Skip to main content

Metadata Analysis: Learn How to Verify the Consistency of Image Sequences

Marco Fontani

July 14, 2020

Reading time: 5 min

Hello dear friends, welcome to this week’s tip! Today we’re dedicating some room to metadata analysis with Amped Authenticate. In particular, we’ll deal with two cases where metadata were altered to change the acquisition date. But the forger was not clever enough, and we’ll catch him! Curious? Keep reading!

Contents hide
Using Metadata Analysis to Evaluate Image Order
Shutter Count
Advanced Metadata Analysis with Apple’s RunTimeValue
Final Note

We dedicated several posts on our blog to metadata analysis. In the blog and in our training, we always emphasize two facts:

  1. metadata are a great resource, as they add lots of information to what’s simply shown in pixels;
  2. at the same time, they should not be blindly trusted because they can easily be altered, sometimes right from Windows’ “File Property” panel!

screenshot of details tab within image properties showing camera model and "Iphone 6 Plus" writing highlighted and a message "This is editable!"

However, the fact that metadata can be altered doesn’t imply that villains are safe. Making a fully consistent manipulation of metadata is less trivial than it seems, especially if the analyst is equipped with Amped Authenticate!

We’ve shown in our blog posts that you can use the sun position and the weather to cross-check dates. You can also compare GPS and device-clock time info to spot inconsistencies. We’ve also seen that you can effectively use Amped Authenticate’s JPEG Quantization Tables database to cross-check Make and Model metadata.

But today, we’re feeling geeky! Let’s take a look at two more ways to cross-check the sequential order of images.

Using Metadata Analysis to Evaluate Image Order

Shutter Count

Let’s use a sample case. A suspect provides these two pictures to prove that yes, he had been both in Tomar (Portugal) and Sevilla (Spain) in late July 2014. But, contrary to what the prosecutor says, he was first in Sevilla and then in Tomar. The suspect claims this is proved by the pictures’ names and metadata, both suggesting that the Sevilla image is precedent to the Tomar image. Below we show the pictures and the relevant metadata (click on pictures to enlarge them).

screenshot of Amped Authenticate interface showing two images side-by-side: on the left an image of the city of Sevilla marked as Evidence Image; on the right and image of Tomar marked as Reference Image.

Screenshot of Amped Authenticate software displaying a metadata comparison between two JPEG images captured with a Nikon D50 camera. The EXIF data includes fields like modify date, exposure time, FNumber, and software version. Highlighted differences between the evidence and reference image metadata are shown in a zoomed-in view, indicating discrepancies in date, exposure settings, and camera software. Ideal for forensic image authentication and digital tampering analysis.

Well, pictures are indeed taken from the same camera model (using PRNU Identification, we could also check that it was the very same exemplar). Moreover, filenames and metadata actually suggest that the Sevilla picture (on the left) was taken two days before the Tomar picture.

But scrolling down the list of metadata, we notice something strange.

Screenshot from Amped Authenticate software showing EXIF metadata comparison between two Nikon JPEG images. The highlighted “ShutterCount” field indicates a discrepancy—15464 for the evidence image and 14964 for the reference image—suggesting differing usage levels. Additional metadata like lens type, exposure settings, and image optimization values are also compared, helping verify image authenticity and potential tampering in digital forensic investigations.

Let’s perform a deeper metadata analysis to uncover inconsistencies between the two image files.

Ha! What’s that? The ShutterCount metadata is used by many digital cameras to store the number of shots taken, much like the odometer in your car. Every time you take a shot, the counter increases by one. It’s in the [MakerNote] category, which means it’s not something “universally standard,” it’s instead a manufacturer’s choice. Unfortunately for our suspect, the Nikon D50 camera uses it. And it’s telling us that the picture on the left was taken AFTER the picture on the right. Not only: 15464 – 14964 = 500. So that camera has taken other 499 images between these two. We may kindly suggest the prosecutor to ask the suspect to provide these pictures.

