Wednesday, January 30, 2013

Backtrack Forensics: exiftool

Menu: Forensics -> Forensic Analysis Tools
Directory: /pentest/misc/exiftool/
Official Website:
License: GNU GPL v1 or above

exiftool is a Perl script which can extract, and for some file types also edit, EXIF metadata. The list of information that can be extracted is awfully long; if you have ever worked with any tool that opens JPEG files, you have probably seen most of it. Today the most sensitive piece of information is probably the location data stored in the picture. The list of all supported tags, their formats, etc. can be found on the official website; it is so long that it could easily fill a book in itself. However, not only images carry EXIF info. Here is the list of file formats the tool supports (r - supports read, w - supports write, c - supports create):

File Types
3FR r | EIP r | LNK r | PAC r | RWZ r
3G2 r | EPS r/w | M2TS r | PAGES r | RM r
3GP r | ERF r/w | M4A/V r | PBM r/w | SO r
ACR r | EXE r | MEF r/w | PDF r/w | SR2 r/w
AFM r | EXIF r/w/c | MIE r/w/c | PEF r/w | SRF r
AI r/w | EXR r | MIFF r | PFA r | SRW r/w
AIFF r | F4A/V r | MKA r | PFB r | SVG r
APE r | FFF r/w | MKS r | PFM r | SWF r
ARW r/w | FLA r | MKV r | PGF r | THM r/w
ASF r | FLAC r | MNG r/w | PGM r/w | TIFF r/w
AVI r | FLV r | MOS r/w | PICT r | TTC r
BMP r | FPX r | MOV r | PMP r | TTF r
BTF r | GIF r/w | MP3 r | PNG r/w | VRD r/w/c
CHM r | GZ r | MP4 r | PPM r/w | VSD r
COS r | HDP r/w | MPC r | PPT r | WAV r
CR2 r/w | HDR r | MPG r | PPTX r | WDP r/w
CRW r/w | HTML r | MPO r/w | PS r/w | WEBP r
CS1 r/w | ICC r/w/c | MQV r | PSB r/w | WEBM r
DCM r | IDML r | MRW r/w | PSD r/w | WMA r
DCP r/w | IIQ r/w | MXF r | PSP r | WMV r
DCR r | IND r/w | NEF r/w | QTIF r | WV r
DFONT r | INX r | NRW r/w | RA r | X3F r/w
DIVX r | ITC r | NUMBERS r | RAF r/w | XCF r
DJVU r | J2C r | ODP r | RAM r | XLS r
DLL r | JNG r/w | ODS r | RAR r | XLSX r
DNG r/w | JP2 r/w | ODT r | RAW r/w | XMP r/w/c
DOC r | JPEG r/w | OFR r | RIFF r | ZIP r
DOCX r | K25 r | OGG r | RSRC r |
DV r | KDC r | OGV r | RTF r |
DVB r | KEY r | ORF r/w | RW2 r/w |
DYLIB r | LA r | OTF r | RWL r/w |

Not bad, eh? :) Let's see its very basic usage:

./exiftool - prints the man page
./exiftool -ver - prints the current version

The simplest run is to just specify the filename, which prints all the EXIF information:
./exiftool /root/sample.jpg

We can update any EXIF tag (as long as metadata writing is supported for the file type) with the -TAG=VALUE option. I updated the ISO value for testing:
./exiftool -ISO=300 /root/sample.jpg
You can see in the new output that the value has been updated. When we do an update, the original file is backed up with "_original" appended to the filename; in this case it is "sample.jpg_original".

We can also delete a tag's information by not assigning any value. The special all tag (-all=) deletes every tag:
./exiftool -all= /root/sample.jpg
As you can see, all meta information has now been deleted.
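To show what exiftool is actually reading out of a JPEG (and what -all= takes away), here is a small added example written for this post; it is not exiftool's own code. It is a minimal parser for the APP1 Exif segment that walks IFD0 and then the Exif and GPS sub-IFDs, run against a constructed JPEG shell carrying an ISO value and a GPS latitude. The sample bytes, offsets and the handful of tag names are mine; the parser assumes a well-formed file and is not hardened against malformed input.

```python
import struct

# Tag ids from the TIFF/EXIF specification, named the way exiftool prints them.
IFD_NAMES = {0x010F: "Make", 0x8827: "ISO", 0x8769: "ExifIFD", 0x8825: "GPSIFD"}
GPS_NAMES = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}
TYPES = {1: ("B", 1), 2: ("s", 1), 3: ("H", 2), 4: ("I", 4), 5: ("II", 8)}  # type -> (struct code, size)

def _read_ifd(tiff, off, endian, names):
    """Parse the IFD at offset `off` of the TIFF block into {tag name: value}."""
    tags = {}
    for i in range(struct.unpack_from(endian + "H", tiff, off)[0]):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, off + 2 + 12 * i)
        code, size = TYPES.get(typ, ("B", 1))
        # A value of at most 4 bytes is stored in the entry itself; larger ones live at an offset.
        data = raw[:size * n] if size * n <= 4 else tiff[struct.unpack(endian + "I", raw)[0]:][:size * n]
        if typ == 2:    # ASCII, NUL terminated
            value = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:  # RATIONAL: numerator/denominator pairs (GPS coordinates use three of them)
            value = [num / den for num, den in struct.iter_unpack(endian + "II", data)]
        else:
            value = struct.unpack(endian + code * n, data)
            value = value[0] if n == 1 else list(value)
        tags[names.get(tag, hex(tag))] = value
    return tags

def read_exif(jpeg):
    """Walk the JPEG marker segments; return IFD0 + Exif + GPS tags, or {} when there is no EXIF."""
    pos = 2  # skip the SOI marker; stop at SOS (0xDA), after which only scan data follows
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, length = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            endian = "<" if tiff[:2] == b"II" else ">"  # "II" = Intel (little), "MM" = Motorola (big)
            tags = _read_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian, IFD_NAMES)
            for key, names in (("ExifIFD", IFD_NAMES), ("GPSIFD", GPS_NAMES)):
                if key in tags:  # follow the pointer tags into the Exif and GPS sub-IFDs
                    tags.update(_read_ifd(tiff, tags.pop(key), endian, names))
            return tags
        pos += 2 + length
    return {}

def _entry(tag, typ, count, value):
    return struct.pack(">HHI", tag, typ, count) + value.ljust(4, b"\0")
def build_sample_jpeg():  # constructed test input, not a real photo: SOI, EXIF segment, empty SOS, EOI
    ifd0 = struct.pack(">H", 2) + _entry(0x8769, 4, 1, struct.pack(">I", 38)) + _entry(0x8825, 4, 1, struct.pack(">I", 56)) + b"\0\0\0\0"
    exif = struct.pack(">H", 1) + _entry(0x8827, 3, 1, struct.pack(">H", 300)) + b"\0\0\0\0"  # TIFF offset 38
    gps = struct.pack(">H", 2) + _entry(1, 2, 2, b"N\0") + _entry(2, 5, 3, struct.pack(">I", 86)) + b"\0\0\0\0"  # offset 56
    lat = struct.pack(">6I", 47, 1, 30, 1, 0, 1)  # 47 deg 30' 0" as three rationals at offset 86
    app1 = b"Exif\0\0MM\x00\x2a\x00\x00\x00\x08" + ifd0 + exif + gps + lat
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Running read_exif on the file after an -all= run returns {} because the APP1 segment is gone; a "GPSLatitude" key in the result is the field to look for before an image is published.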

There are tons of other options, like exporting/importing tags from CSV, printing unsupported tags, printing results to a file, recursively processing a whole directory, faster processing of JPEG images, and much, much more...
