the home of online investigations

Joseph Mifsud: Rush for the EXIF

October 26, 2018

By Raphael Satter

I write about cybersecurity for The Associated Press, but like other reporters I pitch in on other investigative tracks too. That includes occasional forays into covering the fallout from Russia’s 2016 election interference. On Monday, I published a story on Joseph Mifsud, the enigmatic Maltese academic who is alleged to have dropped publicly known hint of Russian interference in the 2016 vote. Mifsud has since gone to ground and, while I couldn’t locate him, I did speak to his lawyer, whose office supplied me with a photo of the man.

The picture shows Mifsud in what appears to be an office somewhere, wearing a white collared shirt and clasping a pen in his right hand, looking up at the camera with a serious, slightly quizzical look. On the table: a signed power of attorney document and the May 17 edition of Zurichsee-Zeitung, a Swiss-German newspaper. Also on the table, off to the side, is what appears to be a copy of the Democratic National Committee’s lawsuit against the Russian government, WikiLeaks, the Trump campaign, and many others (including Mifsud) resting under a pair of eyeglasses. It’s just barely visible, but Mifsud’s name appears to be highlighted in pink. On a chair to Mifsud’s right is a dark blazer and a stylish attache case.

Stephan Roh, Mifsud’s lawyer, said he was providing me with the image for verification purposes and asked me not to publish it. His office suggested I look at the EXIF to verify that the photo was in fact taken in Zurich (and not, for example, in Moscow.) So I did. EXIF data (the acronym stands for Exchangeable File Image Format) is far from cast-iron; it can pretty easily edited. But it’s always worth examining. In this case, the photographer seems to have made things easy. GPS data embedded in the EXIF suggested the picture was taken with an iPhone at 47.375300 North, 8.537433 East and 409.3445378 meters above sea level. The website LatLong.net gives Zurich’s coordinates as 47.376888 North and 8.541694 East; “The Book of Cities”gives its altitude as 408 meters. I found the EXIF timestamp, around noon on May 21, 2018, consistent with the newspaper on the table (even if the paper was by then five days old.) Satisfied with a cursory verification, I included a brief reference to the metadata in my story.

But soon after publishing I learned that the EXIF data can be mined for much more — and the folks at Bellingcat have shown, once again, that crowdsourcing is a fantastic way of seeking help. Within minutes of the open source experts picking up my request for help, users were cross-referencing version histories, poring over the brightness levels and even counting the number of pixels to see what kind of an iPhone had shot the picture.

My appeal for help that was rebroadcast by Bellingcat (I misspelled “note”)

One user geolocated the photo to downtown Zurich; another provided an address that was only one door down from Roh’s law firm.

This was very close; the law firm’s address is Seidengasse 15

A third user picked up on the program name, 11.3.1, and said it was a reference to iOS 11.3.1, an update to the iPhone’s operating system that was released on April 24, 2018 — a month before the photo’s date. (iOS 12, the operating system’s next iteration, was released in September.) So far, so logical. But a verification trick that was new to me was using pixel counts to determine the iPhone model.

The size of some images can be used to reverse engineer smartphone model numbers

The EXIF data did in fact identify the camera as an iPhone 6, although I didn’t post that until a few minutes later.

Pixel counting is clever, but this user really impressed me when we got to arguing about whether the brightness of the light recorded in the EXIF data made sense. A fifth user said the f-stop (2.2) shutter speed (1/33) and ISO (100) suggested that the photo was taken outdoors — which obviously isn’t consistent with the indoor (albeit well-lit) shot of Mifsud that I had. So the pixel-counter ran an experiment:

Nothing beats a field test

A sixth user referred us to a digital photography website to buttress the point. And, just to make sure, the user who’d matched the coordinates to the Seidengasse address checked the weather that day around noon. It was sunny.

seventh user pointed me to a site I didn’t know existed: Jeffrey’s Image Metadata Viewer. The site is useful for extracting EXIF data from photos which I eventually did here (note that I painted over the entire image in black before uploading it, which explains the reference to Paint.net in the metadata.)

A selection of EXIF data extracted using Jeffrey’s Image Metadata Viewer:

I learned a lot from this brief crowdsourcing episode— and I hope this will be useful for other EXIF sleuths. Meanwhile, if you have other photos of Joseph Mifsud, please send them my way.

This article was first published to Medium and is being reprinted here with permission. The author has no affiliation with Bellingcat.

Raphael Satter

Raphael Satter is a Europe-based journalist who covers cybersecurity for The Associated Press.

