How do you testify EXIF data?

(@digitalagent)
Posts: 15
Active Member
Topic starter
 

I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

Obviously hash values are used to show file integrity. If you were questioned "How can I be sure that the EXIF data wasn't modified before you received the camera phone to compute the hash value?"

Can't this be a counter in almost all cases? Because it is always a possibility that the alleged criminal could have modified this data, even if it means that it was transferred to a computer first, modified, then transferred back (Unless they were arrested on the spot of course and had their phone confiscated).

I would like to hear your input and experiences on this matter, thank you in advance.

 
Posted : 09/10/2013 7:36 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

JPEGsnoop ?

Belkasoft ?

AVIZO ?

 
Posted : 09/10/2013 7:58 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Most data can be tampered with - You need to look at it in context.

For instance Reconnoitre can query an Open Map Server and show a map of where an image was taken, based on EXIF data. If the data helped identify the location of a child that is being abused, then the integrity would be supported by finding a child at those coordinates.

If however the GPS data is being used to place a suspect at a given location and the suspect argues that he/she wasn't there, a bit more supporting evidence may be required. Does cell site back up the evidence? Are there multiple pictures with similar (but not the same) GPS data? Does the numbering (usually used for a file name), mac date of the image and EXIF date correlate?

At an extreme you could possibly look at EXIF focal length/aperture etc. and see if they correlate with the picture under investigation.

I would say that it is also reasonably difficult to modify the data on a phone and anyone who did so would need a) access, b) the knowledge, c) a motive, and even then I would imagine that there may be traces in the underlying operating system just as there might be on any computer.

 
Posted : 09/10/2013 8:36 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

Obviously hash values are used to show file integrity. If you were questioned "How can I be sure that the EXIF data wasn't modified before you received the camera phone to compute the hash value?"

As Paul stated, I would think that you need to take the data in context.

Can't this be a counter in almost all cases? Because it is always a possibility that the alleged criminal could have modified this data, even if it means that it was transferred to a computer first, modified, then transferred back (Unless they were arrested on the spot of course and had their phone confiscated).

Let's look at the scenario…let's say that the suspect is found in their home, with their digital camera or smartphone. Moving or copying the image to a computer system would leave artifacts (shellbags, timestamps within the file system), as would accessing the image itself. Then, software would be required to alter the EXIF data…either a specific application or a hex editor. Either of these being launched by the user and accessing/opening the file will leave artifacts. There will also be artifacts if the suspect moved the image(s) back to the camera.

Let's say that you have a number of pictures on the digital camera that, based on the subject and background, appear to have been taken about the same time…were they? What are the time stamps of the images within the file system in which they're stored? How do they relate to each other, and to their own EXIF data?

If you're looking at JUST the EXIF data in isolation from anything else, I can completely understand the issue…but as you're aware, you really can't do that.

 
Posted : 09/10/2013 9:11 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I think someone who knows how to modify EXIF data would also know how to securely encrypt the images and so not have them found.

As Paul says, looking for inconsistencies is probably the biggest giveaway, e.g. an out-of-order date, or all fields the same between photos when you would expect differences.

 
Posted : 09/10/2013 10:57 pm
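The correlation checks Paul and keydet89 describe (file numbering vs. EXIF date vs. file-system mtime) and the "all fields the same between photos" giveaway, written out as an added Python example that is not from any poster in this thread. The image records are constructed, and the five-minute tolerance between capture time and mtime is an assumed value, not something the thread states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EXIF_TS = "%Y:%m:%d %H:%M:%S"  # format EXIF uses for DateTimeOriginal


@dataclass
class ImageRecord:
    name: str            # camera-assigned name with a running number, e.g. IMG_0042.JPG
    fs_mtime: datetime   # file-system modification time of the file
    exif_dt: str         # EXIF DateTimeOriginal as stored: "YYYY:MM:DD HH:MM:SS"
    gps: tuple           # (latitude, longitude) from the GPS IFD


def seq_number(name: str) -> int:
    """Running number the camera put in the file name (IMG_0042.JPG -> 42)."""
    return int("".join(ch for ch in name if ch.isdigit()))


def check_batch(records, max_skew=timedelta(minutes=5)):  # max_skew is an assumed tolerance
    """Return (image, finding) pairs for every inconsistency spotted in one device's photos."""
    findings = []
    prev = None
    for r in sorted(records, key=lambda rec: seq_number(rec.name)):
        taken = datetime.strptime(r.exif_dt, EXIF_TS)
        # A camera writes the file at capture time, so mtime should sit close to
        # DateTimeOriginal; a much later mtime means the file was rewritten afterwards.
        if r.fs_mtime - taken > max_skew:
            findings.append((r.name, f"mtime is {r.fs_mtime - taken} after EXIF capture time"))
        elif taken - r.fs_mtime > max_skew:
            findings.append((r.name, "EXIF capture time is after file mtime"))
        # Sequence numbers only increase, so capture times should too.
        if prev and taken < prev[1]:
            findings.append((r.name, f"EXIF time earlier than {prev[0]} despite higher sequence number"))
        prev = (r.name, taken)
    # Separate shots should not all carry exactly the same coordinates.
    if len(records) > 1 and len({r.gps for r in records}) == 1:
        findings.append(("batch", "identical GPS coordinates on every image"))
    return findings


def sample_batch():
    """Constructed records: IMG_0042 was rewritten a day later with a backdated EXIF time."""
    return [
        ImageRecord("IMG_0041.JPG", datetime(2013, 10, 9, 14, 0, 2), "2013:10:09 14:00:00", (51.5001, -0.1201)),
        ImageRecord("IMG_0042.JPG", datetime(2013, 10, 10, 9, 15, 0), "2013:10:09 13:30:00", (51.5004, -0.1208)),
        ImageRecord("IMG_0043.JPG", datetime(2013, 10, 9, 14, 7, 46), "2013:10:09 14:07:45", (51.5009, -0.1215)),
    ]


if __name__ == "__main__":
    for image, finding in check_batch(sample_batch()):
        print(image, "-", finding)
```

On the constructed batch only IMG_0042 is flagged, twice: its mtime is far later than its capture time, and its capture time precedes that of the lower-numbered IMG_0041.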
(@athulin)
Posts: 1156
Noble Member
 

I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

You really need to say what you mean by 'integrity'. Perhaps that's half of the problem – my own definition cannot be used until something reasonably near to a chain of custody has been started. Not until then is there a commitment to preserve data from modification, or to detect that modification has taken place. And the term 'validate' has no obvious meaning unless you have something to validate against.

I suspect you mean something like 'how can you definitely identify significant modification of evidence between "time of infraction" and "time of data collection"'.

Probably not at all. There are signs, of course: timestamps, unallocated clusters, journalling data, backups, etc., but you can't rely on them in any situation.

What you can do is to identify different ways of performing such modifications (do a brainstorming session for altering some particular EXIF data, for example), then identify what kind of traces those leave, and then look for such traces. Don't forget to include how long such a modification would take, and the requisite knowledge or tools to do the job. If it takes detailed knowledge about the Windows32 API to do a job, you would expect to find indications of Win32 programming skills somewhere nearby, for example. Or perhaps a known tool, such as 'EXIFEDIT.EXE' or something. Or a downtime period long enough for someone to extract the disk, connect it to another system, run the tool there, then move everything back again. Or … you get the idea.

Then at least you can say what you have looked for and eliminated.

As long as you document all the ideas (even some of the most weird ones may turn out to be relevant, come another year), the research you've done, etc., you will be able to reuse your findings in future cases. So it won't be wasted time.

 
Posted : 09/10/2013 11:54 pm
(@armresl)
Posts: 1011
Noble Member
 

In what I've read here, you're asking for a blanket answer to a question that has a different answer literally every time that it's brought up in a court.

This is where real world investigation comes in handy. Not CF as much as taking that picture, laying it out on the center of a piece of paper, and working outwards on what can affect that picture: is there anything about the picture which just doesn't sit right? If so, what, and why? Then take the what and why and work out what possibilities can produce those changes.

As far as answering 100% that Exif data hasn't been changed, I can think of numerous ones where the answer would be absolutely this data is correct and unchanged. How could I say that? Seriously, that's a question for you, DigitalAgent: in what circumstances could I say that I'm sure it hasn't been tampered with?

Also in your post, think opportunity, possibility, feasibility, people involved, location. Go through and apply each to your situation.

This is not aimed at you, DigitalAgent (I've posted about it before, as have others): there need to be more classes teaching real world gumshoe detective work. I'm seeing more and more people coming out of school, and even 3-4 years into their job, where if it's not givemeananswer.exe, then they are lost and have to call on someone else at work higher up, or in the case of a solo guy, worry their toes off that it can't be figured out quick enough.

I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

Obviously hash values are used to show file integrity. If you were questioned "How can I be sure that the EXIF data wasn't modified before you received the camera phone to compute the hash value?"

Can't this be a counter in almost all cases? Because it is always a possibility that the alleged criminal could have modified this data, even if it means that it was transferred to a computer first, modified, then transferred back (Unless they were arrested on the spot of course and had their phone confiscated).

I would like to hear your input and experiences on this matter, thank you in advance.

 
Posted : 10/10/2013 3:52 am
(@shawnaeh10)
Posts: 1
New Member
 

My question is about EnCase and any problems, glitches, or anything else with it. I have looked for court cases and tried to look in different blogs for this, but all I can seem to find is what the software is and things. I'm looking into this for a court case for my brother. Any help, links, or anything would be greatly appreciated.

 
Posted : 15/10/2013 5:08 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My question is about EnCase and any problems, glitches, or anything else with it.

And which is the actual question?

jaclaz

 
Posted : 15/10/2013 7:35 pm