I saw this question in another forum and thought I would bring it to the experts. My knowledge of computer forensics is pretty limited so please be easy on me if I seem uneducated in what I'm asking.
"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"
I'm assuming a great deal would depend on what action the EXIF stripping program was executing to make the location data viewable? Do these EXIF strippers actually strip the data, do they change some sort of file extention, or possibly modify a string of data? Is this info something that can be found through the SQLite database, modified, and ultimately recovered?
Thanks in advance for any responses.
"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"
No.
If data are stripped, they are stripped, and gone to the heaven of bytes, wherever it is, forever, may they R.I.P. 😯 .
Seriously, you can consider the (BTW, and for a number of reasons, "stupid") JPEG format as a sort of "zip archive" with inside it a number of files, of which some are mandatory and some are optional
- the actual image compressed data is mandatory
- the thumbnail preview is optional (and can be stripped)
- the EXIF data is optional and contains in itself any number of (still optional) metadata fields (and can be stripped, selectively or "as a whole"), see here for a good reference
http//
http//
Typically an EXIF stripper does remove the actual bytes containing the data (if you prefer after having gone through an EXIF stripper usually the filesize becomes smaller, so there is no way that they can be recovered
BUT there are tens or maybe hundreds of tools that are said to "strip metadata" and the "some sort of EXIF stripper" is way too vague to allow for an actual answer, it is entirely possible that the one or the other tool "leaves behind" some data, and as well it is possible to add to an image "custom" metadata and one (or the other) tool may simply miss them.
jaclaz
Ed
There is also more on this subject here
http//www.forensicfocus.com/Forums/viewtopic/t=9071/postdays=0/postorder=asc/start=0/
Thanks for the replies!
Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.
Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.
+1
One can theorize that a badly written app that supposed to wipe the EXIF APP1 block in a jpeg image does not do it properly, and leaves remnants.
I have yet to see one.