The first 2-4 bytes are how we usually identify the file signature. In this case, you see ffd8 at offset 00000000. Check Gary Kessler's site for signature structures, and search for "ff d8". Then look for "ff d8 ff e1" - the second part of the file signature. (spoiler) It's a JPEG image that supports EXIF (embedded file meta-data).

The next task is to find the timestamp information. To do that, we need to understand the EXIF structure, so we have to look at the EXIF technical specification - if we can't find the spec, we have to reverse-engineer it. Luckily, the EXIF spec is easy to find (but not so easy to read).

In the spec, you can see "TIFF header" - it is 2 bytes. It is either 4949 (little-endian) or 4D4D (big-endian). In my example, you can see at offset 0x0C (first line) it is 4d4d, so we know our data is in big-endian.

Look at Table 4 on page 28 (see page 39 for details) of the EXIF PDF. Among other tags, you will see "File change date and time" - its hex value starts with 0132, and the data is in ASCII (good for us - easier to read). Next is 0002, which means ASCII (as expected). Then 4 bytes for the timestamp length, then 4 for the offset. 14 bytes from 0132 we get to 3230, which is the beginning of the timestamp in ASCII. You don't need to convert it, since we have an ASCII view on the right: 2020:09:11 10:20:37.

The hardest part is to find a good document that describes the data structure. The second "gotcha" is to know what offset they are asking about. Is it the offset from the beginning of the EXIF data, or the offset from the beginning of the file? Offsets are relative, so make sure you know your reference point (especially in disk forensics)!
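The walk-through above can be scripted. The following is an added example (not code from the original post): it builds a small constructed JPEG with a single EXIF tag 0x0132 (DateTime), then parses it the way the text describes - SOI marker, APP1 segment, TIFF header byte order, IFD0 entry, ASCII value - and reports the timestamp together with both reference points for its offset (relative to the TIFF header, and absolute in the file). The sample file, the function names and the 0x0C header position are assumptions of this example; it also handles the case the spec allows where a value of four bytes or fewer is stored inline in the entry instead of via an offset.

```python
import struct

TAG_DATETIME = 0x0132   # "File change date and time" in IFD0
TYPE_ASCII = 2


def build_sample_jpeg(timestamp="2020:09:11 10:20:37", big_endian=True):
    """Construct a minimal JPEG: SOI + APP1(Exif) + EOI. Sample data, not a real photo."""
    e = ">" if big_endian else "<"
    bom = b"MM" if big_endian else b"II"
    # TIFF header: byte-order mark, magic 42, offset of IFD0 (8 = right after the header)
    tiff = bom + struct.pack(e + "HI", 42, 8)
    value = timestamp.encode("ascii") + b"\x00"          # 20 bytes, NUL-terminated ASCII
    value_offset = 8 + 2 + 12 + 4                         # header + count + one entry + next-IFD ptr = 26
    ifd0 = struct.pack(e + "H", 1)                        # one directory entry
    ifd0 += struct.pack(e + "HHII", TAG_DATETIME, TYPE_ASCII, len(value), value_offset)
    ifd0 += struct.pack(e + "I", 0)                       # no IFD1
    payload = b"Exif\x00\x00" + tiff + ifd0 + value
    # JPEG segment length is always big-endian and includes its own two bytes
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def parse_tiff_datetime(data, tiff_start):
    """Walk IFD0 of the TIFF structure starting at absolute file offset tiff_start."""
    bom = data[tiff_start:tiff_start + 2]
    if bom == b"MM":
        e = ">"
    elif bom == b"II":
        e = "<"
    else:
        raise ValueError("bad TIFF byte-order mark %r" % bom)
    magic, ifd0_off = struct.unpack_from(e + "HI", data, tiff_start + 2)
    if magic != 42:
        raise ValueError("bad TIFF magic %d" % magic)
    ifd = tiff_start + ifd0_off                           # IFD offsets are relative to the TIFF header
    (count,) = struct.unpack_from(e + "H", data, ifd)
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, typ, n, off = struct.unpack_from(e + "HHII", data, entry)
        if tag != TAG_DATETIME:
            continue
        if typ != TYPE_ASCII:
            raise ValueError("DateTime has unexpected type %d" % typ)
        if n <= 4:
            # Short values live inside the 4-byte value field itself, not behind an offset
            abs_off = entry + 8
        else:
            abs_off = tiff_start + off
        raw = data[abs_off:abs_off + n]
        return {
            "byte_order": "big-endian" if e == ">" else "little-endian",
            "datetime": raw.rstrip(b"\x00").decode("ascii"),
            "tiff_header_offset": tiff_start,             # where the 4D4D / 4949 sits in the file
            "offset_in_tiff": abs_off - tiff_start,       # what the IFD entry actually stores
            "offset_in_file": abs_off,                    # what a hex editor shows
        }
    return None


def find_exif_datetime(data):
    """Locate the APP1/Exif segment behind the ff d8 signature and extract tag 0x0132."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing ffd8 SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset 0x%x" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI, no more segments
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return parse_tiff_datetime(data, pos + 4 + 6)
        pos += 2 + seg_len
    return None


if __name__ == "__main__":
    for be in (True, False):
        info = find_exif_datetime(build_sample_jpeg(big_endian=be))
        print("%s: %s at TIFF+0x%x (file offset 0x%x)" % (
            info["byte_order"], info["datetime"], info["offset_in_tiff"], info["offset_in_file"]))
```

Running it prints the same timestamp twice, once from a big-endian (4D4D) and once from a little-endian (4949) sample, and shows why the "which offset?" question matters: the IFD entry stores 26 (relative to the TIFF header at file offset 0x0C), while the hex editor shows the ASCII at file offset 0x26.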