Some of the worst accidents on the Internet happen due to silly mistakes, such as leaving metadata within files when you shouldn’t.
What is Metadata?
Metadata can be best defined as "data that provides information about other data", according to Wikipedia.
Oftentimes this information is added by the software that is used to view or modify the file. This is all done in the background. When you take a picture, your camera automatically adds information to the file such as when the picture was taken, where (GPS coordinates), shutter speed, aperture etc. In most cases this data can be useful, in other cases it can be detrimental – if, for example, anonymity is what you are trying to achieve.
In this post, we are only interested in the metadata of files (there is metadata within practically everything), but images are a great starting point.
If you are familiar with image metadata, acronyms such as IPTC, XMP and EXIF might sound familiar. They together make up the metadata header of picture files.
Image Metadata Header
-------------------
| XMP             | = Extensible Metadata Platform
| -------------   |
| | IPTC      |   | = International Press Telecommunications Council
| -------------   |
|-----------------|
| EXIF            | = Exchangeable Image File
-------------------
This is, however, just one example of a metadata structure. We will now look at the actual information contained within files.
Viewing and Manipulating a File’s Metadata
Every modern file explorer, such as Microsoft’s software of the same name, Apple’s Finder and the Files program on Linux, is able by default to show you the metadata contained within a file.
However, it was never displayed to me in a structured enough way and I wanted to look under the hood (and make more use of the command line). That’s what exiftool allows you to do.
Not only can you see a file’s metadata, you can also directly manipulate it.
For all the Linux users, use the following command to install it on your computer:
$ sudo apt-get install exiftool
Once the installation is done, you should be able to run it straightaway.
Viewing a File’s Metadata
Seeing a file’s metadata structure and the information in it is quite easy with exiftool. Simply enter exiftool followed by the name of the file:
$ exiftool "Cybercrime legislation EV6.pdf"
ExifTool Version Number         : 9.74
File Name                       : Cybercrime legislation EV6.pdf
Directory                       : .
File Size                       : 3.0 MB
File Modification Date/Time     : 2017:03:05 10:33:37-05:00
File Access Date/Time           : 2017:03:05 10:33:55-05:00
File Inode Change Date/Time     : 2017:03:05 10:33:41-05:00
File Permissions                : rw-r--r--
File Type                       : PDF
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Page Mode                       : UseOutlines
XMP Toolkit                     : Adobe XMP Core 4.0-c316 44.253921, Sun Oct 01 2006 17:14:39
Format                          : application/pdf
Creator                         : ITU
Title                           : Understanding cybercrime: Phenomena, challenge and legal response
Description                     :
Create Date                     : 2012:09:25 19:12:14+02:00
Creator Tool                    : International Telecommunication Union
Modify Date                     : 2012:09:26 08:34:08+02:00
Metadata Date                   : 2012:09:26 08:34:08+02:00
Producer                        : Acrobat Distiller 10.1.2 (Windows)
Keywords                        :
Document ID                     : uuid:90d8f05e-3477-4d9a-b6dc-f7f90a2efa5b
Instance ID                     : uuid:e2465235-ce94-4dd1-9472-772f00677202
Has XFA                         : No
Page Count                      : 366
Page Layout                     : OneColumn
Subject                         :
Author                          : ITU
Here is the metadata for an image:
$ exiftool 46230064.jpg
ExifTool Version Number         : 9.74
File Name                       : 46230064.jpg
Directory                       : .
File Size                       : 93 kB
File Modification Date/Time     : 2017:03:05 17:00:14-05:00
File Access Date/Time           : 2017:03:05 17:00:14-05:00
File Inode Change Date/Time     : 2017:03:05 17:00:14-05:00
File Permissions                : rw-r--r--
File Type                       : JPEG
MIME Type                       : image/jpeg
Image Width                     : 1024
Image Height                    : 1047
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1024x1047
Now, let’s add a comment to the image.
$ exiftool -comment="This is my comment for this file" 46230064.jpg
1 image files updated
$ exiftool 46230064.jpg
...
File Type                       : JPEG
MIME Type                       : image/jpeg
Comment                         : This is my comment for this file
Image Width                     : 1024
Image Height                    : 1047
...
As we can see, the comment is now part of the file’s metadata.
# Other image metadata fields one can write to
Title
Description
Keywords
Info
Copyright
For more fields, search the exiftool man page or website.
How to Remove Metadata
Let’s now try to remove all of the image’s metadata. We can do that using
$ exiftool -all= 46230064.jpg
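The -all= option sets all non-optional metadata to null, thereby removing the data. Re-run $ exiftool 46230064.jpg and you will see that the comment we added previously is gone. However, all of the other information is still there, because it is the minimum exiftool can report for an image: file-system attributes and properties read from the image data itself rather than stored tags. Note that exiftool keeps a copy of the unmodified file, with _original appended to its name, so the old metadata stays on disk until that copy is deleted.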
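To show where the EXIF, XMP, IPTC and comment data sit in a JPEG and why the image size is still reported after they are removed, here is an added example (not from the original post, and not exiftool's own code) that walks the header segments, labels the metadata ones and rebuilds the file without them. The function names and the constructed SAMPLE bytes are assumptions for illustration, and the parser only handles the segments before the scan data.

```python
import struct

# Metadata-bearing JPEG segments: marker -> [(payload prefix, label)]
META = {0xE1: [(b"Exif\x00\x00", "EXIF"), (b"http://ns.adobe.com/xap/1.0/\x00", "XMP")],
        0xED: [(b"Photoshop 3.0\x00", "IPTC")],  # IPTC sits in a Photoshop block
        0xFE: [(b"", "Comment")]}                 # COM segment, any payload

def segments(data):
    """Yield (marker, payload, raw) for each segment after SOI, up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:                        # SOS: scan data runs to EOF
            yield marker, b"", data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length], data[pos:pos + 2 + length]
        pos += 2 + length

def classify(marker, payload):
    return next((lab for pre, lab in META.get(marker, []) if payload.startswith(pre)), None)

def list_metadata(data):
    return [lab for m, p, _ in segments(data) if (lab := classify(m, p))]

def strip_metadata(data):
    return b"\xff\xd8" + b"".join(r for m, p, r in segments(data) if not classify(m, p))

def image_size(data):  # read from the SOF frame header, not from any tag
    for m, p, _ in segments(data):
        if m in (0xC0, 0xC1, 0xC2):
            height, width = struct.unpack(">HH", p[1:5])
            return width, height

def seg(marker, payload):  # helper used only to build the sample below
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: header segments only, no real picture data
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
          + seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
          + seg(0xED, b"Photoshop 3.0\x00") + seg(0xFE, b"This is my comment for this file")
          + seg(0xC0, b"\x08" + struct.pack(">HH", 1047, 1024) + b"\x03" + bytes(9))
          + b"\xff\xda\x00\x02\xff\xd9")
```

Running list_metadata on a file before publishing it, and again on the output of strip_metadata, gives a quick check that nothing labelled is left behind.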
Having a basic understanding of metadata and the type of information it holds is immensely valuable for a hacker. Oftentimes, people forget the vital information that is hidden within it. And that rarely ends well, as it did for this hacker who posted a picture of his girlfriend’s breast online and forgot to wipe the GPS metadata off the image (while the FBI was searching for him).
- Metadata on Wikipedia
- Exiftool by Phil Harvey
- Use exiftool to remove all metadata information from photos within the current directory
Can you add EXIF data to a non-image file?
Supposedly exiftool does not allow adding EXIF metadata to non-image files.
$ exiftool -EXIF:Artist="New_Artist" virtual.pdf
0 image files updated
1 image files unchanged
However, I will continue to tinker with it, maybe using an API instead of the program, circumventing certain restrictions.
How can you add metadata to locked fields?
As far as I could figure out, with exiftool you can only manipulate certain fields while others remain locked. However, I imagine there must be a way around this to write to these fields as well. As soon as I find anything out, I will post it here.