Forensic Considerations for the High Efficiency Image File Format (HEIF)
This addresses a critical gap for digital forensics practitioners who may mishandle evidence due to HEIF's complexity, though it is incremental as it builds on existing forensics knowledge for a new format.
The paper tackles the lack of digital forensics research on the High Efficiency Image File Format (HEIF), which is increasingly used in devices like Apple and Android smartphones, by describing its forensically relevant features, such as data hiding risks, and providing best-practice suggestions for handling evidence.
The High Efficiency File Format (HEIF) was adopted by Apple in 2017 as their favoured means of capturing images from their camera application, with Android devices such as the Galaxy S10 providing support more recently. The format is positioned to replace JPEG as the de facto image compression file type, touting many modern features and better compression ratios over the aging standard. However, while millions of devices across the world are already able to produce HEIF files, digital forensics research has not given the format much attention. As HEIF is a complex container format, much different from traditional still picture formats, this leaves forensics practitioners exposed to risks of potentially mishandling evidence. This paper describes the forensically relevant features of the HEIF format, including those which could be used to hide data, or cause issues in an investigation, while also providing commentary on the state of software support for the format. Finally, suggestions for current best-practice are provided, before discussing the requirements of a forensically robust HEIF analysis tool.