In December 2012 a journalist published one photo of John McAfee, on the run from Belize police. One photo. Inside the JPEG sat an unstripped GPS tag from an iPhone 4S — 15°39'29.4"N, 88°59'31.8"W — a poolside in Parque Nacional Río Dulce, Guatemala. McAfee tried to claim the data was faked. Two days later he confirmed he was, in fact, in Guatemala. NPR ran the autopsy. That is IMINT.EXIF in two paragraphs: a file you treat as a picture is also a confession.
Imagery Intelligence used to mean satellites and analysts with light tables. Today most of the signal lives in the container around the pixels — and most investigators still ignore it. If you're skipping metadata, you're throwing away free evidence.
What EXIF actually is — and what it isn't
People say "EXIF" when they mean three different things. Untangling them is step one, because every serious tool reads all three.
EXIF tells you what the camera did. Make, model, lens, ISO, aperture, shutter, the GPS chip's last fix, the exact timestamp the sensor fired. IPTC describes the picture as content: who shot it, who owns it, captions, keywords, copyright. XMP is Adobe's extensible XML wrapper that swallows both and adds custom fields — including, very usefully, an edit history written by Photoshop, Lightroom or Capture One. A clean breakdown of the three standards lives here.
Why care about the distinction? Because the device leaks via EXIF, the agency leaks via IPTC, and the editor leaks via XMP. Three sources, three different stories. A photo can have a stripped EXIF block but still carry XMP custom tags from the photographer's Lightroom catalog. A photo can have wiped GPS but still hold an IPTC byline that names the freelancer who shot it. Read all three or don't bother.
What you actually pull from a file
On a typical raw photo straight off a phone or DSLR, expect to extract:
- GPS latitude, longitude, altitude, direction of capture, sometimes speed
- Device make, model, firmware, serial number (rare but real on some Canons and Nikons)
- Lens identifier and focal length
- Capture timestamp with timezone offset, plus separate "modify" and "digitized" dates
- Software field — "Adobe Photoshop 25.0", "GIMP 2.10", "Snapseed 2.21" — a fingerprint of who touched it last
- Color profile, ICC tags, white balance presets
- An embedded thumbnail (this one matters — see below)
On a video file the haul is bigger. Container-level metadata, codec, bitrate, plus telemetry tracks — GoPro writes a dedicated GPMF stream with GPS, accelerometer, gyroscope and temperature at high frequency. DJI drone footage carries home-point coordinates, gimbal angles and sometimes the operator's name. iPhone .MOV files embed location and the model that captured the clip. None of that survives a re-encode, but plenty of it survives a "share original".
The platforms problem
This is where the field gets messy and most beginners get confused. The headline answer: Instagram, Facebook and X strip EXIF on the public version of the file. The longer answer matters more.
Instagram runs every upload through resize, recompress and convert — what your followers download is metadata-naked. Facebook has stripped public metadata since 2012 after privacy pressure. X does the same on upload. A 2025 platform-by-platform test confirms the current state. But — and this is the important part — the platform itself ingests your full original before stripping. Meta keeps your real coordinates server-side for ad targeting; the public photo just doesn't expose them to other users.
For an investigator, that means:
- A photo scraped from public Instagram is almost always useless metadata-wise. Don't waste cycles.
- Telegram preserves EXIF when the sender attaches the file as "document" instead of "photo". If you have access to the original Telegram channel attachment and the operator was sloppy, you have everything.
- Flickr historically preserves full EXIF by default. Still does, for accounts that haven't actively scrubbed.
- Email attachments, Discord file uploads, Dropbox/Google Drive shares — all generally preserve. People forget this constantly.
- Anything obtained through "download original" buttons, archive ZIPs, or direct device dumps is the gold layer.
If the only copy you have was reposted through three platforms, give up on EXIF and move to FotoForensics, reverse image search, and chronolocation. That's a different tradecraft.
