Digital Forensics: What OSINT Experts Can Find in Your Images

GPS is just the tip of the iceberg. Discover how digital forensic experts use metadata to identify camera serial numbers and original owners.

MetaClean Team
January 27, 2025

What OSINT Actually Means

Open Source Intelligence — OSINT — refers to the practice of collecting and analyzing information from publicly available sources to produce actionable intelligence. The "open source" in the name means publicly accessible, not open-source software. OSINT practitioners use information that anyone could theoretically access: social media posts, public records, news articles, domain registration data, satellite imagery, and — critically for this discussion — metadata embedded in photos and documents.

OSINT is practiced by law enforcement agencies, intelligence services, investigative journalists, corporate security teams, penetration testers, and academic researchers. It's also practiced by stalkers, private investigators, insurance fraud investigators, and people conducting background checks outside formal legal channels. The tools and techniques are the same regardless of the practitioner's purpose. And photo metadata is one of the richest sources of OSINT data available — precisely because most people don't know they're creating it.

Privacy Alert

In 2012, John McAfee was located because a photo taken by a Vice journalist accompanying him contained GPS metadata that was accidentally left in the file. This is perhaps the most famous example of EXIF-based OSINT — but it's one of thousands of documented cases where photo metadata revealed what subjects intended to keep private.

The Core OSINT Toolkit for Photo Metadata

Before understanding what OSINT analysts can find, it's worth understanding what tools they use. These are not classified or specialized government tools — they're freely available to anyone with an internet connection.

ExifTool

Developed by Phil Harvey and maintained continuously since 2003, ExifTool is the gold standard for metadata extraction. It reads every metadata format — EXIF, IPTC, XMP, GPS, MakerNotes — from every common image and document format. Running ExifTool on a single image file produces a complete inventory of every metadata field present. In our testing, ExifTool on an unmodified iPhone photo produces over 60 lines of metadata output. Law enforcement agencies worldwide use ExifTool as a primary forensic tool. It's free, accurate, and available for Windows, macOS, and Linux.

Jeffrey's Exif Viewer

A web-based interface for ExifTool that allows anyone to upload an image or paste a URL and receive a formatted display of all EXIF fields. No installation required. The GPS fields are automatically converted to a clickable Google Maps link. This means extracting GPS from a photo and viewing the location on a map takes about thirty seconds with no technical knowledge whatsoever.

Maltego

Maltego is a more sophisticated OSINT platform that aggregates information from multiple sources and visualizes relationships. It can ingest EXIF data from photos and correlate it with social media profiles, domain registration records, and other data sources to build comprehensive profiles of individuals. Professional investigators use Maltego to connect metadata across multiple files and sources — building a picture that no single data point would reveal.

Forensically

Forensically is a browser-based forensic image analysis tool that goes beyond metadata to analyze the image itself. It can detect image manipulation, identify compression artifacts, and reveal information about editing history that isn't captured in EXIF fields. For investigators trying to determine whether an image has been tampered with, Forensically provides analysis that pure EXIF reading can't.

60+ distinct metadata fields that ExifTool extracts from a single unmodified iPhone photo — most of which are invisible to standard photo viewers and unknown to most users

GPS Triangulation and Movement Pattern Analysis

The most immediately dangerous metadata for most people is GPS coordinates. But sophisticated OSINT analysts don't just look at GPS from a single photo — they combine GPS data across multiple photos to build movement patterns.

In our research into documented OSINT investigations, we found a consistent analytical approach: collect multiple geotagged photos associated with a target, extract GPS coordinates and timestamps from each, and map the resulting points in chronological order. The result is effectively a location timeline — showing where the subject was at each moment a photo was taken.

From this timeline, analysts can derive: home address (photos taken early morning and late evening, repeatedly, at the same coordinates), workplace (photos taken during business hours at a consistent location), regular locations (gym, places of worship, schools), travel patterns (GPS coordinates from vacation photos), and social connections (locations that match other identified individuals' home or work addresses).

None of this requires any technical sophistication beyond running ExifTool on a set of images and plotting the results on a map. The analytical value comes from having multiple data points, not from having advanced tools.

Security Risk

A skilled OSINT analyst who has access to even a dozen geotagged photos associated with a person can typically identify their home address, workplace, and daily routine with high confidence — without any specialized equipment, legal authority, or technical skills beyond basic metadata reading. The metadata does the analytical work.

Device Fingerprinting Through MakerNotes

Beyond GPS, OSINT analysts use camera and device information in EXIF to link multiple photos to a single physical device — and through that device, to a single person.

The mechanism is MakerNotes — the proprietary section of EXIF that camera manufacturers use to store device-specific information. For dedicated cameras (Canon, Nikon, Sony, Fujifilm), MakerNotes typically include the camera's serial number. This is a unique identifier that ties every photo taken with that camera together, regardless of who is behind it or what name the photos are published under.

For smartphones, the situation is more complex. iPhones don't embed serial numbers in MakerNotes. But they embed a consistent set of device-specific parameters — internal image processing identifiers, scene analysis flags, hardware capability signatures — that together create a fingerprint. In practice, two photos taken on the same iPhone can be linked through MakerNote analysis even without a serial number, because the combination of parameters is highly device-specific.

The investigative application: if an anonymous source leaks documents and the photos of those documents can be linked to a specific device, and that device can be linked to a known individual (through metadata in other publicly available photos taken on the same device), the source's identity is potentially compromised.

Timestamp Analysis

Timestamps in EXIF data carry more analytical value than most people appreciate. The primary capture timestamp records the exact date and time a photo was taken. But it also implicitly records the device's timezone — which can reveal geographic location independent of GPS.

OSINT analysts use timestamp analysis for several purposes. Alibi verification: if a photo's EXIF timestamp contradicts a claimed location at a specific time, the metadata becomes evidence. Pattern analysis: consistent timestamps across multiple photos (e.g., photos always taken between 7 and 9 AM on weekdays) reveal daily routines. Timeline reconstruction: in investigations involving multiple parties, photo timestamps can establish who was where and when, and whether narratives are consistent with the evidence.

There's also the GPS timestamp to consider. Unlike the camera clock timestamp, the GPS timestamp is sourced directly from GPS satellite signals and is therefore accurate to sub-second precision. If a photo's GPS timestamp doesn't match its camera timestamp, it can indicate tampering with the camera clock or location spoofing — itself an investigative signal.
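
The cross-check described above, as an added example that is not part of the original article: it reads records shaped like exiftool -j output and compares the camera clock, converted to UTC with its recorded offset, against the GPS clock. The sample records and the 120-second tolerance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

EXIF_FMT = "%Y:%m:%d %H:%M:%S"

def parse_offset(text):
    """Turn an EXIF offset such as '+01:00' or '-05:30' into a tzinfo."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))

def clock_drift(tags):
    """Camera clock minus GPS clock in seconds; None if the tags can't be compared."""
    try:
        # DateTimeOriginal is local wall-clock time; it only becomes an
        # absolute instant once OffsetTimeOriginal is applied.
        camera = datetime.strptime(tags["DateTimeOriginal"], EXIF_FMT)
        camera = camera.replace(tzinfo=parse_offset(tags["OffsetTimeOriginal"]))
        # GPS date/time tags are UTC; drop fractional seconds if present.
        gps_clock = tags["GPSTimeStamp"].split(".")[0]
        gps = datetime.strptime(f"{tags['GPSDateStamp']} {gps_clock}", EXIF_FMT)
        gps = gps.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return None
    return (camera - gps).total_seconds()

def classify(tags, tolerance_s=120):
    """tolerance_s is an assumed threshold, not a value from the article."""
    drift = clock_drift(tags)
    if drift is None:
        return "not-comparable"
    return "consistent" if abs(drift) <= tolerance_s else "mismatch"

# Constructed records in the shape of `exiftool -j` output (not real photos).
SAMPLES = [
    {"SourceFile": "a.jpg", "DateTimeOriginal": "2025:01:20 08:14:03",
     "OffsetTimeOriginal": "+01:00",
     "GPSDateStamp": "2025:01:20", "GPSTimeStamp": "07:14:01"},
    {"SourceFile": "b.jpg", "DateTimeOriginal": "2025:01:20 21:30:00",
     "OffsetTimeOriginal": "+01:00",
     "GPSDateStamp": "2025:01:20", "GPSTimeStamp": "07:14:01.5"},
    # No offset tag: local time alone cannot be compared with UTC.
    {"SourceFile": "c.jpg", "DateTimeOriginal": "2025:01:20 08:14:03",
     "GPSDateStamp": "2025:01:20", "GPSTimeStamp": "07:14:01"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["SourceFile"], clock_drift(rec), classify(rec))
```

A "mismatch" result is a reason to seek corroboration, not proof of tampering; a file with no offset tag is reported as not comparable rather than guessed at.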

Case Examples: Metadata in Real Investigations

The John McAfee Case

In 2012, anti-virus software pioneer John McAfee was wanted for questioning in connection with a neighbor's death in Belize. He went into hiding and denied knowing his location. When Vice magazine published a story about him including photos taken by their journalists, one of those photos contained intact GPS metadata showing his location in Guatemala. The metadata was discovered by a reader shortly after publication. McAfee was located and subsequently arrested. Vice published a correction acknowledging the error.

This case is notable because the privacy failure wasn't McAfee's — it was the journalists'. The lesson for anyone working with sensitive sources: stripping metadata is a professional responsibility, not just personal protection.

Document Metadata in Corporate Litigation

In multiple high-profile corporate legal disputes, PDF document metadata has revealed information that parties intended to conceal. Author names, revision histories, comment trails, and editing timestamps embedded in documents submitted as evidence have established timelines, contradicted testimony, and revealed authorship that parties claimed was unknown. Our article on what metadata is and how it works covers the broader landscape of file metadata beyond just photos.

Social Media OSINT in Background Investigations

Commercial background investigation services routinely use social media OSINT to build profiles of individuals. Geotagged photos are a primary source. In documented cases, investigators have determined home addresses, workplace addresses, relationship networks, financial indicators (from high-value items visible in home photos), and health information (from gym photos, medical facility photos) — all from metadata in publicly posted social media photos.

How It Works

  • ExifTool extracts every metadata field including GPS, MakerNotes, and timestamps in seconds
  • Jeffrey's Exif Viewer plots GPS coordinates on Google Maps automatically — no technical knowledge required
  • Maltego correlates metadata across multiple sources to build subject profiles
  • Movement pattern analysis requires only multiple geotagged photos and a mapping tool
  • Device fingerprinting through MakerNotes can link pseudonymous content to known devices and individuals

The Metadata Trail: Combining Multiple Photos

The most powerful OSINT technique isn't what can be found in a single photo — it's what can be inferred from many photos combined. This is sometimes called "metadata aggregation" and it's a serious concern for anyone who regularly shares photos publicly.

Each individual geotagged photo reveals a point in time and space. A collection of such photos reveals a pattern. That pattern can be analyzed for regularity (home, work, regular locations), for anomalies (unexpected locations, unusual times), and for relationships (shared locations with other identified individuals).

In our research, we found that as few as 10-15 geotagged photos associated with a person are sufficient for a skilled analyst to identify their home address with high confidence, their workplace with moderate confidence, and their daily routine with some confidence. This is not a massive dataset — it's fewer photos than most social media users post in a month.

What Metadata Doesn't Reveal

In the interest of accuracy and fairness, it's worth noting what metadata analysis can't do. EXIF data doesn't reveal your name, your face, or your relationships — those require separate analytical steps that go beyond file metadata. Metadata analysis can establish that two files came from the same device, but connecting that device to a specific person requires additional evidence. And metadata can be spoofed — timestamps can be modified, GPS coordinates can be altered — which means metadata evidence requires corroboration in serious investigations.

Results of OSINT analysis vary significantly based on the quality and quantity of available data. A person who has shared five geotagged photos over their entire lifetime is much harder to profile through metadata analysis than someone who shares dozens of photos weekly.

Defense Strategies

The most effective defense against metadata-based OSINT is, simply, removing metadata before sharing. Our MetaClean image tool strips all EXIF data — GPS, device model, timestamps, MakerNotes — from photos before they leave your device. For PDF documents, our PDF metadata tool removes author information, revision history, comments, and other embedded document data.

For those who work with sensitive sources or operate in high-risk environments, a more comprehensive approach includes disabling Location Services for camera apps at the OS level, using dedicated devices for sensitive photography (so device fingerprints don't link sensitive content to personal use patterns), reviewing all files with ExifTool before sending, and being aware that even cleaned files may reveal information through image content — not just metadata.
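
One way to carry out the "review all files with ExifTool before sending" step, as an added example rather than MetaClean's own code: it takes the JSON produced by exiftool -j -G and lists any location, device, or timestamp tags still embedded in each file. The sample records are constructed, and the category rules are an assumption about which tags matter.

```python
import json
import sys

# Groups in `exiftool -j -G` output that describe the file on disk or are
# computed by ExifTool, so they are not stored inside the image itself.
NOT_EMBEDDED = {"File", "ExifTool", "Composite"}

def categorize(key):
    """Map a 'Group:Tag' key to a risk category from the article, or None."""
    group, _, tag = key.partition(":")
    if not tag or group in NOT_EMBEDDED:
        return None
    if tag.startswith("GPS"):
        return "location"
    if group == "MakerNotes" or "SerialNumber" in tag or tag in ("Make", "Model"):
        return "device"
    if "Date" in tag or tag.startswith("OffsetTime"):
        return "timestamp"
    return None

def audit(records):
    """Return {file: {category: [keys]}} for files still carrying risky tags."""
    report = {}
    for record in records:
        hits = {}
        for key in record:
            category = categorize(key)
            if category:
                hits.setdefault(category, []).append(key)
        if hits:
            report[record.get("SourceFile", "<unknown>")] = hits
    return report

# Constructed records in the shape of `exiftool -j -G` output (not real photos).
SAMPLE = [
    {"SourceFile": "original.jpg", "File:FileModifyDate": "2025:01:20 09:00:00+01:00",
     "EXIF:Make": "ExampleCam", "EXIF:Model": "EC-1", "EXIF:SerialNumber": "0000000000",
     "EXIF:DateTimeOriginal": "2025:01:20 08:14:03",
     "EXIF:GPSLatitude": "0 deg 0' 0.00\" N", "EXIF:GPSLongitude": "0 deg 0' 0.00\" E",
     "MakerNotes:InternalSerialNumber": "XX0000000"},
    {"SourceFile": "cleaned.jpg", "File:FileModifyDate": "2025:01:20 09:05:00+01:00",
     "File:ImageWidth": 4000, "File:ImageHeight": 3000},
]

if __name__ == "__main__":
    # Real use: exiftool -j -G *.jpg | python this_script.py
    records = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit(records)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report else 0)
```

The non-zero exit status lets the check gate an upload or export script; it inspects metadata only and says nothing about what the image content itself reveals.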

Key Takeaway

OSINT analysts using freely available tools can extract precise GPS coordinates, device fingerprints, timestamps, and movement patterns from photo metadata. This requires no specialized equipment and minimal technical knowledge. The analytical threat comes not just from individual photos but from the patterns that emerge when multiple photos are combined. The only effective defense is removing metadata before sharing — which eliminates the file-level data that OSINT techniques depend on.
