Monday, April 16, 2007

Vista tags

Today I set out to play with Vista tags a bit. If you're not yet familiar with the idea of tagging, get a Gmail account and check it out; there they're referred to as "labels". They are tags all the same, intended to speed up searching when you're trying to find messages. Microsoft caught on and shipped this feature with Vista, and it has a certain forensic value considering that a lot of what forensic examiners deal with is explicit images. Tagging seems to have been added only for Office documents and JPEGs, for one reason or another; I suppose it's because XMP support exists only in JPEGs, TIFFs, and the new Office document format.
Tagging also ties in to saved searches, a cool feature with its own forensic value.
For a real quick overview of Vista tags, check out Lifehacker.

I decided to start with JPEG files since EXIF metadata is pretty well documented. First, I grabbed a few random pictures I had lying around from when I was doing some work in my basement and threw them onto a Vista Enterprise test box. I added a few simple tags like: basement, stairs, wall. After this I pulled the JPEG into a hex editor and noticed immediate changes. Other than existing metadata being displaced, the major addition to a tagged JPEG is a block of Adobe XMP metadata using the RDF framework. Its offset doesn't appear to be static; however, it has an easily recognizable identifier. The identifier is the XML header used for XMP:

I'm not going to bother going into the XMP specification here; if you want to read more, read the specification here.

Continuing on: Vista lets the user apply multiple tags per file and stores them in a series of RDF arrays.

Here's what a Vista user sees:

And this is what the XML looks like behind the scenes (hex removed). I apologize ahead of time for the formatting issues; I guess the XML gets processed, so I had to reverse some of the brackets to get this to post, and lost the indentation.

<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<xmp:xmpmeta xmlns:xmp="adobe:ns:meta/">
  <rdf:RDF xmlns:rdf="">
    <rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="">
      <rdf:Bag xmlns:rdf="">
        <rdf:li>stairs, wall</rdf:li>

    <rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:MicrosoftPhoto="">
      <rdf:Bag xmlns:rdf="">
        <rdf:li>stairs, wall</rdf:li>

    <rdf:Description xmlns:xmp="">

    <rdf:Description xmlns:MicrosoftPhoto="">
    <rdf:Description xmlns:dc="">
      <rdf:Seq xmlns:rdf="">
      <rdf:Alt xmlns:rdf="">
        <rdf:li xml:lang="x-default">testing</rdf:li>

I've tried to use bold-faced text to highlight the tags I used. When using a metadata processing tool, unless something converts the XMP element identifiers for you, you'll see something similar to what exiftool spits out:
[XMP] Subject : Basement, stairs, wall
[XMP] Last Keyword XMP : Basement, stairs, wall
[XMP] Rating : 4
[XMP] Rating Percent : 75
[XMP] Creator : me
[XMP] Description : testing
[XMP] Artist : me
[XMP] User Comment : cool huh?

Most metadata parsers I tried wouldn't pull out this information, since they haven't been updated to parse XMP metadata and the MicrosoftPhoto-specific tags. Note that exiftool is written in Perl and has submodules available; one is Image::ExifTool::XMP, which gets loaded as required when parsing XMP data. Harlan Carvey mentions Perl and forensics quite a bit, and I definitely think it plays an important role; this is just another reason to try it.
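As an added worked example (my code, not the author's tooling or exiftool), here is a small Python parser that does what the exiftool lines above do for the tag fields: it walks the JPEG marker segments, finds the APP1 segment that carries the XMP packet (the offset varies from file to file, but the segment's namespace prefix and the xpacket header do not), and reads the rdf:Bag lists under dc:subject and MicrosoftPhoto:LastKeywordXMP plus the rdf:Alt under dc:description. It assumes the standard namespace URIs for the rdf, dc, and MicrosoftPhoto prefixes, which the blog stripped from the listing above, and it builds its own constructed sample JPEG rather than reading a real photo. When the segment structure is damaged (a carved fragment, a missing SOI), it falls back to scanning for the xpacket header/trailer pair, which is the same trick you'd use in a hex editor.

```python
import struct
import xml.etree.ElementTree as ET

# An APP1 segment carrying XMP starts with this NUL-terminated namespace URI
# (XMP-in-JPEG convention; an Exif APP1 segment starts with "Exif\0\0" instead).
XMP_APP1_SIGNATURE = b"http://ns.adobe.com/xap/1.0/\x00"
# Standard URIs for the prefixes in the post's listing (the blog stripped them).
NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "dc": "http://purl.org/dc/elements/1.1/",
      "MicrosoftPhoto": "http://ns.microsoft.com/photo/1.0/"}


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:                      # SOS: entropy-coded data follows, stop
            return
        if marker == 0xFF or 0xD0 <= marker <= 0xD9:  # fill byte / standalone marker
            pos += 1 if marker == 0xFF else 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, payload
        pos += 2 + length


def find_xmp_packets(data: bytes) -> list:
    """XMP packets from well-formed APP1 segments (offset varies, prefix does not)."""
    return [p[len(XMP_APP1_SIGNATURE):] for m, p in iter_jpeg_segments(data)
            if m == 0xE1 and p.startswith(XMP_APP1_SIGNATURE)]


def carve_xmp_packets(data: bytes) -> list:
    """Fallback for damaged files or carved fragments: ignore the segment
    structure and locate the xpacket header/trailer pair directly."""
    packets, pos = [], 0
    while True:
        start = data.find(b"<?xpacket begin=", pos)
        trailer = data.find(b"<?xpacket end=", start) if start != -1 else -1
        end = data.find(b"?>", trailer) if trailer != -1 else -1
        if end == -1:
            return packets
        packets.append(data[start:end + 2])
        pos = end + 2


def _items(desc, prefix: str, local: str) -> list:
    """Text of each rdf:li inside <prefix:local><rdf:Bag|Seq|Alt>...</...>."""
    prop = desc.find(f"{{{NS[prefix]}}}{local}")
    if prop is None:
        return []
    return [li.text.strip() for li in prop.iter(f"{{{NS['rdf']}}}li") if li.text]


def extract_tags(xmp: bytes) -> dict:
    """Tag-bearing properties from one XMP packet: dc:subject and the
    MicrosoftPhoto copy of the same keyword list, plus dc:description."""
    found = {"subject": [], "last_keyword_xmp": [], "description": []}
    for desc in ET.fromstring(xmp).iter(f"{{{NS['rdf']}}}Description"):
        found["subject"] += _items(desc, "dc", "subject")
        found["last_keyword_xmp"] += _items(desc, "MicrosoftPhoto", "LastKeywordXMP")
        found["description"] += _items(desc, "dc", "description")
    return found


def tags_from_jpeg(data: bytes) -> dict:
    """Segment walk first; if it fails or finds nothing, carve instead."""
    try:
        packets = find_xmp_packets(data)
    except ValueError:                          # damaged structure
        packets = []
    merged = {"subject": [], "last_keyword_xmp": [], "description": []}
    for packet in packets or carve_xmp_packets(data):
        for key, values in extract_tags(packet).items():
            merged[key] += values
    return merged


# Constructed sample packet with the same tags the post used (not a real file).
SAMPLE_XMP = b"""<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF
 xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:subject><rdf:Bag><rdf:li>Basement</rdf:li><rdf:li>stairs</rdf:li>
   <rdf:li>wall</rdf:li></rdf:Bag></dc:subject>
  <dc:description><rdf:Alt><rdf:li xml:lang="x-default">testing</rdf:li>
   </rdf:Alt></dc:description></rdf:Description>
 <rdf:Description xmlns:MicrosoftPhoto="http://ns.microsoft.com/photo/1.0/">
  <MicrosoftPhoto:LastKeywordXMP><rdf:Bag><rdf:li>Basement</rdf:li>
   <rdf:li>stairs</rdf:li><rdf:li>wall</rdf:li></rdf:Bag>
  </MicrosoftPhoto:LastKeywordXMP></rdf:Description>
</rdf:RDF></x:xmpmeta>
<?xpacket end='w'?>"""


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton (not a real image): SOI, APP0, APP1/XMP, SOS, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + _segment(0xE0, app0)
            + _segment(0xE1, XMP_APP1_SIGNATURE + SAMPLE_XMP)
            + _segment(0xDA, b"\x00") + b"\xff\xd9")


if __name__ == "__main__":
    print(tags_from_jpeg(build_sample_jpeg()))
```

Run it as-is to see the three fields from the constructed sample; point tags_from_jpeg at the bytes of a real tagged JPEG to compare against exiftool's Subject, Last Keyword XMP and Description lines. The carving fallback is deliberately separate from the segment walk so you can tell whether a result came from an intact file or from a fragment, which matters when you write it up.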

There is one more thing worth mentioning about tags and the choice to add metadata directly to files: the user can easily remove this information.

That's all I've got on tags for the time being - anyone have something to add?