EXIF Scrubbing: Hey, Harry! Know your Tool and Wash your Hands.
Those of us at the PhishMe blog would like to remind everyone of a very important lesson from our parents (and restaurant bathrooms): “Wash your hands.” The motto should be repeated by the cameraman of those Harry Potter pictures reported on earlier in the week. Looks like a little Exif metadata wasn’t cleaned off the photos… or was it? What’s better than washing your hands? Setting up someone else to look like the dirty one; two Exif editors quickly came to our attention. While it’s much more plausible that someone would just shoot pics and forget about the Exif data attached to them, it’s not impossible that the data may have been edited to incriminate someone else.
Simply reading the Exifer home page, though, reminds me of another important lesson: “Know your tool”… (maybe that was in a bathroom somewhere too). In short, tools often leave a footprint, whether it’s a user-agent tag in the popular Paros tool or not-so-stealthy NMAP scans. If you have a way to dig deeper and see what the tool is doing, you should. In this case, don’t just rely on an EXIF viewer. Use a hex editor and get a different view of the picture. When it comes time to track down the bad guys, keep a lookout for tell-tale signs.
What a difference a tool makes.


-b3nn
Update:
More fun with EXIF data. Looks like RSnake (who we worship for XSS and WebApp goodness) left an untampered thumbnail behind on one of his posts. The story also links to a nice online EXIF Viewer… anyone checking out our EXIF data?
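The hex-editor view recommended above and the leftover thumbnail from the update, as an added example that is not part of the original post: it walks the raw JPEG segments, reads the Exif Software tag an editor may stamp into the file, and checks IFD1 for an embedded thumbnail. The sample bytes and the editor name `ExampleEditor 1.0` are constructed for illustration.

```python
import struct

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment, read from raw bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", data, pos + 2)
        yield data[pos + 1], data[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_ifd(tiff, off, bo):
    """Return ({tag: (count, 32-bit value field)}, offset of the next IFD)."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    entries = {}
    for i in range(n):
        tag, _type, count, value = struct.unpack_from(bo + "HHII", tiff, off + 2 + 12 * i)
        entries[tag] = (count, value)
    return entries, struct.unpack_from(bo + "I", tiff, off + 2 + 12 * n)[0]

def exif_footprint(data):
    """Report the editor's Software tag and any thumbnail left in IFD1."""
    report = {"exif": False, "software": None, "thumbnail_bytes": 0}
    for marker, payload in jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order mark
        ifd0, ifd1_off = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
        report["exif"] = True
        if 0x0131 in ifd0:  # Software: name of the program that wrote the file
            count, value = ifd0[0x0131]  # strings of 4 bytes or fewer sit inline
            text = tiff[value:value + count] if count > 4 else struct.pack(bo + "I", value)[:count]
            report["software"] = text.rstrip(b"\x00").decode("ascii", "replace")
        if ifd1_off:  # IFD1 describes the embedded thumbnail
            ifd1, _ = read_ifd(tiff, ifd1_off, bo)
            if 0x0202 in ifd1:  # JPEGInterchangeFormatLength
                report["thumbnail_bytes"] = ifd1[0x0202][1]
    return report

def build_sample():
    """Constructed JPEG header: Software tag plus a 4-byte stand-in thumbnail."""
    sw, thumb = b"ExampleEditor 1.0\x00", b"\xff\xd8\xff\xd9"
    ifd1 = 26 + len(sw)  # IFD0 ends at byte 26, the string follows, then IFD1
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, 0x0131, 2, len(sw), 26, ifd1)
    tiff += sw + struct.pack("<HHHIIHHIII", 2, 0x0201, 4, 1, ifd1 + 30,
                             0x0202, 4, 1, len(thumb), 0) + thumb
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

Run `exif_footprint()` on a file after scrubbing it: a non-zero `thumbnail_bytes` or a surviving `software` value means the scrubber left something behind.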
One Comment
Another good example of this type of behavior can be found in old versions of Ike-Scan. I wrote about it in my post titled “Ike-scan 1.8 Information Seepage”.
Go forth and do good things.
Cutaway