Date Time Change before Extraction

(@sdcoker)

I've been running into this a lot lately over the last year. The last one was easy. The person doing the extraction didn't realize that the Cellebrite report's extraction in device info was a version that was not developed for another year and a half after. I'm trying to get some input on a different case where I know the clock was turned back, among other things such as moving modified Facebook images back to the device after reset, etc.

I'm going to make this easy and just post each red flag of a clock change while numbering them. If you have input on a certain number, please feel free to post. These evidence items are mostly images from Facebook or photographs captured by the device. Refer to this Cellebrite article:

(I know it's iOS, but Android works the same when restoring data while the clock is set backwards):
https://cellebrite.com/en/if-i-could-turn-back-time-a-closer-look-at-ios-time-modifications/

This is a model SM-S767VL Galaxy J7 Crown Prepaid with the extraction end time being: 8/19/2021 8:25:34PM (UTC-5)

Red Flag #1:

Multiple Facebook images that were converted and put back on the device. Correct me if I'm wrong. I have never seen a Facebook cached image file with any extension EVER from the path data/Root/data/com.facebook.katana/cache/compactdisk/image/1/sessionless/storage/. Some of these files have the .JPG extension and some even have _converted.JPG.

 

Red Flag #2:

Capture times of photographs taken by this phone are 5 hours after the last modified time.

 

Red Flag #3:

66 files, mostly Facebook images, appear to be restored back to the device, as they have the exact same time of 6:45AM.

Red Flag #3:

There are three Facebook files that have modified dates more than 3 hours after the last extraction was completed.


   
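The checks listed in the post can be run mechanically over a file listing exported from the extraction. The following is an added example, not part of the original post and not Cellebrite code: the function name, the record layout and every sample file name and date are constructed, and only the extraction end time and the Facebook cache path are taken from the post.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC_MINUS_5 = timezone(timedelta(hours=-5))
# Extraction end time as quoted in the post: 8/19/2021 8:25:34PM (UTC-5).
EXTRACTION_END = datetime(2021, 8, 19, 20, 25, 34, tzinfo=UTC_MINUS_5)
# Facebook image cache path as quoted in the post.
FB_CACHE = ("data/Root/data/com.facebook.katana/cache/compactdisk/"
            "image/1/sessionless/storage/")


def find_red_flags(records, extraction_end=EXTRACTION_END, cluster_min=3):
    """records: iterable of (path, modified) with timezone-aware datetimes.

    Hypothetical helper. Returns the paths matching each check from the post.
    """
    records = list(records)
    counts = Counter(modified for _, modified in records)
    flags = {"extension_in_cache": [], "modified_after_extraction": [],
             "same_timestamp": {}}
    for path, modified in records:
        name = path.rsplit("/", 1)[-1]
        # Assumption from the post: cache entries here normally have no extension.
        if path.startswith(FB_CACHE) and "." in name:
            flags["extension_in_cache"].append(path)
        # A file cannot legitimately be modified after the extraction finished.
        if modified > extraction_end:
            flags["modified_after_extraction"].append(path)
        # Many files sharing one exact timestamp suggests a bulk restore.
        if counts[modified] >= cluster_min:
            flags["same_timestamp"].setdefault(modified, []).append(path)
    return flags


def _t(day, hour, minute, second=0):
    return datetime(2021, 8, day, hour, minute, second, tzinfo=UTC_MINUS_5)


# Constructed sample listing (file names and dates are invented).
SAMPLE = [
    (FB_CACHE + "a1f3", _t(17, 14, 2, 11)),
    (FB_CACHE + "b7c9.JPG", _t(19, 6, 45)),
    (FB_CACHE + "c2d4_converted.JPG", _t(19, 6, 45)),
    (FB_CACHE + "d9e0", _t(19, 6, 45)),
    (FB_CACHE + "e5f6", _t(19, 23, 40, 2)),
    ("data/media/0/DCIM/Camera/20210818_101500.jpg", _t(18, 10, 15)),
]

if __name__ == "__main__":
    for check, hits in find_red_flags(SAMPLE).items():
        print(check, hits)
```

Timestamps should be converted to timezone-aware values before comparison, since the extraction end time is reported in UTC-5 and exported file times may be in UTC.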