WEBVTT

0:00:02.740000 --> 0:00:06.440000
Every file stores different types of metadata within it, ranging from

0:00:06.440000 --> 0:00:11.280000
timestamps, file type, GPS info, number of pages, etc.

0:00:11.280000 --> 0:00:14.120000
You'll be surprised at the number of different metadata types that can be

0:00:14.120000 --> 0:00:18.860000
found. In this video, we are going to cover how to extract EXIF data from

0:00:18.860000 --> 0:00:22.800000
photos to help us identify useful evidence by using ExifTool.

0:00:22.800000 --> 0:00:27.180000
In this video, we will also go through another tool, pyExifToolGUI, to analyze

0:00:27.180000 --> 0:00:31.620000
exchangeable image file format, also referred to as EXIF.

0:00:31.620000 --> 0:00:35.620000
As we learned in previous content, we know what EXIF data is and how useful

0:00:35.620000 --> 0:00:37.820000
it can be to investigators.

0:00:37.820000 --> 0:00:40.840000
You can check more about EXIF from this wiki page here.

0:00:40.840000 --> 0:00:44.760000
Looking at this page, we can see that EXIF data is not found in photos only,

0:00:44.760000 --> 0:00:46.940000
but in different files and sound files.

0:00:46.940000 --> 0:00:50.760000
Additionally, there are some different tools that could be used to extract

0:00:50.760000 --> 0:00:52.680000
EXIF data from files.

0:00:52.680000 --> 0:00:57.280000
One of the most important tools in this area is ExifTool by Phil Harvey.

0:00:57.280000 --> 0:01:01.620000
It supports most of the cameras and digital file types available.

0:01:01.620000 --> 0:01:04.580000
The Windows executable can be downloaded from here.

0:01:04.580000 --> 0:01:10.260000
We will also go through another tool which is a GUI or front end for

0:01:10.260000 --> 0:01:14.620000
ExifTool itself. It's a front end developed using Python for ExifTool and

0:01:14.620000 --> 0:01:19.380000
is easy to use.
All you have to do is download it, extract it, and make

0:01:19.380000 --> 0:01:23.860000
sure that you have both the pyExifToolGUI and the exiftool.exe in the same

0:01:23.860000 --> 0:01:26.940000
directory as we can see here.

0:01:26.940000 --> 0:01:30.680000
Also, make sure it doesn't have any options passed to it.

0:01:30.680000 --> 0:01:34.280000
If the name does not have something like -k, then rename the file

0:01:34.280000 --> 0:01:40.280000
and remove it. Now, before we go through this tool, let me show you how

0:01:40.280000 --> 0:01:44.160000
easy it is to parse EXIF data from photos using ExifTool itself.

0:01:44.160000 --> 0:01:48.780000
Let's assume we want to extract EXIF data from the photos we have here.

0:01:48.780000 --> 0:01:53.460000
All we need to do is exiftool.exe file.

0:01:53.460000 --> 0:01:58.160000
As you can see, it extracts all the EXIF data found within the photo we

0:01:58.160000 --> 0:02:03.320000
selected. If we go to the beginning, we can see all the information tags.

0:02:03.320000 --> 0:02:10.340000
To learn more about what each entry or tag is, you can go to the following

0:02:10.340000 --> 0:02:12.460000
website about tags.

0:02:12.460000 --> 0:02:16.200000
Here, you can check each tag and what it means from the description.

0:02:16.200000 --> 0:02:19.720000
Remember, it's your responsibility to know the tags and see if they would

0:02:19.720000 --> 0:02:22.400000
be beneficial to your case or not.

0:02:22.400000 --> 0:02:25.380000
Let's check another photo.

0:02:25.380000 --> 0:02:28.480000
Again, all we need to do is drag and drop the file, and the tool will

0:02:28.480000 --> 0:02:30.740000
extract a volume of data for you.

0:02:30.740000 --> 0:02:36.540000
We can see the size of the file.

0:02:36.540000 --> 0:02:44.400000
The final modification date, access date, as well as the creation date.

0:02:44.400000 --> 0:02:48.040000
Here's the file type, which is JPEG.

