Snowden Didn’t Tell You Everything…


What Snowden Didn’t Tell You


It is no secret that the NSA has been under an amplified amount of scrutiny in recent months. In fact I am writing this rather late as a matter of breaking news.They have Edward Snowden to thank for all the publicity, as well as the recent difference in ruling between two judges.
“The decision, from Judge William H. Pauley III in New York, could not have been more different from one issued on Dec. 16 by Judge Richard J. Leon in Washington, who ruled that the program was “almost Orwellian” and probably unconstitutional.” Source: NY Times
From the same article quoted above, we read; “vacuums up information about virtually every telephone call to, from or within the United States.” That information is “metadata” — the phone numbers involved, when calls were made and how long they lasted.” If you think that metadata is only when calls are made and how long they lasted, then just stop reading this. Snowden I am sure knows this all to well.
True, metadata is about the phone number involved and how long the call lasted, but metadata is so much more. Saying metadata is simply about who you called and how long it lasted is the preschool description of the plethora of data available to people with the right skills, hardware and software. People like me and Snowden,those in my industry and those within the NSA.
By education, profession and daily practice, I am a computer forensics analyst. We have many titles and methods of specialization, but one thing we all deal with in this profession is metadata. Metadata is data describing a file or its properties, such as creation date, author, or last access date. It also offers up invisible information that different programs attach to each file. Most of the time I hear it referred to as “data about data”.

I want to give you an idea of what types of data can be found about the data you send across “the wire” on your phone. From that point you can make your own decision. We must remember that phones today are simply extensions of our own MAC or PC that we keep on our desk at home or at work. If you can send it on your phone (pictures, text messages, multimedia messages, email, apps on your phone like kik, facebook messenger or google maps), metadata is now fair game for the NSA according to Judge Pauley. And believe me when I say they all contain metadata.

Email Metadata
Within Outlook Express emails you can find the account name, account registration key, answered, answered message ID, digitally signed, email size, has attachment, Hotmail message ID, marked, message ID, message offset, priority, recipient address, recipient name, sender address, sender name, server, server info, subject thread ignored, thread watched, time message was saved, time received, time sent.
Within Outlook/Exchange features can tell us; attachment MIME tag, comment, content count, conversation index, conversation topic, delete after submit, entry ID, From, Importance, Internet message ID, MAPI Display Name, message class, message size, originator delivery report requested, provider submit time, read receipt requested, received by email address, received by name, received representing email address, reply receipt names, resend, sender email address, sensitivity, sent representing email address, sent representing name, store entry ID, submitted, transport message headers.
Standard email metadata can include; attachment, attachment count, BCC, CC, delivery time, email file, email thread ID, forwarded, from, from email, has attachment, reply, subject, submit time, to, unread, unsent.
While many of these you may have never heard of; in the right circumstance and over a period of time a great deal can be learned about a person from any one of these items.

Mobile Phones
When it comes to mobile phones, this is what most people are concerned about with the NSA and its ability to peer into our lives. Mobile device metadata covers a vast amount of data since you can do almost everything on your cell phone that you are able to do on your home or work computer.
Within the calendar on a phone we are able to see calendar events, call history can provide the call duration, call number, call time, and call type. Text messages can include; SMS: From number, SMS: Time Received, SMS: Time Sent, SMS: Time zone of sender, SMS: to number, SMS: Type. In this context, the NSA or anyone else doesn’t need to see the actual message itself when you have this type of information contained in the metadata. Again this info compiled over a period of time reveals much of a persons habits.
Do you have facebook on your phone? Most people that have smartphones have facebook on their phone. As I currently look at my friends list on facebook I see 45 of my 66 friends online currently signed into facebook are listed as mobile right now. Do you use messenger on your facebook account? Many people can be easily located by facebook messenger. Once you have sent a friend a message, you are giving up your GPS location and you don’t have to be a computer forensic examiner to find it either.
Digital photos have become the norm. Most professional photographers use digital cameras and the term “selfie” was rated the most popular new word in 2013. 91% of adults have cell phones in the United States. Within digital photos we can discover the following…
Camera model, Camera serial number, Exposure setting, Date and time picture was taken, GPS coordinates, GPS version ID, Latitude and longitude, Altitude, GPS timestamp, Image description, Software and Author. To be honest I am sure I am missing a few more as well.
GPS latitude and longitude coordinates of where you were standing when the photo was taken. So it might necessarily not matter what the photo was, but rather where you were and what time it was when it was taken. This info has proved helpful in numerous law enforcement cases.
For example, a marijuana grower in an unnamed state took a picture of the season’s crop and sent it to his boss. The grower was picked up later that year for unrelated charges. The suspect (grower) had his phone confiscated and a warrant was obtained for the information in it. Police were able to find the pictures which contained the GPS data and who he had sent the photo to. This lead to the takedown of a mid-size drug ring operating in the United States. This is a good example of metadata being used to aid law enforcement, but does the NSA need to know exactly where you stood on a beach or had your daughter’s birthday party?

