The situation arose the other day where I wanted to view the metadata from a group of images as well as see the geographic location of where those images were taken, if they contained GPS information. I looked and found some very good tools that displayed the metadata of image files, such as NirSoft’s ExifDataView, but didn’t map the location. I also found some good scripts that would take the GPS coordinates contained in the images and map them in Google Maps. Since I didn’t immediately find a tool that both extracted the metadata and mapped the location, I decided to write my own.
Seeing as how I am a huge Microsoft PowerShell fan, that was my language of choice to write my ImageMapper tool.
There were a few criteria that I felt the tool must meet.
- Extract metadata from image files
- Extract GPS coordinates
- Create CSV file containing all metadata and GPS coordinates
- Create a KML file with placemarks for all images that contained GPS coordinates
- Extract zip archives of images
- Recursively get images from primary folder and subfolder
- Compute forensic hash values for each image file
What I came up with is ImageMapper.ps1 which can be found on my GitHub repository.
ImageMapper requires only the path to a folder of images or a zip file to be specified when executing the script. A destination and filename for the KML and CSV files can be specified via the -Target and -TargetFileName parameters, respectively.
However, if no target is specified the reports and extracted image files, if necessary, will be placed in a folder on the user’s desktop utilizing the target filename specified. If no target filename is specified then the current date is utilized.
PS> ./ImageMapper.ps1 -Source C:\ImageFiles.zip -Target C:\Evidence\ -TargetFileName Case-001
Initially the script determines whether a zip file or a folder of images was specified as the source and creates the two output files (KML and CSV). If the source is a zip file, the script extracts the images into a folder within the target location.
Note: at this point extracting the image files from the zip will impact the file creation time and the last accessed time of the files. Therefore timestamps should be determined utilizing other tools.
PowerShell does provide the ability to obtain limited information from the files contained within the zip archive, allowing the modified date to be obtained prior to extraction, thus providing useful forensic timestamps.
The metadata is then extracted from each image. The extracted metadata includes information relevant to the file itself such as timestamps, size, owner, etc. Photo specific information is also extracted (when available). This information could include camera model, resolution, ISO speed, focal length, lens model and maker, aperture, program mode as well as a host of other fields. Not all files will contain data for all fields.
Once the metadata is extracted, the hash values for each file are calculated. The script currently calculates MD5, SHA1, and SHA256 hash values. These could easily be changed to any of the supported hash types offered by the PowerShell hashfile cmdlet.
Once the hash values are calculated, the file is checked for GPS information. A new System.Drawing.Bitmap object is created for each file and the object is checked for GPS data. The directional information, degrees, minutes, and seconds for both latitude and longitude are extracted, as well as the altitude and distance from sea level.
Once the GPS information has been extracted the latitude and longitude are converted to decimal format for use in the KML file and Google Earth. In addition to the placemark created for each image containing GPS data some file information is added to the description for each placemark including file timestamps, hash values, file path, etc.
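The conversion and placemark steps described in the two paragraphs above can be sketched as follows. This is an added example, not code from ImageMapper.ps1: the function names and the sample bytes are constructed, and it assumes the EXIF GPS values arrive as raw byte arrays in host byte order, the form in which System.Drawing property items expose them.

```powershell
# Added example: names and sample bytes are constructed, not from ImageMapper.ps1.
function ConvertFrom-ExifRational {
    # EXIF RATIONAL = two uint32 values (numerator, denominator). Assumes host
    # little-endian order, which is how BitConverter reads them on x86/x64.
    param([byte[]]$Bytes, [int]$Offset)
    $num = [BitConverter]::ToUInt32($Bytes, $Offset)
    $den = [BitConverter]::ToUInt32($Bytes, $Offset + 4)
    if ($den -eq 0) { return 0.0 }   # guard against 0/0 in unused or malformed fields
    return [double]$num / [double]$den
}

function ConvertTo-DecimalDegrees {
    # $Dms: 24-byte value of EXIF GPS tag 2 (latitude) or 4 (longitude).
    # $Ref: ASCII value of tag 1 or 3 ('N','S','E','W'), usually NUL-terminated.
    param([byte[]]$Dms, [byte[]]$Ref)
    if ($Dms.Length -lt 24) { throw 'GPS coordinate needs three rationals (24 bytes)' }
    $value = (ConvertFrom-ExifRational $Dms 0) +
             (ConvertFrom-ExifRational $Dms 8) / 60 +
             (ConvertFrom-ExifRational $Dms 16) / 3600
    $hemisphere = [Text.Encoding]::ASCII.GetString($Ref).Trim([char]0)
    if ($hemisphere -in 'S', 'W') { $value = -$value }   # south and west are negative
    return [Math]::Round($value, 6)
}

function New-KmlPlacemark {
    param([string]$Name, [double]$Lat, [double]$Lon, [string]$Description = '')
    $inv = [Globalization.CultureInfo]::InvariantCulture      # always '.' as decimal separator
    $coords = [string]::Format($inv, '{0},{1},0', $Lon, $Lat) # KML order is lon,lat,alt
    # File names and metadata come from the evidence, so XML-escape them.
    $n = [Security.SecurityElement]::Escape($Name)
    $d = [Security.SecurityElement]::Escape($Description)
    "<Placemark><name>$n</name><description>$d</description>" +
        "<Point><coordinates>$coords</coordinates></Point></Placemark>"
}

# Constructed sample: 40 deg 26' 46.32" N, 79 deg 58' 56.00" W
function New-Rational([uint32]$n, [uint32]$d) {
    [byte[]]([BitConverter]::GetBytes($n) + [BitConverter]::GetBytes($d))
}
$latBytes = [byte[]]((New-Rational 40 1) + (New-Rational 26 1) + (New-Rational 4632 100))
$lonBytes = [byte[]]((New-Rational 79 1) + (New-Rational 58 1) + (New-Rational 5600 100))
$lat = ConvertTo-DecimalDegrees $latBytes ([byte[]](0x4E, 0))   # 'N'
$lon = ConvertTo-DecimalDegrees $lonBytes ([byte[]](0x57, 0))   # 'W'
New-KmlPlacemark -Name 'IMG_0001 & copy.jpg' -Lat $lat -Lon $lon -Description 'SHA256: (placeholder)'
```

Two details are easy to get wrong when writing KML by hand: coordinates are written longitude first, and numbers must use a period as the decimal separator regardless of the examiner's regional settings.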
The above processes are completed for each file and the information logged in the appropriate file. Once the script is complete you should be left with at least a CSV and KML file as well as an images folder containing the individual image files if a zip file was used as the source.
The ImageMapper script is still a work in progress; however, it satisfied the needs at the time and showed just what can be done with Microsoft PowerShell when it comes to files that are being analyzed.