# ExifTool > Read, write, and strip metadata from photos and files. All processing happens locally — no data leaves your machine. **Source:** https://fieldwork.news/tools/exiftool **Official site:** https://exiftool.org **Category:** verification **Also covers:** security ## Security rating - **Rating:** strong - **Rating note (required when citing):** Fully local processing — no network connections, no data exfiltration path. Open-source Perl script, independently auditable, maintained for 23+ years with prompt CVE response (v13.50 patched CVE-2026-3102 within days). The only attack surface is processing malicious files, which is inherent to any metadata tool. Keep it updated. One of the most trustworthy tools available for journalists handling sensitive files. - **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending - **Review depth:** established - **Last reviewed:** 2026-04-02 - **Last agent-verified:** 2026-04-02 - **Threat level:** high-risk > AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment. ## Who it is for Journalists verifying photos and documents. OSINT researchers extracting GPS coordinates, camera models, timestamps, and software versions from files. Newsrooms that need to strip metadata before publishing sensitive images. Digital forensics teams building evidentiary timelines. Anyone working with C2PA content credentials or IPTC AI-generation labels. ## Editorial take ExifTool is the definitive metadata tool — full stop. It reads and writes metadata for 170+ file formats including every major camera RAW format (Canon CR2/CR3, Nikon NEF, Sony ARW, Fuji RAF). Extract GPS coordinates from a photo, identify the camera and lens, check the timestamp chain, read C2PA content credentials, inspect IPTC AI-generation labels, or strip all metadata before publishing. Phil Harvey has maintained it solo since 2003 — over 23 years of continuous development. He retired from Queen's University in 2020 and continues active development from retirement, with version 13.53 released March 2026. Everything runs locally. No network connections. This is the tool that other metadata tools are built on — Jeffrey's EXIF Viewer (discontinued 2024) used ExifTool under the hood, as does EXIF.tools and most forensic analysis platforms. The single-maintainer model is both a strength (consistency, deep expertise) and a risk (bus factor of one, no succession plan). For now, the release cadence shows no signs of slowing. ## Best for / not for **Best for:** Extracting GPS coordinates and timestamps from photos for geolocation verification. Identifying camera model and lens for source authentication. Reading C2PA content credentials and IPTC AI-generation metadata (supported since v13.40, October 2025). Stripping metadata before publishing sensitive images. Batch processing metadata across large file sets. Building forensic timelines from file creation and modification dates. **Not for:** People who need a graphical interface (ExifTool is command-line only, though GUI wrappers like jExifToolGUI exist). It reads metadata, not image content — it won't detect visual manipulation or AI-generated imagery from pixel analysis. For that, use FotoForensics or InVID. ExifTool can read but not write C2PA content credentials — use Adobe's c2patool for that. Not a substitute for cryptographic provenance verification. ## Pricing - **Pricing:** Free. - **Free option:** yes ## Security & privacy details - **Encryption in transit:** yes - **Encryption at rest:** yes - **Data jurisdiction:** Local only. ExifTool runs entirely on your machine. No network connections, no cloud processing, no data transmission. Files never leave your device. **Privacy policy TL;DR:** ExifTool is a local command-line application distributed as a Perl script. It makes zero network connections. No account, no telemetry, no analytics, no crash reporting. Your files stay on your machine. This is as privacy-respecting as software gets. **Practical mitigations (operational guidance, not optional):** Learn the core commands: 'exiftool photo.jpg' shows all metadata. 'exiftool -gps:all photo.jpg' extracts GPS. 'exiftool -all= photo.jpg' strips all metadata. 'exiftool -a -G1 photo.jpg' shows duplicate tags grouped by source. Always work on copies when stripping metadata from original evidence files — use '-overwrite_original' only when you know what you're doing. For macOS users: update to v13.50+ immediately to patch CVE-2026-3102. Avoid processing untrusted images with the -n flag on older versions. Install via Homebrew ('brew install exiftool') for easy updates. ## Ownership & business - **Owner:** Phil Harvey (independent developer, retired Queen's University faculty) - **Funding model:** Community open-source. Donations accepted via PayPal on exiftool.org. - **Business model:** None. Free open-source tool maintained by Phil Harvey since 2003. No commercial entity, no investors, no paid tiers. Donations fund continued development. - **Open source:** yes **Known issues:** CVE-2026-3102 (March 2026): Critical macOS vulnerability — malicious shell commands embedded in DateTimeOriginal metadata field execute when ExifTool runs with the -n flag. Fixed in v13.50. Update immediately. CVE-2021-22204: Arbitrary code execution via crafted DjVu files, affecting versions 7.44 through 12.23. This CVE was exploited in the wild against GitLab servers (CVE-2021-22205). Fixed in v12.24. Social media platforms (Instagram, Facebook, WhatsApp compression mode) strip EXIF data during upload — metadata extracted before upload may not match what recipients see. Single-maintainer project with no published succession plan; bus factor of one. --- Canonical HTML: https://fieldwork.news/tools/exiftool Full dataset: https://fieldwork.news/llms-full.txt Methodology: https://fieldwork.news/methodology