The sun is a useful helper in investigations and geolocation verifications. Looking at shadows in pictures could reveal the moment of capture. This helps debunking false information.
Three weeks ago we showed you how to use EXIF data in pictures to receive indications on the location and precise moment of capture. Unfortunately, not all pictures contain EXIF data, or even worse: the EXIF data could be falsified. The shadow cast in pictures enables us to check if the sun position correlates with the exposure time contained in the pictures’ metadata.
Let us look at the following picture:
I claim, that this picture was taken in front of my office on April 11, 2018 at 10:30am. True or false?
An evaluation of the EXIF data confirms that the coordinates and exposure time back my claim. The following screenshots depict the results of the fotoforensic check on fotoforensics.com. Try it yourself, the picture actually contains the EXIF data.
Case closed, information verified? Not really, because I altered the EXIF data in the picture. While the coordinates were left unchanged, the exposure time was modified. To verify this, we’ll take a closer look at the picture and dissect it into it’s single pieces of information. Hereby, we will concentrate on the shadow cast by the tree on the left.
Next we will use the website suncalc.org to check the casted shadow. Suncalc uses Google Maps to diplay results and the existing satellite imagery on Google is good enough to pinpoint each tree. In the first step, tree 1 will be used as the reference point (red marking). It is important to know the precise location of your reference point, or else the final results may be distorted. Afterwards, we add the presumed exposure time. The result of this actually shows, that the cast shadow (black arrow) of tree 1 fell towards the west, and not towards tree 2 as shown in our picture.
EXIF data canbe manipuliated, however, no one can change the course of the sun. Without any doubt the exposure time in the picture’s metadata is wrong. Now, let us cross check the actual exposure time. The picture was taken on April 25, 2018 at 02:58pm.
This method can be used in many different ways. Imagine someone stands trial and presents a picture of himself containing EXIF data to prove that he or she was at a certain location at a certain time. Or it can be used to verify propaganda pictures and videos of ISIS in Syria, supposedly containing images of an attack the previous day.
MW-OSINT / 02.10.2018