeable Image File Format. As the name suggests, Exif is a standard that specifies formats for images, sound, and ancillary tags. Exif stores the juicy stuff: camera settings, make, model and software version, date/time, location, etc.
IPTC has a lot less detail, and only stores info like date/time, creator, copyright and file description/keywords.
XMP is Adobe's format (now an open standard rather than a proprietary one). It stores all sorts of stuff (camera model, date/time, etc.) as well as editing history from software like Lightroom.
Exiftool - Installation & Basic Usage
Exiftool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information. The tool is entirely open-source and has readily-available binaries for Windows, Mac and Linux systems.
Users can download the tool from exiftool.org, which also includes an installation guide for most platforms. You can also use a package manager to install Exiftool, including Chocolatey, homebrew, and apt.
For those using Kali (or any other Debian-based distro), we can install Exiftool by simply running:
```
┌──(root㉿kali)-[~]
└─$ sudo apt install exiftool
```
Then we can verify the install by running `exiftool -ver`, which simply prints the installed version number.
Now the fun stuff - let's put Exiftool into action, and explore some of its basic usage. For the purpose of this guide, I'll be using this image, which contains a bunch of original data.
This section covers reading metadata, filtering tags, using wildcards, sorting tags alphabetically, and exporting data to different formats.
```
$ exiftool [OPTIONS] [-TAG...] [--TAG...] [FILE...]
```
We can start by extracting all metadata from the image file, by running
```
┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg
ExifTool Version Number         : 12.67
File Name                       : DSCN0042.jpg
Directory                       : .
File Size                       : 157 kB
File Modification Date/Time     : 2023:10:28 19:21:54-04:00
File Access Date/Time           : 2023:10:28 19:22:03-04:00
File Inode Change Date/Time     : 2023:10:28 19:22:03-04:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
Image Description               :
Make                            : NIKON
Camera Model Name               : COOLPIX P6000
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Nikon Transfer 1.1 W
Modify Date                     : 2008:11:01 21:15:11
# ... Rest of output
```
I won't include the full output here, there's a wealth of information to explore. But let's take a look at some tags that may be of interest.
Tags are the handles by which the information is accessed in Exiftool. If we look at the output above, we have the tag descriptions (`Make`, `Camera Model Name`, etc.) followed by their corresponding values. Note that what is printed is the human-readable description; the actual tag name has no spaces (`CameraModelName`, `CreateDate`), and it is the name, not the description, that you pass on the command line. Adding `-s` to any command prints tag names instead of descriptions, which is handy when you're not sure what to call a tag.
As you can see in the first few lines, we can find out the make and model of the camera that took the photograph, as well as the software version present at the time:
```
Make                            : NIKON
Camera Model Name               : COOLPIX P6000
Software                        : Nikon Transfer 1.1 W
```
We can find out the original date and time the photograph was created:
```
Date/Time Original              : 2008:10:22 17:00:07
Create Date                     : 2008:10:22 17:00:07
```
More importantly, the metadata also includes the original GPS co-ordinates:
```
GPS Date/Time                   : 2008:10:23 14:57:41.37Z
GPS Latitude                    : 43 deg 27' 52.04" N
GPS Longitude                   : 11 deg 52' 53.32" E
GPS Position                    : 43 deg 27' 52.04" N, 11 deg 52' 53.32" E
```
Pretty useful stuff, right? But let's dive deeper, and look at how we can quickly filter these tags.
Include / Exclude Specific Tags
To include or exclude tags, we use the `-TAG` / `--TAG` syntax from the synopsis above, specifying a particular tag name (e.g., `-GPSPosition`). Tag names are case-insensitive.
This is useful if you want to filter the output and grab a particular piece of information without searching through the entire dump.
Using a single hyphen (`-`) allows you to include a specific tag, as follows:
```
┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -GPSPosition
GPS Position                    : 43 deg 27' 52.04" N, 11 deg 52' 53.32" E

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -CreateDate
Create Date                     : 2008:10:22 17:00:07
```
Using double hyphens (`--`), we can instead exclude specific tags, like so:
```
┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg --FileName
ExifTool Version Number         : 12.67
Directory                       : .
File Size                       : 157 kB
File Modification Date/Time     : 2023:10:28 19:21:54-04:00
File Access Date/Time           : 2023:10:28 19:22:03-04:00
File Inode Change Date/Time     : 2023:10:28 19:22:03-04:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
# ... Rest of output
```
As shown above, the `File Name` tag is no longer present in the output. You can take this a step further by using wildcards, which we'll cover next.
For a comprehensive list of all possible tag names, use `exiftool -list` (or `exiftool -listw` for only the writable ones).
Exiftool supports wildcard filtering. Let's say you want to include all the tags whose names contain "GPS". This is entirely possible by using the `-*GPS*` parameter (`*` and `?` work much like shell wildcards, but match against tag names). Because the shell also treats `*` as a wildcard, it's safest to quote the argument (`'-*GPS*'`) so it reaches Exiftool untouched:
```
┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg '-*GPS*'
GPS Date/Time                   : 2008:10:23 14:57:41.37Z
GPS Latitude                    : 43 deg 27' 52.04" N
GPS Longitude                   : 11 deg 52' 53.32" E
GPS Position                    : 43 deg 27' 52.04" N, 11 deg 52' 53.32" E
```
Vice versa, we can also exclude tags by using something like `'--*File*'`, ignoring all tags whose names contain "File":
```
┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg '--*File*'
ExifTool Version Number         : 12.67
Directory                       : .
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
Image Description               :
Make                            : NIKON
Camera Model Name               : COOLPIX P6000
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Nikon Transfer 1.1 W
Modify Date                     : 2008:11:01 21:15:11
# ... Rest of output
```
In some cases, you may want to sort all tags alphabetically for better readability. Exiftool provides a `-sort` option, which we can use to do just that.
```
┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -sort
```
Exporting to JSON, CSV, HTML etc.
You may wish to export the data for use in a different application, like a text editor, a spreadsheet or a browser. Exiftool provides several output-format options, such as `-json` (or `-j`), `-csv`, `-h` (HTML), `-X` (XML), `-php` and `-t` (tab-delimited). All of them write to standard output, so redirect to a file to actually save the export (e.g. `exiftool -json DSCN0042.jpg > DSCN0042.json`):
```
# Export to JSON
┌──(root㉿kali)-[~]
└─$ exiftool -json DSCN0042.jpg

# Export to CSV
┌──(root㉿kali)-[~]
└─$ exiftool -csv DSCN0042.jpg

# Export to HTML
┌──(root㉿kali)-[~]
└─$ exiftool -h DSCN0042.jpg

# Export to XML
┌──(root㉿kali)-[~]
└─$ exiftool -X DSCN0042.jpg

# Export to PHP
┌──(root㉿kali)-[~]
└─$ exiftool -php DSCN0042.jpg

# Export to TSV
┌──(root㉿kali)-[~]
└─$ exiftool -t DSCN0042.jpg
```
Using Exiftool with Multiple Files
In many cases, you may be analysing an entire directory of files.
This could include several sub-directories, and hundreds or even thousands of photographs, and there's no way we're going to inspect them one-by-one.
To extract the data from all files in a directory, we simply pass the directory path instead of a file name. (Beware: `-Directory` is itself a tag name, so adding it to the command doesn't turn on directory processing, it restricts the output to that one tag.)
```
┌──(root㉿kali)-[~]
└─$ exiftool ~/Documents/Photographs
```
In addition, if we want to extract data recursively (search all sub-directories), we can add the `-r` option:
```
┌──(root㉿kali)-[~]
└─$ exiftool -r ~/Documents/Photographs
```
You can also skip certain sub-directories by name during the recursion by adding the `-i` (ignore) option:
```
┌──(root㉿kali)-[~]
└─$ exiftool -r -i thumbnails ~/Documents/Photographs
```
Filtering Files by Extension
Let's say you have a bunch of different files, and you only want Exiftool to look at images with the `.jpg` extension. This can be done with the `-ext` parameter, by specifying an extension. It only applies when Exiftool is walking a directory; files named explicitly on the command line are always processed, and the match is on the file name's extension, not on the file's actual contents.
If you remember, we can include and exclude specific tags using `-` and `--` respectively. The same applies here.
Let's say we want to include all `jpg` files. We can use `-ext` to specify the extension (notice the single hyphen):
```
┌──(root㉿kali)-[~]
└─$ exiftool -r -ext jpg ~/Documents/Photographs
```
To exclude a particular extension, we can use `--ext`:
```
┌──(root㉿kali)-[~]
└─$ exiftool -r --ext png ~/Documents/Photographs
```
Putting all of this together, we can easily grab all of the GPS data for each image in a directory of hundreds of files, and write that data to a `.json` file for further analysis. Quote the wildcard so the shell leaves it alone, and redirect the output, since `-json` prints to standard output. Add `-n` if you'd rather have plain decimal degrees than the `43 deg 27' 52.04" N` form, which is easier to feed into a mapping tool.
```
┌──(root㉿kali)-[~]
└─$ exiftool '-GPS*' -r -ext jpg -json ~/10.10.3.90/ftp/public/ > gps.json
```
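To consume that JSON downstream, here is an added Python example (my own, not code from the post or from the ExifTool project). It drives the same command via `subprocess` and parses the records: files without a fix are dropped, and both coordinate forms are handled, the default `43 deg 27' 52.04" N` string shown earlier and the signed decimal numbers that `-n` produces. The `photos/...` file names and the coordinates in `SAMPLE_JSON` are constructed for the example, as is the directory passed to `run_exiftool`.

```python
import json
import re
import subprocess

# exiftool's default coordinate text, as seen in the post's output: 43 deg 27' 52.04" N
_DMS = re.compile(r'''^(\d+) deg (\d+)' ([\d.]+)" ([NSEW])$''')


def dms_to_decimal(text):
    """Turn '43 deg 27\\' 52.04" N' into 43.464456; S and W come out negative."""
    m = _DMS.match(text.strip())
    if not m:
        raise ValueError('unrecognised coordinate: %r' % text)
    deg, minutes, seconds, ref = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return round(-value if ref in 'SW' else value, 6)


def _coord(value):
    """Accept exiftool -n output (a signed number) or the default string form."""
    return float(value) if isinstance(value, (int, float)) else dms_to_decimal(value)


def locate(records):
    """From exiftool -j records, return {SourceFile: (lat, lon)} for every file that
    carries a fix; records without both GPSLatitude and GPSLongitude are dropped."""
    found = {}
    for rec in records:
        if 'GPSLatitude' in rec and 'GPSLongitude' in rec:
            found[rec['SourceFile']] = (_coord(rec['GPSLatitude']), _coord(rec['GPSLongitude']))
    return found


def run_exiftool(directory, ext='jpg'):
    """The post's one-liner driven from Python: recursive, extension-filtered, GPS tags only,
    JSON out, -n for numeric coordinates. Needs exiftool on PATH (not used by the sample below).
    No shell is involved, so '-GPS*' cannot be glob-expanded."""
    cmd = ['exiftool', '-j', '-n', '-r', '-ext', ext, '-GPS*', directory]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode not in (0, 1):            # 1 = some files had errors; output still usable
        raise RuntimeError(proc.stderr.strip() or 'exiftool failed')
    return locate(json.loads(proc.stdout or '[]'))


# Constructed sample of what `exiftool -j -r -ext jpg '-GPS*' DIR` returns. The first record is
# in the default string form, the second mimics -n numeric output, the third has no GPS block.
SAMPLE_JSON = r'''[
  {"SourceFile": "photos/DSCN0042.jpg",
   "GPSLatitude": "43 deg 27' 52.04\" N", "GPSLongitude": "11 deg 52' 53.32\" E",
   "GPSPosition": "43 deg 27' 52.04\" N, 11 deg 52' 53.32\" E"},
  {"SourceFile": "photos/melbourne.jpg", "GPSLatitude": -37.8136, "GPSLongitude": 144.9631},
  {"SourceFile": "photos/scrubbed.jpg"}
]'''


def locate_sample():
    """Run locate() over the constructed sample (offline stand-in for run_exiftool)."""
    return locate(json.loads(SAMPLE_JSON))


def report(found):
    """One line per geotagged file in decimal degrees, ready to paste into a map tool."""
    return '\n'.join('%-24s %11.6f %11.6f' % (p, lat, lon)
                     for p, (lat, lon) in sorted(found.items()))


if __name__ == '__main__':
    print(report(locate_sample()))
```

The `returncode` check matters in practice: Exiftool exits 1 when some files in the tree could not be read, but the JSON for the rest is still complete, so treating 1 as fatal would throw away good results.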
You're now equipped with all the basics of reading data with Exiftool. Grats!
For more information about Exiftool's command-line, check the official documentation. I've also included a handful of resources at the bottom of this post, as well as a quick guide on how to scrub metadata and protect your privacy.
Now you've got to grips with Exiftool, here's a practical challenge to test your digital forensic skills. Below, you can find two images. Try answering the following questions (and earn yourself a virtual cookie.)
- Can you identify the model of the smartphone used to take these photos?
- Using the GPS co-ordinates, can you identify the exact location these photos were taken? Try getting the name of each city.
- Bonus: Can you get the names of both buildings?
How To Protect Your Privacy
By this stage, you should have a pretty good idea of how metadata can really, for lack of a better expression, get you fucking rekt.
For this reason, it's a good idea to scrub your files clean of any identifying metadata, especially those you plan to share on the internet (i.e., social media platforms, blog posts, instant messengers.)
This is how you don't get v& over a
But first, an experiment.
Do Social Media Platforms Scrub EXIF Data?
To protect the privacy of their users, many social media platforms will automatically scrub metadata from images and photographs (as well as other types of files.)
But which ones don't?
To test this, I went through the most common platforms/apps, uploaded some images with identifying Exif data (both web and mobile), and re-downloaded them to check which images still had the data intact.
Here are the results for each platform.
| Platform | Photo (Mobile) | Photo (Web) |
✔️ = Metadata scrubbed, ❌ = Metadata intact
Using Exiftool to Overwrite / Scrub Metadata
Exiftool provides the ability to overwrite tags in image files, allowing us to replace the metadata values, or remove them completely.
For instance, to change the device make and model, we can use:
```
┌──(root㉿kali)-[~]
└─$ exiftool -Make="Potato" -Model="Jacket" DSCN0042.jpg
```
As shown, adding a hyphen (`-`) followed by a tag name selects that tag, and `=` followed by the new value sets it (just like assigning a variable.)
By default, Exiftool keeps a copy of the original file next to the edited one (`DSCN0042.jpg_original`) so the original metadata is preserved. Add `-overwrite_original` if you don't want that backup, and remember to delete any `_original` copies before you share a directory, since they still carry the untouched metadata.
If we run Exiftool on the image once more and select the `-Make` and `-Model` tags, we can see the new values have been applied.
```
┌──(root㉿kali)-[~]
└─$ exiftool -Make -Model DSCN0042.jpg
Make                            : Potato
Camera Model Name               : Jacket
```
But what if you want to completely scrub all possible metadata from an image file? We can simply use `-all` to select every tag and assign it an empty value:
```
┌──(root㉿kali)-[~]
└─$ exiftool -all= DSCN0042.jpg
```
Here, we select all tags with `-all`, and the bare `=` (no value following it) deletes them.
Just like before, we can scrub a whole directory tree by passing the directory and `-r`. This rewrites every supported file under it, so run it on a copy, and add `-ext jpg` if you only mean to touch the photos.
```
┌──(root㉿kali)-[~]
└─$ exiftool -all= -r ~/Documents/Photographs
```
As you can see, all identifying data has now been scrubbed from the image, and we're left with the generic tags: file-system attributes (which live outside the file) and the JPEG's own structural properties. `-all=` is blunt: it also drops things like the Orientation tag and the embedded colour profile, so check the scrubbed image still displays as you expect. To keep a whole group while deleting the rest, exclude it, e.g. `exiftool -all= --icc_profile:all DSCN0042.jpg`. Either way, re-run Exiftool afterwards and confirm nothing sensitive survived.
```
┌──(root㉿kali)-[~]
└─$ exiftool -a DSCN0042.jpg
ExifTool Version Number         : 12.69
File Name                       : DSCN0042.jpg
Directory                       : .
File Size                       : 142 kB
File Modification Date/Time     : 2023:10:29 18:00:12+00:00
File Access Date/Time           : 2023:10:29 18:00:13+00:00
File Creation Date/Time         : 2023:10:29 00:21:54+01:00
File Permissions                : -rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Image Width                     : 640
Image Height                    : 480
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:2 (2 1)
Image Size                      : 640x480
Megapixels                      : 0.307
```
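To show what Exiftool is actually reading when it reports `Make`, `Camera Model Name` and `GPS Position` earlier in the post, and what `-all=` does to the bytes of the file, here is an added Python example (mine, not code from the post or from ExifTool). It builds a tiny constructed JPEG container carrying an Exif APP1 segment with the same values as DSCN0042.jpg (it is not a decodable image, just the metadata scaffolding), walks the JPEG marker segments, decodes IFD0 and the GPS sub-IFD from the embedded TIFF structure, converts the degree/minute/second rationals to decimal degrees, and then rebuilds the file with the APPn/COM segments removed and confirms no coordinates survive. Everything in `build_sample_jpeg` is constructed; the offsets are worked out by hand.

```python
import struct

TYPE_SIZE = {2: 1, 3: 2, 4: 4, 5: 8}                       # TIFF ASCII, SHORT, LONG, RATIONAL (others skipped)
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4

def _entry(tag, typ, count, value4):                        # one 12-byte little-endian IFD entry
    return struct.pack('<HHI', tag, typ, count) + value4

def build_sample_jpeg():
    """Constructed sample, not a real or decodable photo: SOI, an Exif APP1 segment
    mirroring the post's DSCN0042.jpg values, a COM segment, EOI. Offsets are worked out by hand."""
    make, model = b'NIKON\0', b'COOLPIX P6000\0'
    make_off = 8 + 2 + 3 * 12 + 4                          # TIFF header + IFD0 (count, 3 entries, next ptr)
    model_off, gps_off = make_off + len(make), make_off + len(make) + len(model)
    lat_off = gps_off + 2 + 4 * 12 + 4                     # GPS IFD: count, 4 entries, next ptr
    ifd0 = (struct.pack('<H', 3)
            + _entry(TAG_MAKE, 2, len(make), struct.pack('<I', make_off))
            + _entry(TAG_MODEL, 2, len(model), struct.pack('<I', model_off))
            + _entry(TAG_GPS_IFD, 4, 1, struct.pack('<I', gps_off)) + struct.pack('<I', 0))
    gps = (struct.pack('<H', 4)
           + _entry(GPS_LAT_REF, 2, 2, b'N\0\0\0')            # values of <= 4 bytes are stored inline
           + _entry(GPS_LAT, 5, 3, struct.pack('<I', lat_off))
           + _entry(GPS_LON_REF, 2, 2, b'E\0\0\0')
           + _entry(GPS_LON, 5, 3, struct.pack('<I', lat_off + 24)) + struct.pack('<I', 0))
    # 43 27' 52.04" N and 11 52' 53.32" E as deg/min/sec RATIONAL pairs (numerator, denominator)
    coords = struct.pack('<' + 'I' * 12, 43, 1, 27, 1, 5204, 100, 11, 1, 52, 1, 5332, 100)
    tiff = b'II*\0' + struct.pack('<I', 8) + ifd0 + make + model + gps + coords
    app1, com = b'Exif\0\0' + tiff, b'constructed sample'
    return (b'\xff\xd8' + b'\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1
            + b'\xff\xfe' + struct.pack('>H', len(com) + 2) + com + b'\xff\xd9')

def jpeg_segments(data):
    """Yield (marker, start, end) per marker segment before SOS/EOI; payload is data[start+4:end]."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG (missing SOI)')
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                         # EOI / SOS: metadata segments all sit before these
            break
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError('bad segment length at offset %d' % pos)
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, bo, offset):
    """Decode one IFD into {tag: value}; bo is '<' or '>' per the TIFF header."""
    tags = {}
    for i in range(struct.unpack(bo + 'H', tiff[offset:offset + 2])[0]):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + 'HHI', tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 0) * n
        if size <= 4:                                      # inline value (unknown types give size 0)
            raw = tiff[e + 8:e + 8 + size]
        else:                                              # stored at an offset, which may be hostile
            off = struct.unpack(bo + 'I', tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        if size == 0 or len(raw) != size:
            continue                                       # skip unknown types and truncated values
        if typ == 2:
            tags[tag] = raw.split(b'\0', 1)[0].decode('ascii', 'replace')
        elif typ == 5:
            q = struct.unpack(bo + 'I' * (2 * n), raw)
            tags[tag] = [q[j] / q[j + 1] if q[j + 1] else 0.0 for j in range(0, 2 * n, 2)]
        else:
            tags[tag] = list(struct.unpack(bo + ('H' if typ == 3 else 'I') * n, raw))
    return tags

def _decimal(dms, ref, negative_ref):
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return round(-value if ref == negative_ref else value, 6)

def extract_gps(data):
    """What `exiftool -Make -Model -GPSPosition` reads: locate the Exif APP1 segment, follow
    IFD0's GPSInfo pointer and return decimal-degree coordinates; None if there is no Exif."""
    for marker, start, end in jpeg_segments(data):
        payload = data[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b'Exif\0\0'):
            continue                                       # APP1 also carries XMP; only Exif wanted
        tiff = payload[6:]
        bo = {b'II': '<', b'MM': '>'}[tiff[:2]]            # KeyError on a malformed byte-order mark
        if struct.unpack(bo + 'H', tiff[2:4])[0] != 42:
            raise ValueError('bad TIFF header in Exif APP1')
        ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + 'I', tiff[4:8])[0])
        info = {'make': ifd0.get(TAG_MAKE), 'model': ifd0.get(TAG_MODEL), 'gps': None}
        g = _read_ifd(tiff, bo, ifd0[TAG_GPS_IFD][0]) if TAG_GPS_IFD in ifd0 else {}
        if GPS_LAT in g and GPS_LON in g:
            info['gps'] = (_decimal(g[GPS_LAT], g.get(GPS_LAT_REF, 'N'), 'S'),
                           _decimal(g[GPS_LON], g.get(GPS_LON_REF, 'E'), 'W'))
        return info
    return None

def strip_metadata(data, keep_markers=frozenset()):
    """Rebuild the JPEG without APPn/COM segments (roughly what `exiftool -all=` does);
    keep_markers retains chosen segments, e.g. {0xE2} for an APP2 ICC profile."""
    out, tail = bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        if not ((0xE0 <= marker <= 0xEF or marker == 0xFE) and marker not in keep_markers):
            out += data[start:end]
        tail = end
    return bytes(out) + data[tail:]                        # scan data and EOI copied verbatim
```

Two things the parser does deliberately: every value offset read from the file is bounds-checked before use (a crafted IFD can point anywhere), and the scrubber keeps the entropy-coded image data untouched and only drops whole marker segments, which is why the segment walker stops at SOS. Note the trade-off the `keep_markers` parameter exposes: keeping the APP2 colour profile keeps the image looking right, but APP2 can carry other data too, so inspect before you whitelist.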
There's a whole lot more we can do with Exiftool, but now you have the basics of reading and writing tags under your belt, and you're ready to explore images in the wild.
Good luck, anon. o7
Want to learn more? In a future post, we'll be exploring what sort of information we can obtain from other types of files, such as
But for now, you can find a handful of resources below.
Answers to Practical Challenge:
- Sony I4213 (Xperia 10 Plus)
- Molenbeek-Saint-Jean, Belgium & Saint-Josse-ten-Noode, Belgium
- Sint-Remigiuskerk & Belfius Bank en Verzekeringen in Place Charles Rogier