Another Wrong Blackberry EXIF timestamp question

7 Posts
4 Users
0 Reactions
594 Views
 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

I was asked to do forensics on a Blackberry Bold (9000). More specifically, I was asked to get information about a picture that was seen on the device. We rarely get requests to do mobile forensics so we don't own any forensic software specifically for phones. So I used the trial version of Device Seizure to see what information it would pull. I ran Device Seizure and created a logical copy of the device but no pictures showed up in Device Seizure. Which confused me since HR said that they had actually seen the photo on the device. So I then used the Blackberry Desktop Manager and made a backup of the device and then used ABC Amber Blackberry Converter to view the backup .ipd file. Still could not see a picture. Ok..I'll try something else. I then loaded the .ipd file onto the Blackberry simulator…still could not see any pictures. What I believe is happening is since the device is set to compress pictures…no software recognizes them when making a logical copy. I still don't know why the .ipd file didn't contain them unless it also doesn't recognize its own compressed files.

After consulting with HR and them assuring me that the picture is indeed on the device I decided the only way to get the picture would be to view the device through Desktop Manager using Roxio. Doing that..I could now see this picture. So I copied the picture out (I know, not the most forensically sound manner but documentation was done and my only choice for retrieval).

I loaded the picture into EnCase and viewed the EXIF data. The image name given by the Blackberry is IMG00017-20100529-1402 which would break down to the 17th image taken on 5/29/2010 at 2:02 PM. I get this, but the EXIF data shows a time stamp of 20100526 204331, which would be 3 days earlier at 8:43 PM than the image name showed. Upon looking at the picture it would appear that the image name would be the correct date and time. Part of the picture content is of a bright sunny day..too bright and sunny to be at 8:43 PM.

I've read others' posts about Blackberries writing the wrong EXIF data but not to the extent that this one did. I just find it crazy that it wrote the EXIF data 3 days earlier than when the picture was taken. Anyone run across this before?

To make matters more confusing, the EXIF timestamp is on the date and around the time this person emailed other pictures of interest from their Blackberry to their work account. Unfortunately, this person had deleted the pictures from the Blackberry before HR could get the device.

I've tried recreating the timestamp oddity with my own Blackberry Bold (9000) but have had no luck. Everything matches up.

Anyone have any thoughts on the matter?


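Added example, not part of the original posts: a way to compare the two timestamps discussed in the first post, by parsing the BlackBerry image name and reading the EXIF date tags straight from the JPEG bytes. The function names are hypothetical, the name layout is the one described in the post, the EXIF string layout assumed is the standard `YYYY:MM:DD HH:MM:SS`, and the sample JPEG is constructed rather than taken from the device.

```python
import struct
from datetime import datetime

def parse_bb_name(name):
    """Split IMGnnnnn-YYYYMMDD-HHMM (layout as read in the post) into (sequence, datetime)."""
    seq, date, hhmm = name.split(".")[0].split("-")
    return int(seq[3:]), datetime.strptime(date + hhmm, "%Y%m%d%H%M")

def exif_datetimes(jpeg):
    """Return {tag: datetime} for DateTime (0x0132) and DateTimeOriginal (0x9003)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, found = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg, pos = jpeg[pos + 4:pos + 2 + size], pos + 2 + size
        if marker != 0xE1 or seg[:6] != b"Exif\x00\x00":
            continue
        tiff = seg[6:]
        e = "<" if tiff[:2] == b"II" else ">"            # TIFF byte order
        ifds = [struct.unpack(e + "I", tiff[4:8])[0]]    # IFD0 offset
        for off in ifds:                                 # grows by at most one sub-IFD
            (count,) = struct.unpack(e + "H", tiff[off:off + 2])
            for i in range(count):
                entry = tiff[off + 2 + 12 * i:off + 14 + 12 * i]
                tag, typ, cnt, val = struct.unpack(e + "HHII", entry)
                if tag == 0x8769 and len(ifds) == 1:     # pointer to the Exif sub-IFD
                    ifds.append(val)
                elif tag in (0x0132, 0x9003) and typ == 2:
                    text = tiff[val:val + cnt].rstrip(b"\x00 ").decode("ascii")
                    found[tag] = datetime.strptime(text, "%Y:%m:%d %H:%M:%S")
        break
    return found

def sample_jpeg(stamp):
    """Constructed input: SOI + one APP1/Exif segment carrying DateTimeOriginal."""
    value = stamp.encode("ascii") + b"\x00"
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8)                              # header
            + struct.pack(">HHHII", 1, 0x8769, 4, 1, 26) + bytes(4)          # IFD0
            + struct.pack(">HHHII", 1, 0x9003, 2, len(value), 44) + bytes(4) # Exif IFD
            + value)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

def name_vs_exif(name, jpeg):
    """Return (time in filename, EXIF capture time, filename minus EXIF)."""
    named, stamps = parse_bb_name(name)[1], exif_datetimes(jpeg)
    taken = stamps.get(0x9003) or stamps.get(0x0132)
    return named, taken, (named - taken if taken else None)
```

Neither the image name nor these EXIF tags carries a time zone, so the difference is only meaningful if both were written from the same clock setting.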
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I know nothing about blackberries - but have you looked at the other photos in the series, in particular 16 and 18?

It can be bright and sunny at 2043, just go North, and maybe a different time zone, or maybe incorrect clock.

Did the photo come from a different imaging device?


   
(@ebwahlberg)
Eminent Member
Joined: 17 years ago
Posts: 34
 

Did the photo come to the phone as an MMS message? That may be why you could not find it with logical downloads. Many programs cannot get MMS messages.
Eric


   
 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

Thanks for the replies fellas. To answer a couple of the questions, the photo appears to have come from this phone. The Meta data in the picture lists this model of phone and the picture was found in the default location of where pictures are stored when taken.

As far as the other photos in the series….there are none. It appears this person deleted pics right before HR arrived.


   
(@drummajor)
New Member
Joined: 15 years ago
Posts: 2
 

Hi Rong,
I'm trying to determine the date a photo was taken that was sent from one blackberry to another. I have the MMS files obtained via the blackberry desktop backup (IPD) file using ABC Amber.

Do you think what you did will work for me? If so, exactly what EnCase program did you use?

Thanks,
Leanne


   
 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

Leanne,
I use EnCase Forensic edition. I just imported the file into EnCase as a logical file. It should work but to be honest I haven't tried looking at MMS files. I would assume though if it is a picture there should still be meta data tied to it.


   
(@drummajor)
New Member
Joined: 15 years ago
Posts: 2
 

Hi, thanks for the response. I tried other software that read the EXIF data of JPEGs but they aren't giving me anything - just the date the file was downloaded onto the computer.
I'll give EnCase a try unless anyone else has a better suggestion.


   