Exif's Image File Directory - Forensics Perspective (Part 1)

Exif IFD Tags



Exif data contains different exif tags and each exif tag has its own value (eg. time, data, GPS etc). Exif tags are used to encode additional information related to an image when the image is generated or captured by the digital cameras.

NOTE :There are many exif tags in exif's image file directory but I will cover the most important once from which one can find evidences.

Tags

1. ExposureTime

Exposure time is measured in seconds (eg. 1/500 (0.002 sec)). The main purpose of an exposure time is to describe the brightness of an image or the amount of light a sensor receives.

Evidence :
You can find out whether the photograhp is taken in brightness or darkness. If the exposure time is around 10 to 30 seconds then you can consider it as a night time photography and if the exposure time is around 1100 to 1125 seconds you can consider it as a day time photography.

NOTE :Exposure timings are not always between the above mentioned values, they can set as per the needs of modification. It is easy to identify a modified photograph by looking at the photo.

2. DateTimeOriginal

For digital cameras, this tag stores the date and time the picture was taken or recorded. The format is "YYYY:MM:DD HH:MM:SS" with time shown in 24-hour format and the date and time separated by one blank character (hex 20). When date and time are unknown, all the character spaces except colons (":") may be filled with blank characters. The character string length is 20 bytes including NULL for termination. When the field is left blank, it is treated as unknown.

Evidence :
You can identify what was the exact time the picture was taken and on what date it was taken.

3. DateTimeDigitized

This tag indicates the date and time when the image was stored as digital data (not captured). For example, an image was captured by a digital camera and at the same time the file was recorded (stored), then the DateTimeOriginal and DateTimeDigitized will have the same contents. The format is "YYYY:MM:DD HH:MM:SS" with time shown in 24-hour format and the date and time separated by one blank character (hex 20).

Evidence :
You can identify two things here :
1. Whether the captured photo is stored (saved) or not.
2. If it is stored (saved) then what is the time difference between the photo captured and stored.

4. ApertureValue

Aperture is used for many things but some of the most important ones are brightness or exposure of your images. Aperture controls the brightness of the image that passes through the lens and falls on the image sensor. It is expressed as an f-number (written as "f/" followed by a number), such as f/1.4, f/2, f/2.8, /f4, f/5.6, f/8, f/11, f/16, f/22, or f/32. Aperture stop of a photographic lens can be adjusted to control the amount of light reaching the film or image sensor. In combination with variation of shutter speed, the aperture size will regulate the film's or image sensor's degree of exposure to light.

Evidence :
You can find out whether any kind of modification is done on the light while capturing the photo or not, darker the photo more the aperture value.

5. SubjectDistance

It shows the distance between the focal plane of a camera and the subject being photographed. It is measured in meters and if the numerator of the recorded value is hex FFFFFFFF then the distance is considered as infinity and if the numerator is 0 then the distance is considered as unknown. For example taking a photograhp of a moon the distance would be infinity and in case of taking a selfie the distance would be 0.

Evidence :
You can identify that how many meters of distance was there when the photograph was taken.

6. LightSource

Lighting includes the use of both artificial light sources like lamps and light fixtures, as well as natural illumination by capturing daylight. Daylighting (using windows, skylights, or light shelves) is sometimes used as the main source of light during daytime in buildings.

The specification defines these values :
0 = Unknown
1 = Daylight
2 = Fluorescent
3 = Tungsten (incandescent light)
4 = Flash
9 = Fine weather
10 = Cloudy weather
11 = Shade
12 = Daylight fluorescent (D 5700 - 7100K)
13 = Day white fluorescent (N 4600 - 5400K)
14 = Cool white fluorescent (W 3900 - 4500K)
15 = White fluorescent (WW 3200 - 3700K)
17 = Standard light A
18 = Standard light B
19 = Standard light C
20 = D55
21 = D65
22 = D75
23 = D50
24 = ISO studio tungsten
255 = Other light source

Evidence :
It is easy to identify that the photograhpy is taken at a day time.

7. Flash

A flash is a device used in photography producing a flash of artificial light (typically 1/1000 to 1/200 of a second) at a color temperature of about 5500 K to help illuminate a scene. A major purpose of a flash is to illuminate a dark scene. Flash units are commonly built directly into a camera. Bit 0 indicates the flash firing status, bits 1 and 2 indicate the flash return status, bits 3 and 4 indicate the flash mode, bit 5 indicates whether the flash function is present and bit 6 indicates "red eye" mode.

