Sometimes it’s easy to get lost in what your tool is trying to tell you. When we look at the EXIF data for the picture shown on the left, we can see several timestamps: Original, Digitized, EXIF and Device. How can you make sense of all of this? Sometimes it can be as easy as using more than one tool; other times you may have to create test data. The example on the right is ExifTool parsing the original photo, not the one on the left, which is pulled from my device. Why are we showing you both? So that you learn what you can trust in your tool.
A photo was sent to my device. The screenshot on the right from ExifTool shows the original metadata. I opened the MMS and saved the image to my device. The EXIF parsed by Oxygen (the left image) shows the original timestamps as well as my device time:
Created (Device time): when the photo was saved on my device
Last modified (Device time): the last time the photo was modified
Last accessed (Device time): the last time the photo was viewed or accessed
The metadata all reflects the original device that took the photo, which is also shown by ExifTool. Where this can get confusing is the Coordinates and Address. Notice how Oxygen states “Device owner’s geodata”? This is where Heather was when she opened and saved that photo! This is not only close to where Heather was when she received the photo but also shows the train tracks of Amtrak that run right behind Arbor Point Apartments in New Castle County, Delaware. When we first saw this, we were confused. We thought the metadata meant the photo was taken there (on the Amtrak tracks), but it doesn’t. It is where the user of the device was located when that photo was saved/created on their device. This could really help an investigation if location and pictures matter!
Remember, location services may be turned off, and you may get little to no metadata, depending on the device that took the photo and the settings on the device. If you are questioning what you are seeing or even not seeing, export the photo and look at the EXIF in a second tool. If you find images that are of interest, try ExifTool. It’s a free way to verify what you believe the tool is telling you. This program is on your VM in C:\ProgramData\chocolatey\bin.
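As an added example (not part of the original material), the script below separates timestamps embedded in an image from those supplied by the filesystem holding it, which is the distinction drawn above between original and device time. It assumes JSON produced by `exiftool -j -G1 -a -time:all -gps:all <file>`; the sample record, its values and the function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample of `exiftool -j -G1 -a -time:all -gps:all` output.
# Values are made up for illustration; they are not from the photo in the text.
SAMPLE = """[{
  "SourceFile": "exported/IMG_0001.jpg",
  "System:FileModifyDate": "2023:05:16 18:42:10-04:00",
  "System:FileAccessDate": "2023:05:17 08:03:55-04:00",
  "System:FileCreateDate": "2023:05:16 18:42:10-04:00",
  "IFD0:ModifyDate": "2023:05:14 09:21:07",
  "ExifIFD:DateTimeOriginal": "2023:05:14 09:21:07",
  "ExifIFD:CreateDate": "2023:05:14 09:21:07"
}]"""

FILESYSTEM_GROUPS = {"System", "File"}  # set by the OS storing the file, not the camera


def split_timestamps(record):
    """Split one ExifTool record into embedded vs filesystem timestamps."""
    out = {"embedded": {}, "filesystem": {}, "has_gps": False}
    for key, value in record.items():
        group, _, tag = key.partition(":")
        if group == "GPS":  # family-1 group for GPS tags written into the image
            out["has_gps"] = True
            continue
        try:  # keep wall-clock time only; EXIF dates usually carry no UTC offset
            when = datetime.strptime(value[:19], "%Y:%m:%d %H:%M:%S")
        except (TypeError, ValueError):
            continue  # not a timestamp (e.g. SourceFile)
        side = "filesystem" if group in FILESYSTEM_GROUPS else "embedded"
        out[side][tag] = when
    return out


def saved_after_capture(split):
    """Approximate gap between capture time and file creation on this system."""
    taken = split["embedded"].get("DateTimeOriginal")
    created = split["filesystem"].get("FileCreateDate")
    return created - taken if taken and created else None


if __name__ == "__main__":
    result = split_timestamps(json.loads(SAMPLE)[0])
    print(sorted(result["embedded"]), sorted(result["filesystem"]))
    print("GPS in image:", result["has_gps"], "| gap:", saved_after_capture(result))
```

The gap is wall-clock only, so treat it as approximate when the capturing device and the examining system were in different time zones.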