The tool can be used to search for images that contain GPS coordinates (geo-tags) embedded by the device that took the image. The metadata is contained in the Exchangeable Image File (EXIF) metadata format. EviGator is targeting the tool forensic investigators who need to quickly review large numbers of images to identify those relevant to a case. When images are found to contain geo-tags, the tool will display a map of the recovered coordinates.
TAG Examiner, which runs on Windows operating systems, automatically process folders containing images. It can attack images to refine the reports that it produces, and those reports can be in HTML format containing embedded maps. The software is also available in a restricted-feature free web version called TAG View, which displays geo-tag information from within an image file.
TAG Examiner joins iPhorensic, an existing tool in the EviGator portfolio, which is used to recover data from iPhone and iPod Touch backup files.
The tool would have come in handy for the SANS Institute, which in February analyzed over 15 000 images from popular image hosting site Twitpic. It used a script to analyze the EXIF information, and found 400 images that included the location of the camera at the time the image was taken. 102 of those images included the name of the photographer.