A Targeted Data Extraction System for Mobile Devices

Smartphones contain large amounts of data that are of signiﬁcant interest in forensic investigations. In many situations, a smartphone owner may be willing to provide a forensic investigator with access to data under a documented consent agreement. However, for privacy or personal reasons, not all the smartphone data may be extracted for analysis. Courts have also opined that only data relevant to the investigation at hand may be extracted. This chapter describes the design and implementation of a targeted data extraction system for mobile devices. It assumes user consent and implements state-of-the-art ﬁltering using machine learning techniques. The system can be used to identify and extract selected data from smartphones in real time at crime scenes. Experiments conducted with iOS and Android devices demonstrate the utility of the targeted data extraction system.


Introduction
Smartphones contain large amounts of data that are of significant interest in forensic investigations.However, these devices have in essence become personal data repositories and the privacy of their data is a serious concern.A landmark 2014 ruling by the U.S. Supreme Court in Riley v. California and subsequent rulings based on this case suggest that it may not be enough to obtain a warrant to conduct a search of a smartphone, but it may also be required to restrict the search to specific items on the device that relate to the crime being investigated.What is needed is a forensically-sound system that can perform targeted (selective) data extraction under a documented consent agreement.Commercial tools such as Cellebrite UFED Physical Analyzer have great utility, but they do not support targeted data extraction.
This chapter describes the design and implementation of a prototype software system that supports targeted data extraction from iOS and Android devices in a forensically-sound manner.The system runs on a solid state drive connected to a laptop, which is connected to a mobile device of interest on which the targeted data extraction app is downloaded.Metadata and content filtering rules in the app support targeted data extraction under a consent agreement signed by the device owner.Metadata filtering rules enable data of specific types with relevant creation dates/times and locations to be extracted.Content-based filtering leverages machine learning to exclude non-relevant data and ensure that user data privacy is maintained.Forensic soundness is realized using the eDiscovery Reference Model [19] and dynamic/live analysis techniques drawn from network and cloud forensics [17,26].

Related Work
Several tools support full data acquisition from iOS and Android devices.Commercial tools include Cellebrite UFED Physical Analyzer, Paraben Electronic Evidence Examiner, Oxygen Forensic, AccessData Mobile Phone Examiner Plus, Microsystems XRY, Magnet Acquire and Blackbag Mobilyze.These tools attempt to acquire as much data as possible via logical and physical acquisitions.However, they do not support on-device or off-device selective methods for extracting only the data that is relevant to investigations.
Considerable research has focused on forensic data extraction and analysis.Some of this work deals with the extraction of specific types of artifacts from cloud drives and social networking applications [2,4,26].Other research has been directed at general forensic data extraction techniques for mobile devices [14,25].Interested readers are referred to [23] and [28] for detailed discussions about iOS and Android device forensics, respectively.
The concept of "real-time triage" has become increasing important and there has been some work on building such systems [9,27].Another important aspect is data privacy in the context of digital forensics in general and mobile forensics in particular [3,31].
Machine learning (see, e.g., [24]) and its applications have gained considerable attention in recent years.Deep learning (see, e.g., [20]) has been successfully applied in areas ranging from image recognition [18] to natural language translation [10].Open-source frameworks such as Caffe [15], Theano [8] and TensorFlow [1] have been developed for implementing deep representational learning using neural networks.Stateof-the-art processors in modern smartphones make it feasible to perform image analysis and classification, including facial detection, using deep learning models such as Inception [33], Open NSFW [22] and Mo-bileNet [13].
At this time, mobile device forensic tools are unable to perform ondevice targeted data extraction as described in this chapter.In fact, the available tools only extract images of device content and enable the images to be queried and analyzed in an off-device manner.Moreover, these tools do not have the ability to filter data using machine learning techniques.

System Overview
The targeted data extraction system (TDES) for mobile devices has three components: (i) data identification system; (ii) data acquisition system; and (iii) data validation system.