“Documents” come in many different forms. Word, Adobe Acrobat, HTML and XML as well as text documents among others, but I would assume that if I were to survey 100 people and ask them the to tell me the first thing that comes to mind after saying document, I would say the most popular term might be a Word document. Documents have some specific features that become available if you email the document from your phone. With the correct equipment(all easy to obtain) one can see the path from which the document has been stored, see the file type such as Microsoft Word or Adobe Acrobat and can give you information on the modified, access and created date of the document. An entirely separate article could be written on the subject of what we refer to as MAC time of a document. Many qualified people have written on the subject, so I do not wish to dive into the matter further.

Is it right that just because you might come in contact with the “wrong” person, that the NSA has the right to view your GPS location, email statuses, or photo GPS coordinates just because the NSA says they are protecting you? That is a matter of opinion I suppose. Some people call it an invasion of privacy; others call it your government looking to protect you. Either way, your personally created data is not personal. Count on the fact that if it’s electronic, then it’s not personal or protected by any legality in this country. The NSA today is the equivalent of having a colonial soldier in your home listening and watching to your every move in 1776. Communication/Information is the crux of our society today.
While I have touched on metadata, much more can be studied on the subject to fully understand what types of information you are giving out freely when you use your smartphone. Technology is a fantastic thing. It improves communications and improves the quality and safety of our lives. The question we must ask is what are we willing to give up once we understand what we are giving up?
I wonder if Judge Pauley or Senator Feinstein would be willing to submit their phones to me for examination. I could create a wealth of uncomfortable data on either of them by only using the metadata. If it’s not a big deal for us to give up our information, then it shouldn’t be an issue for them as well. I doubt those phones will be hitting my office anytime soon.
Even more damaging is what you can learn about a person once you start patterning them through the use of metadata. The grad students at Stanford did an excellent job of showing how much can be learned about a person once this type of data can be patterned and tracked. Should this require a search warrant? I leave that up to you.

Many other tools exist to bring in even more data. FOCA and Wireshark are two popular tools that can be used in their respective right to find hidden data in different aspects. Many other tools exist that can be purchased on the open market by everyday individuals to collect data in legal and illegal manners. So one can only imagine what a federal agency with an endless wallet and the brightest minds can accomplish?

Trent L. Leavitt is the Co-Founder of Decipher Forensics LLC. Mr. Leavitt has handled cases involving multi-million dollar lawsuits in commercial litigation, construction defect, intellectual property, missing persons, family law, incident response, and has assisted law enforcement in criminal matters as well. Trent holds a B.S. in Computer Forensics & Digital Investigation from Champlain College in Burlington, Vermont. Trent is a former FBI liaison in computer forensics for AccessData where he assisted numerous government entities in criminal computer forensic matters. He currently resides in Utah and can be reached by email at

Mobile Forensics in the Law

Mobile Forensics is something that if you don’t know what it is, you should, and hopefully will after reading this article.

Mobile Forensics is the practice of acquiring data from a mobile device and analyzing the data in a forensic manner.

First, what is stored on a mobile phone? What are some of the things that can be found? Think about your own phone. All of your contacts, text messages, emails, browsing history, banking information, pictures, videos, social media, shopping information, calendar, access to your cloud storage, and maybe in all of that, some information you wouldn’t want anyone else to ever see.

Most of the information listed above can be retrieved through mobile forensics.

Sometimes, even deleted information can be recovered on mobile devices.

So what does that mean for your case? How could this help?

Banking information from banking apps and browser history to find hidden financials in a divorce case or an intellectual property case. Recover photos, social media, emails, and text messages for a divorce case to prove infidelity. Emails and text messages could be used in an intellectual property case to prove an employee stole company property. We can even track the previous locations of a device to see if someone has broken a restraining order.

All of this information can be retrieved from regular old “dumb” phones, as well as smart phones, and even tablets. All of this can be achieved through a simple electronic discovery request.

So what kind of devices can have information retrieved from? Just about any Android device can have basic information pulled from it, and most Android devices can be rooted and have everything pulled off of it, including deleted information. Newer iPhones can have some information pulled from them, but iPhone 4 and older can have everything pulled from them like most Androids.

