Forensic Considerations for the High Efficiency Image File Format (HEIF)

TL;DR

This paper examines the forensic challenges of the HEIF image format, highlighting its features, potential for data hiding, and providing best practices and requirements for forensic analysis tools.

Contribution

It offers a detailed analysis of HEIF's forensically relevant features and discusses the development of robust forensic tools for this modern image format.

Findings

HEIF has complex features that can be exploited for hiding data.

Current software support for HEIF is limited and inconsistent.

Best practices for forensic analysis of HEIF are proposed.

Abstract

The High Efficiency File Format (HEIF) was adopted by Apple in 2017 as their favoured means of capturing images from their camera application, with Android devices such as the Galaxy S10 providing support more recently. The format is positioned to replace JPEG as the de facto image compression file type, touting many modern features and better compression ratios over the aging standard. However, while millions of devices across the world are already able to produce HEIF files, digital forensics research has not given the format much attention. As HEIF is a complex container format, much different from traditional still picture formats, this leaves forensics practitioners exposed to risks of potentially mishandling evidence. This paper describes the forensically relevant features of the HEIF format, including those which could be used to hide data, or cause issues in an investigation, while also providing commentary on the state of software support for the format. Finally, suggestions for current best-practice are provided, before discussing the requirements of a forensically robust HEIF analysis tool.