Run Time Since Power Up fuels populated with a “v”

[london123]

Hello. I'm reviewing metadata that I believe to be altered/copied from another photo. It's for a Live Photo taken by an Apple iPhone 7+ running IOS 11.3. The value for the Run Time Since Power Up is simply "v".  What does this signify? Is the run time since power up perhaps not editable and  therefore a "v" is placed there by default? Comparison with non-suspicious photos/metadata from same device show actual durations in this field. Any input appreciated. Thanks!!

[Phil Harvey]

I would guess that it is likely that the Apple maker notes were corrupted, possibly by some editing.

- Phil

[london123]

Thank you for your reply. I've attached the data extracted using the EXIF tool and would greatly appreciate any additional comments you may have on this query. Thank you again.

[Hayo Baan]

The file you attached was empty. To further investigate this, perhaps you could share the image in question?

[london123]

Here is the photo in question, and thank you again very much.

[Hayo Baan]

I don't see a "v" value anywhere in the output of exiftool for the file you uploaded...

Here's what I get with exiftool -a -G0:1:

Code Select Expand

[ExifTool]      ExifTool Version Number         : 11.33
[File:System]   File Name                       : image1.jpeg
[File:System]   Directory                       : .
[File:System]   File Size                       : 1879 kB
[File:System]   File Modification Date/Time     : 2019:04:02 19:21:27+02:00
[File:System]   File Access Date/Time           : 2019:04:02 19:24:35+02:00
[File:System]   File Inode Change Date/Time     : 2019:04:02 19:21:29+02:00
[File:System]   File Permissions                : rw-r--r--
[File]          File Type                       : JPEG
[File]          File Type Extension             : jpg
[File]          MIME Type                       : image/jpeg
[File]          Exif Byte Order                 : Big-endian (Motorola, MM)
[File]          Image Width                     : 4032
[File]          Image Height                    : 3024
[File]          Encoding Process                : Baseline DCT, Huffman coding
[File]          Bits Per Sample                 : 8
[File]          Color Components                : 3
[File]          Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
[EXIF:IFD0]     Make                            : Apple
[EXIF:IFD0]     Camera Model Name               : iPhone 7 Plus
[EXIF:IFD0]     Orientation                     : Rotate 90 CW
[EXIF:IFD0]     X Resolution                    : 72
[EXIF:IFD0]     Y Resolution                    : 72
[EXIF:IFD0]     Resolution Unit                 : inches
[EXIF:IFD0]     Software                        : 11.3
[EXIF:IFD0]     Modify Date                     : 2018:07:01 19:29:00
[EXIF:IFD0]     Y Cb Cr Positioning             : Centered
[EXIF:ExifIFD]  Exposure Time                   : 1/4
[EXIF:ExifIFD]  F Number                        : 1.8
[EXIF:ExifIFD]  Exposure Program                : Program AE
[EXIF:ExifIFD]  ISO                             : 100
[EXIF:ExifIFD]  Exif Version                    : 0221
[EXIF:ExifIFD]  Date/Time Original              : 2018:07:01 19:29:00
[EXIF:ExifIFD]  Create Date                     : 2018:07:01 19:29:00
[EXIF:ExifIFD]  Components Configuration        : Y, Cb, Cr, -
[EXIF:ExifIFD]  Shutter Speed Value             : 1/4
[EXIF:ExifIFD]  Aperture Value                  : 1.8
[EXIF:ExifIFD]  Brightness Value                : -1.665732306
[EXIF:ExifIFD]  Exposure Compensation           : 0
[EXIF:ExifIFD]  Metering Mode                   : Multi-segment
[EXIF:ExifIFD]  Flash                           : Auto, Did not fire
[EXIF:ExifIFD]  Focal Length                    : 4.0 mm
[EXIF:ExifIFD]  Subject Area                    : 2015 1511 2217 1330
[EXIF:ExifIFD]  Sub Sec Time Original           : 626
[EXIF:ExifIFD]  Sub Sec Time Digitized          : 626
[EXIF:ExifIFD]  Flashpix Version                : 0100
[EXIF:ExifIFD]  Color Space                     : Uncalibrated
[EXIF:ExifIFD]  Exif Image Width                : 4032
[EXIF:ExifIFD]  Exif Image Height               : 3024
[EXIF:ExifIFD]  Sensing Method                  : One-chip color area
[EXIF:ExifIFD]  Scene Type                      : Directly photographed
[EXIF:ExifIFD]  Exposure Mode                   : Auto
[EXIF:ExifIFD]  White Balance                   : Auto
[EXIF:ExifIFD]  Focal Length In 35mm Format     : 28 mm
[EXIF:ExifIFD]  Scene Capture Type              : Standard
[EXIF:ExifIFD]  Lens Info                       : 3.99-6.6mm f/1.8-2.8
[EXIF:ExifIFD]  Lens Make                       : Apple
[EXIF:ExifIFD]  Lens Model                      : iPhone 7 Plus back dual camera 3.99mm f/1.8
[MakerNotes:Apple] Run Time Flags               : Valid
[MakerNotes:Apple] Run Time Value               : 1089085565168375
