Understanding EXIF

In recent years, many paranormal enthusiasts have adopted digital devices as their primary means to collect audio, video and still photographs. Digital cameras, in particular, have taken hold as the dominant format for the hobbyist photographer as well as the professional - despite their rocky start as pixel-mangling orb collectors. In this article I'm going to discuss a commonly used aspect of the digital photograph, specifically the metadata that is embedded in nearly all of the digital photographs we see today.

Metadata specifications were designed to provide a standard way of embedding important information within a file to better facilitate the sharing and distribution of that media file. EXIF (Exchangeable Image File Format) is one type of metadata, but not the only type, commonly embedded in digital photographs. The EXIF specification includes a number of tags for storing specific bits of information about a media file. XMP (EXtensible Metadata Platform) is another example of metadata that can be inserted into a digital photograph and other media types.

Extracting Metadata Information

There are a number of applications available that can extract and display EXIF and other metadata information within an image. Image editing programs, for example, often include functionality to display some or all of this data. One need only use Google to find a program that will suit their needs. For this article, I will be using the exiftool command-line utility to extract and write metadata. Exiftool can typically be obtained on almost any system that includes Perl.

Example: Using exiftool to print out all non-binary metadata about an image (some output snipped for brevity):

me@linux:~/test> exiftool -a -u -g1 original.jpg
... Snipped ...

---- IFD0 ----
Image Description :
Make : SONY
Camera Model Name : DSC-F828
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Modify Date : 2006:04:15 20:55:48
Y Cb Cr Positioning : Co-sited
---- ExifIFD ----
Exposure Time : 1/30
F Number : 2.0
Exposure Program : Program AE
ISO : 100
Exif Version : 0220
Date/Time Original : 2006:04:15 20:55:48
Create Date : 2006:04:15 20:55:48
Components Configuration : YCbCr
Compressed Bits Per Pixel : 8
Exposure Compensation : 0
Max Aperture Value : 2.0

... Snipped ...

Spotting Edited Photos

When a photo is modified, some of this metadata information may be altered or removed - and sometimes new information is added. Knowing some of the tags that various image editing applications may add to a photo can help one in determining if the photograph has been edited. A good example is the popular Photoshop application, which often embeds a number of its own tags in a modified image. Unfortunately, the absence of altered metadata tags is not always a reliable means of proving that an image has not been modified, since, as we'll see later, one could simply "fix" the metadata after a photo has been altered so that it looks just like the original.

The embedded thumbnail image may also provide some clues about the original image. Many modern digital cameras embed a thumbnail image within the larger image. These embedded images are typically used by various file browsing applications, like Windows Explorer or Konqueror, to display a thumbnail of the larger image when browsing your photo collection. Interestingly, some image editing applications do not update the embedded thumbnail image when saving the image. Thus, one may often view the thumbnail to get a better idea of what the original image looked like before it was edited.

The following command will extract the embedded thumbnail image and copy it to a file called thumb.jpg. You could then view thumb.jpg and compare it to the original.

me@linux:~/test> exiftool -b -ThumbnailImage modified.jpg > thumb.jpg


The Trouble With Metadata

In many ghost hunting books I've read, I have often seen EXIF and other metadata compared to a negative produced by 35mm film. The purpose is typically to suggest that while a negative can help verify the authenticity or correctness of the developed image, the EXIF metadata can serve a similar function for the digital format. Unfortunately, the reality is that quite often this is not the case. While still valuable information for analyzing digital photographs, the trouble with most metadata is that this information can be manipulated as easily as the digital photograph itself.

Example: Altering metadata

Let's say we have a digital image called original.jpg captured using a digital SLR camera. We then make a copy of the image, modify it and call it modified.jpg.



[Image: Original Photo]

[Image: Modified Photo]


Depending on the application used to edit the image, the EXIF data may be changed, added to or sometimes completely removed. Popular applications such as Photoshop or the GIMP (GNU Image Manipulation Program) may add their own metadata to an image while preserving much of the original data.

Using the exiftool and diff utilities, one could type the following command to view the changes in metadata between the two image files:

me@linux:~/test> diff <(exiftool -a -u original.jpg) <(exiftool -a -u modified2.jpg)
7a8,11
> JFIF Version : 1.1
> Resolution Unit : inches
> X Resolution : 72
> Y Resolution : 72
65,67c69,70
< Modify Date : 2006:04:15 20:55:48
< Thumbnail Offset : 2498
< Thumbnail Length : 15105
---
> Thumbnail Offset : 2484
> Thumbnail Length : 7653
73c76
< Thumbnail Image : (Binary data 15105 bytes, use -b option to extract)
---
> Thumbnail Image : (Binary data 7653 bytes, use -b option to extract)

I realize that this output probably looks a bit cryptic to those who are not familiar with the diff utility, but I'll explain what it all means. The first thing one might notice from this output is that, surprisingly, very little metadata was actually changed by the image editing program. The application did, however, add a new metadata group called JFIF and the Modify Date tag has been removed. The other data, such as thumbnail information, is not as critical since one would need both the original and the modified file in order to see that this data has changed.

This is just one example. Other image editing applications will add, modify or delete different metadata - leaving different "fingerprints" on the altered file. Test this out for yourself. If you find anything interesting, please send me an email and let me know.
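
The same kind of fingerprint can be looked for in the file's segment layout instead of in exiftool's text output. The Python sketch below is an added example, not part of the original article or of exiftool: it walks the JPEG header segments and reports a JFIF or Photoshop segment sitting beside camera Exif data. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example: a heuristic segment walker, not a full JPEG or Exif parser.

def jpeg_segments(data: bytes):
    """Return [(segment, identifier)] for every header segment before the image scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: headers are over
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:  # APP0..APP15 carry metadata, tagged by an ASCII id
            ident = payload.split(b"\x00", 1)[0].decode("ascii", "replace")
            found.append((f"APP{marker - 0xE0}", ident))
        else:
            found.append((f"0x{marker:02X}", ""))
        pos += 2 + length
    return found

def editing_hints(data: bytes):
    """List editor fingerprints; an empty list does NOT prove the file is untouched."""
    idents = [ident for _, ident in jpeg_segments(data)]
    hints = []
    if "JFIF" in idents and "Exif" in idents:
        hints.append("JFIF APP0 segment present alongside Exif")
    if any(i.startswith("Photoshop") for i in idents):
        hints.append("Photoshop APP13 segment present")
    return hints

def _seg(marker: int, payload: bytes) -> bytes:
    """Build one segment: FF, marker byte, big-endian length, payload."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed header-only samples (not real photos) standing in for the two files.
_EXIF = _seg(0xE1, b"Exif\x00\x00II*\x00")
_DQT = _seg(0xDB, bytes(65))
CAMERA = b"\xff\xd8" + _EXIF + _DQT + b"\xff\xd9"
EDITED = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
          + _EXIF + _seg(0xED, b"Photoshop 3.0\x008BIM") + _DQT + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("original.jpg", CAMERA), ("modified.jpg", EDITED)):
        print(name, jpeg_segments(blob), editing_hints(blob))
```

To run it against a real file, pass `open(path, "rb").read()` to `editing_hints`; treat any hit as a reason to look closer, not as proof of editing.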

Now, to fix modified.jpg so that the metadata matches original.jpg. What we will end up doing is copying the metadata from the original photo to the modified photo. The problem is that this process will also overwrite the embedded thumbnail image with the one from the original file, so we will first need to save the thumbnail from the modified image so we can re-embed it later:

me@linux:~/test> exiftool -b -ThumbnailImage modified.jpg > thumb.jpg

Now, copy all the metadata from the original to the modified image:

me@linux:~/test> exiftool -TagsFromFile original.jpg -all:all modified.jpg
1 image files updated

Re-embed the thumbnail image saved from the modified image:

me@linux:~/test> exiftool '-ThumbnailImage<=thumb.jpg' modified.jpg
1 image files updated

Rip out the JFIF tags added by the image editing program:

me@linux:~/test> exiftool -JFIF:All= modified.jpg
1 image files updated

If Photoshop was used, these tags can be removed as well:

me@linux:~/test> exiftool -Photoshop:All= modified.jpg
1 image files updated

Now, let's compare the images again:

me@linux:~/test> diff <(exiftool -a -u original.jpg) <(exiftool -a -u modified.jpg)
55,56c55,56
< Thumbnail Offset : 2498
< Thumbnail Length : 15105
---
> Thumbnail Offset : 2502
> Thumbnail Length : 7653
62c62
< Thumbnail Image : (Binary data 15105 bytes, use -b option to extract)
---
> Thumbnail Image : (Binary data 7653 bytes, use -b option to extract)

There is now little difference between the original and altered photo, and certainly nothing left that we could use to identify fraud. Attributes related to the thumbnail have changed, of course, but as I mentioned before, without access to the original file this difference cannot be detected.

I suppose I should make a note here that neither I nor AGHOST condone the intentional manipulation of any sort of data for the purposes of deceiving the public. The purpose of this section is simply to show that the metadata contained in an image can be manipulated as easily as the image itself, and thus should not be trusted as the sole means to verify the authenticity of a photograph. As I mentioned earlier, EXIF and other metadata types were designed to facilitate the sharing of media files and other data. The specification does not (as far as I know) include any sort of data integrity functionality for the metadata itself.

Fortunately, detecting photo fakery is a very well-studied problem. New software to detect image manipulation is constantly being developed and becoming more accessible, and there are also many other techniques which can be used to detect altered photos. I'm interested in knowing what techniques other groups are using to analyze photo evidence. As always, please feel free to post a comment or shoot me an email and share your ideas.

2 comments:

LB said...

Awesome article! Thanks for writing this!

boardhead62 said...

A well-written article. Your conclusions are valid with respect to the content of the meta information, but the structure provides a signature which can often be used to determine if an image has been altered (but can't be used to prove emphatically that it hasn't). Use the exiftool -htmldump feature to see what I'm talking about.