Monday, 25 March 2013

iPhone Forensics: Locating Live Victims / Mac, iPad, and iPhone Forensics and eDiscovery Experts | BlackBag Technologies

Forensics: Locating Live Victims

Posted on December 20, 2012 by BlackBag Training Team There have been 0 comments

The BlackLight forensic analysis software includes two very powerful metadata file filters that allow forensic analysts to quickly isolate data on iPhone and iPad devices according to the metadata contained in files. The BlackLight ‘Media’ view allows examiners to sort media files by calculated skin percentage (sometimes called flesh tone percentage) and pinpoint geolocation metadata on a map. These file filters are particularly important to agencies tasked with investigating crimes against children, where time is of the essence because live victims may be involved.
 
Locating Picture or Video Files Created at the Same Location

Using the BlackLight File Filter and Media features, an investigator may quickly isolate picture and/or video files containing geolocation metadata with just a few keystrokes. The investigator may then locate additional picture and video files taken at the same location, and/or with the same iPhone, iPad, or other camera make and model, by applying a filter containing a specific longitude and latitude coordinate, or the smart device or camera model name.
 

 
The BlackLight  ‘Metadata Field’ filter isolates files containing specified metadata attributes (seen in the above screenshot - left column). For example, choose the ‘Metadata Field’ file filter when you want BlackLight to ‘show me all the files containing GPS, latitude, longitude, and EXIF metadata.’
 

The ‘Metadata Value’ filter isolates files containing specified metadata values (seen in the above screenshot - right column) such as the actual longitude or latitude coordinate or a specific camera make.  For example, choose the ‘Metadata Value’ file filter when you want BlackLight to ‘show me all the files containing the latitude coordinate [41, 52.72, 0].’
 

Older iPhone device files do not have a ‘GPS’ metadata attribute field, but they do have ‘longitude’ and ‘latitude’ attribute fields. Additionally, if an iPhone or iPad device user  disabled ‘Location Services,’ the file may not contain GPS metadata, but an examiner may find picture files by filtering for the term 'exif.'
 

Therefore, in our opinion, the best media file filtering strategy includes filtering for several geolocation terms simultaneously. BlackLight makes this easy, as Mac and iPhone forensic investigators may type more than one term into a single ‘Metadata Field’ text field, as long as each term is separated by a colon (demonstrated below).
 

Let’s walk through the process step by step. To isolate media files containing geolocation metadata, in the ‘Component List’ under ‘Devices,’ select a device.  On the ‘Command Bar’ select the File Filter button.
 

 
Select the primary drop-down menu and select ‘Metadata Field.’
 

 
A secondary drop-down menu and text field appears.  Leave ‘contains’ (default) selected in secondary drop-down menu and in the text filed type:
 

gps:long:lat:exif

 

 
Select the Filter button, and files containing data in these metadata fields are isolated. BlackLight displays media files containing GPS metadata with a red placemark badge.
 

 
Our experience suggests that using the gps, long, lat, and exif filter terms simultaneously yields comprehensive media file filter results. Of course you may include other terms, and if you find additional terms that work especially well, please be sure to share them with us so we can pass them along to others.
 

Let’s look for additional iPhone picture files containing the same GPS coordinate metadata. In the ‘Content Pane,’ select a file that has GPS metadata. In the bottom left corner of the BlackLight ‘Case Window’ in the ‘File Information Pane,’ GPS metadata values for the selected file displays under the ‘Value’ column. Make note of a GPS longitude and/or latitude value.
 

 
At the top of the ‘Content Pane,’ to the right of the file filter criteria drop-down menus, select the ‘+’  button to add another file filter set. Select the new primary drop-down menu and select ‘Metadata Value.’
 

In the secondary drop-down menu, leave ‘contains’ (default) selected, and  in the text field, type the noted longitude or latitude value from the previously isolated file. Select the Filter button.
 

 
In this example, we typed the latitude coordinate [41, 52.72, 0] into the ‘Metadata Value’ text field, and eight picture files taken at this latitude were isolated.
 

