EXIF metadata is structured data embedded inside digital image files at the moment of capture — recording the GPS coordinates where the photo was taken, the device that took it, the exact timestamp, camera settings, and in some cases the software used to edit it. For OSINT investigators, EXIF data is a high-value pivot source: a single photograph can confirm a subject’s location, establish a timeline, identify a device, and open entirely new investigative pathways.
Quick Answer: Every digital photo contains hidden metadata created automatically by the capturing device. The most investigatively valuable fields are GPS coordinates (exact location where the photo was taken), timestamp (date and time of capture), device identifier (make, model, and sometimes serial number of the camera or phone), and software (editing applications used after capture). EXIF data is extracted using tools like ExifTool, Jeffrey’s EXIF Viewer, or Metadata2Go — and every piece of extracted data is a potential pivot identifier for the next phase of the investigation.
EXIF in one sentence: A photograph is not just an image — it is a document, and like every document it carries metadata that can identify where it came from, when it was created, and what created it.
The limitation that makes EXIF investigation conditional rather than universal: most major social media platforms strip EXIF data when photos are uploaded. Images shared directly — via email, messaging apps that preserve metadata, direct file downloads, or from sources that don’t strip metadata — retain their EXIF data intact. Understanding when EXIF data is likely to be present and when it has been stripped is as important as knowing how to extract it.
⚠️ Legal Notice: Extracting EXIF metadata from images you have legitimately obtained is legal — the data is embedded in the file itself. Obtaining images through unauthorized access to accounts, devices, or systems to extract their metadata may violate the Computer Fraud and Abuse Act (18 U.S.C. § 1030). This guide covers metadata extraction from lawfully obtained images only and does not constitute legal advice.
Why This Guide Is Reliable
inet-investigation.com publishes research-based guides built on primary government sources, investigative practice, and public records law. This article is part of the OSINT series and connects to Phase 4 (pivoting) of the 8-Phase OSINT Investigation Framework — EXIF data is a pivot source, and every identifier it contains is a new search entry point.
Where This Guide Fits
For the complete investigation process: OSINT Workflow: The 8-Phase Investigation Framework
For what to do with EXIF identifiers once extracted: OSINT Pivoting: How to Follow Data Connections
For protecting your own EXIF data during investigations: OPSEC for Investigators
What EXIF Metadata Actually Is
EXIF stands for Exchangeable Image File Format. It is a standard for embedding metadata in image files — specifically JPEG, TIFF, and RAW formats — that was established by the Japan Electronic Industries Development Association in 1995 and has been built into virtually every digital camera and smartphone camera ever since.
When you take a photo, the capturing device writes a structured block of data into the image file alongside the pixel data. This block contains dozens of fields describing the circumstances of capture. The image you see and the metadata describing how it was created are stored together in the same file — invisible in normal image viewing, but accessible to any tool that knows how to read it.
Why EXIF exists: The original purpose was to allow photo editing software and printing services to automatically apply the correct settings — color space, orientation, resolution — when processing images. The investigative usefulness is a byproduct of a system designed for technical image processing.
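To make the "structured block alongside the pixel data" concrete, the following added example (not code from this guide or from ExifTool) walks a JPEG's segments, finds the Exif APP1 segment, and decodes the ASCII entries of its first image file directory. The sample file is constructed inline and the device names in it are made up.

```python
import struct

# TIFF tag IDs for three ASCII fields stored in IFD0.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}

def build_sample_jpeg():
    """Constructed sample: SOI, one Exif APP1 segment, EOI (no pixel data)."""
    values = [(0x010F, b"ExampleCam\x00"), (0x0110, b"Model X1\x00"),
              (0x0132, b"2024:03:15 14:32:11\x00")]
    data_start = 8 + 2 + 12 * len(values) + 4  # header, count, entries, next-IFD
    entries, blob = b"", b""
    for tag, val in values:
        # Type 2 = ASCII. Values longer than 4 bytes live at an offset.
        entries += struct.pack("<HHII", tag, 2, len(val), data_start + len(blob))
        blob += val
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", len(values))
            + entries + struct.pack("<I", 0) + blob)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"

def find_exif_tiff(jpeg):
    """Walk JPEG segments; return the TIFF block of the Exif APP1 segment or None."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or start of scan: metadata is over
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if seg_len < 2:                 # malformed length, stop instead of looping
            break
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return None

def read_ifd0(tiff):
    """Decode the ASCII entries of IFD0 into a {field name: value} dict."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # little or big endian
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    (ifd_off,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    fields = {}
    for i in range(count):
        start = ifd_off + 2 + 12 * i
        tag, typ, n, value = struct.unpack(order + "HHI4s", tiff[start:start + 12])
        if typ != 2:                    # this example only decodes ASCII entries
            continue
        if n <= 4:                      # short values sit inside the entry itself
            raw = value[:n]
        else:                           # longer values are referenced by offset
            (off,) = struct.unpack(order + "I", value)
            raw = tiff[off:off + n]
        fields[TAGS.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return fields

def extract(jpeg):
    """Return IFD0 text fields, or an empty dict when no Exif segment exists."""
    tiff = find_exif_tiff(jpeg)
    return read_ifd0(tiff) if tiff is not None else {}

if __name__ == "__main__":
    print(extract(build_sample_jpeg()))
    print(extract(b"\xFF\xD8\xFF\xD9"))   # a file with no metadata segments
```
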
The EXIF Fields That Matter Most for Investigators
Not all EXIF fields carry equal investigative value. These are the high-priority fields:
GPS Coordinates
The most powerful EXIF field for investigators. When GPS is enabled on a smartphone at the time of capture, the device embeds the precise latitude and longitude — sometimes accurate to within a few meters — of where the photo was taken.
What it reveals:
- The exact location where the photo was taken
- Whether the claimed location matches the actual location
- A property address, business location, or geographic area that can be pivoted to property records, court records, and business registrations
Format: GPS data appears as decimal degrees or degrees/minutes/seconds. Both formats can be entered directly into Google Maps or Google Earth to display the location.
Pivot use: GPS coordinates → Google Maps (confirm location type) → county assessor (confirm property ownership) → business registration search (confirm what operates at that address) → street view (confirm visual match to image background)
Timestamp
EXIF timestamps record the date and time of capture — typically in the device’s local time zone, though some fields record UTC.
Relevant timestamp fields:
- DateTimeOriginal — when the shutter was pressed
- DateTimeDigitized — when the image was digitized (same as original for digital cameras)
- DateTime — when the file was last modified (may differ from capture time if the image was edited)
What it reveals:
- The date and time a photo was actually taken — which may contradict a claimed timeline
- Whether the image was edited after capture (if DateTime differs significantly from DateTimeOriginal)
- Time zone inference from the timestamp combined with GPS coordinates
Pivot use: Timestamp + GPS → establish subject’s location at a specific time → cross-reference with claimed alibi, claimed travel, or documented events during the same period
Device Identifier
EXIF records the make and model of the capturing device — “Apple iPhone 15 Pro,” “Samsung Galaxy S24,” “Canon EOS R5.”
What it reveals:
- The type of device used
- In some cases, enough to narrow down individual device identification when combined with other metadata fields
- Consistency across multiple images (same device used across a series of photos confirms they came from the same source)
More specific identifier — serial number: Some cameras embed the camera body’s serial number in EXIF data (Canon and Nikon cameras commonly do this). A serial number is a unique identifier that, combined with manufacturer records or camera registration databases, can link a specific image to a specific physical device.
Pivot use: Device model → narrow the search for associated accounts and platform activity → camera serial number → manufacturer registration records (if accessible)
Software
Records the application used to process or edit the image after capture.
What it reveals:
- Whether the image was edited and with which software
- The software version, which may indicate the approximate period of editing
- Inconsistency between claimed original capture and evidence of editing
Common values:
- Adobe Photoshop CC 2023 — edited in Photoshop
- Lightroom Classic 12.0 — processed in Lightroom
- GIMP 2.10 — edited in GIMP
- The absence of a software field, or a field matching the camera manufacturer’s own processing software, suggests minimal post-processing
Other Investigatively Useful Fields
Make and Model — Camera manufacturer and model. Combined with serial number, can uniquely identify a device.
LensModel — The specific lens used. Combined with camera body, narrows device identification further.
Artist or Copyright — Some cameras and software allow users to set their name or copyright notice to be embedded in every image. When set, this field contains the photographer’s stated name.
ImageDescription — A text field that can contain anything the user or software wrote. Sometimes contains location names, subject descriptions, or other identifying text.
UserComment — Similar to ImageDescription. May contain notes added by editing software or the photographer.
GPSAltitude — Elevation above sea level at the point of capture. Useful for corroborating location claims and for geolocation analysis.
GPSSpeed and GPSTrack — Speed and direction of travel at the time of capture. Recorded by some smartphones when in motion.
FlashPixVersion, ColorSpace, PixelXDimension, PixelYDimension — Technical image parameters. Less investigatively useful directly but can contribute to device fingerprinting across multiple images.
When EXIF Data Is Present and When It Isn’t
This is the most important practical knowledge for working with EXIF in investigations. Assuming EXIF data is present when it has been stripped — or assuming it’s absent when it may be present — wastes time and misses evidence.
Platforms That Strip EXIF Data
Strip GPS and most EXIF on upload:
- Facebook / Instagram (Meta)
- Twitter / X
- WhatsApp (in most configurations)
- Snapchat
- TikTok
- Imgur
Why they strip it: User privacy protection, reduced file size, and liability reduction. The stripping typically happens server-side at upload — the platform stores the image without the original EXIF data.
Practical implication: An image downloaded from any of these platforms will have its EXIF data stripped or significantly reduced. Investigating EXIF on social media downloads is generally not productive.
Sources Where EXIF Data Is Often Preserved
Direct file sharing:
- Email attachments
- iMessage and SMS (in some configurations)
- Telegram (when shared as a file rather than as a photo)
- Direct download links from websites
- Files shared via Dropbox, Google Drive, or similar services when the original file is shared rather than a platform-processed version
Website images:
- Images embedded directly in websites (not run through a CDN that strips metadata)
- Images on personal websites and blogs
- Press releases and document uploads that haven’t been processed through a stripping service
Documents containing images:
- PDFs may contain embedded images with preserved EXIF data
- Word and PowerPoint documents may contain images with original metadata
Original files:
- Any image file received as the original capture (e.g., a RAW file, an original JPEG before upload to any platform)
- Files from devices shared directly (USB, AirDrop between devices, camera SD card)
How to Quickly Check Whether EXIF is Present
Before spending time analyzing EXIF data, confirm that the file has metadata worth analyzing:
- Run the image through Jeffrey’s EXIF Viewer or ExifTool
- Check for GPSLatitude / GPSLongitude fields
- Check for DateTimeOriginal
- If only a handful of technical fields are present and GPS and timestamp are missing, the image has likely been stripped
A stripped image typically shows only FileSize, FileType, MIMEType, ImageWidth, ImageHeight, and basic technical parameters. A metadata-rich image shows dozens of fields including GPS, timestamp, and device information.
Tools for Extracting EXIF Data
ExifTool (Command-Line, Free)
ExifTool is the gold standard for EXIF extraction — comprehensive, accurate, and capable of reading metadata from virtually every image format in existence. Written by Phil Harvey, maintained actively, and used by professional investigators, forensic analysts, and security researchers worldwide.
Installation:
- Windows: Download the Windows executable from exiftool.org — no installation required, runs as a standalone executable
- macOS: brew install exiftool via Homebrew, or download the macOS package from exiftool.org
- Linux: sudo apt install libimage-exiftool-perl (Debian/Ubuntu) or equivalent
Basic usage:
Extract all metadata from a single image:
    exiftool image.jpg
Extract only GPS data:
    exiftool -gps:all image.jpg
Extract GPS in decimal format (easier for mapping):
    exiftool -n -gpslatitude -gpslongitude image.jpg
Extract specific fields:
    exiftool -DateTimeOriginal -Make -Model -GPSLatitude -GPSLongitude image.jpg
Process all images in a folder:
    exiftool /path/to/folder/
Export all metadata to a text file:
    exiftool image.jpg > metadata.txt
Strip all metadata from an image (OPSEC use):
    exiftool -all= image.jpg
ExifTool’s advantage: It reads every metadata standard — EXIF, IPTC, XMP, and dozens of proprietary formats — and returns all fields. Browser-based tools often miss proprietary metadata fields that ExifTool catches.
Jeffrey’s EXIF Viewer (Browser-Based, Free)
Jeffrey’s EXIF Viewer at exif.regex.info/exif.cgi provides a clean, well-formatted display of EXIF data with integrated Google Maps display for GPS coordinates. No installation required.
How to use:
- Visit the URL
- Upload a local image file or paste a direct image URL
- The tool displays all EXIF fields with GPS shown on a map if coordinates are present
Best for: Quick analysis without command-line access, and for the Google Maps integration that visualizes GPS coordinates immediately.
Limitation: Web-based tools require uploading the image to a third-party server. For sensitive investigations, use ExifTool locally rather than uploading images to external services.
Metadata2Go (Browser-Based, Free)
Metadata2Go.com supports a wider range of file types beyond images — PDFs, audio files, video files, and documents — and extracts all available metadata fields.
Best for: Analyzing file types beyond images, particularly PDFs that may contain embedded image metadata or document creation metadata.
ExifTool Online Viewers (Various)
Multiple websites provide browser-based ExifTool wrappers:
All parse and display EXIF data from uploaded images. The same privacy caveat applies — for sensitive investigations, use ExifTool locally.
Google Maps / Google Earth
Not an EXIF tool, but the essential companion for GPS coordinate analysis:
Google Maps: Paste decimal GPS coordinates directly into the search bar to display the location. Click “Street View” to compare the image background to the actual location.
Google Earth Pro: Provides 3D terrain and historical imagery. Historical imagery is particularly useful — if the GPS coordinates from an old image place the subject at a location, Google Earth’s historical imagery can confirm what that location looked like at the time of capture.
The EXIF Investigation Workflow
Step 1 — Obtain the Image Legitimately
Source matters before analysis begins. The image must have been obtained through lawful means:
- Direct sharing by the subject (email, messaging)
- Public posting without authentication requirement
- Website download from publicly accessible pages
- Document attachment from publicly available filings
Step 2 — Preserve the Original File
Before doing anything else, preserve the original file in unmodified form. Copy it and work from the copy. The original — with its original metadata intact — may be needed as evidence. Any modification, including viewing in some software, can alter the DateTime field.
Best practice: Store the original with a hash value recorded:
    exiftool -FileSize -ImageSize image.jpg
    sha256sum image.jpg    (Linux/macOS)
    certutil -hashfile image.jpg SHA256    (Windows)
The hash confirms the file hasn’t been modified since it was obtained.
Step 3 — Extract All Metadata
Run ExifTool on the file and capture the full output:
    exiftool image.jpg > image_metadata.txt
Review all fields. The full output often contains investigatively relevant information in fields that aren’t visible in a quick scan — copyright notices, image descriptions, software names, and proprietary fields vary by device.
Step 4 — Extract and Map GPS Coordinates
If GPS fields are present:
Convert to decimal format if needed:
Degrees/minutes/seconds format: 37° 46' 26.4" N, 122° 25' 11.7" W
Decimal format: 37.7740, -122.4199
To convert: Decimal = degrees + (minutes/60) + (seconds/3600). Southern latitudes and western longitudes are negative.
ExifTool can output decimal directly:
    exiftool -n -gpslatitude -gpslongitude image.jpg
Map the coordinates: Paste into Google Maps search bar. Confirm what the location actually is — residential, commercial, institutional, undeveloped land.
Cross-reference the location against the image background: Open Street View at the GPS coordinates and compare to the photo background. Buildings, terrain, signage, and vegetation visible in the image should be consistent with the mapped location.
Step 5 — Verify the Timestamp
Check DateTimeOriginal — this is the most reliable timestamp, set by the camera at the moment of capture.
Check DateTime — if this differs significantly from DateTimeOriginal, the file was modified after capture. Document the discrepancy.
Time zone awareness: EXIF timestamps are typically stored in the camera’s local time, not UTC. GPS data often includes a UTC timestamp in GPSDateStamp and GPSTimeStamp fields — compare these with DateTimeOriginal to determine the local time zone at capture.
Cross-reference the timestamp with other information:
- Does the timestamp match the subject’s claimed location or activity at that time?
- Does the timestamp match the GPS location (is it plausible to be at that location at that time)?
- Does the timestamp match the lighting in the image (is it noon when the timestamp says 2am)?
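The Step 4 conversion and the Step 5 timestamp checks can be scripted together. This is an added example, not code from this guide: it goes slightly beyond the text by also accepting ExifTool's "deg" notation, and the sample record is constructed (its field values are assumptions, using the Phoenix coordinates from the worked example later in this guide).

```python
import re
from datetime import datetime

EXIF_FMT = "%Y:%m:%d %H:%M:%S"
# Accepts both 37° 46' 26.4" N and ExifTool's 37 deg 46' 26.40" N
DMS = re.compile(r"\s*(\d+)\s*(?:°|deg)\s*(\d+)'\s*(\d+(?:\.\d+)?)\"\s*([NSEW])\s*")

def dms_to_decimal(text):
    """Decimal = degrees + minutes/60 + seconds/3600; S and W are negative."""
    m = DMS.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised DMS value: {text!r}")
    deg, minutes, seconds, ref = int(m[1]), int(m[2]), float(m[3]), m[4]
    if minutes >= 60 or seconds >= 60:
        raise ValueError(f"minutes/seconds out of range: {text!r}")
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in "SW" else value

def utc_offset_hours(date_time_original, gps_date_stamp, gps_time_stamp):
    """Local capture time minus GPS UTC time, rounded to the nearest 15 minutes.

    Rounding absorbs the few seconds by which a GPS fix can lag the shutter.
    """
    local = datetime.strptime(date_time_original, EXIF_FMT)
    gps_time = gps_time_stamp.split(".")[0]          # drop fractional seconds
    utc = datetime.strptime(f"{gps_date_stamp} {gps_time}", EXIF_FMT)
    return round((local - utc).total_seconds() / 900) / 4

def review(record):
    """Summarise the location and timestamp evidence in one metadata record."""
    original = datetime.strptime(record["DateTimeOriginal"], EXIF_FMT)
    modified = datetime.strptime(record["DateTime"], EXIF_FMT)
    gap = int((modified - original).total_seconds())
    return {
        "lat": dms_to_decimal(record["GPSLatitude"]),
        "lon": dms_to_decimal(record["GPSLongitude"]),
        "utc_offset_hours": utc_offset_hours(
            record["DateTimeOriginal"], record["GPSDateStamp"], record["GPSTimeStamp"]),
        # Seconds between capture and last file modification; a large gap
        # means the file was changed after capture and should be documented.
        "modified_after_capture_s": gap,
    }

# Constructed sample record (not output from a real file).
SAMPLE = {
    "DateTimeOriginal": "2024:03:15 14:32:11",
    "DateTime": "2024:03:16 09:05:40",
    "GPSDateStamp": "2024:03:15",
    "GPSTimeStamp": "21:32:09.5",
    "GPSLatitude": "33 deg 26' 54.24\" N",
    "GPSLongitude": "112 deg 4' 26.40\" W",
}

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

A UTC offset of -7 hours in mid-March fits Arizona and does not fit New York, which is on UTC-4 at that time of year, so the offset is a second check on location that does not depend on the coordinates.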
Step 6 — Extract Device Information
Record the Make, Model, and LensModel fields. If a serial number is present (common in Canon and Nikon cameras), record it separately — it is a unique identifier.
Consistency analysis across multiple images: If you have multiple images attributed to the same subject, compare device metadata. Consistent device makes and models across images support attribution to the same person. Different devices across images claimed to be from the same source warrant explanation.
Step 7 — Pivot From Every Identifier
Every piece of extracted EXIF data becomes a new search entry point:
GPS coordinates →
- Google Maps (location type)
- County property assessor (ownership)
- Business registration search (what operates there)
- Street view comparison (visual corroboration)
- Reverse address lookup (people-search corroboration)
Timestamp →
- Cross-reference with claimed timeline
- Social media posts from the same period
- Court records from the same period
- Travel records or claimed alibis
Device make/model →
- Narrow platform account searches (iOS vs Android can indicate which platforms are primary)
- Camera serial number → manufacturer registration
- Cross-reference device across multiple images
Software →
- Identify editing tools used
- Version numbers help date the editing period
- Inconsistency between claimed original and evidence of processing
Artist/Copyright field →
- Photographer’s stated name → identity research
- Company name → business registration search
- Copyright date → timeline information
Metadata in Other File Types
EXIF is specific to images, but metadata exists in other file types investigators regularly encounter:
PDF Metadata
PDFs contain their own metadata standard. Investigatively relevant fields:
Author — the name of the document’s creator, often set to the user account name on the computer used to create it
Creator — the application used to create the original document (Word, InDesign, etc.)
Producer — the application used to convert the document to PDF
CreationDate — when the document was created
ModDate — when the document was last modified
Title, Subject, Keywords — user-entered or application-generated descriptive fields
Extract PDF metadata with ExifTool:
    exiftool document.pdf
Investigative use: A PDF’s Author field often contains the Windows username of the person who created it — sometimes a real name, sometimes a network username that can be researched. The Creator and Producer fields reveal the software environment. CreationDate and ModDate establish a timeline.
Microsoft Office Document Metadata
Word, Excel, and PowerPoint documents carry rich metadata:
Author — document creator
LastModifiedBy — last person to edit the document
CreatedDateTime — creation timestamp
ModifiedDateTime — last modification timestamp
RevisionNumber — how many times the document has been saved
TotalEditingTime — total time spent editing the document
Extract with ExifTool:
    exiftool document.docx
Investigative use: LastModifiedBy sometimes reveals a different person from the stated author — useful in document authenticity investigations. The combination of Author, LastModifiedBy, and timestamps can establish a document’s provenance and history.
Audio and Video Metadata
Audio files (MP3, WAV) carry ID3 tags including artist, album, title, date, and sometimes GPS coordinates for recordings.
Video files (MP4, MOV) carry metadata including GPS coordinates (if location services were enabled on the recording device), device information, timestamp, and duration.
Extract with ExifTool:
    exiftool video.mp4
Video EXIF is particularly useful for smartphone-recorded video — the same GPS and device fields present in photos apply.
A Complete EXIF Investigation Example
Scenario: An image is received as an email attachment, purportedly showing a subject at a business meeting in New York on March 15, 2024. The subject is claiming this alibi in a civil dispute.
Step 1 — Obtain and preserve. Save the image from the email attachment. Copy to investigation folder. Calculate SHA-256 hash and record it.
Step 2 — Extract metadata.
    exiftool alibi_photo.jpg > alibi_metadata.txt
Step 3 — Review the output. Key fields returned:
    DateTimeOriginal: 2024:03:15 14:32:11
    GPSLatitude: 33.4484
    GPSLongitude: -112.0740
    Make: Apple
    Model: iPhone 15 Pro
    Software: 17.3.1
Step 4 — Map the GPS coordinates. 33.4484, -112.0740 → Google Maps → Phoenix, Arizona. Not New York.
Step 5 — Verify the timestamp. DateTimeOriginal is March 15, 2024 at 14:32 — consistent with the claimed meeting time, but the location is Phoenix, not New York.
Step 6 — Corroborate. Street View at the GPS coordinates shows a commercial building in Phoenix. The background of the alibi photo is compared — architectural style, vegetation, and signage are consistent with Phoenix, not New York.
Step 7 — Document. The image metadata places the subject in Phoenix, Arizona at 14:32 on March 15, 2024 — contradicting the claimed New York alibi. The GPS coordinates, timestamp, and Street View comparison are all documented with screenshots and source citations.
Step 8 — Pivot. GPS coordinates → county assessor search → identifies the commercial building as the subject’s Phoenix office location, registered to their LLC. This corroborates the Phoenix location independently of the EXIF data.
Protecting Your Own EXIF Data (OPSEC Application)
During investigations, you create files — screenshots, downloaded images, photographs of physical evidence. These files carry their own EXIF data, which can reveal your location, device, and identity.
Before sharing any file created during an investigation:
Strip all metadata:
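    exiftool -all= file.jpg
For multiple files:
    exiftool -all= /path/to/folder/*.jpg
Verify the stripping worked:
    exiftool stripped_file.jpg
The output should show only basic file properties with no GPS, timestamp of original capture, or device information. By default ExifTool keeps the unmodified original next to the stripped file with _original appended to its name (file.jpg_original), so make sure only the stripped copy is shared.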
Specific OPSEC concerns:
- Screenshots taken on a device with location services enabled may embed GPS coordinates
- Screen recordings may contain device metadata
- Images captured during fieldwork contain precise GPS coordinates by default on most smartphones
- Documents created on your computer contain your Windows or macOS username in the Author field
→ For complete OPSEC guidance: OPSEC for Investigators
Common Mistakes
Assuming all images contain EXIF data. The most common mistake. Images from social media platforms are almost always stripped. Check first before investing analysis time.
Not preserving the original file. Modifying a file before recording its hash compromises the chain of custody. Preserve originals unmodified.
Using only a single EXIF tool. Different tools read different metadata standards. ExifTool is the most comprehensive, but cross-referencing with a second tool catches fields that one tool may display differently.
Confusing DateTime with DateTimeOriginal. DateTime is when the file was last modified. DateTimeOriginal is when the photo was taken. These can differ significantly if the file was edited after capture.
Taking GPS coordinates at face value without Street View corroboration. GPS data can be spoofed or manipulated. Cross-reference with the visual content of the image — if the GPS says Phoenix but the background shows snow-covered mountains, the data warrants scrutiny.
Ignoring non-GPS metadata fields. The timestamp, device, software, and copyright fields are all investigatively useful even when GPS data is absent.
Uploading sensitive investigation images to online EXIF tools. Online tools require uploading the image to a third-party server. For sensitive investigations, use ExifTool locally.
Frequently Asked Questions
Can EXIF data be faked? Yes — EXIF fields can be modified using ExifTool or other software. GPS coordinates, timestamps, and device information can all be altered. This is why EXIF data should be treated as a lead requiring corroboration rather than as conclusive evidence on its own. Corroboration through Street View comparison, independent records, and consistency analysis is essential.
What happens to EXIF data when a photo is shared on WhatsApp? WhatsApp strips EXIF data from photos shared as photos. However, when files are shared as “documents” rather than photos in WhatsApp, the original file with EXIF intact may be preserved. The behavior varies by platform version and sharing method.
Can I extract EXIF from a screenshot? Screenshots typically contain minimal metadata — the device that took the screenshot, the timestamp of the screenshot, and basic file information. They do not contain GPS coordinates from the content being screenshotted, nor the original capture metadata of any image shown in the screenshot.
Does EXIF data survive printing and rescanning? No. Printing a photo destroys the digital file’s EXIF data. Scanning the printed photo creates a new file with the scanner’s metadata — it does not recover the original EXIF data.
Are RAW files different from JPEGs for EXIF purposes? RAW files typically contain more metadata than JPEGs — camera manufacturers embed additional proprietary metadata fields in RAW files. ExifTool reads most RAW formats and extracts all available metadata.
Is EXIF data admissible as evidence? In many jurisdictions, digital metadata has been accepted as evidence in civil and criminal proceedings. The admissibility depends on chain of custody — demonstrating the file was not modified after acquisition — authentication of the extraction method, and the expert qualifications of whoever interprets it. Consult a legal professional for evidence admissibility questions specific to your jurisdiction.
Final Thoughts
EXIF metadata is the hidden layer of every digital image — a structured record of where, when, and how it was created, embedded invisibly in the file and accessible to anyone with the right tool.
For investigators, it represents a category of evidence that subjects rarely consider. Most people are entirely unaware that the photos they share contain precise GPS coordinates, device identifiers, and timestamps. A single image can confirm a location, establish a timeline, identify a device, and open investigative pathways that no amount of keyword searching would have revealed.
The discipline is in the approach: preserve the original, extract comprehensively, cross-reference every identifier, treat EXIF data as a lead requiring corroboration rather than as proof, and pivot from every piece of extracted information into the broader investigation.
EXIF data doesn’t lie — but it can be altered. Corroborate everything.
Where to Go Next
For the pivot techniques EXIF identifiers feed into: OSINT Pivoting: How to Follow Data Connections Across Systems
For protecting your own EXIF data during investigations: OPSEC for Investigators: How to Stay Anonymous While Researching
For the complete investigation process: OSINT Workflow: The 8-Phase Investigation Framework
For documenting EXIF-based findings: How to Build an OSINT Report
Disclaimer: This article is for informational purposes only and does not constitute legal advice. EXIF metadata extraction from lawfully obtained images is legal. Obtaining images through unauthorized means to extract metadata may violate applicable law. Evidence admissibility varies by jurisdiction — consult a legal professional for evidence-related questions.