Written by Edward L. Labarge   


Investigators in all forms of law enforcement—whether local, state, or federal—routinely come across digital photographs while executing search warrants or permissive searches. These digital images may have been identified on a cellular telephone, computer, digital camera, or other form of digital media. It is common practice to look and sort through the seized images for ones that may be pertinent to the investigation at hand. A majority of the time, this process will be done back at the station. Digital images that don’t have evidentiary value are discarded… But wait: don’t forget the old saying, “A picture is worth a thousand words.” Just because a digital image doesn’t depict the photographic evidence you were looking for doesn’t mean it lacks value. Digital pictures often contain metadata also known as Exchangeable Image File Format (EXIF).

EXIF data can provide a treasure trove of information to investigators, including:

  • Camera model
  • Camera serial number
  • Exposure setting
  • Date and time picture was taken
  • GPS coordinates
  • GPS version ID
  • Latitude and longitude
  • Altitude
  • GPS timestamp
  • Image description
  • Software
  • Author

Examining EXIF information found in the digital images seized during the course of an investigation may provide that smoking gun you were looking for. For example, thousands of digital images may be seized during the investigation of a child pornography case. While examining the EXIF information, you would find metadata that includes the camera make and model—and even the serial number used to produce the child pornography. If the person of interest in this example gave law enforcement consent to search his residence, this might result in the discovery of a camera that matches the serial number found in the EXIF data. In this scenario, it would be extremely difficult—if not impossible—for the suspect to refute that type of information.

Here’s another example: The EXIF data from child-pornography images might reveal the GPS coordinates of the images’ origins. Not all digital photographs contain GPS coordinates; GPS coordinates are typically found with pictures taken from cellular telephones, but an increasing number of digital cameras are now GPS enabled, as well.

It is important to remember that EXIF is digital information that can easily be corrupted; therefore, do not try to analyze it in the field and only work with EXIF data in a certified computer crime lab. Forensic examiners should adhere to the same level of precautions they do with any other piece of digital evidence.

Common forensic tools such as Forensic Toolkit from AccessData, EnCase from Guidance Software, and ILook from Perlustro will be able to examine EXIF data. However, if for some reason your department or crime lab is looking for free, open-source alternatives, there is a program by the name of exiftool that easily extracts EXIF data. Exiftool can be found at http://search.cpan.org/dist/Image-ExifTool

Remember, catching a criminal in the digital age requires investigators to step out of the box and to think of creative and effective ways to use technology to their benefit. No matter how smart a criminal is, there is always a clue, we just have to find it. Examining EXIF data is a simple and valuable trick for law enforcement to pursue in concert with other traditional forms of investigative endeavors.

About the Author
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it served as the District Chief of the United States Marine Corps Criminal Investigation Division, Marine Corps Air Station in the Beaufort, South Carolina office, from 2008-2010. In early 2010, Edward transitioned to the Naval Criminal Investigative Service (NCIS) as a special agent working felony-level crimes.

< Prev

Product News

Six interchangeable LED lamps

highlight the features of the OPTIMAX Multi-Lite Forensic Inspection Kit from Spectronics Corporation. This portable kit is designed for crime-scene investigation, gathering evidence, and work in the forensic laboratory. The LEDs provide six single-wavelength light sources, each useful for specific applications, from bodily fluids to fingerprints. The wavelengths are: UV-A (365 nm), blue (450 nm), green (525 nm), amber (590 nm), red (630 nm), and white light (400-700 nm). The cordless flashlight weighs only 15 oz. To learn more, go to: www.spectroline.com