As technology advances, mobile screenshots, particularly of text messaging conversations, are becoming more prevalent in the discovery process. As forensic investigators, Vestige has seen plenty of mobile screenshots across many different scenarios. Almost all modern mobile devices have a function to preserve its own display. Screenshots can provide a wealth of information for investigators in regards to, data on or even data deleted from, the device. Text messaging conversations, emails, applications, and even other photos are all the subject matter of screenshots we have found on mobile devices we have analyzed. However, it is possible to fake a screenshot, particularly involving text messaging.
Fake Screenshot Generators
Just by Googling “fake a screenshot,” every result on the first page is either a tutorial or actual screenshot generators for faking text messaging conversations. On the website “iphonefaketext.com” for example, it is possible to enter various data values, such as contact name, carrier, message content, and even signal strength. Entering in enough detail can result in a very convincing faux screenshot of a text conversation.
A faked screenshot of a mobile device can occasionally be detected by anyone. Similar to other forms of malicious mimicry, such as phishing emails (See our blog on Ways to Guard Against Phishing Attempts for information on that subject), it proves surprisingly difficult to copy every detail correctly from an actual conversation. It may be that the date format is entered incorrectly, the carrier is not capitalized (AT&T as opposed to at&t), the text bubbles are the wrong color, the battery icon is in the wrong corner, and so on. While investigators have a sharpened eye for these miscues, the average user may be able to spot them as well.
How to Combat the Issue
Then what would happen if every detail of a screenshot was indistinguishable from the real deal? Vestige has a consistent forensic means to combat this situation through document authentication. Artifacts reviewed by Vestige are standardized and embedded in common image and audio formats that serves primarily as tag values. Artifacts typically included are date and time information of when the screenshot was taken, the device make and model that took the screenshot. Other artifacts, depending on device, can include values such as camera flash setting, GPS coordinates, image orientation, and other identifying information.
As an example, if a screenshot was claimed to have been taken with an iPhone, Vestige would expect an “Apple” identifier tag inside the image artifacts. Apple devices by default will insert various tags that reference Apple. Additionally, if the screenshot showed the time at the top of the screen, as Apple iPhones do, Vestige’s digital forensics experts would be able to verify if that time is reflected as when the image was created. It is through this type of analysis that these artifacts have been utilized by Vestige in a number of cases in order to authenticate images in general, and screenshots can be reviewed by the same means.
If you need professional assistance on mobile device forensics matters, including questionable screenshots with suspicion of falsified evidence, CONTACT Vestige Digital Investigations today.
By Ian Finch, CGFA,
Senior Forensic Analyst
Vestige Digital Investigations