EXIF Forensics

By: Janet Smith

While digital forensics creates particular investigative challenges, I relish when a case involves digital photos. Often, these are integral to solving my investigation. A photo may involve contraband, a subject, a victim, a program, or even a weapon. In cases I'm not at liberty to discuss, these photos led to the smoking gun, so to speak. In these cases, every piece of file metadata is valuable.

Metadata is data about data. When a digital photo is involved, an often overlooked but informative type of metadata is Exchangeable Image File Format (EXIF) data. It helps me unearth details within image files. These details not only shed light on the origin, authorship, and alteration history of photos, but can also lead to locations, help cluster information, and provide helpful insights. In this article, I explain EXIF data and describe in detail some of the information it can provide. I conclude by listing several software tools that I've used in one form or another to help analyze EXIF data.

What is EXIF Data?

I heard of EXIF in a side discussion during a national white-collar crime center course. EXIF is a metadata standard used by digital cameras, smartphones, scanners, and many other devices. When a photo is captured or edited, devices automatically embed EXIF data into the image file. This data provides valuable information about the image, such as the camera make and model, the date and time of the photo, exposure settings, location (if GPS-enabled), and more. It was just the clue that I needed. The data embedded within JPEG, TIFF, and some RAW image formats is critical, and tools help us to view, analyze, and extract it.

Types of Information Available in EXIF Data

In my case, the EXIF metadata was essential, and here is why.

Date and Time Information

The date and time of my key photo were critical to my event timeline. However, I didn't have the original cell phone yet. We noted that verifying the camera or device's date and time settings would be necessary if we got the phone, as they may not always be accurate.

Device Information

The good news is we had some key information: the make and model. Knowing which device captured a photo can help establish the authenticity and origin of the image.

Camera Settings

EXIF data records exposure time, aperture, ISO speed, focal length, and whether a flash was used. These details can provide clues about the lighting and environment at the time of capture, which can be relevant in verifying the photo's context. However, they weren't pertinent to my case.

GPS Location

The perpetrator took the photo with a GPS-enabled cell phone. The photo included the latitude, longitude, and altitude, which gave me a starting point. This data was extremely valuable to my case because it helped pinpoint specific dates/times and a critical location.

Editing History

Some EXIF metadata entries indicate whether an image was edited or manipulated, including the software used for modification. There didn't appear to be any in my case.

Orientation and Thumbnail Data

EXIF data includes image orientation (portrait or landscape), which can be helpful when reconstructing evidence. Additionally, EXIF metadata may contain thumbnails, which are smaller versions of the original image.
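
The date/time and GPS points above can be checked against each other: the GPS tags carry UTC, while DateTimeOriginal is the device's own clock. The following Python is an added example, not code from the original article; it assumes the tag values have already been extracted by an EXIF reader under their standard EXIF tag names, and the SAMPLE values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from fractions import Fraction

# Constructed sample: tag values as an EXIF reader might return them.
# Rationals are (numerator, denominator) pairs, as stored in the file.
SAMPLE = {
    "DateTimeOriginal": "2023:06:14 09:12:40",    # device clock, no time zone
    "OffsetTimeOriginal": "-04:00",               # optional (EXIF 2.31 and later)
    "GPSDateStamp": "2023:06:14",                 # UTC date of the GPS fix
    "GPSTimeStamp": ((13, 1), (15, 1), (10, 1)),  # UTC hours, minutes, seconds
    "GPSLatitudeRef": "N",
    "GPSLatitude": ((38, 1), (53, 1), (2310, 100)),
    "GPSLongitudeRef": "W",
    "GPSLongitude": ((77, 1), (2, 1), (1194, 100)),
}

def rat(pair):
    """Turn an EXIF rational into a Fraction, rejecting malformed values."""
    num, den = pair
    if den == 0:
        raise ValueError("rational with zero denominator")
    return Fraction(num, den)

def gps_decimal(dms, ref):
    """Degrees/minutes/seconds plus N/S/E/W reference -> signed decimal degrees."""
    d, m, s = (rat(p) for p in dms)
    value = d + m / 60 + s / 3600
    return float(-value if ref in ("S", "W") else value)

def gps_utc(tags):
    """Combine GPSDateStamp and GPSTimeStamp into an aware UTC datetime."""
    h, m, s = (rat(p) for p in tags["GPSTimeStamp"])
    day = datetime.strptime(tags["GPSDateStamp"], "%Y:%m:%d").replace(tzinfo=timezone.utc)
    return day + timedelta(hours=float(h), minutes=float(m), seconds=float(s))

def clock_skew(tags):
    """Device clock minus GPS time, or None when the offset tag is absent."""
    offset = tags.get("OffsetTimeOriginal")
    if not offset:
        return None  # local time without a zone cannot be compared to UTC
    sign = -1 if offset[0] == "-" else 1
    hh, mm = offset[1:].split(":")
    tz = timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))
    local = datetime.strptime(tags["DateTimeOriginal"], "%Y:%m:%d %H:%M:%S").replace(tzinfo=tz)
    return local - gps_utc(tags)

if __name__ == "__main__":
    print(gps_decimal(SAMPLE["GPSLatitude"], SAMPLE["GPSLatitudeRef"]),
          gps_decimal(SAMPLE["GPSLongitude"], SAMPLE["GPSLongitudeRef"]),
          clock_skew(SAMPLE))
```

A non-zero skew shifts every timeline entry derived from DateTimeOriginal by that amount. When OffsetTimeOriginal is absent the function returns None, because the time zone then has to be established from another source.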