0:02:48.040000 --> 0:02:52.480000
We can also see the camera type, which is Casio Computer Company LTD,

0:02:52.480000 --> 0:02:57.540000
and beneath it, we can see the camera model, which is EXZ57.

0:02:57.540000 --> 0:03:00.500000
If we scroll down a bit, we can see the camera that was used for this

0:03:00.500000 --> 0:03:06.200000
photo, as well as the software used, Microsoft Pro Photo Tools.

0:03:06.200000 --> 0:03:08.400000
Let's scroll down further.

0:03:08.400000 --> 0:03:12.620000
We see lots of data, like the creator of this photo, Greg Reeser, based

0:03:12.620000 --> 0:03:14.280000
on the Creator tag.

0:03:14.280000 --> 0:03:17.740000
We can also see the city and country, which are Pacific Palisades and

0:03:17.740000 --> 0:03:19.960000
the United States respectively.

0:03:19.960000 --> 0:03:23.860000
The Artist tag tells us who the artist is that took the photo, Greg Reeser,

0:03:23.860000 --> 0:03:28.060000
and the Creator Tool tag tells us that it was done using Microsoft Pro

0:03:28.060000 --> 0:03:33.360000
Photo Tools. Here we have the GPS data.

0:03:33.360000 --> 0:03:38.080000
We first have the GPS latitude degree, and below it, its reference direction.

0:03:38.080000 --> 0:03:42.280000
Same for the GPS longitude, and beneath it, its reference direction.

0:03:42.280000 --> 0:03:46.840000
Below that is the exact GPS position for the person that took this photo.

0:03:46.840000 --> 0:03:50.000000
As we can see, there is lots of data that can be extracted from files

0:03:50.000000 --> 0:03:54.900000
using ExifTool. Let's go ahead and close this photo and move on.

0:03:54.900000 --> 0:03:58.820000
Let's check this photo of our friend.

0:03:58.820000 --> 0:04:03.640000
We can see that the file size is 1,424 kilobytes.

0:04:03.640000 --> 0:04:10.120000
And we also have the file modification, access, and creation timestamps

0:04:10.120000 --> 0:04:14.980000
here. As you can see, the file type is JPEG.

0:04:14.980000 --> 0:04:19.200000
The image has a description saying "with Andrea Pirlo". The person that

0:04:19.200000 --> 0:04:22.040000
took the photo added this description to it.

0:04:22.040000 --> 0:04:26.160000
If we look here, we can see that the photo is taken using a Samsung camera,

0:04:26.160000 --> 0:04:29.120000
which I suspect is the guy's mobile phone.

0:04:29.120000 --> 0:04:35.320000
We can make sure of that by checking its camera model, which shows SMA710F.

0:04:35.320000 --> 0:04:40.140000
A bit further down, we can see that no flash was used to take this photo.

0:04:40.140000 --> 0:04:44.680000
Let's check the GPS coordinates for this photo.

0:04:44.680000 --> 0:04:49.060000
As you can see, we have the GPS latitude, longitude, and GPS position

0:04:49.060000 --> 0:04:54.840000
here. Let's take the GPS position and check it using Google Maps.

0:04:54.840000 --> 0:04:58.120000
This will help us identify where the person in the photo was when he took

0:04:58.120000 --> 0:05:17.480000
this photo. I'm going to remove the "deg" from the position coordinates.

0:05:17.480000 --> 0:05:21.140000
By zooming the focus, we see that the photo was taken in Yankee Stadium

0:05:21.140000 --> 0:05:23.600000
in the Bronx, New York City, USA.

0:05:23.600000 --> 0:05:29.060000
We know from the photo that the person on the right is Andrea Pirlo,

0:05:29.060000 --> 0:05:30.980000
one of Italy's midfield legends.

0:05:30.980000 --> 0:05:32.820000
But who's that to his left?

0:05:32.820000 --> 0:05:36.040000
Knowing that Andrea plays for the New York Football Club, we can understand

0:05:36.040000 --> 0:05:40.380000
that this photo was taken at the Yankee Stadium where Andrea plays football.

