
Using Exif Extractors to Obtain Valuable Data from Images «Null Byte :: WonderHowTo



Metadata contained in images and other files can reveal much more information than the average user thinks. By getting a target to send a photo with GPS coordinates and additional information, a hacker can easily find out where a mark lives or works by extracting the Exif data hidden in the image file.

For hackers or OSINT researchers collecting digital evidence, photos can be a rich source of data. In addition to what can be seen in the picture itself, metadata about when and where the photo was taken can also be recovered. This data may include the device on which the photo was taken, geolocation of the image, and other unique features that may be used to fingerprint an image taken by the same person or device.

Metadata, or data that describes other data such as images or videos, is helpful to investigators because it is often overlooked by otherwise cautious targets. If users do not know what type of data can be stored in a particular file format, they do not know if they are at risk by publishing a particular file. While many social media platforms have largely resolved this issue by removing metadata from files, there are still many images online that keep this data completely intact.

Exif Data in Images

Exchangeable image file format data, or Exif data, is information that is embedded in image files and offers many fields that can be filled in or left blank. The information is used by programs to better understand what is in the file to aid sorting and other functions. The available data fields in Exif are often filled in by the device that took the image at the time of capture. However, they can also be written by programs like Photoshop.

Because of this, we can often identify the camera model and settings that were used. Additional information, such as the owner of the software used to make Photoshop changes, allows you to identify images that come from the same source. The more Exif fields are filled in by the device that captured the image, or by the software that processed it, the easier it is to track other files created using the same procedure.

The full list of fields supported by the Exif standard is quite extensive. Apart from proprietary information, fields such as the name and address of the owner may be filled in by the image processing software without the author knowing that each image created by them contains this information.
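A pre-publication check for the identifying fields described above, added here as an example and not taken from the original article: it reads IFD0 of an Exif/TIFF blob (the bytes that follow "Exif\0\0" in a JPEG APP1 segment) and reports device, software and owner tags plus the GPS directory pointer. The function names are hypothetical and the sample blob is constructed, using the Make and Model strings shown later on this page.

```python
import struct

# Exif/TIFF tags that identify a device, its software or its owner, plus the
# pointer that signals a GPS sub-directory (tag numbers from the Exif standard).
IDENTIFYING = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
               0x013B: "Artist", 0x8298: "Copyright", 0x8825: "GPSInfo"}

def audit_ifd0(tiff):
    """Return {tag name: value} for identifying tags found in IFD0."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # Intel / Motorola byte order
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF header")
    (ifd,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if tag not in IDENTIFYING:
            continue
        if typ == 2:  # ASCII: inline when it fits in 4 bytes, else at an offset
            start = struct.unpack(order + "I", entry[8:])[0] if n > 4 else None
            raw = entry[8:8 + n] if start is None else tiff[start:start + n]
            found[IDENTIFYING[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:         # e.g. the LONG pointer to the GPS directory
            found[IDENTIFYING[tag]] = "present"
    return found

def sample_exif(order):
    """Constructed blob: Make, Model and a GPS pointer (GPS directory omitted)."""
    strings = [(0x010F, b"Samsung\x00"), (0x0110, b"SM-G920I\x00")]
    data_at = 8 + 2 + 12 * 3 + 4  # header + count + 3 entries + next-IFD offset
    ifd, blob = struct.pack(order + "H", 3), b""
    for tag, text in strings:
        ifd += struct.pack(order + "HHII", tag, 2, len(text), data_at + len(blob))
        blob += text
    ifd += struct.pack(order + "HHII", 0x8825, 4, 1, data_at + len(blob))
    header = (b"II" if order == "<" else b"MM") + struct.pack(order + "HI", 42, 8)
    return header + ifd + struct.pack(order + "I", 0) + blob
```

An empty result from audit_ifd0 means IFD0 carries none of the listed tags; it says nothing about MakerNotes, XMP or other segments.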

What You Need

An older Null Byte article on Exif data covers a dated Windows tool that still works. Here, we focus only on a program preinstalled in Kali Linux, as well as on some tools that can be run on any system directly from the web browser.

Option 1: Using the Exif Command-Line Tool

To start, we use the tool "exif", which is preinstalled in Kali Linux. This program is the command-line frontend for libexif and works only with JPG files. To display the available options, run exif --help.

If you receive an error message, or you use another operating system such as Debian or Ubuntu, open a new terminal window and enter apt install exif to install the program and any required dependencies. Likewise, you can install this tool by typing brew install exif on a macOS device. Then try exif --help again.

With man exif you can see even more information about the tool.

  ~ $ exif --help

Usage: exif [OPTION...] file
-v, --version Displays the software version
-i, --ids Show IDs instead of tag names
-t, --tag=TAG Select tag
--ifd=IFD Select IFD
-l, --list-tags Lists all EXIF tags
-|, --show-mnote Show the contents of the MakerNote tag
--remove Remove tag or ifd
-s, --show-description Displays the description of the tag
-e, --extract-thumbnail Extract thumbnail
-r, --remove-thumbnail Remove thumbnail
-n, --insert-thumbnail=FILE Insert FILE as thumbnail image
--no-fixup Does not fix existing tags in files
-o, --output=FILE Write data to the FILE
--set-value=STRING Value of the tag
-c, --create-exif Generates EXIF data if it does not exist
-m, --machine-readable Output in a machine-readable (tab-delimited) format
-w, --width=WIDTH Width of the output
-x, --xml-output Output in XML format
-d, --debug Show debugging messages

Help Options:
-?, --help Displays this help message
--usage Show short usage message

While the full set of options is a lot to take in, the simplest use of this tool is to type exif followed by the path to the file you want to check. A photo edited in Photoshop stores information about the software that changed it, the computer it was modified on, and the camera it was shot on. If the "Corrupt Data" error occurs, the file may not contain metadata or you may be scanning a file that is not a JPG.

  ~ $ exif /Users/skickar/Downloads/Vacaynev-28.jpg

EXIF tags in "/Users/skickar/Downloads/Vacaynev-28.jpg" (byte order "Intel"):
--------------------+----------------------------------------------------------
Tag                 | Value
--------------------+----------------------------------------------------------
Manufacturer | Canon
Model | Canon EOS 60D
X-Resolution | 300
Y-resolution | 300
Resolution unit | inch
Software | Adobe Photoshop Lightroom 5.6 (Macintosh)
Date and time | 2016:11:25 17:45:11
Compression | JPEG compression
X-Resolution | 72
Y-resolution | 72
Resolution unit | inch
Exposure time | 1/100 sec.
F number | f/4.0
Exposure program | Manually
ISO sensitivity | 640
Exif version | Exif version 2.3
Date and time (Origi | 2016:11:25 02:56:54
Date and time (digit | 2016:11:25 02:56:54
Shutter speed | 6.64 EV (1/99 sec.)
Aperture | 4.00 EV (f/4.0)
Exposure compensation | 0.00 EV
Maximum opening value | 3.00 EV (f/2.8)
Measurement mode | template
Flash | Flash did not fire, mandatory flash mode
Focal length | 17.0 mm
Time under one second (Ori | 00
Time under one second (Dig | 00
Color space | sRGB
Focal Plane X-Resolu | 5728.177
Focal Plane Y-Resolu | 5808.403
Focal plane Resoluti | inch
Custom Rendered | Normal process
Exposure mode | Manual exposure
White balance | Automatic white balance
Scene shooting type | default
FlashPixVersion | FlashPix Version 1.0
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (16091 bytes).

Information may also contain geolocation data as exact coordinates provided by the device that took the photo. If the photo was taken on a phone, it is much more likely to contain geotags.

As shown in the output above, the person who created this file uses a Canon EOS 60D camera, has a lens with a focal length of 17.0 mm, has worked on the file in Lightroom, and uses a Mac computer. That's a lot from a simple image file!

Option 2: Use Jeffrey's Image Metadata Viewer Web Application

If you use a browser, there are two great free sites for extracting Exif data. Let's start with Jeffrey Friedl's Image Metadata Viewer at exif.regex.info. Unfortunately, the site does not use HTTPS. If you do not mind that, the simple design is easy to use and supports a variety of formats, unlike the command-line tool, which only works with JPG files. So you can scan RAW image files like CR2 and DNG, as well as PNG and TIFF, just to name a few.

Upload a file or add its public URL, complete the CAPTCHA, and click "View Image Data".

When you scan a file, you should see a decent amount of information if it comes from a smartphone. In my example below, a photo older than two years contained a GPS location.

The amount of data actually collected spans multiple pages and is quite large.

EXIF

Make Samsung
Camera Model Name SM-G920I
Software G920IDVS3EPK1
Modification date 2016:12:13 12:56:36
2 years, 3 months, 18 days, 15 hours, 41 minutes, 18 seconds ago
Y Cb Cr positioning centered
Exposure time 1/24
F number 1.90
Exposure program AE
ISO 200
Exif version 0220
Date/time of the original 2016:12:13 12:56:36
2 years, 3 months, 18 days, 15 hours, 41 minutes, 18 seconds ago
Creation date 2016:12:13 12:56:36
2 years, 3 months, 18 days, 15 hours, 41 minutes, 18 seconds ago
Shutter speed value 1/24
Aperture value 1.90
Brightness value 0.27
Exposure compensation 0
Maximum opening value 1.9
Measuring mode Spot
Flash No flash
Focal length 4.3 mm
Image size 5,312 × 2,988
Maker Note Unknown (98 bytes of binary data)
user comment
Flashpix version 0100
Color space sRGB
Exposure mode Auto
White balance Auto
Focal length in 35 mm format 28 mm
Scene shooting standard
Unique image ID A16LLIC08SM A16LLIL02GM
GPS version ID 2.2.0.0
GPS Latitude Ref North
GPS latitude 34.040833 degrees
GPS Longitude Ref West
GPS longitude 118.255000 degrees
GPS altitude reference below sea level
GPS height 0 m
GPS timestamp 20:56:27
GPS date stamp 2016:12:13
2 years, 3 months, 19 days, 4 hours, 37 minutes, 54 seconds ago
Image width 512
Picture height 288
Compression JPEG (old style)
Turn orientation 90 CW
Resolution 72 pixels / inch
Thumbnail Length 11,484
Thumbnail (11,484 bytes of binary data)
Makernotes

Unknown 0x0001 0.100
Unknown 0x0002 73,728
Unknown 0x000c 0
Unknown 0x0010 undef
Unknown 0x0040 0
Unknown 0x0050 1
Unknown 0x0100 0
Samsung Trailer 0x0a01 Name Image_UTC_Data
Timestamp 2016:12:13 12:56:36-08:00
2 years, 3 months, 18 days, 14 hours, 41 minutes, 18 seconds ago
File – Basic information derived from the file.

File type JPEG
MIME type image/jpeg
Exif Byte Order Little Endian (Intel, II)
Encoding Process Baseline DCT, Huffman Encoding
Bits per sample 8
Color components 3
File size 3.5 MB
File type extension jpg
Image size 5,312 × 2,988
Y Cb Cr subsampling YCbCr4:2:2 (2 1)
Composite
This data block is calculated based on other elements. Some of them may be wrong, especially if the size of the image has changed.

GPS latitude 34.040833 degrees N
GPS longitude 118.255000 degrees W
GPS altitude 0 m above sea level
Aperture 1.90
GPS date/time 2016:12:13 20:56:27Z
2 years, 3 months, 18 days, 14 hours, 41 minutes, 27 seconds ago
GPS position 34.040833 degrees N, 118.255000 degrees W
Megapixels 15.9
Shutter speed 1/24
Light value 5.4
Scaling factor up to 35 mm equivalent 6.5
Circle of confusion 0.005 mm
Field of view 65.5 degrees
Focal length 4.3 mm (equivalent 35 mm: 28.0 mm)
Hyperfocal Distance 2.11 m

Option 3: Using Ver Exif's Web App

On our second website, Ver Exif at verexif.com, all Exif data is displayed after a scan, and there is also an option to remove metadata from images. Removing the metadata is useful if you want to make sure that an image you send does not contain data that you did not want to send.

To view Exif information, upload a file or add its public URL, and then click View Exif. In my example, the same photo does not yield as much information on this site, but a handy map is created to indicate where the photo was taken. The information is accurate but not as extensive as that from the Image Metadata Viewer web application.

Interestingly enough, after I passed the test photo through the "Remove Exif" option, I uploaded it to the first site to see if the metadata really had been removed. It turns out that I can still tell it was shot on a Samsung device, so I recommend that you do not use this tool to remove metadata from your photos.
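Checking a cleaned file yourself is more reliable than trusting a tool's "remove" button. The following added example (not part of the original article) walks the JPEG segment structure, reports metadata-carrying segments and any bytes appended after the end-of-image marker, and writes a copy without them. The function names are hypothetical, the sample bytes are constructed, and the end-of-image search assumes a baseline single-scan JPEG.

```python
import struct

# Segments that commonly carry metadata: APP1 (Exif/XMP), APP13 (IPTC), COM.
METADATA = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}

def seg(marker, payload):  # builds one segment for the constructed sample
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, Exif APP1, a comment, scan data, EOI, trailer.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9))
          + seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
          + seg(0xFE, b"SM-G920I") + seg(0xDA, bytes(6))
          + b"\x12\x34\xff\xd9" + b"TRAIL")

def segments(jpeg):
    """Yield (marker, start, end) for each header segment through start-of-scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if end > len(jpeg):
            raise ValueError("truncated segment")
        yield marker, pos, end
        if marker == 0xDA:  # compressed image data follows
            return
        pos = end
    raise ValueError("no start-of-scan segment")

def leftovers(jpeg):
    """Report metadata segments and any bytes appended after the EOI marker."""
    segs = list(segments(jpeg))
    found = [METADATA[m] for m, _, _ in segs if m in METADATA]
    eoi = jpeg.find(b"\xff\xd9", segs[-1][2])  # first EOI after the scan header
    if eoi != -1 and eoi + 2 < len(jpeg):
        found.append(f"trailer:{len(jpeg) - eoi - 2}")
    return found

def strip(jpeg):
    """Drop metadata segments and cut the file off at the EOI marker."""
    segs = list(segments(jpeg))
    out = b"\xff\xd8" + b"".join(jpeg[s:e] for m, s, e in segs if m not in METADATA)
    eoi = jpeg.find(b"\xff\xd9", segs[-1][2])
    body = jpeg[segs[-1][2]:] if eoi == -1 else jpeg[segs[-1][2]:eoi + 2]
    return out + body
```

Run leftovers() on the output of whatever removal tool you use; an empty list means no APP1, APP13, COM or trailer data remains in the file.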

Option 4: Use EXIF Viewer's Chrome Extension

In Google Chrome, you can install the EXIF Viewer extension, which will extract the Exif data from any photo you can load in the browser.

Using browser add-ons to extract Exif data is even easier than using a web-based tool. After installing and activating the plug-in, we can right-click on any image in the browser and select "View EXIF data" to see all the information in the image.

To test this, I found a random image on a photo-sharing website and looked in the metadata provided by EXIF Viewer for the type of camera that was used for the recording.

Option 5: Use the Exif Viewer Firefox Add-On

You can also install the Exif Viewer add-on developed by Alan Raskin for Firefox, which provides features similar to the Chrome extension above. After installing and activating the add-on, right-click an image in your browser and then click "Exif Viewer".

A pop-up window with a series of sorted metadata appears. You can see the link to the picture, a GPS section with links to open the location on Google Maps, Bing Maps, and Mapquest, and all the other helpful information in the Exif data.

In general, browser extensions are an excellent way to simplify the extraction of Exif data, since you can also open photos in a browser window and use an extension to read data contained therein.

Metadata reveals the story behind a photo

While a photo may provide valuable information, the true value may lie in the data encoded in the metadata. Accessing this data is easier than ever. Be sure to pay attention to what information you may reveal when sending a photo.

Many social media platforms and photo hosting services choose not to remove all of this data. Make sure you do not leak this data if you do not intend to. These tools help you quickly determine how you might be leaking your location or other private data in photos that you want to share online. Most importantly, disable geotagging on your phone if you do not want to have GPS coordinates burned into each captured image.

I hope you liked this guide to extracting hidden metadata from image files! If you have any questions or comments about this tutorial for image OSINT, please contact me on Twitter @KodyKinzie.


Cover photo by Justin Meyers / Null Byte; Screenshots of Kody / Null Byte