We at Decipher Forensics have retrieved many evidentiary items from mobile devices. Several months ago we even figured out how to retrieve Snapchats from Android devices. We have recovered deleted text messages that provided additional evidence that a mother shouldn’t have custody of her kids because she was providing them with alcohol. We’ve recovered videos and messages from social media applications that led to the recovery of a missing child. We have also recovered internet history evidence from an iPhone that added evidence of a cheating spouse.

If you have a case where you think mobile device information could be helpful, give us a call at 800-537-3424 or email us at

Quarterly Review 2013

I was recently having a conversation with my business partner Mike and an attorney. When the attorney asked us the types of cases we normally work on, the first thought I had was that we have yet to experience a “normal” case. His question sparked the idea to let our past, current and potential clients know on a more regular basis the types of cases that come to us each quarter. I will of course be vague and always leave out names and locations, but wanted to give an idea of cases that are brought to us. I hope you find it interesting.

  • We were able to recover deleted text messages for a case involving an inappropriate relationship with a minor.
  • Worked with counsel to provide proof positive information regarding the intellectual property theft from computers from a major corporation.
  • Worked diligently to find information concerning alleged child sex abuse and deviant pornography behaviors that supports the claims of the minor child involved.
  • Teamed up with a private organization from NY to forensically test a software cell phone application for personal information left behind on the phone, thus preventing security flaws.
  • Contracted with a personal banking cell phone application to find personal security information flaws.
  • Successfully recovered 9 mobile devices that were otherwise damaged and unable to recover information from.
  • Successfully worked with the F.B.I. to recover information from a tablet and an iPhone that directly lead to the recovery of a teenager who had been missing for over a week. This was done on a strictly volunteer basis.
  • Recovered over 20 hard drives for customers that had crashed or had become inoperable.
  • Successfully recovered vital information for counsel in a wrongful death case.
  • Assisted forensic accountants in 100 million dollar Ponzi scheme case.
  • Used custom built password/decryption breaking machine to break difficult encryption in record time. (Machine operates at 5 BILLION password attempts per second)
  • Provided information to numerous attorneys on writing discovery requests that cover all areas of electronically based discoverable information in civil cases.
  • Provided multiple forensic collections for law offices throughout the country.
  • Successfully deployed “man in the middle” attack for an employer seeking info on deviant activity of an employee.

I hope this provides additional insight into what we might consider “normal” case work. We perform all standard computer forensics and have experience working with attorneys, private investigators and law enforcement. In addition you see that we have the ability to break passwords and encryption, recover and perform cellular forensics among other services.

Snapchat Image Recovery




Snapchat is a mobile application that is available on iOS and Android mobile devices. The application allows the user to share pictures and videos with other users, and allows the sender to set a specific time limit from one to ten seconds that the receiver can view the message. The receiver of the message has that long to view the message, then the message “disappears forever.”

Snapchat moves “upward of 150 million photos through the service on a daily basis.” Compared to Facebook’s Instagram, which moves 40 million photos a day, that is a lot of photos moved for such a new company. The app differs in the fact that images and videos are ephemeral rather than permanent, something that is attractive to teens and young adults.

We wanted to know if “snaps” really do “disappear forever,” if there is metadata associated with “snaps,” if “snaps” can be recovered after becoming expired, and if they can be recovered, if there is metadata associated with the expired “snap.”

Based on the home screen for Snapchat, it is clear that these time stamps are stored some place, it is just unclear if they are recoverable. However, they are stored somewhere, even for expired “snaps.”


We used two android devices to examine artifacts left behind by Snapchat. An account (rhickman1989) was created on a Samsung Galaxy Note 2, and pictures and videos were sent to another account (DeciphForensics). The receiving account was logged into on a Samsung Galaxy S3, when some of the images and videos were viewed, while others were not. We then acquired the phone using AccessData’s Mobile Phone Examiner+ version After the acquisition was complete, the image was exported as an .AD1 image file, and then imported to AccessData’s Forensic Toolkit version

After a brief examination of the contents, a different account (decipforensics2) was created on the Samsung Galaxy Note 2, and more pictures and videos were sent to the account on the Samsung Galaxy S3 (rhickman1989). This was to determine if there are identifiers for the sender account of a “snap.” The same acquisition process was followed again after the second batch of “snaps” were sent.

After another brief examination of the contents, pictures and videos were sent from the Samsung Galaxy S3 with the rhickman1989 account to both the DeciphForensics and DecipForensics2 accounts. The same acquisition process was followed again after sending these “snaps.”