Data Identification System:
The data identification system is responsible for identifying the relevant files based on metadata and content.Input to the system is broadly driven by a consent form and is fine-tuned by the forensic investigator using a speciallydesigned user interface.
Smartphone data comes in a variety of types.The basic categories of smartphone data are photos (images), videos, messages and contact lists.Each category is associated with metadata that describes aspects of the data, such as time (when an image was placed on the device), location (where the image was taken) and sender and receiver (of text and multimedia messages).
Note that metadata is different from content.For example, a query based on a date range -"photos taken within the past week" -uses metadata about photos.However, a query for photos containing "weapons" would require content-based filtering.The data identification system incorporates state-of-the-art machine learning, natural language processing and data mining algorithms to perform content-based filtering.
Data Acquisition System: The data acquisition system interacts with the data identification system to retrieve targeted files from a smartphone in a forensically-sound manner.Data acqui-sition corresponds to data collection; therefore, the data that is acquired is the desired evidence.The data acquisition system incorporates two components: (i) TDES manager; and (ii) TDES app.The TDES manager is a system-on-chip that resides on a portable bootable drive.The manager boots up in Windows 10 when connected to a laptop or workstation.The target smartphone is connected to the same laptop or workstation in order to deploy the TDES app on the target smartphone.The user interface of the TDES app enables an investigator to provide input to the data identification system.Finally, the filtered data from the target phone is transferred to the TDES manager.
Data Validation System: The data validation system, which is integrated with the data identification and data acquisition systems, ensures that data is transferred in a forensically-sound manner.It performs appropriate hashing to insure data integrity.Additionally, it generates a log timeline that documents all the steps taken by the TDES system during "live analysis."Finally, the data validation system produces a report that documents the needs of the investigator (e.g., queries), the data analysis that was performed and the data that was selected.
The data identification and data acquisition systems are described together because their abstractions are closely coupled.Also, because the system only performs logical data extractions, it is assumed that relevant data is not stored in hidden or deleted files.Furthermore, the focus is on rapid targeted data extraction -how to define what data is to be extracted, how to ensure that data extraction is done in a forensicallysound manner and how to perform data extraction very rapidly.

Targeted Data Extraction
In order to motivate the development of the model for targeted data extraction, it is instructive to present potential application scenarios.These scenarios, which were suggested by forensic investigators, involve instances where consent is natural and the ability to filter data would be very useful: A car accident where a bystander has taken photos or a video of the incident.
A drug overdose incident where the victim's phone has information about drugs and drug dealers.
A suicide case where the victim's phone may contain relevant texts, email and photos.
A domestic violence situation where the victim's phone has photos that document the physical abuse.
A major incident where several individuals have captured videos and photos of the perpetrators, their weapons and their vehicles.
In several shooting incidents, bystanders and/or companions have recorded the events on their phones [30].The Boston Marathon bombing case had a massive amount of digital evidence from multiple sources [32].In these and many other incidents, automated selective data extraction would have been very useful.
Data of value in forensic investigations is classified as follows: User-Created Data: This includes contacts and address books, SMS messages, MMS messages, calendars, voice memos, notes, photographs, video/audio files, maps and location information, voice mail and stored files.
Internet-Related Data: This includes browsing histories, email and social networking data.
Third-Party Application Data: This includes messaging data (text, voice, video and pictures) from applications such as Facebook, WhatsApp and Skype.
As discussed above, the TDES app, which is deployed on the target device, is responsible for filtering and transferring the data to the TDES manager.This method of data extraction is called "on-device acquisition."In this type of acquisition, only the data that is filtered by the TDES app is transferred from the phone.No other data on the device is ever pushed to the TDES manager.
However, for some iPhone data types, it is not possible to selectively extract relevant data without "jailbreaking" the phone or using the iTunes backup system.Since jailbreaking is not employed in this work, the only option is to use the iTunes backup system.Selective data extraction from iTunes is referred to as "backup acquisition."In backup acquisition, all the available data from the iTunes backup is moved to the TDES manager, which extracts the relevant data and deletes the backup after the extraction is completed.

On-Device Metadata-Based Filtering
Table 1 shows the data that can and cannot be extracted by the TDES app in the on-device mode via metadata filtering.The first part of the table shows the data that can be extracted from iPhones (iOS devices) and Android phones.The second part of the table shows the data that can be extracted from Android phones, but not from iPhones (e.g., photos captured by third-party apps such as Facebook and WhatsApp).The third part of the table shows data that the TDES app currently cannot extract from iPhones and Android phones.
iPhones: System interfaces for iPhones are delivered in the form of packages called frameworks (Figure 1).The TDES app for iPhones uses several frameworks in Media Libraries and Core Services.The Photos framework provides direct access to photo and video assets managed by the iPhone Photos app.The AVKit framework provides a high-level interface for playing video content.The CoreLocation framework provides location and orientation information.The EventKit framework provides an interface for accessing calendar events.The Contacts framework provides access to user contacts and functionality for organizing contact information.
Android Phones: Figure 2 shows the Android operating system stack.The TDES Android app, which is deployed in the application layer, leverages services provided by the Application framework, which includes the Content Provider, Activity Manager, Resource Manager and View [12].Content Provider provides access to a range of data and other services used for design and implementation.

