Join Us!

WHICH TOOLS TO ANAL...
 
Notifications
Clear all

WHICH TOOLS TO ANALYZE EXIF METADATA of IMAGES & VIDEOS ?  

Page 1 / 2
  RSS
mahsanqureshi
(@mahsanqureshi)
New Member

Hello,

I am doing a project on computer forensics and I need to analyze the EXIF metadata of Images (JPEG) & Video files taken from smart phone.

I have tried the below mentioned tools. I am little bit satisfied with EXIF Pro, but GPS/Location entries of images are not accurate as shown in picture properties in mobile , i.e EXIF Pro shows slightly different location from where the photos were taken .

1. EXIF Pro. (http//www.exifpro.com/)

2. Exif Viewer (https://download.cnet.com/EXIF-Viewer/3000-2193_4-75912951.html)

3. Exif Data Viewer. (http//www.exifdataviewer.com/)

4. ExifTool by Phil Harvey

Please recommend any best EXIF tool which gives best results for analysis of Images & Videos metadata.

Thank you

Quote
Posted : 04/05/2019 10:29 am
dandaman_24
(@dandaman_24)
Active Member

Have a look at irfanview.

ReplyQuote
Posted : 04/05/2019 12:04 pm
athulin
(@athulin)
Community Legend

… but GPS/Location entries of images are not accurate as shown in picture properties in mobile , i.e EXIF Pro shows slightly different location from where the photos were taken .

And what does that mean … 'slightly different'? What is the error? Are you saying that the tool desn't convert the EXIF data correctly?

Or are you saying that the GPS data, at the time it was collected, had an error that is larger than what you should expect from consumer equipment?

If it's the original data that happens to be wrong, no tool in the world can make it right without extra work. I hope that goes without saying …

ReplyQuote
Posted : 04/05/2019 12:16 pm
mahsanqureshi
(@mahsanqureshi)
New Member

Have a look at irfanview.

Ok Thank You, I will download it

ReplyQuote
Posted : 04/05/2019 1:10 pm
mahsanqureshi
(@mahsanqureshi)
New Member

… but GPS/Location entries of images are not accurate as shown in picture properties in mobile , i.e EXIF Pro shows slightly different location from where the photos were taken .

And what does that mean … 'slightly different'? What is the error? Are you saying that the tool desn't convert the EXIF data correctly?

Yes,, there is difference of some points in GPS coordinates values int tool exif info. Tool dont show the exact GPS coordinates where the photo was taken.

ReplyQuote
Posted : 04/05/2019 2:43 pm
mahsanqureshi
(@mahsanqureshi)
New Member

Have a look at irfanview.

I have tried irfanview now, Results of EXIF Pro & IrfanView are same approximately. irfanview supports VIDEO, but I could not found EXIF options for video.

ReplyQuote
Posted : 04/05/2019 2:51 pm
mahsanqureshi
(@mahsanqureshi)
New Member

Hi,

finally I have found a better EXIF reader which also gives most appropriate EXIF GPS locations (xyz coordinates) of IMAGES & VIDEOS as well.

The tool name is MediaInfo. MediaInfo is a convenient unified display of the most relevant technical and tag data for images, video and audio files.

MediaInfo can be downloaded from this link MediaArea.net

Thank you all for you kind replies.

ReplyQuote
Posted : 06/05/2019 4:23 am
athulin
(@athulin)
Community Legend

Yes,, there is difference of some points in GPS coordinates values int tool exif info. Tool dont show the exact GPS coordinates where the photo was taken.

And how did you establish 'the exact GPS coordinates'?

By extracting the data from the EXIF, and finding that the tool didn't do a good job converting it to text? In that case, what error did it introduce? (And

Or, by using a second source for GPS coordinate? In that case, was the original error within what is expected for consumer GPS coordinates? Or was it outside?

My problem is that it looks very much like you are choosing a product based on undisclosed test information. As long as you do it on your own, I have no quarrel with that. But when you do it in public, some attention to the technical grounds for your choice would be appreciated.

Absence of it is a pretty clear signal that this is not a trustworthy recommendation – at least in my opinion.

ReplyQuote
Posted : 06/05/2019 10:17 am
mahsanqureshi
(@mahsanqureshi)
New Member

And how did you establish 'the exact GPS coordinates'?

