*Hint: If the topic of this post is of value to you, there is a special gift at the end of this post that may interest you.
Let’s say you have a digital photo that is evidence in your case, perhaps critical to the case. The questions: Who took the photo? How can you prove it? How can you tie the photo with a camera to the suspect?
In the context of this blog, a “photo” means an electronic file (image or picture). But some of what I am talking about can apply to a physical photo that may be pertinent to your case. This post mainly focuses on child exploitation investigations, but the methods apply to any case where digital photos are evidence in the case (civil, criminal, or an internal corporate matter). Whether it is a violent crime or stolen Intellectual Property, a picture can be worth a thousand words (or a conviction). As for the forensic 'how to', I am only writing on the 'what to do'. Most likely, you already know how to pull EXIF data from a digital photo, from within a forensic image of a hard drive or smartphone. If you do this job, you probably got that part mastered. For the part you don't have mastered (analysis and investigation!), this post is to shore that up.
Proving who took a photo is no different than proving who was behind a keyboard at a specific point in time. It takes a critical eye, an analytical mind, and an inquisitive attitude. Regardless if the camera was a typical digital camera or a smart phone, there are many aspects of looking at the digital photo to place the suspect behind the lens. Some or all of the following may or may not be available, but if you don’t look, you will not find.
Without direct evidence, it’s all circumstantial. But with enough circumstantial evidence, it’s enough to prove beyond a reasonable doubt that a specific person committed a specific crime. Without getting into “what is evidence”, let’s talk about the things you can find out about a photo that can constitute evidence.
First, the easy stuff, like metadata (Exchangable image file format, aka EXIF data). EXIF data is simply information about the photo (digital image) that is embedded in the photo. EXIF data is easy to pull out and see using forensic software, free software, and even through Windows Explorer. The type and amount of EXIF data depends on the settings and capabilities of the camera. For example, one camera may have GPS off by default while another camera has GPS on by default. Also, a user can turn off GPS from being embedded into photos by choosing the setting to turn it off. Some cameras may include a serial number or unique ID of the camera as metadata, while other cameras will not.
So, depending on the camera and the user selected settings, you may or may not some or all EXIF data to exam. Best case scenario, you get it all, or just enough to make your case. EXIF data is also the second thing to exam with a digital exam as content of the photo is usually most important. I’ll get into content as well as the EXIF data.
Each item below is relevant to an investigation as a source of evidence, corroboration of evidence, or leads to other evidence. The more you focus in looking at photos in this manner, you faster you become proficient in finding clues.
Device Used (EXIF data)
Make, Model, Type, Serial Number, Unique ID
If this data exists AND you have the camera, you are way ahead of the game because you have the camera used to take the evidence photo (unless it can be proven otherwise)
Geolocation (EXIF data)
Location of the photo
Having the GPS coordinates allows you to (1) find the location of the crime and (2) corroborate the GPS coordinates by visually inspecting the location to match the photo. As an example, GPS coordinates pointing to a specific location (such as a house), can be visited and confirmed by matching the photo to the location.
Date/Time Group-DTG (EXIF data)
Date and time of the photo
Important because if you can place the suspect at the location (see geolocation above) at the date and time noted in the EXIF data, you are getting close to tying the camera to the suspect.
Content of the Photo
The content can be (1) a photo of the crime, (2) a crime in and of itself, (3) corroborating evidence, or (4) any or all of these.
Examining the content can corroborate or disprove EXIF data. For example, if the DTG states December 15, 2016 at 2pm, and the GPS states Alaska, but the content shows a moonlit Hawaii beach, then something is wrong with the EXIF data. Conversely, if the content matches, such as a bright sunny day with a snow-covered tree in Alaska, then EXIF data is corroborated.
Of course, persons in the photo can be important. Victims, witnesses, and your suspect might be identifiable by visual inspection or facial recognition.
Items in the photo can be important clues. Electronic devices in a photo of a crime scene that have not been seized might be able to be identified. Violent crime scenes may show blood spatter that may have been cleaned, or perhaps a rug in the photo is no longer at the scene. New paint on walls can give some implication that damage (bullet holes?) may have been repaired and repainted over. Anything that is different from the scene as it sits as you see it compared to a photo taken at the time of a crime is suspicious.