Techniques worth knowing
The thumbnail trick
Here's the one that catches careless editors. JPEG files embed a small thumbnail in the EXIF block. When someone crops or alters a photo in a basic tool, the visible image gets re-encoded — but the thumbnail isn't always rebuilt. Result: you load the file, extract the thumbnail, and see the original uncropped frame. Faces that were edged out. Backgrounds that were redacted. License plates the editor thought they killed. Treat every "edited" image as potentially carrying a confession in its thumbnail.
Date divergence
EXIF carries multiple timestamps: DateTimeOriginal (when the sensor fired), CreateDate (typically the same), and ModifyDate (last write). When these diverge by hours or days, something edited the file. Combine that with the Software field and you have a name plus a time of intervention.
GPS to map, fast
The unsexy workhorse. Pull GPSLatitude, GPSLongitude, drop into Google Earth, OpenStreetMap, or a chronolocation tool. Five seconds, done. The mistake is treating this as the end of the investigation rather than the start — verify the location with reverse image search, building shape, terrain, and shadow direction before you commit. EXIF coordinates can be spoofed, and operators in active conflict zones routinely fake them.
Bulk extraction at scale
One file is a curiosity. A scraped folder of 4,000 is an investigation. ExifTool handles this with exiftool -r -j /path/to/folder — recursive, JSON output, ready to pipe into jq or a database. Phil Harvey's documentation covers tag groups, custom output formats, and the -plot flag added in 2025 that generates SVG visualizations of tag values across a corpus.
Editing-software fingerprints
The Software tag, HistorySoftwareAgent in XMP, and the IPTC OriginatingProgram field all record what touched the file. A photo claiming to be unedited with "Adobe Photoshop 24.5 Macintosh" in its history is a photo that lied to you.
The toolkit, ranked by what it actually buys you
ExifTool is non-negotiable. It is the reference implementation for reading EXIF, IPTC, XMP, GPS, GeoTIFF, ICC profiles, Photoshop IRB, and the maker notes of basically every camera brand on Earth. CLI-first, scriptable, the only tool you need if you can only have one.
FotoForensics by Hacker Factor (Dr. Neal Krawetz) is the browser-based companion for verification work. It runs Error Level Analysis — re-saves the JPEG at 95% quality and surfaces compression-level deltas that often expose pasted regions. ELA is not a magic forgery detector and Krawetz has been clear about its limits, but used alongside metadata it tightens a verdict.
Jimpl is the upload-and-read tool for fast triage. Drop the file, get a structured view of EXIF/IPTC/XMP without installing anything. Useful when you're in the field on a borrowed laptop.
Beyond what's catalogued on osintbay, the working set includes Jeffrey's Image Metadata Viewer for second opinions, Metapicz and metadata2go for browser-based extraction, JPEGsnoop for byte-level JPEG forensics, Pic2Map for instant GPS-to-map, MediaInfo for video container streams, and the InVID/WeVerify browser plugin for video keyframes, magnification and reverse image search in one bundle.
Counter-OSINT: assume your target reads this too
Operators in 2026 know about EXIF. The hacker known as W0rmer learned this the hard way back in 2012 — he sent a photo of his girlfriend with intact EXIF, and that single file walked the FBI to her house in Australia and from there to him. Today the playbook is to strip metadata before publishing, run images through scrubbers like ExifTool's -all= flag, or take screenshots of screenshots to launder origin data.
Which means: when you find clean metadata on a sophisticated target's file, treat it as either a mistake (they exist, constantly) or a plant. Cross-reference the GPS with reverse image search, building geometry, weather records and shadow direction. Trust nothing in isolation. EXIF is a starting hypothesis, not a verdict.
Where to keep learning
The metadata corner of OSINT moves slowly and rewards depth. Phil Harvey's ExifTool docs are the canonical reference. Bellingcat's online investigation toolkit catalogues the working set. On the social side, follow @hatless1der, @cyb_detective, @sector035 and @i_am_osint — they post real-world EXIF finds before the rest of the field even hears about them.
The discipline is unglamorous. It will not get you a Bellingcat byline by itself. But on every serious investigation, the metadata layer is either the first crack or the final confirmation. The McAfee photo wasn't decoded by satellite imagery or a leaked source — it was decoded by someone who right-clicked "Properties".