I saw this question in another forum and thought I would bring it to the experts. My knowledge of computer forensics is pretty limited so please be easy on me if I seem uneducated in what I'm asking.


"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"

I'm assuming a great deal would depend on what action the EXIF stripping program was executing to make the location data viewable? Do these EXIF strippers actually strip the data, do they change some sort of file extention, or possibly modify a string of data? Is this info something that can be found through the SQLite database, modified, and ultimately recovered?


Thanks in advance for any responses.
_________________
Ed

I'm not a cellular technology expert, but I did stay at a Holiday Inn Express last night. 

- hcso1510

"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"

No.

If data are stripped, they are stripped, and gone to the heaven of bytes, wherever it is, forever, may they R.I.P. .

Seriously, you can consider the (BTW, and for a number of reasons, "stupid") JPEG format as a sort of "zip archive" with inside it a number of files, of which some are mandatory and some are optional:

• the actual image compressed data is mandatory
• the thumbnail preview is optional (and can be stripped)
• the EXIF data is optional and contains in itself any number of (still optional) metadata fields (and can be stripped, selectively or "as a whole"), see here for a good reference:
  www.sno.phy.queensu.ca.../exiftool/
  www.sno.phy.queensu.ca.../EXIF.html

Typically an EXIF stripper does remove the actual bytes containing the data (if you prefer after having gone through an EXIF stripper usually the filesize becomes smaller, so there is no way that they can be recovered

BUT there are tens or maybe hundreds of tools that are said to "strip metadata" and the "some sort of EXIF stripper" is way too vague to allow for an actual answer, it is entirely possible that the one or the other tool "leaves behind" some data, and as well it is possible to add to an image "custom" metadata and one (or the other) tool may simply miss them.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

Ed

There is also more on this subject here:

www.forensicfocus.com/...c/start=0/
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

Thanks for the replies!
_________________
Ed

I'm not a cellular technology expert, but I did stay at a Holiday Inn Express last night. 

Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

- mscotgrove

Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.

+1
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 

One can theorize that a badly written app that supposed to wipe the EXIF APP1 block in a jpeg image does not do it properly, and leaves remnants.

I have yet to see one.