A Single Second Exposed…to the World?
Imagine this scenario. A woman’s boyfriend is traveling and sends her a photo from his iPhone of a hotel bed with a cuddly toy by the pillow and says he misses her. Sweet, right?
Not so, when the woman clicks on the “live” version of the photo. That version shows a brief second of another woman falling on his bed and laughing.
Is this a hypothetical situation? No, it actually happened earlier this year, according to this article from The Sun. Even worse for the boyfriend is the fact that the girlfriend he cheated on is a Tiktok influencer. Now everybody knows! A single second exposed his cheating to the girlfriend – and to the world!
What are Live Photos?
Live Photos are actually two files: 1) a still image, and 2) a 3 second video with sound. With Live Photos, your iPhone records what happens 1.5 seconds before and after you take a picture. Pressing your finger on a Live Photo makes it come to life, with the full audio captured for those 3 seconds. They can be viewed on iOS devices and Mac computers within the Photos app.
Apple introduced Live Photos with iPhone 6s and iOS version 9, so most iPhone users today have the ability to take Live Photos and many are doing so without even realizing it. The Live Photos setting is on by default, so many people don’t realize (or they forget) that the picture they are taking is accompanied by that 3 second video.
As for the still image, it is also typically unique when compared to traditional image formats. For iPhone 7 and above, the default image format is to take high-efficiency HEIC/HEVC pictures and videos. With that setting on, Live Photos are saved with an .HEIC picture but still retain a .mov file for the video portion. If you have an iPhone, you can check your setting here: Settings/Camera/Formats, to see if High Efficiency is set.
How to Identify Live Photos
There are two potential indicators of Live Photos on an iOS device. The first is that there will be two files with the same filename, but a different file type. So, a Live Photo could be represented by a .HEIC file (e.g., IMG_1208.HEIC) and also a .MOV file (e.g., IMG_1208.MOV). Normally, iOS saves pictures and videos in sequence, so the fact that two files have the same filename is an indicator that they comprise a Live Photo.
Finding all of those, however, can be very time consuming. Another way to find them (using a forensics application like Cellebrite Inspector) is to locate the universally unique identifier (UUID) within both members of the Live Photo. The UUID within Live Photos contains five sets of letters and numbers separated by dashes. The first set contains eight letters and numbers, the next three include four letters and numbers each, and the last set consists of twelve letters and numbers. Here’s an example of what the UUID can look like:
While searching for the UUIDs that identify Live Photo files within the collection may seem complex, it can be easily accomplished with a regular expression search looking for that pattern within the /mobile/Media/DCIM/ folder path (where pictures and videos are normally stored on the device). An experienced forensics specialist using a tool like Cellebrite Inspector can find the pictures and videos that comprise Live Photos with ease.
When self-collecting from iOS devices, many people don’t realize that collection of each photo actually entails collection of two files – not just the photo itself, but also the 3-second video that accompanies it. Certainly, many custodians don’t realize (or forget) that Live Photos exist, as evidenced by the example of the boyfriend above (or he wouldn’t have sent the “photo” that turned out to expose his cheating).
Discovery of Live Photos requires forensic expertise and an ability to link the photo and video together. A single second can literally expose the truth when it comes to mobile device discovery!
For more information about Forensic Discovery’s Mobile Phone Forensics services, click here.