Photo Metadata

10 Posts
6 Users
0 Likes
3,171 Views
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Conducting a simple experiment

1) A photo (image0300.jpg) of a cat taken using the camera on a Nokia 6303

2) I used Opanda Professional to examine the photo's metadata

3) Then I produced a working copy of the original photo of the cat (test 1) and removed the metadata using a known app called JPEG & PNG Stripper

4) I produced a second working copy of the original photo of the cat (test 2) and using the Remove Exif function in Opanda I removed the metadata

At this stage of the experiment I noted the following facts

- The image0300.jpg photo 891021-bytes

- Test 1 deleted metadata from image0300.jpg 886616-bytes

- Test 2 deleted metadata from image0300.jpg 886667-bytes

From these facts it is noted that JPEG & PNG Stripper and Opanda Remove Exif do not produce an identical number of bytes after removal of metadata associated with the original image0300.jpg.

5) Using a standard file compare app for comparison of test 1 (886616-bytes) and test 2 (886667-bytes) side by side, it is noted that JPEG & PNG Stripper alters metadata using a different treatment to that adopted by Opanda Remove Exif

- In the original image0300.jpg the jpg signature is FF D8 FF E1

- It is noted following the use of Opanda Remove Exif that the jpg signature is now represented as FF D8 FF E0

- It is noted following the use of JPEG & PNG Stripper that the jpg signature is now represented as FF D8 FF DB

- It is also noted the compared raw data has marked changes in the hex representation in test 1 and test 2 (and also both are different when compared with the original) although all three images do not appear to display any impairment, meaning all three images visually look the same.

 
Posted : 01/05/2012 2:23 am
(@bithead)
Posts: 1206
Noble Member
 

So it seems that much like steganography, you can make quite a few changes to the EXIF of a JPEG without visually altering the file. Interesting test.

Was this purely for your own edification or was there a reason for the test?

 
Posted : 01/05/2012 2:34 am
(@joethomas)
Posts: 65
Trusted Member
 

I would say that it is likely that the programs are removing the metadata and recompressing the data with different compression factors.

 
Posted : 01/05/2012 12:54 pm
Redcelica67
(@redcelica67)
Posts: 130
Estimable Member
 

Interesting work Greg. I agree with Joe about the compression factors…..

 
Posted : 01/05/2012 1:36 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Thanks for the replies. I think I am going to need help from FF members to find some answers; I shall share all results with the FF, so that if any major discovery is uncovered everyone can use the findings. For the record I am not being paid to do this investigation. The work is a result of a recent case where this matter arose, which I noted as a side channel issue, due to the fact that no one in the case had answers as to why so many images had no metadata, other than to offer the very reasonable suggestion that the handset didn't include metadata when the image was created/stored on the handset.

I wanted to understand if metadata had deliberately been removed (because of the obvious candidates of 'anonymity' or 'concealment'), which apps that delete metadata left behind a signature involved in the deletion, and/or whether the deleted metadata could be replaced by other data, perhaps a message to be communicated in a clandestine fashion.

So it seems that much like steganography, you can make quite a few changes to the EXIF of a JPEG without visually altering the file. Interesting test.

BitHead, this is one of the thoughts that I had too. So astute of you to pick up on that.

Was this purely for your own edification or was there a reason for the test?

There is always a bit of edification, but the reason is regarding saved and deleted images from mobiles.

I would say that it is likely that the programs are removing the metadata and recompressing the data with different compression factors.

Joe, good point, and I am confirming which compression system is being applied by each app.

Interesting work Greg. I agree with Joe about the compression factors…..

Thanks David.

———————

Using Winhex I obtained the following data from the address range 00000000 - 00000080

00000000 - 00000080 original image0300.jpg

FFD8FFE1111245786966000049492A00
080000000D000F01020006000000AA00
0000100102000D000000B00000001A01
050001000000BE0000001B0105000100
0000C600000028010300010000000200
00003101020008000000CE0000001302
03000100000001007F3F698704000100
0000DE00000001A40300010000000000
000002A40300010000000000FFFF03A4

FF D8 FF E1 11 12 45 78 69 66 00 00 49 49 2A = ÿØÿá Exif II*

00000000 - 00000080 image0300.jpg test 1 (JPEG & PNG Stripper)

FFD8FFDB0043000504030304040404040
5070605050507070707080C0F110C090B
0B0F161311110F11121211151A1413171
C1D1A18211811131F1F1F1D222422171C
241E1F1E1EFFDB0043010505050706070
E08080E1E1411141E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1EFFC00011

FF D8 FF DB 00 43 = ÿØÿÛ C

00000000 - 00000080 image0300.jpg test 2 (Opanda Remove Exif)

FFD8FFE000104A46494600010201012C012
C0000FFFE001F2020202020202020202020
20202020202020202020202020202020202
0FFDB004300050403030404040404050706
05050507070707080C0F110C090B0B0F161
311110F11121211151A1413171C1D1A1821
1811131F1F1F1D222422171C241E1F1E1EFF
DB0043010505050706070E08080E1E14111
41E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1E1E1E1E1E1E1E1E1EFF

FF D8 FF E0 00 10 4A 46 = ÿØÿà JFIF

I shall post screen prints tomorrow.

Once again thanks.

 
Posted : 02/05/2012 1:50 am
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

During the operation of deleting the exif detail Opanda Remove Exif does not produce a tracefile / log of any deletion process. However, JPEG & PNG Ripper does. This is the message generated by this app during deletion.

[start]
[scanning "C:\Documents and Settings\Administrator\Desktop\metadata\Test Meta 5\Image0300.jpg"]
C:\Documents and Settings\Administrator\Desktop\metadata\Test Meta 5\Image0300.jpg [read file ok and shrunk by 4 KB]
[scanned 1 image files, total 870 KB, shrunk 1 files, saved 4 KB, avg 4 KB, errors 0, warnings 0]

By the way I am creating a file so if anyone would like a copy of the free apps, log files, photos (before and after), research material etc, then let me know.

 
Posted : 02/05/2012 10:56 am
cyrus
(@cyrus)
Posts: 26
Eminent Member
 

If you find the start of the image in the file (marked by FF DA) is the data the same in all 3 from then on?

From the bytes you have shared I can see where the extra 51 bytes comes from. If you look for standard jpg markers FFD8 (indicates a table follows) you can see the final FF D8 marker and following data match. I would assume the data from here is also the same as the original image?

00000000 - 00000080 image0300.jpg test 1 (JPEG & PNG Stripper)

FFD8FFDB00430005040303040404040405070605050507070707080C0F110C090B
0B0F161311110F11121211151A1413171C1D1A18211811131F1F1F1D222422171C
241E1F1E1EFFDB0043010505050706070E08080E1E1411141E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1EFFC00011

00000000 - 00000080 image0300.jpg test 2 (Opanda Remove Exif)

FFD8FFE000104A46494600010201012C012C0000FFFE001F202020202020202020
2020202020202020202020202020202020202020FFDB004300050403030404040
40405070605050507070707080C0F110C090B0B0F161311110F11121211151A14
13171C1D1A18211811131F1F1F1D222422171C241E1F1E1EFFDB0043010505050
706070E08080E1E1411141E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E
1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1EFF

Opanda seems to remove any metadata and just add a blank JFIF field to the image, whereas JPEG & PNG Stripper seems to remove metadata fields altogether.

On a side note, I did some (brief) work looking into this area before. It may not help in this case, but you can use the quantisation tables (marked by FF D8) to identify if an image has been edited, and possibly even to match it to a device (even without metadata), although it is questionable if this would be reliable evidence.

A great paper on the topic: http://www.dfrws.org/2008/proceedings/p21-kornblum.pdf
and the software mentioned that uses the tables to determine if the image is edited: http://www.impulseadventure.com/photo/jpeg-snoop.html

 
Posted : 30/07/2012 11:39 am
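Added example, not part of any post in this thread: one way to test the question raised above (are the three files identical once the header metadata is set aside?) is to walk the JPEG segments, total the APPn/COM bytes, and hash everything else from the tables through the scan data. The APP0 and COM bytes are copied from the test 2 dump in the thread; the Exif block, quantisation table values and scan bytes are constructed placeholders, and the function names are this example's own.

```python
import hashlib
import struct

def walk_segments(data):
    """Return ([(marker, offset, total_size)], sos_offset) for JPEG bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI (FF D8)")
    pos, segs = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        # The 2-byte big-endian length counts itself but not the marker.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, pos, 2 + length))
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            return segs, pos
        pos += 2 + length
    raise ValueError("no SOS (FF DA) found")

def is_metadata(marker):
    """APP0..APP15 (FF E0..FF EF) and COM (FF FE) carry no pixel data."""
    return 0xE0 <= marker <= 0xEF or marker == 0xFE

def metadata_bytes(data):
    """Total size of all APPn and COM segments before the scan."""
    segs, _ = walk_segments(data)
    return sum(size for marker, _, size in segs if is_metadata(marker))

def image_fingerprint(data):
    """SHA-256 of every non-metadata segment plus all bytes from SOS onward."""
    segs, sos = walk_segments(data)
    h = hashlib.sha256()
    for marker, off, size in segs:
        if not is_metadata(marker) and marker != 0xDA:
            h.update(data[off:off + size])
    h.update(data[sos:])
    return h.hexdigest()

# Constructed samples: identical tables and scan bytes behind three headers.
BODY = (b"\xff\xdb\x00\x43\x00" + bytes(range(1, 65))          # DQT, length 0x43
        + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"          # SOS header
        + b"\x12\x34\x56\xff\xd9")                              # dummy scan + EOI
EXIF = b"\xff\xe1\x00\x10Exif\x00\x00II*\x00\x08\x00\x00\x00"  # constructed APP1
JFIF = bytes.fromhex("FFE000104A46494600010201012C012C0000")   # APP0 as in test 2
COM = b"\xff\xfe\x00\x1f" + b"\x20" * 29                       # COM as in test 2
ORIGINAL = b"\xff\xd8" + EXIF + BODY
STRIPPER = b"\xff\xd8" + BODY
OPANDA = b"\xff\xd8" + JFIF + COM + BODY

if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("test 1", STRIPPER), ("test 2", OPANDA)):
        print(name, len(img), metadata_bytes(img), image_fingerprint(img)[:16])
```

On real files, equal fingerprints mean a tool only dropped or added header segments, while differing fingerprints point to the image data having been re-encoded.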
(@armresl)
Posts: 1011
Noble Member
 

I don't know if this helps you or not, but if the picture was posted online at all, most major photo sites get rid of a lot of the metadata automatically so you can't find the GPS or some other information from EXIF.

During the operation of deleting the exif detail Opanda Remove Exif does not produce a tracefile / log of any deletion process. However, JPEG & PNG Ripper does. This is the message generated by this app during deletion.

[start]
[scanning "C:\Documents and Settings\Administrator\Desktop\metadata\Test Meta 5\Image0300.jpg"]
C:\Documents and Settings\Administrator\Desktop\metadata\Test Meta 5\Image0300.jpg [read file ok and shrunk by 4 KB]
[scanned 1 image files, total 870 KB, shrunk 1 files, saved 4 KB, avg 4 KB, errors 0, warnings 0]

By the way I am creating a file so if anyone would like a copy of the free apps, log files, photos (before and after), research material etc, then let me know.

 
Posted : 31/07/2012 1:46 am
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Cyrus and armresl thanks for your replies. Sorry for not responding earlier. I had read your posts and thought I had replied. I am working on this simple experiment project and will post further results soon based upon your observations. Once again, thanks.

 
Posted : 14/08/2012 1:43 am
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

The work is still ongoing as I am working to try as many tools as possible for this simple experiment to see what we learn when a photo has its metadata modified or erased.

Cat Test 1 - with Exif
http://fotoforensics.com/analysis.php?id=4bb96975cace8da69bd82c53874952c1e1b76bbc.891021

Cat Test 2 - metadata removed using JPEG & PNG Stripper
http://fotoforensics.com/analysis.php?id=84994ec3ab61f0ff6f4c28f61e5dc3720f4df7d4.886616

Cat Test 3 - metadata removed using Opanda
http://fotoforensics.com/analysis.php?id=45e5f3658815658c80468ae8fc75bda96cc2c0ca.886667

The analysis tool used is available online at Foto Forensics, which I understand is a site to replicate the work of Pete Ringwood (errorlevelanalysis.com) who has retired.

Remember to select each of the fields ELA, JPEG %, Metadata, Original.

 
Posted : 18/02/2013 1:33 pm