Figure 29: what the degradation of an image in RAM looks like. From left to
right: 5 seconds, 30 seconds, 60 seconds and 5 minutes.
The following method will not be explained in this course, since it requires
advanced reversing skills and experience in physically handling (and potentially
destroying) RAM modules. It is enough to know that the "cold" in the name refers
to the extraction technique: the RAM is cooled to around -50°C with a spray can
(typically a compressed-air duster held upside down; Figure 30), so that its
contents survive for some minutes after power is cut, long enough to dump the
memory from a minimal OS booted from USB or after moving the module to another
machine.
Figure 30: demonstration of the Cold Boot RAM Extraction method
7.7 Metadata & EXIF Data
In IT, metadata are elements within files, usually invisible to the end user,
that carry various data allowing the programs that handle those files to work
properly. Metadata may contain information about your identity and can be found
in many formats: pictures, documents, videos and so on.
The story of w0rmer, codename of Higinio O. Ochoa III, is quite famous in
the IT world. A self-proclaimed member of the Anonymous movement (through the
CabinCr3w group) who had breached US law enforcement websites, he was identified
through a picture of his girlfriend, posted as a trophy, in which she held a
sign reading: "PwNd by w0rmer & CabinCr3w <3 u BiTch's!". The FBI located her,
and through her him, using the GPS coordinates stored in the picture's metadata
(EXIF data, described below).
Images are without doubt one of the resources that made IT what it is today.
Nowadays we are used to several formats (JPG, PNG, TIFF and so on); each has its
own characteristics and suits different scenarios.
EXIF data are metadata embedded in media files (images and some videos) that
reveal additional, and quite interesting, information: the brand and model of
the device that took the picture and, where the camera writes it, the device's
unique serial number (the "machine ID"); the date and time; resolution and
exposure settings; and, when present, even GPS coordinates.
7.7.1 How to view the EXIF Data
Modern image viewers pre-installed in operating systems can show image metadata
in its various formats. On Debian with GNOME 3, the official image viewer (Eye
of GNOME) has a sidebar that shows the metadata read from the image; if it is
not visible, enable it from the menu: View -> Sidebar (or press CTRL+F9).
7.7.1.1 MAT: Metadata Anonymisation Toolkit
Certainly one of the most popular metadata management programs in the IT
world is MAT: Metadata Anonymisation Toolkit [103]. The tool is pre-installed on
several GNU/Linux distros and available in most repositories; you can also find
the git repos [104] and the stable sources [105].
You can install it on Debian with the command:
$ sudo apt-get install mat
Note that the original MAT is no longer maintained: its successor, mat2, replaces
it in current Debian releases (sudo apt-get install mat2) and offers the same
cleaning from the command line (mat2 -s picture.jpg shows the metadata, mat2
picture.jpg writes a cleaned copy named picture.cleaned.jpg).
MAT handles different formats and is available as a CLI and, more commonly,
as a GUI. The GUI lets you put one or more files into a list; double-clicking a
file shows its metadata fingerprint (Figure 31).
Figure 31: details of a test image with MAT
In this example you can see many details about the picture, including GPS
coordinates, resolution, ISO, smartphone model and so on.
MAT also offers a convenient metadata removal function, enabled by clicking
the "Scour" button.
Why not try it with some of your own pictures? Take one with a camera or
smartphone, then try again with an image downloaded from the web. You can also
try different file types, or even non-image documents.
Please note that, when testing images from the Internet (especially from
social networks), the metadata may not be readable at all. This is because the
site's upload code usually re-encodes the image (changing format and
resolution) to save storage space and bandwidth, and drops the metadata in the
process. Keep in mind, however, that the service may still store the original
file you uploaded, metadata included.
Do you want to quickly erase EXIF data from a JPG? Convert it to .PNG: the
original PNG format has no EXIF container. Two caveats, though: PNG has its own
text chunks (tEXt/iTXt) that a converter may fill with the source metadata, and
since the 2017 extension to the specification an eXIf chunk exists, so re-check
the converted file with a metadata viewer rather than trusting the conversion.
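To make the fields described in 7.7 and the "Scour" function concrete, here is an added example (my code, not part of the original course and not MAT's code). It builds a constructed sample JPEG whose Exif block carries Make, Model, DateTime and a GPS sub-IFD, parses those fields back out the way a viewer does (APP1 segment -> TIFF header -> IFD0 -> GPS IFD), converts the degrees/minutes/seconds rationals to decimal coordinates, and finally drops the metadata segments the way the "Scour" button does, so the same parser can confirm nothing is left. The device names, date and coordinates are made up; only the Python standard library is used.

```python
import struct

# TIFF field types and the handful of EXIF tags this example handles (names from
# the EXIF spec; real files carry many more: ISO, exposure, lens, software, ...)
ASCII, LONG, RATIONAL = 2, 4, 5
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}
SOI, EOI, SOS, APP1, APP13, COM = 0xD8, 0xD9, 0xDA, 0xE1, 0xED, 0xFE
IFD_SIZE = 2 + 4 * 12 + 4  # entry count + four 12-byte entries + next-IFD pointer

def _dms(deg):
    """Decimal degrees -> [(deg,1), (min,1), (sec*100,100)]: how EXIF stores GPS."""
    deg = abs(deg)
    d, m = int(deg), int((deg - int(deg)) * 60)
    return [(d, 1), (m, 1), (round(((deg - d) * 60 - m) * 6000), 100)]

def _entry(tag, typ, count, payload, data, base):
    """One 12-byte IFD entry; a payload over 4 bytes is appended to `data` (at `base`)."""
    if len(payload) <= 4:
        value = payload.ljust(4, b"\0")
    else:
        value = struct.pack("<I", base + len(data))
        data += payload
    return struct.pack("<HHI", tag, typ, count) + value

def build_exif_jpeg(make, model, datetime_str, lat, lon):
    """Constructed sample: SOI, APP1/Exif, EOI.  No pixel data, so not viewable,
    but the Exif block is laid out exactly as a camera or phone writes it."""
    base, data = 8 + IFD_SIZE, bytearray()           # data area follows IFD0
    gps_off, gdata, gbase = base, bytearray(), base + IFD_SIZE
    rat = lambda pairs: b"".join(struct.pack("<II", n, d) for n, d in pairs)
    gps = (_entry(1, ASCII, 2, b"N\0" if lat >= 0 else b"S\0", gdata, gbase)
           + _entry(2, RATIONAL, 3, rat(_dms(lat)), gdata, gbase)
           + _entry(3, ASCII, 2, b"E\0" if lon >= 0 else b"W\0", gdata, gbase)
           + _entry(4, RATIONAL, 3, rat(_dms(lon)), gdata, gbase))
    data += struct.pack("<H", 4) + gps + struct.pack("<I", 0) + gdata   # GPS sub-IFD
    ifd0 = b""
    for tag, text in ((0x010F, make), (0x0110, model), (0x0132, datetime_str)):
        payload = text.encode("ascii") + b"\0"
        ifd0 += _entry(tag, ASCII, len(payload), payload, data, base)
    ifd0 += _entry(0x8825, LONG, 1, struct.pack("<I", gps_off), data, base)
    tiff = b"II*\0" + struct.pack("<IH", 8, 4) + ifd0 + struct.pack("<I", 0) + bytes(data)
    app1 = b"Exif\0\0" + tiff
    return bytes([0xFF, SOI, 0xFF, APP1]) + struct.pack(">H", len(app1) + 2) + app1 + bytes([0xFF, EOI])

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment; the last one is SOS or EOI
    and its `end` is the end of file (entropy-coded data and anything after it)."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def strip_metadata(jpeg):
    """Re-emit the JPEG without APP1 (Exif/XMP), APP13 (IPTC) and COM segments.  Pixel
    data, APP0 (JFIF) and APP2 (ICC profile) are copied verbatim so the image renders
    the same.  My re-implementation of what MAT's "Scour" does for JPEG, not MAT's code."""
    kept = [jpeg[s:e] for m, s, e in _segments(jpeg) if m not in (APP1, APP13, COM)]
    return jpeg[:2] + b"".join(kept)

def _decode(raw, typ, count, bo):
    if typ == ASCII:
        return raw.rstrip(b"\0").decode("ascii", "replace")
    vals = struct.unpack(bo + "I" * (count * (2 if typ == RATIONAL else 1)), raw)
    return list(zip(vals[::2], vals[1::2])) if typ == RATIONAL else vals

def read_exif(jpeg):
    """Return {tag name: value} for the tags above found in the Exif APP1 segment."""
    for m, s, e in _segments(jpeg):
        if m == APP1 and jpeg[s + 4:s + 10] == b"Exif\0\0":
            tiff = jpeg[s + 10:e]                  # TIFF block: all offsets are relative to it
            break
    else:
        return {}
    bo = "<" if tiff[:2] == b"II" else ">"         # byte-order mark: "II" little, "MM" big
    sizes, found = {ASCII: 1, LONG: 4, RATIONAL: 8}, {}
    def walk(offset, names):
        for i in range(struct.unpack(bo + "H", tiff[offset:offset + 2])[0]):
            at = offset + 2 + 12 * i
            tag, typ, count = struct.unpack(bo + "HHI", tiff[at:at + 8])
            size = sizes.get(typ, 0) * count
            if size <= 4:                          # value stored inline in the entry
                raw = tiff[at + 8:at + 8 + size]
            else:                                  # entry holds an offset into the TIFF block
                off = struct.unpack(bo + "I", tiff[at + 8:at + 12])[0]
                raw = tiff[off:off + size]
            if tag == 0x8825:                      # GPSInfo: pointer to the GPS sub-IFD
                walk(struct.unpack(bo + "I", raw)[0], GPS_TAGS)
            elif tag in names:
                found[names[tag]] = _decode(raw, typ, count, bo)
    walk(struct.unpack(bo + "I", tiff[4:8])[0], TAGS)   # IFD0 offset lives at bytes 4..8
    return found

def gps_decimal(exif):
    """Signed decimal (lat, lon) from the DMS rationals, or None if the file has no GPS."""
    if "GPSLatitude" not in exif or "GPSLongitude" not in exif:
        return None
    to_deg = lambda rats: sum(n / d / 60 ** i for i, (n, d) in enumerate(rats))
    lat, lon = to_deg(exif["GPSLatitude"]), to_deg(exif["GPSLongitude"])
    if exif.get("GPSLatitudeRef") == "S":
        lat = -lat
    if exif.get("GPSLongitudeRef") == "W":
        lon = -lon
    return lat, lon
```

Try it on a real photo with `read_exif(open("photo.jpg", "rb").read())` and then `read_exif(strip_metadata(...))`, which should come back empty; `gps_decimal` turns the three rationals into the coordinates you can paste into a map. Two caveats matter in practice: the scrubber copies everything from the SOS marker to the end of the file verbatim, so data appended after the EOI marker (a classic steganography trick) survives; and most phones write far more identifying fields than the four decoded here (MakerNote, lens and software tags, an embedded thumbnail that may still carry the original GPS data), which a full tool such as MAT handles and this parser deliberately does not.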
7.7.1.2 Alternate software for Metadata
We only mentioned MAT because it is open source and quite reliable for our
purposes. There are, however, other programs that work with metadata; the
following list includes some of them with a short description of their
features:
- Free Photo Viewer [106] (Windows) - FPV extracts information from images in
the JPEG and RAW formats, including aperture, ISO value, focal length, time
stamp, flash settings and so on. FPV also comes with a simple image organizer.
- IrfanView [107] (Windows; OSX [108] and Linux [109] only through a
compatibility layer, since there is no native build) - Available in both 32-
and 64-bit versions, it is one of the longest-lived programs in this field. It
opens a huge number of formats (including MP3, EPS, PSD, SWF and so on) and can
be extended with plug-ins.
- Photos (OSX) - The application bundled with Apple's operating systems. Open
any photo and press cmd+i, or right-click -> Get Info. You can add custom
metadata, such as faces, description and keywords, but you cannot modify the
existing ones.
- Image Browser (Windows) - Built into every Microsoft operating system as part
of Explorer. To access the image properties, right-click -> Properties ->
Details tab (Summary tab on older versions).
- ExifPilot [110] (Windows/OSX/Linux): command-line tool written in Perl that
reads any kind of metadata. Note that this description actually fits ExifTool,
the de facto standard cross-platform Perl command-line tool; Exif Pilot proper
is a Windows-only GUI editor.
- GeoSetter [111] (Windows): I think this is one of the best tools around.
Unfortunately it is only available for Windows, but it does amazing things:
besides opening a vast number of digital formats, it lets you change the
geo-coordinates (including altitude), the IPTC values and much more. It is
without doubt one of the best tools for modifying EXIF data, since you can
manipulate them to look convincing (rather than merely erasing them).
- ExifEditorApp [112] (OSX): available for Apple OSs, this app lets you change
EXIF and IPTC metadata.
- ExifDateChange [113] (Windows): exclusively available for Microsoft OS, in
both free and paid versions. A portable version is conveniently available as
well.
Naturally, the list is not limited to the above; many more are available, such
as Batch Purifier LITE [114], EXIFCleaner [115], PhotoME [116] and so on. Just
look them up! Before we proceed, I must remind you that removing metadata is
not the ultimate solution to all your problems: the file you work on may have
been manipulated with steganography, watermarks and other non-standard
metadata. Furthermore, some of the programs we are going to mention allow you
to manage only the surface