While working on a forensic investigation that involved a Blackberry 8310 I ran into an issue that just didn't settle right with me. I wanted to ensure that, beyond a reasonable doubt, the EXIF time stamp embedded within a photo taken by the Blackberry device was written accurately by the device. Before signing off on the validity of the EXIF time stamp, something just didn't seem right. After digging around and doing countless tests, I was surprised that I was able to consistently recreate a failure whereby the incorrect time stamp was written to the original date/time EXIF field. Here are additional details:
DEVICE: Blackberry Curve 8310 smartphone (EDGE)
VERSIONS: v22.214.171.124 (Platform 126.96.36.199) & v188.8.131.52 (Platform 184.108.40.206)
DATE/TIME SOURCES: Blackberry & Network
ADDITIONAL ENABLED SETTINGS WORTH NOTING:
- PASSWORD (options | security options | general settings | password)
- BACKLIGHT TIMEOUT value of 30 seconds (options | screen/keyboard | backlight timeout)
- SECURITY TIMEOUT value of 1 minute (options | security options | general settings | security timeout)
The EXIF original date/time embedded within a photo taken by the Blackberry 8310 had the incorrect time stamp. Consistently and repeatedly I was able to have the Blackberry device write the incorrect time stamp to the EXIF field. The EXIF original date/time was inconsistent with the actual date/time that the photo was taken in addition to the “Last Modified” time displayed by the Blackberry device.
SCENARIO REPRODUCING THE PROBLEM:
- I take a photo with the Blackberry at 0600 on 1/22/2009. The image name is IMG00001. Using the Blackberry and looking at the properties of photo IMG00001 I see the correct “Last Modified” date and time of “Jan 22, 2009 6:00AM”. Emailing the photo to my email address I then view the EXIF data of the photo on a separate forensics system and see the correct original date/time of “2009:01:22 06:00:00”.
- An hour passes. I delete IMG00001 from the Blackberry and then take a photo at 0700 on 1/22/2009. The image name is IMG00002. Using the Blackberry and looking at the properties of photo IMG00002 I see the correct “Last Modified” date and time of “Jan 22, 2009 7:00AM”. Again, I email myself the photo and view the EXIF data of the photo on a separate forensics system. However, this time I see the incorrect original date/time. The EXIF field shows “2009:01:22 07:02:00”.
- [update: 1/23/2009] - I can also reproduce this EXIF incorrect time stamp issue without deleting photos. This issue presents itself only with the first photo taken after the phone has automatically locked, requiring a password to unlock before the said photo with the incorrect EXIF time stamp can be taken by the device. Subsequent photos taken before the security timeout locks the device have the correct EXIF time stamps.
An assumption is made that the Blackberry device is writing the correct date/time within the EXIF data when a photo is taken with the device. EXIF data within photos could potentially be used as evidence to support what an individuals recorded statement (e.g., whereabouts at a given time). From my tests there’s reasonable doubt that the EXIF time stamp of a photo taken by a Blackberry 8310 device (and perhaps others) may be incorrect. Therefore, EXIF time stamps from photos used as evidence becomes highly questionable and ultimately, and likely, could be rendered irrelevant.
ADDITIONAL NOTES & QUESTIONS:
- Blackberry and RIM have been contacted to investigate and confirm the issue.
- I was able to reproduce this issue on a single Blackberry Curve 8310 which was initially running v220.127.116.11 (Platform 18.104.22.168). I was also able to reproduce the failure after upgrading the same Blackberry Curve 8310 to v22.214.171.124 (Platform 126.96.36.199).
- I viewed the EXIF data on a Mac using both “EXIF Viewer” and “Preview”. I viewed the EXIF data on a Windows XP system using “InfranView” with the EXIF plugin installed.
- Can others reproduce the same issue on 8310’s running similar and/or different firmwares?
- Can others reproduce the same issue on non-8310 Blackberry devices?
- [update: 1/23/2009] - Could this be a residual artifact of the security lockout feature? (will need to test after disabling the security timeout)