0:05:40.380000 --> 0:05:46.200000
Another useful website that I recommend you bookmark is Jeffrey's Image

0:05:46.200000 --> 0:05:47.580000
Metadata Viewer.

0:05:47.580000 --> 0:05:53.360000
Let's give it a try.

0:05:53.360000 --> 0:06:02.560000
Before we can proceed though, we need to fill in this new reCAPTCHA here

0:06:02.560000 --> 0:06:23.260000
to prove we're not a robot.

0:06:23.260000 --> 0:06:25.860000
Let's proceed. Now that all is good, let's proceed.

0:06:25.860000 --> 0:06:28.800000
Let's click the View Image Data button.

0:06:28.800000 --> 0:06:34.860000
As you can see, the EXIF data is extracted and displayed.

0:06:34.860000 --> 0:06:38.180000
Here we can see the date and time of the original photo, and below that,

0:06:38.180000 --> 0:06:40.600000
we see the creation date too.

0:06:40.600000 --> 0:06:45.260000
We can also see the camera type, which is a Canon, and that the photographer

0:06:45.260000 --> 0:06:47.880000
didn't use flash.

0:06:47.880000 --> 0:06:51.020000
Here we see some of the camera settings and details.

0:06:51.020000 --> 0:07:00.820000
We can even see the owner's name too.

0:07:00.820000 --> 0:07:03.920000
As you can see here, these are all the file formats that are supported

0:07:03.920000 --> 0:07:06.360000
by Jeffrey's Image Metadata Viewer.

0:07:06.360000 --> 0:07:08.960000
If you notice, it is not for photos only.

0:07:08.960000 --> 0:07:13.060000
You can even upload PDF and PPTX files too.

0:07:13.060000 --> 0:07:15.540000
Now let's use the pyExifToolGUI.

0:07:15.540000 --> 0:07:19.100000
As I mentioned before, this is a front end for ExifTool that's written

0:07:19.100000 --> 0:07:23.060000
in Python. The developer has developed it so we can add geotags to his

0:07:23.060000 --> 0:07:27.580000
photo. That is, add GPS locations to his photo, plus we can use it to

0:07:27.580000 --> 0:07:32.760000
read EXIF data. Don't forget to download Phil Harvey's ExifTool from here

0:07:32.760000 --> 0:07:36.980000
too.
As mentioned at the beginning of this video, to download the new

0:07:36.980000 --> 0:07:41.140000
tool, all we need to do is extract the pyExifToolGUI to a directory,

0:07:41.140000 --> 0:07:44.780000
and then copy the exiftool.exe to it.

0:07:44.780000 --> 0:07:50.700000
Now let's go to the pyExifToolGUI.exe and double-click on it to start.

0:07:50.700000 --> 0:07:54.260000
As we can see, it has a simple interface.

0:07:54.260000 --> 0:07:58.660000
Let's go ahead and load some images by clicking on the Load Images button.

0:07:58.660000 --> 0:08:06.040000
Let's select all of the photos that we have in the PIX directory and click

0:08:06.040000 --> 0:08:10.040000
Open. We can see that the tool displays the thumbnail for the photos we

0:08:10.040000 --> 0:08:14.960000
have loaded. By selecting the photo, the tool will call ExifTool in

0:08:14.960000 --> 0:08:18.540000
the background and extract all the information it could get from the photo.

0:08:18.540000 --> 0:08:23.720000
If we select the EXIF radio button, only the data that is related to the

0:08:23.720000 --> 0:08:26.560000
EXIF category is extracted and displayed.

0:08:26.560000 --> 0:08:29.980000
This can be helpful when you need to focus on a small amount of data rather

0:08:29.980000 --> 0:08:32.000000
than going through the whole list of data.

0:08:32.000000 --> 0:08:36.060000
Here we have the image description saying, Dortmund and something about

0:08:36.060000 --> 0:08:40.040000
a canal. We have the camera maker type, which is Canon, and the model

0:08:40.040000 --> 0:08:43.320000
name is Canon EOS 600D.