All examination took place using AccessData’s Forensic Toolkit version

Snapchat Structure

The majority of Snapchat data is stored within the data/data/ folder. There are four folders within this directory, with two folders within the cache folder.

Examination of the Samsung Galaxy S3 revealed that within the shared_prefs folder are several XML files: CameraPreviewActivity.xml,, com.snapchat.android_preferences.xml, and SnapPreviewActivity.xml.

The com.snapchat.android_preferences.xml File

This file is where the majority of information stored by Snapchat is located. Within this file is a listing of all the contacts stored on the device. This is done with the permission allowed by the user for the application to read the contacts on the device.

Below the list of contacts is a listing of Snapchat messages. It appears that there is a set of fields stored for each message in Snapchat. The following are the fields stored in this section of the XML file: type, mSender, mWasViewed, mCaptionPosition, mCaptionOrientation, mIsLoading, mIsTimerRunning, mIsBeingViewed, MWasOpened, mWasScreenshotted, mDisplayTime, mId, mTimestamp, mStatus, mIcon, and mMediaType.

We sent only two pictures from the DecipForensics2 account, and one was viewed and expired. Within this XML file are two records that show the mSender field set to “decipforensics2.” Of those two records, one has the mWasOpened set to “true.” The author kept documentation as to which images were opened and allowed to expire and which are not, so it is known which image is tied to this record.

The mTimestamp field is stored in Epoch format. Upon conversion of this value, it showed the time that the image was either taken or viewed. Further research will need to be done to determine which it is, however, the time is within the timeframe of both being sent and viewed. Unfortunately, the author did this within a few minutes of each other and did not record the exact time sent.

The mId field for the picture shown to the left is “270518365528484358r.” The mTimestamp field in the same record is “1365528484358.” After converting the Epoch time format to readable format, the time stamp is for April 9, 2013 11:28:04 MDT. The similarities here will be address further in a later section of this paper

The received_image_snaps Folder

Within this folder were located every image sent to the DeciphForensics account on the Samsung Galaxy S3, including the images that had been viewed and were expired. There were some duplicate images with different names as well, the reason for this is unknown.

Android developers created a way for media files such as graphics to be stored on the phone for application use and function without being put into the Gallery application as an image to be viewed. The way that they did this was with .nomedia files. “If a directory has a file named .nomedia, then the media store will not scan and record the metadata of files in that directory” (Hoog, 2011).

Each of the images within the received_image_snaps folder had a .nomedia extension appended to the end of the file name. For example, the name of the file figure 3 is “h1a81hurcs00h1365528700423.jpg.nomedia”. This was likely done to prevent the images stored within this directory from being placed in the gallery or from being scanned by the media store. AccessData’s Forensic Toolkit recognized the .nomedia extension that was appended to the end of the file name and ignored it, displaying the images.

Correlations between the XML Records and the Image Names

There is a small correlation between records within the com.snapchat.android_preferences.xml file and the name of the image file stored in the received_image_snaps folder.

As shown above, there are three correlations between the name of the image, the mTimestamp value, and the mId value. While this is consistent with this image, it is not always consistent with all images. The section in blue is present in several of the other images, only with different numbers following to separate the image.


The author began this research in an attempt to answer several vital questions about the Snapchat application as it is stored and used on Android devices. The author has concluded that metadata is stored for Snapchat images, as shown by the com.snapchat.android_preferences.xml file, and that it contains metadata about expired “snaps” as well as unexpired “snaps,” and that images that are sent via Snapchat are indeed recoverable, and do not “disappear forever.”

Recommendations for Further Research

We recommend several avenues for further research into Snapchat and how it stores data. Figuring out how to correlate the XML records to the actual images is vital. The author was able to do so in one instance because of known facts, but this will not be the case for examiners in live cases. The author also recommends research be done into finding where sent “snaps” are stored, as well as recovering video “snaps.”

We finally recommends that all of this research should also be done on iOS devices to find out if “snaps” are recoverable and can have time stamp and sender information associated with the “snaps.”

Any questions about this research should be directed to

This research was done as part of the Advanced Mobile Forensics course at Utah Valley University.

Internet Safety

Safety Tips for Children

There are some simple things that you can inform you children of to help keep them safe while they are surfing the internet.

-Never give out personal information, not even your name.

-Always use a handle or alias for online use.

-Never communicate with someone who has made you feel uncomfortable or scared.

-Never meet someone in person that you met online.

-Remember that people aren’t always who they say they are.

Be sure to check out our software to help monitor your children on their smartphones and computers.