Do I have an original file at hand?

Started by AL10, November 07, 2017, 12:53:33 AM


AL10

I ran this photo through the exiftool to help me investigate a photo that looked like it was very likely photoshopped/edited. I am still learning the exiftool, particularly to know what data to look for that would hint that an image has been manipulated. Please keep in mind that I am doing many other tests aside from using the exiftool, but I would like to max out the use of this tool to help me determine if I have an original photo at hand.
I attached my results below, and I was wondering if anyone can pinpoint anything that would flag this image as potentially being edited. Some good indications that this has not been edited are that there is no file history and it was taken with a Nikon D5 which does not have any softening filters (which would be noted anyway when opened in Capture NX).
*Please note I deleted the File Name and Directory for privacy purposes.

PH Edit: Remove Filename/Directory from .txt file

Phil Harvey

On a quick inspection I don't see any obvious evidence of editing, but it is much easier for me to tell if it has been edited if I can see the -htmldump output.

[BTW, you didn't delete the FileName/Directory, so I did this for you.]

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

AL10

Thank you Phil. Though I had a look at your response already, I apologize for not replying to this sooner.

Can you tell me how to run the -htmldump command via cmd? Also, can you tell me what to look for in the -htmldump output that will help me determine if a file is an original?

Phil Harvey

The command is:

exiftool -htmldump FILE > out.html

Then look at out.html with a web browser.

Look at the brown areas (unused data) and compare them with a known original image.  Cameras usually add extra unused data that other applications do not.

- Phil

AL10

Thanks Phil. I've successfully run the -htmldump command.

So, essentially what you're saying is if I take a known original image and run -htmldump to see what unused data it outputs, I can then compare an unknown image (from the same type of camera) by running the -htmldump command to see if it spits out the same unused data as the known original camera?

I've attached two screen shots that show some of the htmldump output. Is there any other info I could use from the htmldump to see if I have an unaltered original jpg file straight from the camera?


Phil Harvey

There are lots of other things that can get changed when a file is edited.  Often the trailer is removed.  Look for any changes in structure, or added/changed tags.

- Phil

AL10

As always, thanks for the quick response.

Can you confirm with my above comment that's what you meant about checking the brown unused data? Essentially you're saying I should compare unused data from a known original file to the unused data from an unknown file?

Also, can you confirm what you mean by "Often the trailer is removed"?

Phil Harvey

Yes, that's what I meant.  You'll notice the brown is removed if you edit with ExifTool.

The trailer is everything that comes after the JPEG EOI.  Typically cameras will write a trailer containing a preview image, and most (all?) image editors will discard the trailer.

- Phil
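The trailer and structure comparison discussed in this thread can be sketched as code. This is an added example, not part of the original posts and not ExifTool's own code; the function names and the sample byte strings are constructed for illustration. As in the thread, the result only means something when set against a known original from the same camera model.

```python
# Bytes that may follow 0xFF inside entropy-coded scan data without ending it:
# stuffed 0x00, fill 0xFF, and restart markers RST0-RST7.
IN_SCAN = {0x00, 0xFF} | set(range(0xD0, 0xD8))

def jpeg_layout(data: bytes):
    """Walk the JPEG segment chain; return ([(marker, offset)], trailer_bytes)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    segments, pos = [(0xD8, 0)], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, marker follows
            pos += 1
            continue
        segments.append((marker, pos))
        if marker == 0xD9:                      # EOI: the rest is the trailer
            return segments, data[pos + 2:]
        if pos + 4 > len(data):
            break
        # Skip by declared length, so an EOI inside an embedded EXIF
        # thumbnail is never mistaken for the end of the main image.
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                      # SOS: scan data has no length
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    raise ValueError("no EOI found: file is truncated")

def differences(known: bytes, questioned: bytes):
    """List structural differences between a known original and another file."""
    (ka, kt), (qa, qt) = jpeg_layout(known), jpeg_layout(questioned)
    found = []
    km, qm = [f"{m:02X}" for m, _ in ka], [f"{m:02X}" for m, _ in qa]
    if km != qm:
        found.append(f"segment order differs: {km} vs {qm}")
    if bool(kt) != bool(qt):
        found.append(f"trailer bytes: {len(kt)} vs {len(qt)}")
    return found

# Constructed sample data (segment skeletons, not decodable images).
def _seg(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def _build(segs, trailer=b""):
    scan = _seg(0xDA, bytes(6)) + b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + b"".join(_seg(m, p) for m, p in segs) + scan + b"\xff\xd9" + trailer

KNOWN = _build([(0xE1, b"Exif\x00\x00\xff\xd8\xff\xd9")], b"constructed-preview-bytes")
QUESTIONED = _build([(0xE0, b"JFIF\x00"), (0xE1, b"Exif\x00\x00")])
```

For real files, pass `open(path, "rb").read()` for both the known original and the questioned image; this walker assumes every marker outside scan data carries a length field, which holds for typical camera output.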

AL10

So then by looking at the "htmldump02.jpg" file I provided, it's safe to say that the image was opened by an image editor since nothing shows up after the JPEG EOI? Would something as simple as Windows Photo Viewer remove that info, or something more along the lines of Photoshop?

Also, regarding matching the unused data. If the known and unknown file came from the same camera but the cameras did not have the same firmware updates, I would assume the unused data would be different?

Phil Harvey

Quote from: AL10 on February 20, 2018, 03:57:41 AM
So then by looking at the "htmldump02.jpg" file I provided, it's safe to say that the image was opened by an image editor since nothing shows up after the JPEG EOI?

No.  You need to compare this with an original image.

Quote: Would something as simple as Windows Photo Viewer remove that info, or something more along the lines of Photoshop?

Anything that edits the image is likely to remove the trailer.

Quote: Also, regarding matching the unused data. If the known and unknown file came from the same camera but the cameras did not have the same firmware updates, I would assume the unused data would be different?

Perhaps, yes.  But most firmware updates don't change this.

- Phil

AL10

Since I know the exiftool can manipulate a lot of metadata, does that mean it can alter the -htmldump file? If it can't, then can the htmldump file be manipulated in any other way?

Phil Harvey

I don't understand your question.  ExifTool generates the htmlDump based on the data in the image file.   ExifTool can edit the image file, and yes, may change the structure you see in the dump.

- Phil

AL10

Hi Phil. You understood my question correctly and answered it correctly. Thanks!