• Image Forensics

  • Image forensics is the analysis of what evidence or information can be obtained from images taken with digital cameras or mobile devices. For the purposes of this blog post I’m going to focus on a photo of a cat.

    Image Forensics Example Image

    As a forensic analyst, the first thing I want to examine is the metadata associated with the image. Exif data is information embedded in the image file and is readable using an Exif reader application. Exif data is one of the most valuable artifacts in image forensics.

    Using the Preview application on a Mac system I can view this information with the Inspector tool, which reveals the following:

    Image Forensics Exif Data

    This information doesn’t provide anything of value for investigative purposes, so let’s use a dedicated Exif reader such as the exif tool in the SANS SIFT Workstation.

    Using the exif tool from the command line we can extract the following Exif data:

    Image Forensics Exif data from SANS SIFT Workstation.

    The Exif data tells me that the photo was taken with an iPhone X, but this image was obtained from my iPhone 11 Pro Max. This can be explained by the fact that the iPhone X was upgraded to an iPhone 11 Pro Max and its contents were restored to the upgraded phone.

    GeoLocation Artifacts

    A valuable artifact that is missing from this image is the geolocation data, which tells me the location where the photo was taken. Let’s examine a photo taken with my iPhone 11 Pro Max to see if we can obtain geolocation data.

    Attempting to obtain Exif data from the Apple heic image format results in the following:

    $ exif IMG_1016.heic > exif2.txt
    Corrupt data
    The data provided does not follow the specification.
    ExifLoader: The data supplied does not seem to contain EXIF data.

    Unfortunately the exif tool in the SANS SIFT Workstation is unable to parse the HEIC file. I’ll switch back to the Preview application on my Mac and see if the data can be obtained there:

    Image Forensics of HEIC Exif Data

    The Mac Preview application reveals the geolocation coordinates, latitude and longitude (I redacted them from the image), and shows a map of that location below.

    Image Forensics Analysis

    Image forensics only gives us part of what we need to build a case. We need more evidence to prove who took the photo, but this is a good start.

    With this information we can determine the location where the photo was taken, but we cannot prove that the owner of the phone was in the same location when the photo was taken. In this case we can only speak to what the evidence provides:

    A photograph of a cat was taken at the coordinates and time recorded in the Exif data. Even that alone is not sufficient proof, because Exif data can be modified using other forensic tools.

    To pre-empt this argument I always obtain the image from the original device and make sure that the MD5 and SHA1 hashes are recorded, to prove that the image has not been modified once the device is imaged forensically.
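The three steps above (reading Make/Model from Exif, converting the GPS tags to coordinates, and recording hashes at acquisition) can be shown in one small script. The following is an added example written for this post, not the blog author's own tooling and not the exif tool from SIFT: it builds a constructed JPEG carrying a made-up Exif segment (the device name and San Francisco-area coordinates are sample values, not from a real case), parses it the way an Exif reader does, and also shows why a JPEG-oriented reader sees "no EXIF data" in a HEIC file, whose Exif lives inside an ISO-BMFF meta box rather than a JPEG APP1 segment.

```python
import hashlib
import struct

# Added example (not the blog's code). All sample values below are constructed.
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_ifd(entries, base, next_ifd=0):
    """Serialise big-endian IFD entries (tag, type, count, payload) placed at absolute
    offset `base`; payloads over 4 bytes go after the entry table and are referenced by offset."""
    head = 2 + 12 * len(entries) + 4
    table, body = b"", b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            table += struct.pack(">HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            table += struct.pack(">HHII", tag, typ, count, base + head + len(body))
            body += payload
    return struct.pack(">H", len(entries)) + table + struct.pack(">I", next_ifd) + body


def build_sample_jpeg():
    """Constructed sample: JPEG SOI + APP1/Exif (IFD0 with Make, Model, GPS sub-IFD) + EOI."""
    make, model = b"Apple\0", b"iPhone 11 Pro Max\0"

    def dms(deg, minute, sec_x100):  # three RATIONALs: deg/1, min/1, sec/100
        return struct.pack(">IIIIII", deg, 1, minute, 1, sec_x100, 100)

    gps = [(GPS_LAT_REF, 2, 2, b"N\0"), (GPS_LAT, 5, 3, dms(37, 46, 2974)),
           (GPS_LON_REF, 2, 2, b"W\0"), (GPS_LON, 5, 3, dms(122, 25, 984))]
    gps_offset = 8 + (2 + 12 * 3 + 4 + len(make) + len(model))  # IFD0 follows the 8-byte header
    ifd0 = [(TAG_MAKE, 2, len(make), make), (TAG_MODEL, 2, len(model), model),
            (TAG_GPS_IFD, 4, 1, struct.pack(">I", gps_offset))]
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + build_ifd(ifd0, 8) + build_ifd(gps, gps_offset)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def sniff_container(data):
    """Identify the container by signature. HEIC is ISO-BMFF (an 'ftyp' box at offset 4),
    so a reader that only walks JPEG marker segments finds no Exif in it."""
    if data[:2] == b"\xff\xd8":
        return "jpeg"
    if data[4:8] == b"ftyp":
        return "iso-bmff/" + data[8:12].decode("ascii", "replace")
    return "unknown"


def read_ifd(tiff, endian, offset):
    """Decode one IFD into {tag: value}, handling ASCII, SHORT, LONG and RATIONAL entries."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    tags = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            data = raw[:size]  # value stored inline, left-justified in the 4-byte field
        else:
            (ptr,) = struct.unpack(endian + "I", raw)
            data = tiff[ptr:ptr + size]
        if len(data) != size:
            raise ValueError("truncated value for tag 0x%04X" % tag)
        if typ == 2:
            tags[tag] = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            nums = struct.unpack(endian + "II" * count, data)
            # A zero denominator is malformed input; report NaN instead of crashing.
            tags[tag] = [nums[j] / nums[j + 1] if nums[j + 1] else float("nan")
                         for j in range(0, 2 * count, 2)]
        elif typ in (3, 4):
            tags[tag] = struct.unpack(endian + ("H" if typ == 3 else "I") * count, data)
        else:
            tags[tag] = data
    return tags


def gps_decimal(gps):
    """Turn GPS degree/minute/second rationals plus N/S/E/W refs into signed decimal degrees."""
    def to_dec(dms, ref):
        d, m, s = dms
        dec = d + m / 60 + s / 3600
        return -dec if ref in ("S", "W") else dec
    try:
        return to_dec(gps[GPS_LAT], gps[GPS_LAT_REF]), to_dec(gps[GPS_LON], gps[GPS_LON_REF])
    except (KeyError, ValueError):
        return None  # GPS IFD present but incomplete


def parse_exif(jpeg):
    """Walk JPEG marker segments up to start-of-scan, returning (ifd0, gps_ifd) from APP1/Exif."""
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:  # SOS: metadata segments all precede the image data
            break
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None:
                raise ValueError("bad TIFF byte-order mark")
            (ifd0_offset,) = struct.unpack_from(endian + "I", tiff, 4)
            ifd0 = read_ifd(tiff, endian, ifd0_offset)
            gps = read_ifd(tiff, endian, ifd0[TAG_GPS_IFD][0]) if TAG_GPS_IFD in ifd0 else {}
            return ifd0, gps
        pos += 2 + length
    return {}, {}


def examine(data):
    """Summarise what an examiner records for one image: container, device, location, hashes."""
    report = {"container": sniff_container(data), "make": None, "model": None, "location": None}
    if report["container"] == "jpeg":
        ifd0, gps = parse_exif(data)
        report["make"], report["model"] = ifd0.get(TAG_MAKE), ifd0.get(TAG_MODEL)
        report["location"] = gps_decimal(gps) if gps else None
    # Hashes taken at acquisition let anyone later verify the file is byte-for-byte unchanged.
    report.update({h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")})
    return report


if __name__ == "__main__":
    for key, value in examine(build_sample_jpeg()).items():
        print("%-9s %s" % (key, value))
```

Running the script prints the device, the decoded coordinates and the three digests for the constructed image; running `examine()` on bytes that start with an ISO-BMFF `ftyp` box reports the container but no Exif fields, which is the same mismatch the exif tool ran into with IMG_1016.heic. Recording SHA-256 alongside MD5 and SHA1 is a design choice of this example, not something the post requires.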

    I’m still faced with the problem of placing the phone in the hands of the owner when the photo was taken; supporting evidence for that could include:

    • Eyewitness testimony
    • Call logs
    • Video surveillance footage
    • SMS logs
    • Other forensic artifacts from the device

    This is an example of the forensic analysis we perform during mobile forensics investigations. In some cases there are hundreds or thousands of images to process. For cases like that we use dedicated forensic software suites such as Magnet Axiom, FTK, or EnCase.