Unmasking image manipulation with EXIF data & ELA
Verify photo authenticity, detect deepfakes, and preserve the chain of evidence
In a time when deepfakes and easy-to-use photo-altering software are common, being able to check the authenticity and context of a photo is not only helpful but also necessary for journalistic integrity.
Source photos can be altered to change the facts, trick people, or frame people in a deceptive way.
To determine where a digital image originated and whether it is real, journalists need to go beyond merely examining it and utilise forensic methods like EXIF data analysis and Error Level Analysis (ELA). This skill is essential for high-stakes investigations where photographic evidence is crucial to the story.
Goals for learning
Learn how to get and understand Exchangeable Image File Format (EXIF) metadata.
Learn how to find important geographical (GPS) and temporal (date/time) information in an image file.
Learn the basics of Error Level Analysis (ELA) and how to use it to find fake digital documents.
Establish a standard method to maintain the Chain of Custody for photographic evidence.
Basic ideas
Important words
EXIF data:
The Exchangeable Image File Format is a standard for storing metadata in digital image files like JPEG and TIFF. It has details about the camera, settings, date and time, and sometimes GPS locations.
Metadata:
Data that tells you about other data. In OSINT, it's often file information that isn't visible.
Error Level Analysis (ELA):
A forensic method that looks at the small variances in the JPEG compression error rate across an image to find image manipulation. These differences are usually uniform in an untreated image but not in a manipulated one.
Chain of custody:
The chronological record or paper trail that shows the seizure, custody, control, transfer, analysis, and disposal of physical or electronic evidence.
Steganography:
The act of hiding a file, message, image, or video inside another file, message, image, or video. Sometimes, ELA can show this.
Important for journalists: Ethical and legal limits
Privacy and consent
EXIF data might include very private information, such as the exact GPS coordinates (latitude and longitude) of where a photo was shot. This could put a source at risk or reveal a private location.
Ethical duty
Always hide or remove sensitive EXIF data before publishing to ensure privacy and source security.
The "Public Domain" limit
You can only use data that is available to everyone and can be shared legally. Don't ever try to guess login information or get into private systems by looking at the filename or other metadata.
Things to think about legally
Verification is Required: All forensic results, including EXIF and ELA, are merely technical results. Before you report these as facts, you need to back them up with journalistic methods like interviews, records, and independent checks.
Disclaimer: Depending on where you live, using forensic tools and techniques on publicly available data could have legal consequences. Always talk to your news organisation's lawyers about the best methods to handle, keep, and report digital evidence.
The Method: Putting it into action step-by-step
Tools and setup needed
ExifTool Command-Line tool: The standard for reading, creating, and altering metadata in almost any file type. Put it on a separate OSINT Virtual Machine (VM) or Secure Operating System.
Browser Extension for dedicated browser: For rapid tests, use Exif Viewer extensions like FOCA for desktop or simple web viewers. Only use on photographs that don't need a lot of detail; command-line tools are more dependable.
Online ELA Tool from FotoForensics: A tool on the web for rapid, basic ELA and signature analysis. Use only for photographs that are available to the public and are not sensitive.
Secure VM OS: A dedicated machine, like Tails or a regular OS that has been hardened with security settings. It is essential to keep personal information separate from investigative work.
How to put it into practice
Scenario 1: Checking an image's source and time
Aim: Find out where and when a key piece of photographic evidence was made and what device was used.
Download the image safely: Directly save the original image file to your safe VM or isolated storage. Don't take a screenshot of the picture because it makes a new file with new metadata.
To run ExifTool, open your terminal in the folder where the image is stored and type in the basic command.
Bash
# Command to generate SHA-256 hash on most Linux/macOS systems
sha256sum original_image.jpg > hash_log.txt
# Basic ExifTool command: print every metadata tag in the file
exiftool original_image.jpg
Important EXIF interpretation: Look over the output for the most useful fields:
GPS Latitude and Longitude: The exact place where the snapshot was taken. Use a tool like latlong.net to find the coordinates.
Date/time original/create date: The exact time the shutter was pressed. Be careful with your timezone settings!
Make and model: This tells you what kind of device it is (for example, Nikon D850 or Apple iPhone 17).
Software: This can refer to editing software (like Adobe Photoshop 2024), which clearly indicates that something has been changed.
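To make the field list above concrete, this added example (not part of the original tutorial) parses ExifTool's default text output, pulls out the fields named above, and converts the GPS values to decimal degrees for a mapping tool. The sample output is constructed, the editor watch-list is an assumption, and the parser assumes ExifTool's default coordinate formatting.

```python
import re

# Constructed sample of ExifTool's default "Tag : Value" text output (not from a real file).
SAMPLE_OUTPUT = '''\
Make                            : Apple
Camera Model Name               : iPhone 17
Software                        : Adobe Photoshop 2024
Date/Time Original              : 2024:03:01 14:22:10
GPS Latitude                    : 51 deg 30' 26.46" N
GPS Longitude                   : 0 deg 7' 39.93" W
'''

DMS = re.compile(r'''(\d+) deg (\d+)' ([\d.]+)" ([NSEW])''')
EDITORS = ("photoshop", "gimp", "lightroom")  # assumed watch-list, extend as needed


def parse_fields(text):
    """Split each 'Tag : Value' line at the first ' : ' separator."""
    fields = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(" : ")
        if sep:
            fields[tag.strip()] = value.strip()
    return fields


def dms_to_decimal(dms):
    """Convert degrees/minutes/seconds text to signed decimal degrees (S and W negative)."""
    m = DMS.fullmatch(dms)
    if not m:
        raise ValueError(f"unrecognised coordinate: {dms!r}")
    deg, minutes, seconds, ref = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return round(-value if ref in "SW" else value, 6)


def summarise(text):
    f = parse_fields(text)
    software = f.get("Software", "")
    return {
        "device": f"{f.get('Make', '?')} {f.get('Camera Model Name', '?')}",
        "taken": f.get("Date/Time Original"),  # camera clock; this tag carries no timezone
        "lat": dms_to_decimal(f["GPS Latitude"]) if "GPS Latitude" in f else None,
        "lon": dms_to_decimal(f["GPS Longitude"]) if "GPS Longitude" in f else None,
        "editor_seen": any(e in software.lower() for e in EDITORS),
    }
```

A missing GPS block yields `None` rather than an error, which is the common case for images that have passed through a social platform or messaging app.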
Table of actionable EXIF data:
Scenario 2: Evaluating an image for digital alteration (ELA)
Goal: Find out if a part of the picture (such as a person or an object) was added or changed digitally.
Upload to ELA tool: Use a trusted online ELA tool like FotoForensics or a desktop program like GIMP with a plugin to upload the image.
Look at the ELA output: The ELA tool will create a new image that displays the error levels, typically using different colours or intensities. The error level over the whole image should be quite even and bright.
Modified/manipulated areas: The error level will be very different (typically considerably darker or lighter/sharper) in areas that have been cut, added to, or modified because of re-compression or a different original compression signature.
Examine: Look for a clear, sharp line between a bright area (the original image) and a dark or dull area (the inserted element or heavy re-save), especially around the edges of things or words that you think might be there.
Keeping data safe: The audit trail
For all digital evidence in journalism, it is necessary to establish a Chain of Custody.
Original file isolation: Move the file you just downloaded right away to a secure storage folder where it canât be changed by mistake.
Hash generation: Create a cryptographically secure hash of the original file and all subsequent files, such as the ELA picture. The SHA-256 hash is the standard.
Bash
# Command to generate SHA-256 hash on most Linux/macOS systems
sha256sum original_image.jpg > hash_log.txt
Comprehensive logging: Log every single action in a contemporaneous audit log:
Date and time of file download.
Source URL or method of acquisition.
The SHA-256 hash of the original file.
Every tool used (ExifTool version, FotoForensics URL/date).
The results of the analysis (e.g., "EXIF data shows GPS coordinates...", "ELA output is consistent with a re-saved original").
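The hashing and logging steps above can be combined into one append-only audit log that also lets you re-check a file later. This is an added example, not part of the original tutorial; the JSON Lines layout, the field names and the `audit_log.jsonl` filename are assumptions.

```python
import hashlib
import json
import os
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def log_action(log_path, evidence_path, source, tool, finding):
    """Append one audit entry; the log is JSON Lines and is only ever appended to."""
    entry = {
        "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "source": source,    # source URL or method of acquisition
        "tool": tool,        # tool name and version used for this step
        "finding": finding,  # result of the analysis, in plain words
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(log_path, evidence_path):
    """True only if the file still matches the hash in its first (acquisition) entry."""
    name = os.path.basename(evidence_path)
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["file"] == name:
                return entry["sha256"] == sha256_file(evidence_path)
    return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # evidence file, source URL, tool, finding
        print(log_action("audit_log.jsonl", *sys.argv[1:]))
```

Run `verify_against_log` before every analysis step and again before publication; a `False` result means the working copy is no longer the file that was acquired.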
Verification and analysis for reporting
Strategy for corroboration
Technical data is not proof; it is evidence. It has to be verified.
Geospatial corroboration: If the EXIF data gives you coordinates, utilise at least two different mapping services (like Google Earth/Maps and Bing Maps, or a satellite imagery resource like Sentinel Hub) to make sure the photo matches the real area and features (such as buildings and unique landmarks).
Temporal corroboration: Check the EXIF timestamp against local weather reports, aircraft logs, or publicly recorded activities for that date and time to ensure the photo could have been taken then.
Manipulation corroboration: If ELA suggests manipulation, use a second analysis tool that is completely different from the first one (such as desktop ELA software) to process the image and check whether the abnormality happens again. A convincing manipulation finding must be robust enough to endure independent, expert examination.
Connecting data to story
It is important for clarity and effect to turn raw technical discoveries into verifiable journalistic facts.
AI Assistance in analysis
AI and LLMs can help with processing textual metadata, but they need to be used very carefully.
Summarising large documents or log files: If your OSINT operation generates extensive text-based logs, such as a large ExifTool output with thousands of items, you can use an LLM to quickly summarise the most important information.
Example Prompt using the R.A.F.T model:
Role: Metadata Analyst / Investigative Team Contributor
Audience: Lead Investigative Journalist / Editorial Board
Format: Data-Driven Analytical Report based on a provided CSV log of EXIF data.
Topic/Task: Analyze the provided EXIF data (CSV log) to identify trends in image capture, editing, and timeline anomalies. Ensure all foreign-language metadata for camera models and software is translated and presented in English.
Your analysis must address the following four deliverables:
Top Camera Models: List the five most frequently used camera models (from the "Model" field).
Software Analysis: Examine the "Software" field entries. Consolidate related software versions (e.g., "Adobe Photoshop CC 2021" and "Adobe Photoshop CC 2022" should be grouped under "Adobe Photoshop CC") and identify the single most common editing tool used.
Timeline Anomalies (Grouping Data): Group the image records by "Date/Time Original" and flag any records where the "Modify Date" is more than three (3) months after the "Original Date".
Summary: Based on your findings from deliverables 1, 2, and 3, provide a concise, two-paragraph summary outlining the dominant equipment (cameras), the primary post-processing software used, and any significant timeline anomalies noted. This summary should be suitable for inclusion in a preliminary investigative report.
IMPORTANT WARNING: The risk of hallucination and privacy
Risk of hallucination: LLMs are likely to see things that aren't there. Never say that something an AI found or summarised is true without having a human evaluate it against the original data.
Privacy concern: Don't put private, sensitive, or confidential data from a source into public LLM platforms like ChatGPT or Gemini Public. You could lose your sources and your research if this data is used to train the model. Use AI technologies that have been checked out by the institution, or solely with data that is available to the public.
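Because an LLM's counts and flags have to be checked against the original data, deliverables 1 to 3 of the prompt can be recomputed deterministically and compared with the model's report. This is an added example, not part of the original tutorial; the CSV rows are constructed, the column names follow the prompt's field names, and "three months" is interpreted as three calendar months.

```python
import calendar
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed CSV log; every row is assumed to carry both date fields.
SAMPLE_CSV = """SourceFile,Model,Software,Date/Time Original,Modify Date
a.jpg,iPhone 17,Adobe Photoshop CC 2021,2024:01:10 09:00:00,2024:01:10 09:05:00
b.jpg,iPhone 17,Adobe Photoshop CC 2022,2024:01:31 12:00:00,2024:05:02 08:00:00
c.jpg,NIKON D850,GIMP 2.10,2024:02:01 10:00:00,2024:05:01 10:00:00
d.jpg,iPhone 17,,2024:03:01 10:00:00,2024:03:01 10:00:00
"""
FMT = "%Y:%m:%d %H:%M:%S"  # EXIF date layout


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def top_models(rows, n=5):
    return Counter(r["Model"] for r in rows if r["Model"]).most_common(n)


def software_family(name):
    """Drop trailing version tokens: 'Adobe Photoshop CC 2021' -> 'Adobe Photoshop CC'."""
    return re.sub(r"(\s+[\d.]+)+$", "", name.strip())


def top_software(rows):
    counts = Counter(software_family(r["Software"]) for r in rows if r["Software"])
    return counts.most_common(1)[0] if counts else None


def add_months(dt, months):
    """Calendar-month shift, clamping the day (31 Jan + 3 months -> 30 Apr)."""
    years, month0 = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def late_modified(rows, months=3):
    """Files whose Modify Date is more than `months` calendar months after capture."""
    def ts(value):
        return datetime.strptime(value, FMT)
    return [r["SourceFile"] for r in rows
            if ts(r["Modify Date"]) > add_months(ts(r["Date/Time Original"]), months)]
```

Any model name, count or flagged file in the LLM's report that does not appear in these results should be treated as unverified until traced back to a row in the log.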
Next steps and practice
Exercise to practise
Look for a current news shot of a big breaking story. Click the right mouse button and save the picture.
Use ExifTool to get all of the metadata.
Find the GPS coordinates. If you find them, put them on a map.
Use FotoForensics (or a similar ELA tool) to look at the picture. Look for any bright or dark spots that don't match up. This could mean that a logo, text, or item was copied into the picture.
Write down what you found and make a SHA-256 hash of the original file.
More advanced resources
ExifTool Documentation: The official manual is the best place to find information about every tag and command.
Forensic Wiki on ELA: A thorough, technical look at the principles and limits of Error Level Analysis.
Jeffrey's Image Metadata Viewer: A great web viewer that often shows metadata fields that aren't very well known.
Important things to remember and investigative principles
EXIF is like a fingerprint: When you see an image in the Exchangeable Image File Format, think of it as the image's embedded, non-repudiable fingerprint. It has information about the time, place, and device.
ELA is the truth detector: Error Level Analysis is the most essential tool you have that doesn't harm files to find digital manipulation by looking for differences in compression.
Stop at the Hash: The first thing you should do when you get a file is to make and record its SHA-256 hash to ensure a verifiable Chain of Custody.
Check everything: Technical information (such as EXIF coordinates and ELA anomalies) is not a fact; it needs to be checked against at least two separate journalistic sources.
Privacy first: Never share sensitive EXIF data (particularly GPS) without the source's clear permission or a strong public interest reason.
Coming next week…
Pinpointing location with subtle visual clues
Next week, we're diving into the essential art and science of geolocation: pinpointing a location using only subtle visual clues in an image. In a crisis or breaking news situation, knowing the exact time and place a piece of media was created is paramount. This tutorial will empower you to become a visual intelligence detective, transforming common image elements into solid geographic evidence.