Enter EXIF – An introduction to image file meta data
Photographs have become a ubiquitous part of the way we communicate. The estimated 3 billion smartphone users on the planet have both ready access to a digital camera, and the means to store and disseminate…
Photographs have become a ubiquitous part of the way we communicate. The estimated 3 billion smartphone users on the planet have both ready access to a digital camera, and the means to store and disseminate their images.
Messaging app SnapChat estimates that over 4 billion images are sent using their service each day, while in 2016 Instagram estimated that over 95 million images were uploaded daily.
So, it should come as no surprise that photographs can prove to be an invaluable part of investigations. And while much can be gleaned from the image itself, often “looking under the hood” can reveal more than meets the eye.
EXIF tags are an easy place to start. EXIF stands for “Exchangeable Image File Format”. It is a standard that defines a series of metadata tags that are embedded within images, most commonly JPEG and TIFF images.
In addition to the usual file system metadata that accompanies digital images, EXIF tags provide information relating to both the image and the device used to capture it. This can include:
- Camera make and model
- Date and timestamps
- Geolocation data
- Camera configuration, such as aperture and flash settings
Not surprisingly, the availability of this rich metadata has raised privacy concerns, resulting in social networking sites such as Instagram and Facebook stripping out EXIF tags from images uploaded by users.
It is quite easy to view the metadata captured in EXIF tags. For example, if you have any images taken on a digital camera, phone, or tablet saved onto a Windows PC, you can right-click on the photo, select Properties:
Then click on the Details tab in the Window that appears:
In the example above, you can see EXIF tags relating to the camera’s make and model, as well as some basic settings used to take the photograph.
One of the most common uses of EXIF tags is to establish the geographic location where a photograph was taken. Drawn from the device’s GPS connection, geolocation tags have been employed in conjunction with date and time metadata to establish the whereabouts of individuals at a specific time.
Similarly, tags that identify a camera’s make, model, and, in some cases, serial number can be used to attribute a photograph to a particular individual.
While EXIF tags are not impervious to manipulation or removal, there is undoubtedly value in examining this metadata, particularly when images are collected directly from the source device.
Finding the needle
While it is straightforward to view EXIF tags within a single photograph, how do you handle the hundreds, if not thousands of images that reside on the average mobile device?
Other features of these products can also help you to analyse this data. For example, Workstation can visualise geolocation tags on a map. This allows investigators to quickly identify patterns or relationships, such as movements of an individual.
This can be used in conjunction with other features, including the ability to automatically identify images with a high prevalence of skin tone (useful for pinpointing potentially illicit or inappropriate photographs), images that contain faces, and even the ability to classify images according to objects they depict, such as guns, drugs or cars.
The old cliché that “a picture paints a thousand words” can hold true in investigations. With the right toolkit, delving below the surface of digital photographs can certainly tell a captivating story.