On-Device Content-Based Filtering
Trained machine learning models are developed using supervised learning techniques, including learning using deep neural nets.A trained model can be incorporated in the iOS or Android TDES app using the appropriate framework.The model can be used directly by retraining the final layer or by using heuristics based on model outputs.The current versions of the TDES app employ adapted trained models from Inception-v3 [16], MobileNet [13] and Open NSFW [22] to classify photos and videos.Interested readers are referred to the bibliography for details about the accuracy of these models.The TDES apps are able to identify photos containing weapons, people, vehicles, drugs, websites, skin exposure and gadgets.The accuracy of the adapted models is discussed in Section 5.
The Core ML framework [5] is used for on-device content-based filtering on iPhones.Core ML provides support for several machine learning frameworks, including Vision and GameplayKit.
The TensorFlow Lite framework [35] is used for on-device content-based filtering on Android phones.The trained model and related labels are used in conjunction with a shared object file libtensorflow inference.so,which is written in C++.The Java API libandroid tensorflow inference java.jar[1,29] is used to interface with Android platforms.

Off-Device Backup-Based Filtering
Table 2 shows the data that can and cannot be extracted by the TDES app in the off-device mode via metadata filtering.The first part  Other standard, albeit complex, techniques can also be used to extract data from a backup.
Android Phones: In the case of Android phones, any data that can be extracted off-device can also be extracted on-device; therefore, on-device extraction is employed.However, data from the third-party applications in Table 1 cannot be extracted using ondevice acquisition when the phone is not rooted.Experiments with rooted and non-rooted Android phones did not reveal an Android equivalent of the iTunes backup mechanism.

TDES Communications
Communications between the TDES manager and the TDES app on a target phone is an important component of the TDES system.Figure 3 shows the communications paradigm that is implemented on iPhones and Android phones.The forensic investigator is provided with a portable TDES boot drive (e.g., SSD drive or USB stick) that is preloaded with a bootloader for a Windows 10 machine, TDES manager and the tools necessary to install the TDES app on the target phone.All the extracted data is sent back to the boot drive by the TDES app; reports pertaining to the extracted data also reside on the boot drive.
Any available Windows 10 system can be used to boot into the TDES manager, which runs in an isolated environment on the drive.After booting up, the TDES manager must have Internet access if the target device is an iPhone.
The steps for targeted data extraction are: The boot drive containing the TDES manager is inserted into a laptop.
The Windows 10 operating system boots up and the TDES manager starts its execution.
A wired connection using a USB cable is established from the laptop to the phone.The TDES app is installed.In the case of an iPhone, a hotspot is needed to connect to Apple in order to sign the code and acknowledge trust in the developer.
After the app is downloaded, the phone may be disconnected from the laptop.
A wireless or wired two-way communications channel is set up between the TDES manager and TDES app for data transfer.
The targeted data extracted by the TDES app is exported to the TDES manager and reports are generated for the extracted data.
Note that no copies of data or residual data from the export process are stored on the phone.

TDES App Installation on iPhones:
Only applications from sources approved by Apple can be executed on iPhones that are not jailbroken.Apple iOS requires that all executable code must be signed with a certificate issued by Apple.Third-party apps must have signed certificates to ensure that they do not load any tampered or self-modifying code [6].
The TDES implementation uses Cydia Impactor [34] to sign the TDES app code.The procedure involves the generation of an iOS App Store Package (IPA) file of the TDES app using the XCode Archive utility.This application archive file stores an iPhone app.In order to sign the code, Impactor logs into the Apple Developer Center and downloads the developer's provisioning profile and iOS development certificate.Logging into the Apple Developer Center requires an Internet connection.Impactor signs the IPA file content in a depth-first manner starting with the deepest folder level.After the signing is done, Impactor installs the TDES app on the iPhone.All these tasks are automated by an AutoHotKey script [7] that executes after the TDES manager boots; thus, no actions are required to be performed by the forensic investigator.

