Digital pictures and video have transformed our lives. I have so many pictures and videos of my kids that by the time they are in college, I’ll have Terabytes of data. It is so easy these days to capture anything with a digital image. There is no need to worry about having film developed, or being careful to only take good pictures since you only have a limited amount of pictures left on the roll in your camera. Now, we’re only limited by the amount of storage space our digital devices have. As an example, the MicroSD card in most of our smartphones can contain over 18,000 pictures.
MicroSD cards now have a capacity of up to 64 GB
Often, digital images are involved in criminal investigations. Imagine the treasure-trove of information that can be obtained from a cell phone, tablet, or digital camera when it is seized from a suspect. In my experience, those involved in criminal activity just can’t help themselves when it comes to documenting their criminal activity in pictures or video. In literally hundreds of cases, I found suspects taking pictures of themselves using drugs, vandalizing property, committing arson, abusing children, and in some cases, even murder.
While having picture or video evidence of a suspect actually committing a crime is the type of evidence that makes a prosecutor excited about a case, the digital image is just the beginning of the story. Imagine if we could tell what camera was used to take a certain picture that was found on the Internet, or could link an image found on a suspect’s computer with their personal phone or digital camera found at their home? This is all possible thanks to something called metadata.
Metadata is simply extra information about a file, or some people refer to it as “data about data”. You are probably familiar with metadata but maybe not with the term itself. Have you ever right-clicked on a computer file and seen the properties? Dates, times, who was the author, when the file was last printed, etc., are all examples of metadata. For digital pictures and videos there is a specific kind of metadata that exists known as EXIF (Exchangeable Image File Format) data. EXIF data is information embedded in the image or video that can contain all or some of the information below (what is actually in the image depends on the camera manufacturer):
· Make of the camera that took the picture/video
· Model of the camera
· Serial number of the camera
· Date / time the image was taken (according to the camera’s clock)
· Flash settings
· Aperture settings
· Image resolution
· And more…
A forensic computer examiner can examine a picture or video for evidence of EXIF data and use special programs to interpret the information. There are many free programs available on the Internet to do this and many photographers use EXIF data to improve their photographs. In fact, EXIF data was originally created for photographers so they could look at their camera settings stored within the EXIF data to find out what settings worked or didn’t work when taking pictures under different conditions.
Screenshot from an EXIF data parsing tool
To illustrate how EXIF data can be used to solve a crime, imagine this scenario. I was investigating a case where an adult male was suspected of having a sexually explicit conversation with a 14-year-old female via the Internet. This adult male was sending explicit text messages and it gradually escalated to him sending images of…well, you can image, to the victim. When the victim reported this to a teacher at school, our unit became involved and we forensically analyzed the victim’s cell phone.
When reviewing the pictures on the victim’s phone, we found the pictures of the suspect. None of the images showed his face and all of them were obviously taken from inside of a residence. Since he sent the messages from his cell phone, we were able to trace the phone number they came from and identify the sender. When we reviewed the pictures sent from the suspect, each image contained EXIF data. The EXIF data showed that the pictures were all taken from a Samsung cellular phone and since he had his geotagging feature enabled on this phone, each image contained the latitude and longitude of exactly where the phone was when the image was taken. This allowed me to create a Google Earth map, which happened to place a big red dot right over the suspect’s apartment.
Just from the EXIF information we could prove that the particular sexually explicit image was taken by the suspect’s phone, from the suspect’s home, at a certain date/time (since phone’s clocks are generally set by the cell phone network, they are reliable). Another critical element to prove in a crime is that of venue (proving the crime happened within a certain jurisdiction). With EXIF data, it is not difficult to prove this at all, since we know the exact GPS coordinates of the crime scene.
EXIF data has also been used to locate victims or suspects of crimes from images and videos posted on the Internet. Imagine watching a video that was uploaded to the Internet which depicted the racially motivated assault of a person. If the camera used to create the video is capable of embedding EXIF data and the website the video was uploaded to doesn’t remove EXIF data, investigators can download the video and examine the EXIF data to potentially find out more information to lead to a suspect.
While EXIF data has proven itself to be an amazing tool for law enforcement, it has also been exploited by criminals. If you have used any of the geotagging features of your favorite social media sites (Twitter, Google+, YouTube, Facebook, Foursquare, etc.) then you are aware that you can share your location with your posts and pictures. This technology is similar to EXIF data by utilizing the devices internal GPS functionality to embed your longitude and latitude into your post.
Criminals have begun using this technology as another tool for cyberstalking. By downloading images and videos that people post to their personal websites or social media sites, tech-savvy criminals can do the same technique law enforcement employs to locate where someone was at when they created the image. If you are a victim of stalking or have been threatened by someone in the past and have gone to great lengths to hide from them, all it would take is them getting ahold of one image placed on a social network site taken by your cell phone or high-end digital camera with built-in GPS. If that picture was taken at your home, work, child’s school, etc. that’s all they would need to find you. It’s a scary thought and one that people must consider when using this kind of technology that is generally turned on by default.
Josh has a long history of public service, beginning in 1993 as a Firefighter and EMT. After eight years of various assignments, Josh left the fire service with the rank of Lieutenant when he was hired as a police officer.
Josh spent the next eleven years in law enforcement working various assignments. Josh worked as a patrol officer, field training officer, arson investigator, detective, forensic computer examiner, sergeant, lieutenant, and task force commander.
The last seven years of Josh’s law enforcement career was spent as the commander of a regional, multi-jurisdictional, federal cyber crime task force. Josh oversaw cyber crime investigations and digital forensic examinations for over 50 local, state, and federal law enforcement agencies. Under Josh’s leadership, the forensics lab was accredited by the American Society of Crime Lab Directors / Laboratory Accreditation Board (ASCLD/LAB) in 2009.
Josh has been recognized as a national expert in the field of digital evidence and cyber crime and frequently speaks across the nation on various topics. He has testified as an expert witness in digital forensics and cyber crime in both state and federal court on several occasions. He also holds a variety of digital forensic and law enforcement certifications, has an associate’s degree and graduated summa cum laude with his bachelor’s degree.
In 2012 Josh left law enforcement to pursue a full-time career in cyber security, incident response, and forensics supporting a federal agency. Josh now leads the Monitor and Control Team of a Cyber Security Office and his team is responsible for daily cyber security operations such as; incident response, digital forensics, network monitoring, log review, network perimeter protection, and firewall management.