Values for bit 0 indicating whether the flash fired :
0 = Flash did not fire
1 = Flash fired

Values for bits 1 and 2 indicating the status of returned light :
00 = No strobe return detection function
01 = reserved
10 = Strobe return light not detected
11 = Strobe return light detected

Values for bits 3 and 4 indicating the camera's flash mode :
00 = unknown
01 = Compulsory flash firing
10 = Compulsory flash suppression
11 = Auto mode

Values for bit 5 indicating the presence of a flash function :
0 = Flash function present
1 = No flash function

Values for bit 6 indicating the camera's red-eye mode :
0 = No red-eye reduction mode or unknown
1 = Red-eye reduction supported

Not all combinations make sense though. The specification defines these combined values :
hex 0000 = Flash did not fire
hex 0001 = Flash fired
hex 0005 = Strobe return light not detected
hex 0007 = Strobe return light detected
hex 0009 = Flash fired, compulsory flash mode
hex 000D = Flash fired, compulsory flash mode, return light not detected
hex 000F = Flash fired, compulsory flash mode, return light detected
hex 0010 = Flash did not fire, compulsory flash mode
hex 0018 = Flash did not fire, auto mode
hex 0019 = Flash fired, auto mode
hex 001D = Flash fired, auto mode, return light not detected
hex 001F = Flash fired, auto mode, return light detected
hex 0020 = No flash function
hex 0041 = Flash fired, red-eye reduction mode
hex 0045 = Flash fired, red-eye reduction mode, return light not detected
hex 0047 = Flash fired, red-eye reduction mode, return light detected
hex 0049 = Flash fired, compulsory flash mode, red-eye reduction mode
hex 004D = Flash fired, compulsory flash mode, red-eye reduction mode, return light not detected
hex 004F = Flash fired, compulsory flash mode, red-eye reduction mode, return light detected
hex 0059 = Flash fired, auto mode, red-eye reduction mode
hex 005D = Flash fired, auto mode, return light not detected, red-eye reduction mode
hex 005F = Flash fired, auto mode, return light detected, red-eye reduction mode

Evidence :
If a flash is used in a photography, you can find out whether it was a dark place or a place with lesser light.

8. Focal Length

Focal length tells us the angle of view, how much of the scene will be captured and the magnification and how large individual elements will be. The longer the focal length, the narrower the angle of view and the higher the magnification. The actual focal length of the lens is measured in mm (millimeter).

Evidence :
It is easy to identify from which angle the photograph is taken.

9. SubjectArea

It indicates the location and area of the main subject in the overall scene. It relates to the primary object that’s photographed or the primary point of interest onto which the photographer's lens is focused. It could be person, sky, tree, object, eyes, moon etc.

The subject location and area are defined by Count values as follows :
Count = 2 : Indicates the location of the main subject as coordinates. The first value is the X coordinate and the second is the Y coordinate.
Count = 3 : The area of the main subject is given as a circle. The circular area is expressed as center coordinates and diameter. The first value is the center X coordinate, the second is the center Y coordinate, and the third is the diameter.
Count = 4 : The area of the main subject is given as a rectangle. The rectangular area is expressed as center coordinates and area dimensions. The first value is the center X coordinate, the second is the center Y coordinate, the third is the width of the area, and the fourth is the height of the area.

NOTE : The coordinate values, width and height are expressed in relation to the upper left as origin, prior to rotation processing as per the Rotation tag.

Evidence :
The only evidence you can retrieve from this is, what is the actual thing that is being subjected (getting captured).

10. MakerNote :

It contains manufacturer specific information. A tag for manufacturers of Exif writers to record any desired information. The contents are up to the manufacturer, but this tag should not be used for any other than its intended purpose.

Evidence :
You can collect many evidences from this tag like flash was on or off, what was the camera name, how the photo was recorded (jpeg, png, tiff etc.), whether the photograph was zoomed or not, were there any kind of effects applied, what was the focus range, what was the exposure mode, maximum and minimum values of focal length, maximum and minimum value of aperture, photograph's zoom source and target widths, focal type and focal length, exposure time, distance of the upper and lower focus, image type, camera's firmware version, file number of the photograph, camera's model ID and owner name.


To Be Continued...

Comments

Post a Comment

Popular posts from this blog

Introduction - Part 1

Image
Digital Forensics is a branch of forensic science that uses scientific knowledge or methods to gather evidence and solve crimes. It has some scientifically proven methods to preserve, collect, validate, identify, analyze, interpret, document and present the digital evidence. The main aim of a digital forensic investigation is to find facts and recreate the truth of an event. Digital Forensics has three main categories : Acquisition Analysis Presentation 1. Acquisition : Acquisition means collecting the digital media to examine. It includes optical media, hard drives, storage cards from camera, mobile phones, embedded chips from devices etc. The collected evidence should be treated delicately and a duplicate should be made of the collected evidence to maintain the record. 2. Analysis : In this category a media is actually examined with appropriate analysis methods. It includes file content examination, file system analysis, statistical analysis etc. and finally the results a...
Read more

Exif Data - Introduction

Image
Exchangeable Image File Format Exif Data is a metadata that is generated and stored by your camera whenever you take a photo and this data is embedded within your images and includes information about GPS coordinates (location), that is why many websites are stripping the exif data from the uploaded images due to privacy concern. Apart from your GPS coordinates exif stored many sensitive information and some of them are Camera Model Name, Modify Date, Date/Time Original, Create Date, File Source, Camera Firmware Version, Owner Name, Image Type etc. and all this information is then processed by Exif/DCF reader of the website, if not stripped by the server. This type of information is formatted according to the TIFF specification and may be found in JPG, TIFF, PNG, JP2, PGF, MIFF, HDP, PSP and XCF images, as well as many TIFF-based RAW images and even some AVI and MOV videos. The EXIF meta information is organized into different Image File Directories (IFD’s) within an image. Exif...
Read more