Learn about the importance of images and videos stored within mobile devices and how to examine these artifacts in more detail with more information than meets the eye.
Multimedia files from a smartphone extraction can provide a wealth of evidence for an investigation; multimedia files include pictures, videos, and audio files. There are 3 metadata (data about data) standards, the most well-known being EXIF (Exchangeable Image File Format). The EXIF standard specifies formats for sound, image files, and ancillary tags used in digital systems, including smartphones.
The metadata fields available for a specific file depend upon the system, device, the application used, and user customization. Metadata is portable across systems and devices, which assists in data analysis. There are three metadata components:
- Embedded metadata
Knowing the difference allows an investigator to review the metadata that benefits their investigation.
System metadata of Modified, Accessed, and Created (MAC) provides date and time stamps for all investigations. The application metadata provides EXIF data in a photo for child abuse or an intellectual property investigation.
Metadata that can be obtained includes:
- Photos – make/model of camera, geolocation, editing software, orientation, time and date taken
- Videos – make/model of camera, geolocation, editing software, time and date taken
- Audio – make/model of device, codec information, time and date created
- Other files – PDFs, emails, and office documents may contain various metadata fields
Metadata allows an investigator to use ArtifactIQ by Grayshift to filter the data via their attributes to accelerate the investigation of files and information. ArtifactIQ timeline analysis is usually a starting place for most investigations. The MAC time and dates can be utilized to filter the data within the extraction to identify files around the time of the incident that is important to the investigation.
ArtifactIQ by Grayshift will identify the path and name of files within a file system, which can also be of great investigative value in multimedia files. There are default locations for photos to be stored in the smartphone that took the image, such as the /private/var/mobile/Media/DCIM/1*APPLE file path for iDevices or /DCIM/Camera for Samsung devices. The filename for photos can also indicate when the file was taken, such as Samsung devices with a filename of 20220915_100514 indicates the photo was taken on the 15 September 2022 at 1005 hrs.
Multimedia Variables To Consider
With smart devices, there are many variables for multimedia files on a device, including being sent and received by a variety of means like:
- Downloads from the internet
- Downloads from emails
- Files sent via Bluetooth or “photo drop”
Investigations of the path and filenames within ArtifactIQ can suggest how and when the files were created, received, or sent.
As outlined, multimedia files and their metadata are helpful in all investigations. They can provide a critical part of the evidence gathered from the extraction and analysis of the digital evidence of a smart device. ArtifactIQ by Grayshift allows increased acceleration in an Investigation as it is efficient and effective, and reduces the time taken during extraction and analysis to identify important evidence such as the media covered in this blog post.
Try ArtifactIQ by Grayshift for yourself by participating in ArtifactIQ Early Access and get to know the Media Category (and other useful features).
© 2022. Grayshift, LLC. All rights reserved. Proprietary and confidential.