Digital Forensics - Tracking & Target Locating .Jpegs via Metadata (Exif)
In this lab I was able to locate the exact year, date and time of a digital photograph as well as the technical specifications of the camera used and pinpoint it's exact location via satellite imagery.
DISCLAIMER: This is not intended to be an instructional on how to hack for criminal purpose. Introducing unwanted network activity to another network, stealing digital files, and damaging systems is illegal and punishable under Canadian law.
The purpose of this lab was to test an ability to distinguish a false copy of a photograph and locate the source of an image to track an exact location given two different copies-- an Exif image containing metadata and a .jpeg (the original).
Though both were identical, one was falsely made with fraudulent metadata and it was my objective to decipher which was authentic.
(original photograph; location and details at time of lab were unknown)
There's a data surplus streaming through social media outlets and the internet which include location services or geotagging, either with or without the posting users knowledge. Geographical tagging allows the user to mark their coordinates in the form of metadata coded within the base-16 hex data of an image. This allows better sharing of their images with the local community for those who may also travel through their route. [below: example of base-16 hex metadata of a photograph; DSCN00A]
The lab broke down into three basic steps:
Determine if both identical images are truly the same
Repair the copy to retrieve more data. Compare the datasets, and;
Decode the data to track the location
1. FCIV Checksum; Identical Photographs but Different Hashes
When the visually identical files are run through an integrity verification process,-- it becomes apparent that they are different as each will output a different MD5 or SHA-1 hash. This is because of steganography allowing the different base-16 hex metadata to exist within the file, hiding either modified information or even other compressed or zipped files within a pixel of the image. This is a common issue with photos shared and downloaded online and running this lab on frequently shared images often uncovered hidden .txt files. The difference in hash could also be due to the image being slightly altered in dimension or tone, changing the value of the encoded metadata in even the slightest variable would offset the hash output substantially. With the hashes being computed as different, it was clear that one image was altered and one was original-- but distinguishing which required further digging.
2. File Incompatability; 2 .jpegs, Only 1 Recognized/Viewable
Another indicator for a fraudulent copy was the inability to open the recognizable filetype. This would hint that the .jpeg is a different format, and confirmation was made when examining the hex values in winHex. After repairing the header with winHex for the DSCN00A copy (which by the average photo-viewer was unrecognizable); the exif data became available. Exif files are lower quality copies of an image in an exchangeable image file format, one which allows the viewing of the geolocation header information encoded in the metadata.
To reiterate the significance of changing data in the slightest way (in this case the header for Exif-TIFF campatability), another hash was computed of the slightly modified file, pictured below.
3. Decoding The Data to Track the Location of The Photograph
Once the .jpeg was repaired and the Exif data became viewable, the photograph could be opened with photo-viewing software. The data was revealed in plaintext when utilizing a reader such as ExifReader; free software created by Takenet, to view the photographs ancillary tags.
Though using a hex conversion tool could produce the same output, it would require the copy and pasting of the entire hex code. ExifReader allowed fast and simple viewing of the photographs details [listed below]
The results were that the .jpeg had authentic embedded metadata within the Exif header which showed the date, time and year as well as location in geographical coordinates. Though the informaton is cropped; the camera information was listed in very deep technical detail as well.
This is problematic when unknowingly or unwillingly oversharing information online. Should a similar canvas be done on social media photographs; it can be quickly deciphered where the photograph originated from, from what equipment and in some cases; the owners name and personal information associated with their device on configuration (i.e. Johns Samsung S5).
All of these details aid in phase 1 of the Hacking Methodology; Information Gathering, and should be considered as a security risk at all times when posting content online.
End Result: original location; Vicolo del Canello, Arezzo, La Torre, Arezzo, AR, Tuscany, 52100, 43° 28' 2.81" N, 11° 53' 6.46" E
Hector Barquero