MetaDetective
Evidence Deploy Protocols FAQ GitHub →
UNIT: OSINT-INTEL
CASE #MD-2.0.0-2026
PYTHON 3 / EXIFTOOL
AGPL-3.0
zero python dependencies
single file deployment
github.com/franckferman
/MetaDetective
Classified Case Active

Unleash Metadata Intelligence

Every file has a story.
MetaDetective reads it.

v2.0.0 zero deps Python 3 exiftool AGPL-3.0
Open the Case View on GitHub
The Suspect

Metadata. Hidden inside every document, image, and file your targets publish. Authors. Software versions. GPS coordinates. Internal hostnames. Creation dates. All embedded. All exposed. MetaDetective surfaces it.

Evidence Room

REF: MD-CAP-2.0.0
01
Exhibit A

Metadata Extraction

Powered by exiftool. 25+ fields extracted from documents, images, and media - authors, software, creation dates, internal hostnames, serial numbers, hyperlinks.

02
Exhibit B new

HEIC / HEIF Support

iPhone and iPad photos carry sub-meter GPS precision. MetaDetective now reads HEIC and HEIF natively - a direct line to geolocation from a single image file.

03
Exhibit C

Direct Web Scraping

Crawl target sites directly. No search engine in the middle, no IP blocks. Multithreaded, configurable depth, rate-limited, extension-filtered.

04
Exhibit D

GPS Intelligence

DMS to decimal degrees conversion, Nominatim reverse geocoding with caching, direct map links. Physical location from a single file.

05
Exhibit E new

Export: HTML / TXT / JSON

HTML for client reports. TXT for archiving. JSON for piping into jq, databases, or custom tooling. Structured. Predictable. Scriptable.

06
Exhibit F new

Selective Parsing

--parse-only Author Creator limits extraction to exactly what you need. Less noise. Faster output. Cleaner downstream pipelines.

Field Deployment

REF: MD-DEPLOY-2.0.0

One file. Zero Python dependencies. Deploy anywhere Python 3 and exiftool are available.

curl
pip
git clone
docker
field terminal 
# Fastest - one curl, no pip, no clone
$ curl -O https://raw.githubusercontent.com/franckferman/MetaDetective/stable/src/MetaDetective/MetaDetective.py
$ python3 MetaDetective.py -h

# Install exiftool if needed
$ sudo apt install libimage-exiftool-perl   # Debian / Ubuntu / Kali
$ brew install exiftool                        # macOS
$ python3 -m venv MetaDetectiveEnv
$ source MetaDetectiveEnv/bin/activate
$ pip install MetaDetective
$ metadetective -h
$ git clone https://github.com/franckferman/MetaDetective.git
$ cd MetaDetective
$ python3 src/MetaDetective/MetaDetective.py -h
$ docker pull franckferman/metadetective
$ docker run --rm -it franckferman/metadetective -h

# Mount a local directory
$ docker run --rm -v $(pwd)/loot:/data franckferman/metadetective -d /data

Investigation Protocols

REF: MD-OPS-2.0.0
protocol_01 :: directory analysis 
# Singular deduplicated view
$ python3 MetaDetective.py -d ./loot/

# PDF and DOCX only, filter noise
$ python3 MetaDetective.py -d ./loot/ -t pdf docx -i admin anonymous

# Per-file formatted display
$ python3 MetaDetective.py -d ./loot/ --display all --format formatted
protocol_02 :: export + pivot 
# JSON, targeted fields only
$ python3 MetaDetective.py -d ./docs/ \
    --parse-only Author Creator \
    -e json -o ~/results/

# Pivot with jq
$ jq '.unique.Author' ~/results/MetaDetective_Export-*.json
protocol_03 :: web recon 
# Scan without downloading
$ python3 MetaDetective.py --scraping --scan \
    --url https://target.com/

# Download PDFs, depth 2, 8 threads
$ python3 MetaDetective.py --scraping \
    --url https://target.com/ \
    --download-dir ~/loot/ \
    --extensions pdf docx --depth 2 --threads 8
protocol_04 :: GPS / HEIC 
# iPhone photos - extract GPS
$ python3 MetaDetective.py -d ./photos/ \
    -t heic heif jpg \
    --parse-only 'GPS Position' 'Map Link'

# HTML report with reverse geocoding
$ python3 MetaDetective.py -f photo.heic -e html

Interrogation Room

REF: MD-QA-2.0.0
Metadata is information embedded inside files - not visible in the document but readable by tools. A PDF can expose the author's real name, the machine it was created on, the software version, when it was last modified. An image can expose GPS coordinates, camera model, serial number. A single leaked document can map an Active Directory or reveal an executive's home address.
Metagoofil relies on Google to find files - which means rate limiting, CAPTCHAs, and IP blocks. MetaDetective scrapes target sites directly. No search engine dependency, no infrastructure tax. It also extracts more fields, supports HEIC, JSON export, and selective parsing that Metagoofil never had.
In the field, you don't always have pip access or internet connectivity. A single .py file means one curl command and you're operational. The only dependency is exiftool, which ships with Kali and most security distributions. This is a deliberate design choice.
It filters extraction at the source. Instead of processing all 25+ fields, --parse-only Author Creator tells MetaDetective to only look for those two fields. Less noise, cleaner output, easier to pipe downstream. Especially effective combined with -e json and jq.
Documents: PDF, DOCX, ODT, XLS, XLSX, PPTX, RTF. Images: JPEG, PNG, TIFF, PSD, SVG, BMP, HEIC, HEIF. Email: EML, MSG, PST. Video: MP4, MOV. If exiftool can parse it, MetaDetective can analyze and present it.
With --display singular: {"unique": {"Author": ["name1", "name2"]}} - deduplicated values per field, ready to pivot. With --display all: {"files": [{...}, ...]} - one object per file. Both include tool version and generation timestamp.
Case Open

Open the investigation.

Available on GitHub, PyPI, and Docker Hub.

GitHub PyPI Docker Hub