# Fake fabricate JPEG date created



## andwan0

I am wanting some advice from jpeg photo experts. I know that taking a photograph, the date-taken is stored in the exif embedded in the jpeg. If one wanted to fabricate/fake the date-taken then he would need to copy the file to PC, use an editor to change it. The thing is you cannot change & keep the original file. It has to be saved as a NEW jpeg file because the exif metadata is embedded with the image (hence a 2nd recompression (& larger file size).

Now, that you know about exif metadata and it can be changed, is there any way in court by law on how to tell whether a jpeg file exif metadata has been faked? The file could easily be copied back onto the camera memory.

I guess the only way is to compare the file sizes of similar photo settings to the faked photo file.... to REAL photos taken by the camera (that are still stored in memory).

Anyway other ideas or technical know-how?


----------



## dl4449

Why ??


----------



## leighthal

ditto.....why would this ever be necessary? The only reason that comes to mind is nefarious ones.


----------



## CW Jones

I feel like something illegal is going on..... why would it matter if a court could tell if the metadata was fake? I hardly believe anyone on here will bite and help in illegal activity....


----------



## MikeBcos

You can do whatever you like to the Exif data, the original file creation date is written into the file system, the Exif data is just a more readable addition to that data. You can edit and save as a copy as many times as you like, the creation date of the original file, last edited date (and that includes editing the Exif data) and last access date are embedded wthin the file itself and cannot be altered.


----------



## Josh66

There is a system out there that will hold up in court but I can't remember what it's called or who makes it.
(All I can remember is that it's very expensive.)

If you're trying to fake some exif for a case you're involved in somehow, I wouldn't do it.


----------



## mrodgers

Why is everyone jumping on this as if the OP is doing something illegal?  Perhaps he is asking because he is on the opposite side of the illegal and is trying to figure out if someone else could have done the illegal to him.

Jumping to conclusions before having the story here.....


----------



## beni_hung

Giving the benefit of the doubt is good, but even if he is looking for info to defend himself then the defense lawyer should be able to ask a local professional that could show up and hold up in court. Like a college professor for instance.


----------



## CW Jones

mrodgers said:


> Why is everyone jumping on this as if the OP is doing something illegal?  Perhaps he is asking because he is on the opposite side of the illegal and is trying to figure out if someone else could have done the illegal to him.
> 
> Jumping to conclusions before having the story here.....




first post on a forum is asking how to alter data?? If he comes back and explains WHY the data needs to be altered.... then I will take my conclusion back... until then its sketchy and seems very illegal. 

EDIT:
after re-reading it a few times... he doesn't seem to be asking HOW to do it but more is there a way to tell.... I hope the OP comes back and spreads some more light on the situation....


----------



## andwan0

Thanks, yes, found Exifer for Windows & PhotoME - Exif, IPTC & ICC Metadata Editor & AmoK Exif Sorter 2.52 (Official Website) & ExifTool by Phil Harvey (all recommended by EXIF guru Friedemann Schmidt). Found that the date created in EXIF can be modified solely, leaving the rest of the binary data intact, unaltered.

I am the defendant. The claimant submitted a document with 1 picture... to accuse about a time/date of an event from the picture alone. I was curious whether we can request for the original jpeg file and get professional experts to retrieve the date from the EXIF. Then I find out that the EXIF date can easily be modified. I just wanted to experiement and try to find anyway to know if the EXIF has been modified. From my experiement, there's no way knowing.....


----------



## Garbz

Not knowing where you are or what you are doing, but I can tell you a JPEG will not hold up in a court here in Australia, unless it was like a photo of a person standing next to a clock or something. EXIF data and even timestamps are easily modified.

There are systems in place to take photos of documents with proof including features on Nikon D200s and up which fingerprint the original RAW file so it can be seen if it has been altered in any way since it was taken with the camera.


----------



## Philarp

Hi Everyone!


I'm bringing this thread back to life as the issue of modifying EXIF data is becoming an common problem in my job. I work in insurance fraud investigations... we come accross claims where a person has suffered a genuine burglary, however when we compare the list of items they tell us have been stolen and compare it with what they advised police there is a lot more on there. So we ask for images of the stolen items. Quite often they provide images and we can quite easily tell they have taken said images AFTER the loss occured.

More and more people now realise it is quite simple to download something like "EXIF Date Changer" - this is obviously an issue for us. The post I quoted mentioned there are now systems in place that allow you to determeing if data has been altered in any way. Does anyone know what systems these are? I've spent half my morning trying to find something but have no idea.

Thanks in advance if anyone replies 






Garbz said:


> Not knowing where you are or what you are doing, but I can tell you a JPEG will not hold up in a court here in Australia, unless it was like a photo of a person standing next to a clock or something. EXIF data and even timestamps are easily modified.
> 
> There are systems in place to take photos of documents with proof including features on Nikon D200s and up which fingerprint the original RAW file so it can be seen if it has been altered in any way since it was taken with the camera.


----------



## 480sparky

O|||||||O said:


> There is a system out there that will hold up in court but I can't remember what it's called or who makes it.
> (All I can remember is that it's very expensive.)
> 
> If you're trying to fake some exif for a case you're involved in somehow, I wouldn't do it.




Nikon used to offer Image Authentication Software, but it worked only for certain Nikon cameras.  Since it got hacked a few years back, they've pulled it off the market.

But for a while, it was admissible in US courts.


----------



## snowbear

Here, in The States, a number of police departments have implemented their own computer forensic units.  Some of these may also be knowledgeable about image files.  Perhaps contacting a few of the larger departments might give you some insight.


----------



## Philarp

I can utilise the services of a forensic consultant who specialises in this field, however it's something like AU$880 for a comment. Unless I'm pretty sure that I'm looking at a fake, I dont really want to spend the $880. Suppose I'll just have to hope people are standing next to big old grandfather clocks when they take the images


----------



## unpopular

*DISCLAIMER: I am not an attorney, the following statements are not legal advice and should not be applied to any specific case without consultation with an attorney; are intended only for conjecture and are not provided for informational or educational purposes.
*
If in the US and other Common Law legal systems, and if I understand procedure right, the defendant only needs to prove that the date _can_ be manipulated not that it _had_ _been_ manipulated.

But stuff dealing with evidence and dismissal gets super confusing.


----------



## Garbz

Interesting case. I'm surprised you can consider paying out given the differences in lists. My insurance company won't pay out for anything not reported to the police. 

Also interesting you dig up this old thread, since when I last wrote Nikon's image authentication and Canon's equivalent both were still cryptographically secure. Currently I don't believe there's any system that allows you to say with 100% certainty that a digital image is authentic.


----------



## unpopular

arrrrgg! 2009?!

damn newbies and their shovels!


----------



## KmH

At least it wasn't SPAM.


----------



## unpopular

OP is prob in jail for evidence tampering.


----------



## 480sparky

KmH said:


> At least it wasn't SPAM.



Wait for it........ I'm the the floodgates have opened upstream.


----------



## bratkinson

As a former mainframe computer consultant and one with 30 years fooling around with PCs and internal programming therein, I can state unequivocally that there is no BIT of information on the computer I cannot change from a zero to a one or vice versa...all without leaving any evidence of having been changed.  The only exception is ROM (Read Only Memory) data in a chip, to which, I could probably create a replacement ROM and no one would be the wiser.


----------



## panblue

bratkinson said:


> As a former mainframe computer consultant and one with 30 years fooling around with PCs and internal programming therein, I can state unequivocally that there is no BIT of information on the computer I cannot change from a zero to a one or vice versa...all without leaving any evidence of having been changed.



OK, Q: How do you hide the fact that you scrubbed a hard-drive with a scrubber then deleted the scrubber app?
You need a scrubber to scrub the fact you used a scrubber, then scrubbed it


----------



## unpopular

typically you deep erase on a separate bootable partition.... srub the drive, burn the boot disk you used to scrub the drive with.


----------



## panblue

unpopular said:


> typically you deep erase on a separate bootable partition.... srub the drive, burn the boot disk you used to scrub the drive with.



Say you are running Windows..you delete your Event logs then use Eraser, System Ninja, CCcleaner etc. Then you uninstall those apps. How would you erase the fact you had used those apps?  This is something I pondered in the past and bratkinson's post piqued my interest. It seems 'chicken and egg' ..even a harddrive reformat (of all partitions) wouldn't actually _clean_ the 'deleted' erasing apps from the drive, no?

_typically you deep erase on a separate bootable partition  _I find this hard to understand as erasing is specific to the drive requiring cleaning. Say you wish to scrub C: and D: is the recovery partition which does not contain user data; only OS.


----------



## 2WheelPhoto

Who would anyone lie about a date on a pic!?

"honey, that pic of the blonde in my lap with her high heels in the air facing me while driving was BEFORE you and i were in a relationship"

"well then, why has the dome light only been broken since _*wednesday!*_?"


----------



## Philarp

unpopular said:


> arrrrgg! 2009?!
> 
> damn newbies and their shovels!





Sorry! I filled the post with smiley faces and crap in the hope of appeasing all your forum regulars. I will now discard my shovel and cease digging up long burried threads! 

Got a wealth of information I can use so thanks all. Especially that last post re blondes with legs in the air. I'd never thought of altering them myself. This information is going to be more useful than I thought!!!


----------



## sapper6fd

If someone took a phot after the fact and submitted it for evidence, they wouldnt need to alter the EXIF data.  Jsut set their cameras date and time to the point in the past, take the photo, and no one is the wiser.


----------



## panblue

sapper6fd said:


> If someone took a phot after the fact and submitted it for evidence, they wouldnt need to alter the EXIF data.  Jsut set their cameras date and time to the point in the past, take the photo, and no one is the wiser.



..and are all cameras' time/date stamps true and accurate in any case.


----------



## 480sparky

sapper6fd said:


> If someone took a phot after the fact and submitted it for evidence, they wouldnt need to alter the EXIF data.  Jsut set their cameras date and time to the point in the past, take the photo, and no one is the wiser.




So my D7000 will be able to fake a photo taken in, say, 2004?


----------



## bratkinson

As far as changing data goes and not leaving any 'tracks', simply put the hard drive into another computer as a secondary drive.  Any mainframers out there would instantly recognize: IHEZAP and SUPERZAP programs...


----------



## sapper6fd

480sparky said:
			
		

> So my D7000 will be able to fake a photo taken in, say, 2004?



Sure it can. But anyone dumb enough to believe a camera took a photo 5 years before its release is a fool. I'm pretty sure I can change the date / time in my D90's menu options and take a digital photo with a time stamp from 1904.

Sent from my iPhone using PhotoForum


----------



## unpopular

I love this thread. it's juts kind of meandering around going nowhere.

I'm guessing KMH is planning to use it as an example of why he normally closes threads from the dead.


----------



## sapper6fd

unpopular said:


> I love this thread. it's juts kind of meandering around going nowhere.
> 
> I'm guessing KMH is planning to use it as an example of why he normally closes threads from the dead.



4895 posts....  How many of them were useful?  You sure are quick to jump in and start slamming people and trolling away (post above is a great example), never quick in jumping in to help people out though - or so I've noticed.  you should put some troll hair on that donkey avatar.


----------



## Overread

unpopular said:


> I love this thread. it's juts kind of meandering around going nowhere.
> 
> I'm guessing KMH is planning to use it as an example of why he normally closes threads from the dead.



Actually we use it as a reference to list names of members who clearly don't read all of a thread (or at least the first and last pages) to remain up to date and who only post based on the title or first post.

I then stick needles in voodoo dolls of those members! *yes printed out IPaddresses and web-names do work on voodoo apparently *


----------



## pixmedic

Overread said:


> unpopular said:
> 
> 
> 
> I love this thread. it's juts kind of meandering around going nowhere.
> 
> I'm guessing KMH is planning to use it as an example of why he normally closes threads from the dead.
> 
> 
> 
> 
> Actually we use it as a reference to list names of members who clearly don't read all of a thread (or at least the first and last pages) to remain up to date and who only post based on the title or first post.
> 
> I then stick needles in voodoo dolls of those members! *yes printed out IPaddresses and web-names do work on voodoo apparently *
Click to expand...


we miss the Hatted Husky..


----------



## unpopular

sapper6fd said:


> unpopular said:
> 
> 
> 
> I love this thread. it's juts kind of meandering around going nowhere.
> 
> I'm guessing KMH is planning to use it as an example of why he normally closes threads from the dead.
> 
> 
> 
> 
> 4895 posts....  How many of them were useful?  You sure are quick to jump in and start slamming people and trolling away (post above is a great example), never quick in jumping in to help people out though - or so I've noticed.  you should put some troll hair on that donkey avatar.
Click to expand...


ehm. learn to use your spot meter, meter for the hilights, expose at latitude.

yadda yadda yadda. you won't take any of that advice either. PHOTOGRAPHY IS HARD!


----------



## unpopular

Overread said:


> unpopular said:
> 
> 
> 
> I love this thread. it's juts kind of meandering around going nowhere.
> 
> I'm guessing KMH is planning to use it as an example of why he normally closes threads from the dead.
> 
> 
> 
> 
> Actually we use it as a reference to list names of members who clearly don't read all of a thread (or at least the first and last pages) to remain up to date and who only post based on the title or first post.
> 
> I then stick needles in voodoo dolls of those members! *yes printed out IPaddresses and web-names do work on voodoo apparently *
Click to expand...


Oh. I've been keeping up. In fact I was one of the early people to reply.

Huh. Maybe you should add yourself to that list


----------



## unpopular

Philarp said:


> Hi Everyone!
> 
> 
> I'm bringing this thread back to life as the issue of modifying EXIF data is becoming an common problem in my job.




OH WAIT! THERE IT IS!

No wonder it all seemed so random.


----------

