Thursday, 28 July 2016

Metadata can be a blessing and a curse at times, as Apple recently found with the release of their latest operating system El Capitan. The new operating system includes 51 desktop background images, but Apple forgot to scrub the EXIF metadata from one of the image files.

Analysis of the EXIF metadata reveals the following details of how the photograph was taken:


EXIF metadata reveals details of how the photograph was taken
 

The metadata also shows editing notes from Adobe Photoshop 6, including comments such as ‘Please remove some of the noise in the sky’ and ‘Overall, stars can be a touch sharper.’

The ramifications of Apple’s mistake were relatively minor, but at KordaMentha we regularly see examples of the power of metadata that are far less trivial. 

A common example is insurance fraud: someone claims insurance for stolen property and includes a photograph in their claim, but the metadata reveals the photograph was taken after the supposed theft took place!

Further reading:
Our previous post on metadata explains how a trail of metadata evidence can be left behind when a file is moved from one computer to another.

See also:
- PetaPixel's coverage of the story
- An in-depth look at the file's EXIF metadata

About the Author
Wesley is a Senior Business Analyst at KordaMentha Forensic, specialising in computer forensics and eDiscovery. KordaMentha Forensic provides computer forensic services to identify, preserve, analyse and present potential electronic evidence to support litigation, corporate and regulatory investigations involving:

- Intellectual property infringement and theft
- Corporate fraud and financial crime
- Defamation and harassment
- Identity theft
- Misuse or unauthorised access to computing or Internet resources.