How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database

 

Usually, the content of a photo, its EXIF information (if available), and/or its timestamp are generally adequate in most inquiries and the process by which any media file came to be on a particular device is self-evident. It could have been sent as a WhatsApp attachment, an MMS, taken by the host device camera, or so on. 

There are times, however, when a media file is important to a case and the “how it got there” is relevant, but is not obvious and often quite puzzling. Most of us have seen such a media file. It is simply among the media files taken by the host device. It may lack EXIF information or it has conflicting EXIF information, meaning it was taken by another device. In the midst of this all, the question remains: how did it get there? 

This question has an answer, one that can be found in the Photos.sqlite database. However, the answer does require a deep dive and some research to bring the answer to the surface. Fortunately, XAMN now does some of the work for you.   

In this whitepaper, we consider an actual case that occurred, the accusations and questions that arose, and the forensic answer. In this case, XAMN was displaying the ‘answer,’ but its meaning was anything but obvious. 

Find out how Steve Bunting, an experienced digital forensic examiner, got to the bottom of things and how XAMN made his investigation easier and more efficient.