I was asked not too long ago about how to extract metadata from inside a file. Easy, I said. I then proceeded to walk through how to use EnCase’s View File Structure feature to see inside certain file types. Too much work, he said. Can you script that so I can do that to several hundred files, he said. Don’t have to, I said…
ExifTool is an extremely powerful command line utility that has been around since 2003. It is still actively maintained and has grown to encompass so many metadata types beyond EXIF that it has well outgrown its name. It also has some very powerful formatting and processing capabilities, making bulk extraction of just the data you want an easy task.
Let’s look at some examples of how to use it.
exiftool vs jpeg:
Irfanview has long been my go-to program for viewing images; one of the main reasons for that is the way it extracts EXIF data. For our sample it produces 38 data points. Below are the ones I found interesting. The rest were photography related, such as f/stop, exposure time, etc., or JPEG stats, such as resolution, etc.
Make – Apple
Model – iPhone 5s
DateTime – 2014:06:05 10:06:24
DateTimeOriginal – 2014:06:05 10:06:24
DateTimeDigitized – 2014:06:05 10:06:24
Flash – Not fired
SensingMethod – One-chip color area sensor
SceneType – Other
But ExifTool against the same file produces 72 data points. Almost all the fields are the same, but a couple appear to be interpreted slightly differently, and ExifTool produces some data that Irfanview doesn’t mention at all.
Make : Apple
Camera Model Name : iPhone 5s
Modify Date : 2014:06:05 10:06:24
Date/Time Original : 2014:06:05 10:06:24
Create Date : 2014:06:05 10:06:24
Flash : No Flash
Sensing Method : One-chip color area
Scene Type : Directly photographed
Lens Make : Apple
Lens Model : iPhone 5s back camera 4.12mm f/2.2
Run Time Since Power Up : 5 days 2:24:57
Create Date : 2014:06:05 10:06:24.066
Date/Time Original : 2014:06:05 10:06:24.066
exiftool vs executables:
There is a lot of really good info in executable files, and with ExifTool you don’t need any debugging skills to get to it. Again, keep in mind that I’m trimming the output down to what is “forensically interesting”.
File Type : Win32 EXE
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2006:06:02 06:45:17-04:00
PE Type : PE32
Subsystem : Windows command line
File Version Number : 9.7.8.0
Product Version Number : 9.7.8.0
File Flags : Debug
File OS : Windows NT 32-bit
Object File Type : Executable application
Comments : ExifTool EXE for Windows
Company Name : Phil Harvey
File Description : Read and Write meta information
File Version : 9.7.8.0
Internal Name : ExifTool
Legal Copyright : Copyright (c) 2003-2014, Phil Harvey
Original Filename : exiftool(-k).exe
Product Name : ExifTool
Product Version : 9.7.8.0
Build Date : 2014:12:12 13:37:12
Bundled Perl Version : ActivePerl 5.8.7
Home Page : http://owl.phy.queensu.ca/~phil/exiftool/
And, since .dll files share the same PE structure as .exe files, we get very similar data from them.
File Type : Win32 DLL
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2010:11:20 07:08:57-05:00
PE Type : PE32
OS Version : 6.1
Subsystem : Windows GUI
File Version Number : 6.1.7601.17514
Product Version Number : 6.1.7601.17514
File OS : Windows NT 32-bit
Object File Type : Dynamic link library
Company Name : Microsoft Corporation
File Description : Multi-User Windows USER API Client DLL
File Version : 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Internal Name : user32
Legal Copyright : © Microsoft Corporation. All rights reserved.
Original Filename : user32
Product Name : Microsoft® Windows® Operating System
Product Version : 6.1.7601.17514
exiftool vs office documents:
The internal metadata inside office documents has been key evidence in more cases than can be counted. Extracting this data is incredibly easy with ExifTool.
File Type : PPTM
MIME Type : application/vnd.ms-powerpoint.presentation.macroEnabled
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x19cd1595
Total Edit Time : 23.0 hours
Application : Microsoft Office PowerPoint
Titles Of Parts : Horizon, Slide 1, More Slides, Blah
Title : Slideshow Title
Creator : John C Public
Last Modified By : John C Public
Revision Number : 35
Create Date : 2011:10:31 13:13:39Z
Modify Date : 2011:10:31 16:33:17Z
exiftool vs the masses:
The real beauty of ExifTool is how well it operates on large numbers of files and how customizable the output can be. I’m going to list just a few samples here that really only scratch the surface. The switches I use most are:
-TAG or --TAG Extract or exclude specified tag
-tagsFromFile SRCFILE Copy tag values from file
-b (-binary) Output metadata in binary format
-csv[=CSVFILE] Export/import tags in CSV format
-d FMT (-dateFormat) Set format for date/time values
-j[=JSONFILE] (-json) Export/import tags in JSON format
-t (-tab) Output in tab-delimited list format
-T (-table) Output in tabular format
-ext EXT (-extension) Process files with specified extension
-i DIR (-ignore) Ignore specified directory name
-if EXPR Conditionally process files
-o OUTFILE (-out) Set output file or directory name
-P (-preserve) Preserve date/time of original file
-password PASSWD Password for processing protected files
-r (-recurse) Recursively process subdirectories
-config CFGFILE Specify configuration file name
Run ExifTool against large numbers of files in bulk. It can recurse into subdirectories if the target is a directory, and you can select multiple file types with the -ext switch instead of a file mask.
>exiftool *.*
>exiftool -r directory
>exiftool -ext docx -ext pptx *.*
Control which tags are displayed by -naming them and exclude them by --naming them; wildcards are acceptable. The names presented in the output are not the actual tags but a prettied-up description, though generally the tag is the same minus the spaces. Add a -s switch to see the actual tag names if you need them. The full list of tags is here. You can also conditionally select files to process using the -if switch. The condition has to be in quotes: double quotes on the outside and single quotes on the inside for Windows, and the reverse, with single quotes on the outside, for Linux/Mac.
>exiftool -creator -lastmodifiedby *.docx
>exiftool -*date* --linksuptodate *.docx
>exiftool -alldates -if "$mimetype =~ /officedocument/i" *.*
Control the output format with -T, -csv, or -json. You can redirect the output into a file and later update that file using “-csv=FILE” or “-json=FILE”. If you want a specific date format you can set one with -d, though the default is very sortable and easy to work with.
>exiftool -json -d "%A the %d of %B at %I:%M%p" *.*
>exiftool -*date* -*time* -creator -lastmodifiedby --linksuptodate -ext docx -ext xlsx -ext pptx -csv=metadata.csv -r z:export
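As an added example (not from the original post), here is a Python script that consumes the JSON a -json run like the ones above writes, applies the same kind of MIME filter the -if switch does, parses ExifTool's default date strings (including the fractional-second and time-zone variants seen in the listings above), and flags documents whose modify date precedes their create date. The JSON records and the z:/export paths are constructed sample data.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `exiftool -json` output: one object per file.
SAMPLE_JSON = """[
 {"SourceFile": "z:/export/a.docx", "Creator": "John C Public", "LastModifiedBy": "Jane Doe",
  "MIMEType": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
  "CreateDate": "2011:10:31 13:13:39Z", "ModifyDate": "2011:10:31 16:33:17Z"},
 {"SourceFile": "z:/export/b.pptx", "Creator": "John C Public", "LastModifiedBy": "John C Public",
  "MIMEType": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
  "CreateDate": "2012:02:01 09:00:00Z", "ModifyDate": "2012:01:15 08:00:00Z"},
 {"SourceFile": "z:/export/c.jpg", "MIMEType": "image/jpeg",
  "CreateDate": "2014:06:05 10:06:24.066", "ModifyDate": "2014:06:07 18:00:00"}
]"""

# ExifTool's default form: YYYY:mm:dd HH:MM:SS, optional fraction, optional Z or +HH:MM zone.
_DATE_RE = re.compile(r"^(\d{4}):(\d{2}):(\d{2}) (\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")


def parse_exif_date(text):
    """Return an aware datetime, or None if the string is not in ExifTool's form.
    Plain EXIF times carry no zone; they are assumed UTC here so rows can be sorted."""
    m = _DATE_RE.match(text or "")
    if not m:
        return None
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int(round(float(frac) * 1_000_000)) if frac else 0
    zone = timezone.utc
    if tz and tz != "Z":
        sign = 1 if tz[0] == "+" else -1
        zone = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=zone)


def triage(json_text, mime_pattern):
    """Keep records whose MIMEType matches mime_pattern (case-insensitive, like the
    post's -if "$mimetype =~ /officedocument/i"), flag a ModifyDate earlier than
    CreateDate as worth a second look, and return rows sorted by ModifyDate."""
    rows = []
    for rec in json.loads(json_text):
        if not re.search(mime_pattern, rec.get("MIMEType", ""), re.I):
            continue
        created = parse_exif_date(rec.get("CreateDate"))
        modified = parse_exif_date(rec.get("ModifyDate"))
        rows.append({"file": rec["SourceFile"], "created": created, "modified": modified,
                     "creator": rec.get("Creator", ""), "last_modified_by": rec.get("LastModifiedBy", ""),
                     "suspect": bool(created and modified and modified < created)})
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["modified"] or epoch)
```

Feed it the file written by `-json=FILE` instead of the embedded sample, and the "suspect" rows are the ones to pull for closer review.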
I can keep going with different examples like this for weeks and still not hit all of the features. Go play with it. It should be one of your favorite tools.