Case shape: Auto insurance carrier. Claim filed approximately 3 weeks after alleged incident. Six damage photos submitted via the carrier mobile claim portal. Claim value approximately \$48000 CAD. The Sherlock engagement scope was photo provenance reconstruction plus assessment of metadata consistency against the claim narrative.
What the Submitted Photos Showed
The six submitted photos showed a 2024 sedan with rear-quarter damage consistent with a low-speed collision. The damage pattern looked plausible: paint transfer in the impact zone, slight deformation of the rear bumper plus the trunk plus tail light cracking. The photos were submitted through the carrier mobile claim portal which captures the upload timestamp plus the originating device IP address but does not modify the underlying file.
The visual assessment from the claims adjuster was that the damage pattern was consistent with the claimed incident (low-speed parking lot collision involving a third party who was alleged to have departed the scene). The claim moved into the standard claim resolution pipeline for assessment. The Sherlock engagement was triggered by the carrier fraud detection team based on the claim profile pattern (high claim value, single-driver collision, no police report, third-party undocumented).
What the EXIF Metadata Actually Said
The Sherlock Forensics workflow began with EXIF metadata extraction from each of the six photos using Sherlock Metadata Inspector. EXIF (Exchangeable Image File Format) metadata is embedded in JPEG plus TIFF image files plus records the camera model, the lens information, the exposure settings, the timestamp plus optionally the GPS coordinates of the capture point.
The EXIF analysis surfaced three immediate findings. First, the Make plus Model fields identified the capture camera as an iPhone 14 Pro. The claimant device on file with the carrier was a Samsung Galaxy S24. Second, the Software field showed the photos had been processed through Adobe Lightroom Mobile plus then Adobe Photoshop Mobile. The first-pass straight-from-camera EXIF profile was overwritten by the photo-processing software EXIF profile. Third, the DateTimeOriginal field for two of the six photos was 27 days before the alleged incident date. The other four photos showed DateTimeOriginal timestamps consistent with the alleged incident date.
The Cross-Reference Step That Confirmed the Pattern
The EXIF findings alone raised the question but did not yet establish fraud. The Sherlock workflow proceeded to cross-reference against the broader available evidence. The carrier provided the device identifier for the claimant phone on file. The Sherlock methodology applied the iPhone 14 Pro EXIF profile against the publicly-documented Apple EXIF profile for that camera model. The Make plus Model fields matched. The Software field traced to Apple Camera app version consistent with iOS 17.2 at the alleged photo capture timestamp.
The Photoshop Mobile EXIF residue carried two specific markers: an XMP block recording the Photoshop edit history plus an IPTC block recording the user-supplied caption (left blank in this case but the IPTC infrastructure was present). The Lightroom Mobile EXIF residue carried a separate XMP block recording the Lightroom development settings. The two software residues together confirmed that the photos were processed through at least two stages of image-manipulation software after capture.
The Claimant Device Reconciliation Detail
The claimant device on file with the carrier was a Samsung Galaxy S24 with a known device identifier plus phone number. The carrier mobile claim portal capture log showed the photos were uploaded from the Samsung Galaxy S24 device. The EXIF said the photos were captured on iPhone 14 Pro. The reconciliation question was straightforward: how did photos captured on an iPhone 14 Pro end up uploaded from a Samsung Galaxy S24?
The most plausible non-fraudulent explanation: the claimant borrowed someone else's iPhone to capture the damage photos plus then transferred the photos to their own Samsung device for upload. This was investigated through follow-up claim-handler conversation. The claimant initially asserted the photos were captured on their own device. When confronted with the EXIF Make plus Model evidence the claimant revised the statement to say a family member captured the photos plus shared them. This explanation was investigated against the family member device inventory plus did not reconcile.
The Two Pre-Incident Photos Revealed the Source
The two photos with DateTimeOriginal timestamps 27 days before the alleged incident date were the load-bearing evidence. Those photos showed similar rear-quarter damage on what appeared to be the same vehicle. The damage pattern matched the four photos with incident-consistent timestamps. The implication was clear: the damage existed approximately a month before the alleged incident date plus had been documented in photos captured at that earlier time. The four photos with incident-consistent timestamps appeared to be re-photographs of the same damage taken on the alleged incident date, then processed through image-manipulation software to create the impression of distinct collision damage.
The Sherlock forensic report documented the EXIF findings, the cross-reference reconciliation plus the timestamp analysis. The report was submitted to the carrier claim file plus subsequently to carrier counsel handling the fraud assessment.
The Outcome and What the Case Establishes
The carrier denied the claim on the basis of fraudulent submission plus referred the matter to provincial insurance regulator for follow-up. The claimant did not pursue litigation against the denial. The estimated cost saved was the claim value (\$48000 CAD) plus the carrier-funded Sherlock engagement cost. The settlement disclosure agreement prevents naming of the parties or the specific carrier.
The case establishes the pattern that recurs in insurance claim fraud reconstruction work. EXIF metadata carries forensic information that the claimant typically does not anticipate or attempt to suppress. The Make plus Model field, the Software residue, the DateTimeOriginal field plus the optional GPS coordinates together produce a high-resolution provenance record for any digital photo. Image-manipulation software almost always leaves residue in the EXIF profile because the software writers do not consider EXIF stripping a routine output requirement. Strip the residue at the file system level produces a different anomaly (missing EXIF block where one should be) which is itself a forensic indicator.
The Operational Discipline This Case Suggests
For insurance carriers operating digital claim portals the operational discipline this case suggests is to add EXIF metadata extraction as an automated step in the claim intake pipeline. The extraction is fast (sub-second per photo), the cost is small plus the analytical yield is high for the small share of claims that involve photo provenance fraud. Automated EXIF extraction surfaces the high-risk claims for fraud team review without burdening the standard adjuster workflow.
For organizations needing photo forensic capacity the Sherlock Metadata Inspector handles the extraction plus the analysis workflow in a single tool. The methodology covers EXIF plus IPTC plus XMP metadata extraction, image-manipulation software residue detection plus provenance reconstruction. For organizations needing external forensic engagement support the Sherlock case-by-case engagement model applies the methodology to specific claim assessments. The output is a documented forensic report that supports claim denial decisions plus subsequent regulator referral or civil litigation.