Inspection and Sanitization Guidance for Exchangeable Image Format (EXIF)

Abstract: Exif is structured, tagged metadata contained within some media file formats. This data is used by digital camera manufacturers and applications that process digital images to provide additional information about media files. The metadata includes manufacturer-specific information such as the make, model and lens information of the device that generated the file; image information (e.g., date/time of capture) and geolocation information (e.g., latitude/longitude) can also be recorded. Exif data is found in two image standards: Joint Photographic Experts Group (JPEG) File Interchange Format (JFIF) (as defined in International Standards Organization/International Electrotechnical Commission (ISO/IEC) 10918-1) and TIFF Revision 6.0. The Exif format is also defined for audio files in the format of Resource Interchange File Format (RIFF) Waveform Audio File Format (WAVE). This guidance document examines the Exif specifications for data attack, data hiding, and data disclosure risks that exist within the metadata structure. It provides a breakdown of each component of Exif metadata and provides recommendations that can help assure that Exif data is not only compliant with the specifications, but also free of risk.

Date Published:

Last Reviewed: 02 January 2018

Identifier: CTR-U-OO-108403-18

Dissemination Control: N/A

Length: 37 page(s)

Format: pdf

Type: Reference/Overview; Report

Tags: data protection