Cатсн²² (in)sесuяitу / ChrisJohnRiley

After listening to a recent episode of the Pauldotcom podcast, I took some time to look at a tool that was discussed called exiftool. This tool is used to extract or edit the hidden metadata information from files. Although this sort of data might seem trivial and somewhat uninteresting, you’d be surprised what a wealth of information it can be especially when it comes to forensic data recovery.

This data can contain a great deal of interesting facts, including references to the machine the document was authored on, or in the case of image files, the model of camera. If you’re using a more modern camera (I used a Canon Powershot A720IS as an example) it can include a great deal of important detail, including if the flash was used, what the zoom factor was, exposure time, ISO level, and if the time delay was used. Also a lot of professional photographers use the Metadata to store important facts about the pictures they take. Including location, photographer name and assignment details. If only the camera serial number was included in all images, image forensics would be a step closer to catching the bad guys. As it is, we’ll just have to take what we can get. Sometimes you can get lucky and find a “Owner’s name” or “Camera Body No.” if the user is relying on set software products for managing their camera.

So next time you see a file, remember that there is more to it than just meets the eye.

ExifTool by Phil Harvey, and ExiftoolGUI (windows only)