Exif Metadata from original senders source

Started by Newbie123, March 13, 2019, 09:33:45 PM

Previous topic - Next topic

Newbie123

Hi Guys,

I would like to know if there is a way to find out the original Exif Metadata information that was send to my phone as a video through WhatsApp, I believe the Metadata has been played with by the sender who is my employee, he has told me a few little tricks he is able to do on his phone in the past and I believe he forgot about telling me this one. It's real important I find this out only due to the fact he is blaming another employee for something who now has his job on the line.

1) Device it was originally taken from
2) If it has been modified?
3) Original date and time taken
4) Geo location

and any other information you think that will help me get to the bottom of this.

FYI This information will not be used as to make my last decision it will just be used to help with other evidence I am collection.

Thanks heaps I'll be waiting to hear from you.

Newbie123

Quote from: Newbie123 on March 13, 2019, 09:33:45 PM
Hi Guys,

I would like to know if there is a way to find out the original Exif Metadata information that was send to my phone as a video through WhatsApp, I believe the Metadata has been played with by the sender who is my employee, he has told me a few little tricks he is able to do on his phone in the past and I believe he forgot about telling me this one. It's real important I find this out only due to the fact he is blaming another employee for something who now has his job on the line.

1) Device it was originally taken from
2) If it has been modified?
3) Original date and time taken
4) Geo location

and any other information you think that will help me get to the bottom of this.

FYI This information will not be used as to make my last decision it will just be used to help with other evidence I am collection.

Thanks heaps I'll be waiting to hear from you
Sorry just to add to this the video was sent from a Android to my iPhone and I'm currently using ExifTool on my Mac OSX

Phil Harvey

Run ExifTool on the video to see what it says with this command:

exiftool -a -G1 FILE

If you don't want to post the results, email them to me: philharvey66 at gmail.com

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

StarGeek

If you run
exiftool -g1 -a -s FILE
on the file, replacing FILE with the full path to the file, exiftool will list all the info that is embedded in the file.  Just look down the list for something that looks like it's the make/model of the camera.

That said, a lot of apps will strip any embedded metadata.  I just did a quick google search and it appears that WhatsApp does strip away the metadata, though I haven't checked it myself.

If the metadata is gone, then it's gone.  It can't be recovered.
* Did you read FAQ #3 and use the command listed there?
* Please use the Code button for exiftool code/output.
 
* Please include your OS, Exiftool version, and type of file you're processing (MP4, JPG, etc).

Newbie123

Yes I have tried that but it is still bringing up the same info as previous, it won't even show the time I actually received it on my iPhone only the time I synced it with my Mac.

Phil Harvey

OK, try this command.  It will list all of the date/time tags available on a Mac.  For an MOV video on MacOS, you should see something like this:

> exiftool -a -G1 -time:all -api requestall=2 ../pics/Apple_iPhoneXS.mov
[ExifTool]      Now                             : 2019:03:14 09:12:35-04:00
[System]        File Modification Date/Time     : 2018:10:29 10:47:56-04:00
[System]        File Access Date/Time           : 2019:03:14 09:11:36-04:00
[System]        File Inode Change Date/Time     : 2018:10:29 10:47:56-04:00
[MacOS]         File Creation Date/Time         : 2018:10:29 10:47:40-04:00
[MacOS]         MD Item Content Creation Date   : 2018:10:29 10:47:40-04:00
[MacOS]         MD Item Content Creation Date Ranking: 2018:10:28 20:00:00-04:00
[MacOS]         MD Item Content Modification Date: 2018:10:29 10:47:56-04:00
[MacOS]         MD Item Date Added              : 2018:10:29 10:48:43-04:00
[MacOS]         MD Item Date Added Ranking      : 2018:10:28 20:00:00-04:00
[MacOS]         MD Item FS Content Change Date  : 2018:10:29 10:47:56-04:00
[MacOS]         MD Item FS Creation Date        : 2018:10:29 10:47:40-04:00
[MacOS]         MD Item Interesting Date Ranking: 2018:10:28 20:00:00-04:00
[QuickTime]     Create Date                     : 2018:10:10 15:20:22
[QuickTime]     Modify Date                     : 2018:10:10 15:20:39
[Track1]        Track Create Date               : 2018:10:10 15:20:22
[Track1]        Track Modify Date               : 2018:10:10 15:20:39
[Track1]        Media Create Date               : 2018:10:10 15:20:22
[Track1]        Media Modify Date               : 2018:10:10 15:20:39
[Track2]        Track Create Date               : 2018:10:10 15:20:22
[Track2]        Track Modify Date               : 2018:10:10 15:20:39
[Track2]        Media Create Date               : 2018:10:10 15:20:22
[Track2]        Media Modify Date               : 2018:10:10 15:20:39
[Track3]        Track Create Date               : 2018:10:10 15:20:22
[Track3]        Track Modify Date               : 2018:10:10 15:20:39
[Track3]        Media Create Date               : 2018:10:10 15:20:22
[Track3]        Media Modify Date               : 2018:10:10 15:20:39
[Track4]        Track Create Date               : 2018:10:10 15:20:22
[Track4]        Track Modify Date               : 2018:10:10 15:20:39
[Track4]        Media Create Date               : 2018:10:10 15:20:22
[Track4]        Media Modify Date               : 2018:10:10 15:20:39
[QuickTime]     Creation Date                   : 2018:10:10 16:20:22+01:00
[XMP-xmp]       Modify Date                     : 2018:10:10 15:20:39Z
[XMP-xmp]       Metadata Date                   : 2018:10:14 19:50:53+01:00
[XMP-xmpMM]     History When                    : 2018:10:14 19:50:53+01:00


This is all the date/time information that ExifTool can provide, so hopefully this gives you what you want.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

Newbie123

Bigs-MacBook-Air:~ bigboss$  exiftool -a -G1 -time:all -filecreatedate /Users/bigboss/Pictures/Photos\ Library.photoslibrary/resources/proxies/derivatives/03/00/316/UNADJUSTEDNONRAW_thumb_316.jpg
[System]        File Modification Date/Time     : 2019:03:11 22:22:30+11:00
[System]        File Access Date/Time           : 2019:03:15 00:15:54+11:00
[System]        File Inode Change Date/Time     : 2019:03:11 22:22:30+11:00
[MacOS]         File Creation Date/Time         : 2019:03:11 22:22:30+11:00
[ICC-header]    Profile Date Time               : 2005:04:01 01:01:01
[MacOS]         File Creation Date/Time         : 2019:03:11 22:22:30+11:00

This is all it gave me, I think WhatsApp must have deleted the metadata but still it won't show me when I received the video

Phil Harvey

You ran ExifTool on a JPG thumbnail image, not on a video file.  A video should have extension MOV or MP4.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).