Experience the ultimate flexibility with the Isolation API, allowing you to securely Quisque pellentesque id ultrices lacus ornare elit vitae ullamcorper. Learn More

Intelligence analysts, law enforcement, legal investigators, and investigative journalists all analyze metadata stored with digital images to gather insights about people, events, and locations worldwide. How does it work?

 

To illustrate a typical workflow for you, Authentic8's Open Source Intelligence (OSINT) team has created a Flash Report based on a real-world example. The overview, titled What is Exif Data?, explains how to distill relevant information from Exchangeable Image File Format (Exif) data.

The document describes how to use specialized tools to extract information about where an image was taken, the camera make and model, and other details. For the Flash Report, our analysts used the FotoForensics app and a photo of a container vessel from a ship-spotting forum.

Image (metadata) analysis has long been a staple of intelligence collection by federal agencies such as the NSA, CIA, DEA, and FBI, as well as numerous other law enforcement, public safety, and digital forensics experts.

More recently, corporate security and protective intelligence professionals, private investigators, investigative journalists, and fact-checking outlets routinely conduct image research and metadata analysis.

Recent examples where Exif data analysis played a crucial role:

And before you ask - yes, Exif data can also be manipulated, replaced, or stripped from digital pictures altogether. Several social media platforms have begun to remove Exif data from images or replace it with their own (tracking) code.

Where to mine Exif data

User-uploaded digital camera and smartphone images in online forums, including on the dark web, and blog pictures often still contain Exif data. This makes them go-to sources for Open Source Intelligence (OSINT) researchers and investigators.

What prompted social media services to remove Exif data? There are mainly two reasons. The first is obvious - the second, not so much, but online researchers better be aware of it.

The first reason most social media services give for stripping Exif data from user-uploaded pictures is to protect member privacy and prevent abuse.

Flash report: how to use Exif data for OSINT

Get the flash report "What is Exif Data?" and learn how to extract and incorporate Exif data into your research here.

Exif data of family photos taken at home, for example, can open the door for doxxing, the publication of private information (such as the residential address) of people against their will, for example of critical journalists, or for cyberstalking.

The second, lesser-known reason is that Exif data can be used to hide malware in image files to launch a multi-stage attack on the device where the picture is viewed.

Security researcher Shyam Sundar Ramaswami recently documented an example found in the wild on the Cisco Umbrella blog. In this case, the exploit code was hidden in the Exif data header of a JPEG image. His warning: "JPG malware is not that common, but it can be very nasty."

How to conduct secure image research?

Many security professionals and OSINT analysts use Silo for Research (Toolbox) instead of a regular browser when conducting online investigations that involve the collection and analysis of image metadata. They chose Silo for Research for mainly three reasons:

  • With its managed attribution capabilities, Silo for Research enables analysts to mask their online identity on websites while gathering or examining material to prevent compromising their investigation.
  • While they may not always find the metadata they're looking for in a digital photo, researchers must always be prepared for nasty surprises. Web isolation with Silo prevents any web-borne code, such as Exif headers spiked with malware, from touching or fingerprinting the local machine.
  • Silo for Research makes it easy for investigators to efficiently collaborate online using a wide range of tools, while maintaining oversight and, in forensics, the chain of custody.

Silo for Research enables researchers to deploy relevant image analysis web apps without risking attribution or exploit should one of these apps be compromised.

The tools at their disposal range from FotoForensics (our Flash Report example) to the Image Verification Assistant, which features image tampering detection algorithms, metadata analysis, GPS Geolocation, EXIF Thumbnail extraction and integration with reverse image search via Google.

About the Author

A8 Team
A8 Team
Contribution Team U.S.A.

Authentic8 Team is a group of cybersecurity enthusiasts, investigation sleuths, top-notch engineers, news junkies, policy wonks and all-around fervent writers hell-bent on bringing you the best darn blog in the industry. 

Related Resources

Flash Report
Flash Report

What is exif data?

When a digital image is captured, metadata is stored as exif data, which can be useful for analysis — to find image location, camera model and more

Flash Report
Flash Report

What is Shodan?

Get an overview of Shodan, a search engine for internet-connected devices, how it works and its uses in online investigations

Guide
Guide

21 OSINT research tools for threat intelligence

Authentic8 engineers curated a list of the 21 most widely used OSINT research tools for cybersecurity researchers, analysts and other security professionals

Close
Close