Potentially a great deal. A photo straight from a camera or phone can carry the make and model of the device, the lens and exposure settings, the exact date and time of capture, the software that last saved it, and, if location services were switched on, the GPS coordinates of where the photographer stood. EXIF is the richest and fastest read in image forensics. The catch is that it only reveals any of this if it survived the trip to you, and none of it is trustworthy on its own.
What is EXIF, and what does it record?
EXIF (Exchangeable Image File Format) is a block of tags that a camera or phone writes into a photo at the moment of capture, defined by a published industry standard, the CIPA DC-008 Exif specification. The standard sets out what a compliant device records: make and model, lens and exposure settings, the date and time, GPS coordinates when location was enabled, and a proprietary block called the MakerNote where manufacturers keep device-specific details. The MakerNote in particular can be surprisingly detailed, holding serial numbers, shutter counts, lens identifiers and focus data that the core standard never specifies, which is why two files from the same model often carry recognisably similar MakerNote structures. A metadata viewer reads the whole block in seconds, which is why it is almost always the first thing an investigator looks at.
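As an added example (not code from this page or from the Exif specification), this Python sketch reads the ASCII tags of a TIFF-structured Exif block the way a metadata viewer does, following the pointer from the first directory into the Exif sub-directory. The sample block, its ExampleCam values and the `build_block` helper are constructed for the demonstration.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
        0x9003: "DateTimeOriginal"}
EXIF_IFD = 0x8769  # IFD0 entry whose value is the offset of the Exif sub-IFD

def read_ifd(tiff, offset, e, out, seen):
    if offset in seen:                      # guard against looping pointers
        return out
    seen.add(offset)
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(count):
        pos = offset + 2 + 12 * i           # each directory entry is 12 bytes
        tag, typ, n, val = struct.unpack_from(e + "HHII", tiff, pos)
        if tag == EXIF_IFD:
            read_ifd(tiff, val, e, out, seen)
        elif tag in TAGS and typ == 2:      # type 2 = NUL-terminated ASCII
            start = pos + 8 if n <= 4 else val   # values of <= 4 bytes sit inline
            raw = tiff[start:start + n]
            out[TAGS[tag]] = raw.split(b"\0")[0].decode("ascii", "replace")
    return out

def parse_exif(tiff):
    """Parse the TIFF-structured bytes of an Exif block; truncated input raises."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte-order mark
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/Exif block")
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    return read_ifd(tiff, ifd0, e, {}, set())

def build_block(ifd0_items, exif_items):
    """Constructed little-endian block; ASCII values longer than 4 bytes only."""
    def ifd(items, base, pointers=()):
        n = len(items) + len(pointers)
        data_at = base + 2 + 12 * n + 4     # value area follows the entry table
        table, data = struct.pack("<H", n), b""
        for tag, text in items:
            value = text.encode("ascii") + b"\0"
            table += struct.pack("<HHII", tag, 2, len(value), data_at + len(data))
            data += value
        for tag, target in pointers:
            table += struct.pack("<HHII", tag, 4, 1, target)
        return table + struct.pack("<I", 0) + data
    exif_at = 8 + len(ifd(ifd0_items, 8, [(EXIF_IFD, 0)]))
    return (b"II*\0" + struct.pack("<I", 8)
            + ifd(ifd0_items, 8, [(EXIF_IFD, exif_at)]) + ifd(exif_items, exif_at))

SAMPLE = build_block([(0x010F, "ExampleCam"), (0x0110, "EX-1000"),
                      (0x0131, "Firmware 1.0")], [(0x9003, "2024:06:01 14:00:00")])
```

`parse_exif(SAMPLE)` returns the four tags as a dictionary. Nothing in the structure is checksummed or signed, so the parser reports whatever bytes the block contains.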
What does each field tell an investigator?
Each tag answers a different question, and read together they sketch a surprisingly complete account of a photo’s origin.
| EXIF field | What it can reveal |
|---|---|
| Make and Model | the camera or phone that wrote the file |
| DateTimeOriginal | when the shutter fired |
| GPS | where the photo was taken, if location was on |
| Software | whether the file has passed through an editor |
| Lens and exposure | focal length, aperture, ISO and shutter, and whether the capture is plausible |
| MakerNote | proprietary device data, model-specific and hard to fake in full |
The power is in the combination. A timestamp and GPS together place a device at a time and a location; the make, model and MakerNote corroborate which device it was; the Software field shows whether the file has been through an editor since capture. None of these fields requires special access to read, because the whole point of the standard is that any compliant viewer can surface them, which is what makes metadata the cheapest evidence in the discipline and the first an analyst reaches for.
Two fields tend to do the heaviest lifting. The timestamp in DateTimeOriginal is set when the shutter fires, so it can anchor a photo to a moment, and it can be checked against the file’s own modification date for consistency. The GPS block, present whenever location services were on, can pin the capture to within a few metres, which is often the single most revealing thing a casual photographer leaves behind. The lens and exposure values are quieter but useful: an aperture, shutter speed and ISO that make no physical sense for the scene are a sign the file is not quite what it claims to be.
Is metadata a forensic signal in its own right?
Yes, and researchers treat it as more than a convenience. Fan, Chen and Kot (2017) built a tamper-detection method around the white-balance mode recorded in the EXIF header, using the metadata itself as the forensic signal. More recently, Yang, Zhou, Baracchi and colleagues (Journal of Imaging, 2026) read the entire EXIF block as a structured pattern for source-camera identification, an approach that catches forgeries which change the obvious Make field but leave the related fields inconsistent with it. That cross-referencing is the core of careful metadata analysis: an investigator does not just read the fields, they check that the fields agree, that the timestamp suits the location, that the Software tag matches the file’s history, and that the MakerNote belongs to the camera the Make field names.
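The cross-checks described here and in the earlier paragraph on timestamps and exposure, written out as an added Python example that is not taken from the cited papers or from this page. The tag dictionary layout, the merged `GPSDateTimeUTC` and `ISO` keys, the thresholds, the editor-name list and the two MakerNote prefixes are assumptions chosen for illustration.

```python
import math
from datetime import datetime, timedelta

EDITOR_HINTS = ("photoshop", "lightroom", "gimp")  # illustrative subset
MAKERNOTE_PREFIX = {"nikon": b"Nikon\x00", "apple": b"Apple iOS\x00"}  # subset

def _dt(text):
    return datetime.strptime(text, "%Y:%m:%d %H:%M:%S")  # Exif date layout

def check_consistency(tags, file_mtime, scene_ev=None):
    """Return findings; an empty list means no conflict found, not 'authentic'."""
    out = []
    taken = _dt(tags["DateTimeOriginal"]) if "DateTimeOriginal" in tags else None
    if any(h in tags.get("Software", "").lower() for h in EDITOR_HINTS):
        out.append("software: names an image editor")
    # Exif local time has no zone, so allow a day of slack against the file date.
    if taken and taken - file_mtime > timedelta(days=1):
        out.append("time: capture is later than the file modification date")
    if taken and "GPSDateTimeUTC" in tags and "GPSLongitude" in tags:
        local_offset = (taken - _dt(tags["GPSDateTimeUTC"])).total_seconds() / 3600
        # Solar time shifts one hour per 15 degrees; civil zones stray a few hours.
        if abs(local_offset - tags["GPSLongitude"] / 15) > 4:
            out.append("gps: local time does not suit the longitude")
    prefix = MAKERNOTE_PREFIX.get(tags.get("Make", "").split(" ")[0].lower())
    if prefix and "MakerNote" in tags and not tags["MakerNote"].startswith(prefix):
        out.append("makernote: header does not belong to the Make named")
    if scene_ev and {"FNumber", "ExposureTime", "ISO"} <= tags.keys():
        ev100 = math.log2(tags["FNumber"] ** 2 / tags["ExposureTime"] * 100 / tags["ISO"])
        if not scene_ev[0] <= ev100 <= scene_ev[1]:
            out.append(f"exposure: EV100 {ev100:.1f} outside {scene_ev}")
    return out

# Constructed samples (not from real files). DAYLIGHT is an assumed EV100 range.
DAYLIGHT = (12, 16)
CLEAN = {"Make": "NIKON CORPORATION", "Software": "Ver.1.00",
         "DateTimeOriginal": "2024:06:01 14:00:00",
         "GPSDateTimeUTC": "2024:06:01 12:00:00", "GPSLongitude": 13.4,
         "MakerNote": b"Nikon\x00constructed", "FNumber": 8.0,
         "ExposureTime": 1 / 500, "ISO": 100}
EDITED = dict(CLEAN, Make="Apple", Software="Adobe Photoshop",
              GPSLongitude=139.7, FNumber=1.8, ExposureTime=1 / 15, ISO=3200)

if __name__ == "__main__":
    print(check_consistency(CLEAN, datetime(2024, 6, 1, 14, 0, 5), DAYLIGHT))
    for finding in check_consistency(EDITED, datetime(2024, 5, 1), DAYLIGHT):
        print(finding)
```

Each finding is a prompt for further checking, since a disagreement between fields can also come from a misconfigured camera clock or a legitimate edit.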
Can you trust what it says?
Not on its own. Ordinary EXIF carries no cryptographic signature, so every field in it can be rewritten, deleted or invented. Free command-line tools such as ExifTool can rewrite or strip every tag in a single command, and most social platforms strip metadata on upload, which is why so many shared images reach you carrying none at all. The weakness was named at the birth of sensor forensics, when Lukáš, Fridrich and Goljan (2006) set the EXIF header aside precisely because of “the credibility of information that can be easily replaced.” Because it is this easy to change, a photo that arrives with no metadata is uninformative rather than suspicious, and a field that says exactly what you were hoping to see still needs corroboration. The full account of forged and stripped metadata, and how to spot it, is in “Can EXIF data be faked?”.
So what is surviving metadata actually worth?
It is the best lead in the toolkit and the weakest proof. In the Forensics Media team’s review of the major image-forensics toolkits, metadata was the single most widely bundled signal, present in around three-quarters of them, more than any pixel-level method, precisely because it is so quick and rich to read. Its value, though, is as a starting point that other evidence has to confirm. Surviving EXIF can tell you which camera, when and where in seconds, and most casual fakes never think to clean it up, so it catches a great many of them. What it cannot do is settle a question by itself, because every byte of it could have been typed by hand. Read it first and believe it last, then check the device claim against the harder signals in “How to tell what camera took a photo”.
Sources
- CIPA (2023). Exchangeable image file format for digital still cameras: Exif Version 3.0. Standard CIPA DC-008-2023.
- Fan, Chen, Kot (2017). EXIF-white balance recognition for image forensic analysis. Multidimensional Systems and Signal Processing. DOI: 10.1007/s11045-015-0377-9
- Yang, Zhou, Baracchi, Shullani, Zou, Piva (2026). Forensic Analysis for Source Camera Identification from EXIF Metadata. Journal of Imaging 12(3):110. DOI: 10.3390/jimaging12030110
- Lukáš, Fridrich, Goljan (2006). Digital Camera Identification from Sensor Pattern Noise. IEEE Transactions on Information Forensics and Security 1(2):205-214. DOI: 10.1109/TIFS.2006.873602