How do you testify EXIF data?

Discussion of legislation relating to computer forensics.

How do you testify EXIF data?

Posted: Wed Oct 09, 2013 8:36 am

I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

Obviously hash values are used to show file integrity. If you were questioned "How can I be sure that the EXIF data wasn't modified before you received the camera phone to compute the hash value?"

Can't this be a counter in almost all cases? Because it is always a possibility that the alleged criminal could have modified this data, even if it means that it was transferred to a computer first, modified, then transferred back (Unless they were arrested on the spot of course and had their phone confiscated).

I would like to hear your input and experiences on this matter, thank you in advance.  

DigitalAgent
Newbie
 
 
  

Re: How do you testify EXIF data?

Posted: Wed Oct 09, 2013 8:58 am

JPEGsnoop ?

Belkasoft ?

AVIZO ?
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 

Igor_Michailov
Senior Member
 
 
  

Re: How do you testify EXIF data?

Posted: Wed Oct 09, 2013 9:36 am

Most data can be tampered with - You need to look at it in context.

For instance Reconnoitre can query an Open Map Server and show a map of where an image was taken, based on EXIF data. If the data helped identify the location of a child that is being abused, then the integrity would be supported by finding a child at those coordinates.

If, however, the GPS data is being used to place a suspect at a given location and the suspect argues that he/she wasn't there, a bit more supporting evidence may be required. Does cell site back up the evidence? Are there multiple pictures with similar (but not the same) GPS data? Does the numbering (usually used for a file name), MAC date of the image and EXIF date correlate?

At an extreme you could possibly look at EXIF focal length/aperture etc. and see if they correlate with the picture under investigation.

I would say that it is also reasonably difficult to modify the data on a phone, and anyone who did so would need a) access, b) the knowledge, c) a motive, and even then I would imagine that there may be traces in the underlying operating system, just as there might be on any computer.
_________________
Paul Sanderson
SQLite Recovery - find and recover deleted sqlite dbs
sandersonforensics.com...e-Recovery
www.twitter.com/sandersonforens
www.facebook.com/recon...resoftware 

PaulSanderson
Senior Member
 
 
  

Re: How do you testify EXIF data?

Posted: Wed Oct 09, 2013 10:11 am

- DigitalAgent
I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

Obviously hash values are used to show file integrity. If you were questioned "How can I be sure that the EXIF data wasn't modified before you received the camera phone to compute the hash value?"


As Paul stated, I would think that you need to take the data in context.


- DigitalAgent

Can't this be a counter in almost all cases? Because it is always a possibility that the alleged criminal could have modified this data, even if it means that it was transferred to a computer first, modified, then transferred back (Unless they were arrested on the spot of course and had their phone confiscated).


Let's look at the scenario...let's say that the suspect is found in their home, with their digital camera or smartphone. Moving or copying the image to a computer system would leave artifacts (shellbags, timestamps within the file system), as would accessing the image itself. Then, software would be required to alter the EXIF data...either a specific application or a hex editor. Either of these being launched by the user and accessing/opening the file will leave artifacts. There will also be artifacts if the suspect moved the image(s) back to the camera.

Let's say that you have a number of pictures on the digital camera that, based on the subject and background, appear to have been taken about the same time...were they? What are the time stamps of the images within the file system in which they're stored? How do they relate to each other, and to their own EXIF data?

If you're looking at JUST the EXIF data in isolation from anything else, I can completely understand the issue...but as you're aware, you really can't do that.  

keydet89
Senior Member
 
 
  

Re: How do you testify EXIF data?

Posted: Wed Oct 09, 2013 11:57 am

I think someone who knows how to modify EXIF data would also know how to securely encrypt the images and so not have them found.

As Paul says, looking for inconsistencies is probably the biggest giveaway, e.g. an out-of-order date, or all fields the same between photos when you would expect differences.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  
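The cross-checks in the three replies above (PaulSanderson's question of whether file numbering, MAC date and EXIF date correlate, keydet89's comparison of file-system timestamps with each image's own EXIF data, and mscotgrove's out-of-order dates or identical fields between photos) can be run mechanically over a photo set. The script below is an added illustration for this thread, not code posted by any participant. It parses DateTimeOriginal (tag 0x9003) directly out of a JPEG's APP1/Exif segment and reports the inconsistencies the posters describe. The five sample files, their names and their timestamps are constructed in memory for the example; the parser deliberately handles only this one tag, not EXIF in general.

```python
"""EXIF-versus-file-system consistency checks on a small photo set.

Constructed illustration for this thread; not code from any of the posters.
It pulls DateTimeOriginal (tag 0x9003) out of a JPEG's APP1/Exif segment and
runs the cross-checks the replies describe: camera numbering vs. capture
order, file-system mtime vs. EXIF time, and duplicate EXIF times across
exposures that should differ. Everything below is built in memory.
"""
import struct
from datetime import datetime, timedelta

EXIF_IFD_TAG = 0x8769        # IFD0 entry pointing at the Exif sub-IFD
DATETIME_ORIGINAL = 0x9003   # Exif IFD entry, ASCII "YYYY:MM:DD HH:MM:SS"


def build_exif_jpeg(dt_original):
    """Construct a minimal JPEG: SOI, one APP1 Exif segment, EOI.
    Big-endian TIFF; IFD0 holds only the Exif-IFD pointer, the Exif IFD holds
    only DateTimeOriginal. Offsets are relative to the TIFF header."""
    value = dt_original.encode("ascii") + b"\x00"          # 20 bytes, stored out of line
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)               # header, IFD0 at offset 8
    tiff += struct.pack(">H", 1)                               # IFD0: one entry
    tiff += struct.pack(">HHII", EXIF_IFD_TAG, 4, 1, 26)       # LONG -> Exif IFD at 26
    tiff += struct.pack(">I", 0)                               # no IFD1
    tiff += struct.pack(">H", 1)                               # Exif IFD: one entry
    tiff += struct.pack(">HHII", DATETIME_ORIGINAL, 2, len(value), 44)  # ASCII at 44
    tiff += struct.pack(">I", 0)
    tiff += value
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def read_datetime_original(jpeg):
    """Walk JPEG segments to APP1/Exif, then IFD0 -> Exif IFD -> 0x9003.
    Returns a datetime, or None when the file carries no such tag. Covers
    only what the checks need (ASCII value stored at an offset)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            break
        if marker in (0xFFDA, 0xFFD9):      # SOS/EOI: APP segments precede these
            break
        pos += 2 + seglen
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]

    def entries(offset):
        count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
        for i in range(count):
            e = offset + 2 + 12 * i
            yield struct.unpack(endian + "HHII", tiff[e:e + 12])

    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    exif_ifd = next((v for tag, _, _, v in entries(ifd0) if tag == EXIF_IFD_TAG), None)
    if exif_ifd is None:
        return None
    for tag, typ, count, off in entries(exif_ifd):
        if tag == DATETIME_ORIGINAL and typ == 2 and count > 4:   # ASCII, out of line
            raw = tiff[off:off + count].rstrip(b"\x00").decode("ascii", "replace")
            return datetime.strptime(raw, "%Y:%m:%d %H:%M:%S")
    return None


def cross_check(photos):
    """photos: [(filename, fs_mtime, jpeg_bytes)] in camera-numbering order.
    Returns [(filename, finding)] with finding one of:
      missing_exif        - no DateTimeOriginal at all
      mtime_before_exif   - file written to disk before its claimed capture time
      out_of_sequence     - capture time earlier than the preceding file number
      duplicate_exif_time - same capture time as an earlier file
    A finding is a lead to explain (clock reset, copy, edit), not proof of tampering."""
    findings, parsed = [], []
    for name, mtime, data in photos:
        taken = read_datetime_original(data)
        if taken is None:
            findings.append((name, "missing_exif"))
            continue
        if mtime < taken:
            findings.append((name, "mtime_before_exif"))
        parsed.append((name, taken))
    for (_, prev), (name, taken) in zip(parsed, parsed[1:]):
        if taken < prev:
            findings.append((name, "out_of_sequence"))
    seen = set()
    for name, taken in parsed:
        if taken in seen:
            findings.append((name, "duplicate_exif_time"))
        seen.add(taken)
    return findings


def sample_photos():
    """Constructed set of five camera-numbered files (all times made up).
    IMG_0003 claims a capture a day before IMG_0002, IMG_0004 was written to
    disk before its claimed capture time, IMG_0005 repeats IMG_0004's time."""
    base = datetime(2013, 10, 9, 8, 36, 0)
    td = timedelta
    stamp = lambda d: d.strftime("%Y:%m:%d %H:%M:%S")
    return [
        ("IMG_0001.JPG", base + td(seconds=5),  build_exif_jpeg(stamp(base))),
        ("IMG_0002.JPG", base + td(minutes=2),  build_exif_jpeg(stamp(base + td(minutes=2)))),
        ("IMG_0003.JPG", base + td(minutes=3),  build_exif_jpeg(stamp(base - td(days=1)))),
        ("IMG_0004.JPG", base + td(minutes=4),  build_exif_jpeg(stamp(base + td(minutes=10)))),
        ("IMG_0005.JPG", base + td(minutes=11), build_exif_jpeg(stamp(base + td(minutes=10)))),
    ]


if __name__ == "__main__":
    for name, finding in cross_check(sample_photos()):
        print(f"{name}: {finding}")
```

On real material the file-system mtime would come from the image of the card or handset and the JPEG bytes from the exported file; the point of returning findings as data rather than printing them is that each one becomes an item to explain and document, in the way athulin describes below, rather than a verdict.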

Re: How do you testify EXIF data?

Posted: Wed Oct 09, 2013 12:54 pm

- DigitalAgent
I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?


You really need to say what you mean by 'integrity'. Perhaps that's half of the problem -- my own definition cannot be used until something reasonably near to a chain of custody has been started. Not until then is there a commitment to preserve data from modification, or from detection that modification has taken place. And the term 'validate' has no obvious meaning unless you have something to validate against.

I suspect you mean something like 'how can you definitely identify significant modification of evidence between time of infraction and time of data collection'.

Probably not at all. There are signs, of course: timestamps, unallocated clusters, journalling data, backups, etc., but you can't rely on them in every situation.

What you can do is to identify different ways of performing such modifications (do a brainstorming session for altering some particular EXIF data, for example), then identify what kind of traces those leave, and then look for such traces. Don't forget to include how long such a modification would take, and the requisite knowledge or tools to do the job. If it takes detailed knowledge about the Windows32 API to do a job, you would expect to find indications of Win32 programming skills somewhere nearby, for example. Or perhaps a known tool, such as 'EXIFEDIT.EXE' or something. Or a downtime period long enough for someone to extract the disk, connect it to another system, run the tool there, then move everything back again. Or ... you get the idea.

Then at least you can say what you have looked for and eliminated.

As long as you document all the ideas (even some of the most weird ones may turn out to be relevant, come another year), the research you've made, etc., you will be able to reuse your findings in future cases. So it won't be wasted time.

athulin
Senior Member
 
 
  

Re: How do you testify EXIF data?

Posted: Wed Oct 09, 2013 4:52 pm

In what I've read here, you're asking for a blanket answer to a question that has a different answer literally every time that it's brought up in a court.

This is where real world investigation comes in handy. Not CF as much as taking that picture, laying it out on the center of a piece of paper, and working outwards on what can affect that picture: is there anything about the picture which just doesn't sit right? If so, what, and why? Then take the what and why and work out what possibilities can produce those changes.

As far as answering 100% that EXIF data hasn't been changed, I can think of numerous cases where the answer would be "absolutely, this data is correct and unchanged". How could I say that? Seriously, that's a question for you, DigitalAgent: in what circumstances could I say that I'm sure it hasn't been tampered with?

Also in your post, think opportunity, possibility, feasibility, people involved, location. Go through and apply each to your situation.

This is not speaking to you, DigitalAgent (I've posted about it before, as have others), but there need to be more classes teaching real world gumshoe detective work. I'm seeing more and more people coming out of school, and even 3-4 years into their job, where if it's not givemeananswer.exe, then they are lost and have to call on someone else at work higher up, or in the case of a solo guy, worry their toes off that it can't be figured out quick enough.


- DigitalAgent
I was discussing among my digital forensic investigation team and would like to hear your insight and experiences. Since EXIF data can easily be modified, how were/are you able to validate the integrity of it in court?

Obviously hash values are used to show file integrity. If you were questioned "How can I be sure that the EXIF data wasn't modified before you received the camera phone to compute the hash value?"

Can't this be a counter in almost all cases? Because it is always a possibility that the alleged criminal could have modified this data, even if it means that it was transferred to a computer first, modified, then transferred back (Unless they were arrested on the spot of course and had their phone confiscated).

I would like to hear your input and experiences on this matter, thank you in advance.

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

armresl
Senior Member
 
 