Digital Threat Assessment Toolkit
Digital Evidence

8.2 Metadata

Photos often contain technical data called metadata. The amount of metadata embedded within a photo depends on a few variables, including the device or camera used to capture the image, and whether geo-locational services are turned on for that device. Professional photographers are interested in a variety of metadata such as ISO values, shutter speed, aperture, focal length, etc. For the purposes of digital threat assessment, time, date, and location data can be extremely useful.

The following details about metadata are important to remember:

  • Metadata is stripped from photos posted to social media (Instagram, Twitter, Facebook, etc.) for privacy reasons.
  • A photo must be in its raw, original, full-size format and not compressed in order to retain its metadata.
  • A screenshot is a copy and does not contain the metadata of the original image.
  • Metadata is retained within a photo when it is texted, emailed, or airdropped.
  • The settings in both Apple and Android devices allow the user to adjust the level of metadata that will be stored with each photo taken.

The most metadata is available when the photo was taken with a smartphone that had geo-locational services turned on. In that case, the following data can be viewed and can be helpful for investigations:

  • Date and time (down to the second) the image was captured.
  • Device that the image was captured on (e.g., iPhone, Samsung Galaxy, Google Pixel).
  • Altitude in relation to sea level of where the device was when the image was captured.
  • GPS locational coordinates (latitude and longitude) of the device when the image was captured.
  • Approximate speed in kilometers per hour that the device was traveling at the time the image was captured.

Real-Life Case Examples Illustrating the Use of Metadata

  1. A student airdrops a concerning photo of a handgun with a threatening message during an assembly to anyone within range with AirDrop turned on (Bluetooth and Wi-Fi must also be enabled). AirDrop retains image metadata because it is the original photo that is being sent, rather than a screenshot of the photo. When the principal obtained the image that was shared with students and then viewed the metadata, the principal was able to determine what device it was taken on, what time the photo was taken, and where the photo was taken. He found that the photo was taken by an iPhone 8 at 7:30 a.m. that morning with a geolocational pinpoint to a residence within the community. Using Google Maps, the principal was able to obtain an approximate address of this residence and cross-reference it through a search in the student database.
  2. A threatening text message with a picture of a weapon was sent to the vice principal at a school, with the message: “I’m on my way to kill you.” The metadata below the photo revealed the exact location where the photo had been taken the night before: specifically, which residence in the same community as the school. This information was given to the police, and they were able to arrest the threat maker within minutes of the original text being received.

Viewing Photo Metadata

Metadata is embedded within the photo itself and it can be viewed in a variety of ways.

Perhaps the most detailed display of metadata is from a website called “Jeffrey’s Image Metadata Viewer”. Here is an example of how much metadata can be viewed below the surface with Jeffrey’s Image Metadata Viewer.

Original Photo

Metadata below the surface as seen through the website, Jeffrey’s Image Metadata Viewer

Clicking on the hyperlink depicted above: “Map via embedded coordinates at Google” will bring up a map of where this photo was taken.

To use Jeffrey’s Image Metadata Viewer, visit http://exif.regex.info/exif.cgi. Select your file, click “I am not a Robot”, then click “View Image Data”.
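The coordinates behind that map link can also be read locally, without uploading the photo. The following is an added example, not part of the original toolkit: it parses the GPS directory of a TIFF-structured EXIF block (in a JPEG, the payload of the APP1 segment after the `Exif\0\0` marker) and converts the stored degrees, minutes and seconds to signed decimal degrees. The function names are hypothetical and the sample block is constructed.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS directory
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # tag numbers inside the GPS directory

def read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value field)} for one directory."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    fields = (struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i) for i in range(n))
    return {tag: (typ, count, raw) for tag, typ, count, raw in fields}

def dms_to_decimal(tiff, entry, e):
    """Convert three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("coordinate is not stored as three RATIONAL values")
    (offset,) = struct.unpack(e + "I", raw)
    v = struct.unpack_from(e + "6I", tiff, offset)
    if 0 in v[1::2]:
        raise ValueError("zero denominator in coordinate")
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def gps_from_exif(tiff):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS data is stored."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order marker
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF-structured EXIF block")
    ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if GPS_IFD_POINTER not in ifd0:
        return None  # e.g. a screenshot, or location services were off
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0], e)
    if not {LAT_REF, LAT, LON_REF, LON} <= gps.keys():
        return None
    # The reference letters carry the sign: south and west are negative.
    lat = dms_to_decimal(tiff, gps[LAT], e) * (-1 if gps[LAT_REF][2][:1] == b"S" else 1)
    lon = dms_to_decimal(tiff, gps[LON], e) * (-1 if gps[LON_REF][2][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def build_sample(with_gps=True):
    """Constructed little-endian EXIF block: 49 deg 15' 0" N, 123 deg 6' 30" W."""
    u32 = lambda n: struct.pack("<I", n)
    entry = lambda tag, typ, count, raw: struct.pack("<HHI4s", tag, typ, count, raw)
    header = b"II" + struct.pack("<HI", 42, 8)
    if not with_gps:
        return header + struct.pack("<H", 0) + u32(0)
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, u32(26)) + u32(0)
    gps = (struct.pack("<H", 4) + entry(LAT_REF, 2, 2, b"N\0\0\0") + entry(LAT, 5, 3, u32(80))
           + entry(LON_REF, 2, 2, b"W\0\0\0") + entry(LON, 5, 3, u32(104)) + u32(0))
    rationals = struct.pack("<6I", 49, 1, 15, 1, 0, 1) + struct.pack("<6I", 123, 1, 6, 1, 30, 1)
    return header + ifd0 + gps + rationals
```

`gps_from_exif(build_sample())` returns the pair a map service accepts as `latitude,longitude`; a block with no GPS directory returns `None`.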