2. Background and Related Works
2.1 Extraction of Timestamps from Multimedia Files
Mobile devices with built-in cameras save captured images as multimedia files (photo or video format) on storage media using a specific filesystem. The time values of a multimedia file can be extracted from the filesystem metadata or from metadata inside the file itself. MAC times can be extracted through filesystem analysis, and the digitalized time ($Di$) can be found in the exchangeable image file format (EXIF) data, which is internal metadata of the multimedia file. In addition, timestamps can be found in the filename (FN) because some digital devices, such as smartphones, cameras, or dashcams, use the timestamp as the filename when creating a new multimedia file. Some filesystems can also store the deletion time (e.g., EXT4) [3] or the last archive time (e.g., APFS) [4], but we mainly discuss MAC times because SD cards and USB flash drives on mobile devices are typically formatted as FAT32 or exFAT, which have no fields for the time the metadata was last changed, the deletion time, or the archive time.
FAT32, exFAT, NTFS, and EXT4 are the most commonly used filesystems for storage media on Windows and Android systems. Each filesystem stores MAC times and filenames in the directory entry, the $MFT entry ($STANDARD_INFORMATION and $FILE_NAME attributes), or the inode [5]. Because timestamps are updated by the mechanisms of each system, the timestamps extracted from a multimedia file mark the point at which the operation of taking the photo and creating the file was finished, that is, when the handle that made the change was closed. Moreover, even if a timestamp has been manipulated, this can be detected on NTFS on Windows, which supports the reliability of the analysis [6].
2.2 States of the Timestamp
Extracted timestamps are occasionally represented in natural language (e.g., September 20th, 2020 [7]) or as a human-readable ASCII string (e.g., 2020-09-20, 14:31:55 Z [8]); in practice, however, they are stored in binary form, shown as hexadecimal (e.g., 0x4B E9 66 5F, a 32-bit little-endian Unix time), and must be converted before they can be read. MS-DOS time [9], Windows file time, and Unix time are examples of timestamp representations that do not always carry the same information, especially in terms of resolution (Table 1). The resolution of the creation time in FAT32 is ten milliseconds ($10^{-2}$ seconds, a centisecond). In contrast, the last modified time has a resolution of 2 seconds and the last accessed time has a resolution of a day [10].
Because the filesystems of different volumes support different time resolutions, precision can be lost when a file is moved to another volume. This is a kind of information loss in a digital investigation. Also, when analyzing a file's metadata, misunderstandings can arise if the update of a time value is delayed relative to the file operation. Therefore, the processing of file timestamps between volumes must be understood.
Table 1. Resolutions of timestamps on filesystem metadata
3. Experiments on the Processing of Timestamps
3.1 Approach and Experimentation
To understand the mechanism of timestamps when creating a multimedia file on mobile devices, we considered common usages and activities when taking pictures and selected the subjects shown in Table 2. Since information about the timestamps of media files can be extracted from the filesystem or from internal file metadata, the present study examines the relation between the five timestamps, i.e., the MAC, Di, and FN time values. In particular, we examine the reversal of the timestamps of multimedia files when moving them from a mobile device to a PC.
Table 2. Subjects of the experiment and settings of digital devices
To build the dataset, we used each device's preloaded camera app in various modes to take photo and video files, including burst and panorama modes. Multiple products were selected to determine whether the handling differs according to the manufacturer, OS version, or camera app version. As a result, we confirmed that the handling of timestamps when creating multimedia files does differ due to these factors.
Cases of the reversal of timestamps were not easy to find on mobile devices. Still, we identified such cases, which occur due to structural restrictions of the filesystem and of the date/time representation. Furthermore, we determined the mechanisms for multimedia file creation on mobile devices and for copying files from a mobile device to a PC, which moves them from FAT32 or exFAT to NTFS or EXT4. To produce these experimental results, we compared the timestamps of photo and video files under standard file operations for five mobile devices (Table 2). We generated multimedia files based on expected scenarios, including taking photos, recording video, taking screenshots from a video, resuming the recording of a video after pausing, and copying and pasting a file. A SanDisk Micro SDHC Ultra 32GB was used as the external storage medium for storing the files. We used EnCase (ver. 8.09) to extract and analyze timestamps from the filesystem and ExifTool [11] by Phil Harvey to read EXIF data in JPEG and MP4 files. DCode [12] was used to decode the timestamp data, and the time zone is standardized as Korea Standard Time (KST, UTC+09).
In summary, the relation between the five timestamps of a photo is basically $Di \leq FN \leq C \leq M \leq A$. The digitalized time or filename value is smaller than the MAC times because, on mobile devices, the operation that creates the file usually precedes the processing by the filesystem. In other words, the processing of timestamps when creating multimedia files is determined by the division of work between the camera application and the operating system's library for managing the filesystem. This relationship can be easily observed in Case I in Fig. 1, where $Di = FN \leq C = M = A$. However, different manufacturers of mobile devices handle multimedia in different ways. In particular, we confirmed through experiments that the gap arises more readily when the mobile device lacks the performance to process multimedia quickly.
Fig. 1. Examples of extracting time values from a photo and a video using ExifTool.
Table 3. Experimental results for the resolution of timestamps on FAT32 and exFAT volumes and features of the time data of multimedia files (exceptional cases)
In exceptional cases, this relation no longer holds, and a reversal of the time values was identified. We discovered these cases when a number of photos were taken within 1 second or when a video was recorded for 1 second or more. Regarding the timestamps of the video file stored on the smartphone on the right side of Fig. 1, the last modified time is greater than the last accessed time. The examples in Table 3 show some exceptions in which timestamps were reversed. In the P#1, P#3, and V#1 cases, the created and last modified times were reversed because of the resolutions of the timestamps in the filesystem metadata. In the case of P#2, the points at which the camera application and the filesystem library handle the multimedia file differ slightly, by up to a second. For video files, the timestamps mark the start and end of the recording: in subjects #1 to #4, A represents the start of shooting and Di, C, and M represent its end. The following is a list of the filenames and scenarios of each dataset in Table 3; FN indicates the start time of the shooting. Since the filename is assigned as a time value in seconds, a delimiter is additionally appended to the filename, as in P#2 and P#3, to distinguish files with the same filename taken within 1 second.
- P#1: 20200902_134521.jpg – A first photo taken at Sep. 02, 13:45:21. [C > M, reversed due to the resolution of time values supported by FAT32]
- P#2: 20200902_134521(0).jpg – A second photo taken at Sep. 02, 13:45:21. [FN = Di < C, C may not coincide with FN or Di due to the sequence of internal operations]
- P#3: 20200902_134521(1).jpg – A third photo taken at Sep. 02, 13:45:21. [M > A, reversed due to the resolution of time values supported by exFAT]
- V#1: 20200902_134531.mp4 – A video file recorded at Sep. 02, 13:45:31 for 10 seconds. [C > M, reversed due to the resolution of time values supported by FAT32]
- V#2: 20200902_134531.mp4 – A video file recorded at Sep. 02, 13:45:31 for 10 seconds. [FN < Di, M > A, reversed due to determination of time values by the action to start (FN, A) or end (Di, C, M) video recording]
Since exFAT has higher precision than FAT32, we next look at examples related to it. As described in Section 2.2, when a file is created on a storage medium formatted with exFAT, the MAC times can logically differ from one another by 0.01 to 2 seconds. In practice, however, we confirmed that the time difference varies from device to device because of how the time increment value is used, as shown in Table 4. Among our subjects, #1 to #3 and #5 use only the increment values 0 and 100, whereas subject #4 uses the full range of 0 to 199 for the MAC times. Regarding the processing of video files, unlike the previous results, subject #5 uses the Di and C times for the start of shooting and the M and A times for its end, as seen in V#3.
- P#4: 20200902_134521.jpg – A photo taken at Sep. 02, 13:45:21 on subject #1, #2, #3 and #5. [M < A, A may not coincide with C or M due to usage of the time increment value for centisecond]
- P#5: 20200902_134521.jpg – A photo taken at Sep. 02, 13:45:21 on subject #4. [M < A, A may not coincide with C or M due to usage of the time increment value for centisecond]
- V#3: G0017331.mp4 – Video recorded at Sep. 02, 13:45:31 for 10 seconds on subject #5. [C < M, Subject #5 sets FN, Di, C of a file as a start timestamp of video recording and M, A of a file as an end timestamp (Also includes the same issue as P#5)]
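As an added example (my own code, not the paper's), the following Python models how one true event time is stored in the FAT32 and exFAT directory-entry fields described in Section 2.2 (a 2-second time word, a 10 ms increment of 0..199 for creation on FAT32 and for creation and modification on exFAT, and a date-only or 2-second access time) and reports which of the expected C <= M <= A relations the stored values violate. With the constructed event time 13:45:21.370 it reproduces the C > M reversal of P#1 and V#1 on FAT32 and the M > A reversal of P#3 on exFAT; the whole_second_only flag models the subjects in Table 4 that only write increments of 0 and 100. All function names are assumptions of this example.

```python
from datetime import datetime, timedelta

def fat_date(dt):
    """16-bit FAT date word: bits 15-9 year-1980, 8-5 month, 4-0 day."""
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day

def fat_time(dt):
    """16-bit FAT time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2 (2 s resolution)."""
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)

def fat_decode(date_word, time_word=0, increment=0):
    """Rebuild a datetime from FAT words; increment is in 10 ms units (0..199)."""
    base = datetime(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)
    return base + timedelta(milliseconds=10 * increment)

def fmt(dt):
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]   # keep centiseconds

def fat32_store(event):
    """(C, M, A) as a FAT32 directory entry would hold them for the true event time `event`."""
    dt = datetime.fromisoformat(event)
    d, t = fat_date(dt), fat_time(dt)
    increment = (dt.second % 2) * 100 + dt.microsecond // 10_000  # DIR_CrtTimeTenth
    c = fat_decode(d, t, increment)   # creation: 2 s word plus 10 ms increment
    m = fat_decode(d, t)              # last write: 2 s word only
    a = fat_decode(d)                 # last access: date only (1-day resolution)
    return fmt(c), fmt(m), fmt(a)

def exfat_store(event, whole_second_only=False):
    """(C, M, A) on exFAT: create and modify carry a 10 ms increment, access does not.
    whole_second_only models devices that only ever write increments of 0 or 100."""
    dt = datetime.fromisoformat(event)
    d, t = fat_date(dt), fat_time(dt)
    increment = (dt.second % 2) * 100 + (0 if whole_second_only else dt.microsecond // 10_000)
    c = m = fat_decode(d, t, increment)
    a = fat_decode(d, t)
    return fmt(c), fmt(m), fmt(a)

def reversed_pairs(c, m, a):
    """Which of the expected C <= M <= A relations the stored values violate."""
    return [name for name, (x, y) in {"C > M": (c, m), "M > A": (m, a)}.items() if x > y]

if __name__ == "__main__":
    # constructed event time for the P#1 / P#3 scenario (photo taken at 13:45:21, 370 ms)
    for store in (fat32_store, exfat_store):
        c, m, a = store("2020-09-02 13:45:21.370")
        print(store.__name__, c, m, a, reversed_pairs(c, m, a))
```

On FAT32 the access value is only a date, so any comparison involving A there is meaningful only at day granularity, which is itself the Table 1 resolution effect.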
In addition, because GoPro assigns filenames with a number that increases in the order in which the files are created, a specific time value cannot be extracted from the filename; only the order of creation of the multimedia files can be checked. Another mobile device that uses this method of assigning filenames is the iPhone [13]. However, we did not include it as an experimental subject because its data can mostly be acquired through logical imaging.
Table 4. Experimental results for the resolution of timestamps on exFAT volumes and features of the time data of multimedia files
3.2 Comparison with Experimental Data and Discussions
Most multimedia files are created with mobile devices, and fake photo or video files can be produced with techniques such as data forgery, composition, or deepfakes. Timeline analysis, a useful method for detecting file manipulation as an anti-forensic activity, requires reliable information about timestamps. For this purpose, we analyzed a combination of multiple timestamps stored in the filesystem (FN, C, M, A) or in the file ($Di$), without relying on a single timestamp [14].
The experimental results on the processing of timestamps when creating multimedia files on mobile devices are summarized in Table 5. Contrary to the generally expected relation between timestamps, the timestamps were reversed or inconsistent for legitimate reasons: the difference in the representation and resolution of time values supported by a filesystem, or the difference in internal operation between devices. These results can occur without any manipulation. Therefore, whether malicious or anti-forensic activity has been applied must be determined comprehensively and thoroughly from the analysis results of a target device with a camera function. The following discussion covers additional considerations regarding reliable factors and helpful information for digital investigations.
Table 5. Experimental results for the resolution of timestamps on FAT32 or exFAT volumes and features of the time data of multimedia files on mobile devices
Time series for the photos and videos. We assessed the relation between the five time values extracted from the external storage. This relation differs between photos and videos. For a photo file, the time series is $Di \leq FN \leq C \leq M \leq A$, but for a video file it is $FN \leq A \leq Di \leq C \leq M$. As shown in Table 5, the results also differ depending on the device.
Because mobile devices now support high-definition (HD) video recording, and it commonly takes more than 1 second to create a multimedia file, there are cases where the last accessed time is reversed [15]. Moreover, the sub-second part of a time value can be set to 0 when a file is moved from FAT32 or exFAT to NTFS or EXT4, which is caused by the difference in the time precision supported by the filesystems. For example, the created time of a photo file on NTFS can be stored as “2020-09-20 15:41:09.0000000 (0x80 30 E7 05 19 8F D6 01).” In practice, the probability of such a value arising during normal use of the system is very low, so it is likely to be the result of the file being moved from another volume formatted as FAT32 or exFAT, or of an anti-forensic technique applied to intentionally falsify the time values [6,16].
Rule for naming a file. The filename (FN) of a multimedia file is created with regard to either the time or the sequence of its creation. “20200915_103518.jpg” for subjects #1 to #4 and “G0017330.JPG” for subject #5 are examples of these two filename strategies. Obviously, a time value can only be extracted under the former strategy, which was the case for subjects #1 to #4 in the present study. If two or more files are created within 1 second in burst mode, a separator is appended to the filename, such as “20200915_103518(1).jpg.” Occasionally, we observed cases where the file with the larger number in parentheses was created first, but this occurred irregularly, and we could not explain why.
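As an added example (my own code, not the paper's), the following Python decodes the two raw values quoted on this page, the 32-bit Unix time from Section 2.2 and the NTFS FILETIME from the paragraph on moved files above, displays them in KST, flags the all-zero sub-second part that the paper associates with a move from FAT32/exFAT or with falsification, and reports which adjacent pairs of the photo or video sequence given under "Time series" are reversed. The function names and the sample dictionaries are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))                 # the paper standardises on UTC+09
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000      # 100 ns ticks from 1601-01-01 to 1970-01-01

def decode_filetime(raw):
    """Little-endian 64-bit Windows FILETIME ($STANDARD_INFORMATION / $FILE_NAME).
    Returns the UTC datetime and the leftover 100 ns ticks below one second."""
    ticks = int.from_bytes(raw, "little")
    seconds, frac = divmod(ticks - FILETIME_EPOCH_DIFF, 10_000_000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc), frac

def decode_unix32(raw):
    """Little-endian 32-bit Unix time (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(int.from_bytes(raw, "little"), tz=timezone.utc)

def kst(dt):
    return dt.astimezone(KST).strftime("%Y-%m-%d %H:%M:%S")

def looks_moved_or_altered(raw):
    """An NTFS time whose 100 ns part is exactly 0 is rare in normal use; the paper
    ties it to files moved in from FAT32/exFAT or to deliberate falsification."""
    return decode_filetime(raw)[1] == 0

# Expected sequences from Section 3.2 (equal values are allowed, hence <=).
PHOTO_ORDER = ("Di", "FN", "C", "M", "A")
VIDEO_ORDER = ("FN", "A", "Di", "C", "M")

def reversals(times, kind):
    """Adjacent pairs of the expected order that are reversed in `times`, a dict
    mapping the five labels to mutually comparable values (datetimes, ISO strings, ...)."""
    order = PHOTO_ORDER if kind == "photo" else VIDEO_ORDER
    return [f"{x} > {y}" for x, y in zip(order, order[1:]) if times[x] > times[y]]

if __name__ == "__main__":
    ft = bytes.fromhex("8030E705198FD601")               # FILETIME quoted in Section 3.2
    dt, frac = decode_filetime(ft)
    print(kst(dt), frac, looks_moved_or_altered(ft))     # 2020-09-20 15:41:09 0 True
    print(kst(decode_unix32(bytes.fromhex("4BE9665F"))))  # 2020-09-20 14:31:55
    # constructed P#1-style photo: C carries centiseconds, M truncated to 2 s
    print(reversals({"Di": 21.0, "FN": 21.0, "C": 21.37, "M": 20.0, "A": 21.37}, "photo"))
```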
Folders containing files. To further confirm the analysis result, the time values for a folder containing multimedia files can also be extracted in the filesystem metadata analysis. When a file is added to a folder, the MAC times of the folder change, but the folder does not have EXIF data, and its name is fixed, such as “/sdcard/DCIM/camera/” or “/MTP Client Disk Volume/DCIM/100GOPRO/.”
The creation time and last modified time of the folder have the same value as the creation time of the file, and the last accessed time of the folder is the same as the creation time of the first file generated after the storage medium was connected to a mobile device. Thus, the time data of a camera folder has the sequence $A \leq C \leq M$, and when a new multimedia file is created, the creation and last modified times of the folder are updated with the corresponding times. This makes it possible to determine the connection history across more than one device.
Timestamp changes when moving to another volume. Multimedia files are commonly moved from a mobile device to a PC or transferred between devices for viewing. During these operations, the volume on which the file is stored changes, and its time information changes accordingly. In the case of Windows, the most widely used system, the time values analyzed in NTFS [17] will differ from the information identified on the mobile device. The same occurs when the target is formatted with a different filesystem, such as EXT4 or APFS. Therefore, when a file is moved between volumes, the resolution of the timestamps supported by each filesystem must be determined, because the time fields of the moved file are set to NULL (zero) wherever the source does not supply enough time information for the target volume. For example, when a last modified time on FAT is moved to NTFS, “2020-09-02 13:45:21” becomes “2020-09-02 13:45:21.0000000.”
The same pattern can be observed when the time value has been manipulated with an anti-forensic tool. Thus, to avoid misinterpretation in this situation, other artifacts linked to the application's behavior must also be examined. For example, messenger apps delete or change EXIF data to reduce the size of the transmitted data. In other words, the results of analyzing timestamps in a digital investigation, including those of multimedia files, should be thoroughly cross-checked.