(This is also available on the CSITech website at http://www.csitech.co.uk/iphone-video-metadata/)
First question: if you start a sentence with the word iPhone, should you capitalise the 'I'? Answers on a postcard please.
Second question came from a law firm that I often assist with digital forensics cases: when an iPhone is used to take a video which is then distributed, does the file contain any device ID information that can be used to trace it back to the original phone?
The answer, somewhat surprisingly knowing Apple, appears to be no. I cannot find any reference to the serial number, IMEI or ICCID numbers within the file, although it is possible that the data is there but obfuscated in some way.
Whether it is there or not, looking at iPhone movie data is very interesting. We are all used to the vast amount of metadata embedded within a photo, but movies are a bit more of a dark area with not much written about them.
The movies are based around the QuickTime file type, which is well documented by Apple here - http://developer.apple.com/library/mac/documentation/quicktime/qtff/qtff.pdf
The file type is awash with metadata, some of which is used by default in the iPhone and much that is not. Although there does not appear to be anything to specifically identify the iPhone which shot the video, there are some useful bits of data which could help. I have focused on a video shot by an iPhone 5 and then emailed out of the device.
The QuickTime structure is based around atoms and keys. Atoms are small 4-character tags such as 'prfl' for profile, 'tkhd' for the track header and many, many more. There are also keys that are of specific interest to us, as they contain the primary metadata that we may want. The keys are in the 'mdta' atom and take the form of 'com.apple.quicktime.author', for example.
At offset 0x04 you come across the 'ftyp' atom, which identifies the type of video to follow. The iPhone uses QuickTime, and so the tag which follows is 'qt'. Next is the 'moov' atom, which partly indicates that the movie came from a Mac platform, i.e. the iPhone. The 'moov' atom has a number of sub-atoms, which brings us to the area we are interested in.
Once we pass all the obvious movie data we pick up a 'keys' atom, which is then followed by metadata identified by the atom 'mdta'. The entire section can be seen in the image below.
There are several interesting tags here.
©mak«Apple - This identifies that the movie came from an Apple manufactured device. Although this might sound obvious, we might have a series of videos from a suspect's computer that we think he may have taken. However, if he is an Android and PC user then this would reduce the likelihood that he created them.
©swr«6.1.4 - This is rather useful as it tells us the iOS software version that was installed at the time that the video was taken. Again, a scenario could be that a suspect accuses his co-defendant of shooting a video, but we note that the co-defendant's iPhone is running an earlier iOS version.
©day«2013-05-27T21:38:21+0100 – This provides us with the time and date that the video was shot. Helpfully this date does NOT change when the file is moved, emailed or uploaded, which provides a solid line in the sand as to when the video was made. The time is also adjusted from UTC, so we see the real-world time it was created.
©xyz«+52.5461-002.6371+115.546 – This tag '©xyz' provides GPS location data from the GPS chip in the phone. Although not delimited, we can divide it up to provide:-
x - +52.5461
y - -002.6371
z - +115.546 – This appears to be the direction taken from the onboard compass.
This data depends on location data being turned on for Photos in the Privacy tab in Settings.
©mod«iPhone 5 - This is great: it doesn't just tag the device as an iPhone but as an iPhone 5. Again this may help us to identify the phone in a case that shot a video. So we know the video was taken by an Apple iPhone 5 with firmware 6.1.4 on 27/5/13 at 21:38:21 at a specific location. That's not bad information.
All the information is then repeated using different tags as follows:-
mdtacom.apple.quicktime.make
mdtacom.apple.quicktime.creationdate
mdtacom.apple.quicktime.location.ISO6709
mdtacom.apple.quicktime.software
mdtacom.apple.quicktime.model
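As an added example (not code from the original post), here is a small Python parser that walks the atom tree described above, pulls the com.apple.quicktime.* keys out of the 'keys' and 'ilst' atoms under moov/meta, and splits the ISO 6709 location string into its three components. The sample file is constructed in memory from the values quoted in this post; the trailing '/' on the location string and the labelling of its third component as altitude come from the ISO 6709 standard rather than from the post.

```python
import re
import struct

def atoms(buf, start=0, end=None):
    """Yield (type, body_start, body_end) for each atom in buf[start:end]."""
    pos, end = start, len(buf) if end is None else end
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        size = size or end - pos               # size 0 means "runs to end of file"
        if size < 8: raise ValueError("bad atom size at offset %d" % pos)  # 64-bit sizes not needed here
        yield kind, pos + 8, pos + size
        pos += size

def find(buf, path, start=0, end=None):
    """Descend through nested atoms, e.g. [b'moov', b'meta']; returns (body_start, body_end) or None."""
    for kind, bs, be in atoms(buf, start, end):
        if kind == path[0]:
            if kind == b"meta" and buf[bs:bs + 4] == b"\0\0\0\0":
                bs += 4                        # ISO-BMFF 'meta' carries version/flags; QuickTime's does not
            return (bs, be) if len(path) == 1 else find(buf, path[1:], bs, be)
    return None

def apple_keys(buf):
    """Return {com.apple.quicktime.* key: value} from the moov/meta 'keys' and 'ilst' atoms."""
    meta = find(buf, [b"moov", b"meta"])
    if meta is None: return {}
    keys, ilst = find(buf, [b"keys"], *meta), find(buf, [b"ilst"], *meta)
    # 'keys' body: version/flags, entry count, then entries of size + namespace ('mdta') + key name
    names = [buf[bs:be].decode() for _, bs, be in atoms(buf, keys[0] + 8, keys[1])]
    out = {}
    for idx, bs, be in atoms(buf, *ilst):      # in 'ilst' the type field is the 1-based key index
        for kind, ds, de in atoms(buf, bs, be):
            if kind == b"data":                # 'data' body: type indicator (1 = UTF-8), locale, value
                out[names[struct.unpack(">I", idx)[0] - 1]] = buf[ds + 8:de].decode()
    return out

def parse_iso6709(s):
    """Split '+52.5461-002.6371+115.546/' into (latitude, longitude, altitude) floats."""
    return tuple(float(p) for p in re.findall(r"[+-]\d+(?:\.\d+)?", s))

def atom(kind, body): return struct.pack(">I4s", 8 + len(body), kind) + body   # size + type + body

def build_sample():
    """Constructed QuickTime skeleton carrying the tags from the post (no media tracks)."""
    pairs = [(b"com.apple.quicktime.make", b"Apple"), (b"com.apple.quicktime.model", b"iPhone 5"),
             (b"com.apple.quicktime.software", b"6.1.4"), (b"com.apple.quicktime.creationdate", b"2013-05-27T21:38:21+0100"),
             (b"com.apple.quicktime.location.ISO6709", b"+52.5461-002.6371+115.546/")]
    keys = struct.pack(">II", 0, len(pairs)) + b"".join(atom(b"mdta", k) for k, _ in pairs)
    ilst = b"".join(atom(struct.pack(">I", i + 1), atom(b"data", struct.pack(">II", 1, 0) + v))
                    for i, (_, v) in enumerate(pairs))
    return atom(b"ftyp", b"qt  " + b"\0" * 8) + atom(b"moov", atom(b"meta", atom(b"keys", keys) + atom(b"ilst", ilst)))
```

Running apple_keys over the bytes of a real .MOV from the camera roll returns the same dictionary of make, model, software, creationdate and location keys that the forensic tool in the next paragraph failed to surface.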
So can we identify a specific device that shot a video? Not definitively, no. However, we may have a case where a number of phones are seized, perhaps a couple of Androids, an iPhone 3 and an iPhone 5. They may all have the same video on their phones showing illegal activity and be accusing one another of shooting it. In this case we may have sufficient metadata to pinpoint the culprit.
When I first started looking at this I assumed that it was a purely academic exercise, as our normal forensic tools probably report this data, but it seems not. A quick look in FTK with my test video only showed the operating system dates (created, modified etc.) and not the embedded video created date. There was also no extraction of ANY of the metadata we have discussed: no model, firmware, GPS data, anything! Obviously you can manually work through the hex to find the tags, but it could easily be missed if we don't know it's there.
Hope that's helpful to you.