[Underground Security Paper no. 3]
THE DANGERS OF METADATA
BY: DIzzIE [antikopyright 2008]
This is the third Underground Security Paper designed to further
empower you to give yourself some semblance of electronic privacy. If
you haven't done so, go read over USP no. 1: Encrypting your Instant
Messaging Conversations (
http://forum.rorta.net/showthread.php?t=576)
and no. 2: Encrypting Email Communiques
(
http://forum.rorta.net/showthread.php?t=1273).
What is metadata?
To put it bluntly, metadata is hidden data that can fuck you over.
Fuck you over real hard and rough like, savvy? Often defined as "data
about data," metadata is information about a specific file that's
often included within the file itself but that's often not readily
visible or modifiable to the end-user when z is viewing the file in
the standard application that z would typically use to view the file.
In other words, metadata provides background information about a
file. Chances are that every document you create, every digital
photograph you take, every music file you download, and so on, all
have little bits of metadata which can leak vital information about
your identity.
What kind of data can metadata contain?
Embedded metadata can contain everything from your full name to
device serial numbers to even your GPS coordinates. Other more
mundane, but no less salient, bits of metadata may include the date
the file was created, when it was last modified, the names of all the
different personages who contributed to it, what applications or
appliances were used to create the file, and so on. Suffice it to say
that metadata is data that you will either want to delete entirely,
or better yet, inject false data so as to spread disinformation (see
How to Lie to People (
http://forum.rorta.net/showthread.php?t=895)
for a more in-depth look at this general strategy).
The rest of this textfile will discuss five examples of metadata in
three different common file formats (DOCs, PDFs, and JPGs), as well
as Thumbs.db files and MRU file lists (which we'll get to later on),
along with describing how you can modify that data as well as taking
preventative measures to make sure your data isn't accidentally
leaked in the first place. Be sure to read the entire textfile even
if you don't give a flying fuck about a particular file format as
potentially valuable vignettes and notes are sprinkled throughout.
PDF Files (not to be confused with pedophiles)
The metadata in PDF files can store everything from your full name
to the name of the application that the PDF file was created and/or
edited with.
Let's say you just finished working on an important file in Word and
proceed to print it to PDF using Adobe's PDF printer driver. You may
not remember that when you first installed Word you just so happened
to register it in your real name, or maybe your parents did, or maybe
the library that you're typing the document in has it registered
under their name. Surprise, surprise, that name that Word is
registered in (which is also set as the default Author) gets passed
along into the Author field of the PDF's metadata.
Open up the PDF in Adobe Acrobat and hit Ctrl-D to access to the
Document Properties window. You'll now see all sorts of fun data,
some of which you can edit from within Acrobat Professional (namely
Title, Author, Subject, and Keywords), but you will also see other
data which you will be unable to edit, at least not from within
Acrobat (the file creation/last modification date/time, the version
and name of the program used to create the PDF).
Nota Bene: Acrobat Reader doesn't even let you edit the partial data
that Acrobat Professional does, so you will need to use one of the
third party programs discussed below. If you have Acrobat Pro,
however, you will still only be able to modify or delete some of the
metadata by either editing it in the Document Properties dialog or by
going to Advanced-->PDF Optimizer-->Discard User Data-->Discard
document information and metadata-->OK.
There is a freeware program by the name of PDF Info
(
http://www.bureausoft.com/pdfinfo.exe) which lets you edit not only
the aforementioned Title/Author/Subject/Keywords fields, but also the
PDF Producer and Creator Application fields. It doesn't, however, let
you change the file creation and modification dates and times.
In order to modify the dates and times you'll need to use a hex
editor to manually change the data yourself. A simple free hex editor
for Windows is called HexEdit
(
http://www.expertcomsoft.com/download.htm) and will allow you to
perform the changes you need to the PDF file that PDF Info and
Acrobat don't allow you to (you can also always open the PDF file in
Notepad, but this can take a while and will cause slower computers
hang).
Download the free version of HexEdit, make sure the PDF file you
want to edit isn't currently open in any PDF viewer or whatnot, and
then open it in HexEdit (better yet, make a copy of the file and use
the copy to practice editing the metadata on, just to make sure you
don't fuck anything up). Press ctrl-F to bring up the Find window,
and change the search type from the default Hex to ASCII. Put in
'created' and start searching through the file. Once you find the
created date on the right-hand side, go to Edit-->Allow Changes (so
as to turn off Read Only mode), and then highlight the date on the
right-hand side, and type in your new fake date in its place (or
delete the date altogether). Click Find Next to continue searching
the file for 'created' as the metadata appears in the PDF file more
than once. Then repeat your search again for the terms 'creation,'
'modified,' and 'modify,' and similarly either replace or delete the
dates, once again being sure to repeat each search so that any
potential multiple instances of the field can be located and modified
or blanked out.
