But what happens when a mobile device is received as evidence? What's the best way to get those pictures and videos (the evidence) out of the device and into your analysis software for processing?
Let's start with how not to do it (though many are using this method). Don't browse through the device to find the images or video and then send them as MMS messages to your own phone or e-mail address. The problems of mixing your e-mail or phone with the case files notwithstanding, sending the files via MMS adds compression, strips some vital metadata, and changes hash values. In my test, here is what changed between the original file on the device and the copy that arrived by MMS:
- The filename has been changed
- The file's dimensions have been changed (reduced)
- Exif Fields changed from 47 to 0
- Exif Make and Model have been stripped
- JPEG Quality settings are different
- JPEG quantization table (QT) hash values are different
- Exif ModifyDate is missing
- File size has been reduced
- MD5 Hash is different (as are all the SHA hash values)
So, in my test, the pixel dimensions have been reduced and the file recompressed at a lower quality setting for transport. What do you think will be the outcome if you're trying to discern fine details within the image?
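The checklist above as an automated comparison, added here as an example and not code from the original post: it reads the properties the list compares (file size, MD5, pixel dimensions from the SOF marker, Exif IFD0 tag count, presence of Make/Model and ModifyDate) straight from the JPEG marker structure with the standard library only, then reports every property that changed between the original and the copy. The two inputs are constructed byte strings with a JPEG's marker layout, not real photographs, and the Exif reader walks IFD0 only.

```python
import hashlib
import struct
MAKE, MODEL, MODIFYDATE = 0x010F, 0x0110, 0x0132  # Exif IFD0 tag ids

def jpeg_segments(data):
    """Yield (marker, payload) for each JPEG marker segment up to SOS or EOI."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], data[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_tag_ids(payload):
    """IFD0 tag ids found in an APP1 Exif payload (sub-IFDs are not walked)."""
    if not payload.startswith(b"Exif\x00\x00"):
        return set()
    tiff, e = payload[6:], (">" if payload[6:8] == b"MM" else "<")
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    n = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    return {struct.unpack(e + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])[0] for i in range(n)}

def describe(data):
    """Collect the properties the checklist above compares (hash, size, dimensions, Exif)."""
    info = {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "dimensions": None, "exif": set()}
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1:
            info["exif"] |= exif_tag_ids(payload)
        elif marker in (0xC0, 0xC2):  # SOF0/SOF2 payload: precision, height, width
            info["dimensions"] = struct.unpack(">HH", payload[1:5])[::-1]
    return info

def compare(original, copy):
    """Return {property: (original, copy)} for every property that changed in transit."""
    a, b = describe(original), describe(copy)
    rows = {"dimensions": (a["dimensions"], b["dimensions"]), "size": (a["size"], b["size"]),
            "exif_fields": (len(a["exif"]), len(b["exif"])), "md5": (a["md5"], b["md5"]),
            "make_model": ({MAKE, MODEL} <= a["exif"], {MAKE, MODEL} <= b["exif"]),
            "modify_date": (MODIFYDATE in a["exif"], MODIFYDATE in b["exif"])}
    return {k: v for k, v in rows.items() if v[0] != v[1]}

def build_jpeg(width, height, tags):
    """Constructed test input (not a real photo): SOI, optional APP1 Exif with the given IFD0 tags, SOF0, EOI."""
    ifd = struct.pack(">H", len(tags)) + b"".join(struct.pack(">HHII", t, 2, 4, 0) for t in tags) + bytes(4)
    app1 = b"Exif\x00\x00MM\x00\x2a" + struct.pack(">I", 8) + ifd
    sof = b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    return (b"\xff\xd8" + (b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if tags else b"")
            + b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof + b"\xff\xd9")

ORIGINAL = build_jpeg(3264, 2448, [MAKE, MODEL, MODIFYDATE])  # as pulled by an extraction tool
MMS_COPY = build_jpeg(640, 480, [])  # downscaled, recompressed, Exif stripped in transit
```

Run `compare(ORIGINAL, MMS_COPY)` to see every row of the checklist flagged; on real files, pass the bytes of the device copy and the received copy.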
Instead, use a purpose-built solution for extracting data from mobile devices. Use Cellebrite, FinalMobile, MSAB's XRY, or any of the other tools that work best for your device. These will download the files without changing or recompressing them, preserve the evidence, and provide a report of the process utilized. These tools have been presented in courts across the world and are used daily by forensic teams in private and public service. Sending yourself a text from the suspect's phone? I'm guessing that you may have a problem with that one in court.
Enjoy.