TDES App Installation on Android Phones:
The Android operating system permits only signed applications to be installed on an Android phone.As long as an application is signed and does not attempt to update another application, it can be selfsigned -this approach is adopted in the TDES implementation.The output of the compilation is an APK file.Note that no other authentication is necessary.
The TDES app is installed after the APK file is stored on the target phone.For simplicity and ease of use, an Android debug bridge is employed for communications between the host computer and target phone.The Android debug bridge requires the phone to be placed in the USB debugging mode; this mode is turned off after the app is installed.

TDES Data Transfer Protocol:
The communications channel between the TDES app and TDES manager must ensure that the extracted data is transmitted with forensic integrity and that all data modifications are detected and documented.Furthermore, data that is modified inadvertently or intentionally during the chain of custody is also identified and documented.This is implemented by hashing essentially every file and computing a final hash value, which is exported to the TDES manager.Note that the hashing is done on the phone.If required, the final hash value could be sent to the phone's owner, the forensic investigator or to a third party.
The iPhone implementation employs a socket-based data transfer protocol.Since the iPhone implementation requires a hotspot in any case, a wireless link is used for communications between the app and the manager.
The Android implementation uses an Android debug bridge, which supports socket-level communications.Since Android applications are natively written in Java, ServerSockets and Sockets are employed.A wired connection is used for the Android communications protocol.

User Interface
The user interface, which runs as part of the app on the target phone, enables a forensic investigator to specify the selection criteria for data extraction.At this time, the interfaces are somewhat different for iPhones and Android phones.An optional PDF consent form is provided by the TDES manager.In the case of an iPhone, after the data extraction criteria are specified using the app, a digital consent form that specifies the data to be extracted can be completed on the app itself.In the case of an Android phone, a broad consent form is completed on the app first.This consent form ensures that only the relevant subset of data specified using the app is, in fact, extracted.
A useful bookmarking feature is provided by the TDES app.Consider a situation where a dataset has been extracted using a set of filters.The forensic investigator who set up the filters can display the results and do a quick data review on the phone itself before deciding what data to actually export to the TDES manager (i.e., bookmarked data).For example, if the investigator selected a set of images of weapons obtained during a certain time period, then he/she could review the images and select a subset of relevant images by bookmarking the subset.
Discussions with a former prosecutor and a current defense attorney indicated that bookmarking is a useful feature, but it may introduce bias during the evidence collection process.Consequently, the current implementation enables bookmarking to be turned on or off.Alternatively, both options may be selected, producing two versions of the exported data -the bookmarked version and the original version.If needed, an investigator could export all the data that could be examined under the consent and filtering definitions, including possible exculpatory data.
iPhone App Interface: Figure 4 shows the iPhone TDES app interface.The initial choices for a forensic investigator to define are: (i) when (specific date ranges, today, last week, last month, etc.); (ii) where (current location, location within a certain number of miles, location determined by city, state or zip code, etc.); and (iii) what (data types -photos, videos, calendar, call logs, messages and contacts).
Additional filtering options -generally, content filtering -may be defined.For example, if photos and videos are of interest, then the content filtering options supported are the inclusion or exclusion of weapons, places, vehicles, drugs, websites, gadgets, skin exposure, pornography and favorites.If the exclude skin exposure option is selected, then the app filters the corresponding images, and displays and exports the remaining images.
The last screen of the interface enables the investigator to display the selected data on the device, export the data, or both.A consent form is displayed before the data is exported to the TDES manager.
Android App Interface: Figure 5 shows the Android TDES app interface.The app first presents a screen for specifying the data categories to be extracted; the same categories of data as the iPhone app are supported.Selecting any of these data types leads  to a new screen with another set of choices providing additional filtering options for metadata and content filtering.The Android app interface also has provisions for first defining a broad consent form that restricts further data selections.It also supports data bookmarking, display and export.

Data-Based Filters
Both versions of the app interface support a fair amount of metadata and content filtering.For example, call logs can be filtered by name and number as well as by date and time.Contacts can be filtered by name and number.Messages can be filtered by name and number as well as by date and time.Videos and photos can be filtered by location, date, time and various implemented content using machine learning models.