0:08:43.320000 --> 0:08:48.260000
If we select the GPS location radio button, only the extracted data for

0:08:48.260000 --> 0:08:50.980000
the GPS and location will be presented.

0:08:50.980000 --> 0:08:54.760000
As you can see, we have the latitude, longitude, and we can even see the

0:08:54.760000 --> 0:08:57.480000
country, which is Deutschland, Germany.

0:08:57.480000 --> 0:09:00.020000
We can also see the state and the city too.

0:09:00.020000 --> 0:09:04.600000
To add the extracted information to your report, to generate a report

0:09:04.600000 --> 0:09:07.840000
from all the details we obtained here, all we need to do is right-click

0:09:07.840000 --> 0:09:11.620000
on the photo and select Export Metadata.

0:09:11.620000 --> 0:09:14.500000
A simple window appears where we have the option to select all the types

0:09:14.500000 --> 0:09:17.140000
of metadata to extract from this photo.

0:09:17.140000 --> 0:09:20.720000
We can even select what type of report to export to.

0:09:20.720000 --> 0:09:26.300000
For this test, let's select Export All Metadata and we'll export it to

0:09:26.300000 --> 0:09:29.220000
TXT. Then click OK.

0:09:29.220000 --> 0:09:33.100000
When asked, click OK, telling the tool that this is truly what you want

0:09:33.100000 --> 0:09:37.580000
to export. If we go to the folders directory, we can see a text file with

0:09:37.580000 --> 0:09:40.440000
the same name of the photo has been created for us.

0:09:40.440000 --> 0:09:44.220000
If we open it, we will see all the EXIF metadata that was found within

0:09:44.220000 --> 0:09:46.920000
the photo has been exported to this file.

0:09:46.920000 --> 0:09:52.880000
Let's export to another type.

0:09:52.880000 --> 0:09:57.300000
Let's select all information, and this time, export the metadata to XML

0:09:57.300000 --> 0:10:00.420000
format and then click OK.

0:10:00.420000 --> 0:10:04.840000
Please note that when you export to CSV, it will export all the photos

0:10:04.840000 --> 0:10:07.560000
selected, not just a single photo.

0:10:07.560000 --> 0:10:12.640000
If we go back to our photos directory, we see we have a new file with

0:10:12.640000 --> 0:10:16.680000
the photo's name, but with the .xml extension.

0:10:16.680000 --> 0:10:18.620000
Let's edit the file.

0:10:18.620000 --> 0:10:22.780000
As you can see, we have all the EXIF data extracted and placed within XML

0:10:22.780000 --> 0:10:27.300000
tags. This is useful in case you want to take it and import it into another

0:10:27.300000 --> 0:10:32.040000
tool or you want to write your own parser that will parse based on some

0:10:32.040000 --> 0:10:41.560000
specific tags. Let's select another photo and display some of its data.

0:10:41.560000 --> 0:10:43.720000
Let's select this one.

0:10:43.720000 --> 0:10:48.160000
Since we're still on the GPS location tab, we can see the GPS data for

0:10:48.160000 --> 0:10:52.680000
this photo. If we select the All radio button, we will be presented with

0:10:52.680000 --> 0:10:57.020000
all the data extracted from this photo.

0:10:57.020000 --> 0:11:00.680000
And selecting any photo from the left will display its extracted data

0:11:00.680000 --> 0:11:05.960000
on the right. After watching this video, I hope you understand why EXIF

0:11:05.960000 --> 0:11:09.880000
data is useful and how to extract EXIF data from photos.

0:11:09.880000 --> 0:11:12.880000
There are lots of tools and web pages that can help you with EXIF data,

0:11:12.880000 --> 0:11:15.800000
especially understanding the tags that are available.

0:11:15.800000 --> 0:11:19.180000
Continue to explore the sites and tools referenced in this video to strengthen

0:11:19.180000 --> 0:11:22.780000
your understanding of specific tags, especially those that are new to

0:11:22.780000 --> 0:11:28.780000
you. And this concludes our video lesson on extracting and analyzing EXIF

0:11:28.780000 --> 0:11:30.760000
data. Thanks for joining us.