Romero Lab 1 Part 2 - Exif Tools
Class: CYBR-405
Notes:
Q1
Using the image file "DSCN0012.jpg", look up the GPS coordinates of that picture and answer below where it was taken.
Run the following:
$ exiftool DSCN0012.jpg
The output would look something like this:
| Data | Value |
|---|---|
| ... | ... |
| Image Size | |
| Megapixels | 0.307 |
| Scale Factor To 35 mm Equivalent | 4.7 |
| Shutter Speed | 1/178 |
| Thumbnail Image | (Binary data 6339 bytes, use -b option to extract) |
| GPS Date/Time | 2008:10:23 14:28:17.24Z |
| GPS Latitude | 43 deg 28' 1.76" N |
| GPS Longitude | 11 deg 53' 7.42" E |
| Auto Focus | On |
| Circle Of Confusion | 0.006 mm |
| Field Of View | 65.5 deg |
| Focal Length 35 mm Equiv | |
| GPS Position | 43 deg 28' 1.76" N, 11 deg 53' 7.42" E |
| Hyperfocal Distance | 1.24 m |
| Light Value | 12.5 |
From this, we know that the GPS Position of the image is 43 deg 28' 1.76" N, 11 deg 53' 7.42" E. Now let's look that location up.
Answer:
Using exiftool on this image, we determined the GPS position to be 43 deg 28' 1.76" N, 11 deg 53' 7.42" E. By converting these coordinates into an address using a coordinate converter, we found that the location of the picture is precisely Via Madonna Laura, Arezzo, Tuscany, 52100, Italy.
Q2
Using the file explorer (not the command line) write below what the picture is.
Answer:
By examining the image file on the file explorer or using feh, I can observe that the image accurately corresponds to the apparent GPS position. I can see some trees and bushes following what appears to be a path where some of the tree leaves have fallen. On the left side, we can see a bit more of the blue-white sky and what seems to be a stone house or structure. There are also some lanterns following the path. This aligns with the coordinates indicated by exiftool, as it appears that this is near a green zone and there is a path for walking.
Q3
What kind of camera was used to take the pictures?
This is the output from the previous exiftool command:
| Data | Value |
|---|---|
| ExifTool Version Number | 13.50 |
| File Name | DSCN0029.jpg |
| Directory | . |
| File Size | 150 kB |
| File Modification Date/Time | 2026:03:10 21:16:40-05:00 |
| File Access Date/Time | 2026:03:11 00:00:12-05:00 |
| File Inode Change Date/Time | 2026:03:10 21:16:40-05:00 |
| File Permissions | -rw-rw-r-- |
| File Type | JPEG |
| File Type Extension | jpg |
| MIME Type | image/jpeg |
| Exif Byte Order | Little-endian (Intel, II) |
| Image Description | |
| Make | NIKON |
| Camera Model Name | COOLPIX P6000 |
| Orientation | Horizontal (normal) |
| X Resolution | 300 |
| Y Resolution | 300 |
| Resolution Unit | inches |
| Software | Nikon Transfer 1.1 W |
| Modify Date | 2008:11:01 21:15:09 |
| Y Cb Cr Positioning | Centered |
| Exposure Time | 1/65 |
| F Number | 5.6 |
| Exposure Program | Program AE |
| ISO | 64 |
| Exif Version | 0220 |
| Date/Time Original | 2008:10:22 16:46:53 |
| Create Date | 2008:10:22 16:46:53 |
| Components Configuration | Y, Cb, Cr, - |
| Exposure Compensation | 0 |
| Max Aperture Value | 2.7 |
| Metering Mode | Multi-segment |
| Light Source | Unknown |
| Flash | Off, Did not fire |
| Focal Length | 22.1 mm |
| Maker Note Version | 2.10 |
| Color Mode | Color |
| ... | ... |
Here we see that the camera used was a Nikon Coolpix P6000 Digital Camera.
Answer:
Upon examining several of the pictures with exiftool I determined that the camera used to capture these images is a Nikon Coolpix P6000 Digital Camera.
Q4
After removing the EXIF data from the photo, what data is left? And is it important?
To remove the EXIF data from the image file we run:
$ exiftool -all= DSCN0012.jpg
Output:
1 image files updated
- That command assigns an empty value to every metadata tag (-all=), which deletes all of the EXIF data that exiftool can write from the image.
Now to check what data is left we just use exiftool again:
$ exiftool DSCN0012.jpg
You will see that the only data remaining is:
| Data | Value |
|---|---|
| ExifTool Version Number | 13.50 |
| File Name | DSCN0012.jpg |
| Directory | - |
| File Size | 144 kB |
| File Modification Date/Time | 2026:03:11 00:13:04-05:00 |
| File Access Date/Time | 2026:03:11 00:13:04-05:00 |
| File Inode Change Date/Time | 2026:03:11 00:13:04-05:00 |
| File Permissions | -rw-rw-r-- |
| File Type | JPEG |
| File Type Extension | jpg |
| MIME Type | image/jpeg |
| Image Width | 640 |
| Image Height | 480 |
| Encoding Process | Baseline DCT, Huffman coding |
| Bits Per Sample | 8 |
| Color Components | 3 |
| Y Cb Cr Sub Sampling | YCbCr4:2:2 (2 1) |
| Image Size | |
| Megapixels | 0.307 |
Is it important?
Yes, the remaining data is still important. Even after removing the EXIF metadata, the file still contains basic file metadata and image structure information, such as the file type, dimensions, encoding method, color components, and timestamps from the filesystem. This information can still be useful in a forensic investigation because it helps identify the format of the file, its resolution, compression method, and when it was modified or accessed.
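The width, height, bit depth and component count survive the strip because they are stored in the JPEG frame header (SOF segment) rather than in the EXIF block, which sits in its own APP1 segment. The added example below (not part of the original lab) walks the segments of a JPEG to show this; `strip_metadata` is a simplified stand-in rather than exiftool's own algorithm, and `SAMPLE` is a constructed byte string with a valid segment layout, not a real photo.

```python
import struct

METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif/XMP), APP13 (IPTC), COM

def segments(data):
    """Yield (marker, start, end) for each segment up to start-of-scan (SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:  # SOS: entropy-coded image data follows
            return
        pos += 2 + length

def summarize(data):
    """Report Exif presence and the frame-header fields that survive stripping."""
    info = {"exif": False}
    for marker, start, end in segments(data):
        payload = data[start + 4:end]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            info["exif"] = True
        elif marker in (0xC0, 0xC2):  # SOF0 baseline / SOF2 progressive
            bits, height, width, comps = struct.unpack(">BHHB", payload[:6])
            info.update(bits=bits, width=width, height=height, components=comps)
    return info

def strip_metadata(data):
    """Simplified stand-in for a metadata stripper (not exiftool's algorithm)."""
    out, last = bytearray(b"\xff\xd8"), 2
    for marker, start, end in segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
        last = end
    return bytes(out) + data[last:]  # scan data and EOI are copied unchanged

def seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF, a dummy Exif block, a 640x480 4:2:2 frame header, scan.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"\x00" * 6)
          + seg(0xC0, struct.pack(">BHHB", 8, 480, 640, 3) + bytes.fromhex("012100021101031101"))
          + seg(0xDA, bytes.fromhex("03010002110311003f00")) + b"\x12\x34\xff\xd9")

print("before:", summarize(SAMPLE), "| after:", summarize(strip_metadata(SAMPLE)))
```

The file size, permissions and modification, access and inode-change times in the table are not in the file at all; they are reported by the filesystem, which is why no metadata stripper removes them.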