By extracting the data from the EXIF, and finding that the tool didn't do a good job converting it to text? In that case, what error did it introduce? (And

Or, by using a second source for GPS coordinate? In that case, was the original error within what is expected for consumer GPS coordinates? Or was it outside?


Dear athulin,
Thank you for your concerns. Let me answer your questions and brief of my analysis

And how did you establish 'the exact GPS coordinates'?

There is nothing to worry, initially it was small misunderstanding. The properties of photo (LOCATION) in phone , where the photo was taken and the EXIF entries (of LOCATION) extracted by the tool “EXIFPRo 2.1” are same.

After testing several EXIF tools, I used EXIFPRo 2.1 because of its good results.

During this,. I came to know that, image properties in phone i.e location of image is shown in Decimal Degree (DD) Format i.e “34.381611, 73.464867”. However EXIF tools shows this location in Degrees, minutes, and seconds (DMS) i.e 34°22'53.8"N 73°27'53.5"E. Both are the same locations on the Google Maps.

By extracting the data from the EXIF, and finding that the tool didn't do a good job converting it to text? In that case, what error did it introduce?

Or, by using a second source for GPS coordinate? In that case, was the original error within what is expected for consumer GPS coordinates? Or was it outside?

In tool like EXIF Data Viewer , the GPS values were " GPS latitude34? 22 minutes and 53.794669 seconds north GPS longitude73? 27 minutes and 53.508187 seconds east" , The "?" was ambiguous. However the results are absolutely fine now as I have understanding of the GPS format.Most of the tools shown the very near locations of the expected results.

THE REST OF THE DETAILED ANALYSIS IS GIVEN BELOW FOR FURTHER REFERENCE

A. IMAGE (PHOTO) ANALYSIS

TOOL USED EXIFPro2.1

Original Photo
The original photo that is used for the analysis is shown in figure 1 below

Properties of the image in Phone
This figure 2 below exhibits the properties of image in phone

EXIF Properties of the image using ExifPro 2.1
The EXIF entries of the image is shown in figure 3 & figure 4 below

figure 3 below shows the metadata details, however the size of file is different as actual size shown in phone (refer to figure 2 above)

figure 4 below exhibits the GPS coordinates

Photo Location on GOOGLE MAP retrieved by EXIFPro and Image properties in Phone

Image properties of phone shows Location in Decimal Degrees (DD) i.e “34.381611, 73.464867” as shown in figure 2, while the tool "EXIFPro 2.1", gives GPS coordinates in Degrees, minutes, and seconds (DMS) i.e 34°22'53.8"N 73°27'53.5"E as shown in figure 4. This is the exact GPS location where I captured the picture as shown in Google Map in figure 5 below.

figure 5

Conclusion

Image location in phone properties and EXIF entries of location are found same on Google Map. Hence the Image GPS coordinates and other metadata evidences are established.

——-

B. VIDEO ANALYSIS

TOOL USED MediaInfo

This is the original video of riverside that was analyze as shown in fig 6 below

Properties of the VIDEO in Phone
This figure 7 below exhibits the properties of image in phone

EXIF entries of Location extracted from Video using the tool “MediaInfo”

Video properties are not found in phone except timestamp and file size as shown in figure 7, however this tools extracted the location in decimal degrees with tag “xyz” i.e +34.3809+073.4623/ " along with other several metadata information of this video as shown in fig 8 below.

figure 8 EXIF of Video

This location is shown in Google Map, and yes I found the best results as shown in figure 9

figure 9-Location of Video on Google Map

Conclusion

Video GPS coordinates with other metadata information has been established. However, the Timestamp extracted by tool is given in UTC format, if it is converted to Pakistan timezone. It gives the exact timestamp results.

….
Thanks

ReplyQuote
Posted : 07/05/2019 7:21 pm
passcodeunlock
(@passcodeunlock)
Senior Member

When it is about images forensics, I strongly suggest trying Amped Authenticate. In case of videos I suggest trying Amped Five. I'm not affiliated in any way with Amped, but from my experience they make the best tools I know into images & videos forensics.

Another good tool is the Belkasoft Evidence Center for similar tasks, but more complex and is not ment only for images & videos forensics.

ReplyQuote
Posted : 07/05/2019 9:39 pm
mahsanqureshi
(@mahsanqureshi)
New Member

When it is about images forensics, I strongly suggest trying Amped Authenticate. In case of videos I suggest trying Amped Five. I'm not affiliated in any way with Amped, but from my experience they make the best tools I know into images & videos forensics.

