Going Mobile: Metadata Considerations with Mobile Device ESI

In our last post, we discussed data types unique to mobile devices that are not only discoverable but often important in litigation and other discovery use cases.

When it comes to discovery of mobile devices, it’s not just the data that’s important for discovery, but also the data about the data – the metadata – that can be used to authenticate evidence, to determine whether the data has been tampered with or not, and to provide additional probative information about that evidence. In this post, we will look at some examples of metadata and how they can provide useful evidence in discovery.

EXIF Data

EXIF (Exchangeable Image File Format) data is a type of metadata embedded within image files, such as JPEG, which is automatically generated by digital cameras and smartphones. EXIF data provides detailed information about the image, the device used to capture it, and the settings and conditions at the time of capture. EXIF data includes:

• Camera Information: Such as the manufacturer and model of the camera or mobile device used and the serial number.
• Timestamp Information: The exact date and time the photo was taken, as well as the date and time it was last edited (if applicable).
• Image Information: The name of the file, the width and height of the image in pixels, and the compression type (i.e., the method used to compress the image).
• Exposure Information: Includes things like shutter speed, aperture, and ISO Speed (sensitivity of the camera’s sensor to light).
• Image Capture Conditions: Such as whether the flash was used, focal length, and white balance (color balance settings of the image).
• GPS Information: Geographical coordinates (latitude and longitude) where the photo was taken, the height above sea level, and the exact date and time the location data was recorded.
• Thumbnail: A small preview image embedded within the EXIF data for quick viewing.
• Software Information: The version of the software or firmware used by the camera or device and information about any software used to edit the image.

EXIF data can be important evidence in discovery. For example, timestamp information to determine whether a photo was taken at the time of an incident or taken at a different time to fabricate evidence associated with that incident.

GPS information can be used to determine the location of someone when the picture was taken. When John McAfee – the millionaire software executive who created McAfee anti-virus software was on the run after being suspected in a murder, the publication Vice published a story about him while he was a fugitive that included a photo of McAfee and Vice editor-in-chief Rocco Castoro taken with an iPhone 4S. None of them realized until after the story was published that GPS data identified their location in Guatemala. The GPS location is so precise, that it further identified them as being located “along the Rio Dulce in the Parque Nacional Rio Dulce. Near the Ranchon Mary restaurant. By a swimming pool”!

Software information can be used to determine whether a photo was edited. In the 2022 Johnny Depp/Amber Heard trial, the EXIF data of the photo of bruising on Heard’s face showed that the photo was saved using “Photos 3.0” – a photo editing software program – instead of the iOS version associated with the iPhone 6.

Other Examples of Metadata Used as Evidence

EXIF data is just one example of how metadata can be used as evidence. Here are some other examples:

• Browser History: Metadata such as URLs visited, timestamps, cookies, and cached files can provide information potentially important in discovery. For example, in this murder trial, the defense used a deleted Google search performed by one of the witnesses to support their theory that their client was being framed.
• App Usage Data: Information on which apps were installed, used, and the duration and frequency of their usage. This data could show, for example, what chat apps a custodian has used which they may have since deleted.
• Location Data: In addition to GPS data being tracked through EXIF data on photos, GPS coordinates can be collected through other apps (such as Life360 or FindMy) or the device’s built-in GPS. Even chat apps like Snapchat include location tracking capabilities, which became key evidence in this murder case.
• Wi-Fi and Bluetooth Connections: Metadata related to Wi-Fi networks and Bluetooth devices the mobile device has connected to, including network names, connection times, and device details. This could be used to show access to a network at a given time, such as when a cyberattack occurred.

These are just a few examples of metadata that can be discoverable – the list is continuing to change as new apps are developed and used on mobile devices. The sky is the limit!

Conclusion

Metadata is always important in discovery and given the wide range of apps used by mobile device owners, there may be more discoverable metadata on mobile devices than any other type of device. That’s why forensically sound preservation and collection from mobile devices is so important – it can literally make or break your case!

In case you missed the beginning of this series, you can catch up here, on the first blog, to explore how discovery of data from mobile devices has become more important, while also one of the most challenging forms of ESI to preserve and collect.Next time, we’ll discuss how mobile device data is being used in criminal investigations and the evidentiary and privacy considerations associated with those cases.

For more regarding Cimplifi forensics & collections capabilities, click here.