How to Uncover Media Artifacts for Mobile Device Investigations

Media artifacts on a device – both captured with the device’s on-board cameras and transmitted to the device through various methods – can be another area of interest during an investigation. Media items are often a source of geolocation data, particularly those captured using device cameras.

A screenshot depicting Media Artifacts on an Apple iPhone SE (2nd Generation) in Magnet AXIOM.

Media items have become a crucial piece of evidence collection in mobile device investigations. They can provide visual proof of a crime or an alibi. Photos, videos, voice recordings, and GIFs can help digital forensic experts unravel digital footprints, from geo-tagged photos to timestamps on videos.

Media Artifacts in Investigations

When other forms of data may have been deleted or destroyed, media items tend to stick around. They can contain metadata, timestamps, and other useful information that can be used to reconstruct a suspect’s activities or track their movements.

The sorting and filtering capabilities within Magnet AXIOM Cyber make it possible to quickly filter to only those media items containing geolocation data. Additional filtering criteria make it easy to review those media items containing EXIF data indicating they were captured by the device.
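The EXIF fields this kind of review depends on (camera Make and Model, GPS latitude and longitude) can also be read straight from a JPEG. The following Python reader is an added example, not from the original article or Magnet's tooling; the function names, the sample image and its `ExCam`/`X1` values are constructed for illustration.

```python
from struct import pack, unpack_from

MAKE, MODEL, GPS_IFD = 0x010F, 0x0110, 0x8825  # TIFF/EXIF tag numbers

def _ifd(t, e, off):  # tag -> (count, position of the entry's 4-byte value field)
    n = unpack_from(e + "H", t, off)[0]
    rows = (unpack_from(e + "HHI", t, off + 2 + 12 * i) for i in range(n))
    return {tag: (cnt, off + 10 + 12 * i) for i, (tag, _typ, cnt) in enumerate(rows)}

def _text(t, e, cnt, pos):  # ASCII value; over 4 bytes the field holds an offset
    pos = unpack_from(e + "I", t, pos)[0] if cnt > 4 else pos
    return t[pos:pos + cnt].split(b"\0")[0].decode("ascii", "replace")

def _degrees(t, e, pos, ref):  # three num/den rationals -> signed decimal degrees
    v = unpack_from(e + "6I", t, unpack_from(e + "I", t, pos)[0])
    if 0 in v[1::2]:
        return None  # malformed: zero denominator
    deg = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -deg if ref in ("S", "W") else deg

def exif_summary(jpeg):
    i = 2  # walk segments after SOI until start-of-scan, looking for APP1 "Exif"
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] != 0xDA:
        size = unpack_from(">H", jpeg, i + 2)[0]
        if jpeg[i + 1] == 0xE1 and jpeg[i + 4:i + 10] == b"Exif\0\0":
            return _tiff(jpeg[i + 10:i + 2 + size])
        i += 2 + size
    return None  # no EXIF segment found

def _tiff(t):
    e = "<" if t[:2] == b"II" else ">"  # byte-order mark: II little, MM big endian
    ifd0 = _ifd(t, e, unpack_from(e + "I", t, 4)[0])
    out = {k: _text(t, e, *ifd0[g]) if g in ifd0 else None
           for k, g in (("make", MAKE), ("model", MODEL))}
    out["lat"] = out["lon"] = None
    if GPS_IFD in ifd0:
        gps = _ifd(t, e, unpack_from(e + "I", t, ifd0[GPS_IFD][1])[0])
        if gps.keys() >= {1, 2, 3, 4}:  # LatRef, Lat, LonRef, Lon
            out["lat"] = _degrees(t, e, gps[2][1], _text(t, e, *gps[1]))
            out["lon"] = _degrees(t, e, gps[4][1], _text(t, e, *gps[3]))
    return out

def sample_jpeg():  # constructed sample: EXIF-only JPEG, 43 deg 27 min N, 80 deg 30 min W
    body = (b"Exif\0\0II*\0" + pack("<IH", 8, 3) + pack("<HHII", MAKE, 2, 6, 50)
            + pack("<HHI4s", MODEL, 2, 3, b"X1") + pack("<HHIII", GPS_IFD, 4, 1, 56, 0)
            + b"ExCam\0" + pack("<HHHI4s", 4, 1, 2, 2, b"N") + pack("<HHII", 2, 5, 3, 110)
            + pack("<HHI4s", 3, 2, 2, b"W") + pack("<HHIII", 4, 5, 3, 134, 0)
            + pack("<6I", 43, 1, 27, 1, 0, 1) + pack("<6I", 80, 1, 30, 1, 0, 1))
    return b"\xff\xd8\xff\xe1" + pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

Truncated or corrupt EXIF raises `struct.error`, so catch it per file when running this over a whole DCIM folder.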

Top Media Artifacts for Android and iOS

Magnet Forensics has curated the following list of top media artifacts and where they can be found on a given device. Magnet AXIOM and AXIOM Cyber will surface these artifacts for you quickly and easily, and Magnet GRAYKEY and VERAKEY provide same-day access to the latest iOS and Android devices, but it’s important that you know where to look:

Android Media Artifacts

User Photos
/data/media/0/DCIM/Camera
/data/data/com.android.providers.media/databases/external.db
/data/media/0/bluetooth
/data/media/0/Download
/data/media/0/Pictures/Screenshots
/data/media/0/Pictures/Twitter

iOS Media Artifacts

User Photos
/private/var/mobile/Media/DCIM
/private/var/mobile/Media/PhotoData/Photos.sqlite
/private/var/mobile/Media/PhotoData/PhotoCloudSharingData/[DSID]

Leveraging Media Artifacts

While many examiners spend the bulk of their time using the artifact explorer in AXIOM Examine, other features like Timeline and Connections can help surface items of interest. The volume of artifacts from a modern mobile device examination can make it easy for potential media artifacts of interest to blend into the noise, almost hiding in plain sight.

Using the Timeline explorer can help to profile when a particular activity occurred on a device or provide context as to what a user was doing on their device at a certain time. The use of absolute and relative time filters can also help examiners find key details around points of interest in the timeline of a specific investigation.

A screenshot of the timeline view of a geolocation artifact in Magnet AXIOM.

The Connections Explorer provides a visual representation of how the various artifacts in your case are related. Using the distinct properties of each artifact, called artifact attributes, you can start from an artifact of your choosing – such as a screen name or phone number – and see how it relates to media artifacts in your case.

A screenshot of the connections view for a geolocation artifact in Magnet AXIOM.

These days, mobile devices often have greater storage capacity, even rivaling traditional computers. Still, the always-on, always-connected nature of mobile devices means that cloud-stored data cannot be overlooked. The Potential Cloud Evidence Leads dashboard is a great resource for identifying other sources of data which may be relevant to your investigation – particularly when mobile devices are involved.

A screenshot of the Potential Cloud Evidence Leads dashboard in Magnet AXIOM.

Applications on a device may not always store data locally, or there may be additional logs, usage, and analytics data available directly from the connected cloud account. The Potential Cloud Evidence Leads dashboard helps examiners by surfacing potential sources of cloud-stored data and accounts from the installed applications and accounts recovered on a device. This can provide an efficient method for directing further investigative efforts in a case.

If you haven’t tried Magnet AXIOM or AXIOM Cyber, request a free trial today.
