Metadata contained in images and other files can give away a lot more information than the average user might think. By tricking a target into sending a photo containing GPS coordinates and additional information, a hacker can learn where a mark lives or works simply by extracting the Exif data hidden inside the image file.
For hackers or OSINT researchers gathering digital evidence, photos can be a rich source of data. Besides what?s visible in the picture itself, metadata about when and where the photo was taken can also be recoverable. This data can include the device the photo was taken on, the geolocation of the image, and other unique characteristics that can fingerprint an image as haven been taken by the same person or device.
Metadata, or the data that describes files like images or videos, is useful during reconnaissance to investigators because it?s often overlooked by otherwise careful targets. If people don?t know what kind of data can be retained in a particular file format, they won?t know if they?re putting themselves at risk by making a specific file public. While many social media platforms have largely eliminated this problem by stripping out metadata from files, there are still many images online with this data left entirely intact.
Exchangeable image file format data, or Exif data, is information that accompanies image files and offers many fields that can be populated or left blank. The information is used by programs to understand better what is contained inside the file to aid in sorting and other functions. Available data fields in Exif are often written to by the device that took the image at the time it was shot but can also be left by processing programs like Photoshop.
Because we can often identify the model of camera used, the settings used, and supplementary information like the owner of the software that made Photoshop changes, it?s possible to identify images that came from the same source. The more Exif fields are filled out by the device that shot the image or software that processed it, the easier it is to track other files made by the same process.
The full list of fields that are supported by the Exif standard is quite extensive. Aside from manufacturer-specific information, fields like the owner?s name and address can be populated by image processing software without the author knowing each image they produce contains this information.
What You?ll Need
While an older Null Byte article on Exif data features a dated Windows-only tool that still works, we?ll focus only on a program that?s pre-installed on Kali Linux, as well as a few tools that?ll work on any system right from a web browser.
Option 1: Use the Exif Command Line Tool
To start, we?ll be using the ? exif? tool that comes pre-installed in Kali Linux. This program is the command line front-end to ? libexif,? and it only works on JPG file types. To see the options available to us, we can run the exif ? help command to list the included options.
If you receive an error, or if you?re using another OS like Debian or Ubuntu, open a new terminal window and type apt install exif to install the program and any needed dependencies. Similarly, you can install this tool by typing brew install exif on a MacOS device. Then, try exif ? help again.
You can use man exif to view even more information about the tool.
See the full code box at null-byte.wonderhowto.com
While all of the options is a lot to process, the most straightforward application of this tool is to type exif and then the path to the file you want to inspect. Below, a photo that?s been processed in Photoshop retains information about the software that modified it, the computer it was modified on, and the camera it was taken on. If you get a ?corrupt data? error, there may be no metadata in the file or you?re scanning a file that?s not a JPG.
See the full code box at null-byte.wonderhowto.com
Information can also include geolocation data, as exact coordinates, which is supplied by the device that took the photo. If the photo was taken on a phone, there is a much higher chance that it includes geotags.
As it is in the output above, we?ve learned that the person who created this file is using a Canon EOS 60D camera, has a lens with a focal length of 17.0 mm, worked on the file in Lightroom, and uses a Mac computer. That?s a lot from a simple image file!
Option 2: Use Jeffrey?s Image Metadata Viewer Web App
If you?re using a browser, there are two great free websites to extract Exif data. First, let?s start with Jeffrey Friedl?s Image Metadata Viewer over at exif.regex.info. The site does not use HTTPS, unfortunately. If you don?t mind that, you can see the simple design is easy to use and supports a vast variety of formats, unlike the command line tool which only works with JPG files. So you can scan RAW images files like CR2 and DNG, PNG, and TIFF, to name a few.
Upload a file or add its public URL, check the CAPTCHA, and hit ?View Image Data.?
Screenshots by Kody/Null Byte
Once you scan a file, you should see a decent amount of information if it came from a smartphone. In my example below, a photo that?s over two years old contained a GPS location.
Screenshots by Kody/Null Byte
The actual amount of data captured takes up several pages and is quite extensive.
Option 3: Use Ver Exif?s Web App
Our second website, Ver Exif at verexif.com, spits out all of the Exif data after a scan, but it also comes with an option to strip metadata out of images. Removing the metadata is useful if you want to make sure an image you?re sending doesn?t contain data you didn?t intend to send.
Screenshots by Kody/Null Byte
To view Exif information, upload a file or add its public URL, then hit ?View Exif.? In my example, passing the same photo into this website, the output is much less, but it generates a handy map of where the photo was taken. The information is accurate, but not as big of a data dump as the Image Metadata Viewer web app.
Screenshots by Kody/Null Byte
Interestingly, after I passed the test photo through the ?Remove Exif? data option, I uploaded it to the first website to see if the metadata was truly removed. It turns out I can still tell it was taken on a Samsung device, so I don?t recommend using this tool to strip metadata from your photos.
Screenshots by Kody/Null Byte
Option 4: Use the EXIF Viewer Chrome Extension
In Google Chrome, you can install the EXIF Viewer extension, which will let you pull up the Exif data from any photo you load into the browser.
Using browser add-ons to extract Exif data is even simpler than using a web-based tool. After installing and enabling the plug-in, we can right-click any image in the browser and select ?Show EXIF data? to reveal any information the image contains.
To test this out, I found a random image on a photo-sharing website and looked through the metadata provided by EXIF Viewer to find the type of camera that was used to take it.
Screenshots by Kody/Null Byte
Option 5: Use the Exif Viewer Firefox Add-On
You could also install the Exif Viewer add-on for Firefox, developed by Alan Raskin, which allows similar functionality as the Chrome extension above. After installing and enabling the add-on, right-click on an image in your browser, then click on ?Exif Viewer.?
A pop-up window appears, where there?s a slew of metadata to sort through. You can see the link to the image; in the GPS section you get links to open up the location on Google Maps, Bing Maps, and Mapquest; and all of the other helpful information in the Exif data.
Screenshots by Kody/Null Byte
In general, browser extensions are a great way to tackle extracting Exif data, because you can also open photos in a browser window and use an extension to read the data inside.
Metadata Reveals the Story Behind a Photo
While a photo may yield valuable information, the real value may be in what?s encoded in the metadata. Accessing this data is easier than ever, so it?s essential to be aware of what information you may be giving away when you send a photo.
While many social media platforms and photo-hosting services do you the favor of stripping out this data, not all do. It?s important to make sure you?re not leaking this data if you don?t intend to, and these tools can quickly help you identify any ways you might be leaking your location or other private data in photos you want to share online. Most importantly, make sure to disable geo-encoding on your phone if you don?t want GPS coordinates burned into every image you take.
I hope you enjoyed this guide to extracting hidden metadata from image files! If you have any questions about this tutorial on image OSINT or you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.
Don?t Miss: How to Hide MacOS Payloads Inside Photo Metadata
Originally published at https://null-byte.wonderhowto.com on June 18, 2019.
