Forensic Traces?

Started by smc2010, November 16, 2013, 08:45:29 AM

smc2010

Hi there,

I am a student, studying computer forensics at university and I've got the pleasure of testing exiftool. It's a great tool and it has helped me on numerous occasions. Now I'm looking at it from a forensic point of view. If I alter metadata in a photograph, let's say, GPS data, does Exiftool leave any trace? Something which I can look at, at hex level if need-be, and be able to know that exiftool was used?

I look forward to your replies,

Thank you.

Phil Harvey

Use the -htmlDump option to see the structure.  You may notice differences in an ExifTool-edited image, depending on the software that wrote the original.  One obvious change is that unused space will be removed.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

smc2010

Thanks for the quick reply. I didn't know about -htmlDump

Phil Harvey

I am surprised that the ExifTool -htmlDump option isn't better known.  I don't know of any other tool for visualizing the EXIF/TIFF structure, and I would have thought this would be very useful for forensics, because often a piece of software will impose a distinctive structure to the EXIF.  (Usually very different than the metadata straight from a digital camera.)

- Phil

Joyce

How do I exactly do this?  Sorry but I am really new.

Hayo Baan

Just use the -HTMLDump option with exiftool and open the resulting output in a web browser. There you will see a nice dump of all the exif data, including how it is structured in the file. As Phil suggested, any software alterations will very likely (heavily) alter this structure so this should be easy to spot.

As a side note: Many Nikon DSLRs have an option to mark files so that any tampering can be determined after the fact (by the Nikon "Image Authentication" application). This is probably one of the reasons most forensics around the world shoot Nikon... Look for an option called "Image Authentication" in the camera setup menu to see if a camera offers this feature.
Hayo Baan – Photography
Web: www.hayobaan.nl

Phil Harvey

The command would look something like this:

exiftool -htmldump image.jpg > out.html

...then open "out.html" in a web browser.

- Phil

Alan Clifford

Quote from: Phil Harvey on November 09, 2014, 06:45:22 PM
The command would look something like this:

exiftool -htmldump image.jpg > out.html

...then open "out.html" in a web browser.

- Phil

Presumably

diff original_out.html changed_out.html

would give you an, albeit ugly, list of changes?

Phil Harvey

I haven't tried diff-ing the -htmlDump output.  I do sometimes diff the -v3 output, but typically a lot changes if the offsets change at all, so you have to ignore the changed offsets if you are looking for other differences.

- Phil
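One way to do the offset-insensitive comparison Phil describes above, as an added example that is not part of this thread and not ExifTool's own code: save the `-v3` dump of the original and the edited file (`exiftool -v3 a.jpg > a.txt`, likewise for `b.txt`), mask the leading file offset on every hex-dump line, and only then diff. The two dumps below are constructed fragments written in the shape of `-v3` output, not captured from real files; the tag names and bytes in them are illustrative.

```python
import difflib
import re

# Constructed fragments in the shape of `exiftool -v3` output (not captured
# from a real image). In the "after" dump the GPSLatitudeRef value changed
# and every hex-dump offset shifted, as happens when unused space is removed
# on rewrite.
V3_BEFORE = """\
  ExifByteOrder = MM
  + [IFD0 directory with 3 entries]
  | 0)  Make = Canon
  |     - Tag 0x010f (6 bytes, string[6]):
  |         0032: 43 61 6e 6f 6e 00                               [Canon.]
  | 1)  GPSInfo (SubDirectory) -->
  | + [GPS directory with 1 entries]
  | | 0)  GPSLatitudeRef = N
  | |     - Tag 0x0001 (2 bytes, string[2]):
  | |         00a4: 4e 00                                           [N.]
"""

V3_AFTER = """\
  ExifByteOrder = MM
  + [IFD0 directory with 3 entries]
  | 0)  Make = Canon
  |     - Tag 0x010f (6 bytes, string[6]):
  |         0026: 43 61 6e 6f 6e 00                               [Canon.]
  | 1)  GPSInfo (SubDirectory) -->
  | + [GPS directory with 1 entries]
  | | 0)  GPSLatitudeRef = S
  | |     - Tag 0x0001 (2 bytes, string[2]):
  | |         0098: 53 00                                           [S.]
"""

# A hex-dump line starts with tree characters ("|" and spaces), then a file
# offset of 4 to 8 lowercase hex digits, then ": ". Tag lines ("0)  Make")
# and directory lines ("+ [IFD0 ...") do not match this shape.
OFFSET_RE = re.compile(r"^(\s*[|\s]*)([0-9a-f]{4,8}): ")


def mask_offsets(text):
    """Replace the offset prefix of every hex-dump line with a fixed token so
    that the same bytes at a different location no longer register as a
    change. Returns a list of lines."""
    return [OFFSET_RE.sub(r"\1XXXX: ", line) for line in text.splitlines()]


def diff_v3(before, after, ignore_offsets=True):
    """Unified diff (no context) between two -v3 dumps, optionally after
    masking offsets on both sides."""
    a = mask_offsets(before) if ignore_offsets else before.splitlines()
    b = mask_offsets(after) if ignore_offsets else after.splitlines()
    return list(difflib.unified_diff(a, b, "before", "after", lineterm="", n=0))


def changed_lines(before, after, ignore_offsets=True):
    """Only the added/removed content lines, without the ---/+++ headers and
    the @@ hunk markers, so callers can count or inspect real changes."""
    return [
        line
        for line in diff_v3(before, after, ignore_offsets)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    print("Raw diff (offsets included):")
    print("\n".join(changed_lines(V3_BEFORE, V3_AFTER, ignore_offsets=False)))
    print("\nDiff with offsets masked:")
    print("\n".join(changed_lines(V3_BEFORE, V3_AFTER)))
```

Without masking, the relocated `Make` bytes show up as a change alongside the real edit; with masking, only the `GPSLatitudeRef` tag line and its changed bytes remain. Masking hides where data sits, not what it is, so byte-level changes inside a tag still surface while a pure shift of the TIFF layout does not.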