How to Verify When a Photo Was Taken (and Spot a Faked Date)

Quick answer: To verify a photo's date, open it in a free EXIF viewer and compare the three timestamps EXIF records: DateTimeOriginal (when the shutter fired), CreateDate, also called DateTimeDigitized (when the file was first written), and ModifyDate (the last time it was saved). On a genuine fresh capture all three are nearly identical. If they disagree in a suspicious way, or if DateTimeOriginal is missing while ModifyDate is recent, the date may have been altered. GPS time, file order in a sequence, and content credentials add confidence. Use the EXIF viewer to read the timestamps and our Photo Forensics tool to dig deeper.

When a photo's date matters for an insurance claim, a legal dispute, a warranty deadline, or a "when did this damage happen" argument, you cannot just trust the date the file claims. EXIF dates are editable in seconds with free tools, so a date alone is not evidence. This guide is about legitimate verification: how to read the timestamps a photo carries, what a normal pattern versus a tampered pattern looks like, and how to cross-check the date against signals that are harder to fake. It is framed strictly for detection, not for altering anything.

The three EXIF timestamps

EXIF stores three separate date fields, and the relationship between them is the single most useful thing you can read.

• DateTimeOriginal is meant to record the moment the shutter fired. This is the "when was this taken" date.
• CreateDate (the EXIF tag DateTimeDigitized) records when the image was first digitized or written to a file. On a digital camera this is the same instant as DateTimeOriginal.
• ModifyDate records the last time the file was saved. Any re-save, edit, or export updates it.

The normal pattern. A photo taken on a phone or camera and never edited has DateTimeOriginal, CreateDate, and ModifyDate all within a second or two of each other. That tight agreement is what an untouched capture looks like.

Suspicious patterns. Watch for these:

• DateTimeOriginal missing, ModifyDate recent. If the shutter date is gone but the file was saved recently, the original capture data may have been stripped or the file may have been generated or re-exported rather than captured.
• ModifyDate earlier than DateTimeOriginal. A file cannot logically be saved before it was taken. This usually means one of the fields was edited by hand.
• Round or identical fake-looking values. Dates set to midnight exactly, or all fields forced to the same arbitrary day, can indicate a manual edit.
• A Software tag that names an editor. If DateTimeOriginal looks clean but the Software field reads "Adobe Photoshop" or a metadata tool, the dates passed through software that could have rewritten them.

Read all three in our EXIF viewer. For background on the fields, see how to see when a photo was taken.

Cross-checks beyond the EXIF date

Because EXIF dates are editable, the strongest verification compares them against signals that a casual faker is unlikely to align.

GPS timestamp. When Location Services were on, the camera also writes a GPS block that includes its own UTC date and time, taken from satellite time. Compare the GPS date with DateTimeOriginal. They should match (allowing for time-zone offset). If the EXIF says one day and the embedded GPS time says another, one of them was changed, and GPS time is the harder one to forge.

Sun position and shadows. The length and direction of shadows encode the time of day and the season for a given location. If a photo claims to be a winter afternoon but shows short overhead shadows consistent with summer noon, the claimed date is inconsistent with the scene. This is a sanity check, not a precise clock, but it catches dates that are wildly wrong.

Surrounding photos in a sequence. Cameras and phones assign file names and numbers in order (IMG_0412, IMG_0413). If the photo in question carries a date that breaks the monotonic order of the frames around it, or sits in a folder whose neighbors are all months apart from it, the date is worth questioning.

File system dates. The operating system's created and modified timestamps on the file are weak (they reset on copy and download), but a file system date that predates the claimed DateTimeOriginal is a contradiction that deserves a second look.

Why a burned-in timestamp is harder to fake

EXIF lives in the file header, separate from the pixels, which is exactly why it is easy to rewrite. A timestamp burned into the pixels at the moment of capture is a different matter. To change it, someone has to edit the image itself: paint out the old digits and render new ones that match the font, lighting, and compression of the original. That leaves the kind of traces covered in how to tell if a photo has been edited, and a careful look with Error Level Analysis in the Photo Forensics tool can often reveal the patch.

This is why, for photos where the date may be challenged later, the most defensible approach is to capture with the date stamped onto the image at the shutter. You can add a timestamp to a photo at the moment you take it, so the date lives in the pixels and in the EXIF together. For more on how courts and adjusters treat these, see are timestamp photos legal evidence.

Content credentials

C2PA Content Credentials add a cryptographic layer on top of all of this. A growing number of cameras, including recent iPhone models, can attach a signed capture credential that records when and with what device the image was made. Because the manifest is signed, altering the recorded date breaks the signature. Drop the file into contentcredentials.org/verify or read how to check content credentials (C2PA) to see whether a credential is present and intact. When it is, it is the strongest date evidence available.

Honest limits

No method here is a guarantee. EXIF dates can be edited in seconds, so a clean-looking set of timestamps proves only that nobody bothered to make them disagree, not that the date is true. GPS time can be absent if Location was off. Content credentials are opt-in and are stripped by many platforms on upload, so their absence proves nothing. A re-export through a messaging app can quietly normalize all three EXIF dates and erase the very mismatches you were looking for. The reliable approach is to combine signals: read the three timestamps, cross-check GPS and the photo sequence, look for editing traces, and seek the original file and its content credentials from the source. Treat a single suspicious signal as a reason to investigate, not a verdict, and for any photo whose date you may need to prove later, stamp the date at capture so the evidence is baked in from the start.