I ran this photo through the exiftool to help me investigate a photo that looked like it was very likely photoshopped/edited. I am still learning the exiftool, particularly to know what data to look for that would hint that an image has been manipulated. Please keep in mind that I am doing many other tests aside from using the exiftool, but I would like to max out the use of this tool to help me determine if I have an original photo at hand.
I attached my results below, and I was wondering if anyone can pin point anything that would flag this image as potentially being edited. Some good indications that this has not been edited is that there is no file history and it was taken with a Nikon D5 which does not have any softening filters (which would be noted anyway when opened in Capture NX).
*Please note I deleted the File Name and Directory for privacy purposes.
PH Edit: Remove Filename/Directory from .txt file
On a quick inspection I don't see any obvious evidence of editing, but it is much easier for me to tell if it has been edited if I can see the -htmldump output.
[BTW, you didn't delete the FileName/Directory, so I did this for you.]
- Phil
Thank you Phil. Though I had a look at your response already I apologize for not replying to this sooner.
Can you tell me how to run the -htmldump command via cmd? Also, can you tell me what to look for in the -htmldump output that will me determine if a file is an original?
The command is:
exiftool -htmldump FILE > out.html
Then look at out.html with a web browser.
Look at the brown areas (unused data) and compare them with a known original image. Cameras usually add extra unused data that other applications do not.
- Phil
Thanks Phil. I've successfully run the -htmldump command.
So, essentially what your saying is if I take a known original image and run -htmldump to see what unused data it outputs, I can then compare an unknown image (from the same type of camera) by running -htmldump command to see if it spits out the same unused data as the known original camera?
I've attached two screen shots that show some of the htmldump output. Is there any other info I could use from the htmldump to see if I have an unaltered original jpg file straight from the camera?
There are lots of other things that can get changed when a file is edited. Often the trailer is removed. Look for any changes in structure, or added/changed tags.
- Phil
As always, thanks for the quick response.
Can you confirm with my above comment thats what you meant about checking the brown unused data? Essentially your saying I should compare unused data from a known original file to the unused data from an unknown file?
Also can you confirm what you mean by "Often the the trailer is removed".
Yes, that's what I meant. You'll notice the brown is removed if you edit with ExifTool.
The trailer is everything that comes after the JPEG EOI. Typically cameras will write a trailer containing a preview image, and most (all?) image editors will discard the trailer.
- Phil
So then by looking at the "htmldump02.jpg" file I provided, its safe to say that the image was opened by an image editor since nothing shows up after the JPEG EOI? Would something as simple as Windows Photo Viewer remove that info, or something more along the lines of Photoshop?
Also, regarding matching the unused data. If the known and unknown file came from the same camera but not the cameras did not have the same firmware updates, I would assume the unused data would be different?
Quote from: AL10 on February 20, 2018, 03:57:41 AM
So then by looking at the "htmldump02.jpg" file I provided, its safe to say that the image was opened by an image editor since nothing shows up after the JPEG EOI?
No. You need to compare this with an original image.
QuoteWould something as simple as Windows Photo Viewer remove that info, or something more along the lines of Photoshop?
Anything that edits the image is likely to remove the trailer.
QuoteAlso, regarding matching the unused data. If the known and unknown file came from the same camera but not the cameras did not have the same firmware updates, I would assume the unused data would be different?
Perhaps, yes. But most firmware updates don't change this.
- Phil
Since I know the exiftool can manipulate a lot of metadata, does that mean it can alter the -htmldump file? If it cant, then can the htmldump file be manipulated in any other way?
I don't understand your question. ExifTool generates the htmlDump based on the data in the image file. ExifTool can edit the image file, and yes, may change the structure you see in the dump.
- Phil
Hi Phil. You understood my question correctly and answered it correctly. Thanks!