Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Exif Data: What is it?

July 2, 2020

Exif stands for “Exchangeable Image File Format data” and contains information about a file. Exif is commonly referred to as “data about data.”

Gerd Meissner of Security Boulevard recently reported on a release from Authentic8’s Open Source Intelligence (OSINT) team which details the analysis of Exif data from image files. The Exif data is a type of metadata about the file. Exif data can be manipulated, replaced or stripped from digital pictures, and many social media platforms strip the Exif data from images or “replace it with their own (tracking) code.” One of the reasons that social media platforms strip this data is “to protect member privacy and prevent abuse,” and another reason is that “Exif data can be used to hide malware in image files.” A review of file metadata can often reveal information about a specific file that a standard user would be unable to see. In some cases, Exif data can reveal modifications made to a photo, such as editing in photo editing software.

Exif data from a digital image can contain information such as dates, times, file size, location details, and much more. The release from Authentic8 walks through some of the processes of using specific software to analyze the Exif data. In an example using a tool called Exiftool, the analysis of a photo revealed information about the image file such as the date and time that the original image was created, which is not always apparent to a user, especially if a photo has been moved or copied. Additionally, Exiftool revealed the make and model of the camera used to capture the photo. In the test image, it was determined that the make of the device used to take the photo was Apple and the camera model was an iPhone 6s. The Exif data can even reveal which camera lens was being used on the iPhone. In this case the Exif data reveals that the back camera lens was used to take the picture. Other information such as the latitude and longitude can be found in Exif metadata as well. In this test case, the latitude and longitude coordinates can be plotted in a GPS software tool like Google Earth or typed into Google Maps to determine the approximate location where the photo was taken.

Other fields, such as whether the camera flash fired when a picture was taken, can also be examined. Depending on the device used to take the photo, information about the specific device can be determined from the Exif data. With a test photo that was analyzed, it was determined that it was taken using an iPhone 6s. In addition, the specific version of software that the device was running can be found in the Software field, and in this case the iPhone 6s was running version 12.4. The Software field is also helpful in determining what software was used in the creation of the image. In another example, an image was reviewed that was created using Photoshop. The Software field reveals that Adobe Photoshop 21.0 was used and that it was the Windows version of Photoshop.
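To show where a tool like Exiftool finds the Make, Model and Software values described above, here is an added example (not from the original post or the Authentic8 release) that reads those ASCII tags from the first image file directory (IFD0) of a TIFF/Exif block. The function names are hypothetical and the sample block is constructed to hold the values the article reports; the tag IDs come from the TIFF/Exif specification.

```python
import struct

# Tag IDs from the TIFF/Exif specification for the fields discussed above.
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

def parse_ifd0_ascii(tiff: bytes) -> dict:
    """Return the ASCII-typed IFD0 tags named in ASCII_TAGS from a TIFF/Exif block."""
    if tiff[:2] == b"II":      # Intel byte order (little-endian)
        bo = "<"
    elif tiff[:2] == b"MM":    # Motorola byte order (big-endian)
        bo = ">"
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack_from(bo + "H", tiff, ifd_off)
    out = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i          # each IFD entry is 12 bytes
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, entry)
        if tag not in ASCII_TAGS or typ != 2:  # type 2 = ASCII
            continue
        # Values of 4 bytes or fewer are stored inline; longer ones by offset.
        start = entry + 8 if n <= 4 else struct.unpack_from(bo + "I", tiff, entry + 8)[0]
        if start + n > len(tiff):
            continue  # offset points outside the block: treat as corrupt and skip
        raw = tiff[start:start + n].split(b"\x00")[0]
        out[ASCII_TAGS[tag]] = raw.decode("ascii", "replace")
    return out

def build_sample() -> bytes:
    """Constructed little-endian TIFF block holding the values the article reports."""
    fields = [(0x010F, b"Apple\x00"), (0x0110, b"iPhone 6s\x00"), (0x0131, b"12.4\x00")]
    data_off = 8 + 2 + 12 * len(fields) + 4   # header + count + entries + next-IFD pointer
    entries, data = b"", b""
    for tag, val in fields:
        entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(data))
        data += val
    header = b"II" + struct.pack("<HI", 42, 8)
    return header + struct.pack("<H", len(fields)) + entries + b"\x00" * 4 + data

if __name__ == "__main__":
    for name, value in parse_ifd0_ascii(build_sample()).items():
        print(f"{name}: {value}")
```

In a JPEG, this block sits in the APP1 segment directly after the `Exif\0\0` marker; capture date and GPS coordinates live in sub-directories that IFD0 points to and are not parsed here.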

The information that is contained within a single digital image can be quite helpful in various scenarios and cases. Often, the Exif data is used to determine if photos have been altered in some way, or to see where or when the photo was taken. All this information can be found in the Exif data if that data still exists, making this artifact of great importance when performing digital forensic investigations.
