My backups are different size to orginal files - Metadata messed up in Windows?

Started by Andrew543, October 30, 2015, 07:18:52 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Andrew543

October 30, 2015, 07:18:52 PM
I just discovered that most of my photos that are backed up on an external hard drive have a slightly different file size to the originals.  After comparing a number of different pairs of files using Winmerge I found most of the differenes seem to be at the beginning of the file (where the XMP/EXIF metadata is stored I think) but also I found some files that contain a large amount of extra data at the END of the file.  Both images appear the same still as far as the photo is concerned, but I am worried that this might be a virus so would like to find an answer for these differences.

I'm not sure if this is the best place to post this, but if not, hopefully someone might be able to direct me to another forum/website that is more appropriate for this unusual situation.

I have attached a screenshot of my Winmerge results in case it is of use.  This example shows one particular difference I have noticed with most or all of them:  the part circled in red it always in one file but not the other.  This is always at the start of the file.  The screenshot also shows that the file on the left as a lot of extra data at the end of the file.  These are 7 meg files to give an idea of how much "extra data" as shown by that yellow bar really is.

Phil Harvey

#1
October 30, 2015, 09:33:50 PM
I doubt it is a virus, but you should figure out what software is editing your images and prevent it from doing so.  If you take a look at the XMP that is added, you may be able to determine the software (look at the xmptk string).

If you send me a pair of files (original and modified) I will take a look, but it will be a couple of days because I am away this weekend.  My email is philharvey66 at gmail.com

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

Phil Harvey

#2
January 18, 2016, 08:10:42 PM
I got the images, thanks.

One of these files has been modified by Microsoft software (probably Windows).  It has restructured the EXIF, added some padding, and some XMP.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

Andrew543

#3
January 18, 2016, 11:46:32 PM
OK thanks a lot for taking a look!

It would have been Windows as I haven't done anything with any other software - only move the files/folders in Windows Explorer.

Obviously I would like to avoid it happening in the future so am wondering why Windows would do such a thing and if there is any way to prevent it happening again? (don't use Explorer???!)

Is it anything to be concerned about, and if so would you recommend using any software to "repair" the files?

Phil Harvey

#4
January 20, 2016, 07:34:00 PM
I'm not a Windows expert, so I can't help with preventing this problem.

As for repairing, I can't help there either.  In principle, the OffsetSchema tag could be used to recover the corrupted makernote offsets, but I don't know of anything that will do this.  ExifTool may be used to fix these offsets (independently of OffsetSchema), but only for some common makes.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).
Print
Go Up Pages1
User actions