How to read EXIF data like a pro

If you want to learn how to read EXIF data the way professionals do, the gap between a casual viewer and a forensic examiner is mostly habit. Both use the same handful of tools. One person looks at the GPS coordinates and moves on. The other looks at the GPS coordinates, then checks whether they agree with the timestamp's likely sunlight, whether the thumbnail matches the full image, and whether the maker note format is consistent with the claimed camera model.

This article walks through the toolkit and the workflow. By the end, you will know what to look at, what tools to point at it, and what kinds of inconsistencies are worth flagging.

The Standard Toolkit

Reading EXIF data well does not require expensive software. Professionals tend to rely on three or four tools, used in combination.

ExifTool

Phil Harvey's ExifTool is the universal reference. It is a free command-line program that reads and writes nearly every metadata format that has ever shipped on a photograph: EXIF, IPTC, XMP, GPS, ICC profiles, maker notes from dozens of camera manufacturers, and proprietary tags from RAW formats. Most forensic image analysis ultimately involves ExifTool at some step.

Basic usage:

• exiftool photo.jpg dumps every readable tag.
• exiftool -gps:all photo.jpg prints only the GPS group.
• exiftool -a -u -g1 photo.jpg shows all tags including duplicates and unknowns, grouped by IFD location.
• exiftool -s -G photo.jpg uses short tag names with group prefixes — useful for diffing two files.

The -g1 flag is the one to learn first. It groups output by which structure inside the file each tag came from: IFD0, ExifIFD, GPS, MakerNotes, InteropIFD, XMP, IPTC. Two files with identical content but different group structures often indicate one has been re-saved by an editor.

jhead

jhead is a smaller, faster tool focused on JPEG files. It is less complete than ExifTool but easier to read for quick checks. It is the right tool when you have a directory of images and want a one-line summary per file.

Operating System Inspectors

On macOS, Preview's Inspector (Tools → Show Inspector) and the Finder's Get Info show a useful subset of EXIF data, including a map view for GPS-tagged photos. On Windows, the Properties → Details tab provides similar coverage. On Linux, gthumb and exiv2 are the common GUI and CLI options. These are fine for quick checks but never sufficient for serious analysis, because they hide maker notes and any unknown tags.

Browser Extensions and Online Viewers

Several browser extensions claim to read EXIF from images on web pages. They work, but their value drops to near zero because most large platforms now strip EXIF on upload. Online viewers are convenient but carry an obvious risk: you are uploading the photo to a stranger's server. Never use online viewers for anything you would not be comfortable handing to that stranger directly.

The Anatomy of a JPEG You Should Know

A JPEG is not one block of metadata followed by pixels. It is a sequence of marker segments, several of which can contain metadata. The ones to know:

APP0 (JFIF). Basic display information. Almost always present, rarely interesting.

APP1 (EXIF and XMP). This is the main event. EXIF lives in APP1 as a TIFF structure with several Image File Directories (IFDs). The first IFD, IFD0, holds the most general tags. ExifIFD nests inside it and holds camera-specific fields. GPSIFD holds location. XMP often lives in a separate APP1 segment using the Adobe namespace.

APP2 (ICC color profiles). Useful for verifying that the claimed device's color management is consistent.

APP13 (IPTC and Photoshop). IPTC has been the news industry's metadata standard since the 1990s. It carries copyright, byline, caption, and keywords. Photoshop also writes its own resource block here.

The fact that metadata can live in three or four different segments matters because each is set by different software. A photograph from a phone camera will have EXIF set by the OS and probably nothing else. A photograph from a photo agency will have EXIF set by the camera, IPTC set by the editor, and XMP set by Photoshop or Lightroom. Inconsistencies between these segments are often the most informative signal.

What to Look At First

A professional review tends to follow a checklist. Yours might look like this:

1. Make, Model, Software. Are these consistent with each other? An iPhone 15 Pro should report Apple as Make, a specific model number, and an iOS version. A photo claiming to be from an iPhone but listing "Adobe Photoshop" as Software has been edited.
2. DateTimeOriginal vs. DateTimeDigitized vs. ModifyDate. These three timestamps tell different stories. Original is when the shutter fired. Digitized is when the image was first saved. Modify is when the file was last written. A normal phone photo has all three identical. A scanned photograph has Digitized later than Original. An edited photograph has Modify after both.
3. GPS. If present, plot the coordinates. Check the GPS timestamp against the EXIF timestamp. They should match within a few seconds.
4. Embedded thumbnail. Older cameras and some software wrote an uncropped thumbnail even after the main image was cropped. Extract the thumbnail with exiftool -b -ThumbnailImage and compare it visually with the main image.
5. Maker notes. These are proprietary blobs each camera maker writes. They include unique camera identifiers, exposure histograms, focus modes, and dozens of other fields. ExifTool decodes most of them.

Reading GPS Coordinates

EXIF stores GPS in a slightly awkward format: degrees, minutes, and seconds, with a separate latitude reference (N or S) and longitude reference (E or W). Most tools convert this for you. ExifTool can print decimal degrees with the -c flag: exiftool -c "%+.6f" -gpslatitude -gpslongitude photo.jpg.

One subtle point: GPS coordinates have meaningful precision. A coordinate written to six decimal places resolves to about 11 centimeters. A coordinate written to two decimal places resolves to about a kilometer. If you see a photograph claiming GPS data with suspiciously few decimal places, the metadata may have been rewritten.

Identifying Forged or Altered Metadata

Anyone with ExifTool can write arbitrary values to most fields. The way you tell genuine metadata from forged metadata is by looking for internal consistency. Some signals:

• Missing maker notes. Every brand-name camera writes maker notes. A photo claiming to come from a Canon EOS R5 that contains no Canon maker notes was probably re-saved through software that stripped them.
• Generic software tags. "Adobe Photoshop CC" or "GIMP" in the Software field means the file has been through an editor.
• Thumbnail mismatch. If the embedded thumbnail differs from the main image in ways beyond resolution, the image has been edited and the thumbnail was not regenerated.
• Round-number GPS. Real GPS coordinates from a phone are noisy out to six or more decimal places. Coordinates that end in .000000 on both latitude and longitude almost certainly came from a human typing them in.
• Timestamps without a time zone. Phones write OffsetTime tags that record the time zone offset. A photo claiming a 2024 timestamp without an offset is older or has been processed.

Putting It Into Practice

The single most useful drill is to run exiftool -a -u -g1 on three files: a photo straight off your camera roll, a screenshot, and a photo you downloaded from Instagram. Compare the output. The camera roll image will have hundreds of tags across IFD0, ExifIFD, GPS, and MakerNotes. The screenshot will have a dozen tags and no GPS. The Instagram download will have a strange mix: some original tags preserved, GPS stripped, and new tags written by Instagram's pipeline.

Once you have done this exercise a few times, the patterns start to feel obvious. You will know at a glance whether a photo came straight from a phone, passed through a desktop editor, or was processed by a social platform. That intuition is what separates pros from casual viewers, and it is what makes EXIF analysis genuinely useful in journalism, research, and digital forensics.