Viewing EXIF Data To Determine If A Photograph Has Been Modified Or Not

Started by Metalsech, June 03, 2020, 08:54:17 PM


Metalsech

Hi everyone, I am hoping that some of you on this forum will have the expertise to help me and answer my questions, of which there are quite a few. Word of warning - things are about to get detailed!

I am very interested in finding out if EXIF data stored within a photograph file can be utilised to conclusively prove (or prove beyond reasonable doubt) that the image has not been modified after initial export from a smartphone or digital camera, taking into account the fact that it is possible to manipulate EXIF data after making alterations to the picture, e.g. in Photoshop or Paintshop Pro. I have performed some detailed analysis of EXIF metadata extracted from a smartphone photograph I have taken on my Samsung S9 and sent via e-mail to my computer, and an exact copy of the file which I purposely opened in Paintshop Pro, slightly modified, then saved. Quite a number of differences are apparent, some more dramatic than others. A summary of the differences is as follows:

- Color encoding in basic file information - In original file there is a warning stating that there is Colour space tagged as sRGB without an embedded color profile. In the modified file this gives an Embedded Color Profile of sRGB.
- Image size related fields - The picture is a vertical photograph. In the original file the value is height x width. In the modified version although the numbers are the same they are switched, it shows width x height.
- In the modified file the XMP tag is visible with lots of information in, mostly relating to camera flash settings and GPS. In the original file this tag is missing/invisible.
- EXIF Image Size and Y Cb Cr Sub Sampling in EXIF tag - In the modified file these fields are present, in the original they are not.
- Orientation in the EXIF tag of the original file says Rotate 90 CW. In the modified file it says Horizontal (normal).
- Software in the EXIF section of the original file says what I assume is the actual camera software (a long ID of letters and numbers). In modified file this says the program I used to make the modification, Paintshop Pro 17.00
- Scene Type in the EXIF section of the original file says Unknown (%01%00%00%00). In the modified file it says Directly Photographed.
- In the modified file the JFIF tag is visible with fields JFIF Version and Resolution. This tag is missing on original file.
- The original file contains the MakerNotes tag with fields Samsung Trailer 0x0a01 Name, Time Stamp, Samsung Trailer 0x0aa1 Name and Samsung Trailer 0x0aa1. This is missing in the Modified file.
- Composite tag of the modified file includes several fields not present in original file – Flash, GPS Latitude Ref and GPS Longitude Ref, echoing the types of data found in the XMP tag.
- The original file includes the ExifTool tag at the end with three fields called Warning referring to different numbered Unknown APP segments. This is missing in the modified file.
- The modified file includes a long section called ICC Profile at the end populated with many fields. This is missing from the original file.
- The date and time fields throughout the EXIF data e.g. Create date, Modified Date etc are the same between the original and modified files, however the length of time in the past/future shown underneath is different.
- The size of the file has dropped significantly in modified file. The modified file is less than half the size of the original. Assume this is because of better compression in Paintshop Pro.
- EXIF and Composite tag field order are completely jumbled up between the original and modified versions.
- Thumbnail Length and Thumbnail Image values in the EXIF tag of the modified file are less than a third of the same values in the original file. Assuming this may be again due to compression of PSP.
- Y Cb Cr Sub Sampling field in the File tag of the modified file is in a different position to where it's situated on original file.

I have all sorts of queries about the above, but these can be briefly summarised as follows:

- Why do some/all of the above differences occur when the original file is modified and re-saved?
- Are any of the above differences conclusive and could be used to 100% determine whether a photo has been modified or not after initial extract from digital camera or smartphone? In other words, the difference would always occur no matter what, and could not be updated to look like the original metadata after modification is complete, even with a high level of expertise.
- Which of the above differences could be purposely updated after modification of the file using EXIF editing software - if so, which, and how difficult would it be to do this?
- What do any/all of the above mentioned tags and fields mean - what exact data is stored in them and for what purpose?

Any assistance, or advice on webpages/videos which could help answer these queries would be greatly appreciated.  :)

Phil Harvey

Quote from: Metalsech on June 03, 2020, 08:54:17 PM
- Why do some/all of the above differences occur when the original file is modified and re-saved?

Because most image manipulation programs don't preserve all metadata.  Typically, they remove what they don't understand.

Quote from: Metalsech
- Are any of the above differences conclusive and could be used to 100% determine whether a photo has been modified or not after initial extract from digital camera or smartphone?

No.  You can never say that an image has not been modified with 100% certainty.  But you can often say with 100% certainty that the file is not original.

Quote from: Metalsech
- Which of the above differences could be purposely updated after modification of the file using EXIF editing software

In theory, all of them.  But ExifTool will not write all of these.

Quote from: Metalsech
- if so, which, and how difficult would it be to do this?

Fairly simple for anyone with a programming background.

Quote from: Metalsech
- What do any/all of the above mentioned tags and fields mean - what exact data is stored in them and for what purpose?

You're asking for me to write a book here, and I don't have the time.

Quote from: Metalsech
Any assistance, or advice on webpages/videos which could help answer these queries would be greatly appreciated.  :)

I suggest browsing some digital forensic analysis web sites, and reading the relevant metadata standards documents.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

Metalsech

Hey Phil, thanks for your detailed response.

Please can you clarify your response to the 100% certainty question. You mentioned "No.  You can never say that an image has not been modified with 100% certainty.  But you can often say with 100% certainty that the file is not original." What do you mean by the second sentence - how can you say that the file is not original - what EXIF metadata would prove this?

You mention that some of the tags would not be writeable by ExifTool. Which out of the tags or tag types mentioned does this apply to please? I'm thinking that if any of the tags vanish in the modified version and ExifTool isn't capable of adding them back in then it's likely lots of other similar tools would also have the same issue with these particular tags. Therefore even though not conclusive, if these particular tags are present it would be a good sign that the image had probably not been tampered with in Photoshop or another modification tool. Would you agree with this train of thought?

The other thing that could be used as evidence that the image probably hasn't been messed with is the sheer number of differences which occur. Someone would have to be extremely savvy to set it back exactly how it should be prior to modification - adding in new tags that have vanished, altering the order of them, changing some of the values back.

Phil Harvey

Quote from: Metalsech on June 04, 2020, 05:58:24 AM
how can you say that the file is not original - what EXIF metadata would prove this?

There are various ways, but often the structure of the EXIF will change (use the -htmlDump option on an original and edited file to see what I mean).

Quote from: Metalsech
You mention that some of the tags would not be writeable by ExifTool. Which out of the tags or tag types mentioned does this apply to please?

Here is the list.

Quote from: Metalsech
If these particular tags are present it would be a good sign that the image had probably not been tampered with in Photoshop or another modification tool. Would you agree with this train of thought?

You would have to run some tests.  But something like this could indicate an edited file.

Also take a look at the ExifTool JPEGDigest tag, because the quantization tables will likely change if the image is recompressed.

- Phil
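The two points Phil makes above (the structure of the file changes when an editor re-saves it, and the JPEG quantization tables change when the image is recompressed) can be checked without ExifTool by walking the JPEG marker segments directly. The following is an added example written for this page, not ExifTool's code and not the -htmlDump or JPEGDigest implementation: it lists the marker segments up to SOS, labels the APP segments by their signatures (JFIF, Exif, XMP, ICC_PROFILE), hashes the DQT quantization tables as a stand-in for the idea behind JPEGDigest (ExifTool's own algorithm is not reproduced), and reports what differs between two files. The two byte strings ORIGINAL_JPEG and RESAVED_JPEG are constructed here to mirror the differences listed in the first post (no JFIF/XMP/ICC in the camera file, an unknown vendor APP segment, and a different quantization table after re-saving); they contain no real image data, and the vendor payload is an invented placeholder.

```python
import hashlib
import struct

# Standard JPEG marker names used in the layout listing.
MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT",
                0xDA: "SOS", 0xDD: "DRI", 0xFE: "COM"}
# Signatures at the start of APPn payloads (real, documented identifiers).
APP_SIGNATURES = [(b"JFIF\x00", "JFIF"), (b"Exif\x00\x00", "Exif"),
                  (b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
                  (b"ICC_PROFILE\x00", "ICC"), (b"Photoshop 3.0\x00", "Photoshop")]


def walk_segments(data):
    """Return [(name, payload)] for each marker segment from SOI up to and
    including the SOS header. Stops at SOS because the entropy-coded scan data
    that follows has no length field."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, out = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip
            pos += 1
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment at offset {pos}")
        if 0xE0 <= marker <= 0xEF:
            name = f"APP{marker - 0xE0}"
            for sig, label in APP_SIGNATURES:
                if payload.startswith(sig):
                    name += f"({label})"
                    break
            else:
                name += "(unknown)"   # what ExifTool warns about as an unknown APP segment
        else:
            name = MARKER_NAMES.get(marker, f"0x{marker:02X}")
        out.append((name, payload))
        pos += 2 + length
        if marker == 0xDA:
            break
    return out


def quant_tables(segments):
    """Return {table_id: raw table bytes} from every DQT segment."""
    tables = {}
    for name, payload in segments:
        if name != "DQT":
            continue
        i = 0
        while i < len(payload):
            pq_tq = payload[i]                      # high nibble precision, low nibble id
            size = 64 * (2 if pq_tq >> 4 else 1)    # 16-bit tables are 128 bytes
            tables[pq_tq & 0x0F] = payload[i + 1:i + 1 + size]
            i += 1 + size
    return tables


def quant_digest(segments):
    """Fingerprint of the quantization tables (stand-in for the JPEGDigest idea;
    MD5 is used only as a fingerprint, not for security)."""
    h = hashlib.md5()
    for tid, table in sorted(quant_tables(segments).items()):
        h.update(bytes([tid]) + table)
    return h.hexdigest()


def structure_report(data):
    segs = walk_segments(data)
    return {"layout": [n for n, _ in segs], "quant_digest": quant_digest(segs)}


def compare(original, candidate):
    """List the structural differences between a reference file and a candidate."""
    a, b = structure_report(original), structure_report(candidate)
    findings = []
    if a["layout"] != b["layout"]:
        findings.append("segment layout differs")
    added = [n for n in b["layout"] if n not in a["layout"]]
    removed = [n for n in a["layout"] if n not in b["layout"]]
    if added:
        findings.append("segments added: " + ", ".join(added))
    if removed:
        findings.append("segments removed: " + ", ".join(removed))
    if a["quant_digest"] != b["quant_digest"]:
        findings.append("quantization tables differ (image recompressed)")
    return findings


# ---- constructed sample streams (marker segments only, no scan data) ----
def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

SOI = b"\xff\xd8"
EXIF_PAYLOAD = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
JFIF_PAYLOAD = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 72, 72) + b"\x00\x00"
XMP_PAYLOAD = b"http://ns.adobe.com/xap/1.0/\x00" + b"<x:xmpmeta/>"
ICC_PAYLOAD = b"ICC_PROFILE\x00" + bytes([1, 1]) + b"\x00" * 16
VENDOR_PAYLOAD = b"VENDOR-TRAILER-PLACEHOLDER"   # invented, stands in for an unknown APP segment
DQT_CAMERA = bytes([0x00]) + bytes(range(2, 66))  # 8-bit table 0, constructed values
DQT_RESAVED = bytes([0x00]) + bytes([3] * 64)     # different table after re-save
SOF0 = bytes([8]) + struct.pack(">HH", 16, 16) + bytes([1, 1, 0x11, 0])
SOS = bytes([1, 1, 0, 0, 63, 0])

ORIGINAL_JPEG = (SOI + _seg(0xE1, EXIF_PAYLOAD) + _seg(0xE4, VENDOR_PAYLOAD)
                 + _seg(0xDB, DQT_CAMERA) + _seg(0xC0, SOF0) + _seg(0xDA, SOS))
RESAVED_JPEG = (SOI + _seg(0xE0, JFIF_PAYLOAD) + _seg(0xE1, EXIF_PAYLOAD)
                + _seg(0xE1, XMP_PAYLOAD) + _seg(0xE2, ICC_PAYLOAD)
                + _seg(0xDB, DQT_RESAVED) + _seg(0xC0, SOF0) + _seg(0xDA, SOS))

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL_JPEG), ("re-saved", RESAVED_JPEG)):
        r = structure_report(blob)
        print(f"{label}: {r['layout']} quant={r['quant_digest'][:12]}")
    for finding in compare(ORIGINAL_JPEG, RESAVED_JPEG):
        print("-", finding)
```

To run it on real files, call `structure_report(open(path, "rb").read())` for each, or `compare(open(a, "rb").read(), open(b, "rb").read())`; a matching layout and quantization digest does not prove the file is original (metadata can be rebuilt and the same tables can be reused), but a changed layout or digest is the kind of evidence Phil describes for saying a file is not the camera's output.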