[MakerNotes:Apple] Run Time Scale               : 1000000000
[MakerNotes:Apple] Run Time Epoch               : 0
[MakerNotes:Apple] Acceleration Vector          : -0.05421511628 -0.9797225187 -0.1998520984
[MakerNotes:Apple] Content Identifier           : 6A76F68C-E35B-447D-A4CC-55C69559BB5E
[EXIF:GPS]      GPS Latitude Ref                : North
[EXIF:GPS]      GPS Latitude                    : 43 deg 41' 55.09"
[EXIF:GPS]      GPS Longitude Ref               : West
[EXIF:GPS]      GPS Longitude                   : 71 deg 38' 2.49"
[EXIF:GPS]      GPS Altitude Ref                : Above Sea Level
[EXIF:GPS]      GPS Altitude                    : 196.4624277 m
[EXIF:GPS]      GPS Time Stamp                  : 23:28:57
[EXIF:GPS]      GPS Speed Ref                   : km/h
[EXIF:GPS]      GPS Speed                       : 0
[EXIF:GPS]      GPS Img Direction Ref           : True North
[EXIF:GPS]      GPS Img Direction               : 252.5639098
[EXIF:GPS]      GPS Dest Bearing Ref            : True North
[EXIF:GPS]      GPS Dest Bearing                : 252.5639098
[EXIF:GPS]      GPS Date Stamp                  : 2018:07:01
[EXIF:GPS]      GPS Horizontal Positioning Error: 65 m
[EXIF:IFD1]     Compression                     : JPEG (old-style)
[EXIF:IFD1]     X Resolution                    : 72
[EXIF:IFD1]     Y Resolution                    : 72
[EXIF:IFD1]     Resolution Unit                 : inches
[EXIF:IFD1]     Thumbnail Offset                : 2194
[EXIF:IFD1]     Thumbnail Length                : 8507
[EXIF:IFD1]     Thumbnail Image                 : (Binary data 8507 bytes, use -b option to extract)
[ICC_Profile:ICC-header] Profile CMM Type       : Apple Computer Inc.
[ICC_Profile:ICC-header] Profile Version        : 4.0.0
[ICC_Profile:ICC-header] Profile Class          : Display Device Profile
[ICC_Profile:ICC-header] Color Space Data       : RGB
[ICC_Profile:ICC-header] Profile Connection Space: XYZ
[ICC_Profile:ICC-header] Profile Date Time      : 2017:07:07 13:22:32
[ICC_Profile:ICC-header] Profile File Signature : acsp
[ICC_Profile:ICC-header] Primary Platform       : Apple Computer Inc.
[ICC_Profile:ICC-header] CMM Flags              : Not Embedded, Independent
[ICC_Profile:ICC-header] Device Manufacturer    : Apple Computer Inc.
[ICC_Profile:ICC-header] Device Model           :
[ICC_Profile:ICC-header] Device Attributes      : Reflective, Glossy, Positive, Color
[ICC_Profile:ICC-header] Rendering Intent       : Perceptual
[ICC_Profile:ICC-header] Connection Space Illuminant: 0.9642 1 0.82491
[ICC_Profile:ICC-header] Profile Creator        : Apple Computer Inc.
[ICC_Profile:ICC-header] Profile ID             : ca1a9582257f104d389913d5d1ea1582
[ICC_Profile]   Profile Description             : Display P3
[ICC_Profile]   Profile Copyright               : Copyright Apple Inc., 2017
[ICC_Profile]   Media White Point               : 0.95045 1 1.08905
[ICC_Profile]   Red Matrix Column               : 0.51512 0.2412 -0.00105
[ICC_Profile]   Green Matrix Column             : 0.29198 0.69225 0.04189
[ICC_Profile]   Blue Matrix Column              : 0.1571 0.06657 0.78407
[ICC_Profile]   Red Tone Reproduction Curve     : (Binary data 32 bytes, use -b option to extract)
[ICC_Profile]   Chromatic Adaptation            : 1.04788 0.02292 -0.0502 0.02959 0.99048 -0.01706 -0.00923 0.01508 0.75168
[ICC_Profile]   Blue Tone Reproduction Curve    : (Binary data 32 bytes, use -b option to extract)
[ICC_Profile]   Green Tone Reproduction Curve   : (Binary data 32 bytes, use -b option to extract)
[Composite]     Aperture                        : 1.8
[Composite]     File Extension                  : .jpeg
[Composite]     Full File Name                  : image1.jpeg
[Composite]     GPS Altitude                    : 196.4 m Above Sea Level
[Composite]     GPS Date/Time                   : 2018:07:01 23:28:57Z
[Composite]     GPS Latitude                    : 43 deg 41' 55.09" N
[Composite]     GPS Longitude                   : 71 deg 38' 2.49" W
[Composite]     GPS Position                    : 43 deg 41' 55.09" N, 71 deg 38' 2.49" W
[Composite]     Image Size                      : 4032x3024
[Composite]     Megapixels                      : 12.2
[Composite]     Run Time Since Power Up         : 12 days 14:31:26
[Composite]     Scale Factor To 35 mm Equivalent: 7.0
[Composite]     Shutter Speed                   : 1/4
[Composite]     Create Date                     : 2018:07:01 19:29:00.626
[Composite]     Date/Time Original              : 2018:07:01 19:29:00.626
[Composite]     Circle Of Confusion             : 0.004 mm
[Composite]     Field Of View                   : 65.5 deg
[Composite]     Focal Length                    : 4.0 mm (35 mm equivalent: 28.0 mm)
[Composite]     Hyperfocal Distance             : 2.07 m
[Composite]     Light Value                     : 3.7
[Composite]     Time Zone                       : -04:00


