Using Exiftool to Extract Metadata from Image Files

"A picture is worth a thousand words", and it might also include your personal data.

In this post, we explore how forensic investigators can use digital photographs and other types of multimedia files to obtain valuable information through metadata (or Exif data) extraction, using readily-available tools such as Exiftool.

WTF is Metadata?!

/ˈmɛtəˌdeɪtə/

Put simply, metadata (or meta-information) is "data that provides information about other data", but not the content of the data itself. Metadata is often described as "data about data".

For instance, in the context of image files, we have the image itself (i.e., the composition of pixels that make up the image), such as the photo below.

Image by ianare on GitHub.

But within this file, we have some additional information, such as the File Name, the image Resolution, the Date/Time the image was created, the File Type (Format), and so on.

This metadata is automatically written or "stamped" on creation of the file, and can often include identifying information, depending on the device it was created with. Exif data essentially acts as a digital footprint for image files.

OK, But How is Metadata Useful in Forensics?

"Metadata absolutely tells you everything about somebody's life, if you have enough metadata you don't really need content... It's sort of embarrassing how predictable we are as human beings."
Stewart Baker, former General Counsel of the NSA. Quoted in: Alan Rusbridger "The Snowden Leaks and the Public" at nybooks.com, November 21, 2013.

In early 2012, CabinCr3w, a notorious hacking group at the time, gained access to computers belonging to the Alabama Department of Public Safety, leaked a bunch of confidential data, erased it from their systems, and vandalised several of their websites.

Less than a month later, the Federal Bureau of Investigation arrested a 30-year-old Linux administrator in Texas, who was later charged with the attack.

The breakthrough? A photo of the perpetrator's online girlfriend, featuring a note which reads "PwNd by w0rmer & CabinCr3w, <3 u BiTch's". This was a trademark of sorts, intentionally left behind by the attacker.

However, hidden within that file were GPS co-ordinates, pointing to the exact location of where the photo was taken (an outer-suburb of Melbourne, Australia, for those wondering.) Police swiftly discovered the woman's identity, found her Facebook profile, and ultimately identified her fiancé, Higinio Ochoa, the individual behind the cyber attack.

tl;dr? Hackerman gets v& over a jpg.

In summary, Exif data can provide a wealth of information to forensic investigations, and the methods we'll be covering in this post are still frequently used today, by both public and private sectors.

Types of Metadata

Exif, IPTC, and XMP are the three most common formats of metadata you'll find in images, with Exif being the most common.

You may already be familiar with Exif, short for Exchangeable Image File Format. As the name suggests, Exif is a standard that specifies formats for images, sound, and ancillary tags. Exif stores the juicy stuff: camera settings, model and software version, datetime, location etc.

IPTC has a lot less detail, and only stores info like datetime, creator, copyright and file description/keywords.

XMP is Adobe's format (although no longer proprietary.) This stores all sorts of stuff (camera model, datetime etc.) as well as editing info from software like Lightroom.

Exiftool - Installation & Basic Usage

Exiftool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information. The tool is entirely open-source and has readily-available binaries for Windows, Mac and Linux systems.

Installing Exiftool

Users can download the tool from exiftool.org, which also includes an installation guide for most platforms. You can also use a package manager to install Exiftool, including Chocolatey, Homebrew, and apt.

For those using Kali (or any other Debian-based distro), we can install Exiftool by simply running:

┌──(root㉿kali)-[~]
└─$ sudo apt install exiftool

Then we can verify the install by running which exiftool.

Basic Usage

Now the fun stuff - let's put Exiftool into action, and explore some of its basic usage. For the purpose of this guide, I'll be using this image, which contains a bunch of original data.

This section covers reading metadata, filtering tags, using wildcards, sorting tags alphabetically, and exporting data to different formats.

$ exiftool [OPTIONS] [-TAG...] [--TAG...] FILE...

Extracting Metadata

We can start by extracting all metadata from the image file, by running exiftool <path>.

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg

ExifTool Version Number         : 12.67
File Name                       : DSCN0042.jpg
Directory                       : .
File Size                       : 157 kB
File Modification Date/Time     : 2023:10:28 19:21:54-04:00
File Access Date/Time           : 2023:10:28 19:22:03-04:00
File Inode Change Date/Time     : 2023:10:28 19:22:03-04:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
Image Description               : 
Make                            : NIKON
Camera Model Name               : COOLPIX P6000
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Nikon Transfer 1.1 W
Modify Date                     : 2008:11:01 21:15:11
# ... Rest of output

I won't include the full output here, as there's a wealth of information to explore. But let's take a look at some tags that may be of interest.

/taɡ/

Tags are handles by which the information is accessed in Exiftool. If we look at the output above, we have the tag names (File Name, Camera Model Name etc.) followed by their corresponding values.

As you can see in the first few lines, we can find out the make and model of the camera that took the photograph, as well as the software version present at the time:

Make                            : NIKON
Camera Model Name               : COOLPIX P6000
Software                        : Nikon Transfer 1.1 W

We can find out the original date and time the photograph was created:

Date/Time Original              : 2008:10:22 17:00:07
Create Date                     : 2008:10:22 17:00:07

More importantly, the metadata also includes the original GPS co-ordinates:

GPS Date/Time                   : 2008:10:23 14:57:41.37Z
GPS Latitude                    : 43 deg 27' 52.04" N
GPS Longitude                   : 11 deg 52' 53.32" E
GPS Position                    : 43 deg 27' 52.04" N, 11 deg 52' 53.32" E

Pretty useful stuff, right? But let's dive deeper, and look at how we can quickly filter these tags.

Include / Exclude Specific Tags

To include or exclude tags, we can use - and -- syntax by specifying a particular tag (i.e., -FileName.)

This is useful if you want to filter out the data and grab a particular piece of information without searching through the entire output.

Using a singular hyphen (-) allows you to include a specific tag, as follows:

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -GPSPosition
GPS Position                    : 43 deg 27' 52.04" N, 11 deg 52' 53.32" E

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -CreateDate
Create Date                     : 2008:10:22 17:00:07

Using double hyphens (--), we can also exclude specific tags, like so:

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg --FileName

ExifTool Version Number         : 12.67
Directory                       : .
File Size                       : 157 kB
File Modification Date/Time     : 2023:10:28 19:21:54-04:00
File Access Date/Time           : 2023:10:28 19:22:03-04:00
File Inode Change Date/Time     : 2023:10:28 19:22:03-04:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
# ... Rest of output

As shown above, the File Name tag is no longer present in the output. You can take this a step further by using wildcards, which we'll cover next.

For a comprehensive list of all possible tags, use exiftool -list.

Using Wildcards

Exiftool supports wildcard filtering. Let's say you want to include all the tags that include "GPS". This is entirely possible by using the -*GPS* parameter (similar to using something like grep GPS):

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -*GPS*

GPS Date/Time                   : 2008:10:23 14:57:41.37Z
GPS Latitude                    : 43 deg 27' 52.04" N
GPS Longitude                   : 11 deg 52' 53.32" E
GPS Position                    : 43 deg 27' 52.04" N, 11 deg 52' 53.32" E

Vice versa, we can also exclude tags by using something like --*File*, ignoring all tags containing "File":

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg --*File*

ExifTool Version Number         : 12.67
Directory                       : .
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
Image Description               : 
Make                            : NIKON
Camera Model Name               : COOLPIX P6000
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Nikon Transfer 1.1 W
Modify Date                     : 2008:11:01 21:15:11
# ... Rest of output

Sorting Tags

In some cases, you may want to sort all tags alphabetically for better readability. Exiftool provides a -Sort flag, which we can use to do just that.

┌──(root㉿kali)-[~]
└─$ exiftool DSCN0042.jpg -Sort

Exporting to JSON, CSV, HTML etc.

You may wish to export the data to a file for use in a different application, like a text-editor or browser. Exiftool provides several flags for exporting to different formats, such as -json, -csv and -h (html).

# Export to JSON
┌──(root㉿kali)-[~]
└─$ exiftool -json DSCN0042.jpg

# Export to CSV
┌──(root㉿kali)-[~]
└─$ exiftool -csv DSCN0042.jpg

# Export to HTML
┌──(root㉿kali)-[~]
└─$ exiftool -h DSCN0042.jpg

# Export to XML
┌──(root㉿kali)-[~]
└─$ exiftool -X DSCN0042.jpg

# Export to PHP
┌──(root㉿kali)-[~]
└─$ exiftool -php DSCN0042.jpg

# Export to TSV
┌──(root㉿kali)-[~]
└─$ exiftool -t DSCN0042.jpg

Using Exiftool with Multiple Files

In many cases, you may be analysing an entire directory of files.

This could include several sub-directories, and hundreds or even thousands of photographs, and there's no way we're going to inspect them one-by-one.

To extract the data from all files in a directory, we pass the directory path in place of a file name. Note that -Directory is a tag rather than an option: adding it to a command selects each file's Directory tag for output, just like -FileName or -CreateDate.

┌──(root㉿kali)-[~]
└─$ exiftool ~/Documents/Photographs

In addition, if we want to extract data recursively (search all sub-directories), we can add the -r flag.

┌──(root㉿kali)-[~]
└─$ exiftool -r ~/Documents/Photographs

You can also ignore certain sub-directories by adding the -i flag.

┌──(root㉿kali)-[~]
└─$ exiftool -r ~/Documents/Photographs -i thumbnails/

Filtering Files by Extension

Let's say you have a bunch of different files, and you only want Exiftool to search for images with the .jpg extension. This can be done with the -ext parameter, and by specifying a format.

If you remember, we can include and exclude specific tags using - and -- respectively. The same applies here.

Let's say we want to include all jpg files. We can use -ext to specify the format (notice the singular hyphen):

┌──(root㉿kali)-[~]
└─$ exiftool -Directory -r ~/Documents/Photographs -ext jpg

To exclude a particular extension, we can use --ext:

┌──(root㉿kali)-[~]
└─$ exiftool -Directory -r ~/Documents/Photographs --ext png

The Result

Putting all of this together, we can easily grab all of the GPS data for each image in a directory of hundreds of files, and output that data as JSON, which can be redirected to a .json file for further analysis.

┌──(root㉿kali)-[~]
└─$ exiftool -GPS* -Directory -r ~/10.10.3.90/ftp/public/ -ext jpg -json
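For the "further analysis" step, the degrees/minutes/seconds strings in the JSON need converting to decimal degrees before they can be plotted or pasted into a mapping tool. The following is an added example, not part of the original post; the sample JSON is constructed (the first record reuses the coordinates shown above) and the function names are my own.

```python
import json
import re

# Constructed sample of `exiftool -json` output. The first record reuses the
# coordinates shown in this post; the other two are made up for the example.
SAMPLE_JSON = r'''
[
  {"SourceFile": "photos/DSCN0042.jpg",
   "GPSLatitude": "43 deg 27' 52.04\" N",
   "GPSLongitude": "11 deg 52' 53.32\" E"},
  {"SourceFile": "photos/south_west.jpg",
   "GPSLatitude": "37 deg 48' 49.00\" S",
   "GPSLongitude": "70 deg 30' 0.00\" W"},
  {"SourceFile": "photos/no_gps.jpg"}
]
'''

# Exiftool's default print format: DEG deg MIN' SEC" REF
DMS = re.compile(r"""(\d+) deg (\d+)' (\d+(?:\.\d+)?)" ([NSEW])""")


def dms_to_decimal(text):
    """Convert '43 deg 27' 52.04" N' to signed decimal degrees."""
    match = DMS.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised coordinate: {text!r}")
    degrees, minutes, seconds, ref = match.groups()
    value = int(degrees) + int(minutes) / 60 + float(seconds) / 3600
    # South and West are negative in decimal notation.
    return -value if ref in "SW" else value


def geotagged(json_text):
    """Map each file that carries a GPS fix to (latitude, longitude)."""
    located = {}
    for record in json.loads(json_text):
        lat, lon = record.get("GPSLatitude"), record.get("GPSLongitude")
        if lat is None or lon is None:
            continue  # no location stored in this file
        located[record["SourceFile"]] = (
            round(dms_to_decimal(lat), 6),
            round(dms_to_decimal(lon), 6),
        )
    return located


if __name__ == "__main__":
    for path, (lat, lon) in geotagged(SAMPLE_JSON).items():
        print(f"{path}: {lat}, {lon}")
```

Exiftool can also print signed decimal coordinates itself if you add the -n option, which disables its human-readable print conversion.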

You're now equipped with all the basics of reading data with Exiftool. Grats!

For more information about Exiftool's command-line, check the official documentation. I've also included a handful of resources at the bottom of this post, as well as a quick guide on how to scrub metadata and protect your privacy.

Practical Challenge

Now you've got to grips with Exiftool, here's a practical challenge to test your digital forensic skills. Below, you can find two images. Try answering the following questions (and earn yourself a virtual cookie.)

  1. Can you identify the model of the smartphone used to take these photos?
  2. Using the GPS co-ordinates, can you identify the exact location these photos were taken? Try getting the name of each city.
  3. Bonus: Can you get the names of both buildings?

You can download this image here.
You can download this image here.

How To Protect Your Privacy

By this stage, you should have a pretty good idea of how metadata can really, for lack of a better expression, get you fucking rekt.

For this reason, it's a good idea to scrub your files clean of any identifying metadata, especially those you plan to share on the internet (i.e., social media platforms, blog posts, instant messengers.)

This is how you don't get v& over a .jpg.

But first, an experiment.

Do Social Media Platforms Scrub EXIF Data?

To protect the privacy of their users, many social media platforms will automatically scrub metadata from images and photographs (as well as other types of files.)

But which ones don't?

To test this, I went through the most common platforms/apps, uploaded some images with identifying Exif data (both web and mobile), and re-downloaded them to check which images still had the data intact.

Here are the results for each platform.

Platform | Photo (Mobile) | Photo (Web)
Discord | ✔️ | ✔️
Facebook Messenger | ✔️ | ✔️
GitHub (Comments) | N/A
Imgur | ✔️ | ✔️
LinkedIn | ✔️ | ✔️
Medium | ✔️ | ✔️
Microsoft Teams | ✔️
Reddit | ✔️ | ✔️
Tumblr | ✔️ | ✔️
Twitter | ✔️ | ✔️
WhatsApp | ✔️ | ✔️


✔️ = Metadata scrubbed, ❌ = Metadata intact

Using Exiftool to Overwrite / Scrub Metadata

Exiftool provides the ability to overwrite tags in image files, allowing us to replace the metadata values, or remove them completely.

For instance, to change the device make and model, we can use:

┌──(root㉿kali)-[~]
└─$ exiftool -Make="Potato" -Model="Jacket" DSCN0042.jpg

As shown, simply adding a hyphen (-) followed by a tagName allows you to select a specific tag. Then we can simply replace the value by using = followed by the new value (just like setting a variable.)

By default, Exiftool creates a copy of the image to preserve the original metadata (DSCN0042.jpg_original.)

If we run Exiftool on the image once more and select the -Make and -Model tags, we can see the new values have been applied.

┌──(root㉿kali)-[~]
└─$ exiftool -Make -Model DSCN0042.jpg

Make                            : Potato
Camera Model Name               : Jacket

But what if you want to completely scrub all possible metadata from an image file? We can simply use -all to select all tags:

┌──(root㉿kali)-[~]
└─$ exiftool -all= DSCN0042.jpg

Here, we select all tags with -all, and specify an empty value by simply adding = (without a following value, null.)

Just like before, we can also pass a directory (with -r to include its sub-directories) to scrub/overwrite tags for all images in it.

┌──(root㉿kali)-[~]
└─$ exiftool -all= -r ~/Documents/Photographs

As you can see, all identifying data has now been scrubbed from the image, and we're left with the generic tags.

┌──(root㉿kali)-[~]
└─$ exiftool -a DSCN0042.jpg

ExifTool Version Number         : 12.69
File Name                       : DSCN0042.jpg
Directory                       : .
File Size                       : 142 kB
File Modification Date/Time     : 2023:10:29 18:00:12+00:00
File Access Date/Time           : 2023:10:29 18:00:13+00:00
File Creation Date/Time         : 2023:10:29 00:21:54+01:00
File Permissions                : -rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Image Width                     : 640
Image Height                    : 480
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:2 (2 1)
Image Size                      : 640x480
Megapixels                      : 0.307
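
To check a whole batch before sharing it, the same verification can be automated over exiftool's -json output. The following is an added example, not part of the original post: the list of tags treated as identifying is an assumption based on the tags this post highlights, and the sample JSON and function names are constructed for the illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumption: tags treated as identifying. These are the ones this post
# calls out; extend the list to suit your own threat model. Patterns use
# shell-style wildcards, like Exiftool's own -*GPS* filter.
IDENTIFYING = ["GPS*", "Make", "Model", "Software",
               "DateTimeOriginal", "CreateDate", "ModifyDate"]

# Constructed sample of `exiftool -json` output for two files: one
# untouched, one after `exiftool -all=`.
SAMPLE_JSON = r'''
[
  {"SourceFile": "upload/original.jpg",
   "FileName": "original.jpg", "FileType": "JPEG",
   "FileModifyDate": "2023:10:28 19:21:54-04:00",
   "Make": "NIKON", "Model": "COOLPIX P6000",
   "CreateDate": "2008:10:22 17:00:07",
   "GPSLatitude": "43 deg 27' 52.04\" N",
   "GPSLongitude": "11 deg 52' 53.32\" E",
   "GPSPosition": "43 deg 27' 52.04\" N, 11 deg 52' 53.32\" E"},
  {"SourceFile": "upload/scrubbed.jpg",
   "FileName": "scrubbed.jpg", "FileType": "JPEG",
   "FileModifyDate": "2023:10:29 18:00:12+00:00",
   "ImageWidth": 640, "ImageHeight": 480, "Megapixels": 0.307}
]
'''


def leaked_tags(record, patterns=IDENTIFYING):
    """Return the identifying tag names still present in one file's record."""
    return sorted(
        tag for tag in record
        if tag != "SourceFile"
        and any(fnmatchcase(tag, pattern) for pattern in patterns)
    )


def audit(json_text):
    """Map each file that still carries identifying tags to those tag names."""
    report = {}
    for record in json.loads(json_text):
        found = leaked_tags(record)
        if found:
            report[record["SourceFile"]] = found
    return report


if __name__ == "__main__":
    for path, tags in audit(SAMPLE_JSON).items():
        print(f"{path}: still carries {', '.join(tags)}")
```

Filesystem values such as FileModifyDate are deliberately not matched: they describe the copy on disk rather than data embedded in the image. Remember that the _original backup Exiftool leaves beside each scrubbed file still holds the full metadata.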

There's a whole lot more we can do with Exiftool, but now you have the basics of reading and writing tags under your belt, and you're ready to explore images in the wild.

Good luck, anon. o7

Further Resources

Want to learn more? In a future post, we'll be exploring what sort of information we can obtain from other types of files, such as .pdf and .doc.

But for now, you can find a handful of resources below.

Answers to Practical Challenge:

  1. Sony I4213 (Xperia 10 Plus)
  2. Molenbeek-Saint-Jean, Belgium & Saint-Josse-ten-Noode, Belgium
  3. Sint-Remigiuskerk & Belfius Bank en Verzekeringen in Place Charles Rogier

References