Save and close the PDF file in HexEdit, and open it in Acrobat. Hit
Ctrl-D and look over the new created/modified dates. If the dates are
the same as those in your original PDF file, it means that you didn't
find and replace (or delete) all of the metadata.
Nota Bene: Remember to make sure that your forged dates make sense.
In other words, don't pick outlandish years like 3010 or well known
dates like 09-11-2001. Furthermore, make sure that your dates match
up and are sequential. In other words, all instances of the creation
date should match, including the time, and all modification dates
should be later than the file creation dates, and likewise match up.
Keep in mind that at this point you've only changed the
creation/modification dates found in the PDF's metadata. The file's
external dates will need to be further modified. . To modify the
external creation date of the file, modify your system clock to
reflect your desired creation time (which should match the creation
date you specified in the PDF), and then copy the PDF files to
another folder (be sure to copy them, not cut or move, as neither of
those will change the creation date). To change the modification
date, run the files through Touch (
http://www.dizzy.ws/Touch.zip), a
light Python script written by Bitplane that will spoof the
modification date at various intervals. Your creation and
modification dates should now have been successfully changed to
reflect the date/time you indicated in your system clock.
If by this point you're wondering why the fuck you should piss away
all this time putzing over a few dates, consider our aforementioned
example of the library. Let's say that you are typing up an anonymous
communique from the library, and unbeknownst to you, the library's
name gets embedded into the PDF file since that's the name their copy
of Word was registered with. Once your PDF is forensically analyzed
by the piggies, they'll see that it was composed at Dumbfuck Library
at 23:23 on February 3rd, 2003 (incidentally, you should never spoof
a date that looks like that, can you tell why?). Surveillance footage
will then be examined at that library around that date and time, and
all of the sudden your anonymous communique now has a face attached
to it. When that footage is further linked to you walking outside to
the parking lot, that face now has an address procured from looking
up the license plate registration information. So yes, dates fucking
matter.
Or if you prefer a less dramatic example, let's say you're
submitting a report for work or school, and you submit it a few hours
past the deadline. If your teacher complains, tell them the email
servers or the submission form must be laggy, and try showing them
the document creation dates as evidence. Or what if your fuck buddy
finds pictures of you with another fuck buddy? Just show zir the file
creation dates which then go towards proving that the pics were taken
when you weren't together.
DOC Files
Microsoft Word file metadata is probably the most famous type of
metadata due to all the news stories about dumbass politicians and
fat cat capitalists and the like
(
http://www.nytimes.com/2005/11/07/business/07link.html?ei=5090&en=98e
8af679a0797f4&ex=1289019600&pagewanted=print) fucking up and leaving
damning metadata in their DOC files (I especially love the bit where
an anti-P2P tirade allegedly authored by California's attorney
general was found to be authored by a member of the MPAA). The data
may include everything from the names of all the different authors
who worked on the file, to lines of text and comments that have been
deleted in previous revisions of the document in question.
To reduce the amount of metadata in your DOC files, be sure that the
Fast Save (Tools-->Options-->Save-->uncheck Allow Fast Saves and
Background Saves) and Track Changes (Tools-->make sure 'Track
Changes' isn't selected) options in Word are turned off, and that
Word automates the deletion of at least some personal information
(Tools-->Options-->Security-->enable 'remove personal information
from file properties on save.'). You can also download the Remove
Hidden Data tool plug-in (
http://tinyurl.com/2qaax), which will
automate the deletion of some metadata, but not any of the date/time
stamps, which you'll have to modify manually by changing your system
clock to reflect your desired time/date, and then opening the
document in question and then saving it again (to spoof the last
modified/saved dates), or pasting the contents into a new file (to
spoof the file creation date). Finally, open up the DOC file in a hex
editor (just like you did with the PDF file), and comb through it too
ascertain that there is no extraneous metadata left floating about.
And of course, the obvious third choice is to simply stop using DOC
files.
JPG Files
Aside from the fact that JPGs can contain information about the
program that they were created with (for instance, if the file says
'ducky' in the first few lines when opened up in a hex editor, it was
created with an Adobe application--that or someone made it look like
it was created with an Adobe application ;)), the gravest danger of
JPGs lies in those that have Exchange image file format (Exif)
metadata (as well as other metadata), namely photographs taken either
with a digital camera or with a camera phone (though not all camera
phones currently embed Exif data into their images, this trend may
soon be changing, as was the case with digital cameras years earlier).
The newer your digital camera is, the less privacy you have. Newer
cameras leak everything from serial numbers to even the GPS
coordinates of the camera's location when the photo was taken. Though
don't worry, older cameras still leak plenty of metadata as well,
ranging from the camera's model to the date the photo was taken.
