±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 4
Overall: 27389
Visitors: 166

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Image file system created time and EXIF time mismatch

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2, 3  Next 
  

Image file system created time and EXIF time mismatch

Post Posted: Fri Nov 30, 2012 4:05 pm

I have a Blackberry microSD card that I am examining, and I noticed something odd with the file system times and EXIF times.

The file system records a created time of 11:00:18am.

The EXIF DateTimeOriginal records a time of 11:33:06.

Can anyone explain how the file was created half an hour prior to the EXIF data (and the picture, presumably) being recorded?

Sampling a few others images showed discrepancies, but those were closer to an hour.  

twjolson
Senior Member
 
 
  

Re: Image file system created time and EXIF time mismatch

Post Posted: Fri Nov 30, 2012 11:03 pm

Possible software interpretation issue of the data?

I would test both the file timestamp with various applications, and the same with the EXIF data.

I would also make baseline images, that may reveal if there is such issues.

Have you looked at the raw data within the file itself, and manually converted it to date/time? Same for the FAT?  

jhup
Senior Member
 
 
  

Re: Image file system created time and EXIF time mismatch

Post Posted: Sat Dec 01, 2012 12:32 am

I already tested this, going beyond the tools and viewing the hex. The conundrum still exists.  

twjolson
Senior Member
 
 
  

Re: Image file system created time and EXIF time mismatch

Post Posted: Sat Dec 01, 2012 2:51 am

Is the create time on the sD card, or are you looking at the file on a PC?

When you copy a file to a hard drive through windows, the modify time is retained, but the create time is time of the copy.

Is the modified time the same or different?

Was the photo rotated or changed in the camera?
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  

Re: Image file system created time and EXIF time mismatch

Post Posted: Sat Dec 01, 2012 2:53 am

- twjolson
The file system records a created time of 11:00:18am.

The EXIF DateTimeOriginal records a time of 11:33:06.

Can anyone explain how the file was created half an hour prior to the EXIF data (and the picture, presumably) being recorded?


Not necessarily in your particular case. But in general ...

Typically the creation time is relevant for the file, not for its contents. So ... can you overwrite an existing file with new contents? If that is possible, you might get an 'old' file creation time with a 'new' exif date.

Can you run local operations on the image? Do those keep original time stamps or do they change them?

Additionally, the timestamps may come from different sources that are not in synch -- that would mean the card had moved from one device to another.  

athulin
Senior Member
 
 
  

Re: Image file system created time and EXIF time mismatch

Post Posted: Sat Dec 01, 2012 3:06 pm

- athulin
- twjolson
The file system records a created time of 11:00:18am.

The EXIF DateTimeOriginal records a time of 11:33:06.

Can anyone explain how the file was created half an hour prior to the EXIF data (and the picture, presumably) being recorded?


Not necessarily in your particular case. But in general ...

Typically the creation time is relevant for the file, not for its contents. So ... can you overwrite an existing file with new contents? If that is possible, you might get an 'old' file creation time with a 'new' exif date.

Can you run local operations on the image? Do those keep original time stamps or do they change them?

Additionally, the timestamps may come from different sources that are not in synch -- that would mean the card had moved from one device to another.


Yes, I don't think this is the case here.

The files in question were created by the device, based on the EXIF make and model fields. They did not have a second blackberry of this model. And even if they moved it from one device to another, wouldn't the file creation and EXIF DateTimeOriginal be the same anyways, regardless?

If the file's contents (the picture taken) were created and then saved to the microSD card after a delay, I would assume the EXIF to predate the file's MAC times, not the other way around.

As for overwriting the file with new contents, that is not the type of behavior I would expect from a smartphone camera. If they took a new picture, it would get a new file name and entry, not overwrite an old one (this becomes less likely when seeing the same behavior in several other spot-checked images). If they went in and edited the image, the EXIF and file's Creation time should remain the same.

I shall try various edits to the image, but again, I would assume that anything that might update the EXIF would cause it to be updated to something after the file's creation date, not predate it.

Thank you greatly for the reply, it is getting me thinking more and more, and opening up new ideas.  

twjolson
Senior Member
 
 
  

Re: Image file system created time and EXIF time mismatch

Post Posted: Sat Dec 01, 2012 5:55 pm

You said other files were closer to 1 hour different.

Was this in UK in the summer, ie is one displaying GMT and other BST?

Am I correct that FAT32 does not have a time zone flag? (My personal time zone flag says it is too late at night to check carefully!!)
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 3
Go to page 1, 2, 3  Next