Metadata – The information you never wanted to share

Some of the worst accidents on the Internet happen due to silly mistakes. Such as leaving metadata within files when you shouldn’t.

What is Metadata?

Metadata can be best defined as

Data that provides information about other data.

According to Wikipedia

Oftentimes this information is added by the software that is used to view or modify the file. This is all done in the background. When you take a picture, your camera automatically adds information to the file such as when the picture was taken, where (GPS coordinates), shutter speed, aperture etc. In most cases this data can be useful, in other cases it can be detrimental – if, for example, anonymity is what you are trying to achieve.

In this post, we are only interested in the metadata of files (there is metadata within practically everything), but images are a great starting point.

Image Metadata

If you are familiar with image metadata, acronyms such as IPTC, XMP and EXIF might sound familiar. They together make up the metadata header of picture files.

Image Metadata Header
|       XMP       |  = Extensible Metadata Plattform
|  -------------  |
|  |   IPTC    |  | = International Press Telecommunications Council
|  -------------  |
|      EXIF       | = Exchangeable Image File

These is, however, just one example of metadata structure. We will now look at the actual information contained within files.
Viewing and Manipulating a File’s Metadata

Every modern file explorer, such as Microsoft’s software with the same name, Apple’s finder and Linux files program is by default able to show you the metadata contained within a file.

However, it was never displayed to me in a structured enough way and I wanted to look under the hood (and make more use of the command line). That’s what exiftool allows you to do.
Not only can you see a file’s metadata, you can also directly manipulate it.

For all the Linux users, use the following command to install it on your computer:

$ sudo apt-get install exiftool

Once the installation is done, you should be able to run it straightaway.

Viewing a File’s Metadata

Seeing a file’s metadata structure and the information is quite easy with exiftool. Simply enter exiftool within the shell. It will instantly display it’s information on the file, in this case a PDF file:

$ exiftool "Cybercrime legislation EV6.pdf"
ExifTool Version Number         : 9.74
File Name                       : Cybercrime legislation EV6.pdf
Directory                       : .
File Size                       : 3.0 MB
File Modification Date/Time     : 2017:03:05 10:33:37-05:00
File Access Date/Time           : 2017:03:05 10:33:55-05:00
File Inode Change Date/Time     : 2017:03:05 10:33:41-05:00
File Permissions                : rw-r--r--
File Type                       : PDF
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Page Mode                       : UseOutlines
XMP Toolkit                     : Adobe XMP Core 4.0-c316 44.253921, Sun Oct 01 2006 17:14:39
Format                          : application/pdf
Creator                         : ITU
Title                           : Understanding cybercrime: Phenomena, challenge and legal response
Description                     :
Create Date                     : 2012:09:25 19:12:14+02:00
Creator Tool                    : International Telecommunication Union
Modify Date                     : 2012:09:26 08:34:08+02:00
Metadata Date                   : 2012:09:26 08:34:08+02:00
Producer                        : Acrobat Distiller 10.1.2 (Windows)
Keywords                        :
Document ID                     : uuid:90d8f05e-3477-4d9a-b6dc-f7f90a2efa5b
Instance ID                     : uuid:e2465235-ce94-4dd1-9472-772f00677202
Has XFA                         : No
Page Count                      : 366
Page Layout                     : OneColumn
Subject                         :
Author                          : ITU

Here is the metadata for an image:

$ exiftool 46230064.jpg
ExifTool Version Number         : 9.74
File Name                       : 46230064.jpg
Directory                       : .
File Size                       : 93 kB
File Modification Date/Time     : 2017:03:05 17:00:14-05:00
File Access Date/Time           : 2017:03:05 17:00:14-05:00
File Inode Change Date/Time     : 2017:03:05 17:00:14-05:00
File Permissions                : rw-r--r--
File Type                       : JPEG
MIME Type                       : image/jpeg
Image Width                     : 1024
Image Height                    : 1047
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1024x1047

Now, let’s add a comment to the image.

$ exiftool -comment="This is my comment for this file" 46230064.jpg
1 image files updated
$ exiftool 46230064.jpg
File Type                       : JPEG
MIME Type                       : image/jpeg
Comment                            : This is my comment for this file
Image Width                     : 1024
Image Height                    : 1047

As we can see, the comment is now part of the files metadata.

# Other image metadata fields one can write to

For more fields, search the exiftool man page or website.

How to Remove Metadata

Let’s now, try to remove all of the image’s metadata. We can do that using

$ exiftool -all= 46230064.jpg

The -all= sets all non-optional metadata to null, thereby removing the data. Re-run $ exiftool 46230064.jpg and you will that the comment we have added previously is missing. However, all of the other information is still there, because it seems to be the minimal metadata required for an image.

Having a basic understanding of metadata and the type of information it holds, is immensely valuable for a hacker. Oftentimes, people forget the vital information that is hidden within it. And that rarely ends well, such as this hacker who posted a picture of his girlfriend’s breast online and forgot to wipe the GPS metadata off the image (while the FBI was searching for him).

Further Resources

Ideas Pursued

Can you add EXIF data to a non-image file?

Supposedly exiftool does not allow to add EXIF metadata to non-image files.

$ exiftool EXIF:Artist="New_Artist" virtual.pdf

0 image files updated
1 image files unchanged 

However, I will continue to tinker with it, maybe using an API instead of the program, circumventing certain restrictions.

How can you add metadata to locked fields?

As far as I could figure out, with exiftool you can only manipulate certain fields while others remain locked. However, I imagine there must be a way around to writing to these fields as well. As soon as I find anything out, I will post it here.