Metadata is the laziest, richest clue in OSINT and the most over-trusted. It burned a fugitive and an elite hacker, yet by 2026 it lies more than it tells. Read this.
A fugitive on the run from a murder charge got caught because a magazine forgot to clean a photo. An "elite" hacker who taunted the FBI got his front door handed to them by a picture of his girlfriend. Both men understood encryption. Both men understood operational security. Both men were undone by a few bytes of text quietly riding along inside a JPEG that neither of them remembered was there.
That is the seduction of EXIF metadata. It is the laziest win in the whole of OSINT, the richest single clue a careless target ever leaves you, and the most over-trusted scrap of data in the entire discipline. People treat a GPS tag like a confession. It is not. It is unsigned, attacker-controllable plaintext that anybody can edit or wipe in the time it takes to read this sentence, and by 2026 the easy wins are mostly gone. Every major social platform strips it on upload, so a clean image proves nothing, and a dirty one is trivially faked. The thesis of this whole article fits in one line. Metadata is a lead, never a verdict. Master it, corroborate it against the pixels and the world, and know exactly when it is lying to you.
Open any photo from a real camera or phone and there is a second document stapled to the picture you can see. EXIF holds the camera make and model, the lens, the exposure, the timestamps and, if location was on, the GPS coordinates. IPTC and XMP hold captions, copyright and editing history. The MakerNotes hold manufacturer-specific blocks that casual scrubbers miss entirely: serial numbers, shutter counts, internal thumbnails, the kind of thing that ties an image to one specific physical camera body. There is even a fully formed lower-resolution thumbnail baked inside most files, and we will come back to that one because it is a gift.
None of it is signed. None of it is verified. All of it was written by the device, which means all of it can be rewritten by anyone. Hold that thought through everything that follows.
Forget the pretty websites for a moment. The ground truth tool is ExifTool, Phil Harvey's command-line reader and writer, sitting at version 13 in 2026 and quietly powering almost every online viewer you have ever pasted a photo into. Learn the real thing and you stop trusting someone else's web wrapper to decide what you get to see.
Dump the lot, grouped and labelled:

    exiftool -G1 -a -s -ee photo.jpg

That shows you the family each tag belongs to, the duplicate tags a lazy tool hides, and any nested embedded data. Want only the location?

    exiftool -n -GPSLatitude -GPSLongitude -GPSAltitude -GPSImgDirection photo.jpg

Here -n hands you raw decimal degrees you paste straight into a map. Or see position, altitude, speed and bearing in one shot:

    exiftool photo.jpg | grep -i gps

When you have a whole folder or a seized drive, surface only the geotagged files and let it churn through thousands while you make tea:

    exiftool -r -if '$gpslatitude' -filename -gpsposition -createdate -csv DIR/ > geo.csv
And always read the MakerNotes. A scrubber that strips the obvious GPS tag will often leave the serial number sitting in the manufacturer block, and a serial number is how the academic forensics people tie a stack of images back to a single camera. There is real published work on source camera identification from exactly these fields, and it works because nobody remembers the MakerNotes are there.
The Thumbnail Is A Second Photo
Here is the move that feels like cheating. Most JPEGs and RAW files store one or more embedded preview images inside the metadata, and those previews are frequently not updated when the visible photo is cropped or edited. The person crops their face out of the frame. The thumbnail still has the face.
Extract them and look:

    exiftool -b -ThumbnailImage photo.jpg > thumb.jpg
    exiftool -b -PreviewImage photo.jpg > preview.jpg

Now lay the thumbnail next to the full frame. If they disagree, the difference is the original uncropped scene, the thing your target thought they had removed. The whole picture they deleted can be living on inside the picture they kept. Always pull the thumbnail before you decide an image has nothing to give you.
Timestamps Lie In Lockstep
There are three EXIF dates and people only ever read one. DateTimeOriginal is capture. CreateDate is when it was digitised. ModifyDate is the last time the file was written. When those three diverge, something edited the file, and that divergence is itself a clue. Modern phones also stamp an OffsetTime or OffsetTimeOriginal tag carrying the device's UTC offset, which quietly hands you the shooter's time zone.
But none of it is true just because it is consistent. The timestamp is whatever the camera's clock was set to, and a wrong clock, accidental or deliberate, makes every date wrong together, in perfect agreement, looking utterly trustworthy. So you test the time against the one clock nobody can edit, the sun. Feed the object height, the shadow length, the date and the rough time into Bellingcat's Shadow Finder or into SunCalc and ask whether that lighting is even physically possible at that place on that day. A consistent set of EXIF dates is not a true date. The shadows do not have a settings menu.
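The shadow test above can be run as arithmetic before you open a web tool. This is an added example, not code from Shadow Finder or SunCalc: it turns DateTimeOriginal plus OffsetTimeOriginal into UTC, computes the sun's elevation at the claimed coordinates with the standard NOAA approximation, and compares it with the angle the measured shadow implies. The sample values and the 5 degree tolerance are assumptions.

```python
import math
from datetime import datetime, timezone

def exif_to_utc(date_original, offset_original):
    """Join DateTimeOriginal and OffsetTimeOriginal into an aware UTC datetime."""
    local = datetime.strptime(date_original + offset_original, "%Y:%m:%d %H:%M:%S%z")
    return local.astimezone(timezone.utc)

def sun_elevation(when_utc, lat, lon):
    """Solar elevation in degrees (NOAA low-accuracy series, good to about 1 degree)."""
    hours = when_utc.hour + when_utc.minute / 60 + when_utc.second / 3600
    g = 2 * math.pi / 365 * (when_utc.timetuple().tm_yday - 1 + (hours - 12) / 24)
    eqtime = 229.18 * (0.000075 + 0.001868 * math.cos(g) - 0.032077 * math.sin(g)
                       - 0.014615 * math.cos(2 * g) - 0.040849 * math.sin(2 * g))
    decl = (0.006918 - 0.399912 * math.cos(g) + 0.070257 * math.sin(g)
            - 0.006758 * math.cos(2 * g) + 0.000907 * math.sin(2 * g)
            - 0.002697 * math.cos(3 * g) + 0.00148 * math.sin(3 * g))
    solar_minutes = hours * 60 + eqtime + 4 * lon   # true solar time, east positive
    hour_angle = math.radians(solar_minutes / 4 - 180)
    phi = math.radians(lat)
    cos_zenith = (math.sin(phi) * math.sin(decl)
                  + math.cos(phi) * math.cos(decl) * math.cos(hour_angle))
    return 90 - math.degrees(math.acos(max(-1.0, min(1.0, cos_zenith))))

def shadow_check(date_original, offset_original, lat, lon, height_m, shadow_m, tol_deg=5.0):
    """Compare the sun angle implied by a measured shadow with the computed one."""
    computed = sun_elevation(exif_to_utc(date_original, offset_original), lat, lon)
    implied = math.degrees(math.atan2(height_m, shadow_m))
    plausible = computed > 0 and abs(computed - implied) <= tol_deg
    return {"computed": round(computed, 1), "implied": round(implied, 1),
            "plausible": plausible}

# Constructed sample: 1.8 m person, 0.96 m shadow, claimed location central London.
CLAIMED = dict(lat=51.5, lon=-0.13, height_m=1.8, shadow_m=0.96)

if __name__ == "__main__":
    print(shadow_check("2024:06:21 13:00:00", "+01:00", **CLAIMED))  # midday claim
    print(shadow_check("2024:06:21 19:00:00", "+01:00", **CLAIMED))  # evening claim
```

A pass only means the lighting is physically possible for that claim; a fail means the clock, the coordinate or your shadow measurement is wrong, and you still have to find out which.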
Geolocate Without GPS, Because There Won't Be Any
This is the part that separates 2026 from the playbook everyone half remembers. Stop expecting a GPS tag. Instagram, Facebook, X, LinkedIn, Snapchat and Reddit all strip metadata on upload, so a photo you pulled off social media is supposed to be clean. A scrubbed image is the default state of the modern internet, not the fingerprint of a careful operator, and reading too much into its absence is how amateurs talk themselves into a story.
So you start from the pixels, the way Bellingcat taught the entire field. Reverse image search the scene first. Then chip away at the visible clues, the signage and the language on it, the architecture, the vegetation, the licence plates, the direction of the sun and the shadows, and confirm each one against satellite and Street View. As a lead generator only, the CERTH Geolocalizer bundled into the InVID and WeVerify plugin will estimate a location from image content with no EXIF at all. Treat its guess as a hint that tells you where to start looking, never as the answer. The model points a direction. Your eyes close the case.
If the file is clean or you simply do not trust it, move to forensics. Upload to FotoForensics, Neal Krawetz's site, for Error Level Analysis and a clean metadata dump. Cross check it against Forensically at 29a.ch, which adds clone detection, noise analysis, a magnifier and its own metadata reader.
Now the warning that matters more than the tools. ELA is suggestive, never conclusive. Hany Farid, who is about as authoritative as image forensics gets, demonstrated that ELA mislabels authentic and altered images at broadly similar rates. It is a way to decide where to look harder, not a verdict to publish. Anyone waving an ELA heatmap around as proof of Photoshop is telling you they have not read the literature. What you can lean on a little harder is the software trail. A Software tag reading Adobe Photoshop, or a JPEG whose quantisation and structure are inconsistent with a straight-off-the-camera capture, is a solid flag the file was re-saved after the shutter clicked.
The New Layer: C2PA Content Credentials
Here is where the story turns, because the industry's answer to "metadata is unsigned and worthless" has arrived, and you need to know it. C2PA Content Credentials are cryptographically signed provenance, a tamper-evident manifest that records who made a file, on what device or software, whether generative AI touched it, and what was edited along the way. This is not theory. The Google Pixel 10 now signs every photo at the moment of capture in hardware, reaching C2PA Assurance Level 2, and OpenAI and Google have bolted C2PA and SynthID into their AI image pipelines.
Check whether a file even carries one with exiftool -G1 -a photo.jpg, which surfaces the JUMBF block if a manifest is present. For a readable view, drop the file into the official Content Credentials Verify tool, which runs in your browser without uploading anything and lays out the creator, the capture device, the AI involvement and the edit history. For the raw signed manifest, the assertions, the ingredients, the actual cryptographic chain that the polished interface hides, reach for c2patool, the official open source CLI. Think of it as the ExifTool of provenance.
Now validate, do not venerate. A present and valid signature proves the file matches what the signer claims and has not been altered since signing. It does not prove the scene in front of the lens was real, and a missing manifest proves precisely nothing, because here is the fatal irony of 2026. The same social platforms that strip your EXIF strip C2PA too, re-encoding the image on upload and snapping the provenance chain at the exact moment of sharing. We solved the signing problem and then kept the one habit that destroys it.
Scrub Before You Publish
Tradecraft cuts both ways, and the photo you publish is a photo your own target gets to investigate. So clean your own house. Strip everything, adding -r for a folder:

    exiftool -all= -overwrite_original photo.jpg

Keep your colour fidelity while you do it by excluding the ICC profile from the wipe:

    exiftool -all= --icc_profile:all -overwrite_original photo.jpg

Kill only location:

    exiftool -gps:all= -overwrite_original photo.jpg

For a quick batch clean before publication, ExifPurge does the job on Windows and Mac.
Then verify the scrub, because naive tools lie to you. Run exiftool -G1 -a -s photo.jpg again and confirm the GPS, the serial number and, above all, the embedded thumbnail and MakerNotes are actually gone, because those are exactly what lazy scrubbers leave behind. On a phone, do not trust the platform to save you. On iOS the share sheet has Options where you toggle Location off before sending. On Android the camera has a Save location switch you turn off. And know your upload path, because the same app both strips and leaks depending on how you hand it the file. WhatsApp's "send as document", Telegram's "send as file" and a Discord attachment dragged in through the file manager preserve metadata byte for byte, while the inline photo picker in all three compresses and strips it. Discord cleans JPEG but is sloppier on PNG and explicitly does not touch video, so a phone clip can still be carrying device model, date and GPS straight to anyone who downloads it.
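One way to make that verification repeatable across a batch, as an added example rather than anything shipped with ExifTool: feed it the JSON from exiftool -j -G1 -a -s and it fails any file that still carries a tag outside a short allowlist of groups. The allowlist, the risk keywords and the constructed sample report (including the hypothetical "ExampleCam" maker group) are assumptions to adjust for your own pipeline.

```python
import json

# Groups that describe the file container, not the shooter or the device.
ALLOWED_GROUPS = {"ExifTool", "System", "File", "JFIF", "Composite"}
ICC_PREFIXES = ("ICC_Profile", "ICC-")   # left in place by the colour-preserving scrub
HIGH_RISK_WORDS = ("gps", "serial", "thumbnail", "preview")

def audit_scrub(report_json, keep_icc=True):
    """Map each file to (high_risk, other_residue) lists of surviving Group:Tag keys."""
    findings = {}
    for record in json.loads(report_json):
        high, other = [], []
        for key in record:
            group, _, tag = key.rpartition(":")
            if not group:                      # "SourceFile" carries no group
                continue
            if any(word in tag.lower() for word in HIGH_RISK_WORDS):
                high.append(key)
            elif group in ALLOWED_GROUPS or (keep_icc and group.startswith(ICC_PREFIXES)):
                continue
            else:                              # default deny: unknown group is residue
                other.append(key)
        findings[record["SourceFile"]] = (sorted(high), sorted(other))
    return findings

def is_clean(findings, path):
    """A file passes only when nothing at all survived outside the allowlist."""
    high, other = findings[path]
    return not high and not other

# Constructed report in the shape of `exiftool -j -G1 -a -s` output, two files.
SAMPLE = json.dumps([
    {"SourceFile": "lazy.jpg", "System:FileName": "lazy.jpg", "File:ImageWidth": 4000,
     "IFD0:Make": "ExampleCam", "ExampleCam:SerialNumber": "000000 (constructed)",
     "IFD1:ThumbnailImage": "(Binary data 5120 bytes, use -b option to extract)"},
    {"SourceFile": "clean.jpg", "System:FileName": "clean.jpg", "File:ImageWidth": 4000,
     "Composite:ImageSize": "4000x3000", "ICC_Profile:ProfileDescription": "sRGB"},
])

if __name__ == "__main__":
    for path, (high, other) in audit_scrub(SAMPLE).items():
        print(path, "high risk:", high, "other residue:", other)
```

The allowlist is the point: a blocklist of known bad tags misses whatever manufacturer block you have never heard of, while default deny flags it as residue.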
A Coordinate Is Not A Conviction
This is the part most people get dangerously wrong, and it is the reason the whole article exists. A GPS tag is a claim, not a fact. It fails or drifts indoors. It can log the last outdoor fix from streets away. It can be fully manufactured by a fake GPS app in about four taps. A plausible coordinate is not a confirmed one, and treating one as gospel is how investigations end up confidently, publicly wrong.
Look at how the real cases actually closed. When John McAfee was a fugitive in 2012, Vice ran a photo of him taken on an iPhone and forgot to scrub it, the EXIF GPS placed him at a specific spot in Guatemala, and he was located within roughly forty-eight hours. That same year the alleged Anonymous hacker Higinio "w0rmer" Ochoa posted a defacement image of his girlfriend, also shot on an iPhone, whose embedded GPS pointed at her home in a Melbourne suburb and walked the FBI to his door. The metadata gave the lead. It did not give the conviction. In both cases investigators corroborated the coordinate against the wider record, the Facebook trail, the known associates, the physical reality, before anyone moved. That corroboration is not a formality you skip when you are in a hurry. It is the difference between an arrest and a libel suit.
We have said it on Secjuice before and it is the spine of everything we do. OSINT is not evidence until you have corroborated it into evidence. A field in a file is a hypothesis to test against the pixels and the world, and if the only thing tying your target to a place is a string of digits a child could forge, you do not have a location. You have a guess wearing a uniform.
Know The Line You Are Standing On
One last thing an infosec audience should not need telling, and yet. Pulling metadata out of a publicly posted image is generally fair game. Acting on a home address you derived from it, turning up, making contact, publishing it, is the precise point where research becomes harassment, stalking or doxxing, and the law varies by jurisdiction and increasingly has teeth. Geolocating a person's residence is exactly how the McAfee and Ochoa stories ended in arrests, and the same power that catches a fugitive stalks a stranger. The tool does not know which one you are. You do.
So strip the magic out of it. Metadata is not an oracle, it is a witness with no memory and no obligation to tell the truth, and in 2026 it stays silent more often than it speaks. You pull everything with the real tool, you read the thumbnail your target forgot about, you test the clock against the shadows, you check the new signed layer and you remember the same platforms that strip it strip everything, and when a coordinate drops a pin on a map you treat it as the first question of the investigation and never the last word. The people who get this right are not the ones who trust the tag. They are the ones who go and prove it wrong before they believe it.
Now go and read what nobody meant to leave you.