When an image is stored to an Apple iOS device, including an iPhone, iPad or iPod, it is stored within a folder named DCIM (Digital Camera IMages). Images can also be stored to this folder automatically by applications, such as WhatsApp.
When images are stored to the DCIM folder and the folder is browsed by the user with the images displayed as thumbnail sized version, those small versions are automatically stored to the phone within ithmb files in a folder named Thumbnails at the path \var\mobile\Media\PhotoData\.
The iPhone stores the thumbnail images within iThmb files that can be viewed once converted to a more common file type using software such as iThmb convertor.
The iOS operating system stores thumbnail versions of the images in this way so that, if the user revisits the folder and browses the images within it those images will be displayed more quickly.
The Thumbnails are retained within the Photodata folder even if the original version of the image has been deleted from the device.
Also, if the data on the device is stored to iTunes or iCloud, the Photodata images are also stored, meaning that they may be retrievable from other device connected to the same iTunes account.
The file named photos.sqlite that is stored within the Photodata folder contains information relating to images within the DCIM folder.
This information includes the time/date of creation of the original version of the image in Unix Epoch time format (number of seconds since 1st January 1970) as well as the file name, location, pixel width and height and, in relation to moving images, the duration of the footage in seconds.
If images have been deleted from a phone, it is sometimes possible to recover deleted thumbnail copies of images that previously existed on it from within the Photodata folder. These smaller images can include incriminating images or images that may be relevant to the Defence of an individual.
When images are stored to an iTunes backup, either deliberately or as part of an automated process, the iThmb files are stored separately and can also be retrieved as part of a forensic analysis of the device, allowing a further avenue of investigation to assess what images had been present on the phone previously.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or
via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any
computer forensic investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited
to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.