Wednesday, November 20, 2013

Analysis of images from cell phones

Processing images from cell/mobile phones and tablets has been an increasingly large part of my workday this year. Folks are capturing so much of their lives on their mobile devices. They post these pictures and videos to Facebook and other social media sites. They also send the pictures to their friends via text or MMS messages.

But what happens when a mobile device is received as evidence? What's the best way to get those pictures and videos (the evidence) out of the device and into your analysis software for processing?

Let's start with how not to do it (though many are using this method). Don't browse through the device to find the images/video and then send them as MMS messages to your own phone or e-mail address. The problems of mixing your e-mail or phone with the case files notwithstanding, sending the files via MMS adds compression, strips some vital metadata, and changes hash values.


This screenshot from Amped's Authenticate shows the many problems that can arise from using MMS to get images/video out of a phone. From top to bottom, here's what's changed:

  • The filename has been changed
  • The file's dimensions have been changed (reduced)
  • Exif Fields changed from 47 to 0
  • Exif Make and Model have been stripped
  • JPEG Quality settings are different
  • JPEG QT Hash values are different
  • Exif ModifyDate is missing
  • File size has been reduced
  • MD5 Hash is different (as are all the SHA hash values)

So, in my test, the physical dimensions have been reduced and the file recompressed at a lower setting for transport. What do you think will be the outcome if you're trying to discern fine details within the image?
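The same kind of comparison can be scripted for any original/copy pair. The following is an added example, not part of the original post and not how Authenticate works internally; the two sample files are constructed header-only JPEGs, and the QT hash is assumed here to be an MD5 over the raw DQT segment payloads.

```python
import hashlib
import struct

def jpeg_profile(data: bytes) -> dict:
    """Collect the file properties the post's comparison lists, from JPEG headers."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    prof = {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "has_exif": False, "dimensions": None, "qt_hash": None}
    tables = b""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more headers
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            prof["has_exif"] = True          # APP1 segment carrying Exif
        elif marker == 0xDB:
            tables += body                   # DQT: quantization tables
        elif marker in (0xC0, 0xC1, 0xC2):   # SOF: precision, height, width
            height, width = struct.unpack(">HH", body[1:5])
            prof["dimensions"] = (width, height)
        pos += 2 + length
    if tables:  # assumption: MD5 over raw DQT payloads, not any tool's own QT hash
        prof["qt_hash"] = hashlib.md5(tables).hexdigest()
    return prof

def differences(original: bytes, copy: bytes) -> list:
    """Names of the profiled properties that differ between two files."""
    a, b = jpeg_profile(original), jpeg_profile(copy)
    return sorted(k for k in a if a[k] != b[k])

def _seg(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

def _sample(width: int, height: int, q: int, exif: bool) -> bytes:
    """Constructed header-only JPEG (no image data), for demonstration."""
    out = b"\xff\xd8"
    if exif:
        out += _seg(0xE1, b"Exif\x00\x00" + b"constructed")
    out += _seg(0xDB, b"\x00" + bytes([q]) * 64)
    out += _seg(0xC0, b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00")
    return out + b"\xff\xd9"

ORIGINAL = _sample(3264, 2448, 2, exif=True)    # constructed "device" file
MMS_COPY = _sample(640, 480, 12, exif=False)    # constructed "after MMS" file
```

On real files, pass the bytes of the extracted original and of the transferred copy to `differences()`; an empty list means none of the profiled properties changed.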

Instead, use a purpose-built solution for extracting data from mobile devices. Use Cellebrite, FinalMobile, MSAB's XRY, or any of the other tools that work best for your device. These will download the files without changing or recompressing them. These tools preserve the evidence and provide a report of the process utilized. These tools have been to courts across the world and are used daily by forensic teams in private and public service. Sending yourself a text from the suspect's phone? I'm guessing that you may have a problem with that one in court.

Enjoy.