Reporting and Forensic Integrity
A common interface using the JSON object format [11] is implemented for the selected export of data from the iPhone and Android phone apps.The JSON structure facilitates the description of the extracted data as well as hash values and reporting information.For example, a report may need to document when the TDES app began its execution and when the extraction was completed.Although the data transfer is primarily from the app to the manager, some information, such as the forensic investigator's name, phone owner's name and case number, is  passed from the manager to the app.The Android TDES app extracts additional information such as the IMEI, phone number and email address associated with the phone.In the case of the iPhone TDES app, this information must be entered in the manager.Figure 6 shows a sample report generated for an iPhone.
TDES Directory Structure on the Boot Drive: Figure 7 shows the directory structure created for storing evidence on the boot drive.The structure is designed to ensure data integrity and support reporting.A directory is created for each case.The complete report is stored as an HTML file in this directory.The JSON files, including Final.json, are discussed below.The extracted data is stored as one or more iterations of requests made by the investigator.In each iteration, every data category has a separate directory and a JSON file is associated with the directory.

JSON Format for Data Transfer:
The JSON format is used to describe the structure of the exported data, which is used to create reports in the HTML format.Figure 8 shows example JSON files.
Assume that a set of photos has been extracted using metadata and content filters.Auxiliary information about each photo is transferred to the TDES manager along with the actual image file.The TDES apps for iPhones and Android phones create this information in the same format.After the information is transferred to the TDES manager, a report manager creates the actual report.
Hashes are also transferred as part of the JSON files.As shown in Figure 8, the It1 Photos.jsonfile is structured into arrays of arrays containing (key, value) pairs.For example, creation date is a key and its value is the string 01-01-2017.
Considerable information is exported in a JSON file.The key filename has a value string associated with it, which corresponds to the name of the actual photo image.The actual image is stored as a separate file as defined by the key exportpath.The hash value of the actual photo file is stored in the JSON structure and is defined by the key f hash.
Hashing and Data Integrity: SHA-1 hashes are used to ensure the integrity of the data transferred to the TDES manager; other hash algorithms may be used if needed.Each file filename defined in a JSON file has a hash associated with the file called the f hash.
Next, every JSON file has JSON hash j hash associated with the file.For example, the hash value computed for the file It1 -Photos.json is stored as the key It1 Photos j hash in file It1 -Hashes.json.For each iteration n, the hash of Itn Hashes.json is stored in the Final.jsonfile.The hash of Final.json is called Final hash.This hash value ensures that no file in any case directory can be modified without detection.
The Final hash value computed by an app is sent to the TDES manager and stored in Report.htm.The manager can independently compute the Final hash value to check if any changes occurred during the data transfer.Hash values are computed at intermediate points for several reasons, including to facilitate the granular transfer of data and check if the transfer is correct.Checking the extracted files against known files is also simplified.The TDES manager (or app) could also email a copy of the Final hash value to the phone's owner, forensic investigator or third party.