Advanced Metadata Analysis with Apple’s RunTimeValue

“Okay”, you may think, “but the forger was not very smart in the example above”! He could have looked and realized that there was this ShutterCount metadata, the name is actually self-explicatory. Well, true… but, you know, people get arrested based on fingerprints, when everyone knows that gloves would be enough to rule them out! It’s just hard to keep everything into account, even the things you know.

Now let’s look at another case. We have a witness who claims to have reached a square with her bicycle right before two people met. She saw the full meeting happen. The witness provides the two pictures below, saying that she captured first the one on the left, upon arrival, and then the one on the right, a few minutes later, when the meeting began.

Screenshot from Amped Authenticate software showing forensic comparison between two JPEG images taken by an Apple iPhone 6 and iPhone 6 Plus. The left image highlights a witness's bicycle, while the right image points to two individuals meeting. Both images have identical resolution (3264x2448) and 95% JPEG quality. Used in digital forensics to verify visual evidence consistency in surveillance or crime scene analysis.

As in the previous case, the filename and datetime metadata are indicated as proof of truth. Upon inspection, datetime metadata actually seem to suggest that the bicycle picture is antecedent to the meeting picture by a couple of minutes.

Screenshot from Amped Authenticate showing a side-by-side EXIF metadata comparison of two JPEG images taken with Apple iPhone 6 and iPhone 6 Plus. Highlighted fields include modify date, exposure time, ISO, and other photographic settings, with differences noted in timestamps and ISO values.

But you already know we’ll find something strange, don’t you? So we keep scrolling the metadata and… aha! This is where metadata analysis truly shines. Even minor details can contradict stated timelines.

Amped Authenticate screenshot showing metadata comparison of two JPEG images taken with Apple iPhone 6 and iPhone 6 Plus, focusing on MakerNotes fields: RunTimeFlags, RunTimeValue, RunTimeEpoch, and RunTimeScale. The highlighted section emphasizes differences in RunTimeValue between the two images, useful for verifying capture timing and device behavior in forensic image analysis and tampering detection.

One more cool MakerNotes metadata! This RunTimeValue was introduced by Apple devices some time ago: it tells the amount of time that has passed since the last boot of the telephone (standby time is not counted for). You can find some more details here and here. By looking at those huge numbers we already understand that something’s not right: the value of the bicycle image is larger than the other, while we would expect the opposite. Translating that value into seconds requires you to divide the RunTimeValue by the RunTimeScale. However, in the Composite metadata, you will find the translations already done for you by ExifTool and faithfully reported by Amped Authenticate (to answer a quite common question: yes, this is the meaning of Composite metadata, they are information derived from other metadata in the image, just like in this case, and they are not written in the image).

Amped Authenticate interface comparing metadata of two JPEG images taken with Apple iPhone 6 Plus, highlighting the [Composite] RunTimeSincePowerUp tag. The evidence image shows a runtime of "3 days 2:20:49" while the reference image displays "3 days 2:20:32", emphasizing a time difference of 17 seconds since the device was powered on. Useful in digital forensics for verifying photo capture sequence and device activity.

And so, we discovered that the bicycle image had been actually shot (at least) 17 seconds LATER than the meeting picture!

Final Note

This weekʼs takeaway is: never give up! Scroll through all that metadata. Thorough metadata analysis can lead to valuable discoveries or, at the very least, help you learn something new!

 Marco Fontani

Marco Fontani is the Forensics Director at Amped Software, a software company developing image and video forensic solutions for law enforcement agencies worldwide. He earned his MSc in Computer Engineering in 2010 and his Ph.D. in Information Engineering in 2014. His research focused on image watermarking and multimedia forensics. He participated in several research projects funded by the EU and EOARD, and authored/co-authored over 30 journal and conference proceedings papers. He has experience in delivering training to law enforcement and provided expert witness testimony on several forensic cases involving digital images and videos. He is a former member of the IEEE Information Forensics and Security Technical Committee, and he actively contributed to the development of ENFSI’s Best Practice Manual for Image Authentication.

Subscribe to our Blog

Receive an email notification when a new blog post is published and don’t miss out on our latest updates, how-tos, case studies and much more content!