Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Snipping Leaks SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Snipping Leaks

ISC reader Phil asked a great question earlier today: "I'm wondering if there are data leakage concerns with screenshot tools such as MS Snipping Tool, if such tools have metadata in any of the formats they support".

Well, yes, they do.

Screenshots taken with the MS Snipping Tool and saved in JPG format contain both an EXIF and XMP header. You can look at what's in there for example with Phil Harvey's excellent ExifTool (

The leakage is nowhere near as extensive as what is often found in MS Office documents, but it is definitely present. Among lots of information that describe the geometry of the screenshot taken, the more interesting fields include the name of the user who created the "snip", as well as the time stamp. The name is the full user name as configured for the respective windows account. If you want to surreptitiously post an image somewhere under a pseudonym, that's definitely a point to keep in mind ;).

EXIF and XMP tags can be readily removed - again using ExifTool, a simple "exiftool -ALL= image.jpg" will remove all meta tags from the image. Exiftool is friendly enough to create a backup named image.jpg_original, in the rare case something goes wrong in the process.

If you use other screen capture tools and have information on the meta data that gets stored together with the capture, please comment below or via our contact form.



367 Posts
ISC Handler
Nov 30th 2012

Sign Up for Free or Log In to start participating in the conversation!