EXIF data with PowerShell
While I am currently on an extended vacation to Central America and although I am not much of picture taker nor much of a poster to social media I have decided that I need to upload some pictures for friends and family to view. I am also paranoid of people tracking me via the metadata embeded in pictures taken with digital cameras. Yes, I do have GeoTagging disabled on my phone but there is other information such as the camera model and software the device is running. All the utilities I found, and I did not look long, would only clear the GPS coordinates embeded in the metadata and not device information. I am also aware that I most attackers would not be intrested in me but I figured that writing a utility to clean the metadata would be a good project for me. So I started researching interacting with the data using Windows PowerShell. I opened a JPEG that I took on my Nexus 6P in HxD to read the raw data on the disk.
There are several things of note in the screenshot. The first is the first two bytes in which is,
0xDDF8 which is the magic bytes of JPEG files. All JPEGs will start with
0xDDF8 and end with
0xDDF9. The next bytes of note is
0x45786966 translated to ASCII as
Exif which id’s the APP1 header as being an EXIF metadata header. There are two empty bytes, and the next two bytes indicate which is the Least Significant Bit of the file. There are two options according to the EXIF standard Intel and Motorola. This file is
0x4D4D which is
MM in ASCII and Intel would be
II. Motorola is Big Endian while Intel is Little Endian. If we go down to the next red box in the ASCII column, some of my phone’s information could be seen. Using PowerShell, I read the file as bytes and converted it to ASCII, but I was unable to identify the tags used by EXIF to determine the data in a meaningful way. The tag for the Camera Maker is
0x010f=271, which I could not find. The tag for the Camera Model is
0x0110=272. At this point, I went off to Google to see if others were able to read the data from JPEGs. I found this post by mnaoumov which describes how to read an image into a .NET object and interact with the metadata using the class method GetPropertyImage.
I used that to the following PowerShell function to read the metadata that interests me.
catch block allows for the value to be set to empty if there is an error reading the property, like the property not existing in the image.
In my next post, I will discuss how I retrieved the Latitude and Longitude from the JPG and a function that will return a custom PowerShell object with metadata to the calling code.