Photo Forensics

Remember what it was like in the 90’s when you needed to take a picture?  My family almost always used disposable cameras with film or Polaroid cameras with self-developing film.  Jump ahead 20 years and film is only being used by professional photographers, while everyone else is using digital photos and storage.

One major difference is that now digital forensic examiners can gain a ton of information about the pictures you created with your iPhone or digital camera from “metadata”.

Metadata is a broad term that generally refers to “data about data”.  Imagine your trendy Pink Floyd T-shirt is data and the tag on your shirt is metadata.  You can learn a lot about your T-shirt by reading that tag, and the same applies to metadata within files and images.

Image files have a specific type of metadata called “EXIF” data which stands for exchangeable image file format.  Name an image file type and it probably has EXIF data: JPEG, PNG, JPG, TIFF, GIF, etc.

I know what you’re thinking: “Gee Matt, that sure sounds boring, why should I care?”.  Here are some reasons to care:

  • GPS data
  • Original Creation Date/Time
  • Make
  • Model

 

Take the image below for example:

gf

 

I took this image with my phone several years ago while visiting San Francisco.  I have no idea what the date or time was, the phone I used, nor do I remember where in the city this was, but my forensic instincts tell me I can find out.  I took a peek at the EXIF data contained within this image and found the following items:

 

Creation Date/Time: October 3, 2011 11:16:19
Make: Apple
Model: iPhone 3GS
GPS Altitude: 34.9 m Above Sea Level
GPS Position: 37 deg 47′ 24.00″ N, 122 deg 24′ 44.40″ W

 

This image was taken with my iPhone 3GS, was then transferred to my iPhone 5, then to my iPhone 6, and then to my iPhone 6s.  After several years and several migrations, the image EXIF remained intact and I can now use it to determine things about the image that I had completely forgotten or didn’t know.

Using the GPS coordinates I was able to locate the fire hydrant at the corner of Taylor St and Bush St in San Francisco.  I took a screen shot from Google Maps to prove it:

map

Now, imagine how useful this information might be in an investigation or litigation case.  Also consider, this is not a complete list of metadata that can be obtained from images, it’s just the most interesting.