Chapter 20 — Exercises
Thirty problems in seven groups, mixing concept checks, hands-on labs (parse EXIF by hand, recover the embedded thumbnail, convert GPS and the 1904 epoch, surface a "redacted" PDF, analyze a video, build the timeline, write the report, and calculate-and-verify a hash), and judgment questions. Hands-on labs assume a practice image and the ExifTool/MediaInfo/FotoForensics toolset from Appendix J — Practice Images and Lab Setup. (answer in Appendix) = worked solution in Answers to Selected. ⭐ = stretch. Always work on a hashed copy extracted from your verified image — never the original. ExifTool, ELA, and "Save As" all write, and merely opening a file updates access times; the original is sacred.
Group A — The two files in one
20.1 Explain, in your own words, why every photograph, video, and document is "two files at once." Name the visible file and the invisible file, and give one example of a question that only the invisible file can answer. Then explain why a camera-original JPEG that contains no EXIF at all is a finding rather than a non-event — and the one innocent explanation you must rule out before calling it suspicious. (answer in Appendix)
20.2 Walk the segment structure of a JPEG by hand. Starting from the two-byte marker FF D8, name in order the markers you expect to meet — SOI, APP0, APP1, DQT, SOF0, DHT, SOS, EOI — and state what each contributes. For any marker segment except SOI/EOI/the scan, where is the segment length stored, how many bytes is it, what byte order is it in, and does that length include itself? Finally: what is true of any bytes that appear after FF D9, and why does that fact matter twice in this chapter (carving and steganography)?
20.3 Build the "where metadata lives" map from memory. For each of JPEG, PNG, HEIC, DOCX, legacy DOC, PDF, MP4/MOV, and AVI, name (a) the container's signature or magic bytes and (b) the structure the metadata actually lives in. Then state the unifying insight: which three image families share the TIFF/EXIF block, which two media families share the ISOBMFF box structure, and what DOCX/XLSX/PPTX really are underneath.
Group B — Reading the EXIF bytes
20.4 A JPEG begins with the bytes FF D8 FF E1 2A 7C 45 78 69 66 00 00 4D 4D 00 2A 00 00 00 08. Decode it field by field: identify SOI, the APP1 marker, the APP1 length (give the decimal value), the "Exif\0\0" identifier, the byte order, the TIFF magic number, and the offset to IFD0. State the file offset at which IFD0 begins, and explain the rule for what TIFF offsets are measured from. How does this header differ from the little-endian (II) example in the chapter, and why would mis-reading the byte order corrupt every value you extract? (answer in Appendix)
20.5 Parse a single 12-byte IFD entry: 10 01 02 00 09 00 00 00 3A 01 00 00 from a little-endian (II) TIFF block. Break it into its four fields (Tag, Type, Count, Value/Offset), name the tag (hint: 0x0110), name the data type, state how many bytes the value occupies, and explain why this entry stores an offset rather than the value inline. At TIFF offset 0x013A you would expect to find what kind of data, and how would you know where it ends?
20.6 Convert an EXIF GPS reading to decimal degrees. The GPS IFD holds Latitude [(51,1), (30,1), (0,1)] with LatitudeRef = N, and Longitude [(0,1), (7,1), (39,1)] with LongitudeRef = W. Show the degrees + minutes/60 + seconds/3600 arithmetic for each, apply the hemisphere sign rule, and give the final signed decimal pair rounded to six places. Drop it on a map in your head — roughly what city is this? (d) The same GPS IFD holds GPSAltitude = (32, 1) with GPSAltitudeRef = 0; give the altitude in meters and state what the ref byte encodes — and what a ref value of 1 would mean. (answer in Appendix)
20.7 Recover the timezone. A photo's DateTimeOriginal reads 2024:11:03 08:00:00 (local, no zone). Its GPSDateStamp/GPSTimeStamp read 2024:11:03 00:00:00 UTC. (a) Compute the UTC offset and name a region consistent with it. (b) Explain why this works — which field carries a zone and which does not. (c) Give two reasons the two clocks might disagree by something other than a clean timezone offset, and state how you would report the recovered zone given that risk.
20.8 ⭐ Lab — the thumbnail integrity tell. On a practice phone photo, run exiftool -b -ThumbnailImage img.jpg > thumb.jpg and open the extracted thumbnail; confirm it matches the full image. Now load the full image into an editor, crop out a visible object, "Save As," and re-extract the thumbnail. Report whether the thumbnail updated to match the crop. Explain in two sentences why a thumbnail that disagrees with the visible image is direct evidence of post-capture editing, and which IFD the thumbnail lives in. Why is this same artifact described in the chapter as a gift to the recovery technician?
