Digital Evidence EXIF Data
EXIF (Exchangeable Image File) data is another layer of metadata. As you may recall from our article on metadata, it serves as a library card of sorts, that categorizes specific data about a piece of digital evidence we are working with, that help in authentication and identification of its origin. EXIF data is another layer beyond that metadata, and it’s specific to photographs and video footage. It provides an additional level of detail, that helps confirm certain aspects of the digital evidence we are recovering and analyzing, however, like anything else that is human-made, it’s susceptible to manipulation. In this article, we explain the good and the bad about EXIF, and how you can use it to improve your operation.
What Does EXIF Contain?
EXIF data in digital cameras, and camera applications (think cell phones), include the camera model, serial number, exposure setting, date and time of the picture, GPS coordinates and ID, latitude and longitude, altitude, GPS timestamp, image description, what software supports the application, and the author. In video cameras, some of this data translates, and there are additional categories of data captured such as, aperture, exposure, light sensitivity, white balance, and if a “scene mode” was used and what that mode is labeled.
There are some portions of EXIF data that can be manipulated by the user, so they can’t be viewed as reliable on their own merits, that being the image description, date and time, author, and in some cases the GPS timestamp can be changed through the settings long before photographs are produced, which leads to skewed data results upon initial examination. There also savvy users who know how to remove EXIF data prior to disseminating photographs or video, so when you analyze the file, you come up with a lot of blanks. Further, there are some models of devices out there that require a full configuration by the user prior to deployment, and if that user doesn’t take those steps, the device can still be used for photographic purposes, but the fields of data draws blanks.
Much of these considerations are changing with time, and the need for a full configuration ahead of using a device is becoming a rarity, and blanket removal of metadata is being reduced as a function, because there have been issues with copyright infringement on the part of photographers raised that drawback to this issue, and consequently, liability sometimes falls to the device manufacturer indirectly. Any business is going to take that concern seriously, and find ways to reduce its exposure to lawsuits where the idea that they support intellectual property thieves becomes a statement. But, that doesn’t mean that workarounds won’t be tried, tested, and eventually adopted. This leads to our business in data, which is to make sure that as we analyze this data, that we keep cognizant of trends, and what types of signatures we should be looking for that might suggest those trends are in play. This is a great way to ensure your digital evidence hasn’t been manipulated, so that the data you glean from it can be connected to a crime or suspect.
What Does This Data Tell Us?
The types of data contained in EXIF can be quite helpful in pinpointing where the evidence came from. The GPS features we mentioned, collectively are referred to as “geo-tag data” and in recent years there was large scale scare that some people with nefarious intentions used geo-tag data to stalk unsuspecting social media users. In fact, there were several well publicized instances of violence that were attributed to the use of this data. Many services that have been created since that time, like Instagram and Pinterest, try to remove that data, and prevents downloading of the images users post. However, some of this data can still be recovered when inspecting the elements of the web page the images are presented on. And this is where it can become of interest for law enforcement. With a third-party service such as those mentioned previously, when they scan images sent to them for upload, they preserve the geo-tag data. For one, you could submit subpoena if needed, and recover all associated data with an image. However, while that may be necessary for the formality of the case, you could very well inspect the web page data, find the location of where a particular photo was taken, and see if that location can be used to rule exonerate a suspect, or if it confirms their involvement.
When it comes to recovering devices, we don’t have a webpage to inspect. But we do have the device, and learning it’s functionality can help us piece together what the data is telling us. Say for example that you’ve recovered a digital camera from a modelling agency photographer that you believe has photographs that could prove their location during a crime. In analyzing the evidence, you can see that the photographs have GPS data that doesn’t align with where the crime occurred. However, the locations contained in the photographs seem to match the area of the crime. At this point, analysis of the device is necessary, to confirm if there has been manipulation of the device’s GPS function. And there probably is. But while this doesn’t describe our best scenario with geo-tagged data, it certainly shows how clean cut the analysis of said data is, and how it’s very useful in developing theories of criminal behavior, but also presents elements of premeditation we didn’t consider in the past.
In a digital data-heavy investigation, such as child pornography, you may be recovering tens of thousands of images, and in these situations, manipulation of data ahead of time tends to be forgotten, and that’s helpfully for investigators, as each photo can provide EXIF data that locates where it was taken, which can lead to identifying victims to include runaway or missing juveniles, and that’s a huge win for all of us.
You may also find in examining EXIF data that some photos have an owner tag attached. And this can be useful too, in that it identifies an owner of the photograph or the camera. Be cautious with this information, as it may be that the device was stolen, and thus you have an additional charge involved. This is another example of how EXIF data makes evidence and how it applies to a case clear cut.
It’s important to note that attempting to review this data on scene is not a good practice to develop. Always recover the device(s) first, then review them and their respective data in a controlled environment. Advanced digital evidence management systems have the ability to pull EXIF data from files automatically and store it in your digital evidence management system. This data is now organized, categorized, and searchable. Check if your digital evidence management system has the ability to import EXIF data automatically and how you can use it in your own investigations.
EXIF data acts as a second layer of data in digital evidence that we can use to obtain exacting information concerning a crime, and also can serve as a way to eliminate suspects. While it can be manipulated, those manipulations can be discovered just as easily as untouched data, and that can help us prove our cases even better. Especially if you serve in an investigative function, you must become aware of EXIF data and how it can help you.
Be safe out there!