So, I am working a case that is going to trial and there are a few "snags" that I am running into. This particular case deals with images (sent/received..) between cell phones.
Below is what I am confused on. The time difference between what is located in the MetaData column and what is given in the "Information" column in a Cellebrite report.
Information
File Name 0818091953a.jpg
File Path brew/mod/10888/0818091953a.jpg
File Source Phone
File Size 19621 Bytes
File Date/Time 19/08/09 215614 (GMT)
MD5 XXXXXXXXXXXXXXXXXXXXXXX
SHA256 XXXXXXXXXXXXXXXXXXXXXXX
MetaData
Resolution 72x72 (unit inch)
Pixel Resolution 366x311
Camera Make LG Electronics
Camera Model VX-9200
Date/Time 08.18.2009 195320
The picture was sent from another phone to this one. Is the time in the Information column the time the file was received on the phone or what?
I am sorry if this is a stupid question to post, but it is something that is needed to be answered and I can't answer it.
Hi Beasley,
The File Date/Time in the information "appears" to be the received time. I am not a current UFED user, but having used it in the past, this is what I remember it to be.
The metadata is created by the phone at the time of taking the image. If this isn't the evidential phone then you have no way of telling if this time is accurate. The phone may not be set to update from the providers towers and may be set by the user.
If it is accurate, then it is the time the photo was taken by the original phone. If you have the luxury, take a photo on another camera and send it to a test phone, the same make and model of the one under analysis to test this hypothesis.
Testing something is going to look better in court.
DM
DangerMouse (btw, I like the name),
Thanks for the response. I currently do not and will not be able to have the evidence in my possession again due to time restraints.
I do know that the pictures in question was sent from the suspects phone to the victims phone (the victim made a statement saying so and the suspect said he deleted them off his phone and laptop) now I just have to prove it. I was lucky enough to be able to image the suspects laptop, external HD, thumb drive and cell phone along with the victims cell phones.
The picturesI am talking about are located on both the laptop and cell phones of the suspect and the victims, but the hash values are different from each device so I am having to find another route to present this.
Lets say the pic was taken on the phone first and transferred to the commputer or vice versa, if there was some resizing or compression would that cause the hash values to change?
Lets say the pic was taken on the phone first and transferred to the commputer or vice versa, if there was some resizing or compression would that cause the hash values to change?
I had raised that question, but the resolution, pixel size and file type were the same on all of the pictures.
Well I talked to the Cellebrite tech support today and they confirmed what they are.
MetaData is of course when the picture was taken and the "Information" date/time is when it was received on the phone.
However they were not able to give me an answer on the hashes being different.
Well I talked to the Cellebrite tech support today and they confirmed what they are.
MetaData is of course when the picture was taken and the "Information" date/time is when it was received on the phone.
However they were not able to give me an answer on the hashes being different.
If one pixel changes in a photo, the hash will be different. That being said, if the EXIF data says a LG VX9200 phone took that picture and you found that picture on the laptop or flash drive with the same EXIF data, that should be enough to at least raise some questions.