Enter EXIF – An introduction to image file metadata

Photographs have become a ubiquitous part of the way we communicate. The estimated 3 billion smartphone users on the planet have both ready access to a digital camera, and the means to store and disseminate their images.

Messaging app Snapchat estimates that over 4 billion images are sent using its service each day, while in 2016 Instagram estimated that over 95 million images were uploaded daily.

So, it should come as no surprise that photographs can prove to be an invaluable part of investigations. And while much can be gleaned from the image itself, often “looking under the hood” can reveal more than meets the eye.

Enter EXIF

EXIF tags are an easy place to start. EXIF stands for “Exchangeable Image File Format”. It is a standard that defines a series of metadata tags that are embedded within images, most commonly JPEG and TIFF images.

In addition to the usual file system metadata that accompanies digital images, EXIF tags provide information relating to both the image and the device used to capture it. This can include:

  • Camera make and model
  • Date and timestamps
  • Geolocation data
  • Camera configuration, such as aperture and flash settings

Not surprisingly, the availability of this rich metadata has raised privacy concerns, resulting in social networking sites such as Instagram and Facebook stripping out EXIF tags from images uploaded by users.

It is quite easy to view the metadata captured in EXIF tags. For example, if you have any images taken on a digital camera, phone, or tablet saved onto a Windows PC, you can right-click on the photo, select Properties, and then click on the Details tab in the window that appears.

The Details tab lists EXIF tags relating to the camera’s make and model, as well as some basic settings used to take the photograph.

One of the most common uses of EXIF tags is to establish the geographic location where a photograph was taken. Drawn from the device’s GPS connection, geolocation tags have been employed in conjunction with date and time metadata to establish the whereabouts of individuals at a specific time.

Similarly, tags that identify a camera’s make, model, and, in some cases, serial number can be used to attribute a photograph to a particular individual.

While EXIF tags are not impervious to manipulation or removal, there is undoubtedly value in examining this metadata, particularly when images are collected directly from the source device.
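To show where these values sit inside the file, the following added example (not part of the original article) reads the make, model, timestamp and GPS tags directly from a JPEG's APP1 "Exif" segment using only the Python standard library. The function names and the sample image, built in `sample_jpeg()` with made-up values, are assumptions for illustration.

```python
import struct

SIZES = {2: 1, 4: 4, 5: 8}  # bytes per value: ASCII, LONG, RATIONAL (other types skipped)
NAMES = {0x010F: "make", 0x0110: "model", 0x0132: "datetime"}

def find_tiff(jpeg):
    """Walk JPEG segments; return the TIFF block of the APP1 'Exif' segment, or b''."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + max(length, 2)
    return b""

def read_ifd(tiff, offset, e):
    """Yield (tag, value) for one image file directory; e is the struct byte-order prefix."""
    count = struct.unpack_from(e + "H", tiff, offset)[0] if offset + 2 <= len(tiff) else 0
    for start in range(offset + 2, min(offset + 2 + 12 * count, len(tiff) - 11), 12):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", tiff, start)
        size, at = SIZES.get(typ, 0) * n, struct.unpack(e + "I", raw)[0]
        data = raw[:size] if size <= 4 else tiff[at:at + size]  # inline value or offset
        if size and len(data) == size:  # skip values that point outside the block
            if typ == 2:
                yield tag, data.split(b"\0")[0].decode("ascii", "replace")
            elif typ == 5:
                yield tag, [a / b if b else 0.0 for a, b in struct.iter_unpack(e + "II", data)]
            else:
                yield tag, struct.unpack_from(e + "I", data)[0]

def exif_summary(jpeg):
    """Return make/model/datetime plus signed decimal lat/lon from a JPEG's EXIF tags."""
    tiff = find_tiff(jpeg)
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2]) if len(tiff) >= 8 else None
    ifd0 = dict(read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)) if e else {}
    rec = {name: ifd0[t] for t, name in NAMES.items() if t in ifd0}
    gps = dict(read_ifd(tiff, ifd0[0x8825], e)) if isinstance(ifd0.get(0x8825), int) else {}
    for ref, val, key in ((1, 2, "lat"), (3, 4, "lon")):  # GPS ref tag, value tag, output key
        if ref in gps and isinstance(gps.get(val), list) and len(gps[val]) == 3:
            d, m, s = gps[val]  # degrees, minutes, seconds
            rec[key] = round((d + m / 60 + s / 3600) * (-1 if gps[ref] in ("S", "W") else 1), 6)
    return rec

def sample_jpeg():  # constructed input: SOI + APP1/Exif (big-endian TIFF) + EOI, no pixels
    ent, off = struct.Struct(">HHI4s").pack, struct.Struct(">I").pack
    tiff = (b"MM\0*" + off(8) + b"\0\3" + ent(0x10F, 2, 4, b"Lab") + ent(0x132, 2, 20, off(50))
        + ent(0x8825, 4, 1, off(70)) + off(0) + b"2019:03:14 09:26:53\0" + b"\0\4"
        + ent(1, 2, 2, b"S") + ent(2, 5, 3, off(124)) + ent(3, 2, 2, b"E") + ent(4, 5, 3, off(148))
        + off(0) + struct.pack(">12I", 33, 1, 51, 1, 54, 1, 151, 1, 12, 1, 36, 1))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

Because every offset is bounds-checked, a truncated or edited file yields a partial record rather than an exception. Calling `exif_summary()` on the bytes of each file in a folder gives one row per image that can be sorted by timestamp or plotted by coordinate.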

Finding the needle

While it is straightforward to view EXIF tags within a single photograph, how do you handle the hundreds, if not thousands, of images that reside on the average mobile device?

Forensic and eDiscovery platforms, such as Nuix Workstation, can assist. These systems can process large volumes of unstructured data to extract, report on, and search document metadata.

Other features of these products can also help you to analyse this data. For example, Workstation can visualise geolocation tags on a map. This allows investigators to quickly identify patterns or relationships, such as movements of an individual.

This can be used in conjunction with other features, including the ability to automatically identify images with a high prevalence of skin tone (useful for pinpointing potentially illicit or inappropriate photographs), images that contain faces, and even the ability to classify images according to objects they depict, such as guns, drugs or cars.

The old cliché that “a picture paints a thousand words” can hold true in investigations. With the right toolkit, delving below the surface of digital photographs can certainly tell a captivating story.

For expert eDiscovery advice, speak to John Porter, TIMG eDiscovery Consultant, on +61 2 9305 9500.