ExifTool: Extract Hidden Metadata from Images, Video, and Documents

When investigating media files, we run them through ExifTool. ExifTool digs up crucial metadata. The metadata reveals where the photo was taken, what device took it, what software edited it, and when it was created.

ExifTool has been around since 2003. No other tool matches its capabilities. Investigators rely on it. Metadata tells a story, and ExifTool helps you read it.

What ExifTool Reads

ExifTool handles more than just images. It's a file metadata tool that works with over 100 formats, including JPEG, PNG, HEIC, Canon, Nikon, and Sony camera RAW files, PDF, DOCX, XLSX, MP4, MOV, MP3.

Investigators focus on key fields: GPS coordinates and altitude, device make and model, lens info, software version, creation and modification timestamps, author and copyright details, and device serial numbers. These fields show up across different metadata blocks in the same file.

The main blocks are EXIF, IPTC, and XMP. EXIF has technical data from the camera, like timestamps and GPS. IPTC is an older standard for captions and credits, added by humans. XMP is Adobe's format, used by editing software. A file can have all three. Discrepancies between them are often valuable information.

That's it.

Installation

Setup is minimal on every platform.

To get started with ExifTool, you'll need to install it on your system.

For Windows, grab the standalone executable from exiftool.org, rename it to exiftool.exe, and add it to your system's PATH.

For macOS, you can install ExifTool using Homebrew with the command brew install exiftool, or download the macOS package from exiftool.org, which includes a GUI and the command-line tool.

For Linux, ExifTool is available in most distribution repositories; install it using your package manager with a command like apt install libimage-exiftool-perl, noting the package name may vary depending on your distro. Alternatively, for the latest version, download the tarball from exiftool.org and install from source.

Core Commands for Investigators

Using Exiftool for Metadata Extraction

Running exiftool on a file dumps all metadata to the terminal:

exiftool filename.jpg

The output can be piped to grep to extract specific information. For example, to extract GPS data, use:

exiftool filename.jpg | grep -i gps

To extract date and time information, use:

exiftool filename.jpg | grep -i "date\|time"

For structured output, use the -json flag:

exiftool -json filename.jpg

This gives a clean JSON array, easy to integrate into Python scripts or Node pipelines. Exiftool supports JSON, Python, and Node.

To process entire directories, use the recursive flag:

exiftool -r /path/to/evidence/

Combining with -json and output redirection results in a single structured record for all files.

When you know what you need, you can pull only those fields. For example:

exiftool -GPSLatitude -GPSLongitude -DateTimeOriginal -Make -Model filename.jpg

This approach is faster and keeps terminal output readable during live sessions.

GPS and Location Intelligence

GPS fields in smartphone images are directly actionable metadata. Exiftool extracts coordinates as follows: exiftool -n -GPSLatitude -GPSLongitude filename.jpg These coordinates are instantly usable in Google Maps, QGIS.

Smartphone images often carry more than just latitude, longitude. GPSAltitude gives elevation in meters. GPSSpeed records movement velocity at capture time. GPSImgDirection records the compass bearing the camera was facing.

Missing GPS data has its own story. Some camera apps, social platforms strip GPS. People who sanitize their files also remove GPS.

Device Make, Model often survive stripping. They confirm device type. The Software field reveals if GPS was removed by an app or platform.

Authenticity and Forensic Signals

Metadata - where manipulation leaves its traces. Timestamps usually tell a straightforward story. A file has multiple time stamps: when it was created and modified on the file system, DateTimeOriginal, CreateDate, and sometimes ModifyDate. When they all match, the file's history looks clean. When they don't, it's a sign that the file was edited.

The Software field gets overlooked, yet it's a valuable clue. The camera's firmware signs its name. Adobe Photoshop leaves a version number with every save. Other editing tools do the same; GIMP, Snapseed, Lightroom, mobile apps all leave behind distinct markers. Social media platforms like Facebook and Telegram alter images when you upload them. This can erase or replace EXIF data and add XMP fields that reveal the platform's processing.

Some cameras, Canon, Nikon, Sony, include the device's serial number in EXIF data as SerialNumber or InternalSerialNumber. This helps investigators. If multiple images have the same serial number, they were taken with the same camera. That's a useful lead.

Limitations and Caveats

Metadata limitations start with social media. Download an image from these platforms, and you'll likely get platform-generated metadata at best. Often, there's nothing useful.

ExifTool shines on original files. Get a file straight from the source, a device, an email attachment, or a file-sharing service that doesn't alter it, and you can trust the metadata.

Metadata can be fake. EXIF fields can be edited. A motivated person can set any GPS coordinate, time stamp, or other data they want. So, a coordinate in an image is a lead, not proof. Verify with visual clues. Does the environment match the claimed location? Does the sun angle fit the time of day? Use metadata to start your investigation, not end it.

Screenshots cause problems. A screenshot's metadata comes from the device that took it, not the content being captured. If someone sends you a screenshot of a photo, ExifTool will tell you about their phone. That's all you get.

Verdict

ExifTool is a must-have. It handles more file formats and digs deeper into their metadata than any other tool, free or paid. Nothing matches its combination of reliability, and scriptability.

Media investigations rely on it for verifying image provenance, extracting GPS locations from smartphone photos, linking devices through serial numbers, and detecting manipulation via timestamps and software logs. These scenarios pop up all the time.

The learning curve is the only downside. Spend an hour with the docs and some test files. Once ExifTool pays off, like revealing a crucial GPS coordinate, exposing a Photoshop edit, or connecting two files to the same device, it's a permanent addition to your toolkit.

Best for digital forensics analysts, OSINT investigators handling media evidence, journalists verifying image and document authenticity. Download from exiftool.org; it is free, open source, and actively maintained.