A Complete Guide to JPEG Forensic Analysis
Every JPEG carries six forensic signals beyond what you see in a photo viewer. This guide covers all of them and explains what they reveal in combination.
Every JPEG carries six forensic signals beyond what you see in a photo viewer. This guide covers all of them and explains what they reveal in combination.
Three methods now exist for identifying AI-generated images. Two of them fail when the creator says nothing. This article covers all three — and goes deep on the forensic signals that work regardless of what any label says.
Whether you can read metadata from a received photo depends on the channel, not the tool. Email and AirDrop pass the file unchanged. Messaging apps re-encode — EXIF is gone, but a compression signature takes its place.
JPEG, WebP, PNG, HEIC, AVIF, and camera RAW files embed a firmware-generated thumbnail before any editing software has touched them. When software re-saves the image without updating the thumbnail, the mismatch is forensic evidence — one of 60+ forensic checks snapWONDERS runs automatically on every photo and video.
MakerNote is the manufacturer-written EXIF block that standard stripping tools typically leave intact — carrying lens serial numbers, shutter counts, burst UUIDs, and capture context that survives a standard privacy scrub. Its absence from a known device is equally revealing.
How to tell if a photo has been edited: forensic analysis reads compression signatures, manufacturer metadata baselines, and thumbnail mismatches across JPEG, WebP, PNG, and video.
Stripping EXIF metadata doesn’t make a photo anonymous. DQT quantisation tables and Huffman coding tables are baked into the JPEG compression — a permanent camera fingerprint that survives every standard metadata strip. Two of the 60+ forensic checks snapWONDERS reads from every image.
