I am currently analysing JPG files and in particular photos.
Within Encase, I am able to find out:
– file creation date
– last written date
– last accessed date
– last modified date
This is all great, but as I know these JPGs are photos, does anyone know, from looking at the metadata or within Encase, how I can display/find the exact date that the photos were actually taken?
The only place that I have found it is within MS Windows when you have a folder displaying as a picture folder.
Thanks in advance
You may have some luck if you delve into exif data.
There are plenty of tools out there to access this data (search "exif data viewer").
It is information provided by the camera about exposure, aperture etc. Timestamps and sometimes even location data are also present.
The time stamp within the exif data will be when the picture was taken - so long as it has not been tampered with. It should be far more accurate than MAC times.
You may already know this but keep in mind all this type of data can be forged, so try to find other slices of evidence that can help to support your claims if this is some kind of assignment.
Hope that helps you out a bit.
EDIT: I forgot to mention the reason MAC times are not as reliable as exif. It is because they will normally only indicate when the file was added to the file system. The picture could have been taken months ago and only moved to the PC yesterday!
Some info and suitable apps are in this thread.
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6937
jaclaz
Caveat: Remember that EXIF times are dependent on the time and date set on the camera that took the picture. If the camera is improperly set, maliciously or not, the EXIF times and dates may be meaningless.
M. W. "Bill" Picone
dba Southwest Digital Forensics
Riverside, CA USA
I'd delve into the EXIF specifications, which will help you pick apart Meta Data.
http//
Tools like IrfanView and WinHex can aid you. Alternatively, there is an EnCase script to pull out the Meta-Data... I think it's one of the default scripts. Make sure you know which tags it pulls out though.
Off the top of my head I think 'DateTimeOriginal' is the 'date taken' in a 'DSC' picture.
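To show where 'DateTimeOriginal' sits in the file, here is an added example (not from any poster in this thread) that reads Exif tag 0x9003 out of a JPEG with the Python standard library only. The function names are made up for this illustration, and `sample_jpeg()` builds a constructed test file rather than a real photo.

```python
import struct
from datetime import datetime
EXIF_IFD_POINTER = 0x8769   # IFD0 tag: offset of the Exif sub-IFD
DATETIME_ORIGINAL = 0x9003  # Exif tag: moment of capture, per the camera clock

def find_exif_tiff(jpeg):
    """Walk the JPEG segments; return the TIFF block inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)  # includes its own 2 bytes
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None

def read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, value_or_offset)} for the IFD at offset."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    rows = (struct.unpack_from(bo + "HHII", tiff, offset + 2 + 12 * i) for i in range(n))
    return {tag: (typ, count, value) for tag, typ, count, value in rows}

def date_time_original(jpeg):
    """Return DateTimeOriginal as a naive datetime, or None if absent/unusable."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"   # TIFF byte-order mark
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if EXIF_IFD_POINTER not in ifd0:
        return None
    entry = read_ifd(tiff, ifd0[EXIF_IFD_POINTER][2], bo).get(DATETIME_ORIGINAL)
    if entry is None or entry[0] != 2:       # type 2 = ASCII string
        return None
    raw = tiff[entry[2]:entry[2] + entry[1]].rstrip(b"\x00 ")
    try:
        return datetime.strptime(raw.decode("ascii"), "%Y:%m:%d %H:%M:%S")
    except ValueError:                       # blank or zeroed camera clock
        return None

def sample_jpeg(stamp=b"2009:03:14 15:09:26\x00"):
    """Constructed input: SOI, one APP1/Exif segment, EOI (no image data)."""
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, EXIF_IFD_POINTER, 4, 1, 26, 0)
    tiff += struct.pack("<HHHIII", 1, DATETIME_ORIGINAL, 2, len(stamp), 44, 0)
    app1 = b"Exif\x00\x00" + tiff + stamp
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

The value returned is whatever the camera clock said at capture, with no time zone, so it is only as trustworthy as that clock and the integrity of the file.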
Dates and times when a file - regardless of type - was created can never be guaranteed as being 100% correct, because dates and times are dependent on a wide range of other things such as:
- time setting of the device that created the file, e.g. a camera,
- how file systems handle dates and times,
- whether or not the file was moved to and from file systems other than the one where it was first created,
- number of times it was transferred,
- possibility of alteration on purpose.
Unless you can guarantee you have kept track of all of the above properly till you had that particular file, you can never be 100% sure.
As some of the posters have already mentioned, there are a few tools out there that can extract meta data.
Camera EXIF/IPTC times are only useful if you can verify that the camera that took the photos has the correct time. Alternatively, a couple of our users have said that they look at the photos to see if any external date time information is present in the photos (a clock, calendar, position of sun/shadows) to determine if the EXIF date/time is accurate.
Our product Adroit Photo Forensics was designed to work with EXIF dates as well and as such you have two options to view the photos of interest: Grouping and TimeLines.
First you can group the photos by EXIF day, month or year. Second we have a zoomable time line feature that allows you to view photos not only by file system date/time but also by EXIF date/times. You can try out the demo at our website http://digital-assembly.com.
It should be noted that EXIF date/times are more often than not the only date time information that one can retrieve if a photo has been deleted and recovered.
[…]
It should be noted that EXIF date/times are more often than not the only date time information that one can retrieve if a photo has been deleted and recovered.
Unless one also takes the content of the photo into consideration.
I have been able to determine the approximate time of outdoor pictures, using shadow length, direction and location.