You might not realize it, but your files say a lot about your identity. Whenever you take a picture on a digital camera or cell phone, essential information called metadata is written into the image file. This data can include things like the model of camera, whether or not the flash fired, date, time, and even GPS coordinates.
EXIF data is a specific subset of metadata found in images taken with a camera. As part of a forensic investigation, this information could leave critical clues about the timing and location of certain events. In fact, EXIF data is regularly used in criminal cases to prove or disprove a witness account of events.
Analyzing EXIF data
One of the easiest ways to analyze the metadata in a photo is through a free application called ExifTool. This program runs on both Mac and PC from the command line.
There are also a variety of online tools to perform the same actions without having to download a separate executable. For instance, http://metapicz.com/ and http://regex.info/exif.cgi both will pull out all the possible information fields.
Photos are not the only type of file to contain metadata. Microsoft Office documents are known for saving information such as the name of the user who created the document, the user who last saved the document, and the software version used. While this might seem irrelevant at first, a savvy attacker can use this information to identify users, roles, and a company’s username format. For example, a malicious outside user might see marketing documents available on a website that are all saved by the same person, jsmith. This could then be used to either attempt to guess the password of “jsmith” or send out a malicious newsletter appearing to be from the person who normally sends these types of emails.
At RSM, we use a combination of internally developed tools and a freeware tool called FOCA to easily analyze large sets of metadata for patterns. For individual documents, a quick check in the document properties or an online tool like https://metashieldanalyzer.elevenpaths.com/ will easily provide the metadata.
Hidden Text and Files
Aside from metadata, the way that image files are created and viewed makes them perfect places to deliberately hide extra information. Take the following picture for example:
At first glance, this seems to be innocuous. The metadata does not include anything useful and the image displays normally on all web browsers. However, if you use the ‘strings’ command on Linux to look for possible words within the file, a clear sentence appears!
Text is not the only thing that can be embedded within a picture file – it’s possible to actually combine a JPG or PNG image with an extractable archive in ZIP or RAR format. The reason for this peculiar behavior is something known as the “magic numbers”. A typical JPG has very clear starting and ending markers that let an image viewer application know how to process the data within. Any data after the closing bytes is effectively ignored by the program, making it a perfect location to add in additional information. If this “extraneous” information contains the starting and ending bytes for a ZIP file, a file utility like 7-Zip or WinRAR will simply ignore all the irrelevant JPG data and read only the portion that appears to be an archive.
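Checking for this from the defender's side, as an added example that is not from the original post: a Python walker that follows the JPEG segment structure to the real End-Of-Image marker (a plain byte search for FF D9 can stop early on an EXIF thumbnail's own EOI) and reports any trailing bytes together with a ZIP or RAR signature. The sample bytes are constructed for the demonstration, not a real photograph.

```python
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}          # TEM and RST0-7 carry no length field
SCAN_CONTINUES = {0x00, *range(0xD0, 0xD8)}      # FF00 byte stuffing and RSTn inside scan data
ARCHIVE_MAGIC = {                                # signatures of archives commonly appended to images
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
}

def jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking segments instead of searching for FF D9."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        pos += 2
        if marker in STANDALONE or pos + 2 > len(data):
            continue
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length field counts itself
        if marker == SOS:                         # skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in SCAN_CONTINUES):
                pos += 1
    raise ValueError("EOI marker not found; file truncated or malformed")

def trailing_payload(data: bytes):
    """Return (bytes after EOI, archive type or None)."""
    tail = data[jpeg_end(data):]
    kind = next((n for magic, n in ARCHIVE_MAGIC.items() if tail.startswith(magic)), None)
    return tail, kind

# Constructed sample, not a real photo: SOI, an APP1 segment wrapping a fake thumbnail that itself
# ends in FF D9, a minimal SOS with byte-stuffed scan data, the real EOI, then a ZIP local-file header.
THUMB = b"\xff\xd8\xff\xd9"
APP1 = b"\xff\xe1" + struct.pack(">H", 2 + len(THUMB)) + THUMB
SOS_SEG = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
ZIP_TAIL = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"flag.txt"
SAMPLE = b"\xff\xd8" + APP1 + SOS_SEG + b"\xff\xd9" + ZIP_TAIL

if __name__ == "__main__":
    naive = SAMPLE.find(b"\xff\xd9")              # hits the thumbnail's EOI at offset 8, not the real one
    print("naive FF D9 search:", naive, "real EOI ends at:", jpeg_end(SAMPLE), "tail:", trailing_payload(SAMPLE)[1])
```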
The following is an image file. Can you find all three flags hidden within it?