I'm not sure if there is anything for this, but more to satisfy myself that I have done all I can…
I have an iPhone 4S with a .MOV file which I'm 99.9% certain was filmed with that device, as CelleBrite/Physical Analyser and other EXIF tools tell me it's an iPhone 4S and the video is on the device.
In the folder structure it's still in the DCIM folder, which I'm pretty sure the phone user does not have access to, so it must have got there via filing on that device.
However, I'm being asked if it's possible to link the video and phone together via something like an IMEI or serial number, but I'm just not seeing anything in the data, either via CelleBrite / Physical Analyser 3.8 or EXIF tools.
I'm pretty sure the info I have is all I can get, but if I'm missing something or a tool to link the two intrinsically via a unique ID that would be great.
Thanks 4R
In other phones I would suggest looking at the created and last written times, seeing if subtracting play length but I don't think you can get that on the iOS devices
You can usually get the firmware revision of the phone out the video? Embedded creation dates match?
I've seen the software version, that's a bit of a help. However, after some testing with my own iPhone and another iPhone, it appears when you send a file (video or image) you can select to save them, which then puts them into your CameraRoll (or your DCIM if you will) and this unfortunately does not help matters.
This is the worst-case scenario we have. If this person received the file, then deleted the message and saved the file, then it remains in the DCIM folder. Now if both people had a 4S then the DCIM of the phone we have says it was recorded on "a" 4S, but there is a 3rd person we don't know about and if they took the video and also had a 4S, then we have no way of determining if our guy actually recorded it or received it. You see the confusion we are having. If we had the other person and/or phone it would help greatly. I'm just envisioning the worst-case scenario where defense is grilling me and telling me to determine 100% that X person did in fact take this video while they are claiming they didn't.
Bloody phones!
We have it in a sent item in WhatsApp, but not received. My gut and experience tells me it was this device that recorded it, but there is always that 1% of what if…!
I just wish there was a unique ID to link the image to the device, unfortunately I can't see anything. There are some iTunes UUIDs, but they are across the device and the same for all images either taken or received on the device.
4Rensics,
Have you run a search for the file name? You may find associated information that will allow you to further define the lifecycle of the file on the device. Also, depending on the file naming convention, there may be a sequence that allows you to place the file between other files created with the phone.
Regards,
Jesse
You mention the tools you have used to examine the EXIF - have you had a good look with a Hex viewer? You would probably need to compare the data with ones from a different camera.
Tools do not always display all features.
4Rensics,
I am in a similar position a lot of the time… "Was the Video taken on this iPhone!?"
Yes, it can be proved. The majority of the time I'll tend to look at created/last written dates/times, however in your sort of situation it's best to take a look at Media Info.
I use Media Info software, which once the video file(s) is loaded, locates the EXIF data embedded within the file and can report all of this in many different formats! You can then have a good hunt through and find the OS version, Make, Model, encoded date and so on. A wealth of data that's very crucial to your case!
Let me know if you want me to get this across to you!
Can you explain how "created/last written dates/times" link an image, for example a jpeg to a specific device?
Scenario -
- I hand you a 64GB iPhone 5s (Space Gray) and
- a USB drive with an image on it;
- the EXIF contains "created/last written dates/times" information; finally
- there is no other evidence that the image was on the iPhone (cannot carve, etc.).
How would your method link the device to the image?
Well, in your scenario comparing dates/times obviously wouldn't help at all if the file was on a USB drive… I'm referring to if you have just a handset submitted with a picture file stored in the default location.
When I say "the majority of the time i'll tend to look at created/last written dates/times" - this comment was just in general for some phones. It doesn't help at all for iPhones as the majority of the file names are IMG_1234.jpg etc, but sometimes on other devices like a Blackberry if the created/last written date/time is the same and also matches a file name - it's not obviously a 100% '1st generation' picture file taken on the device, but at the early stages of the examination it's just an inkling.
Most of the time (much like this situation that 4R is in) I'll never say for certain 100% that the file is '1st generation', however I would use inklings to assist in the probability and primarily use third party software to look into the EXIF to try and obtain definitive answers.
I hope that makes sense, maybe I could have worded it better in the first place!? 8)
You could use the sensor noise from the camera and compare it to the video itself.
A
A Purdue research team working with the FBI came up with a very interesting method to identify the source camera for pictures, a few years back. In essence, the combination of the lenses and camera sensor produces a unique fingerprint.
If you have the camera, it is functioning, and you have several images there is a way to link the images at high probability to each other.
The NFI also has a tool that works on the same principle.
Check out PRNU compare
By analysing the noise in the camera sensor a unique pattern is formed and compared to the images/video frames.
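The sensor-noise comparison suggested above, as an added example that is not part of the original thread and is not the NFI tool's code: it estimates a fingerprint from reference frames of one unit and scores a questioned frame against it. Both sensors and all frames are constructed, and a 3x3 mean filter stands in for the wavelet denoiser real tools use.

```python
import math
import random

N = 32  # constructed frame size (pixels per side)

def make_sensor(seed, strength=0.02):
    """Constructed per-pixel gain deviations standing in for one unit's PRNU."""
    rng = random.Random(seed)
    return [[rng.gauss(0, strength) for _ in range(N)] for _ in range(N)]

def shoot(sensor, seed):
    """Constructed frame: smooth scene * (1 + PRNU) + random noise."""
    rng = random.Random(seed)
    a, b, c = rng.uniform(80, 160), rng.uniform(0, 1.5), rng.uniform(0, 1.5)
    return [[(a + b * x + c * y) * (1 + sensor[y][x]) + rng.gauss(0, 1)
             for x in range(N)] for y in range(N)]

def residual(img):
    """Noise residual = frame minus 3x3 mean (stand-in for a wavelet denoiser)."""
    out = {}
    for y in range(1, N - 1):
        for x in range(1, N - 1):
            blur = sum(img[y + j][x + i] for j in (-1, 0, 1) for i in (-1, 0, 1)) / 9
            out[(y, x)] = img[y][x] - blur
    return out

def fingerprint(frames):
    """Estimate K = sum(W_i * I_i) / sum(I_i^2) over the reference frames."""
    num, den = {}, {}
    for img in frames:
        for (y, x), w in residual(img).items():
            num[(y, x)] = num.get((y, x), 0.0) + w * img[y][x]
            den[(y, x)] = den.get((y, x), 0.0) + img[y][x] ** 2
    return {p: num[p] / den[p] for p in num}

def correlation(frame, fp):
    """Normalised correlation between the frame's residual and K * frame."""
    w = residual(frame)
    pts = sorted(w)
    a = [w[p] for p in pts]
    b = [fp[p] * frame[p[0]][p[1]] for p in pts]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    return cov / math.sqrt(sum((u - ma) ** 2 for u in a) * sum((v - mb) ** 2 for v in b))

phone_a, phone_b = make_sensor(1), make_sensor(2)   # two units of the same model
fp_a = fingerprint([shoot(phone_a, s) for s in range(100, 108)])
score_same = correlation(shoot(phone_a, 500), fp_a)   # frame from the reference unit
score_other = correlation(shoot(phone_b, 501), fp_a)  # frame from the other unit
print(f"same unit: {score_same:.2f}  other unit: {score_other:.2f}")
```

The score separates two units of the same model, which metadata alone cannot do; on real footage the pattern is weakened by video compression, so reference frames should be recorded with the seized device in the same mode as the questioned file.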