When Metadata steers you wrong…

han-solo.jpgAfter our recent post on President Obama’s official metadata, erm, photograph, I had the pleasure of exchanging some e-mails on the subject with “ZT”.
ZT and I made some assumptions about some of the metadata in the photo:

exiftool -a -u -g1 -b officialportrait.jpg

Here’s the output, significantly shortened for readability:

---- ExifTool ----
ExifTool Version Number         : 7.23
---- File ----
File Name                       : obama-officialportrait.jpg
Exif Byte Order                 : Big-endian (Motorola, MM)

Now, when ZT and I saw the Exif Byte Order value, we both had an “AHA!” moment. We both made the assumption that the JPEG had been created on a Mac with the PowerPC chipset. This knowledge would color some of the potential attacks that we could consider.
I, personally, had a bad feeling about this. So did ZT, so we did our own independent analysis. In my case, I used a photo that I took with my Canon EOS 20D, popped it through some similar post processing tools and exported to JPG on my Intel Macbook Pro. Guess what the
Byte Order was? Yup, you guessed it, Big Endian. Clearly my test case
was not on a PPC or big endian platform.
han-solo.jpgZT discovered some other items using some different methods that didn’t make sense either. I’ll let ZT share that information if he is able.
I originally thought that it was due to the processor of the camera that created the original output. I even went to far as to determine that different camera models in the EOS line used different endianness processors. I thought I was done.
I was wrong.
ZT passed along this link with comments from Phil Harvey, the author of EXIFtool. To distill the conversation down, it appears that any software (whether it is post processing or firmware) can set the Exif Byte Order, regardless of the endianness of the system. It is merely a way to make sure it is processed the same on any device, and can be implemented in either direction by the whim of the software creator.
This is a perfect example of how assumptions on metadata can steer you wrong. It is important to know what goes on behind the scenes when you attempt to utilize the information, and how it got there.
ZT, thanks for the help and for going on this particular EXIF Metadata journey with me.

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.