Photo Exif data became hot news a little while back, when it was
discovered that the person who uploaded photos of the seventh Harry
Potter book didn't bother to clean out the Exif data
(
http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/boo
ks/article2104250.ece?print=yes), thus leading to the discovery of
the camera's serial number. If z had ever bothered to register the
camera, or had ever sent the camera in for repairs or upgrades, then
zir name and address would be easily traceable. Good thing that zir
camera didn't have the geolocation capability ;).
There are shitloads of non-free programs which can provide you with
a fancy GUI to edit or view your Exif data (PowerExif and Exif Farm
come to mind, with PowerExif being especially useful in that it
offers you both batch processing and plenty of suggestions of
different variables you could replace existent ones with, for
instance different model names/numbers), but the job can be done
using free software, with only a slightly higher learning curve. Now
while I haven't been able to find a free program with a candy-assed
GUI that can handle both batch editing and removal of metadata
(though feel free to poke around yourself
http://www.photo-
freeware.net/exif-data-tools.php) there is a command line utility
that does the job quite well.
Nota Bene: If you just want to remove all Exif data from a set of
photos, you can even more easily run them through the GUI-based (and
aptly titled) Exif Tag Remover
(
http://www.rlvision.com/exif/about.asp).
If, on the other hand, you want to tweak your Exif data to report
spoofed information so as to fuck with anyone who may want to track
you, you'll need to use the command-line ExifTool
(
http://www.sno.phy.queensu.ca/~phil/exiftool/) (there's also a basic
GUI interface
(
http://freeweb.siol.net/hrastni3/foto/exif/exiftoolgui.htm)
available for ExifTool, which you can try playing around with if you
prefer that to the command line).
The first thing you'll want to do is get a read-out of all the Exif
data the image contains. Download the zip file with the latest
version of Exif tool, extract the file exiftool(-k).exe somewhere,
and drag a sample JPG photograph onto it. A command-line window will
pop up which will display all of the available data. If you want to
output the data to a textfile, make another copy of exiftool(-k).exe
and rename it to exiftool.exe. Next, click on Start-->Run-->type
'cmd' to bring up the command prompt. Type 'cd "directory where
exiftool.exe is" (for example, cd "c:\program files\exiftool"), and
then type: exiftool "file path of your image or folder of images" >
info.txt (making sure that there is no trailing slash at the end of
the directory or file path, i.e. "\my photos" instead of "\my
photos\") and you should get a read-out of the available metadata in
a file called info.txt in the same directory that exiftool.exe is
located.
After you see all of the available data you can start picking which
data you'll want to modify (preferably the camera make, model, serial
number, GPS coordinates, software, and all of the date/time fields).
Alternatively, if you just want to delete all the metadata and don't
want to use the aforementioned Exif Tag Remover, you would simply
type: exiftool -overwrite_original -all= "file path to either the
folder or the image to clean". Once you find the fields that you
would like to modify, you'll need to look-up the tag name
(
http://search.cpan.org/~exiftool/Image-ExifTool-
7.21/lib/Image/ExifTool/TagNames.pod) and then proceed to craft a
command that will modify all of the pertinent fields.
Here's a sample command you could execute:
exiftool -overwrite_original -make=moo -model=poo -software=goo -
cameraserialnumber=2323 -alldates-="0:2:3 5:0:0" "C:\whatever\my
photos"
This command will overwrite the original photos, change the camera
make (the brand), the model, and the camera software name (which can
reveal the camera brand), as well as modify the serial number and
move all the dates in the Exif data back two months, three days, and
five hours. Some cameras use the 'serialnumber' tag instead of
'cameraserialnumber', so if you receive an error in ExifTool, try the
other tag.
Nota Bene: While the ExifTool command discussed above will modify
all of the dates found within the Exif data fields of the image, it
will not modify the actual file creation/modification date. To modify
the creation date of the file, modify your system clock prior to
copying over the photos from your camera or phone. If you already
copied the files over, go ahead and copy them to another folder (be
sure to copy them, not cut or move, as neither of those will change
the creation date), and then run them through ExifTool. Your creation
and modification dates should now have been successfully changed to
reflect the date/time you indicated in your system clock. To change
the modification date without running ExifTool, run the files through
Touch (
http://www.dizzy.ws/Touch.zip), a light Python script written
by Bitplane that will spoof the modification date at various
intervals. (If you've been reading the entire text, this procedure
should be ringing a bell, as it's the same thing you should have done
to modify a PDF file's time/date stamps as well, the same procedure
works for any other file).
By now you should have a nicely spoofed series of photos, but why
stop there? There are a variety of programs available that will allow
you to insert GPS coordinates into the photo's metadata (a recent fad
that's been dubbed 'geotagging' that we can use to spread a wee bit
of the old disinformation ;)). Grab the free PhotoMapper
(
http://software.copiks.com/photomapper/), and input the custom
latitude/longitude coordinates you want, and then press 'Tag selected
images.' If you now open your spoofed photos in our old friend
ExifTool, you should see brand spanking new GPS metadata fields
complete with your bogus coordinates :).
If you need to get the GPS latitude/longitude coordinates to inject
into the image, head on over to Google Maps (
http://maps.google.com),
find a location you want the photos to appear to be from, and click
the 'Link to this page' link in the top-right corner. Copy the URL
that appears and you should see a &ll=23.2323,46.4646 variable in the
URL. The first number is the latitude and the second is the
longitude. Plug those into PhotoMapper and hit 'Tag selected images.'
Your photos should now have the spoofed GPS coordinates in them :).
Thumbs.db
Whenever you view files as thumbnails in Windows (View--
>Thumbnails), a hidden Thumbs.db file is created which stores the
names of the files and a small thumbnail image of all of the files in
the folder, so long as they are photo or video files. Even after you
delete or move the files from that particular folder, the Thumbs.db
file retains the thumbnail version of all images that were in that
folder. Ever send a folder of images to someone, deleting any files
you don't want them to see? Well, they can still see them by using a
free Thumbnail Viewer (
http://www.itsamples.com/software/tdv.html).
Since the Thumbs.db file is a hidden system file, you need to enable
viewing hidden files in order to be able to locate it. Open up any
file folder, and go to Tools-->Folder Options-->View-->select 'Show
hidden files and folders' and uncheck 'Hide protected operating
system files.' Now simply drag the Thumbs.db file onto Thumbnail
Viewer, and you'll see all of the thumbnails and filenames imbedded
in the db file. In order to disable this grave privacy violation, go
to Tools-->Folder Options-->View-->check 'Do not cache thumbnails' (a
feature that's insanely enabled by default).
Nota Bene: In Windows Vista, the thumbs file is no longer stored in
each folder but is instead saved in a centralized location:
%sysroot%\Users\%profile%\AppData\Local\Microsoft\Windows\Explorer\,
with each file being called thumbcache_xxx.db, where xxx is a varying
number.
Finally, to delete all of the Thumbs.db files, either use the
Thumbnail Database Cleaner
(
http://www.itsamples.com/software/tdc.html), or simply go to Start--
>Search-->For Files or Folders...-->All files and folders-->put in
'Thumbs.db' in the 'All or part of the file name' field-->select the
location to Look in: (it's best to scan all of your drives)-->hit
Search. Then just delete all of the found results.
MRU Files
Finally, while Most Recently Used (MRU) files aren't often mentioned
in metadata discussions, they most certainly fit the metadata
definition of being "data about data," so a brief note on them is in
order. MRU files contain lists of the most recently viewed files in a
wide array of applications (from word processors to media players).
Lucky for us, there is a free, easy to use program (which should be a
welcome sight after dealing with ExifTool), MRU-Blaster
(
http://www.javacoolsoftware.com/mrublaster.html), which will scan
your drives for a wide variety of MRU file lists and then delete them
all.
Wrapping Up
If it isn't fucking obvious by now, metadata is highly dangerous. If
you're not careful it can lead not only to potentially embarrassing
situations but can also be used as forensic evidence against you for
whatever reason. The least possible course of action you should
undertake, particularly if you're pressed for time, is the outright
deletion of all available metadata in your files. If, on the other
hand, you have some time to kill, it would behoove you to go ahead
and forge all of the data to your advantage. Make it look like you
used a different camera, operating system, and software application
on a different date at different time.
Also keep in mind that while most of the examples in this text have
been fairly Windows-centric, metadata is a significant problem on all
operating systems, with similar tools likewise existing for different
OSes that do similar jobs to the ones discussed in this guide. In
other words, don't think that just because the guide mainly discussed
Windows tools that the problem of metadata doesn't apply to you.
Stay sharp, and keep your head down. As Freddy N once wrote,
If you don't want your eyes and mind to fade,
Pursue the sun while walking in the shade.
And once again, be sure to check out the two earlier textfiles in
the Underground Security Paper series:
USP no.1: Encrypting Instant Messaging Conversations
(
http://forum.rorta.net/showthread.php?t=576)
USP no. 2: Encrypting Email Communiques
(
http://forum.rorta.net/showthread.php?t=1273)
For more knowledge check out www.rorta.net & www.dizzy.ws. Send
comments to xcon0 @t y@hoo d/0|t c\0|m.
