ExifTool
ExifTool
One-liner: A command-line tool for reading, writing, and manipulating metadata (especially EXIF) in files like images and PDFs.
π― What Is It?
ExifTool is a widely used metadata utility (by Phil Harvey) that can extract embedded metadata from many file formats. In OSINT and DFIR, itβs commonly used to pull out identifiers and context that creators didnβt intend to share (e.g., camera info, timestamps, GPS coordinates, author/copyright fields).
π€ Why It Matters
- OSINT pivoting: Metadata can expose usernames, emails, device model, software versions, or locations.
- Forensics: Helps validate timelines and determine if a file was edited/processed.
- Security: Metadata can leak sensitive operational details (locations, internal usernames, tooling).
π¬ How It Works
Core Principles
- Many file types support embedded metadata blocks (EXIF/IPTC/XMP).
- Tools can parse these blocks without βopeningβ the file in the normal application.
- Metadata is often copied forward when files are re-shared, resized, or reposted (not always).
Technical Deep-Dive
Common usage patterns:
# Dump all metadata
exiftool image.jpg
# Show only GPS-related fields
exiftool -gps:all image.jpg
# Show the field groups (EXIF/IPTC/XMP)
exiftool -G image.jpg
# Output as JSON (useful for scripting)
exiftool -j image.jpg
π‘οΈ Detection & Prevention
How to Detect
- Detect uploads containing EXIF/GPS fields at web gateways or DLP tooling.
- In IR, inspect suspicious images/docs for embedded authoring data.
How to Prevent / Mitigate
- Strip metadata before sharing externally (e.g., βRemove location dataβ options, export settings, or metadata-scrubbing tools).
- Enforce secure defaults in MDM/endpoint tooling for camera/location tagging where appropriate.
π Types/Categories
| Type | Description | Example |
|---|---|---|
| EXIF | Camera/photo metadata | GPS, camera make/model |
| XMP | Extensible metadata (Adobe/common) | Editing history, creator tool |
| IPTC | Publishing/news metadata | Copyright, captioning |
π€ Interview Angles
Common Questions
- "What kinds of metadata can leak from images?"
- "How would you validate whether an image contains GPS coordinates?"
STAR Story
Situation: A suspected data leak involved screenshots shared publicly.
Task: Determine if shared files exposed internal identifiers.
Action: Extracted metadata, identified authoring tool/user fields, and recommended metadata stripping controls.
Result: Reduced future leakage and improved sharing guidance.
β Best Practices
- Treat metadata as untrusted input (it can be forged).
- Always record hashes of original files before modifying them.
β Common Misconceptions
- "Social media always strips metadata" (it depends on the platform and workflow).