Join Us!

Restoring stripped ...
 
Notifications
Clear all

Restoring stripped EXIF data  

  RSS
hcso1510
(@hcso1510)
Active Member

I saw this question in another forum and thought I would bring it to the experts. My knowledge of computer forensics is pretty limited so please be easy on me if I seem uneducated in what I'm asking.

"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"

I'm assuming a great deal would depend on what action the EXIF stripping program was executing to make the location data viewable? Do these EXIF strippers actually strip the data, do they change some sort of file extention, or possibly modify a string of data? Is this info something that can be found through the SQLite database, modified, and ultimately recovered?

Thanks in advance for any responses.

Quote
Posted : 22/11/2014 10:24 am
jaclaz
(@jaclaz)
Community Legend

"If a digital image contained Lat/Long coordinates within its Metadata and an individual ran it through some sort of EXIF stripper to remove it could it be recovered?"

No.

If data are stripped, they are stripped, and gone to the heaven of bytes, wherever it is, forever, may they R.I.P. 😯 .

Seriously, you can consider the (BTW, and for a number of reasons, "stupid") JPEG format as a sort of "zip archive" with inside it a number of files, of which some are mandatory and some are optional

Typically an EXIF stripper does remove the actual bytes containing the data (if you prefer after having gone through an EXIF stripper usually the filesize becomes smaller, so there is no way that they can be recovered

BUT there are tens or maybe hundreds of tools that are said to "strip metadata" and the "some sort of EXIF stripper" is way too vague to allow for an actual answer, it is entirely possible that the one or the other tool "leaves behind" some data, and as well it is possible to add to an image "custom" metadata and one (or the other) tool may simply miss them.

jaclaz

ReplyQuote
Posted : 22/11/2014 1:33 pm
trewmte
(@trewmte)
Community Legend

Ed

There is also more on this subject here

http//www.forensicfocus.com/Forums/viewtopic/t=9071/postdays=0/postorder=asc/start=0/

ReplyQuote
Posted : 22/11/2014 5:18 pm
hcso1510
(@hcso1510)
Active Member

Thanks for the replies!

ReplyQuote
Posted : 23/11/2014 6:23 am
mscotgrove
(@mscotgrove)
Senior Member

Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.

ReplyQuote
Posted : 23/11/2014 4:19 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Sometimes when 'data' has been stripped it can be reconstructed from other information. This is often true of indexing type information. EXIF is normally descriptive and so unlikely to be stored elsewhere in the file. ie When it has gone, it has gone.

+1

ReplyQuote
Posted : 23/11/2014 4:44 pm
jhup
 jhup
(@jhup)
Community Legend

One can theorize that a badly written app that supposed to wipe the EXIF APP1 block in a jpeg image does not do it properly, and leaves remnants.

I have yet to see one.

ReplyQuote
Posted : 24/11/2014 5:39 pm
Share: