
"Intelligence Encyclopedia" explores JPEG

Author: Cyber Intelligence Research

The full text is 9112 words and 23 figures

Estimated reading time: 23 minutes

In intelligence investigations we know that photos contain many details that are useful for geolocation. Beyond the visual clues on the surface of a photo, however, other important information is hidden inside the image file itself, and it also holds key clues. The most important of these is EXIF data.

For intelligence investigations, EXIF is an informational gold mine, because it contains details about the camera, its settings, and sometimes even location data. Although most platforms strip EXIF data from uploaded images, it remains a source of information that we cannot ignore.

In this article, Fu Yunjun will lead everyone to explore the intelligence code hidden in JPEG images.


Intelligence analysis tools

There are a number of tools that can be used to extract data from JPEG image files for intelligence analysis. In a previous tweet, Fu Yunjun introduced 8 of these tools; you can click the link below to read about them.

Forensically – This is a very simple web-based image forensic tool that runs in the browser; simply load the image with Open File to start analysing it. The Metadata, Geotags and String Extraction tabs are useful for accessing the data we need.


Exiftool – This is a simple but very powerful tool for extracting metadata from many different file types, not just images. It runs on Windows, Mac and Linux. It is not as easy to use as Forensically, but it is more effective for viewing recovered metadata.

Bless – Bless is a hex editor that lets you view the structure of a file in its rawest form. HxD is also a good basic hex viewer for Windows, but any hex editor can be used for this purpose. A hex editor is the most comprehensive way to inspect the structure of a file, and it lets us check the metadata very precisely.


The secret in JPEG

Each type of file has its own digital signature; this is how computers distinguish a .doc from an .exe. In Windows, the operating system looks at the extension at the end of a file name (for example .pdf, .xls) to decide which program to use to open the file.

More important is the file signature: each file begins with a hexadecimal signature that tells the operating system what type of file it is. .exe files begin with the signature 4D 5A, .docx files begin with 50 4B 03 04, JPEG image files begin with FF D8, and so on.

This means that when the computer reads the data, it sees FF D8 at the beginning of the file and knows that it is a JPEG. The end of the file is marked with the corresponding FF D9. As a simple example, take the following picture; this is how the computer presents the image to you:


And this is how the computer sees the same image. By opening it in a hex viewer, we can see the file the way the computer does. Note that it starts with the file signature FF D8, indicating that it is a JPEG:


And the file ends with FF D9, which indicates the end of the JPEG:


So what does this have to do with EXIF and other file data that we might be interested in?

Just as specific hexadecimal bytes mark the beginning and end of a JPEG file, other hexadecimal patterns in the file indicate where a particular type of information can be found. These all sit in the header of the file, the first part of the file, before the main data of the actual image itself. Here is a complete list of all the useful JPEG codes, but we are only interested in a few:

FF E1 – The beginning of any EXIF data in the file.

FF E2 – ICC (International Color Consortium) profile information. An ICC profile is a set of properties that determine how a particular device displays colours. This can be important for OSINT because the ICC profile usually remains unchanged even when a website deletes the EXIF data. For some devices, such as Apple products, this information can sometimes still be used to determine the manufacturer of the device.

FF ED – Photoshop and IPTC data. This tag marks the beginning of the metadata Photoshop generates during processing. IPTC data holds other information, such as copyright details, photographer details and titles. This data is usually absent from a photo, even one that has not been modified, but when it is present it is very useful.
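What a hex-editor search for FF D8, FF E1, FF E2 and FF ED is really doing is walking the JPEG's marker segments. The script below, an added example rather than code from this article, does that walk programmatically: it checks the FF D8 signature, reads each length-prefixed segment up to the start of the image data (FF DA), identifies the EXIF, ICC and Photoshop segments by the identifier string each one carries, collects any free-text comment, and checks that the file ends with FF D9. It also includes a simple segment-dropping function, so you can see what a platform's "EXIF removal" looks like at the byte level. The JPEG fed to it is constructed in code (only a header and a three-byte fake scan), not a real photo; the comment text reuses the eBay/ImageMagick string the article quotes.

```python
"""Walk a JPEG's marker segments and report the metadata blocks the text
describes: FF E1 (APP1, EXIF), FF E2 (APP2, ICC profile), FF ED (APP13,
Photoshop/IPTC) and FF FE (COM, free-text comment). Added example; the
sample file at the bottom is constructed, not a real photo."""
import struct

SOS = 0xDA  # start of scan: everything after it is entropy-coded image data

# APPn identifier strings as written by the respective standards, mapped to
# the report key each one sets.
KNOWN_PAYLOADS = {
    0xE1: (b"Exif\x00\x00", "exif"),
    0xE2: (b"ICC_PROFILE\x00", "icc"),
    0xED: (b"Photoshop 3.0\x00", "photoshop"),
}


def walk_segments(data: bytes):
    """Yield (marker, payload, start, end) for each header segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: file does not start with FF D8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn/TEM: no length field
            yield marker, b"", pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts itself
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end


def describe(data: bytes) -> dict:
    """Summarise which metadata segments are present, as a hex search would."""
    report = {"exif": False, "icc": False, "photoshop": False, "comment": None,
              "segments": [], "ends_with_eoi": data.endswith(b"\xff\xd9")}
    for marker, payload, _, _ in walk_segments(data):
        report["segments"].append(f"FF {marker:02X}")
        if marker == 0xFE:
            report["comment"] = payload.decode("latin-1")
        elif marker in KNOWN_PAYLOADS:
            ident, key = KNOWN_PAYLOADS[marker]
            if payload.startswith(ident):
                report[key] = True
    return report


def strip_metadata(data: bytes, drop=(0xE1, 0xE2, 0xED, 0xFE)) -> bytes:
    """Drop the listed segments and leave the pixels untouched: the same idea
    as a platform's EXIF removal, minus the re-encoding most of them add."""
    out = bytearray(data[:2])
    last = 2
    for marker, _, start, end in walk_segments(data):
        if marker not in drop:
            out += data[start:end]
        last = end
    out += data[last:]  # SOS, scan data and EOI are copied as they are
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, JFIF APP0, an EXIF APP1 holding only a TIFF header,
# a Photoshop APP13 with an empty IPTC resource, a comment, a fake scan, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _segment(0xED, b"Photoshop 3.0\x00" + b"8BIM\x04\x04\x00\x00\x00\x00\x00\x00")
    + _segment(0xFE, b"Handled by eBay with ImageMagick")  # text quoted in the article
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(describe(SAMPLE_JPEG))
    print(describe(strip_metadata(SAMPLE_JPEG)))
```

Run it on a real file by replacing SAMPLE_JPEG with the bytes of the file; the "segments" list gives the same sequence of FF xx markers you would find by scrolling through the hex view, in file order.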

This is easier to see with a practical example, so let's explore the secrets of the JPEG using a web photo that still holds its EXIF data.


Photos with EXIF data

The photo below, whose EXIF data was not deleted, was taken from a CNN article.


Photo by Brent Steaton/Getty Pictures

Let's save it first and upload it to Forensically; here is what the Metadata tab shows:


There are a lot of useful details inside. The ImageDescription field is also populated, so when we upload this photo to the blog it automatically fills in the title field. There are other pieces of information in the String Extraction tab:


The large amount of data in this JPEG header makes it a good test object for examining files with a hex editor. Here is the file in hexadecimal form:


Notice how the EXIF data is visible in the right-hand column. We know that the EXIF part of a JPEG starts with FF E1, so we can use Ctrl+F to find this part of the file. It starts right after the file signature:


Next we can check for the ICC profile by searching for FF E2, but we won't find it in this particular image. The FF ED field (Photoshop and IPTC data) does exist, however, so we know that the file may have been processed by Photoshop:


The hexadecimal view of the file provides the highest level of detail but is not always the easiest to read. Forensically does a great job of extracting and displaying most of the data, but in my opinion ExifTool does it better. Here is how it renders a selection of the metadata:


Because the photo was processed by Photoshop, the creation and modification timestamps of the Photoshop activity are embedded in the image. These Photoshop editing timestamps are different from the creation/modification/access timestamps you can find on every file on your computer: those come from the device's own file system and are not part of the file header itself.

We can easily view and extract EXIF information with an EXIF viewer, but as you know, there may not be many web images left that still contain rich raw EXIF data.

So what can we do? While raw images with large amounts of EXIF data are rare, by knowing how to dig deeper into the photo data we can still find useful fragments of raw data that EXIF removal tools tend to overlook.

Some major social platforms delete EXIF data in their own unique ways, which may actually make it easier to identify the source of an image.

How major platforms remove metadata

Almost every major platform removes metadata, but they all do it differently. For example, IPTC conducted comprehensive testing of many popular social media and image hosting platforms to understand how each one handles EXIF and IPTC data. Each one processes the file differently:


Sometimes we can see how a platform strips the data. For example, if we look at this bike sold on eBay, the hex view of the file even tells us which software was used to do it:


We see the greeting "Handled by eBay with ImageMagick" right where the EXIF FF E1 field begins! ImageMagick is a common EXIF removal tool. At least we now know how to tell whether an image was borrowed from eBay!

However, not all websites leave such a visible trail when they delete metadata, and each site handles it differently. Next, let's look at how some popular social networking platforms handle image metadata and add their own distinctive features in the process.


Facebook


The file name for this image is:

88004843_10111606095638101_261759268640784384_o.jpg

This special file naming format stems from Facebook's unique way of storing its billions of images.

The file name of each image on Facebook actually represents a specific block on a particular cluster of hard drives in Facebook's vast ecosystem, rather than having anything to do with the source account. The result is that Facebook image file names are very unique.

Let's use ExifTool to see the file itself:

ExifTool Version Number : 10.80
File Name : 84068253_10111506635776461_6848249074852823040_o.jpg
Directory : .
File Size : 371 kB
File Permissions : rw-rw-r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Profile CMM Type :
Profile Version : 2.0.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2009:03:27 21:36:31
Profile File Signature : acsp
Primary Platform : Unknown ()
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator :
Profile ID : 29f83ddeaff255ae7842fae4ca83390d
Profile Description : sRGB IEC61966-2-1 black scaled
Blue Matrix Column : 0.14307 0.06061 0.7141
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Device Model Desc : IEC 61966-2-1 Default RGB Colour Space - sRGB
Green Matrix Column : 0.38515 0.71687 0.09708
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Luminance : 0 80 0
Measurement Observer : CIE 1931
Measurement Backing : 0 0 0
Measurement Geometry : Unknown
Measurement Flare : 0%
Measurement Illuminant : D65
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Technology : Cathode Ray Tube Display
Viewing Cond Desc : Reference Viewing Condition in IEC 61966-2-1
Media White Point : 0.9642 1 0.82491
Profile Copyright : Copyright International Color Consortium, 2009
Chromatic Adaptation : 1.04791 0.02293 -0.0502 0.0296 0.99046 -0.01707 -0.00925 0.01506 0.75179
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Current IPTC Digest : 2aa1d117b0d20226dcefbb16249a023f
Original Transmission Reference : GggUWrgwZ9hSQFQXeGJa
Image Width : 1504
Image Height : 1505
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1504x1505
Megapixels : 2.3           

The vast majority of this data relates to the colour settings of the image. Even the seemingly interesting Profile ID field refers to a non-unique colour profile, not to anything specific like a user profile. What makes this Facebook image unique, however, is the IPTC Digest hash:

Current IPTC Digest : 2aa1d117b0d20226dcefbb16249a023f

This is a unique hash value derived from the IPTC data associated with the image. We can't access the IPTC data itself, but the hash is still useful because it is a form of uniqueness. This field is widely misreported as another form of "Facebook tracking", or even as some sort of steganography.

To be sure, Facebook can track you in a number of ways, but this is not one of them. The IPTC digest is more akin to a form of copyright mark, but that's about it.

The useful point for researchers is that if we take the image from Facebook and change the file name, the original IPTC digest remains unchanged in the metadata.

This is what happens when we rename the file above to someimage.jpg and run it through ExifTool again. The result is the same:

Current IPTC Digest : 2aa1d117b0d20226dcefbb16249a023f

However, if we change a single pixel in the image and resave it, all the original metadata is lost:

File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 1504
Image Height : 1505
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1504x1505
Megapixels : 2.3           

So this is not a very effective way to track anyone.
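To see why the digest behaves as described above (unchanged by a rename, gone after a re-encode, and not a tracking beacon), it helps to compute it yourself. The script below is an added example, not the article's code, and it assumes, following ExifTool's documentation, that "Current IPTC Digest" is the MD5 of the raw IPTC IIM block held in Photoshop image resource 0x0404 inside the FF ED segment, while resource 0x0425 holds the digest Photoshop last wrote. It parses the resource block, computes the digest, and compares it with the stored one. Both payloads are constructed here; note that an empty IPTC block yields d41d8cd98f00b204e9800998ecf8427e, the MD5 of zero bytes, which is also the stored IPTC Digest value ExifTool reports for the Twitter image further down.

```python
"""Compute the IPTC digest from a Photoshop APP13 (FF ED) payload.
Added example; assumes ExifTool's definition (MD5 of the IPTC IIM block in
Photoshop resource 0x0404, stored copy in resource 0x0425). All payloads
below are constructed."""
import hashlib
import struct
from typing import Optional

IPTC_IIM, IPTC_DIGEST = 0x0404, 0x0425
PS_PREFIX = b"Photoshop 3.0\x00"


def parse_irb(payload: bytes) -> dict:
    """Return {resource_id: data} from a 'Photoshop 3.0' APP13 payload."""
    if not payload.startswith(PS_PREFIX):
        raise ValueError("not a Photoshop APP13 payload")
    pos, resources = len(PS_PREFIX), {}
    while pos + 12 <= len(payload):
        if payload[pos:pos + 4] != b"8BIM":
            raise ValueError(f"bad resource signature at offset {pos}")
        (rid,) = struct.unpack(">H", payload[pos + 4:pos + 6])
        name_len = payload[pos + 6]
        # Pascal-string name: length byte + name, padded to an even total length.
        pos += 6 + 1 + name_len + (1 if name_len % 2 == 0 else 0)
        (size,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        resources[rid] = payload[pos:pos + size]
        pos += size + (size % 2)  # resource data is also padded to an even length
    return resources


def current_iptc_digest(payload: bytes) -> Optional[str]:
    """MD5 of the IPTC block as it is now; None when no block exists at all,
    which is what a re-encode by an image editor leaves behind."""
    res = parse_irb(payload)
    if IPTC_IIM not in res:
        return None
    return hashlib.md5(res[IPTC_IIM]).hexdigest()


def stored_iptc_digest(payload: bytes) -> Optional[str]:
    """The digest Photoshop recorded when it last wrote the file, if any."""
    res = parse_irb(payload)
    return res[IPTC_DIGEST].hex() if IPTC_DIGEST in res else None


def digest_matches(payload: bytes) -> bool:
    """True when the IPTC block is unchanged since Photoshop last wrote it."""
    cur, stored = current_iptc_digest(payload), stored_iptc_digest(payload)
    return cur is not None and cur == stored


def _resource(rid: int, data: bytes) -> bytes:
    pad = b"\x00" if len(data) % 2 else b""
    return b"8BIM" + struct.pack(">H", rid) + b"\x00\x00" + struct.pack(">I", len(data)) + data + pad


def _iim(record: int, dataset: int, value: bytes) -> bytes:
    """One IPTC IIM dataset: tag marker 0x1C, record, dataset, length, value."""
    return b"\x1c" + bytes([record, dataset]) + struct.pack(">H", len(value)) + value


# Constructed payloads: one with a small IPTC block plus a matching stored
# digest, one with an empty IPTC block, and one with no IPTC resource at all.
IPTC_BLOCK = _iim(2, 5, b"Bicycle") + _iim(2, 80, b"constructed byline")
PAYLOAD_WITH_IPTC = (PS_PREFIX + _resource(IPTC_IIM, IPTC_BLOCK)
                     + _resource(IPTC_DIGEST, hashlib.md5(IPTC_BLOCK).digest()))
PAYLOAD_EMPTY_IPTC = PS_PREFIX + _resource(IPTC_IIM, b"")
PAYLOAD_NO_IPTC = PS_PREFIX

if __name__ == "__main__":
    for name, p in [("with IPTC", PAYLOAD_WITH_IPTC), ("empty IPTC", PAYLOAD_EMPTY_IPTC),
                    ("no IPTC", PAYLOAD_NO_IPTC)]:
        print(name, current_iptc_digest(p), stored_iptc_digest(p), digest_matches(p))
```

Renaming a file never touches these bytes, so the computed digest cannot change; re-encoding the image drops the whole FF ED segment, so there is nothing left to hash. The digest is therefore only as "unique" as the IPTC text it was computed from.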

Twitter

Twitter also removes metadata, but it retains the ICC profile field (FF E2) and the Photoshop metadata field (FF ED) when files are uploaded from Apple devices. Here is an example, an old Quiztime photo posted by Julia Bayer:


Open the image in Forensically and select String Extraction to pull the information out of the FF E2 and FF ED fields:


Some of the original metadata is still there and has not been removed. ExifTool makes it easier to read:

ExifTool Version Number : 10.80
File Name : EP4i4PqUUA86HSg.jpeg
Directory : .
File Size : 284 kB
File Modification Date/Time : 2020:02:18 19:34:40+00:00
File Access Date/Time : 2020:02:18 19:34:40+00:00
File Inode Change Date/Time : 2020:02:18 19:34:40+00:00
File Permissions : rw-rw-r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 72
Y Resolution : 72
Profile CMM Type : Apple Computer Inc.
Profile Version : 4.0.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2017:07:07 13:22:32
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer : Apple Computer Inc.
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Apple Computer Inc.
Profile ID : ca1a9582257f104d389913d5d1ea1582
Profile Description : Display P3
Profile Copyright : Copyright Apple Inc., 2017
Media White Point : 0.95045 1 1.08905
Red Matrix Column : 0.51512 0.2412 -0.00105
Green Matrix Column : 0.29198 0.69225 0.04189
Blue Matrix Column : 0.1571 0.06657 0.78407
Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Chromatic Adaptation : 1.04788 0.02292 -0.0502 0.02959 0.99048 -0.01706 -0.00923 0.01508 0.75168
Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
IPTC Digest : d41d8cd98f00b204e9800998ecf8427e
Image Width : 1604
Image Height : 2048
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1604x2048
Megapixels : 3.3           

The image still retains metadata showing that it was created on an Apple device:

Profile Creator : Apple Computer Inc.
Profile ID : ca1a9582257f104d389913d5d1ea1582
Profile Description : Display P3
Profile Copyright : Copyright Apple Inc., 2017           

Although Twitter removed most of the image metadata after the FF E1 (EXIF) field, it kept the other metadata fields. This may seem to apply only to Apple devices, but it is a small piece of information that can help prove or refute an image's attribution and is often overlooked.

Reddit also keeps the same metadata for photos from Apple devices. Here is a photo from the front page:
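The Apple attribution in the ExifTool output above comes from a handful of fixed-offset fields in the 128-byte ICC profile header that Twitter and Reddit leave in the FF E2 segment. The script below, an added example rather than code from the article, reads those fields directly: preferred CMM type at offset 4, version at 8, device class at 12, colour space and PCS at 16 and 20, creation date at 24, the 'acsp' signature at 36, primary platform at 40, manufacturer at 48, model at 52, creator at 80 and the profile ID at 84. The two APP2 payloads it parses are constructed to mirror the values in the ExifTool output above (an Apple Display P3 header and the blank-vendor sRGB header from the Facebook image); they are not the real profiles, and the vendor lookup table covers only the platform codes registered by the ICC that the example needs.

```python
"""Read the ICC profile header from an APP2 (FF E2) payload and pull out the
vendor fields that survive platform re-uploads. Added example following the
ICC.1 header layout; sample payloads are constructed."""
import struct

ICC_PREFIX = b"ICC_PROFILE\x00"
# Platform / vendor signatures registered by the ICC, as ExifTool names them.
VENDORS = {b"APPL": "Apple Computer Inc.", b"MSFT": "Microsoft Corporation",
           b"SGI ": "Silicon Graphics Inc.", b"SUNW": "Sun Microsystems"}


def _vendor(sig: bytes) -> str:
    if sig == b"\x00\x00\x00\x00":
        return ""  # shown blank by ExifTool, as in the Facebook sRGB profile
    return VENDORS.get(sig.upper(), sig.decode("latin-1").strip())


def parse_icc_header(payload: bytes) -> dict:
    """Decode the 128-byte header. An APP2 payload is 'ICC_PROFILE\\0', a
    one-byte chunk sequence number, a one-byte chunk count, then the profile."""
    if not payload.startswith(ICC_PREFIX):
        raise ValueError("not an ICC_PROFILE APP2 payload")
    start = len(ICC_PREFIX) + 2
    hdr = payload[start:start + 128]
    if len(hdr) < 128 or hdr[36:40] != b"acsp":
        raise ValueError("missing 'acsp' profile signature")
    year, mon, day, hh, mm, ss = struct.unpack(">6H", hdr[24:36])
    return {
        "size": struct.unpack(">I", hdr[0:4])[0],
        "cmm_type": _vendor(hdr[4:8]),
        "version": f"{hdr[8]}.{hdr[9] >> 4}.{hdr[9] & 0x0F}",
        "device_class": hdr[12:16].decode("latin-1"),  # 'mntr' = display device
        "color_space": hdr[16:20].decode("latin-1").strip(),
        "pcs": hdr[20:24].decode("latin-1").strip(),
        "date_time": f"{year:04d}:{mon:02d}:{day:02d} {hh:02d}:{mm:02d}:{ss:02d}",
        "platform": _vendor(hdr[40:44]),
        "manufacturer": _vendor(hdr[48:52]),
        "model": _vendor(hdr[52:56]),
        "creator": _vendor(hdr[80:84]),
        "profile_id": hdr[84:100].hex(),
    }


def likely_apple_origin(payload: bytes) -> bool:
    """The attribution check the text describes: does any vendor slot of the
    surviving ICC header point at Apple?"""
    h = parse_icc_header(payload)
    return any(h[k].startswith("Apple") for k in ("cmm_type", "platform", "manufacturer", "creator"))


def _header(cmm, platform, maker, creator, version=b"\x04\x00\x00\x00",
            date=(2017, 7, 7, 13, 22, 32), profile_id=bytes(16)) -> bytes:
    """Build a constructed 128-byte header (header only, no tag table)."""
    hdr = bytearray(128)
    hdr[0:4] = struct.pack(">I", 128)
    hdr[4:8], hdr[8:12] = cmm, version
    hdr[12:16], hdr[16:20], hdr[20:24] = b"mntr", b"RGB ", b"XYZ "
    hdr[24:36] = struct.pack(">6H", *date)
    hdr[36:40], hdr[40:44] = b"acsp", platform
    hdr[48:52], hdr[52:56] = maker, bytes(4)
    hdr[64:68] = struct.pack(">I", 0)  # rendering intent 0 = perceptual
    hdr[68:80] = struct.pack(">3i", 0xF6D6, 0x10000, 0xD32D)  # D50 illuminant, s15Fixed16
    hdr[80:84], hdr[84:100] = creator, profile_id
    return bytes(hdr)


# Constructed payloads: an Apple Display P3 style header (profile ID copied
# from the article's ExifTool output) and a blank-vendor sRGB style header.
APPLE_P3_SAMPLE = ICC_PREFIX + b"\x01\x01" + _header(
    b"appl", b"APPL", b"APPL", b"appl",
    profile_id=bytes.fromhex("ca1a9582257f104d389913d5d1ea1582"))
BLANK_SRGB_SAMPLE = ICC_PREFIX + b"\x01\x01" + _header(
    bytes(4), bytes(4), bytes(4), bytes(4),
    version=b"\x02\x00\x00\x00", date=(2009, 3, 27, 21, 36, 31))

if __name__ == "__main__":
    for p in (APPLE_P3_SAMPLE, BLANK_SRGB_SAMPLE):
        print(parse_icc_header(p), likely_apple_origin(p))
```

Because a large profile is split across several APP2 chunks, the header is always in the chunk with sequence number 1; on a real file, take the payload of the first FF E2 segment found by a marker walk and pass it to parse_icc_header.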


Although all other data has been deleted, we see traces of the same Apple origin in this image:

Profile CMM Type : Apple Computer Inc.
Profile Version : 4.0.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2017:07:07 13:22:32
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer : Apple Computer Inc.
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Apple Computer Inc.
Profile ID : ca1a9582257f104d389913d5d1ea1582
Profile Description : Display P3
Profile Copyright : Copyright Apple Inc., 2017           

Artificial intelligence-generated images

In previous tweets, Fu Yunjun also showed you how to recognize artificial intelligence-generated pictures; you can read them by clicking the link below:


There are many standard metadata fields in this photo (all starting with "FF"), but they are all blank and contain no actual data. This is certainly unusual: most real profile images contain at least some JPEG header information, whereas this one is almost completely blank. On that basis, it can be judged that the photo is artificially generated rather than a real photo.

Well, today's exploration will end here, and next time Fu Yunjun will lead everyone to learn more interesting and valuable intelligence knowledge.

This article is original content of Fuyun; unauthorized reproduction is prohibited.

Fu Yun's original IP image design is original work; do not steal it, infringement will be investigated.

Cover source: sebweo.com
