Mac OSX GPS Photo Forensics Tutorial
Forensicon Tutorial and Walkthrough
Extracting GPS metadata from Mac OSX Terminal Command Line using MDLS command
Forensicon’s President, Lee Neubecker provides an overview of how anyone can use the Macintosh OSX terminal native command line to extract embedded metadata contained within photos or videos. The “mdls” command extracts the following fields from photos where such information exists. Smart phones having location services turned on will often include the GPS data, including, longitude, latitude, and altitude.
Sample iPhone 5 Smartphone Embedded Metadata within JPG Photos
List of fields extracted from the command: mdls <targetfilename>, or in this case: mdls IMG_0001.JPG <carriage return>
| Field Name | Sample output from iPhone |
| kMDItemAcquisitionMake | “Apple” |
| kMDItemAcquisitionModel | “iPhone 5″ |
| kMDItemAltitude | 294.3473053892216 |
| kMDItemAperture | 2.275007124536905 |
| kMDItemBitsPerSample | 32 |
| kMDItemColorSpace | “RGB” |
| kMDItemContentCreationDate | 2013-12-23 19:01:40 +0000 |
| kMDItemContentModificationDate | 2013-12-23 19:01:40 +0000 |
| kMDItemContentType | “public.jpeg” |
| kMDItemContentTypeTree | (“public.jpeg”, “public.image”, “public.data”,”public.item”, “public.content”) |
| kMDItemCreator | “7.0.1” |
| kMDItemDateAdded | 2014-11-11 15:18:32 +0000 |
| kMDItemDisplayName | “IMG_0001.JPG” |
| kMDItemEXIFVersion | “2.2.0” |
| kMDItemExposureMode | 0 |
| kMDItemExposureProgram | 1 |
| kMDItemExposureTimeSeconds | 0.002 |
| kMDItemFlashOnOff | 0 |
| kMDItemFNumber | 2.1 |
| kMDItemFocalLength | 4.12 |
| kMDItemFSContentChangeDate | 2013-12-23 19:01:40 +0000 |
| kMDItemFSCreationDate | 2013-12-23 19:01:40 +0000 |
| kMDItemFSCreatorCode | “” |
| kMDItemFSFinderFlags | 0 |
| kMDItemFSHasCustomIcon | (null) |
| kMDItemFSInvisible | 0 |
| kMDItemFSIsExtensionHidden | 0 |
| kMDItemFSIsStationery | (null) |
| kMDItemFSLabel | 0 |
| kMDItemFSName | “IMG_0001.JPG” |
| kMDItemFSNodeCount | (null) |
| kMDItemFSOwnerGroupID | 20 |
| kMDItemFSOwnerUserID | 254 |
| kMDItemFSSize | 2254495 |
| kMDItemFSTypeCode | “” |
| kMDItemGPSDateStamp | “2013:12:23″ |
| kMDItemHasAlphaChannel | 0 |
| kMDItemISOSpeed | 32 |
| kMDItemKind | “JPEG image” |
| kMDItemLastUsedDate | 2014-11-11 15:35:37 +0000 |
| kMDItemLatitude | 42.54081333333333 |
| kMDItemLogicalSize | 2254495 |
| kMDItemLongitude | -83.81125 |
| kMDItemOrientation | 1 |
| kMDItemPhysicalSize | 2256896 |
| kMDItemPixelCount | 7990272 |
| kMDItemPixelHeight | 3264 |
| kMDItemPixelWidth | 2448 |
| kMDItemProfileName | “sRGB IEC61966-2.1″ |
| kMDItemRedEyeOnOff | 0 |
| kMDItemResolutionHeightDPI | 72 |
| kMDItemResolutionWidthDPI | 72 |
| kMDItemTimestamp | “18:01:38″ |
| kMDItemUseCount | 2 |
| kMDItemUsedDates | “2014-11-11 06:00:00 +0000″ |
| kMDItemWhiteBalance | 0 |
- To perform the metadata analysis, the user must first copy the image to the Mac OSX.
- Then, launch the terminal program.
- After that, use the Change Directory command “cd” and the list commands “ls” to verify the terminal is in the same location as the photo filename copied.
- After that, the user simply types the command: mdls <filename.ext> which will output the file’s metadata contents similar to that above and as shown in the video tutorial.
- This information can be useful, especially if an inappropriate photo was taken on a smartphone, or if someone is harassing a person via social media smartphone applications.