ExifTool

Read, write, and strip metadata from photos and files. All processing happens locally — no data leaves your machine.

Open source

Strong

https://exiftool.org · Reviewed 2026-04-02 · Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about ExifTool?

ExifTool is the definitive metadata tool — full stop. It reads and writes metadata for 170+ file formats including every major camera RAW format (Canon CR2/CR3, Nikon NEF, Sony ARW, Fuji RAF). Extract GPS coordinates from a photo, identify the camera and lens, check the timestamp chain, read C2PA content credentials, inspect IPTC AI-generation labels, or strip all metadata before publishing. Phil Harvey has maintained it solo since 2003 — over 23 years of continuous development. He retired from Queen's University in 2020 and continues active development from retirement, with version 13.53 released March 2026. Everything runs locally. No network connections. This is the tool that other metadata tools are built on — Jeffrey's EXIF Viewer (discontinued 2024) used ExifTool under the hood, as does EXIF.tools and most forensic analysis platforms. The single-maintainer model is both a strength (consistency, deep expertise) and a risk (bus factor of one, no succession plan). For now, the release cadence shows no signs of slowing.

Best for

Extracting GPS coordinates and timestamps from photos for geolocation verification. Identifying camera model and lens for source authentication. Reading C2PA content credentials and IPTC AI-generation metadata (supported since v13.40, October 2025). Stripping metadata before publishing sensitive images. Batch processing metadata across large file sets. Building forensic timelines from file creation and modification dates.

Not for

People who need a graphical interface (ExifTool is command-line only, though GUI wrappers like jExifToolGUI exist). It reads metadata, not image content — it won't detect visual manipulation or AI-generated imagery from pixel analysis. For that, use FotoForensics or InVID. ExifTool can read but not write C2PA content credentials — use Adobe's c2patool for that. Not a substitute for cryptographic provenance verification.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Yes

Data is scrambled when stored on their servers

Data jurisdiction Local only. ExifTool runs entirely on your machine. No network connections, no cloud processing, no data transmission. Files never leave your device.

Where servers are located — affects which governments can request your data

Security rating Strong

ExifTool is a local command-line application distributed as a Perl script. It makes zero network connections. No account, no telemetry, no analytics, no crash reporting. Your files stay on your machine. This is as privacy-respecting as software gets.

How to protect yourself:

Learn the core commands: 'exiftool photo.jpg' shows all metadata. 'exiftool -gps:all photo.jpg' extracts GPS. 'exiftool -all= photo.jpg' strips all metadata. 'exiftool -a -G1 photo.jpg' shows duplicate tags grouped by source. Always work on copies when stripping metadata from original evidence files — use '-overwrite_original' only when you know what you're doing. For macOS users: update to v13.50+ immediately to patch CVE-2026-3102. Avoid processing untrusted images with the -n flag on older versions. Install via Homebrew ('brew install exiftool') for easy updates.

Fully local processing — no network connections, no data exfiltration path. Open-source Perl script, independently auditable, maintained for 23+ years with prompt CVE response (v13.50 patched CVE-2026-3102 within days). The only attack surface is processing malicious files, which is inherent to any metadata tool. Keep it updated. One of the most trustworthy tools available for journalists handling sensitive files.

Who Owns This

Owner Phil Harvey (independent developer, retired Queen's University faculty)

Funding Community open-source. Donations accepted via PayPal on exiftool.org.

Business model None. Free open-source tool maintained by Phil Harvey since 2003. No commercial entity, no investors, no paid tiers. Donations fund continued development.

Known issues

CVE-2026-3102 (March 2026): Critical macOS vulnerability — malicious shell commands embedded in DateTimeOriginal metadata field execute when ExifTool runs with the -n flag. Fixed in v13.50. Update immediately. CVE-2021-22204: Arbitrary code execution via crafted DjVu files, affecting versions 7.44 through 12.23. This CVE was exploited in the wild against GitLab servers (CVE-2021-22205). Fixed in v12.24. Social media platforms (Instagram, Facebook, WhatsApp compression mode) strip EXIF data during upload — metadata extracted before upload may not match what recipients see. Single-maintainer project with no published succession plan; bus factor of one.

Pricing

Free.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.