Experiments and Results
Several experiments were conducted to evaluate the accuracy and speed of selective data filtering on iPhone and Android phones.The metadata filtering accuracy should be 100% because the Apple and Android frameworks were employed; however, manual checks of metadata filtering were still performed.
The performance of the prototype system was also compared against two commercial tools, Paraben EEE and Magnet AXIOM, which are used by law enforcement.As mentioned above, neither of these tools (nor Cellebrite) can perform selective data extraction as implemented by the prototype system.Note that the Cellebrite commercial tool was not evaluated because this tool (like the others) essentially performs a  Three iPhones and three Android phones were used in the experiments.Table 3 provides details about the phones and their contents.Apple Devices 1 and 3, which belong to the authors of this chapter, contained real user data.Apple Device 2 contained synthetic, noncopyrighted data that is available for reuse over the Internet.Similarly, Android Devices 5 and 6 contained real user data and belong to the authors; Apple Device 4 contained synthetic data.Table 3 also shows the total numbers of artifacts of each data category residing in each test device.The TDES boot drive used was a SanDisk Extreme 128 GB stick.A ThinkPad X1 Carbon laptop was used as the boot drive and to connect to the test phones.
iPhone Results.The iPhone experiments employed Devices 1, 2 and 3. Table 4 shows the results for on-device metadata-based filtering for Device 1.Each experiment (row) focuses on a specific data category and filter.For each experiment, the total number of artifacts selected out of the total number of artifacts on the device is shown (e.g., in the case of the 1-Photos experiment, 2/10,307 means that two photos out of 10,307 photos on the device were extracted).The metadata filtering was 100% accurate based on manual checking (e.g., a phone feature such as Photos Album count).The table also shows the times required to display data on the target device and to export data to the TDES manager (via a wired connection).The recorded times show that TDES is feasible for in-field targeted data extraction.The amounts of exported data are also shown.Note that a table entry marked with an asterisk (*) corresponds to an item whose location depends on the physical location of the phone.
Table 5 shows the results of experiments for off-device backup-based metadata filtering for Device 3. The results for messages and call logs are shown.As discussed earlier, the backup-based procedure involved the TDES manager acquiring a complete backup from iTunes; thus, there is no export time.Note, however, that the forensic investigator must still specify the filtering that must be performed by the TDES app.The accuracy of metadata filtering is always 100% based on manual analysis using iTunes.8 shows the results of seven experiments using Device 4 photos for various combinations of metadata and content filtering.The Mo-bileNet model from TensorFlowLite was used for metadata and content filtering.The display and export time results are excellent.The accuracy measure, computed using Equation (1), expresses how well the MobileNet model performs content filtering.The results are modest; better machine learning models will have to be developed to improve the accuracy of content filtering.
Comparison with Commercial Tools.Several experiments were conducted to compare the data export times for TDES against the times required by two commercial tools, Paraben and Magnet AXIOM.iPhone Device 2 and Android Device 4 were used in the experiments.Table 9 shows the experimental results -the iPhone comparisons are in the top half of the table and the Android comparisons are in the bottom half of the table.The app installation time (AIT) is the time period from the instant the target device was connected to the laptop to the time when a data selection can be made (in the case of TDES, this is when a data selection can be made on the target device; in the case of Paraben and Magnet AXIOM, this is when a data selection choice can be made on the laptop).The backup acquisition time (BAT) is the time taken for backup-based acquisition.Note that, in the case of TDES, the exported data was stored on a flash drive whereas, in the case of Paraben and Magnet AXIOM, the exported data was stored on the laptop hard drive.for data export.In contrast, Paraben required five seconds for initialization and 40 seconds for data export.
In the case of Paraben and Magnet AXIOM, the only choices available for acquisition are the broad categories shown in Table 9. Paraben does not extract photos and videos separately; it provides one option for all media artifacts.However, experiments revealed that selecting this option resulted in the extraction of metadata associated with media artifacts, not the artifacts themselves.

Conclusions
The targeted data extraction system described in this chapter supports the acquisition of relevant data from iOS and Android devices in a forensically-sound manner.It implements state-of-the-art metadata and content filtering functionality based on machine learning techniques.Forensic soundness is realized using the eDiscovery Reference Model [19] and dynamic/live analysis techniques drawn from network and cloud forensics [17,26].The design assumes that a phone is voluntarily provided to law enforcement under a documented consent agreement.However, it is equally applicable to situations where a court orders that a smartphone passcode must be provided for evidence recovery or where a smartphone memory dump (e.g., from a cloud backup) with an intact filesystem is available.The targeted data extraction system is currently being provided to law enforcement for testing and feedback, with the goal of incorporating additional features and capabilities.

NIC:
Network Interface Card; P: Photos; V: Videos; M: Messages; CL: Call Logs; CO: Contacts; CA: Calendar physical acquisition of all the phone data and then enables the user to analyze the data off-device.

Table 2 .
[21]device metadata-based extraction.Apple iOS security mechanisms do not permit applications that execute on an iPhone to extract certain types of content (second and third sections of Table1).Therefore, this content is acquired from an iTunes backup.The idevicebackup2 command supported by the open-source libimobiledevice[21]is employed.
of the table shows the data that can be extracted from iPhones and Android phones.The second part shows the data that can be extracted from Android phones, but not from iPhones.The third part shows data that the TDES app currently cannot extract from iPhones and Android phones.Note that a table entry marked with an asterisk (*) corresponds to an item that was not investigated.iPhones:

Table 3 .
Devices used in the experiments and device content.

Table 6
shows the results of the experiments using Device 2 photos for various combinations of metadata and content filtering.The test iPhone had 2,621 photos with 109 photos in the date range 12/25/17 to 12/29/17, and 72 of these photos were taken on 12/25/17.The Inception-v3 model was used for content filtering.Rows 1-3 of the table focus on filtering for "weapons."In the case of Row 2, content

Table 8 .
On-device metadata and content filtering for Android phones (MobileNet).Note that the display and export times are very good.For example, in the case of the 12-Messages experiment, exporting 236 MB of device artifacts required only 18.2 seconds.Table