Hi,
Is anyone knows how we can determine that photos found in mobile phone are actually taken using that phone, not received them from other phone (bluetooth / IrDA) or MMS/3G (other person)?
Thanks.
There are various clues which can be compared to the capabilities of the phone
1) The compression rate exhibited by the image
2) The image dimensions
3) The encoded information inside the image. For example, a JPEG will usually have information regarding what was used to create it.
4) The quality of the image
You can easily discount images that could not have been captured on the handset (due to the above reasons) however finding an image of the same quality and size as the camera phone is capable of taking and image capture data stating that the appropriate camera phone of interest captured it doesn't imply the images were captured with that phone.
Sam
Is location of the files stored can also be differentiated? For example, a photo taken will store in photos foldes, photo received via MMS in MMS inbox, or photos received via bluetooth in download folder. I know it will depend on the phone model. But, has anyone look into this area before during analysis?
From my experience they have default folders but they can be moved from folder to folder. For example, I have examined handsets where an MMS image contained a photograph which was then appeared like the image was moved into another location onto the phone. Addtionally, a lot of phones now allow the insertion of memory cards which users can use to add photos and extract photos to and from their phone. I don't think you can make an assumption of where the files have come from just by looking at which directory they are saved in but it could possibly give more evidence to the situation if other clues are present.
That's my 2pence worth anyway )
Sam
When examining the file system you might have a command history. Like with the linux .bash_history.
If you can get a list of the latest commands that were executed you might be able to determine if files were moved, renamed, copied, etc. Maybe even determine when a pic was taken…or when/where a file was transferred from.
This is a good question, and I'm not certain of the answer, yet,
Skip
EDIT Ok, after talking to some cell phone experts (thats all they do, day in and day out)….and reading some articles/standards.
The meta data for the picture is contained in the exif header or the iptc header. You can search the Internet for programs to extract these headers. From the things I read it did not seem as if it would be easy to pick out the author and other readable meta data.
Also if the pic was transferred to the phone then it may have some other artifact with it. Such as a message….or a phone call. You may be able to correlate the pic creation time, with the message in which it was sent.
Now the catch is that not all phones tag the pic with this data. But I guess that isn't all bad because if the pic does/doesn't have a exif header and the phone doesn't/does tag it's pics with the exif header then you know that the pic was/wasn't taken with that particular phone.
After talking with people and doing some research it doesn't seem as if there is an ABC answer. But you may get lucky and have the pic image headers…or some message/call that carried the pic onto that phone.
Skip
Thanks skip for the info. I'm hoping for something like Windows artifacts which exist in Windows platform. Perhaps someone already perform some research and share it with us here.