Ian Whiffin
Posted: 26th October 2021
Revised: 26th January 2022
This is another post prompted by discussions on various forums...
iOS Media Adjustment
iOS15 introduced an option to adjust both the Capture time and Location of media items right from within the Photo Gallery application.
From the Photo Gallery, view the image you want to edit and swipe up.
You will now see the option to Adjust both the time and the location.
What effect will this have on Digital Forensics?
I decided to do a few tests. Firstly, I took a photo and made the edits shown above. 25th October 2021 became 15th October 1066 and Calgary, Canada became Hastings, UK. (I also modified the timezone to reflect the UK).
Firstly, I decided to take a look at the image file itself. So I connected the phone to my Windows computer and accessed the iPhone.
It should be noted that iOS15 has changed the folder structure away from the APPLE100, APPLE200 we are used to and has moved to a combination of Year and Month in the format YYYYMM_.
Of note was that there was NO 106610_ directory on my device. The image I wanted was to be found in the 202110_ directory as you would initially expect.
NOTE: This change does not apply to the folder structure on the device, just the structure that is provided when you connect via Windows > Apple iPhone > Internal Storage
I copied the image directly from the device to my computer and viewed the properties, which appeared as if I hadn't changed a thing.
The data showing correctly, as if I had never made any adjustments.
I took the file into HxD to see what was happening there:
Again, the data shows as if I had never made any adjustments.
I also used MacOS Image Capture to view the image and it still showed up as if nothing had been changed.
Image Capture, still showing the original data.
Moving on, I decided to try AirDropping the image to another device. I sent it to both my Mac and to another iPhone (iOS14).
There was no difference in the outcome of the airdropped image, so I'll just cover it once.
Viewing the file properties in Windows, I could immediately see the change that I'd made.
No date is shown (Windows struggling with 1066?) and the GPS is now Hastings, UK.
Looking at the file in HxD, all values had been changed...
As expected, all dates/times and locations are changed to the adjusted values.
Except one. The EXIFENUMGPSTIMESTAMP still showed the original date the image was taken.
EXIFENUMGPSTIMESTAMP remained unchanged
I also logged into iCloud and checked the gallery there, only to find a record dated October 20th(!) 1066. The subsequently downloaded image was the same as the AirDropped image.
iCloud Gallery also shows the adjusted information
So it appears as though the original file is not altered on the original device. But iOS is altering the EXIF data upon sending the file via AirDrop or iCloud.
As for why iCloud was showing October 20th and not 15th? I'm sure there is a perfectly good reason, probably related to the fact that it's almost 1000 years ago and lots of weird stuff happened during that time. I don't know and frankly don't care too much. I just wanted a time far enough away from now to stand out. More realistic dates present as expected.
I digress.
Obviously, the next question then is, "What is being altered when the adjustments are made?". And as with most things, we find the answer in a database. Photos.sqlite specifically.
ZASSET
    ZDATECREATED: Affected by the change (also shows 20th Oct)
    ZLATITUDE: Affected by the change
    ZLONGITUDE: Affected by the change
    ZADDEDDATE: Unaffected
    ZANALYSISSTATEMODIFICATIONDATE: Unaffected

ZADDITIONALASSETATTRIBUTES
    ZSCENEANALYSISTIMESTAMP: Affected by the change
    ZTIMEZONEOFFSET: Affected by the change
    ZTIMEZONENAME: Affected by the change
    ZREVERSELOCATIONDATA: Affected by the change
    ZGPSHORIZONTALACCURACY: Affected by the change (Now shows -1)
    ZEXIFTIMESTAMPSTRING: Unaffected

ZCLOUDMASTERMEDIAMETADATA
    ZDATA: Unaffected

ZEXTENDEDATTRIBUTES
    ZLATITUDE: Unaffected
    ZLONGITUDE: Unaffected
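The affected/unaffected split above can be turned into a triage check. The following is an added example, not the author's code: it flags assets whose adjustable ZASSET values disagree with the persistent ZEXIFTIMESTAMPSTRING and ZEXTENDEDATTRIBUTES values. The join columns, the EXIF string format and both thresholds are assumptions, and the database is a constructed in-memory sample, not a real Photos.sqlite.

```python
import sqlite3
from datetime import datetime, timedelta

COCOA_EPOCH = datetime(2001, 1, 1)  # Core Data timestamps: seconds since this date (UTC)
MAX_TZ_SKEW = timedelta(hours=15)   # EXIF string is local time, so allow any UTC offset
MAX_GPS_DELTA = 0.01                # assumed threshold in degrees (about 1 km of latitude)

# Assumptions: child tables link to the asset via a ZASSET column; EXIF string is "YYYY:MM:DD HH:MM:SS".
QUERY = """
SELECT a.Z_PK, a.ZDATECREATED, a.ZLATITUDE, a.ZLONGITUDE,
       aa.ZEXIFTIMESTAMPSTRING, ea.ZLATITUDE, ea.ZLONGITUDE
FROM ZASSET a
JOIN ZADDITIONALASSETATTRIBUTES aa ON aa.ZASSET = a.Z_PK
JOIN ZEXTENDEDATTRIBUTES ea ON ea.ZASSET = a.Z_PK
"""

def find_adjusted(conn):
    """Map asset Z_PK -> which adjustable values disagree with the persistent ones."""
    flagged = {}
    for pk, created, lat, lon, exif_str, ex_lat, ex_lon in conn.execute(QUERY):
        reasons = []
        if exif_str and created is not None:
            db_time = COCOA_EPOCH + timedelta(seconds=created)
            exif_time = datetime.strptime(exif_str, "%Y:%m:%d %H:%M:%S")
            if abs(db_time - exif_time) > MAX_TZ_SKEW:
                reasons.append("date")
        if None not in (lat, lon, ex_lat, ex_lon) and (
                abs(lat - ex_lat) > MAX_GPS_DELTA or abs(lon - ex_lon) > MAX_GPS_DELTA):
            reasons.append("location")
        if reasons:
            flagged[pk] = reasons
    return flagged

def build_sample():
    """Constructed stand-in for Photos.sqlite: asset 1 untouched, asset 2 adjusted to Hastings, 1066."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZDATECREATED REAL, ZLATITUDE REAL, ZLONGITUDE REAL);
        CREATE TABLE ZADDITIONALASSETATTRIBUTES (ZASSET INTEGER, ZEXIFTIMESTAMPSTRING TEXT);
        CREATE TABLE ZEXTENDEDATTRIBUTES (ZASSET INTEGER, ZLATITUDE REAL, ZLONGITUDE REAL);
    """)
    conn.executemany("INSERT INTO ZASSET VALUES (?,?,?,?)", [
        (1, (datetime(2021, 10, 25, 20, 3, 12) - COCOA_EPOCH).total_seconds(), 51.05, -114.07),
        (2, (datetime(1066, 10, 15, 12, 0, 0) - COCOA_EPOCH).total_seconds(), 50.85, 0.57)])
    conn.executemany("INSERT INTO ZADDITIONALASSETATTRIBUTES VALUES (?,?)",
                     [(1, "2021:10:25 14:03:12"), (2, "2021:10:25 14:05:40")])
    conn.executemany("INSERT INTO ZEXTENDEDATTRIBUTES VALUES (?,?,?)",
                     [(1, 51.05, -114.07), (2, 51.05, -114.07)])
    return conn
```

Calling find_adjusted(build_sample()) flags only asset 2, for both date and location. Against a real extraction, open a working copy of Photos.sqlite read-only and confirm the join columns against its schema first.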
To conclude the testing, I checked the receiving iOS device to see what was in the database there.
As expected, pretty much all records suggest the photo was taken in Hastings in 1066. But as with the original device, the ZADDEDDATE is current.
Wrapping Up
Despite the initial concerns for the effects this change could have, I don't think it's as bad as it seems.
Photos taken on the device being examined still appear to have enough persistent artifacts to tell that changes have been made. It may just take a little more digging.
The even better news is that tools such as PA already draw the information from the images themselves, not the database. So all media taken with the device being investigated should present unaffected. Media taken on a different device will cause more confusion, but likely won't be as important anyway in most cases. Cloud backups are where things could get really fun. But I'll leave that for another day.