Tool Review – ExifTool

February 20th, 2009 Josh No comments

The Exchangeable Image File Format (EXIF) is a method that image files use to store data about the image.  It's often referenced in relation to the image files produced by digital cameras.  These files often store data about the camera that took the photo, the settings of the camera, whether or not the flash went off and other data.  This is very useful in categorizing the images.

ExifTool is a neat little tool that allows you to dig into this information.  It's available for Windows, Linux and Mac, and lets you look inside your photos.  Let's look at an example.  This is what results from running the tool against a photo that I took on a recent trip:

$ exiftool dsc_6497.jpg
ExifTool Version Number         : 7.42
File Name                       : dsc_6497.jpg
Directory                       : .
File Size                       : 5.9 MB
File Modification Date/Time     : 2009:02:15 17:50:13
File Type                       : JPEG
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Make                            : NIKON CORPORATION
Camera Model Name               : NIKON D200
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : f-spot version 0.5.0.3
Modify Date                     : 2009:02:15 17:50:13
Y Cb Cr Positioning             : Co-sited
Exposure Time                   : 1/320
F Number                        : 7.1
Exposure Program                : Aperture-priority AE
ISO                             : 100
Exif Version                    : 0221
Date/Time Original              : 2009:01:25 23:44:02
Create Date                     : 2009:01:25 17:44:02
Components Configuration        : YCbCr
Compressed Bits Per Pixel       : 4
Exposure Compensation           : 0
Max Aperture Value              : 5.7
Metering Mode                   : Multi-segment
Flash                           : No Flash
Focal Length                    : 400.0 mm
Maker Note Version              : 2.10
Color Mode                      : Color
Quality                         : Fine
White Balance                   : Sunny
Focus Mode                      : AF-C
Flash Setting                   : Normal
Flash Type                      :
White Balance Fine Tune         : -2
Color Balance 1                 : 1.8359375 1.35546875 1 1
Program Shift                   : 0
Exposure Difference             : 0
Warning                         : Bad NikonPreview directory
Flash Exposure Compensation     : 0
ISO Setting                     : 100
Image Boundary                  : 0 0 3872 2592
Flash Exposure Bracket Value    : 0.0
Exposure Bracket Value          : 0
Crop Hi Speed                   : Off (3904x2616 cropped to 3904x2616 at pixel 0,0)
Serial Number                   :
Image Authentication            : Off
Tone Comp                       : Auto
Lens Type                       : D VR
Lens                            : 80-400mm f/4.5-5.6
Flash Mode                      : Did Not Fire
AF Area Mode                    : Dynamic Area
AF Point                        : Center
AF Points In Focus              : Center
Shooting Mode                   : Continuous, Auto ISO
Auto Bracket Release            : Manual Release
Color Hue                       : Mode1
Light Source                    : Natural
Shot Info Version               : 0207
Vibration Reduction             : On (1)
Hue Adjustment                  : 0
Noise Reduction                 : Off
WB RGGB Levels                  : 470 256 256 347
Lens Data Version               : 0201
Exit Pupil Position             : 128.0 mm
AF Aperture                     : 5.7
Focus Position                  : 0x03
Focus Distance                  : 59.57 m
Lens ID Number                  : 101
Lens F Stops                    : 5.67
Min Focal Length                : 80.0 mm
Max Focal Length                : 403.2 mm
Max Aperture At Min Focal       : 4.5
Max Aperture At Max Focal       : 5.7
MCU Version                     : 107
Effective Max Aperture          : 5.7
Sensor Pixel Size               : 6.05 x 6.05 um
Image Data Size                 : 6218124
Image Count                     : 26181
Deleted Image Count             : 1307
Shutter Count                   : 27488
Flash Info Version              : 0101
External Flash Flags            : (none)
Flash Commander Mode            : Off
Flash Control Mode              : Off
Flash Group A Control Mode      : Off
Flash Group B Control Mode      : Off
Flash Group A Exposure Comp     : 0
Flash Group B Exposure Comp     : 0
Image Optimization              : Custom
Multi Exposure Version          : 0100
Multi Exposure Mode             : Off
Multi Exposure Shots            : 0
Multi Exposure Auto Gain        : Off
High ISO Noise Reduction        : Off
User Comment                    : (c) Josh More     www.starmind.org
Sub Sec Time                    : 55
Sub Sec Time Original           : 55
Sub Sec Time Digitized          : 55
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 3872
Exif Image Height               : 2592
Interoperability Index          : R98 - DCF basic file (sRGB)
Interoperability Version        : 0100
Sensing Method                  : One-chip color area
File Source                     : Digital Camera
Scene Type                      : Directly photographed
CFA Pattern                     : [Green,Red][Blue,Green]
Custom Rendered                 : Normal
Exposure Mode                   : Auto
Digital Zoom Ratio              : 1
Focal Length In 35mm Format     : 600 mm
Scene Capture Type              : Standard
Gain Control                    : None
Contrast                        : Normal
Saturation                      : Normal
Sharpness                       : Hard
Subject Distance Range          : Unknown
GPS Version ID                  : 2.2.0.0
Compression                     : JPEG (old-style)
Thumbnail Offset                : 3388
Thumbnail Length                : 9164
Subject                         : Bird Viewing Area
Image Width                     : 3872
Image Height                    : 2592
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:2 (2 1)
Aperture                        : 7.1
Blue Balance                    : 1.355469
Image Size                      : 3872x2592
Lens ID                         : AF VR Zoom-Nikkor 80-400mm f/4.5-5.6D ED
Lens                            : 80-400mm f/4.5-5.6 D VR
Red Balance                     : 1.835938
Scale Factor To 35 mm Equivalent: 1.5
Shutter Speed                   : 1/320
Thumbnail Image                 : (Binary data 9164 bytes, use -b option to extract)
Circle Of Confusion             : 0.020 mm
Depth Of Field                  : 6.28 m (56.59 - 62.87)
Field Of View                   : 3.4 deg (3.55 m)
Focal Length                    : 400.0 mm (35 mm equivalent: 600.0 mm)
Hyperfocal Distance             : 1125.03 m
Light Value                     : 14.0
Date/Time Original              : 2009:01:25 23:44:02.55

As you can see, there is a lot of data here.  Far more than you might expect to be in a simple picture.  Moreover, I've bolded some of the more interesting information.  A photographer might be interested in knowing that I used a Nikon D200 to take this photo.  I also apparently used an AF VR Zoom-Nikkor 80-400mm f/4.5-5.6D ED lens.  Note that there is technical data about not just the focal length and aperture used, but also the maximal and minimal settings for the lens.  Note as well that the date appears in numerous places.  Now things are getting interesting, as there's a way to verify that I took the photo when I claim to have done so.

After all, I might have fabricated evidence.

So sure, this is good to know, in case I am claiming to have captured Bigfoot, but that doesn't happen very often in business.  However, information leaks do.

Let's take a quick trip over to Wikileaks and see what we can find:

Over here, we find a nice report titled "UN finds 217 sex abuse claims against blue helmets".  Downloading the fairly nondescript file "OIOS-20070130-01.pdf", we get:

$ exiftool OIOS-20070130-01.pdf
ExifTool Version Number         : 7.42
File Name                       : OIOS-20070130-01.pdf
Directory                       : .
File Size                       : 221 kB
File Modification Date/Time     : 2009:02:19 22:44:11
File Type                       : PDF
MIME Type                       : application/pdf
PDF Version                     : 1.5
Page Count                      : 17
Creator Tool                    : PrimoPDF http://www.primopdf.com
Metadata Date                   : 2008:04:09 12:54:16-04:00
Document ID                     : uuid:a3ec6d39-037e-4672-945b-25ce88970721
Format                          : application/pdf
Description                     : United Nations Organization Mission in the Democratic Republic of the Congo
Modify Date                     : 2008:04:09 12:54:16-04:00
Create Date                     : 2007:04:12 17:16:25Z
Title                           : Allegations of sexual exploitation and abuse in the Ituri region, Bunia [ID Case No. 0618-05]
Creator                         : PrimoPDF http://www.primopdf.com
Author                          :
Date                            : 01/30/2007
Keywords                        : monuc, congo, bunia, sexual, exploitation, abuse, ituri
Subject                         : United Nations Organization Mission in the Democratic Republic of the Congo
Producer                        : AFPL Ghostscript 8.54

So, we've learned when the file was created (back in April 2007), but it was modified in April 2008. Interesting. We also learn that it originally had a more interesting description and title than "OIOS-20070130-01.pdf".

But Wikileaks scrubs data in an effort to remain anonymous (well, mostly). What about other information out there? How about we do a quick Google search on intitle:"rfp"+filetype:doc+response, looking for responses to RFPs that might be available.  Suppose this search turned up a document titled "KonnSv11.doc" that just might be an RFP response from a large multinational company that knows a little something about connectivity.  Wonder what this document can tell us?

$ exiftool KonnSv11.doc
ExifTool Version Number         : 7.42
File Name                       : KonnSv11.doc
Directory                       : .
File Size                       : 508 kB
File Modification Date/Time     : 2009:02:12 22:51:53
File Type                       : DOC
MIME Type                       : application/msword
Title                           : COMPANY IPCM RFP Response
Subject                         : Ver.1.0
Author                          : Tikeo Homado
Keywords                        :
Template                        : NormalAnglais
Last Saved By                   : Tikeo Homado
Revision Number                 : 18
Software                        : Microsoft Word 8.0
Total Edit Time                 : 6.9 hours
Last Printed                    : 2000:03:21 02:34:00
Create Date                     : 2000:04:20 02:06:00
Modify Date                     : 2000:04:21 09:39:00
Page Count                      : 1
Word Count                      : 13019
Char Count                      : 70516
Security                        : 0
Company                         : COMPANY
Lines                           : 1221
Paragraphs                      : 1012
Char Count With Spaces          : 91437
App Version                     : 8 (0e84)
Scale Crop                      : 0
Links Up To Date                : 0
Shared Doc                      : 0
Hyperlinks Changed              : 0
Title Of Parts                  : COMPANY IPCM RFP Response
Heading Pairs                   : Title, 1
Code Page                       : 932
PIDGUID                         : {91F4D900-FDF2-14D0-BEF0-DC9E29819138}
Hyperlinks                      : joeLogo2.gif
Comp Obj User Type Len          : 20
Comp Obj User Type              : Microsoft Word ��

So, we get the name of the person who worked on the RFP. In this case, the same name is listed in the RFP, but it's not unusual for companies to have an RFP team, with a project manager in charge. Might it be useful to get the names of the key project managers at a competing company? Also, note that we have learned how much time they put into writing the RFP. If, after a few searches, you can find out how much time your competitors spend on responses, might that not be useful?

Let's look at one last example.  If we do a search on intitle:"salary"+filetype:xls, we might expect to find a lot of spreadsheets containing salary data. We might even be right. Were we to find such a file and run our handy-dandy little tool against it, we might even see:

$ exiftool Salary\ info\ over\ 75000.xls
ExifTool Version Number         : 7.42
File Name                       : Salary info over 75000.xls
Directory                       : .
File Size                       : 131 kB
File Modification Date/Time     : 2009:02:11 23:10:49
File Type                       : XLS
MIME Type                       : application/vnd.ms-excel
Author                          : sgermon
Last Saved By                   : nshoedinger
Software                        : Microsoft Excel
Last Printed                    : 2008:03:10 13:56:03
Create Date                     : 2006:12:11 15:48:19
Modify Date                     : 2008:10:09 12:38:55
Security                        : 0
Company                         : JANEDOE
App Version                     : 11 (270f)
Scale Crop                      : 0
Links Up To Date                : 0
Shared Doc                      : 0
Hyperlinks Changed              : 0
Title Of Parts                  : Contract; Benefits, CoDist, 'Contract & Benefits'!Print_Titles
Heading Pairs                   : Worksheets, 2, Named Ranges, 2
Code Page                       : 1152

The interesting bit here is that the author and the person who last edited the document are different. So, we know that two people know the salaries in excess of $75,000 for this organization. Those names also look a lot like network usernames, so we probably also have email addresses and, with a bit of work, possibly accounts that we could use to access certain systems. Perhaps these names even have access to the financial data, given that they know salaries.

So, a few questions for you:

  • What information are your clients putting out on the Internet about themselves?  About you?
  • What information are your competitors putting out there?
  • What information are you accidentally leaking when you send files around?
  • Did you know that exiftool can also be used to SET data as well as read it?  Interesting, no?

Do you think you might want to do something about that?
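
One way to answer the third question for files you own, added here as an example and not part of the original post: this Python code parses ExifTool's default text output and flags fields of the kind discussed above. The tag selection, the category names and the sample output are assumptions constructed for the example.

```python
import re

# Tags in ExifTool's default "Tag Name : value" output that tend to expose people,
# tooling or work habits. The selection is an assumption made for this example.
SENSITIVE = {
    "identity": {"Author", "Last Saved By", "Company", "User Comment"},
    "tooling": {"Software", "Producer", "Creator Tool", "Serial Number"},
    "process": {"Total Edit Time", "Revision Number", "Template", "Last Printed"},
}
LINE = re.compile(r"^(?P<tag>.+?)\s*: ?(?P<value>.*)$")

# Constructed sample output, not taken from a real file.
SAMPLE = """\
Author                          : jdoe
Last Saved By                   : asmith
Software                        : Microsoft Excel
Company                         : EXAMPLE CORP
Keywords                        :
GPS Version ID                  : 2.2.0.0
GPS Latitude                    : 41 deg 35' 0.00" N
"""

def parse_exiftool(text):
    """Return (tag, value) pairs; a list because tags such as 'Lens' repeat."""
    pairs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pairs.append((m["tag"].strip(), m["value"].strip()))
    return pairs

def audit(text):
    """Return (category, tag, value) findings; empty values are ignored."""
    fields = [(t, v) for t, v in parse_exiftool(text) if v]
    findings = []
    for tag, value in fields:
        if tag.startswith("GPS ") and tag != "GPS Version ID":
            findings.append(("location", tag, value))
        for category, tags in SENSITIVE.items():
            if tag in tags:
                findings.append((category, tag, value))
    # A different author and last editor reveals a second account name.
    d = dict(fields)
    a, e = d.get("Author"), d.get("Last Saved By")
    if a and e and a != e:
        findings.append(("identity", "Author != Last Saved By", f"{a} / {e}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Feed it the output of exiftool run against a file before you publish or send it. ExifTool's `-all=` option removes the metadata it is able to write.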


Important Note

It is important to note here that search engines make public a lot of information that probably was not intended to be made public.  It may or may not be illegal to access all of this data, but it should be OK to run tools like this against data that you own and find out what you're leaking.

For my part, I modified some of the data in the exif reports listed above.  The format is correct, but it seems wrong to me to propagate someone's data security mistake just to make a point, especially when the point can be made without doing so.  If you start playing with these techniques, I implore you to remember that people on the Internet are still people, and people make mistakes.  There's generally no need to make these mistakes worse for them.

Please, be kind.