Join the Bellingcat Mailing List:

Enter your email address to receive a weekly digest of Bellingcat posts, links to open source research articles, and more.

Support Bellingcat

You can support the work of Bellingcat by donating through the below link:

9 Comments

  1. Ron

    Why are you concerned about Joseph Mifsud to this extent? You have been told by his lawyer that is fine and alive. What else are you trying to expose? I don’t understand. Are you trying to find the exculpatory evidence to exonerate George Papadopoulos? I do hope so.

    Good article though, I guess. Definitely, interesting.

    Reply
  2. Servus

    There is something strange about this photo, it’s probably just too good. The Swiss layer, Mr Stephan Roth, tries to plant a rumour that Mifsud is a western secret agent, maybe Italian maybe some other countries as well, that is a part of a larger plot against Mr Trump. And here is a photo of the “secret agent ” surrounded by some object stressing his active interest in the plot….

    Maybe it would be interesting to have a forensic expert look at the photo and try to establish if the person on the photo is alive.

    I would also try to recreate the room with correct distances, light source placement etc. and make a photo with exact the same iPhone and camera settings and then try to compare the shades and shapes with the provided original.

    Many things in the AP story (BTW great journalistic work) astonishes me, but mostly Mr Roth’s role and activities. How come a notoriously broke Mr Mifsud, chased for theft of relatively small amounts of money can afford a Swiss lawyer? How come this lawyer has only a very sporadic contact with his client but is ready to sue anybody accusing Mr Mifsud of being a Russian spy, ready to spent money to protect his client’s good name and… at the same time writes a book with allegation that Mr Mifsud is a spy for Italian and maybe other unspecified secret services plotting against Trump. So against this backdrop, isn’t’ this photo just too much?

    Maybe Mr Mifsud was used just once to transmit information to Papadopoulos and then became a liability, the man could not be trusted to keep a secret, the source of the information?

    And why there is an immediate note in here by “Ron” trying to question interest in Mr Mifsud and suggest that the right course of action is to find “exculpatory evidence to exonerate” Mr Papadopoulos, already sentenced for lying to FBI under oath?

    The question is, why would anybody care about Papadopoulos ?

    Reply
    • Giovanni Aaron Disch

      I life in Zürich and I make investigation. Zürich was, and is and will be a city full of people in high position how are criminal.

      Reply
  3. Mark S

    The AP article proves itself to be completely empty, though perhaps this is irrelevant to the points here. Its principal thesis seems to come from Gaiser, one of few people who seem actually to have studied Mifsud. It develops the thought that he moves through the dismal phases of his feckless career in the academic-diplomatic demimonde – which must include thousands exactly like him – by crashing, leaving (ludicrously small) bills and fleeing. Then – surprise! – he resurfaces … as the breathing organism must. It’s like an entrepreneur with a series of failed startups, resurfacing in Miami, but then later in Vegas. The phases are developed in detail and made to seem sinister when it is more like the standard-issue biography a mediocrity inadequate to his own field.

    Finally you come back to the one who seems to grasp the essence of the matter, Gaiser, and he says, what was obvious, that Mifsud is a total non-entity who can’t possibly explain anything. But, worried we might lose the sinister possibility that keeps the “maybe… maybe” of a conspiracy theory going in the fevered mind, you quote the student who bailed, no doubt sensibly, after three weeks and who cannot possibly know anything.

    Reply
    • C. Scott Ananian

      Even if it can be altered, the more details that are consistent the greater the cost of the forgery. So it is evidence, if nothing else than of cost, ie “how important someone feels that an airtight alibi is” (if you feel this is a forgery). And in any large conspiracy, there will inevitably be slip ups and loose ends, because human nature, so it is worth pulling on all the threads just to check.

      So yes, nothing is perfect evidence. The fact that the details check out doesn’t tell us much, perhaps—but if some of the details *didn’t* check out, that would have been very interesting!

      Reply
  4. Giovanni Aaron Disch

    I life in Zürich and I make investigation. Zürich was, and is and will be a city full of people in high position how are criminal.

    Reply
  5. Chad McGrath

    Great article. You mentioned you used Paint on what I assume to be a .jpg image, so it’s very unlikely that the original image was hidden underneath another layer or anything like that. It might be worth you mentioning to use caution when redacting files like that by blurring, drawing over or otherwise obscuring the original content. Things like this can sometimes be partially or perfectly reversed.

    Reply

Leave a Reply

  • (will not be published)