ExifTool

From Brunnerne
Revision as of 17:31, 2 May 2025 by Brunn (talk | contribs)

ExifTool CTF Quick Reference

Introduction

ExifTool, created by Phil Harvey, is an extremely powerful command-line application and Perl library for reading, writing, and manipulating metadata in a vast range of file types. Metadata is "data about data" – information embedded within a file that describes its properties, origin, creator, location, and more.

In CTFs, ExifTool is indispensable for:

  • Extracting hidden flags or clues embedded in metadata comments, author fields, GPS coordinates, etc.
  • Identifying the software used to create or modify a file, which might hint at specific vulnerabilities or techniques.
  • Analyzing file properties beyond simple extensions (e.g., confirming image dimensions, document authors).
  • Extracting embedded images like thumbnails or previews.

It supports a huge number of file formats (images like JPEG, PNG, GIF; documents like PDF, Office; audio/video like MP3, MP4, AVI) and understands thousands of different metadata tags (EXIF, IPTC, XMP, GPS, MakerNotes, and many more).

Basic Reading

Goal: View all metadata found in a file.

exiftool <filename>
  • This outputs all extracted metadata groups and tags with human-readable descriptions.

Goal: View metadata with shorter tag names (often easier to parse).

# Show only tag names (keys), not descriptions
exiftool -s <filename>

# Print values only, with no tag names (-S -s is the same as -s3)
exiftool -S -s <filename>

Reading Specific Tags

Goal: Extract only the value(s) of specific metadata tags.

# Get the value of the 'Comment' tag
exiftool -Comment <filename>

# Get GPS Latitude and Longitude
exiftool -GPSLatitude -GPSLongitude <filename>

# Get Author and Creator Tool
exiftool -Author -CreatorTool <filename>

# Get a tag from a specific group (e.g., EXIF Make)
exiftool -EXIF:Make <filename>
  • Use the exact tag name (case-sensitive). Find tag names using the basic `exiftool <filename>` command or check the ExifTool Tag Name documentation.
  • Common CTF tags: Comment, UserComment, Author, Copyright, Description, Title, Subject, Keywords, GPSPosition, Software, Make, Model.

Searching / Filtering

Goal: Filter output or search within metadata.

# Use grep to find keywords (e.g., 'flag' case-insensitive) in the output
exiftool <filename> | grep -i 'flag'

# Use ExifTool's conditional processing to print only files containing a specific comment
exiftool -if '$Comment =~ /password/' -Comment <directory>
  • Combining `exiftool` with `grep` is often the quickest way to search metadata.
  • The -if option allows complex Perl-based conditions.

Output Formatting

Goal: Get metadata in structured formats or extract binary data.

# Output in JSON format
exiftool -j <filename>

# Output in XML/RDF format
exiftool -X <filename>

# Extract binary data for a specific tag (e.g., Thumbnail) to a file
exiftool -b -ThumbnailImage <filename> > thumbnail.jpg

# Extract binary data for common preview/thumbnail tags
exiftool -b -PreviewImage <filename> > preview.jpg
exiftool -b -JpgFromRaw <filename> > jpgfromraw.jpg
  • -j (JSON) and -X (XML) are useful for scripting.
  • -b is essential for extracting embedded images or data streams.
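
Scripting against the JSON output, as an added example (not part of the original page and not ExifTool's own code): it reads the output of `exiftool -j -G -r <directory>` and reports every tag whose value contains a flag, either in plain text or base64-encoded. The flag{...} pattern, the function names and the sample records are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re

# Constructed sample shaped like `exiftool -j -G` output (not from real files).
SAMPLE_JSON = """[
  {"SourceFile": "cat.jpg", "EXIF:Make": "Canon", "EXIF:ImageWidth": 640,
   "File:Comment": "nothing to see here",
   "XMP:Subject": ["holiday", "ZmxhZ3toaWRkZW5faW5fa2V5d29yZHN9"]},
  {"SourceFile": "report.pdf", "PDF:Author": "flag{author_field}",
   "PDF:Producer": "ExampleWriter 1.0"}
]"""

FLAG_RE = re.compile(r"flag\{[^}]*\}", re.IGNORECASE)  # assumed flag format
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")     # long base64-looking value


def _candidates(value):
    """Yield (text, encoding) pairs worth searching for one tag value."""
    text = str(value)  # numeric tags arrive as JSON numbers
    yield text, "plain"
    # With -b, ExifTool writes binary values into JSON as "base64:<data>".
    payload = text[7:] if text.startswith("base64:") else text
    if B64_RE.match(payload):
        try:
            decoded = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            return  # looked like base64 but was not
        yield decoded.decode("utf-8", errors="replace"), "base64"


def find_flags(exiftool_json):
    """Return (file, tag, encoding, match) tuples in output order."""
    hits = []
    for record in json.loads(exiftool_json):
        source = record.get("SourceFile", "?")
        for tag, value in record.items():
            if tag == "SourceFile":
                continue
            # List-type tags (Keywords, Subject) are JSON arrays.
            items = value if isinstance(value, list) else [value]
            for item in items:
                for text, enc in _candidates(item):
                    hits += [(source, tag, enc, m) for m in FLAG_RE.findall(text)]
    return hits


if __name__ == "__main__":
    for hit in find_flags(SAMPLE_JSON):
        print(*hit, sep="\t")
```

To run it on real files, replace SAMPLE_JSON with the captured output of the exiftool command named above.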

Writing / Removing Metadata (Use with Caution!)

Goal: Modify or delete metadata tags. (Less common for *finding* flags, but good general knowledge).

# Write a comment (creates backup file by default)
exiftool -Comment="This is my secret message" <filename>

# Remove a specific tag
exiftool -Comment= <filename>

# Remove ALL metadata (DANGEROUS - may corrupt some files)
exiftool -all= <filename>

# Prevent backup file creation when writing
exiftool -overwrite_original -Comment="No backup needed" <filename>
  • ExifTool creates backup files (filename_original) by default when writing. Use -overwrite_original to prevent this.
  • Removing all metadata (-all=) can sometimes damage files or remove essential structural information. Be careful!

Other Useful Options

  • -r : Recursively process files in subdirectories.
  • -ext <extension> : Process only files with specific extensions (e.g., -ext jpg -ext png). Add --ext to include files with no extension.
  • -p <format_string> : Create custom output formats using tag names (e.g., exiftool -p '$FileName: $ImageWidth x $ImageHeight' <filename>).
  • -FileTypeCode, -MIMEType : Display file type information.
  • -fast / -fast2 : Speed up processing by skipping certain tags or parts of files.

CTF Tips

  • Always run exiftool <filename> first to see everything.
  • Pay close attention to Comment, UserComment, Description, Author, Copyright, Software, GPS... tags.
  • Use -s -S for cleaner output when searching for specific known tags.
  • Use | grep -i 'keyword' extensively to search the full output.
  • Try extracting thumbnails/previews with -b -ThumbnailImage, -b -PreviewImage etc. - sometimes they differ from the main image or contain hidden info.
  • Check uncommon tags or MakerNotes if standard tags yield nothing.