Thursday, December 27, 2012

The Value of Metadata in Digital Images

I'm excited to say I have a guest author on the Digital Forensics blog today! Simon has graciously offered to post this article on image metadata and its value to digital investigations. Thanks Simon!

This is my first article on digiforensics, so first of all, I'd like to thank Ken for the opportunity. I should probably introduce myself. I'm Simon and I'm currently studying Computer Forensics BSc at University. Recently, I received a lecture from a guy talking about cell site analysis and how so many cases these days involve mobile phones. So it got me thinking.

Firstly, it's hard to find anyone who doesn't own a mobile phone. Secondly, it's hard to find someone who doesn't upload pictures to social media sites such as Facebook, Twitter, Myspace (yes, people still use Myspace!) The average user doesn't realize the risks involved by simply uploading a picture from a smartphone onto the internet.

I use the term 'picture' rather than 'image' because an 'image' in the forensic sense
Is a bit for bit copy of a digital drive. Anyway, back on topic. Have you heard of John
McAfee? You should have. He's the brains behind the McAfee anti-virus software empire that
was founded way back in 1987.

In recent months, John McAfee was wanted by police regarding a murder investigation of
his neighbour. We'll use this as a mini case study. Let us pretend we have a serial killer
on the loose. Unless we find out the whereabouts of this guy, who knows what will happen.

What should we do? Search his computer? Search his house? Ok, that’s fine. But what about social media? Let’s look at his Facebook, his Twitter. Hell, if he has World of Warcraft, let’s look at his WoW chat logs. Well, it soon emerged that he had posted a picture of himself online. So it made me think. Can we find out where this guy is? Just by looking into the picture metadata?

Whilst this can be done on Windows using EXIF Viewer, however I find the Macintosh software 'File Viewer' is a great piece of software for this kind of thing. In order to find this guy, we need to analyse the photograph. Luckily for us, Mr. McAfee left his location on when he took his picture, meaning that his geographical location is embedded into the photographs metadata.

Simply dragging the photograph into the File Viewer presents us with the following screen:

If we look at the MAC  information (Modified, Last Opened/Accessed & Created) you’ll see that the data just shows when I opened it up on my laptop. So ignore this. This case study is just so you can see the concept behind it. I’m not really following the ACPO guidelines here guys.

It’s important to note the Tiff Metadata e.g DateTime, Make & Model of device that captured the picture. Notice this is the original time that the photo was taken. Now I scrolled down and found the geotag information (GPS metadata):

This clearly states the Latitude & Longitude the picture was taken. From here, we can simply use our web browser to go to and insert the latitude & longitude using this syntax:

From here, we get a satellite view of where the picture was taken.

Needless to say, John McAfee was arrested in Guatemala earlier this month. [Source] 

I hope this article has been interesting and eye opening. I’m sure there are many people who are aware of this, but if not, it’s just nice to see that metadata can be an incredible source of information for an investigator.