Is this not what you get?

[london123]

No, using ExifTool version 11.1 it just shows a v  for that value (attached screenshot). The run time shown in nanoseconds on the v 11.1 version does match with what you show. I believe this photo had its date and/or time altered in the metadata. I have a reference photo from the same phone as was used for the suspicious  photo, taken 46 hours prior to the suspicious photo. If the metadata were accurate, the person taking the photo would had to have had the phone actively running for nearly 17 of those 46 hours in between the two photos.

[london123]

I attach a non-suspicious photo taken by the same iPhone as the suspicious photo, and taken 22 1/2 hours after the time shown in the suspicious photo. Curious to see what the run time for this looks like, relative to the suspicious photo.

Thank you again for your helpful insight.

[Alan Clifford]

Strange, I get a different value (1 second difference) using an older versuin of exiftool

exiftool -a -G0:1: image1.jpeg -exiftoolversion -runtimesincepowerup

Code Select Expand

[ExifTool]      ExifTool Version Number         : 10.79
[Composite]     Run Time Since Power Up         : 12 days 14:31:25


[Alan Clifford]

Second photo

exiftool -a -G0:1: E8F4DED1-F2B6-43EF-9237-32D81AD27229.jpeg -exiftoolversion -runtimesincepowerup

Code Select Expand

[ExifTool]      ExifTool Version Number         : 10.79
[Composite]     Run Time Since Power Up         : 13 days 7:25:55


[StarGeek]

I ran exiftool versions 10.69, 11.04, 11.12, and 11.33 on the "image1.jpeg" file you uploaded.  None of them returned a "v".

Versions 11.04 and 11.33 returned 12 days 14:31:26
Versions 10.69 and 11.12 returned 12 days 14:31:25

In all cases I used the Windows executable.

My perl version is a little messed up atm (says 11.01 [Warning: Library version is 11.10]) but it returns 12 days 14:31:25

Are you sure that's the proper image?  If you download what you uploaded and try again, does the same result happen?  What is the EXACT version of your exiftool  (run exiftool -ver) and what system are you on?

[london123]

The EXIF info was provided to me by a forensic expert so I'd have to defer to him as to exact specs of EXIF used and what hardware and software he used on his computer nd. I forwarded the email containing supicious photo to him directly.

If you'd like to message me I can give you details and contact info etc.

Turning to another point, the EXIF data says the suspicious photo (man pictured alone) was taken with the camera rotated clockwise 90 degrees, and it wasn't cropped based on resolution shown. But looking at the picture, it does not appear to have been taken with the iPhone horizontal (landscape). I am quite certain that this photo or at least it's metadata was maliciously altered.

Thank you.

[StarGeek]

Turning to another point, the EXIF data says the suspicious photo (man pictured alone) was taken with the camera rotated clockwise 90 degrees, and it wasn't cropped based on resolution shown. But looking at the picture, it does not appear to have been taken with the iPhone horizontal (landscape). I am quite certain that this photo or at least it's metadata was maliciously altered.

That is not an indicator of editing.  All cameras will take the picture in the horizontal.  They then set the Orientation tag to reflect how the image must be rotated to match the orientation of the camera when the picture was taken.  It is up to the software used to view the image to correctly rotate it and display it properly.  This image has the Orientation tag properly set to Rotate 90 CW.

[Phil Harvey]

I don't see the "v", and looking in more detail I can't see any evidence that the metadata in image1.jpeg has been altered:

1.  The metadata is structured exactly the same as the other image.  So it was either not edited, or edited by hand using a hex editor.

2. The image was compressed using the same quantization tables.  So the image itself was definitely not edited with any common image editor unless the quantization tables were replaced by hand, which is difficult to do.

3. The thumbnail images correspond to the originals, and use the same quantization tables.  It is unlikely that anyone would think of replacing the quantization table in the thumbnail image, so I'd have so say that these images are original.

- Phil

[london123]

The images are original, at least two of them and perhaps all three, but I believe the time and date were altered in the metadata for the man standing in the room photo. Either that or the person altered the iPhone time and date settings and then saved the pic to the phone thereafter. The file naming convention is suspicious. To my understanding, an unaltered iPhone image straight from the camera roll will be named sequentially with other photos taken, using the following format: IMG_1234.