Items that similar to other photos in other cases may be important as well. Using a tool such as Google’s Bedspread Detector can find items of similarity across other cases. Perhaps there is a child’s toy that is consistently seen in different photos, which could be an item used by the suspect in a child exploitation case.
Look at every item in a photo for clues. The content is just as important as the metadata.
Photos recovered from devices or media
Other devices that can be tied to the photo, such as computers, laptops, tablets, etc..
Same photo (by hash) or similar photo by content
Compare photos from recovered devices by hash, EXIF data, and content. The more devices you can identify, the more chance you have at tying the suspect to one or more of the devices.
Photos recovered from websites
From any website or social media site.
Although the EXIF data of photos is usually removed when uploaded to most social media websites, you still may have some EXIF data on other websites. Finding an evidence photo on the blog controlled by your suspect is a lead to tying it to your suspect.
Photos downloaded from the Internet
From any website or peer-to-peer connection
If a photo has been downloaded from the Internet, it may be tied to a camera, but, it might not be the camera of your suspect. However, a photo can be taken with a camera/smartphone with Internet access, in which the photo is uploaded to the cloud, and subsequently downloaded. An example would be a smartphone photo automatically uploading to a Dropbox account and the subsequently downloaded to the suspect’s Dropbox folder on his/her computer.
Another example of a download that can be tied to the suspect’s camera is where a WiFi digital camera is synched to a smartphone. Photos taken with the digital camera are automatically copied to the smartphone, which can then be sent to the cloud to sync with local storage on a computer. The smartphone and computer will show a “downloaded” photo, but the EXIF data will point to the camera used by the suspect.
Location corroborated by additional geolocation intelligence (place the suspect at the scene)
DTG corroborated by additional intelligence (suspected placed at the scene at a specific DTG)
Device corroborated by ownership/possession/control of photo device (who owns the camera)
Fingerprints on devices (in cases where photos are critical, it is critical to fingerprint the cameras)
Statements made by witnesses and the suspect (Claims ownership of the camera, but not the photo as an example)
Other photos taken by the suspect and uploaded (http://www.cameratrace.com/learn-more)
The photos taken of the crime scene matched against the photos you find
If you have a photo taken by the suspect of the crime scene, take your own photo to replicate the evidence photo at the same DTG. Place side-by-side to compare. What is missing? What is different? What is there now that wasn’t there before.
Don’t give up and don’t take shortcuts
Child exploitation cases generally have more than one photo and sometimes upwards of tens of thousands of photos (or hundreds of thousands!). Reviewing every photo is obviously labor intensive, but as one who has identified additional victims, found more evidence by looking, and closed more cases than not, I can say that it pays to look at the content and the EXIF data to the extent possible.
When software tools make it easier to do, use them to the extent they can do the work of many eyes to at least give you a dataset to find more clues and evidence. It is easy to find evidence when evidence is plentiful, but be sure to corroborate what you find. If you have GPS data, verify it. Does the GPS data and photo content match with the physical location? Check Google Maps to confirm, or better yet, visit the location if the photo content is important to the case.
Find one thing in this post to help make a case. Find closure for victims. Convict suspects. Prevent children from becoming victimized. All you need is one good clue, one good idea, one good lead, one drop of inspiration. I hope I gave one of these to you, or at a minimum, gave you something to think about that will be helpful in your cases.
This post was inspired by a conversation I had with perhaps the world’s greatest forensic company working in the field developing tools to do what this post describes. I also wanted to give a little bit of inspiration to push you into working harder, digging deeper, and thinking cleverly in your cases. I know you do a great job already, but if you are like me, you want to do better and learn more.
I created an entire online course in this area of investigations in addition to writing two books about it. And if you are reading this blog, I’ll give you a unique deal on the online course.
Use this link to register for Placing the Suspect Behind the Keyboard for $95 instead of the listed price of $799. http://courses.dfironlinetraining.com/placing-the-suspect-behind-the-keyboard?pc=blognb
The books are not included, but you do get the entire 12+ hours of learning to do what can make your cases: Placing the Suspect at the Keyboard. This discount is steep because the course content is important to the cases that mean everything. And you are getting it because you read my blog today. But you may want to hurry, the discount is good only for a few weeks and when the discount link stops working, the discount is over.