Dear Tip Tuesday addict, welcome to this week’s Tip! While using Amped Authenticate have you ever noticed that, for most images, you can find a lot of different places showing dates and times? Why are they so many, and what is the difference between them? Keep reading to find out!
If you’re into image forensics, you surely know that a single digital image can be a mine of information. Besides what’s shown by pixels, we have a lot of metadata that travels with the image file and carry information about when the picture was taken, where (if any localization system was active on the device), possibly by who, the camera being used, and even most of its settings at the moment of the shooting (flash, lens, zoom, etc.).
Needless to say, time is one of the most valuable information. If you’re interested in assessing the time at which your evidence picture was taken, there are some facts you should definitely know. Let’s use this picture of a sunset, captured with an Apple iPad Air, to go through all of them.
We just drag the image into Authenticate and search for all places where DateTimes are reported (we’ll use the technical word datetime as a way to say “date and time”).
We already encounter six datetimes in the File Format filter, part of the Overview category. Three of them are information available in the Exif metadata: Exif DateTimeOriginal, Exif CreateDate, and Exif ModifyDate. Then, we have three more datetimes called Last File Access, File Creation, and Last File Modification.
This brings us to the first, very important distinction: all Exif datetimes are taken from image metadata, which means, they are part of the information embedded in the image file. It is important to notice that:
- If the file is transferred to another device, this information will remain unaltered (unless your file transfer program does fancy things like stripping or editing Exif metadata, in which case you should consider eradicating it from your forensic toolkit);
- If you make any change to the datetimes, the edited file will have a different hash code than the original one, because they are written inside the file;
- On modern devices, the Exif DateTimeOriginal and the Exif CreateDate are usually set to the same value, and they both indicate the moment of acquisition (while, in ancient times, it could happen that you took a picture with an analog device and only later digitized it: in such cases, Exif allowed you to annotate the datetime for both operations.) The Exif ModifyDate, instead, is there to be updated every time the image is modified… but updating it is a responsibility of your image processing software, so there’s no guarantee that it will be done;
- This information can be easily altered using free tools or, depending on your operating system, just right-clicking on it and editing file Details as shown below:
Let’s now turn to the three datetimes having “File” in their name. They refer to information made available by your drive’s file system. Indeed, your operating system maintains a table of all the files stored in your drive; information in this table includes the time of creation, last access, modification of every file (regardless of its “type”: digital images are treated just like any other kind of file at this level). If you’re curious, you can read something more here. For the sake of this Tip, it is important to understand that:
- This information is not written into the image file, it is stored somewhere else in your drive;
- If you (or any software) open the file or transfer it to another location/drive, this information will normally be updated. For example: if you copy-paste the file to create a new one, the Creation datetime will normally be set to the date of the “paste” operation. Instead, if you just move the file to another folder, normally no datetime gets updated. If you simply open and close the file, the Last File Access information will be updated, and so on;
- Although less immediate, there are ways to tamper with these datetimes as well (see here, for example).
From what we’ve seen until now, we should already agree that information in Exif metadata are usually more valuable if your goal is to understand when the image was captured. Sometimes it happens, as shown below, that the Last File Modification and File Creation dates are very close or equal to the Exif CreateDate, which is surely a positive fact for our investigation.
But we’re not done yet! There is one more place where we can find useful datetimes. If we just go back to our initial image and select the Exif filter, we’ll, of course, find the three Exif datetimes showed by the File Format filter (this is just repeated information), but we may also find something more:
Oh right! When you let your device store the “location” in your pictures, it will also store the datetime of the shot! Notice that, if you compare the values shown above with those at the beginning of the post, they are not exactly the same.
The 2 hours difference is due to the different time-zones used by the GPS system (UTC) and by the tablet (CEST). There is also a small difference in seconds, which is understandable when comparing dates obtained from different timing systems (the tablet uses the date and time sent by the telephone company or those set by the user). The fact that these datetimes are provided by different sources is good for us: it means we can cross-check them!
In a future Tip, we’ll focus again on how we should cross-check all this time-related information, possibly linking it with the content of the image to increase our confidence about the real moment in which the picture was captured. This week’s takeaway is: modern images are more of a clock than a picture!
That’s all for today! We hope you’ve found this issue of the Video Evidence Pitfalls series interesting and useful! Stay tuned and don’t miss the next ones. You can also follow us on LinkedIn, YouTube, Twitter, and Facebook: we’ll post a link to every new tip so you won’t miss any!