ExifTool Forum

General => Metadata => Topic started by: smc2010 on November 16, 2013, 08:45:29 AM

Title: Forensic Traces?
Post by: smc2010 on November 16, 2013, 08:45:29 AM
Hi there,

I am a student, studying computer forensics at university and I've got the pleasure of testing exiftool. It's a great tool and it has helped me on numerous occasions. Now I'm looking at it from a forensic point of view. If I alter metadata in a photograph, let's say, GPS data, does Exiftool leave any trace? Something which I can look at, at hex level if need be, and be able to know that exiftool was used?

I look forward to your replies,

Thank you.
Title: Re: Forensic Traces?
Post by: Phil Harvey on November 16, 2013, 08:52:48 AM
Use the -htmlDump option to see the structure.  You may notice differences in an ExifTool-edited image, depending on the software that wrote the original.  One obvious change is that unused space will be removed.

- Phil
Title: Re: Forensic Traces?
Post by: smc2010 on November 16, 2013, 09:48:49 AM
Thanks for the quick reply. I didn't know about -htmlDump
Title: Re: Forensic Traces?
Post by: Phil Harvey on November 16, 2013, 04:17:46 PM
I am surprised that the ExifTool -htmlDump option isn't better known.  I don't know of any other tool for visualizing the EXIF/TIFF structure, and I would have thought this would be very useful for forensics, because often a piece of software will impose a distinctive structure to the EXIF.  (Usually very different than the metadata straight from a digital camera.)

- Phil
Title: Re: Forensic Traces?
Post by: Joyce on November 09, 2014, 01:05:46 PM
How do I exactly do this?  Sorry but I am really new.
Title: Re: Forensic Traces?
Post by: Hayo Baan on November 09, 2014, 01:45:32 PM
Just use the -HTMLDump option with exiftool and open the resulting output in a web browser. There you will see a nice dump of all the exif data, including how it is structured in the file. As Phil suggested, any software alterations will very likely (heavily) alter this structure so this should be easy to spot.

As a side note: Many Nikon DSLRs have an option to mark files so that any tampering can be determined after the fact (by the Nikon "Image Authentication" application). This is probably one of the reasons most forensics around the world shoot Nikon... Look for an option called "Image Authentication" in the camera setup menu to see if a camera offers this feature.
Title: Re: Forensic Traces?
Post by: Phil Harvey on November 09, 2014, 06:45:22 PM
The command would look something like this:

exiftool -htmldump image.jpg > out.html

...then open "out.html" in a web browser.

- Phil
Title: Re: Forensic Traces?
Post by: Alan Clifford on November 11, 2014, 09:45:01 AM
Quote from: Phil Harvey on November 09, 2014, 06:45:22 PM
The command would look something like this:

exiftool -htmldump image.jpg > out.html

...then open "out.html" in a web browser.

- Phil

Presumably

diff original_out.html changed_out.html

would give you an, albeit ugly, list of changes?
Title: Re: Forensic Traces?
Post by: Phil Harvey on November 11, 2014, 11:42:33 AM
I haven't tried diff-ing the -htmlDump output.  I do sometimes diff the -v3 output, but typically a lot changes if the offsets change at all, so you have to ignore the changed offsets if you are looking for other differences.

- Phil
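The offset problem Phil describes above, as an added example that is not from the thread: a small Python helper that masks the leading hex offsets in two exiftool -v3 dumps before diffing them, so that only genuinely changed tags and bytes show up rather than every line that merely moved. The sample dumps are constructed approximations of the -v3 layout, not real ExifTool output, and the offset pattern is an assumption about that layout.

```python
import difflib
import re

# Assumed -v3 layout (constructed): hex-dump lines begin with a hex file
# offset followed by a colon; adjust the pattern if your version differs.
OFFSET_RE = re.compile(r"^(?P<lead>[\s|]*)[0-9a-fA-F]{4,8}:")

# Constructed sample resembling "exiftool -v3" output for a GPS IFD before an
# edit: latitude 51 30 0, values stored at offsets 0x0a10 to 0x0a34.
BEFORE = """\
  + [GPS directory with 3 entries]
  | 0)  GPSLatitudeRef = N
  |     - Tag 0x0001 (2 bytes, string[2]):
  |         0a10: 4e 00                                           [N.]
  | 1)  GPSLatitude = 51 30 0 (51/1 30/1 0/1)
  |     - Tag 0x0002 (24 bytes, rational64u[3]):
  |         0a1c: 00 00 00 33 00 00 00 01 00 00 00 1e 00 00 00 01 [...3.......]
  |         0a2c: 00 00 00 00 00 00 00 01                         [........]
  | 2)  GPSLongitudeRef = W
  |     - Tag 0x0003 (2 bytes, string[2]):
  |         0a34: 57 00                                           [W.]
""".splitlines()

# Same IFD after the latitude was rewritten to 48 51 0 and unused space was
# removed, so every offset shifted even where the bytes did not change.
AFTER = """\
  + [GPS directory with 3 entries]
  | 0)  GPSLatitudeRef = N
  |     - Tag 0x0001 (2 bytes, string[2]):
  |         0106: 4e 00                                           [N.]
  | 1)  GPSLatitude = 48 51 0 (48/1 51/1 0/1)
  |     - Tag 0x0002 (24 bytes, rational64u[3]):
  |         0112: 00 00 00 30 00 00 00 01 00 00 00 33 00 00 00 01 [...0.......3...]
  |         0122: 00 00 00 00 00 00 00 01                         [........]
  | 2)  GPSLongitudeRef = W
  |     - Tag 0x0003 (2 bytes, string[2]):
  |         012a: 57 00                                           [W.]
""".splitlines()

def mask_offsets(lines):
    """Replace leading hex offsets with a fixed token so data that merely
    moved within the file compares equal."""
    return [OFFSET_RE.sub(lambda m: m.group("lead") + "XXXX:", l) for l in lines]

def changed_lines(before, after, mask=True):
    """Removed ('- ') and added ('+ ') lines of an ndiff of the two dumps,
    with offsets masked first unless mask=False."""
    a, b = (mask_offsets(before), mask_offsets(after)) if mask else (before, after)
    return [l for l in difflib.ndiff(a, b) if l[:2] in ("- ", "+ ")]
```

On the constructed sample the raw diff reports 10 changed lines because every offset moved, while the masked diff reports only the 4 lines (the latitude value and its first data line) that actually changed.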