Apple introduced Live Photos with iPhone 6s and iOS9Live Photos essentially are a still image combined with a short (3 second) video with sound. Selecting or pressing your finger on a Live Photo makes it come to life, with full audio support. They can be viewed on iOS devices and Mac computers within the Photos application.


When analyzing iOS devices or Mac computers, examiners may find a series of pictures and videos with the same IMG_### name.

BlackLight view of Live Photo. Note: .JPG and .MOV file have the same file name.

This would not normally be expected, as iOS devices save pictures and videos in sequence.

Live Photos are generally made up of a .jpg image combined with a .mov video file. When using an iPhone 7 and above, and the user has set their device to take high-efficiency HEIC/HEVC pictures and videos (Settings➔Camera➔Formats); Live Photos will be saved with an .HEIC picture but still retain a .mov file for the video portion.

BlackLight view of Live Photos showing .MOV and .HEIC files.

Even though this is good empirical evidence these files are part of a Live Photo set, it
indeed is not definitive. Analysis of Live Photos has found that each member of a Live Photo set contains a content identifier which is a UUID. This UUID can be used to identify each part of a Live Photo.

BlackLight showing Content Identifier UUID in both image and video files.

Looking at the UUID, we see that it contains five sets of letters and numbers separated by
dashes. The first set contains eight letters and numbers, the next three include four letters
and numbers each, and the last set consists of twelve letters and numbers.

This pattern exists for all Live Photos seen on iOS and macOS devices. We can leverage this pattern to search for Live Photos.


BlackLight has a powerful search function, where examiners can take advantage of several
options to narrow down the data they must search.

Searching for data patterns is one of the advanced features of BlackLight’s search
functionality. To do this, we can create a RegEx (regular expression) keyword within BlackLight to find our UUID pattern within a specific set of files.

We will use this RegEx pattern (\w{8}(-\w{4}){3}-\w{12}?).

This pattern searches the evidence item for:

  1. Eight alphanumeric characters then add a dash
  2. Three sets of four alphanumeric characters separated by dashes
  3. Twelve alphanumeric characters


1. Select the search view within BlackLight

2. Select the evidence item you wish to search

3. Optionally, select a path where you would expect to find Live Photos. In this example we are looking at /mobile/Media/DCIM/ where pictures and videos are normally stored when captured on the device.

4. Enter the RegEx expression (\w{8}(-\w{4}){3}-\w{12}?).

5. Ensure you select “Selected Keyword is RegEx Pattern”

6. Select “Start Search”

BlackLight showing search for Live Photos. Note that the keyword is selected and checked under “Regular Expression Keyword”.

BlackLight showing search for Live Photos. Note that the keyword is selected and checked under “Regular Expression Keyword”.


BlackLight search results showing Live Photos images (HEIC) and videos (MOV).

The files shown above represent files that are part of Live Photo containers. As discussed earlier, both the image file (HEIC in this case) and video file (MOV) in this case have the same IMG_ number.

Taking IMG_0569 as an example, there is both a HEIC (high efficiency picture) and MOV file with that name. Selecting each file in BlackLight will highlight data that matches the RegEx keyword we entered. As can be seen, IMG_0569.HEIC and IMG_0569.MOV both contain matching UUIDs. These files therefore can be confirmed as elements of a Live Photo. The matching UUID’s confirm their relationship as depicting the same image.

BlackLight viewing showing IMG_0569.HEIC with content identifier UUID 468AF519-85AA-4803-981D-3317016A1C53

BlackLight viewing showing IMG_0569.MOV with content identifier UUID 468AF519-85AA-4803-981D-3317016A1C53

To find out more check out BlackBag’s Digital Forensic Basics course.