EXIF and Container Metadata Forensics

A standard smartphone JPEG contains three metadata systems: EXIF in the APP1 marker segment, XMP in a second APP1 or APP13 segment, and sometimes IPTC in an APP13 Photoshop IRB block. Each was designed by a different organisation for a different purpose, and none was designed with forensic use in mind. The result is that a single file may carry three timestamps for the same moment, and they need not agree.

When an examiner opens a file, the first step is to dump all metadata layers together, not just EXIF. Tools such as ExifTool (Phil Harvey) can output all recognised tags from every layer in a single pass. The second step is to look for internal contradictions before drawing any conclusions about external consistency.

EXIF contains over 200 defined tags. For forensic purposes, roughly a dozen carry the most evidentiary weight.

Timestamps: EXIF defines three date-time fields. DateTimeOriginal is the moment the shutter opened, as reported by the camera's internal clock. DateTimeDigitized is the moment the image was converted to digital form (identical to DateTimeOriginal for in-camera capture; differs for scanned film). DateTime is the last modification time and is updated by some software on save. Cameras do not embed UTC offset information in standard EXIF; the OffsetTimeOriginal and OffsetTime tags were added later and are absent from older devices. This creates a timezone ambiguity: a timestamp reading 14:32:07 may be local time in any timezone.

Device identity: The Make and Model tags contain the manufacturer and model name as a string, exactly as configured in the camera firmware. The Software tag records the firmware version for in-camera JPEGs or the application name and version for processed files. A file claiming to come from a Canon EOS R5 that shows Software: Adobe Photoshop 25.0 has been resaved by Photoshop; this is not tampering in itself, but it means the original camera file was not preserved. The CameraSerialNumber tag, when present, links the file to a specific physical unit.

GPS data: The GPS IFD sub-block records latitude, longitude, altitude, speed, direction, and the GPS timestamp (in UTC, unlike the main EXIF timestamps). GPS accuracy depends on the device's fix quality at capture; typical smartphone GPS accuracy is 3 to 5 metres under open sky and significantly worse indoors or in urban canyons. The GPSProcessingMethod tag records whether the position came from GPS hardware, a cell-tower fix, or a Wi-Fi fix, each of which has a different accuracy profile.

No editing tool preserves all metadata unchanged. Every resave, crop, format conversion, or platform upload modifies something. The forensic question is not whether metadata was changed, but whether the changes are consistent with the stated history of the file.

Adobe Photoshop adds an XMP history block (xmpMM:History) that records each save operation with the application version, the date, and a unique instance ID. It also updates the EXIF DateTime field and typically retains DateTimeOriginal unchanged. The MakerNote block is usually preserved in size but is sometimes relocated and its internal offsets become invalid, which manifests as garbled proprietary data on Canon and Nikon files.

Social media platforms (Instagram, WhatsApp, X/Twitter) strip most metadata on upload and re-encode the image at a lower quality. The output file typically retains no EXIF beyond basic orientation, no GPS, and no MakerNote. The software tag changes to the platform's processing pipeline. This stripping is a privacy feature, but it also destroys provenance. An image recovered from a social media platform carries almost no metadata evidence of its original source.

AI image generators (Stable Diffusion, Midjourney, DALL-E) produce files with no EXIF DateTimeOriginal, no MakerNote, and software tags that identify the generator or are absent entirely. Some generators embed a PNG tEXt chunk with the prompt and seed parameters. The absence of a MakerNote and the presence of a software tag naming a generative model is a strong indicator of synthetic origin, though it is not proof: a generated image that is printed and rephotographed will acquire genuine camera EXIF from the rephotographing device.

Metadata cross-validation is a structured comparison of the information from all layers against each other and against external reference data. The goal is to identify contradictions that the file's claimed history cannot explain.

Internal cross-checks within a file: compare EXIF DateTimeOriginal against XMP xmp:CreateDate (they should match if the file was only processed in a tool that preserves EXIF); compare EXIF Make/Model against the MakerNote structure (Canon files should have a Canon-format MakerNote starting with the ASCII string "Canon"); compare GPS latitude and longitude against the GPS timestamp UTC (the GPS time and EXIF time should agree within seconds for an image captured with an active GPS fix); compare file system ctime/mtime from the forensic acquisition image against EXIF DateTime.

External cross-checks: sun angle and shadow direction visible in the image can be compared against the calculated solar position for the GPS coordinates and EXIF timestamp, using tools such as SunCalc or PhotoDNA sun analysis plugins. Weather records can corroborate or contradict lighting conditions. Cell tower connection logs can bracket a device's location against the GPS claim. If the image was uploaded to a platform, the platform's receipt timestamp provides an upper bound for the file's existence.

Video files do not use EXIF. Their metadata lives in the container format's structural atoms or tags. In MP4 and MOV files (ISO 14496-12 / QuickTime), the mvhd (movie header) atom contains creation_time and modification_time fields stored as seconds since 1 January 1904 (QuickTime epoch). The tkhd (track header) atom repeats these fields per track. A transcoding tool that re-muxes the video will overwrite these fields with the transcoding time, not the original recording time.

The encoder string (in the ftyp or udta atoms) identifies the software that wrote the container. A file whose mvhd creation_time matches the claimed recording date but whose encoder string names a desktop transcoding application has been remuxed. The original recording timestamp should be sought in any embedded metadata block (some smartphone cameras write a GPS location atom in the udta box) or in the original file acquisition if available.

For audio-visual authenticity, metadata cross-validation extends to the audio track. An Electric Network Frequency (ENF) analysis of the audio can provide an independent timestamp reference. If the ENF signature places the recording at a time inconsistent with the container timestamps, one or both are wrong. This analysis is covered separately in Electric Network Frequency Analysis.

The Coalition for Content Provenance and Authenticity (C2PA) published its first technical specification in 2021 and released version 2.0 in 2023. The standard defines a provenance manifest that is bound to the file content by a cryptographic signature. The manifest records a chain of assertions: who captured the file, on what device, at what time, and what subsequent operations (crop, colour grading, AI upscaling) were performed and by which software. Each step in the chain is signed by its actor using a certificate from a trusted issuer.

The key property is tamper evidence. If the pixel content of the image changes after signing, the signature fails verification. If the manifest itself is altered, the signature fails. An examiner verifying a C2PA file receives a definitive answer: the manifest is either valid (the content matches the signed state) or it is not. This is qualitatively different from EXIF forensics, where the absence of tampering indicators is never proof of integrity, only the absence of detected modification.

C2PA adoption is growing but uneven. Leica, Sony, Canon, and Nikon have announced or shipped cameras with C2PA signing. Adobe's Content Credentials infrastructure signs files on export from Photoshop and Lightroom. The Associated Press, BBC, and Reuters have begun requiring C2PA-signed images for wire distribution. AI platforms including Adobe Firefly and OpenAI embed C2PA manifests identifying content as AI-generated. The practical forensic implication is that the presence of a valid C2PA manifest in a submitted file is strong provenance evidence, while its absence means only that the file predates adoption or was processed by a non-adopting tool.