 
Mac and iPhone forensic analysts may use the same technique to isolate files taken by an iPhone (or any other camera type). To do so, select the first drop-down menu and choose ‘Metadata Value’ (since we are looking for the ‘iPhone’ metadata value rather than a metadata attribute). In the secondary drop-down menu, leave ‘contains’ (default) selected, to the right of the drop-down menus, in the text field, type ‘iPhone,’ and select the Filter button.
 

Files taken with an iPhone are isolated. To confirm, in the ‘Content Pane,’ select a file. In the ‘File Information Pane,’ iPhone displays in the ‘Value’ column.
 

Sorting Media Files by Calculated Skin Percentage

Mac and iOS forensic examiners may use the BlackLight ‘Media’ view to sort filtered media files by percentage skin tone or any other case-specific criteria.
 

BlackLight displays video files as 4 x 4 frame sequences and calculates skin percentage based on these frame sequences. This allows investigators to literally ‘look inside’ a video file and locate contraband that may be buried inside a benign media file. This is another important feature, especially if a case potentially involves live victims where time is of the essence.
 

Let’s continue building on our example by sorting filtered media files so that those with the highest calculated skin percentage appear first.
 

On the ‘Command Bar’ select the Media button. At the top of the ‘Content Pane’ make sure the Limit to current File Filter checkbox is activated to sort only the pictures that we isolated using the BlackLight File Filter.
 

In the top right corner of the ‘Content Pane’ select the primary (left-most) drop-down menu and choose Pictures/Videos to sort and display all media files, Pictures to sort and display only picture files, or Videos to sort and display only video files. Select the secondary drop-down menu and choose Calculated Skin %.
 

 
BlackLight sorts the media files, and the media files containing the highest calculated skin percentage appear first.
 

 
So far we have located media files that contain geolocation data, isolated files containing the same GPS coordinates, and sorted these files by calculated skin tone percentage. Now, let’s map our results.
 
Mapping GPS Metadata

To map geolocation metadata, select a file and at the top of the ‘File Content Pane,’ select the GPS button. If the analysis workstation is a non-networked machine, a Mercator map with with red cross hairs representing the file’s approximate longitude and latitude coordinates displays along with several of the file’s actual geolocation metadata attributes and values (i.e., latitude, longitude, timestamp, etc.).
 

 
If the analysis workstation has an Internet connection, select the Show on Google Maps… button. A default browser window opens and displays (potentially) an address, a street view picture, and a satellite view based on the file’s GPS metadata.
 

 
We have now located media files that contain geolocation data, isolated the files containing the same GPS coordinates, sorted those results by calculated skin tone percentage, and mapped the results.
 

Remember that media created using any camera with enabled GPS tracking features, such as the iPhone and iPad Location Services feature, may contain geolocation metadata, and forensic analysts may find geolocation artifacts on a Mac computer if the user attached the camera or smart device to the computer.
 

For more information about the BlackLight forensic analysis software, visit the BlackLight product page and BlackBag TV. Please contact support with questions or comments, or to schedule a live online BlackLight demonstration.


This post was posted in Forensic Software, Macintosh Forensics Tips and Tricks, Mac, iPhone, and iPad Forensics Training, iOS Forensics, BlackLight Forensic Software, Native Mac, iPad, and iPhone Forensics, iPhone Forensics, iPad Forensics, Computer Forensics Blog | BlackBag Technologies, iPhone and iPad Forensics eDiscovery Enterprise, Mac Forensics and was tagged with iOS Forensics, Macintosh Forensics Tips and Tricks, iPhone Forensics, iPhone Forensic Software, iPhone Forensics Tools, iPod Forensics, Mac Forensics, Macintosh Forensics Training, Apple Forensics, BlackLight Forensic Software Tutorial - File Filtering, Forensic Analysis, BlackLight™ Forensic Software, Forensic Analysis - Pictures, Mac Forensics and Video Files, Mac Forensics and Multimedia Files, Forensic Software, Native Mac Analysis, iPad Forensics, Native iPhone Analysis, Native iPad Analysis, Computer Forensics GPS Metadata, Locating Live Victims, GPS Forensic Artifacts, Geolocation forensic artifacts

No comments:

Post a Comment