Wednesday, May 29, 2013

iPhone Video Metadata


(This is also available on the CSITech website at http://www.csitech.co.uk/iphone-video-metadata/)http://www.csitech.co.uk/iphone-video-metadata/

First question, if you start a sentence with the word iPhone should you captialise the ‘I’, answers on a postcard please.

Second question came from a law firm that I often assist with digital forensics cases.  When an iPhone is used to take a video and then distributed does it contain any device ID information that can be used to trace it back to the original phone?

The answer, somewhat surprisingly knowing Apple, appears to be no, I cannot find any reference to the serial number, IMEI or ICCID numbers within the file although it is possible that the data is there but obfuscated in some way.

Whether there or not, looking at iPhone movie data is very interesting.  We are all used to the vast amount of metadata embedded within a photo but movies are a bit more of a dark area with not much written about it.  The movies are based around the QuickTime file type that is well documented by Apple which can be found here - http://developer.apple.com/library/mac/documentation/quicktime/qtff/qtff.pdf

The filetype is awash with metadata, some which are used by default in the iPhone and many that are not.  Although there does not appear to be anything to specifically identify the iPhone which shot the video there are some useful bits of data which could help.  I have focused on a video shot by an iPhone 5 and then emailed out of the device. 

The QuickTime structure is based around Atoms and Keys.  Atoms are small 4 character tags such as ‘prfl’ for profile, ‘tkhd’ for the track header and many, many more.  There are also keys that are of specific interest to us as they contain the primary metadata that we may want.  The keys are in the ‘mdta’ atom and take the form of ‘com.apple.quicktime.author’, for example.
At offset 0x04 you come across the ‘ftyp’ atom which identifies the type of video to follow.  The iPhone uses QuickTime and so the tag which follows is ‘qt’.






Next is the ‘mdat’ atom which I guess stands for movie data and contains the data related to the movie itself.





Next is the ‘moov’ atom which partly indicates that the movie came from a Mac platform, ie the iPhone.  The ‘moov’ atom has a number of sub-atoms which brings us to the area we are interested in.

Once we pass all the obvious movie data we pick up a ‘keys’ atom which is then followed by metadata identified by the atom ‘mtda’.  The entire section can be seen in the image below.





There are several interesting tags here.

©mak«Apple - This identifies that the movie came from an Apple manufactured device.  Although this might sound obvious we might have a series of videos from a suspects computer that we think he may have taken.  However, if he is an Android and PC user then this would reduce the likelihood that he created them.

©swr«6.1.4 - This is rather useful as it tells us the IOS software version that was installed at the time that the video was taken.  Again, a scenario could be that a suspect accuses his co-defendant of shooting a video but we not that the co-defendants iPhone is running an earlier IOS version.

©day«2013-05-27T21:38:21+0100 – This provides us with the time and date that the video was shot.  Helpfully this date does NOT change when the file is moved, emailed or uploaded.  This provides a solid line in the sand as to when the video was made.  The time is also adjusted from UTC so we see the real world time it was created.

©xyz«+52.5461-002.6371+115.546 – This tag ‘@xyz’ provides GPS location data provided by the GPS chip in the phone.  Although not delimited we can divide it up to provide:-

x - +52.5461
y - -002.6371
z - +115.546 – This appears to be the direction taken from the onboard compass.

This data depends on location data being turned on for Photos in the Privacy tab in Settings.

©mod«iPhone 5 - This is great, it doesn’t just tag the device as an iPhone but as an iPhone 5.  Again this may help us to identify the phone in a case that shot a video.  So we know the video was taken by an Apple iPhone 5 with firmware 6.1.4 on the 27/5/13 at 21:38:21 at a specific location.  That’s not bad information.

All the information is then repeated using different tags as follows:-

mdtacom.apple.quicktime.make
mdtacom.apple.quicktime.creationdate
mdtacom.apple.quicktime.location.ISO6709
mdtacom.apple.quicktime.software
mdtacom.apple.quicktime.model

So can we identify a specific device that shot a video?  Not definitively no, however we may have a case where a number of phones are seized, perhaps a couple of Androids, an iPhone 3 and an iPhone 5.  They may all have the same video on their phones showing illegal activity and be accusing one another of shooting it.  In this case we may have sufficient metadata to pinpoint the culprit.

When I first started looking at this I assumed that it was a purely academic exercise as our normal forensic tools probably report this data but it seems not.  A quick look in FTK with my test video only showed the Operating System dating, created, modified etc and not the embedded video created date.  There was also no extraction of ANY of the metadata we have discussed, no model, firmware, GPS data, anything!  Obviously you can manually work through the Hex to find the tags but it could easily be missed if we don’t know it’s there.

Hope that’s helpful to you? 

11 comments:

Elizabeth J. Neal said...

Apple quietly introduced an in-store trade-in program recently under its Reuse and Recycle program, and it works like this: permanently erase iPhone data Customers can bring their old iPhones -- as old as the iPhone 3G -- into Apple stores and an Apple employee will check out the condition of the phone and then give you a credit toward a new iPhone. If you agree to the price, the employee will give you credit toward a new phone on the spot.

Richard C. Lambert said...

iPhonereparation Göteborg Det kan vara komponenter så enkla som en liten gummikudde till en svart tejp till att Wifi slutar fungerar för att vi inte har använt oss av rätt skruv. Dessa saker återgärdar vi självklart utan extra kostnad så att telefonen ska bli så som ny.Vi anses vara reparationsverkstaden som är duktigast i Göteborg på att laga iPhone och på iPad reparation.

Richard C. Lambert said...

Seems Pinterest is driving a bunch of readers to your site. I as well. Everything looks so good. Will make a nice surprise for my wife when she gets home from Portland. Phone reparation Göteborg

Elizabeth J. Neal said...

Out of Warranty is a cell phone repair shop, specialized in repairing smartphones and tablets that are broken, water damaged and non-functioning in New york. iPhonereparation Göteborg

Richard C. Lambert said...

laga sony xperia Dessa problem är inga större, allt går att byta ut på en iPhone och sony Xperia Z3 z5. Är det bara linsen som gått sönder är oftast att du behöver byta ut hela baksidan på din iPhone 6 detta gör samtidigt att små repor försvinner på telefonen

Natasha Setil said...
This comment has been removed by the author.
Colingwood said...

Pc forensics has comparable exam stages to other forensic disciplines and faces similar issues. pen testing

Waleed said...

Best Cellphone repair shop POS with RepairDesk. It allows techs to manage repair jobs, daily activities, sales & orders, stay on top of inventory, and much more.

Malcolm Burrows said...

I have unfortunate luck with iPhone as when I try to update its OS I constantly get iPhone Error 4013

Valentino thomas said...

Upgrade to a brand-new battery, and power is going to be delivered far more effectively. Do you want to know more about macbook repair? for detailed info click here.

sehrishkhan said...

The post is written in very a good manner and it contains many useful information for me.
online phone shop