EXIF forensics tool

A photo can carry its own little receipt. If location services were on when a phone saved a JPEG image file, the file may include Exchangeable Image File Format data with latitude, longitude, date, time, camera model, and exposure settings tucked inside it. (exiftool.org) That hidden record is called Exchangeable Image File Format, usually shortened to EXIF. The standard has been around since the 1990s, and it was built so cameras could store technical details alongside the picture instead of in a separate logbook. (loc.gov) The catch is that EXIF is uneven. Some apps strip it out when you upload or edit an image, some phones never saved GPS coordinates in the first place, and metadata can be changed later, so investigators treat it as a lead rather than a final verdict. (exiftool.org) (whereisthisplace.net) That is why image investigations usually start with extraction, not interpretation. A tool reads the tags first, then an analyst checks whether the time stamps, device details, and coordinates line up with everything else visible in the image. (osint.link) Refloow Geo Forensics is built for that first pass. Its GitHub repository describes it as an open-source desktop tool that extracts EXIF data from batches of JPEG images, maps any GPS points it finds, and rebuilds a chronological timeline from the embedded dates. (github.com) The “batch” part is the useful bit. Reading one image in a command line tool is easy, but an incident folder can hold dozens or hundreds of files, and plotting them together can show whether they came from one street corner, one route, or several unrelated places. (github.com) (exiftool.org) The map view turns raw coordinates into something you can scan in seconds. A pair of numbers like 40.7128 and -74.0060 means little in a spreadsheet, but as pins on a map they can reveal clusters, outliers, and jumps that deserve a second look. (refloow.com) (opencagedata.com) The timeline view does the same thing for time. If ten images claim they were taken within 14 minutes on March 3 but the locations jump across a city, that mismatch can signal a bad device clock, edited metadata, or files pulled from different events. (github.com) (osint.link) Refloow’s repository says the app runs locally as a desktop program rather than sending images to a remote server. That matters when the pictures involve private homes, protest scenes, or case evidence that an investigator does not want uploaded just to read metadata. (github.com) (darkwebinformer.com) This does not replace old-fashioned verification. Groups that do open-source intelligence still combine metadata with shadows, landmarks, road signs, weather, and satellite imagery, because a convincing file can still carry false tags and a stripped file can still be genuine. (stateofsurveillance.org) (osint.link) So the real value is speed and triage. A lightweight EXIF tool can tell you which JPEG images have coordinates, which ones share the same device trail, and which timestamps fit together before you spend hours on the harder work of proving what happened. (github.com) (refloow.com)