Restoring stripped ...
 
Notifications
Clear all

Restoring stripped EXIF data

7 Posts
6 Users
0 Reactions
14.9 K Views
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
Topic starter
 

I saw this question in another forum and thought I would bring it to the experts. My knowledge of computer forensics is pretty limited so please be easy on me if I seem uneducated in what I'm asking.

"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"

I'm assuming a great deal would depend on what action the EXIF stripping program was executing to make the location data viewable? Do these EXIF strippers actually strip the data, do they change some sort of file extention, or possibly modify a string of data? Is this info something that can be found through the SQLite database, modified, and ultimately recovered?

Thanks in advance for any responses.

 
Posted : 22/11/2014 11:24 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"

No.

If data are stripped, they are stripped, and gone to the heaven of bytes, wherever it is, forever, may they R.I.P. 😯 .

Seriously, you can consider the (BTW, and for a number of reasons, "stupid") JPEG format as a sort of "zip archive" with inside it a number of files, of which some are mandatory and some are optional

  • the actual image compressed data is mandatory
  • the thumbnail preview is optional (and can be stripped)
  • the EXIF data is optional and contains in itself any number of (still optional) metadata fields (and can be stripped, selectively or "as a whole"), see here for a good reference
  • http//www.sno.phy.queensu.ca/~phil/exiftool/
    http//www.sno.phy.queensu.ca/~phil/exiftool/TagNames/EXIF.html

Typically an EXIF stripper does remove the actual bytes containing the data (if you prefer after having gone through an EXIF stripper usually the filesize becomes smaller, so there is no way that they can be recovered

BUT there are tens or maybe hundreds of tools that are said to "strip metadata" and the "some sort of EXIF stripper" is way too vague to allow for an actual answer, it is entirely possible that the one or the other tool "leaves behind" some data, and as well it is possible to add to an image "custom" metadata and one (or the other) tool may simply miss them.

jaclaz

 
Posted : 22/11/2014 2:33 pm
(@trewmte)
Posts: 1877
Noble Member
 

Ed

There is also more on this subject here

http//www.forensicfocus.com/Forums/viewtopic/t=9071/postdays=0/postorder=asc/start=0/

 
Posted : 22/11/2014 6:18 pm
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
Topic starter
 

Thanks for the replies!

 
Posted : 23/11/2014 7:23 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.

 
Posted : 23/11/2014 5:19 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.

+1

 
Posted : 23/11/2014 5:44 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

One can theorize that a badly written app that supposed to wipe the EXIF APP1 block in a jpeg image does not do it properly, and leaves remnants.

I have yet to see one.

 
Posted : 24/11/2014 6:39 pm
Share: