
exifprobe

Exifprobe reads image files from digital cameras and reports the structure and metadata contained within them. It supports various formats including TIFF, JPEG, EXIF, and multiple raw camera formats.

Description

Exifprobe is a tool designed to analyze image files produced by digital cameras, including several raw file formats. It examines the file structure and extracts auxiliary data and metadata, making it particularly useful in forensics investigations.

The program supports a wide range of formats beyond standard TIFF, JPEG, and EXIF, such as MRW, CIFF/CRW, JP2/JPEG2000, RAF, X3F, and most TIFF-derived raw formats like DNG, ORF, CR2, NEF, K25/KDC/DCR, and PEF. This comprehensive format support enables detailed inspection of camera-generated files.

It is often used alongside exifgrep, which selects and reformats exifprobe's output for easier analysis.

How It Works

Exifprobe parses image file structures, identifying sections, segments, IFD entries, and MakerNotes. It decodes metadata tags, reports offsets and values in hex and/or decimal, and can produce hex/ASCII dumps of raw or uninterpreted data. MakerNote interpretation is selected automatically from the camera make and model, or forced with the -m, -l, and -N options. Full 16-bit Unicode output and expanded tag details are also available.
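To make the terms above concrete (IFD entries, offsets, inline versus out-of-line values), here is an added Python example that walks one TIFF IFD. It is not exifprobe's code and does not reproduce its output format; `walk_ifd`, `sample_tiff` and the sample bytes are constructed for illustration, and one entry deliberately points past the end of the file to show the check an examiner needs for truncated or tampered images.

```python
import struct

# TIFF field type -> (struct code, byte size); only common types are covered.
TYPES = {1: ("B", 1), 2: ("c", 1), 3: ("H", 2), 4: ("I", 4), 5: ("II", 8), 7: ("B", 1)}
NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation"}

def walk_ifd(buf):
    """Return [(entry_offset, tag, name, type, count, value_offset, value)] for IFD0."""
    endian = {b"II": "<", b"MM": ">"}[buf[:2]]           # byte-order mark
    magic, ifd_off = struct.unpack_from(endian + "HI", buf, 2)
    if magic != 42:
        raise ValueError("not a TIFF header")
    (n,) = struct.unpack_from(endian + "H", buf, ifd_off)
    rows = []
    for i in range(n):
        ent = ifd_off + 2 + 12 * i                       # each entry is 12 bytes
        tag, typ, count = struct.unpack_from(endian + "HHI", buf, ent)
        code, size = TYPES.get(typ, ("B", 1))
        nbytes = size * count
        # Values of 4 bytes or fewer sit inline; otherwise the field holds a file offset.
        val_off = ent + 8 if nbytes <= 4 else struct.unpack_from(endian + "I", buf, ent + 8)[0]
        if val_off + nbytes > len(buf):
            value = None                                 # offset runs past end of file
        elif typ == 2:
            value = buf[val_off:val_off + nbytes].split(b"\0")[0].decode("ascii", "replace")
        else:
            vals = struct.unpack_from(endian + code * count, buf, val_off)
            value = vals[0] if len(vals) == 1 else vals
        rows.append((ent, tag, NAMES.get(tag, "?"), typ, count, val_off, value))
    return rows

def sample_tiff():
    """Constructed little-endian TIFF: header, one IFD with three entries, string data."""
    hdr = b"II" + struct.pack("<HI", 42, 8)              # IFD0 starts at offset 8
    ifd = struct.pack("<H", 3)
    ifd += struct.pack("<HHII", 0x010F, 2, 6, 50)        # Make: string stored at offset 50
    ifd += struct.pack("<HHII", 0x0110, 2, 9, 4096)      # Model: offset beyond the file
    ifd += struct.pack("<HHIHH", 0x0112, 3, 1, 1, 0)     # Orientation: value 1 stored inline
    ifd += struct.pack("<I", 0)                          # no next IFD
    return hdr + ifd + b"Canon\0"

if __name__ == "__main__":
    for ent, tag, name, typ, count, off, value in walk_ifd(sample_tiff()):
        print(f"@{ent:#06x} tag={tag:#06x} {name:<12} type={typ} count={count} "
              f"value@{off} = {value!r}")
```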

Installation

sudo apt install exifprobe

Flags

-h               print this help message
-V               print program version and copyright
-R               Report mode: only tagnames and decimal values, indented, inline
-S               Structure mode: everything, offset values not inline (default)
-L               List mode: list all tags and values (only); no structure
-Z               Zero (turn off) all output flags
-a               toggle print addresses in hex and decimal
-D               toggle print enabled addresses, tag numbers and values in decimal only
-X               toggle print enabled addresses, tag numbers and values in hex only
-I               toggle indent (after address -> before -> none)
-i               toggle "inline" print of IFD values
-n               toggle printing of filename at start of each output line
-c               toggle use of color to highlight certain sections
-u               print all 16 bits of unicode data
-p[items]        toggle print identifiers for sections, segments, IFD entries, etc.
-e[items]        toggle print IFD entry items like tagname, value, offset
-M[len|a]        hex/ascii dump 'len' (or all) bytes of unknown MakerNotes
-A[len|a]        hex/ascii dump 'len' (or all) bytes of unknown APPn segments
-U[len|a]        hex/ascii dump 'len' (or all) bytes of UNDEFINED data of unknown format
-B[len|a]        hex/ascii dump 'len' (or all) bytes of binary images or invalid JPEG data
-N[num]          force noteversion 'num' for MakerNote interpretation
-m[name]         force use of maker 'name' to select MakerNote interpretation routines
-l[model]        force use of 'model' to select MakerNote interpretation routines
-O[offset]       start processing at 'offset' in file
-C[make]+[model] print makes matching 'make', models matching 'model' (substrings)

Examples

Print the help message for exifprobe:
    exifprobe -h

Print program version and copyright:
    exifprobe -V

Run in Report mode (only tagnames and decimal values, indented, inline):
    exifprobe -R image.jpg

Run in Structure mode (everything, offset values not inline; the default):
    exifprobe -S image.jpg

Run in List mode (list all tags and values only, no structure):
    exifprobe -L image.jpg

Toggle print addresses in hex and decimal:
    exifprobe -a image.jpg

Toggle print identifiers for sections, segments, etc.:
    exifprobe -p image.jpg

Hex/ascii dump bytes of unknown MakerNotes:
    exifprobe -M image.jpg

Updated 2026-04-16. Source: kali.org