Reconnaissance with Images

June 28, 2012 by

Gathering data on a target is extremely important if we plan to execute an attack in a more efficient manner. A typical attack scenario starts with a long reconnaissance process. In this case "reconnaissance" refers to the gathering of information in any and all possible manners regarding a particular object of interest. We can gather information from websites online, dumpster-diving offline, and also through the classic act of social engineering. Online information gathering emerged after millions of people all over the world started participating in social networking sites like Orkut, Facebook, Twitter etc. People started to maintain a virtual image of themselves, which may, or may not, be similar to their real-world image. In this article, we shall see the social implications of these dual personas and how they can lead to the exploitation of vanity. We shall also look into how someone's life can be affected and the risks of geo-localization. This article also features various tools used to perform reconnaissance with the images.

Social networks like Twitter, Facebook etc. are exploiting human vanity. The Y2K syndrome highlighted global fears that there might be something out in the virtual universe that would take control of our lives—something like the implantation of GPS chips in our skin, for example. Well, it's not "something" that takes control of our lives; instead, we ourselves blithely send out various pieces of personal information in an attempt to project ourselves as something special within the virtual universe.

A Classic Example of Information Leakage Through Social Networking Sites

In the above image, we can glean a lot of indirect information regarding the whereabouts of the person. Mr. XYZ was at "Annamalai International Hotel" in a place called "Pondicherry" eight hours ago, and he is using a Windows phone! It's well known that the interface shown in the above image is from Facebook.

Possible Attack Scenario:

It's a reasonably valid assumption that this person uses his mobile device to check email, and to access other online accounts. Suppose I am his friend on the social networking site. Through a socially engineered attack, I can gather information regarding his habits and other personal updates by monitoring the feeds on the site. In addition, because his email ID is listed in his profile, I can probably send him a crafted mail that can gain me backdoor access to his phone through the available exploits. Or I can potentially steal his credentials; the possibilities depend on my creativity. The scenario above provides just one example where an image can speak for the individual.

EXIF Data and Images:

Smartphones and digital cameras (including scanners) use a standard format for images and recorded sounds, called the exchangeable image file format (EXIF). EXIF metadata may include details about the camera model, shutter speed, focal length, etc. Most importantly, it contains GPS information about where the image was taken. By default, almost all smartphones have GPS tagging activated; the camera asks the user to set it during the initial setup. People tend not to remember to strip the GPS location data from every photo they shoot. Thus, GPS information is embedded in almost all images taken.

Social and Security Issues

When a member of the press releases an interview with a hacker (or another wanted criminal) and offers a promise of anonymity during the telecast, that promise does not always hold. Any image that is uploaded from the interview might help an investigation by allowing examiners to track the GPS location where the image was taken. An untrained member of the press staff who publishes the image on the net might not be aware that he should have stripped the EXIF data hidden in the image.

With this background, let's look at various online and offline tools for extracting metadata from an image:

  1. Jeffrey's Exif viewer

    Type of tool: Online

    URL: http://regex.info/exif.cgi

    Input options to the tool

Basic Information provided by the viewer

This is a very basic EXIF data viewer. It shows the specifications of an image with respect to the camera. The information gained from this tool tells us the date and time when the image was taken. It also tells us which camera has been used for the image.

This information is vital if we are going to find a lost camera belonging to a particular person. If we have a database of EXIF data from public images on the internet, a lost camera can be found by comparing the EXIF data of the owner's image and the stolen image.


    Type of tool: Online

    URL: http://exifdata.com

    Input interface of this tool

    Metadata shown

    This tool offers a lot of detail and can be considered advanced. It reveals every bit of metadata embedded in the image; as you can see from the above example, that image was taken with an Apple iPhone 4. Such easily available information will definitely make any attack very efficient.

    In the image below we see the geo-localization information. As mentioned before, the default settings of smartphones keep the GPS settings switched ON. As a result, when an image is taken, its geo-local information (like longitude, latitude, and height above sea level) gets embedded in the image. This comes in very handy when trying to pinpoint the exact location of a criminal who might be absconding from the law.

    GPS Position Exactly Displayed

  1. Opanda IExif Tool

    Type of tool: Freeware

    Download URL: http://www.opanda.com/en/iexif/index.html

Summary of Metadata on Opanda

Opanda is a very advanced tool. It allows for the categorization of various kinds of metadata that can be found in an image. It categorizes data into GPS and IPTC sections. The summary includes all the details, and this tool is very organized compared to all other tools. It also delivers optimum performance with respect to various images.

One added advantage of this tool is that it also allows us to edit the EXIF data within the image. This is very helpful when we want to strip the metadata. We can either change and mask our information, or delete the information altogether.

  1. Windows Image Property Viewer

    Tool type: general, built-in operating system feature

    The above figure shows how to strip off general metadata

This method for viewing metadata is designed for a layman who isn't very adept at using advanced tools and technology. This interface also doesn't strip as much metadata as Opanda does. Thus, this is one of the least used methods when it comes to stripping or viewing EXIF data.

  1. Writing a Custom PHP Script:

The following image shows a script in PHP which will capture the EXIF data from an image. It returns the time and date when the image was taken, the GPS coordinates of the location where the image was taken, and also tries to read from the headers of the image.


In this article we have reviewed the hidden information that pictures can reveal to a forensic expert. Undoubtedly, hidden metadata provides the truth in the age-old quote: "A picture is worth a thousand words." I have tried my best to show you both faces of the coin, i.e. the advantages to both reading the metadata and also to stripping off the metadata. As many people spend time projecting a new virtual image onto the public Internet, they are unaware of just how much information they are unintentionally revealing about themselves. A stalker can find all this information and can still trouble you and invade your privacy. Thus any uploading interface should be embedded with scripts to strip the image being uploaded of metadata so that the user's privacy is not compromised. With these words, I advise all readers to keep a close watch on the amount of information you reveal online.
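One way to apply the upload-side stripping recommended above, as an added example that is not the article's PHP script: a function that walks the JPEG segments and drops the ones holding Exif/GPS, XMP, IPTC and comment data before the file is stored. The function names and the sample bytes are constructed for illustration.

```php
<?php
// Added example, not the article's script. Marker values are from the JPEG
// format; the function names and the sample bytes below are constructed.
const METADATA_MARKERS = [0xE1 => 'APP1 (Exif/GPS or XMP)', 0xED => 'APP13 (IPTC)', 0xFE => 'COM'];

// Returns [clean JPEG bytes, names of the segments that were dropped].
function strip_jpeg_metadata(string $jpeg): array {
    if (strncmp($jpeg, "\xFF\xD8", 2) !== 0) {
        throw new InvalidArgumentException('not a JPEG: missing SOI marker');
    }
    [$out, $removed, $pos, $end] = ["\xFF\xD8", [], 2, strlen($jpeg)];
    while ($pos + 4 <= $end) {
        if ($jpeg[$pos] !== "\xFF") {
            throw new InvalidArgumentException("bad marker at offset $pos");
        }
        $marker = ord($jpeg[$pos + 1]);
        if ($marker === 0xDA || $marker === 0xD9) {
            break; // SOS or EOI: only image data follows, copy it untouched
        }
        $len = unpack('n', $jpeg, $pos + 2)[1]; // big-endian, counts its own 2 bytes
        if ($len < 2 || $pos + 2 + $len > $end) {
            throw new InvalidArgumentException("truncated segment at offset $pos");
        }
        if (array_key_exists($marker, METADATA_MARKERS)) {
            $removed[] = METADATA_MARKERS[$marker];   // metadata: leave it out
        } else {
            $out .= substr($jpeg, $pos, 2 + $len);    // image structure: keep
        }
        $pos += 2 + $len;
    }
    return [$out . substr($jpeg, $pos), $removed];
}

function jpeg_segment(int $marker, string $body): string {
    return "\xFF" . chr($marker) . pack('n', strlen($body) + 2) . $body;
}

// Constructed sample: JFIF header, fake Exif block, comment, then scan data.
$sample = "\xFF\xD8" . jpeg_segment(0xE0, "JFIF\0" . str_repeat("\0", 9))
    . jpeg_segment(0xE1, "Exif\0\0constructed GPS block")
    . jpeg_segment(0xFE, 'taken at home')
    . "\xFF\xDA\x00\x02" . "scan-bytes" . "\xFF\xD9";
[$clean, $removed] = strip_jpeg_metadata($sample);
echo 'dropped: ', implode(', ', $removed), "\n";
echo strlen($sample), ' -> ', strlen($clean), " bytes\n";
```

Removing the APP1 segment also removes the Exif orientation tag, so apply any needed rotation to the pixels before stripping.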


Karthik is a cyber security researcher at Infosec Institute and works for the Cyber Security and Privacy Foundation (a non-profit organization) as a researcher, in India. He has a deep interest in information security as a whole, and is particularly interested in VA/PT and in serving the cause of the nation's security.