I have an images job where the Created Date, Last Write Time and Last Accessed date extracted in Cellebrite and Griffeye pre-date the device they were extracted from. They date back to 2014 but were found on an iPhone 11.
Does anyone know how still and moving images can get onto a handset without any of these dates and times being affected?
Â
Thanks
Â
Matt
One possibility is that they have been synched from an iCloud or pc-based backup - in UFED you can see whether that was enabled or not. But the sync-state in the image overview only shows the enabled/disabled state at the time the device was imaged.
If the owner has been using Apple devices for a while they are likely to be using the same account they have had for years so data can be dragged along from one device to the next. Via backups and syncs.
If the files contain EXIF metadata, check that. Also double-check the folders you found the files in as they should tell you where the files came from.
The timestamps can be unreliable though, they can be changed and different systems create them differently. Especially the 'last accessed' should not be overrated. And if the files went through backup and sync processes that will have changed the timestamps, maybe all of them.
Hi, thank you for your reply. In response to some of the questions raised;
the Photo settings had the following enabled, iCloud Photos, Shared Albums and Optimise iPhone Storage is ticked.
There isn't any EXIF data for these images.
The file paths are in the main Media/DCIM/100Apple.
Thanks again for your help.
Â
Get a blank/test iPhone.
Activate it with an Apple account you create.
Make sure iCloud backup is on.
Set its date to 2014.
Save some pictures.
Let it back up your data.
Reset the phone.
Start the phone up and restore from your iCloud backup.
Examine the pictures now on the phone.