Group C — EXIF as evidence, and its limits
20.9 Reconstruct the chapter's "two-handed finding" table. List at least four EXIF observations that support a photo's authenticity and, beside each, the corresponding cautionary fact that prevents you from treating it as proof. Then write the one-sentence reporting rule the contrast produces — the sentence you would recite under cross-examination before quoting any EXIF field.
20.10 A photo arrives in your case with no Make, Model, lens, or GPS data — only image dimensions and a generic Software string. The retaining attorney wants you to testify that the absence of camera metadata proves the image is "fake" or "doctored." (a) Explain why absence of EXIF is not evidence of forgery. (b) Name the single most common innocent cause of stripped EXIF. (c) Write the sentence you would actually put in the report about this image's origin. (answer in Appendix)
20.11 ⭐ An image's BodySerialNumber exactly matches the serial engraved on a camera seized from the suspect and logged in the chain of custody. A colleague wants to write: "This photograph was taken by the suspect's camera." (a) State what the serial match genuinely supports and the one-command reason you cannot treat it as conclusive on its own. (b) Name two independent, harder-to-forge artifacts you would seek to corroborate the binding of image to device. (c) Rewrite the colleague's sentence so it survives cross-examination, keeping the real weight while disclosing the limit.
Group D — Document metadata: who, when, and how
20.12 A report.docx will not reveal its secrets until you treat it as what it is. (a) What kind of file is a .docx, and what is its signature in hex and ASCII? (b) Name the two parts under docProps/ that answer most authorship questions, and state which one holds dc:creator vs cp:lastModifiedBy and which holds TotalTime and Template. (c) Why is the distinction between dc:creator and cp:lastModifiedBy "often the whole game" in an eDiscovery or fraud matter? (answer in Appendix)
20.13 A contract's docProps/app.xml reports TotalTime = 3 (minutes) and a Template path of \\CORP-FS01\Templates\MergerAgreement.dotx, while the party producing it swears it was an independent three-week negotiation drafted on a personal laptop. Identify the two distinct anomalies and explain, for each, what story it breaks. Then name one further OOXML part you would open to look for the names and timestamps of everyone who edited the document, even if changes were accepted. Finally, explain what the rsid values in settings.xml/document.xml let you reconstruct about the number of distinct editing sessions, even after every tracked change has been accepted.
20.14 Lab — open the envelope. On a practice .docx, copy it, rename the copy to .zip, and extract it (or use unzip -l). (a) List the parts you find under docProps/ and word/. (b) Read core.xml and record dc:creator, cp:lastModifiedBy, dcterms:created, dcterms:modified, and cp:revision. (c) Look inside word/media/ — if an image is present, run ExifTool on it and report any capture time, software, or GPS it carries. Explain why an image pasted into a memo can betray more than the memo's own metadata, and tie this to the "examine the parts, not just the whole" mistake.
20.15 Lab — the redaction that wasn't. You receive filing.pdf in which a settlement figure and a name appear under solid black rectangles. (a) Run grep -a -c "%%EOF" filing.pdf and state what the count tells you. (b) Run pdftotext -layout filing.pdf - and explain why text beneath a drawn black box is frequently recovered intact. (c) Explain the incremental update mechanism — where new revisions are written relative to the original %%EOF, and what /Prev does — and why earlier revisions (form fields before they were filled, "removed" text) survive in one physical file. Tie this to the theme deleted ≠ destroyed. (answer in Appendix)
20.16 ⭐ A legacy .doc (signature D0 CF 11 E0 A1 B1 1A E1) is central to a fraud matter. (a) Name the container format those bytes identify and the two streams where its summary metadata lives. (b) Explain the historical "fast save" behavior and why it makes legacy .doc notorious for leaking deleted text still present in the binary. (c) What chain of people and machines can a single old .doc name, and which tools (one CLI, one Python library) would you use to extract it? Compare the forensic value of this "rolling author list" to the OOXML rsid trail.
Group E — Detecting manipulation
20.17 A photo submitted as a "camera original" carries a Software tag of Adobe Photoshop 25.0, a ModifyDate earlier than its CreateDate, and an IFD1 thumbnail that shows an object missing from the visible image. Before you run a single pixel-level test, list the manipulation signals already present in the metadata pass, rank them by strength, and explain why the metadata pass is always the first and cheapest test. Which of the three signals is the hardest for a forger to explain away, and why? Then state the one limitation that applies to the entire metadata pass — the reason it can never, on its own, prove an image is authentic.
20.18 Explain Error Level Analysis precisely. (a) What does ELA actually compute, step by step (resave, subtract, amplify)? (b) Why does a region with a different compression history stand out? (c) Name three perfectly innocent features of an image that produce bright ELA responses and are routinely mistaken for tampering. (d) Write the one sentence about ELA's evidentiary status that belongs in every report — the sentence that distinguishes a "direction-finder" from "proof." (answer in Appendix)
20.19 Two JPEG analyses go deeper than ELA. (a) Explain how a JPEG's quantization tables (DQT) can contradict a claimed origin — give the example of a file whose tables match a desktop editor but whose EXIF claims a camera. (b) Explain double JPEG compression: what happens to the DCT coefficient histogram when an image is decompressed, edited, and recompressed at a different quality, and why this "JPEG ghost" is harder for a forger to defeat than ELA. Which test would you reach for when an examiner needs evidence sturdier than a glowing ELA map? (c) Both tests read the encoder's fingerprint rather than the pixels; explain why that makes them harder for a forger who works only on the visible image to anticipate and defeat.
20.20 ⭐ Build a defensible manipulation finding. You suspect an image has had an object inserted from another photograph. (a) Distinguish copy-move (clone) forgery from splicing, and name the detection approach for each (block/keypoint matching vs. seam/noise/lighting analysis). (b) You obtain: a clone-detector hit on a duplicated region, a noise-floor discontinuity along one edge, and a Software tag naming an editor. Write the finding sentence that convergence supports — and the sentence you must add stating what no single one of those tests proves alone. (c) Why does the arrival of AI-generated media (Chapter 35) make this convergence discipline more important, not less?
Group F — Steganography and video
20.21 Steganography hides the existence of data; encryption hides only its content. (a) List the five common image data-hiding locations from the chapter (appended data, LSB, JPEG coefficient, metadata stuffing, palette/alpha). (b) For each, name a detection approach. (c) Why is "anything after a JPEG's FF D9 or a PNG's IEND" both the cheapest and one of the most reliable checks? State what you do once you find such trailing bytes. (d) Explain why steganography is, for the examiner and incident responder, primarily an exfiltration and concealment concern, and why this chapter teaches only its detection. (answer in Appendix)
20.22 Lab — carve the stowaway. On a practice image named vacation.jpg, run xxd vacation.jpg | tail and binwalk vacation.jpg. Suppose the tail shows ... ffd9 504b 0304 1400 .... (a) Identify the two signatures visible and explain what they mean together. (b) State precisely where the picture ends and where the hidden content begins. (c) Carve the appended object out and identify it with file. (d) Explain why this is a detection-and-extraction exercise that requires no knowledge of any embedding tool — and contrast it with LSB stego, which usually does.
20.23 A PNG passes every signature-based stego check (stegdetect, zsteg -a find nothing obvious by name), yet you remain suspicious. (a) Explain how statistical analysis catches LSB-replacement embedding that has no tool signature — what does LSB replacement do to the distribution of "pairs of values," and which classic test (name it) detects the flattening? (b) Name one tool that automates several such tests and scores an image's likelihood of carrying an LSB payload. (c) State the honest limit: what does steganalysis tell you, and what does it almost never give you without the embedding tool and key?
20.24 Convert the 1904 epoch. An MP4's moov/mvhd box reports creation_time = 3822147843. (a) Name the epoch this counts from and the constant (in seconds) separating it from the Unix epoch. (b) Convert the value to a UTC date and time, showing the subtraction. (Sanity check: it should land in February 2025.) (c) Name the moov child boxes besides mvhd that also carry creation/modification times, and the Apple-specific udta atoms that store a date and a GPS string. Why must you tell ExifTool to interpret QuickTime dates as UTC? (answer in Appendix)
20.25 A clip's MediaInfo output shows Writing application: Lavf61.7.100 and Writing library: x264 core 164, with a variable frame rate. (a) What do Lavf and x264 tell you about the file's history, and is this consistent with a straight camera original? (b) Name two further MediaInfo fields you would read for evidentiary value (one a timestamp, one an identity). (c) Explain why I-/P-/B-frames and GOP structure matter when an edit splices or removes frames, and where the deeper authenticity analysis lives in this book. (d) Why are surveillance/DVR exports the hardest case on every axis?
20.26 Lab — analyze this clip. On a practice video, run mediainfo --Full clip.mp4 and exiftool -api QuickTimeUTC=1 -time:all -G1 clip.mp4. Report the container Format and major brand, the Encoded date, the Writing application and Writing library, the codec and profile, the resolution, and the frame-rate mode. (a) From the writing application and library alone, judge whether the clip is plausibly a straight device original or a transcode, and say why. (b) Convert the moov/mvhd creation_time to UTC and compare it against the Encoded date and the file-system MAC times — what does agreement suggest, and what would a disagreement be a thread to pull on? (c) Name one field you would treat as strong evidence of the recording device and one you would treat as weak, and justify each. (d) The clip plays at a variable frame rate where you expected a constant one; explain why VFR is itself a clue worth noting.
Group G — Judgment, the report, and the progressive project
20.27 Write the report (anchor case #4, clinical). From a hashed working copy you have established, for one recovered image: Make/Model = Apple / iPhone 13; a decoded BodySerialNumber matching a seized device; DateTimeOriginal 2024:03:14 21:07:42 (local) with SubSecTimeOriginal = 38; GPSDateStamp/GPSTimeStamp 2024:03:15 04:07:40 UTC; GPS 37.808325, −122.41845; thumbnail matching the full image; exiftool -validate clean; ELA uniform with edges only; file-system creation time after DateTimeOriginal and inside the possession window. Write a ~150-word Findings paragraph that answers "when, where, and on what device was this image created?" without characterizing content or asserting intent, states the recovered timezone, and pairs every load-bearing conclusion with its limitation. A competent cross-examiner should find nothing to impeach. (answer in Appendix)
20.28 ⭐ The insufficient-evidence finding. A contested image exists only as a screenshot of a social-media post: no EXIF, recompressed by at least two apps, no embedded thumbnail, no GPS. Counsel presses you to state when and where it was taken and whether it is authentic. (a) Explain why each technique in this chapter fails or is fatally weakened on this artifact. (b) Write the professional finding this evidence actually supports. (c) Argue, in two sentences, why "the evidence is insufficient to reach a conclusion" is a competent finding rather than a failure — and tie it to the chapter's limitations theme.
20.29 Lab — calculate and verify the hash. You will extract a derived artifact and prove the extraction altered nothing upstream. (a) Record sha256sum work/IMG_0421.jpg and note the digest. (b) Extract the thumbnail with exiftool -b -ThumbnailImage work/IMG_0421.jpg > thumb.jpg, then hash the source again and confirm it is byte-for-byte unchanged — ExifTool's read path does not modify the file, whereas any write operation (for example -DateTimeOriginal=) creates an _original backup precisely so the prior state is preserved. (c) Hash thumb.jpg and write a chain-of-custody line in the form: "ThumbnailImage extracted from IMG_0421.jpg (SHA-256 …), drawn from image EX-07.E01 (SHA-256 …), tool ExifTool 12.xx." (d) Explain why a derived artifact you intend to cite needs its own hash and provenance line, which appendix holds the worksheet, and how this enacts the second theme, the original is sacred.
20.30 Progressive project — the media-and-document layer. Add this chapter's evidence to your Forensic Case File (running since Chapter 5). (1) Recurse the image's user data with exiftool -csv -r -DateTimeOriginal -CreateDate -GPSPosition -Make -Model -Software -Creator -Producer into one spreadsheet; sort by time and by device to surface clusters and outliers. (2) For the case-relevant photos, record device/serial, capture time with sub-seconds, GPS converted to decimal degrees with the local-vs-UTC offset reconciled, and the thumbnail-vs-image comparison. (3) For contested documents, record dc:creator vs cp:lastModifiedBy, dates, revision, TotalTime, and Template (or the SummaryInformation streams of legacy .doc); for PDFs, compare /Info against XMP, count %%EOF, and check beneath "redactions." (4) Run a restrained manipulation pass (-validate, quantization/Software check, ELA) recording each result as a lead with its caveat. (5) Hash every extracted artifact into your chain-of-custody worksheet (Appendix F), and save the CSV, thumbnails, ELA outputs, and a sourced findings table into the case-file folder. List the artifacts you extracted and their SHA-256 hashes in your submission. The capstone in Chapter 38 assembles the whole file.
Self-check. You have mastered this chapter when you can take a single photo, video, or document and, without guessing, state what device made it, when, where, and whether it has been altered — each answer sourced to a specific field or test, each paired with its limit, and none overstated. If you can parse a JPEG's EXIF by hand, recover an embedded thumbnail, convert GPS and the 1904 epoch, surface text from beneath a "redaction," and write the anchor-case findings paragraph in 20.27 so that a cross-examiner finds nothing to impeach, you are ready for Chapter 21 — Timeline Analysis, where every timestamp you gathered here is fused with file-system, registry, and log times into one super-timeline — and where the contradictions between them reveal what really happened.