Question on metadata
Quick question,

If you receive an email with a photo attachment, you save that then right click the properties and go to the details tab, is the date associated with its creation the true creation date?

My folks have a court case coming up and part of the argument hinges on whether they had an invoice in their possession or not at a particular date. The other side sent them an email on a date about one week later showing the invoice attached in his invoice book. When I saved the photo and checked its details it stated the photo was taken about 5 minutes before that email was received. One week after he claimed the receipt was given to my folks.

I don't know however if I'm interpreting information incorrectly or whether that is proof of any sort.

Re: Question on metadata [mv2005] [ In reply to ]
Your case hinges upon what device was used to create the image. If it's a regular old camera, it might be harder to tell what the image creation date & time was if the person never set the date within the menu function. But, if it is a cell phone or other mobile device, all images have a creation date based upon the device's internal clock setting (those are always up to date & time). I would do a more thorough search of the EXIF data, which may tell you what device was used and if there were any changes made to the original file. Sounds like they sent it from a mobile device, which means you got 'em!
Last edited by: EndlessH2O: Oct 18, 17 17:38

Re: Question on metadata [EndlessH2O] [ In reply to ]
Thanks for the response. Will check it out.

Re: Question on metadata [mv2005] [ In reply to ]
https://www.windowscentral.com/how-edit-picture-metadata-windows-10


Metadata can be manipulated.

Re: Question on metadata [mv2005] [ In reply to ]
I work in digital forensics now and I'm currently training to become an expert witness. EXIF data can absolutely be altered. Heck, just backdating the camera before the picture is taken is the easy way to fake a date. That stated, there are several fields in the metadata that contain different dates. What and how many can depend on the file system used. So they might have changed one date but not another if the pic metadata was altered after it was taken. You could run the file through something like FTK Imager and see some of the date info. Probably outside your scope, but the computer that was used to change the date would almost certainly leave a trail of the date being altered.

2018 Races:
Oceanside 70.3, Oceanside, CA, April 7th | Ironman Texas, The Woodlands, TX, April 28th | Finland 70.3, Lahti, Finland, June 30th | Jönköping 70.3, Jönköping, Sweden, July 8th

Gear: Dimond Bikes | Desoto Sport | Hoka One One

Re: Question on metadata [The GMAN] [ In reply to ]
Ok so in theory they could argue that my folks altered the date to a later date after receiving the email?

Sounds like we just let it run its course. Learnt that it got put back until March next year. Goodness knows why. Anyway thanks for the reply.

Re: Question on metadata [mv2005] [ In reply to ]
mv2005 wrote:
Ok so in theory they could argue that my folks altered the date to a later date after receiving the email?

Sounds like we just let it run its course. Learnt that it got put back until March next year. Goodness knows why. Anyway thanks for the reply.

Perhaps but if you're operating off the picture as it's originally contained within the email I don't see how they could make that argument. A copy of the picture downloaded or saved from the mail, yeah that argument could be made.

You could image the picture file in FTK Imager (which is available as a free download) and google how and where to read the hex info to discover the different dates (which are most likely some variation of created, accessed, and modified). There's software that will parse that out for you but it costs money. It's not hard to read the hex data for one file as the hex structure for a certain file is standard and universal. So the date fields would always be in the same place for a jpg, for example.
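
The separate date fields discussed in the replies above can be read directly from a JPEG's EXIF block. The following is an added example, not code from any poster in the thread: it uses only the Python standard library to walk the EXIF tag directories and return the three standard date tags. The function names are hypothetical, and the sample file and its dates are constructed for the demonstration.

```python
import struct

DATE_TAGS = {0x0132: "DateTime", 0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}

def exif_tiff(jpeg):
    """Return the TIFF block inside the JPEG's APP1 'Exif' segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length
    raise ValueError("no EXIF segment")

def read_ifd(tiff, off, bo, out, depth=0):
    """Walk one tag directory, following the Exif sub-directory pointer (0x8769)."""
    if depth > 2:  # crafted files can contain pointer loops
        return out
    (count,) = struct.unpack_from(bo + "H", tiff, off)
    for i in range(count):
        tag, typ, n, val = struct.unpack_from(bo + "HHII", tiff, off + 2 + 12 * i)
        if tag == 0x8769:
            read_ifd(tiff, val, bo, out, depth + 1)
        elif tag in DATE_TAGS and typ == 2 and n > 4:  # ASCII string stored at offset val
            out[DATE_TAGS[tag]] = tiff[val:val + n].rstrip(b"\x00").decode("ascii", "replace")
    return out

def exif_dates(jpeg):
    """Map each EXIF date tag present in the file to its stored string."""
    tiff = exif_tiff(jpeg)
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    return read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo, {})

def build_sample(original, modified):
    """Constructed EXIF-only JPEG for the demo (no image data, made-up dates)."""
    ent = lambda tag, typ, n, val: struct.pack("<HHII", tag, typ, n, val)
    tiff = (b"II" + struct.pack("<HI", 42, 8)  # header; IFD0 at offset 8
            + struct.pack("<H", 2) + ent(0x0132, 2, 20, 68) + ent(0x8769, 4, 1, 38) + b"\0" * 4
            + struct.pack("<H", 2) + ent(0x9003, 2, 20, 88) + ent(0x9004, 2, 20, 108) + b"\0" * 4
            + b"".join(t.encode() + b"\0" for t in (modified, original, original)))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"

if __name__ == "__main__":
    print(exif_dates(build_sample("2017:01:02 03:04:05", "2017:01:09 10:11:12")))
```

DateTime (0x0132) is the tag that editing software typically updates, while DateTimeOriginal and DateTimeDigitized record capture, so a mismatch between them is worth noting. The created, modified and accessed times mentioned in the thread are file-system timestamps and are not stored inside the JPEG itself.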