Autopsy newbie here… (also to DF)… I know that there is a ton of possible EXIF data that can be present, as can be seen with exiftool.
Is there a way in Autopsy to have it look for specific EXIF tags? If so, are there plug-ins that try to use something like Python’s geopy to look up a location based on the GPS data, if present?
And yes, I know that the GPS data is not always reliable, etc. I am more curious about whether such data can be requested by the ingest modules.
I don’t know if the following links help answer your question but have you looked at:
Note that in the upcoming 4.17.0 release the EXIF Parser module is renamed to be Picture Analyzer
Thank you… I am trying to absorb so much right now, I appreciate the help…
I’ve found the GENERATE REPORT function creates great results when a GOOGLE EARTH KML report output is produced. The resultant .KML file is opened with Google Earth to map the EXIF geolocations contained in images in the case dataset. It also exports the images to a folder where they can be quickly viewed with the viewer contained within Windows.
The file for Google Earth is in the REPORT folder inside whatever report name you used in the “ReportKML.kml” file.
Be patient when importing the file into Google Earth…it takes time to map all the locations and generate the map. Don’t use the online Google Earth, instead download and install it on your PC so it runs natively. You will need a internet connection for this to function. All the photo EXIF geolocations will be in the Temporary Places area on the left side of the Google Earth screen. Double-clicking on one of them will navigate to the location on the map. You can right-click to see the original image file that contains the EXIF data.
I hope this helps. Bob
Thanks Bob… This is exactly what I figured should be possible. Although my own experience writing a Python script to generate the addresses found quickly that the EXIF data is not very consistent… I found images that had Lat/Long, but without the orientation, which is useless! It said my images from Rhode Island were taken in Argentina! Still, I figure that everything is “best effort”, at least for an amateur like me.
Geolocations (latitude/logitude) are usually expressed as positive
values in the northern and eastern hemispheres. Therefore United States
locations are positive latitudes and NEGATIVE longitudes.
Don’t be surprised if some firmware and/or software use other standards.
I’ve found some cameras produce images with EXIF data that is in the
opposite longitude hemisphere, i.e. images in Arizona mapped in the
Indian ocean! Simply editing the longitude to add the - (negative) sign
corrected the location.
Be careful not to confuse the order of the numbers. Some systems use
longitude, latitude instead of the customary latitude, longitude.
Often a photo taken outdoors will reveal the error…if the location
maps to an ocean you should see water or a ship - - NOT land.
When geolocation data is given as 0,0 (latitude, longitude) all those
photos will map to the ocean east of Africa.
My favorite URLs for working with geolocations:
Calculate and map bearing angles and distances between two points
Best Regards,
Bob