View Full Version : Altering metadata in digital photos



Chris P
04-06-2013, 01:58 PM
My bad guy is up to no good, which is good for me since I'd have nothing to write about if he behaved himself. He's taken my MC's girlfriend and two other friends hostage, and periodically sends photos of the hostages holding that day's newspaper.

If he wanted the authorities to think the picture was taken on a different day than it actually was, it's simple enough for him to use an old newspaper, but what about the metadata recorded with the picture? Right-clicking and trying to alter the date and time on the photo doesn't work, but I'm sure a baddie as badass as mine has software that can crack that. But is there more deeply encrypted metadata he might not know about or that cannot be cracked?

Another option is to change the date and time on the camera, as some of my photos after changing a dead battery record the picture as being taken in the wee hours on January 1st. What if the photo was taken with a cell phone? Would he be able to alter the day and time there, or would the info from the cell signal override that?

Worse comes to worst, I'll have him print out the photos instead of sending electronically (but I don't want to because I want my MC to win in the end).

Priene
04-06-2013, 02:31 PM
If he wanted the authorities to think the picture was taken on a different day than it actually was, it's simple enough for him to use an old newspaper, but what about the metadata recorded with the picture? Right-clicking and trying to alter the date and time on the photo doesn't work, but I'm sure a baddie as badass as mine has software that can crack that. But is there more deeply encrypted metadata he might not know about or that cannot be cracked?

He could plausibly (http://en.wikipedia.org/wiki/Exchangeable_image_file_format) mess up the exif metadata when he uses an older image editor:


The derivation of Exif from the TIFF file structure using offset pointers in the files means that data can be spread anywhere within a file, which means that software is likely to corrupt any pointers or corresponding data that it doesn't decode/encode. For this reason most image editors damage or remove the Exif metadata to some extent upon saving.

He could take the photo, doctor it in some way, save it, then realise he hasn't changed the metadata. So he googles how to edit the metadata and changes that. Job done, only the earlier act of saving has corrupted a pointer to manufacturer-specific metadata which happens to include a datetime code, so the metadata editor can't now find or change it. Later on, though, someone (they'd have to be an expert) searching through the raw data of the image file could discover the unchanged but inaccessible metadata.

Cath
04-06-2013, 02:41 PM
Have him screenshot the picture. The exif on the original goes away.

I think there are ways to copy or duplicate in Lightroom or photoshop that would have the same effect. Let me do some digging.

Chris P
04-06-2013, 02:57 PM
He could take the photo, doctor it in some way, save it, then realise he hasn't changed the metadata. So he googles how to edit the metadata and changes that. Job done, only the earlier act of saving has corrupted a pointer to manufacturer-specific metadata which happens to include a datetime code, so the metadata editor can't now find or change it. Later on, though, someone (they'd have to be an expert) searching through the raw data of the image file could discover the unchanged but inaccessible metadata.

The analyzer would be an expert, for sure; the bad guy wants the authorities to know he has these hostages, only he wants them to think he had the hostages in places at times he didn't actually have them there, and the good guys will put their best on the case. When you say "corrupted," do you mean the date code was scrambled, or does it corrupt something else, then when saved both the old and new date codes are preserved, with the oldest of course being the more accurate?

And thanks Cath. That might work too, although I'd have to decide if he cared about the date stamp on the screen shot.

Priene
04-06-2013, 03:27 PM
The analyzer would be an expert, for sure; the bad guy wants the authorities to know he has these hostages, only he wants them to think he had the hostages in places at times he didn't actually have them there, and the good guys will put their best on the case. When you say "corrupted," do you mean the date code was scrambled, or does it corrupt something else, then when saved both the old and new date codes are preserved, with the oldest of course being the more accurate?


Imagine that the only way to find the treasure is via a treasure map. The first save destroys the map, but the treasure is still there.

The crucial bit is this


The derivation of Exif from the TIFF file structure using offset pointers in the files means that data can be spread anywhere within a file

This means metadata is not always stored at a set place in the file, and software wanting to retrieve the software must first look at another part of the file to find out where the metadata is. That's called a pointer. If the pointer gets overwritten, as might happen during the first save if the image editor was unaware of the format being used by the camera manufacturer. The image editor might, for instance, when saving just write a load of zeroes over parts of the file that it doesn't know what to do with. The pointer would get overwritten, and any other image editor software would no longer be able to know of the existence of the metadata. But the metadata itself could still be there, inaccessible to an image editor but still there to eyeball in a byte editor.


EDIT: Actually, you might need only one save. The image editor might not know about some of the manufacturer's metadata and might overwrite any pointers it didn't know what to do with. So the act of changing metadata would actually preserve some.

Chris P
04-06-2013, 04:17 PM
This means metadata is not always stored at a set place in the file, and software wanting to retrieve the software must first look at another part of the file to find out where the metadata is. That's called a pointer. If the pointer gets overwritten, as might happen during the first save if the image editor was unaware of the format being used by the camera manufacturer. The image editor might, for instance, when saving just write a load of zeroes over parts of the file that it doesn't know what to do with. The pointer would get overwritten, and any other image editor software would no longer be able to know of the existence of the metadata. But the metadata itself could still be there, inaccessible to an image editor but still there to eyeball in a byte editor.


EDIT: Actually, you might need only one save. The image editor might not know about some of the manufacturer's metadata and might overwrite any pointers it didn't know what to do with. So the act of changing metadata would actually preserve some.

Haha! Got it! Good explanation. Is it possible that someone who thought he knew what he was doing (but really didn't) intentionally overwrite the pointer, but mistakenly think he was overwriting the metadata itself? I need something I can plausibly have happen but still be simple enough for the average reader (or even writer :-p) to follow.

Priene
04-06-2013, 11:21 PM
Haha! Got it! Good explanation. Is it possible that someone who thought he knew what he was doing (but really didn't) intentionally overwrite the pointer, but mistakenly think he was overwriting the metadata itself? I need something I can plausibly have happen but still be simple enough for the average reader (or even writer :-p) to follow.

You'd probably be best to show it in reverse. The expert calls the MC in and shows him Photoshop or whatever with the existing metadata including the date 16/01/2013. Then he opens up the same file in something geeky like HxD (http://mh-nexus.de/en/graphics/HxDShotLarge.png), which shows the hex values of each byte in the file on the left and their text value (if any) on the right. The hero would see J a n - 0 8 - 2 0 1 3 and maybe M a n y u i S p e e d o P h o n e on the right, which led the expert to conclude that the photo must have been doctored, as the dates don't match and there's no surviving pointer to these strings.
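
The expert's check described in the posts above, as an added example that is not part of the original thread: walk the TIFF/Exif pointer chain to see which strings a normal viewer can reach, then scan the raw bytes for Exif-style dates that no pointer leads to. It assumes the input is the TIFF/Exif block already cut out of the image file; the sample bytes and the function names are constructed for illustration, with a zeroed Exif sub-directory pointer standing in for the overwritten pointer in the story.

```python
import re
import struct

DATE_RE = re.compile(rb"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}")  # Exif date layout
SUB_IFD_TAGS = {0x8769, 0x8825}  # pointers to the Exif and GPS sub-directories


def reachable_ascii(tiff):
    """Walk the pointer chain; return {offset: bytes} for every ASCII value found."""
    bo = "<" if tiff[:2] == b"II" else ">"  # byte-order mark
    found, seen = {}, set()
    todo = [struct.unpack_from(bo + "I", tiff, 4)[0]]  # offset of first directory
    while todo:
        ifd = todo.pop()
        if ifd == 0 or ifd in seen or ifd + 2 > len(tiff):
            continue  # zeroed, looping or out-of-range pointer: dead end
        seen.add(ifd)
        (count,) = struct.unpack_from(bo + "H", tiff, ifd)
        end = ifd + 2 + 12 * count
        if end + 4 > len(tiff):
            continue  # directory runs off the end of the data
        for pos in range(ifd + 2, end, 12):
            tag, typ, n, val = struct.unpack_from(bo + "HHII", tiff, pos)
            if tag in SUB_IFD_TAGS:
                todo.append(val)
            elif typ == 2:  # ASCII: stored inline if it fits in 4 bytes
                off = pos + 8 if n <= 4 else val
                found[off] = tiff[off:off + n]
        todo.append(struct.unpack_from(bo + "I", tiff, end)[0])  # next directory
    return found


def orphaned_dates(tiff):
    """Date strings present in the bytes but not reachable through any pointer."""
    covered = set()
    for off, data in reachable_ascii(tiff).items():
        covered.update(range(off, off + len(data)))
    return [(m.start(), m.group().decode())
            for m in DATE_RE.finditer(tiff) if m.start() not in covered]


def build_sample():
    """Constructed sample: the editor rewrote DateTime and zeroed the Exif pointer."""
    shown = b"2013:01:16 10:00:00\x00"   # what a photo viewer displays
    orphan = b"2013:01:08 09:30:00\x00"  # left behind, no pointer leads to it
    ifd0 = (struct.pack("<H", 2)
            + struct.pack("<HHII", 0x0132, 2, 20, 38)  # DateTime -> offset 38
            + struct.pack("<HHII", 0x8769, 4, 1, 0)    # Exif pointer, zeroed
            + struct.pack("<I", 0))                    # no further directory
    return b"II*\x00" + struct.pack("<I", 8) + ifd0 + shown + orphan


if __name__ == "__main__":
    sample = build_sample()
    print("reachable:", reachable_ascii(sample))
    print("orphaned: ", orphaned_dates(sample))
```

A non-empty result from `orphaned_dates` is the mismatch the expert points at: a date the viewer shows, and a second date that only a byte-level scan finds.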

Duncan J Macdonald
04-08-2013, 02:26 AM
May I remind everyone of the 'Evil Overlord Checklist'? Don't make this any harder than you need to.

What devices write the metadata?

1) The camera. Set the date on the camera to the date you want, and disable GPS (if the camera is so equipped). Might be reasonable for the Bad Guy to get an old-model camera from a pawn shop that has limited capabilities.

2) The computer where the files are downloaded. Set the date on the computer. If a Windows Box, start in Safe Mode without LAN support to disable the OS from looking for the network time stamp.

Result is the metadata saying what you want it to say without having to have mad haxxor ski1z.

King Neptune
04-08-2013, 03:04 AM
While DJM has an excellent point, if the photo had already been taken, then that wouldn't work. One important question is: Does he want the date stamp to be earlier or later? If he realizes a week later that he wants it to have been taken on January 8, then all he has to do is, in a full-featured image editing program, select the whole picture, which will include only the visible parts of it, and paste that as a new image. The metadata will show the creation time when he did that. Then he has to destroy all copies of the original and all references to the original, which isn't as easy.
Another question is which format the photo was saved in, because different ones contain different data. It was my understanding that cellphone cameras use JPG as the default format.

Chris P
04-08-2013, 11:55 AM
He would want to have the date stamp be older (or scrubbed entirely), since there would be no way to get next week's newspapers for the hostages to hold. What I've decided he wants is for the authorities to think he was in a certain place earlier than he said he was, causing them to construct a false trail of his whereabouts. "The hostage was on a rooftop holding January 31st's Seattle Times with the Space Needle in the background, proving he was in Seattle on the 31st" when he was actually there on February 5th. By mixing and matching the dates, he can also form a fictitious path of Seattle on the 31st, Chicago on the 3rd, Atlanta on the 5th when it was actually Chicago on the 31st, Atlanta on the 3rd and Seattle on the 5th. But that's all beside the point here.

If he was planning this, then he would simply change the date on the camera, as Duncan said. But I need some way for him to mess up, which could be that the computer he downloaded it to had the correct date. All this would do, however, is cause the authorities to say the photo was taken on the proper day, but not downloaded until later. In that way, Priene's suggestion of two different programs reading different metadata from the same file might be a better choice. Hmmm, this is turning out to be more difficult than I thought, especially describing in a way that doesn't zoom over this poor author's head.

I've also used weather cues (evidence of rain, cloudiness, etc) to betray the discrepancy, but something techy and whizz-bang might make for a better story.

Any other possibilities are welcomed.

Cath
04-08-2013, 01:40 PM
What about an element within the photo? Say it's dry and sunny on Jan 31st, but there's snow before the photo is taken. Or a blimp advertising a sporting event for the 31st is in the background?

cbenoi1
04-08-2013, 04:12 PM
I was thinking about something biological which, left untreated, can be monitored visually. Like a rash.

How about period pimple(s) on the MC girlfriend's face. Without access to make-up or acne medication, the pattern will evolve on its own slow pace (usually over a span of a few days). It's something the kidnapper is oblivious to, but an astute detective might pick up on that. It's the kind of information that's "in your face" all the time... |8-}

-cb

ETA: if the other hostages are also female, their ovulation periods can be staggered over time. The police can then sort the pictures out and put them in their proper time order.

King Neptune
04-08-2013, 11:09 PM
He would want to have the date stamp be older (or scrubbed entirely), since there would be no way to get next week's newspapers for the hostages to hold. What I've decided he wants is for the authorities to think he was in a certain place earlier than he said he was, causing them to construct a false trail of his whereabouts. "The hostage was on a rooftop holding January 31st's Seattle Times with the Space Needle in the background, proving he was in Seattle on the 31st" when he was actually there on February 5th. By mixing and matching the dates, he can also form a fictitious path of Seattle on the 31st, Chicago on the 3rd, Atlanta on the 5th when it was actually Chicago on the 31st, Atlanta on the 3rd and Seattle on the 5th. But that's all beside the point here.

If he was planning this, then he would simply change the date on the camera, as Duncan said. But I need some way for him to mess up, which could be that the computer he downloaded it to had the correct date. All this would do, however, is cause the authorities to say the photo was taken on the proper day, but not downloaded until later. In that way, Priene's suggestion of two different programs reading different metadata from the same file might be a better choice. Hmmm, this is turning out to be more difficult than I thought, especially describing in a way that doesn't zoom over this poor author's head.

I've also used weather cues (evidence of rain, cloudiness, etc) to betray the discrepancy, but something techy and whizz-bang might make for a better story.

Any other possibilities are welcomed.

I don't know all that many cellphone cameras, but the ones I have seen used JPG format and got their date from the cellphone, which gets the date from the network, so one cannot change the camera's date.

There's a sneaky way to change things. Change the file format to TXT and open the file in Notepad, search through for the date, edit the date, save and close. Then change to a JPG extension again, and Voila! the metadata will be what you wanted. TXT files are wonderful things.

If you want him to mess it up, then have him accidentally delete a few lines from the middle of the file.

You might want to experiment with this method before you write it. I once deleted some damaged parts of a JPG file that I wanted to save, and it was fine, except that part of the picture was gone.

L M Ashton
04-10-2013, 06:03 AM
I don't know all that many cellphone cameras, but the ones I have seen used JPG format and got their date from the cellphone, which gets the date from the network, so one cannot change the camera's date.
Not true.

I tested this using my iPhone 4s. I have the setting for setting time and date automatically off. I changed the date to the year 2000. I took a photo. Yup, it shows the year 2000 for when the photo was taken. I looked after I uploaded it to my computer to verify.

It took me all of five seconds to do this.

ETA: I just did this with an Android phone, too. Also all of five seconds to change the date to the year 2005, also set the automatic date and time setting to off.

The phone cameras take their date from the mobile phone. Change the date on the mobile phone, and you've changed the date for the pictures you take. Dead easy.

King Neptune
04-10-2013, 04:22 PM
Not true.

I tested this using my iPhone 4s. I have the setting for setting time and date automatically off. I changed the date to the year 2000. I took a photo. Yup, it shows the year 2000 for when the photo was taken. I looked after I uploaded it to my computer to verify.

It took me all of five seconds to do this.

ETA: I just did this with an Android phone, too. Also all of five seconds to change the date to the year 2005, also set the automatic date and time setting to off.

The phone cameras take their date from the mobile phone. Change the date on the mobile phone, and you've changed the date for the pictures you take. Dead easy.

That's good to know, but it does not appear to be possible on all cell phones, or maybe it is, and I just couldn't find it.

L M Ashton
04-10-2013, 04:28 PM
I'm pretty sure I've been able to do this with every mobile phone with camera that I've had in the last however many years since they've been out. We've had quite a few different makes and models in our home - the husband is a mobile apps developer, so needs them for testing.

Now, how common it is to know where to find these settings? That I can't answer. I suspect that most people who don't know just haven't bothered to look because it didn't matter to them. Whereas I know, when I'm travelling to another time zone, that there will be a delay between arriving in the new time zone and when the phone will be updated automatically to the new time, so I change it manually mid-flight.

King Neptune
04-10-2013, 06:14 PM
I'm pretty sure I've been able to do this with every mobile phone with camera that I've had in the last however many years since they've been out. We've had quite a few different makes and models in our home - the husband is a mobile apps developer, so needs them for testing.

Now, how common it is to know where to find these settings? That I can't answer. I suspect that most people who don't know just haven't bothered to look because it didn't matter to them. Whereas I know, when I'm travelling to another time zone, that there will be a delay between arriving in the new time zone and when the phone will be updated automatically to the new time, so I change it manually mid-flight.

It would be easy to change the time zone, but I don't see a way to edit the date, but I don't have a camera on this phone, so it might be something else that isn't on here.

L M Ashton
04-11-2013, 05:43 AM
https://plus.google.com/photos/109432237775203772570/albums/5865353033797885969/5865353049733377154?banner=pwa
https://lh4.googleusercontent.com/-kiLOgckTB1E/UWXrhdOcrII/AAAAAAAAAtM/-5226WieOF0/s645/Screenshot_2005-04-11-06-36-28.png
https://lh4.googleusercontent.com/-mM3tfbL-SZE/UWYRu6h7JwI/AAAAAAAAAtc/cx2a39o7cEE/s861/date+ipad.PNG

https://plus.google.com/photos/109432237775203772570/albums/5865353033797885969/5865395062379849474?banner=pwa