After our recent post on President Obama’s official metadata, erm, photograph, I had the pleasure of exchanging some e-mails on the subject with “ZT”.
ZT and I made some assumptions about some of the metadata in the photo:
exiftool -a -u -g1 -b officialportrait.jpg
Here’s the output, significantly shortened for readability:
---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : obama-officialportrait.jpg
Exif Byte Order : Big-endian (Motorola, MM)
Now, when ZT and I saw the Exif Byte Order value, we both had an “AHA!” moment. We both made the assumption that the JPEG had been created on a Mac with the PowerPC chipset. This knowledge would color some of the potential attacks that we could consider.
I, personally, had a bad feeling about this. So did ZT, so we did our own independent analysis. In my case, I used a photo that I took with my Canon EOS 20D, popped it through some similar post processing tools and exported to JPG on my Intel MacBook Pro. Guess what the Byte Order was? Yup, you guessed it, Big Endian. Clearly my test case was not on a PPC or big endian platform.
ZT discovered some other items using some different methods that didn’t make sense either. I’ll let ZT share that information if he is able.
I originally thought that it was due to the processor of the camera that created the original output. I even went so far as to determine that different camera models in the EOS line used different endianness processors. I thought I was done.
I was wrong.
ZT passed along
This is a perfect example of how assumptions on metadata can steer you wrong. It is important to know what goes on behind the scenes when you attempt to utilize the information, and how it got there.
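The Exif Byte Order value comes from a two-byte mark ("II" or "MM") at the start of the TIFF header inside the JPEG's APP1 Exif segment, so it records what the writing software put in the file, not the CPU of the machine reading or exporting it. The sketch below is an added example, not code from the original post; the function names and the two sample files are constructed for illustration.

```python
import struct
import sys

def exif_byte_order(jpeg: bytes) -> str:
    """Return 'II' or 'MM' from the TIFF header of the APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: metadata segments are over
            break
        # JPEG segment lengths are always big-endian, whatever the Exif order is.
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:
            raise ValueError("bad segment length")
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]
            order = tiff[:2]
            if order not in (b"II", b"MM"):
                raise ValueError("bad TIFF byte-order mark")
            fmt = "<H" if order == b"II" else ">H"
            # The magic number 42 must decode correctly in the declared order.
            if len(tiff) < 4 or struct.unpack(fmt, tiff[2:4])[0] != 42:
                raise ValueError("bad TIFF magic")
            return order.decode("ascii")
        pos += 2 + length
    raise ValueError("no Exif segment found")

def make_sample(order: bytes) -> bytes:
    """Constructed minimal JPEG: SOI + APP1 (Exif, empty IFD0) + EOI."""
    e = "<" if order == b"II" else ">"
    # TIFF header: order mark, magic 42, IFD0 at offset 8; IFD0 has 0 entries.
    tiff = order + struct.pack(e + "HIHI", 42, 8, 0, 0)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    # The host's own byte order never changes; the reported Exif order does.
    print("host CPU byte order:", sys.byteorder)
    for mark in (b"II", b"MM"):
        print(mark.decode(), "file ->", exif_byte_order(make_sample(mark)))
```

Run on any machine, both samples report the order written into the file, independent of `sys.byteorder`.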
ZT, thanks for the help and for going on this particular EXIF Metadata journey with me.