Another good tool is the Belkasoft Evidence Center for similar tasks, but more complex and is not ment only for images & videos forensics.

Yes I strongly agree with you passcodeunlock, I checked Amped, but no trial is available and that is a commercial software. also I have a good experience with Belkasoft and AccessDaa FTK Commercial tools as well but not available to me now. So, I had to find out the best alternate tools/methodology for doing this.

Moreover, my task is mainly to doing Social Media Investigations, so in that scenario, I had to establish the evidence of either this image was uploaded on the SNSs or not and from either this image/video was captured using the suspect device and etc. So I were just moving around to find out the the all other necessary possibilities that may help to establish the evidence, so that is why I just thought to try analysing the Image/Video Analysis in a mile wide and inch deep approach. Image/Video Forensics is itself a big and very important domain of Digital Forensics. )

ReplyQuote
Posted : 08/05/2019 1:12 am
passcodeunlock
(@passcodeunlock)
Senior Member

I agree )

ReplyQuote
Posted : 08/05/2019 10:02 am
athulin
(@athulin)
Community Legend

There is nothing to worry, initially it was small misunderstanding. The properties of photo (LOCATION) in phone , where the photo was taken and the EXIF entries (of LOCATION) extracted by the tool “EXIFPRo 2.1” are same.

Great – I thought that you maybe had discovered that one or more of the tools did not do the job. And you did, though of a different kind than I thought.

In tool like EXIF Data Viewer , the GPS values were " GPS latitude34? 22 minutes and 53.794669 seconds north GPS longitude73? 27 minutes and 53.508187 seconds east" , The "?" was ambiguous. However the results are absolutely fine now as I have understanding of the GPS format.Most of the tools shown the very near locations of the expected results.

That kind of error is always a concern – and it should not be present in a good forensic tool. Data should never be ambiguous.

I suspect some problems with the 'degree' character not being possible to show, and being replaced with a '?' … an understandable bug, though not necessarily acceptable, as any analysis report would need to explain how this is being handled. It's always better not to have to do that.

Thanks for the reply!

ReplyQuote
Posted : 08/05/2019 10:27 am
mahsanqureshi
(@mahsanqureshi)
New Member

Great – I thought that you maybe had discovered that one or more of the tools did not do the job. And you did, though of a different kind than I thought.

Thank you. )

That kind of error is always a concern – and it should not be present in a good forensic tool. Data should never be ambiguous.

I suspect some problems with the 'degree' character not being possible to show, and being replaced with a '?' … an understandable bug, though not necessarily acceptable, as any analysis report would need to explain how this is being handled. It's always better not to have to do that.

Yes, more possibly it would be Degree Symbol , because 34? 22 minutes and 53.794669 seconds north is Degree Minutes Seconds (DMS) format of GPS coordinate, here minutes and seconds are in text but Degree symbol cant be represented properly . As you said "as any analysis report would need to explain how this is being handled.", yes, because if this is questioned in the court , forensics expert witness may face tough situation while explaining this to non-technical lawyers and judges and there is always a benefit of doubt and in such cases may lead to acquittal.

AccessData FTK, BelkaSoft, Cellebrite UFED etc are well known and we all know that these tools are applicable., Such tools have builtin features to analyze EXIF.

I were just wondering , If there is there any list of forensics tools/software which are applicable in court , issued by any international authorized body ??

Thanks for the reply!.

pleasure reside my heart )

ReplyQuote
Posted : 08/05/2019 11:46 am
athulin
(@athulin)
Community Legend

I were just wondering , If there is there any list of forensics tools/software which are applicable in court , issued by any international authorized body ??

Not as far as I know.

The basis of such a list would probably need to be a large number of test suites, that focus on single issues does a tool report correct geographical coordinates correctly and unambiguously? Does it report bad coordinates in a suitable manner? … and so on for each single piece of information that we need to rely on to be correct in court time stamps, master file records, registry file entries, log files, file systems, archive file formats, document file structures, …

And as far as I know, there are no comprehensive test suites either. NIST has a Computer Forensic Tool Testing Program, and the Federated Testing Program that are interesting, but only covers some parts of the full spectrum. I've dabbled in this area myself (Sourceforce project CompForTest).

In twenty years … perhaps.

ReplyQuote
Posted : 08/05/2019 12:54 pm
Page 1 / 2
Share: