Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

PII Found in Image Files (.tif, .png, .jpg, .btmp)

            When PII is found in image files, it is harder to redact than in text-based files. The following is a case-study for scrubbing image files of PII. This workflow is conducted in Windows.

  1. After running bulk_extractor, check the pii.txt file. If PII is found, it will display here. The document will show you the filepaths and the PII found (here redacted with xxxs). This allows you to determine the filetypes containing PII. In this case, it is a TIF image.
  2. Open the disk image in FTK Imager. Expand the evidence tree to find the file and click on it. This opens the hex file and associated text string in FTK’s main window.
  3. Because this is an image, you need to determine that the PII string is really in the text or metadata and not a mistake in bulk_extractor. Press CTRL+F to search for the PII in the text string. If it is present, it will be highlighted in blue (here redacted). Now, you know that the PII string is present in the text.
  4. Because FTK is write-blocked, you need to open the file in a different tool. Right click on the file in FTK’s evidence tree and export it to an external folder.
  5. Next, open XnViewMP.
  6. When the application opens, you will see three windows: the folder tree, the filepath and folder view, and Preview. Click File>Open to open the folder containing the extracted image(s). The image(s) will appear in the folder view.
  7. Click on the image to open it in Preview. Determine that the PII is not visually present in the image. WHAT IF IT IS.
  8. Browse through the tabs on the left (Preview, etc.) to determine whether PII is present. WHAT IF IT IS.
  9. If the PII is not visible on the image or in the associated text, you will need to reformat the image to scrub the PII from extant metadata. Right-click on the image and select Convert into>JPEG. Converting an image into a JPEG condenses the amount of available metadata space, and should automatically delete the PII. Once you convert, the .jpeg file will appear in the folder.
  10. Next, open Super Hex Editor. Click File>Open and open the .jpeg image file. You will see the hex file and text displayed.
  11. Click Edit>Find. Paste the hexadecimal string or PII text into the Find box (here redacted).

  12. Click Find First. If nothing appears, you have successfully scrubbed the PII from your .jpeg file.
  13. Next step!
  • No labels

Confluence Documentation | Web Privacy Policy | Web Accessibility