Missing original date and time - help!

Started by SnooditBsr3, April 11, 2018, 10:40:40 AM


SnooditBsr3

I am trying to determine the original date and time of JPGs that were extracted from an iPhone 8 via Cellebrite.  For some reason the metadata coming back for the date and time is from when the cellebrite extraction took place!  I am new to ExifTool, although I have successfully read original date and time before from other pictures.  Can someone please help me?  Phil,  I did send you a message directly yesterday, but never heard back, and it's not even under my account as having sent it. 

Thank you,
Sierra

Phil Harvey

Hi Sierra,

This is the command to show all of the available date/time information from a file:

exiftool -time:all -a FILE

I didn't get the email you tried to send.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

SnooditBsr3

Hi Phil,

Thank you for the reply!  Even with the command line you provided, I am still only getting the Cellebrite extraction information...

File Modification Date/Time     : 2018:03:01 13:12:42-06:00
File Access Date/Time           : 2018:04:11 11:03:51-05:00
File Inode Change Date/Time     : 2018:04:11 10:29:27-05:00
Profile Date Time               : 2017:07:07 13:22:32

March 1, 2018 is when the Cellebrite extraction took place, and I am guessing the Profile Date Time is when the iPhone was set up?  I didn't think it was possible for Cellebrite to change the metadata, the pictures were supposedly taken in February 2018.  Any ideas or input would be greatly appreciated.

Sierra

Phil Harvey

Hi Sierra,

The ProfileDateTime is when the color profile was defined, and isn't useful to you.

Unfortunately there seem to be no other date/times in the file metadata.  The FileModification/Access/InodeChange date/times are from the filesystem, and not part of the metadata in the file.

So it looks like the file's metadata was basically scrubbed, and I can't see a way to recover the original date/times from this file. :(

- Phil

SnooditBsr3

Aware the 2nd and 3rd lines are from the filesystem, thank you.  Have you ever heard of cellebrite doing this before?  If the original date/time was available, so I know for the future, what would it have said?  Also, in general, after an extraction, the files are moved off of a USB drive to the computer, could that have caused the metadata to have been scrubbed?  I know my supervisor is going to want an answer as to how this happened, and I will be blamed.  I need to prevent it from happening again in the future.  Any advice you could provide would be greatly appreciated!

Sierra

Phil Harvey

For a typical JPEG image (with the -G1 option added so you can see the location of the information):

> exiftool -time:all -a -G1 a.jpg
[System]        File Modification Date/Time     : 2018:04:01 01:03:04-04:00
[System]        File Access Date/Time           : 2018:04:11 07:06:01-04:00
[System]        File Inode Change Date/Time     : 2018:04:10 08:09:19-04:00
[IFD0]          Modify Date                     : 2000:03:31 10:44:15
[ExifIFD]       Date/Time Original              : 2000:03:31 10:44:15
[ExifIFD]       Create Date                     : 2000:03:31 10:44:15


I've never heard of cellebrite, but lots of apps strip metadata from images.

- Phil

SnooditBsr3

Cellebrite is a Universal File Extraction Device used by law enforcement, government agencies, etc. to forensically extract data from devices.  I have also contacted them to find out how this could have happened, www.cellebrite.com.

I am also surmising then that the original GPS information would also have been scrubbed.  What would that command line be please?  I tried several from the examples, but nothing came up. 

On a side note to the date/time, I also got the following blanks; I'm guessing that is also because the original metadata is gone.

exiftool -T -createdate Pictures
-
-
-
-

Thank you,
Sierra

Phil Harvey

I don't think we can blame cellebrite if it is designed as a forensic analysis tool.  The times must be missing for some other reason.

Scrubbing the GPS is easy:

exiftool -gps:all= FILE will scrub the EXIF gps

or

exiftool -all= FILE will scrub all metadata from a JPEG file

Yes.  Dashes in the -T output indicate missing values.

- Phil

SnooditBsr3

I think I may have used the wrong term when I said "scrub". I don't want to remove any metadata, if that's what "scrub" means?  I am wondering if the original locale/GPS information on these same pictures may be available, even if the date/time is gone.  Are those command lines to read the GPS data, or remove it?  I'm sorry I'm confused.

Thanks,
Sierra

Phil Harvey

Quote from: SnooditBsr3 on April 11, 2018, 12:43:38 PM
I don't want to remove any metadata, if that's what "scrub" means?

Yes.  "scrub" = "delete" = "remove" = "you'll never see it again"

To read all the metadata, try this command:

exiftool -a -G1 FILE

The GPS will appear if it exists.  For videos, add the -ee option to this command to extract metadata embedded in the movie data.

- Phil

SnooditBsr3

What would the GPS info be called?  It's not showing anything relating to locale, and it's also blank under the Device name... This was the first command I used in trying to determine the date/time.  Thank you for the video GPS info.  Here's all that came up, basically dimensions, size, colors...

[ExifTool]      ExifTool Version Number         : 10.92
[System]        File Name                       : 0044~5005.JPG
[System]        Directory                       : .
[System]        File Size                       : 29 kB
[System]        File Modification Date/Time     : 2018:03:01 13:12:42-06:00
[System]        File Access Date/Time           : 2018:04:11 11:04:09-05:00
[System]        File Inode Change Date/Time     : 2018:04:11 10:29:27-05:00
[System]        File Permissions                : rwxr-xr-x
[File]          File Type                       : JPEG
[File]          File Type Extension             : jpg
[File]          MIME Type                       : image/jpeg
[File]          Exif Byte Order                 : Big-endian (Motorola, MM)
[File]          Image Width                     : 342
[File]          Image Height                    : 256
[File]          Encoding Process                : Baseline DCT, Huffman coding
[File]          Bits Per Sample                 : 8
[File]          Color Components                : 3
[File]          Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
[IFD0]          X Resolution                    : 72
[IFD0]          Y Resolution                    : 72
[IFD0]          Resolution Unit                 : inches
[IFD0]          Y Cb Cr Positioning             : Centered
[ExifIFD]       Exif Version                    : 0221
[ExifIFD]       Components Configuration        : Y, Cb, Cr, -
[ExifIFD]       Flashpix Version                : 0100
[ExifIFD]       Color Space                     : Uncalibrated
[ExifIFD]       Exif Image Width                : 342
[ExifIFD]       Exif Image Height               : 256
[ExifIFD]       Scene Capture Type              : Standard
[ICC-header]    Profile CMM Type                : Apple Computer Inc.
[ICC-header]    Profile Version                 : 4.0.0
[ICC-header]    Profile Class                   : Display Device Profile
[ICC-header]    Color Space Data                : RGB
[ICC-header]    Profile Connection Space        : XYZ
[ICC-header]    Profile Date Time               : 2017:07:07 13:22:32
[ICC-header]    Profile File Signature          : acsp
[ICC-header]    Primary Platform                : Apple Computer Inc.
[ICC-header]    CMM Flags                       : Not Embedded, Independent
[ICC-header]    Device Manufacturer             : Apple Computer Inc.
[ICC-header]    Device Model                    :
[ICC-header]    Device Attributes               : Reflective, Glossy, Positive, Color
[ICC-header]    Rendering Intent                : Perceptual
[ICC-header]    Connection Space Illuminant     : 0.9642 1 0.82491
[ICC-header]    Profile Creator                 : Apple Computer Inc.
[ICC-header]    Profile ID                      : ca1a9582257f104d389913d5d1ea1582
[ICC_Profile]   Profile Description             : Display P3
[ICC_Profile]   Profile Copyright               : Copyright Apple Inc., 2017
[ICC_Profile]   Media White Point               : 0.95045 1 1.08905
[ICC_Profile]   Red Matrix Column               : 0.51512 0.2412 -0.00105
[ICC_Profile]   Green Matrix Column             : 0.29198 0.69225 0.04189
[ICC_Profile]   Blue Matrix Column              : 0.1571 0.06657 0.78407
[ICC_Profile]   Red Tone Reproduction Curve     : (Binary data 32 bytes, use -b option to extract)
[ICC_Profile]   Chromatic Adaptation            : 1.04788 0.02292 -0.0502 0.02959 0.99048 -0.01706 -0.00923 0.01508 0.75168
[ICC_Profile]   Blue Tone Reproduction Curve    : (Binary data 32 bytes, use -b option to extract)
[ICC_Profile]   Green Tone Reproduction Curve   : (Binary data 32 bytes, use -b option to extract)
[Composite]     Image Size                      : 342x256
[Composite]     Megapixels                      : 0.088


Sigh. 

Thanks,
Sierra

Phil Harvey

Any GPS will show up with tag names that start with "GPS".

So there is some metadata in your file.  Just no timestamps or GPS.  Only very basic image-related metadata.

- Phil
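An added example, not code from the thread or from ExifTool: a minimal Exif walker in Python that reports whether a JPEG's APP1 segment carries a DateTimeOriginal tag and a GPS IFD pointer, which is exactly the pair the thread found missing. It also builds constructed sample files (the timestamp 2018:02:14 09:31:07 is made up) so a scrubbed file like the one above can be compared with an intact one without exiftool installed, for example when checking a batch of extracted images before they leave the workstation.

```python
import struct
EXIF_IFD_PTR, GPS_IFD_PTR, DATETIME_ORIGINAL = 0x8769, 0x8825, 0x9003  # Exif standard tag ids

def _read_ifd(tiff, off, end):
    """Return {tag: (type, count, raw 4-byte value/offset)} for the IFD at tiff[off]."""
    n, = struct.unpack_from(end + "H", tiff, off)
    rows = [struct.unpack_from(end + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n)]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in rows}

def exif_timestamps(jpeg):
    """Walk the JPEG segments; return (DateTimeOriginal or None, GPS IFD present?)."""
    pos = 2  # skip the SOI marker; stop at SOS (0xDA), after which no metadata follows
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, seglen = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            tiff = seg[6:]  # TIFF header: byte order, 0x2A, offset of IFD0
            end = "<" if tiff[:2] == b"II" else ">"  # II = little-endian, MM = big-endian
            ifd0 = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
            dto = None
            if EXIF_IFD_PTR in ifd0:  # the ExifIFD is where DateTimeOriginal lives
                exif_ifd = _read_ifd(tiff, struct.unpack(end + "I", ifd0[EXIF_IFD_PTR][2])[0], end)
                if DATETIME_ORIGINAL in exif_ifd:  # ASCII, 20 bytes, so the entry holds an offset
                    _, cnt, raw = exif_ifd[DATETIME_ORIGINAL]
                    off = struct.unpack(end + "I", raw)[0]
                    dto = tiff[off:off + cnt].rstrip(b"\0").decode("ascii", "replace")
            return dto, GPS_IFD_PTR in ifd0
        pos += 2 + seglen
    return None, False  # no Exif APP1 segment at all

def _ifd(entries):
    """Serialize a big-endian IFD: entry count, 12-byte entries, next-IFD offset of 0."""
    return struct.pack(">H", len(entries)) + b"".join(struct.pack(">HHI4s", *e) for e in entries) + b"\0\0\0\0"

def make_exif_jpeg(date_time_original=None, with_gps=False):
    """Constructed sample, not a real photo: Exif with optional DateTimeOriginal and GPS IFD."""
    tail = date_time_original.encode("ascii") + b"\0" if date_time_original else b""
    off_exif = 8 + 2 + 12 * (2 + with_gps) + 4            # ExifIFD follows IFD0 (at offset 8)
    off_gps = off_exif + 2 + 12 * (1 + bool(tail)) + 4    # GPS IFD follows ExifIFD
    off_str = off_gps + (2 + 12 + 4) * with_gps           # ASCII string data comes last
    ifd0 = [(0x0128, 3, 1, b"\0\x02\0\0"), (EXIF_IFD_PTR, 4, 1, struct.pack(">I", off_exif))]
    exif = [(0x9000, 7, 4, b"0221")]  # ResolutionUnit and ExifVersion only, like the thread's file
    if with_gps:
        ifd0.append((GPS_IFD_PTR, 4, 1, struct.pack(">I", off_gps)))
    if tail:
        exif.append((DATETIME_ORIGINAL, 2, len(tail), struct.pack(">I", off_str)))
    tiff = b"MM\0\x2a\0\0\0\x08" + _ifd(ifd0) + _ifd(exif)
    tiff += _ifd([(0x0000, 1, 4, b"\x02\x03\0\0")]) if with_gps else b""  # GPSVersionID 2.3.0.0
    app1 = b"Exif\0\0" + tiff + tail
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running exif_timestamps over each file copied off the extraction drive and flagging every (None, False) result gives the same answer as the thread's exiftool -time:all and -gps:all checks, so the step where the tags disappear can be pinned down.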

SnooditBsr3

Right, just no metadata relating to the 2 things I need lol

Do you have any idea why the Device model is coming up blank as well?

Thanks,
Sierra

Phil Harvey

All of the ICC stuff is only related to the color profile, and if set this DeviceModel will be the color model (like 'sRGB') and not your camera model.

- Phil

SnooditBsr3

Ahhh, got it.  Thank you for putting up with my questions, you're the best!

Sierra