05.Image Analysis Exiftool Linux
Lesson Objective
Learn how to extract and analyze metadata from digital images using tools such as:
- exiftool
- exif

To understand:
- When and where the image was taken
- Type of device used
- Camera settings
- Whether the image was modified
- And other valuable information in digital forensics investigations.
What is EXIF?
EXIF = Exchangeable Image File Format
It's a standard format for storing metadata within image files (especially JPG, JPEG, TIFF).
| Type | Example |
|---|---|
| Camera used | iPhone 13, Canon EOS |
| Capture time | 2025:07:20 18:35:11 |
| Camera settings | ISO, Shutter Speed, Aperture |
| Geolocation | GPS coordinates |
| Software used | Photoshop, Camera App |
Practical Example for Image Analysis
exiftool image.jpg
Sample Output:
File Name : image.jpg
Make : Apple
Model : iPhone 13
Date/Time Original : 2025:07:20 18:35:11
GPS Latitude : 30 deg 2' 40.20" N
GPS Longitude : 31 deg 14' 8.40" E
Software : Adobe Photoshop 25.0
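As an added example (not part of the original lesson), this Python sketch parses the default text output shown above, converts the GPS values to decimal degrees, and flags the two modification indicators the lesson mentions: a Modify Date later than the capture time, and editing software in the Software tag. The Modify Date value in the sample, the EDITORS list, and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: tags from the output above; the Modify Date value is assumed.
SAMPLE = """\
Model                           : iPhone 13
Date/Time Original              : 2025:07:20 18:35:11
Modify Date                     : 2025:07:22 10:02:45
GPS Latitude                    : 30 deg 2' 40.20" N
GPS Longitude                   : 31 deg 14' 8.40" E
Software                        : Adobe Photoshop 25.0
"""
EDITORS = ("photoshop", "gimp", "lightroom")  # illustrative list, not exhaustive
DMS = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")
FMT = "%Y:%m:%d %H:%M:%S"  # EXIF timestamp layout (carries no time zone)

def parse_exiftool(text):
    """Turn 'Tag : Value' lines into a dict, splitting on the first ' : ' only."""
    pairs = (line.partition(" : ") for line in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def dms_to_decimal(value):
    """Convert exiftool's default degrees/minutes/seconds text to signed decimal."""
    m = DMS.fullmatch(value)
    if not m:
        raise ValueError(f"unrecognised GPS value: {value!r}")
    deg, minutes, sec, ref = m.groups()
    sign = -1 if ref in "SW" else 1  # south and west are negative
    return round(sign * (int(deg) + int(minutes) / 60 + float(sec) / 3600), 6)

def review(tags):
    """Return human-readable findings about modification and location."""
    findings = []
    taken, modified = tags.get("Date/Time Original"), tags.get("Modify Date")
    if taken and modified and modified > taken:  # fixed-width format sorts as text
        delta = datetime.strptime(modified, FMT) - datetime.strptime(taken, FMT)
        findings.append(f"modified {delta} after capture")
    software = tags.get("Software", "")
    if any(name in software.lower() for name in EDITORS):
        findings.append(f"editing software recorded: {software}")
    if "GPS Latitude" in tags and "GPS Longitude" in tags:
        lat, lon = (dms_to_decimal(tags[k]) for k in ("GPS Latitude", "GPS Longitude"))
        findings.append(f"GPS position: {lat}, {lon}")
    else:
        findings.append("no GPS tags (stripped or never recorded)")
    return findings

if __name__ == "__main__":
    print("\n".join(review(parse_exiftool(SAMPLE))))
```

Running exiftool with the -n option prints GPS coordinates as signed decimals directly, so the conversion is only needed for the default output format.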
Importance of Image Analysis in Digital Forensics
- An image may seem ordinary, but hidden EXIF data can reveal:
  - When and where it was taken
  - Type of phone or camera
  - If it was modified
  - If GPS location is embedded

In some cases, metadata was a crucial piece of evidence to confirm or deny a suspect's involvement.
Tools Used
| Tool | Function |
|---|---|
| stat | Displays file system metadata (creation/modification/access) |
| exif | Shows basic EXIF data only |
| exiftool | The most powerful tool for detailed EXIF, IPTC, and XMP analysis |
Installing the Tools
sudo apt update
sudo apt install exif exiftool
Navigate to the Target Image
cd ~/Desktop/DigitalForensics
Run exiftool on the Image
exiftool trip_photo.jpg
Key Output from exiftool:
| Metadata Type | Example | Description |
|---|---|---|
| Date/Time Original | 2024:06:30 09:00:00 | Time the photo was taken |
| Modify Date | 2024:07:02 15:45:30 | Last time the file was modified |
| Make / Model | Samsung / Galaxy S22 Ultra | Type of phone or camera |
| Software | G998BXXU9EWF3 | Software or OS used |
| Orientation | Rotate 90 CW | Image orientation while capturing |
| GPS Latitude/Longitude | 34.0211, -6.8343 | GPS location at capture |
| ISO / Exposure Time | ISO 100 / 1/125 sec | Technical camera settings |
Comparison: stat vs exiftool
| Tool | Data Extracted | Typical Usage |
|---|---|---|
| stat | File system data (Access, Modify) | Identify date of access/transfer/editing |
| exiftool | Original image capture metadata (EXIF) | Understand time, location, device used |
Important Security Notes
- Apps like WhatsApp and Facebook automatically strip EXIF data from uploaded images.
- Criminals may delete metadata before sharing images.
- Some editing software (like Photoshop) may retain or alter EXIF data.
Using GPS Metadata
- Identify the exact geographic location of the image
- Link the image to:
  - Crime scene location
  - Suspect's movement history
  - Nearby surveillance cameras

If GPS data is missing, tools like Google Images or TinEye can be used for visual location identification.
Applied Case Study
Image: trip_photo.jpg
EXIF Analysis:
- Capture date: June 30, 2024, 09:00 AM
- Device: Samsung Galaxy S22 Ultra
- Location: Casablanca, Morocco (via GPS)
- Modification: No signs of editing

Conclusion:
- The image was captured with a specific device at a specific time and place.
- The device matches what was found with the suspect.
- Thus, the image serves as authenticated digital evidence.
Quick Summary
| Aspect | Tool | Practical Value |
|---|---|---|
| File timestamps | stat | Creation and modification dates on the system |
| Capture time & location | exiftool | Original image metadata |
| Geolocation | EXIF or Reverse Image Search | Determine the place |
| Device type | Make / Model | Match with suspect's device |
| Contextual analysis | Comprehensive analysis | Combine digital, temporal, and spatial evidence |