We hope you are familiar with metadata, especially as it exists in email messages and word processing files. If not, then a brief refresher is in order. There are a couple of different types of metadata, but the most common definition is data that is stored internal to the file (you can’t see it without knowing how to look at it) and is not explicitly defined by the user. The application (for example, word processing) inserts within the file information such as the author, last time printed, fonts used, and creation date. But what about image files such as those taken with digital cameras? What metadata do those files contain?
Digital photos can be an electronic-evidence heaven. Digital-image files typically contain information about the date and time the photo was taken, camera settings such as aperture and shutter speed, the camera’s manufacturer make and model (and often the serial number), and, in the case of smartphones, the GPS coordinates of the place where the photo was taken (pure evidentiary gold in many cases). This metadata is called Exif (exchangeable image file format) and is a standard that specifies formats for files recorded by digital cameras. None of this information is added by the user at the time of file creation. As you can see, the information could be extremely valuable, especially in litigation.
Why Photo Metadata Is Significant
Now that we’ve established that metadata does exist in digital-image files, should you care? It depends on whether you are the originator or the recipient of the information. The availability of metadata may pose hazards if the metadata is revealed through social media channels. Here’s a real-world example. Adam Savage is a host of the popular science program, “MythBusters,” on the Discovery Channel. He posted on Twitter a picture of his automobile parked in front of his house. Even though Savage is a “science” guy, he apparently didn’t know or simply forgot that the photo revealed more information than the fact that he drives a Toyota Land Cruiser.
Embedded in the picture was a geotag, which provided the latitude and longitude of where the photo was taken. Because Savage tweeted “Now it’s off to work,” a burglar would know that he was not at home and the geotag would also pinpoint where he lived. Fortunately, Savage dodged a bullet that time.
Attorney Sharon D. Nelson is president and John W. Simek is vice president of Sensei Enterprises Inc., a legal technology, computer forensics, and information security firm based in Fairfax, Va.
Then there’s the story of the leaked Harry Potter and The Deathly Hallows book. Someone took a digital photo of every page and posted the entire book on BitTorrent networks such as Pirate Bay. The photographer has not been identified but did leave behind a lot of electronic breadcrumbs. The metadata tells us that the camera he (we suspect it was a man because of how the hand and fingers visible in many of the photos look) used a Canon EOS Digital Rebel 300D camera that was running firmware version 1.0.2. The camera serial number is 0560151117. Canon identified the camera as being three years old and said it had never been serviced. By now, the camera is probably at the bottom of a river somewhere, and thus unavailable to help lead the authorities to the owner.
Probably the most famous Exif story is that of John McAfee. While on the run from authorities in Belize in connection with a murder investigation, he allowed a journalist from a website to photograph him, and the picture was then posted on the website complete with its Exif data. It turned out he was in Guatemala, where he was promptly detained and later deported to the United States.
Currently, photos posted to Facebook or Twitter are stripped of their Exif metadata. On the other hand, Google+ preserves it.
Identifying and Eliminating Metadata
We have many more metadata stories, but you get the picture (bad pun). Digital-image metadata is not readily perceptible by the casual viewer. Perhaps that is why we still find a plethora of metadata in the electronic evidence we analyze for clients’ cases. So, how can you identify what metadata exists in the electronic file, and is there a way to clear it out?
Viewing a digital image’s metadata requires that you open the image in a piece of software that can readily show you the metadata values. You probably don’t even need to spend any money to do so. If you are running Windows 7, you can use the included Windows Live Photo Gallery or Windows Photo Viewer. Once the file is open, click on File and then Properties to see many of the metadata values, including GPS location information if it exists.
If you don’t want to distribute the Exif data with the file, you can get rid of it or at least change it. The function to modify the data as well as remove it is included in your Windows environment. If you right click on a file and click on Properties and then Details, you have the opportunity to change or delete much of the embedded metadata. There is even a Remove Properties and Personal Information link at the bottom of the panel. You can use this hyperlink for an individual file or for all files in a folder. Once you click on the hyperlink, you can create a copy with all possible properties removed or selectively remove specific properties.
There is also a free Windows utility, QuickFix, that will strip GPS and other metadata from the image file. We encourage you to give it a try, especially because it’s free and supports drag and drop. Finally, you can install a product like Litéra’s Metadact-e, which will clean metadata from document files as well as image files.
No matter which approach you take, don’t just focus on the metadata in your word processing and spreadsheet files. Those digital photographs can hold valuable nuggets as well. Just ask John McAfee.