Revision as of 17:31, 2 May 2025
ExifTool CTF Quick Reference
Introduction
ExifTool, created by Phil Harvey, is an extremely powerful command-line application and Perl library for reading, writing, and manipulating metadata in a vast range of file types. Metadata is "data about data" – information embedded within a file that describes its properties, origin, creator, location, and more.
In CTFs, ExifTool is indispensable for:
- Extracting hidden flags or clues embedded in metadata comments, author fields, GPS coordinates, etc.
- Identifying the software used to create or modify a file, which might hint at specific vulnerabilities or techniques.
- Analyzing file properties beyond simple extensions (e.g., confirming image dimensions, document authors).
- Extracting embedded images like thumbnails or previews.
It supports a huge number of file formats (images like JPEG, PNG, GIF; documents like PDF, Office; audio/video like MP3, MP4, AVI) and understands thousands of different metadata tags (EXIF, IPTC, XMP, GPS, MakerNotes, and many more).
Basic Reading
Goal: View all metadata found in a file.
exiftool <filename>
- This outputs all extracted metadata groups and tags with human-readable descriptions.
Goal: View metadata with shorter tag names (often easier to parse).
# Show only tag names (keys), not descriptions
exiftool -s <filename>
# Show very short tag names (keys) and values only
exiftool -S -s <filename>
Reading Specific Tags
Goal: Extract only the value(s) of specific metadata tags.
# Get the value of the 'Comment' tag
exiftool -Comment <filename>
# Get GPS Latitude and Longitude
exiftool -GPSLatitude -GPSLongitude <filename>
# Get Author and Creator Tool
exiftool -Author -CreatorTool <filename>
# Get a tag from a specific group (e.g., EXIF Make)
exiftool -EXIF:Make <filename>
- Use the exact tag name (case-sensitive). Find tag names using the basic `exiftool <filename>` command or check the ExifTool Tag Name documentation.
- Common CTF tags: `Comment`, `UserComment`, `Author`, `Copyright`, `Description`, `Title`, `Subject`, `Keywords`, `GPSPosition`, `Software`, `Make`, `Model`.
Searching / Filtering
Goal: Filter output or search within metadata.
# Use grep to find keywords (e.g., 'flag' case-insensitive) in the output
exiftool <filename> | grep -i 'flag'
# Use ExifTool's conditional processing to print only files containing a specific comment
exiftool -if '$Comment =~ /password/' -Comment <directory>
- Combining `exiftool` with `grep` is often the quickest way to search metadata.
- The `-if` option allows complex Perl-based conditions.
Output Formatting
Goal: Get metadata in structured formats or extract binary data.
# Output in JSON format
exiftool -j <filename>
# Output in XML/RDF format
exiftool -X <filename>
# Extract binary data for a specific tag (e.g., Thumbnail) to a file
exiftool -b -ThumbnailImage <filename> > thumbnail.jpg
# Extract binary data for common preview/thumbnail tags
exiftool -b -PreviewImage <filename> > preview.jpg
exiftool -b -JpgFromRaw <filename> > preview.jpg
- `-j` (JSON) and `-X` (XML) are useful for scripting.
- `-b` is essential for extracting embedded images or data streams.
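As an added example (not part of the original page or of ExifTool itself), the following Python shows one way to script against `-j` output: it searches every tag value for keywords, as `grep -i` would, and also checks values that decode as base64. The function names, the keyword list and the sample records are assumptions made for illustration.

```python
import base64, binascii, json, re, subprocess

# Assumed keyword list; adjust to the flag format of the CTF at hand.
FLAG_RE = re.compile(r"flag|password|ctf\{", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def exiftool_json(path):
    """Run `exiftool -j -r <path>` and return the parsed list of per-file dicts."""
    out = subprocess.run(["exiftool", "-j", "-r", path],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def decode_b64(value):
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan(records, pattern=FLAG_RE):
    """Return (file, tag, text) for each tag whose value, or its base64 decoding, matches."""
    hits = []
    for rec in records:
        src = rec.get("SourceFile", "?")
        for tag, value in rec.items():
            if tag == "SourceFile":
                continue
            text = str(value)  # JSON values may be numbers, not only strings
            for candidate in (text, decode_b64(text)):
                if candidate and pattern.search(candidate):
                    hits.append((src, tag, candidate))
    return hits

# Constructed sample shaped like `exiftool -j` output (not taken from a real file).
SAMPLE = json.loads('''[
 {"SourceFile": "cat.jpg", "Make": "Canon", "Comment": "nothing here",
  "UserComment": "Q1RGe2V4aWZfbWV0YWRhdGF9", "Software": "GIMP 2.10"},
 {"SourceFile": "notes.pdf", "Author": "admin", "Subject": "The password is hunter2"}
]''')

if __name__ == "__main__":
    for hit in scan(SAMPLE):  # on real files: scan(exiftool_json("challenge_dir"))
        print(*hit, sep=" | ")
```

A plain `grep -i 'flag'` over the text output would miss the `UserComment` value here, because the keyword only appears after decoding.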
Writing / Removing Metadata (Use with Caution!)
Goal: Modify or delete metadata tags. (Less common for *finding* flags, but good general knowledge).
# Write a comment (creates backup file by default)
exiftool -Comment="This is my secret message" <filename>
# Remove a specific tag
exiftool -Comment= <filename>
# Remove ALL metadata (DANGEROUS - may corrupt some files)
exiftool -all= <filename>
# Prevent backup file creation when writing
exiftool -overwrite_original -Comment="No backup needed" <filename>
- ExifTool creates backup files (`filename_original`) by default when writing. Use `-overwrite_original` to prevent this.
- Removing all metadata (`-all=`) can sometimes damage files or remove essential structural information. Be careful!
Other Useful Options
- `-r`: Recursively process files in subdirectories.
- `-ext <extension>`: Process only files with specific extensions (e.g., `-ext jpg -ext png`). Add `--ext` to include files with no extension.
- `-p <format_string>`: Create custom output formats using tag names (e.g., `exiftool -p '$FileName: $ImageWidth x $ImageHeight' <filename>`).
- `-FileTypeCode`, `-MIMEType`: Display file type information.
- `-fast` / `-fast2`: Speed up processing by skipping certain tags or parts of files.
CTF Tips
- Always run `exiftool <filename>` first to see everything.
- Pay close attention to `Comment`, `UserComment`, `Description`, `Author`, `Copyright`, `Software`, `GPS...` tags.
- Use `-s -S` for cleaner output when searching for specific known tags.
- Use `| grep -i 'keyword'` extensively to search the full output.
- Try extracting thumbnails/previews with `-b -ThumbnailImage`, `-b -PreviewImage` etc. - sometimes they differ from the main image or contain hidden info.
- Check uncommon tags or MakerNotes if standard tags yield nothing.