Adroit Photo Forensics 2013

Post on 11-Jan-2016


Adroit Photo Forensics 2013. Get the Complete Forensic Picture! How Adroit Photo Forensics can assist forensic examiners in every stage of an investigation involving photos. Photo Forensic Case Stages: Evidence Acquisition, Photo Recovery, Organization, Content Analysis, Verify Integrity. (PowerPoint PPT Presentation)

Transcript of Adroit Photo Forensics 2013

Adroit Photo Forensics 2013

How Adroit Photo Forensics can assist forensic examiners in every stage of an investigation involving photos.

Get the Complete Forensic Picture!

Photo Forensic Case Stages
• Evidence Acquisition
• Photo Recovery
• Organization
• Content Analysis
• Photo Details
• Classification/Categorization (Adult, Obscenity, CP, Nudity)
• Verify Integrity
• Reporting and Exporting

Evidence Acquisition
• Adroit Photo Forensics (APF) supports:
  • Disk Images
    • EnCase (E01) single/split images
    • DD/RAW/BIN single/split images
  • Logical Drives
  • Physical Drives
  • Folders


Photo Recovery - Active
• Adroit Photo Forensics provides active recovery for the following file systems:
  • FAT12/16/32
  • NTFS
  • HFS
  • HFS+
• All other file systems are carved.

Photo Recovery - Carving
• APF can recover photo evidence that no other forensic product can!
• Validated Carving: Verifies that the photos follow the rules of the format
• NTFS/FAT Log Carving: Uses NTFS logs to validate and carve deleted photos
• SmartCarving™: Automatic recovery of fragmented photos.
• GuidedCarving™: Manual assisted recovery of fragmented photos.
• Size Carving: Specialized recovery of BMPs, TIFFs and RAWs.
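The validated carving the slide describes, as an added example rather than APF's own code: every JPEG signature hit in a buffer of unallocated clusters is accepted only if its marker chain parses cleanly from SOI through the scan data to an EOI marker, so a truncated or overwritten fragment is rejected instead of being reported as a photo. The sample buffer, helper names and zero-filled segment payloads are constructed here.

```python
# Added example, not APF code: signature-carve JPEGs and validate each by walking
# its marker chain (SOI, length-prefixed segments, SOS scan data, EOI).
import struct
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}        # TEM and RSTn carry no length field

def validate_jpeg(buf, start):
    """Return the end offset of a structurally valid JPEG at `start`, else None."""
    if buf[start:start + 3] != b"\xff\xd8\xff":
        return None
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None                          # marker chain broken
        marker = buf[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        length = struct.unpack(">H", buf[pos + 2:pos + 4])[0] if pos + 4 <= len(buf) else 0
        if length < 2 or pos + 2 + length > len(buf):
            return None                          # segment runs past the buffer
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data: skip to the first FF that is not a stuffed 00 or RSTn.
            while pos + 1 < len(buf):
                if buf[pos] == 0xFF and buf[pos + 1] != 0 and not 0xD0 <= buf[pos + 1] <= 0xD7:
                    break
                pos += 1
    return None                                  # data ended before EOI

def carve_jpegs(buf):
    """Report each SOI hit as (start, end, 'valid') or (start, None, 'rejected')."""
    hits, pos = [], 0
    while (hit := buf.find(b"\xff\xd8\xff", pos)) != -1:
        end = validate_jpeg(buf, hit)
        hits.append((hit, end, "valid" if end else "rejected"))
        pos = end if end else hit + 1
    return hits

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a complete JPEG skeleton (zero payloads, so not decodable),
# then a copy truncated inside its quantisation table by a zero-filled cluster.
GOOD = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(0xDB, bytes(65)) + _segment(0xC0, bytes(11)) + _segment(SOS, bytes(10))
        + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
SAMPLE = b"\x00" * 16 + GOOD + b"\x00" * 8 + GOOD[:60] + b"\x00" * 32
```

Running `carve_jpegs(SAMPLE)` reports the first hit as valid with its end offset and the second as rejected, which is the distinction a pure signature carver cannot make.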

Importance of complete carving
• On average 16-20% of photos are fragmented.
• Every additional picture recovered can contain:
  • Potential Suspects
  • Potential Leads
  • Potential Victims
  • Potential Locations
  • Missing timeline information

Fragmented Recovery (comparison figure): Traditional Forensic Tools vs. Adroit Photo Forensics

Embedded Carving
• Specialized Embedded Validated Carving for:
  • MS Office
  • PK-ZIP
  • Thumbnail Cache (XP, Vista & Windows 7)
• Generic Embedded Validated Carving for:
  • All other files
• Sector Carving/Byte Carving: After carving and active recovery at the cluster level, APF removes all validated files. Remaining clusters are carved at the sector or byte levels.

Recovery Profiles
• A Recovery Profile contains a set of carving and analysis options.
• Can be quickly selected before starting a case.
• Built-in profiles for triage and detailed analysis.
• Create, Edit & Delete profiles.
• Profiles can be copied from one user to another.

Photo Formats Recovered
• Adroit Photo Forensics recovers photos taken by digital cameras:
  • JPEG
  • RAW – Canon, Sony, Olympus, Nikon etc.
  • Adobe DNG
  • TIFF
• Also recovers:
  • PNG
  • GIF
  • BMP


Organization
• APF allows faster organization and processing of cases involving photos
• Traditional forensic applications are focused on text and files.
• APF has a dedicated and streamlined UI for photos.
• Forensic Photo Gallery provides the fastest and most powerful way to view and organize photos.
• Sort/Group/Filter based on important photo specific properties

Organization – Forensic Photo Gallery
• APF has a unique and powerful forensic photo gallery:
• Identify with one click
  • Cameras used
  • Image Manipulation Software (ex. Photoshop)
  • EXIF Date/Times (Day, Month or Year)
  • File name, folder and much much more
• Filter Photos
  • By Photo Format
  • Resolution (include/exclude thumbnails etc.)
  • Ignore Status

Photo Gallery – Camera Grouping (screenshot): photos grouped by camera (Apple iPhone 4: 4 photos; Nikon D100: 2 photos) with thumbnails filtered out; callouts mark Category, User selected, Hash Alert, Bookmarked, and the possible actions for selected photos.

Custom Gallery
• APF contains a custom gallery:
  • View and sort user selected pictures.
  • View and sort location or type specific photos like:
    • Windows Thumbnail Cache
    • Recycle Bin/Trashes
    • Extension Mismatch
    • Hash Alerts
    • Bookmarks
    • Ignored


Content Analysis
• There can be hundreds of thousands of photos in a single disk image.
• Analyzing them manually is just not efficient.
• Viewing photos by their thumbnails can still take a huge amount of time.
• Thumbnails are subject to anti-forensic attacks.
• So how do we save time and show an examiner only forensically important photos?
• SmartFiltering™

SmartFiltering™
• SmartFilters™ present the most forensically relevant photos:
  • Explicit Image Detection (Fast/Best)
  • Face Detection
  • Thumbnail Mismatch
  • SmartHash™
  • MD5 Hash Alerts
  • SmartHash™ Alerts

Explicit Image Detection
• 2 Modes of EID
  • Best for detailed analysis
  • Fast for triage (does not slow down recovery)
• Experimental Child Explicit Image Detector included
• Dynamic slider for reducing or increasing explicit images shown.
• Sort by skin percentage
• EID uses much more than skin analysis to reduce false positives and false negatives

Thumbnail Mismatch
• Criminals know that investigators may be reviewing evidence via thumbnails.
• Investigators rarely have the time to view each photo in full detail.
• Illicit images can be hidden behind “safe” thumbnails!
• Easy to do
  • Manually
  • Photo applications like Photoshop
• Thumbnail Mismatch identifies those photos where the full image does not match its thumbnail

MD5 Hash Alerts, SmartHashing™
• To find known illicit images, examiners normally use MD5 hashes
• APF has full support for MD5 hash alerts
• But what if the photo is slightly changed? MD5 Hash will not work.
• APF incorporates SmartHashing™ that finds photos even if:
  • Resized
  • Color changed
  • Brightness changed
  • Slightly Cropped/Rotated
  • Touched up/Logo Insertion/Logo Removal
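An added example, not APF's SmartHash™ (the slides do not describe its algorithm), of why a perceptual hash survives the edits listed above while an MD5 hash alert does not: an average hash over 8x8 block means keeps the same bits after a brightness shift or a resize, and its Hamming distance also serves the Thumbnail Mismatch slide when an embedded thumbnail is hashed against the full image. The grayscale images and helper names here are constructed.

```python
# Added example, not APF's SmartHash(TM) (whose algorithm the slides do not give):
# an average hash (aHash) over 8x8 block means, compared with MD5, on constructed
# grayscale images given as lists of rows of 0-255 values.
import hashlib

def average_hash(pixels, size=8):
    """Downsample to size x size by block averaging; 1 bit per cell above the mean."""
    bh, bw = len(pixels) // size, len(pixels[0]) // size
    cells = [sum(pixels[y][x] for y in range(by * bh, (by + 1) * bh)
                               for x in range(bx * bw, (bx + 1) * bw)) / (bh * bw)
             for by in range(size) for bx in range(size)]
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:                       # row-major, MSB first
        bits = (bits << 1) | (c > mean)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def md5_pixels(pixels):
    """MD5 of the raw pixel bytes, as a file-hash alert would see them."""
    return hashlib.md5(bytes(v for row in pixels for v in row)).hexdigest()

def thumbnail_mismatch(full, thumb, threshold=10):
    """Flag a photo whose embedded thumbnail does not depict the full image."""
    return hamming(average_hash(full), average_hash(thumb)) > threshold

# Constructed samples: a 16x16 diagonal gradient and edited versions of it.
FULL = [[6 * (x + y) for x in range(16)] for y in range(16)]
BRIGHTER = [[v + 30 for v in row] for row in FULL]              # brightness changed
UPSCALED = [[v for v in row for _ in (0, 1)] for row in FULL for _ in (0, 1)]  # resized
MIRRORED = [row[::-1] for row in FULL]                           # a different picture

def compare(a, b):
    """Return (md5_equal, hamming_distance) for two images."""
    return md5_pixels(a) == md5_pixels(b), hamming(average_hash(a), average_hash(b))
```

`compare(FULL, BRIGHTER)` and `compare(FULL, UPSCALED)` give a changed MD5 but a Hamming distance of 0, while the mirrored image (standing in for a swapped thumbnail) is far apart and is flagged by `thumbnail_mismatch`.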


Photo Details
• APF has the most powerful forensic photo viewer on the market:
  • Full Image
  • Preview/Thumbnail Images
  • Photo Header Details
  • EXIF Metadata
  • File System Information
  • Categorization & Bookmark Info
  • Summary
  • Cluster/Fragment Linking

Photo Details - Timelines
• Generate zoomable timelines based on
  • File Access Dates
  • File Creation Dates
  • File Modification Dates
  • EXIF Date/Time
• Use EXIF Date/Times to get date time information even if files are deleted.
• Filter based on dates


Classification/Categorization
• Categorization is an important part of a forensic analyst’s work.
• APF categorization was built from the ground up to be FAST and powerful.
• APF includes built-in category profiles
  • UK CP
  • North American CP
• APF allows creation of custom profiles.
• Create rules to automatically categorize based on SmartFilters™
• Use hot keys to efficiently categorize from any screen.
• Use categories to view/report/export/save/timeline photos.

(Screenshot: category labels Adult, Play, CP, Nudity)

Categorization Flow (diagram): Recovered Photo → MD5 DB Check and SmartHash DB Check (lookup; on match, categorize) → EID Rules Check (on match, categorize) → otherwise Manual categorization into Adult, Other, CP or Nudity.


Verify Integrity
• Full Viewable Logs
• Generate MD5/SHA1/SHA256 hashes of photos
• Do MD5/SHA1/SHA256 hashes of evidence before and after recovery
• Compare evidence hashes prior to recovery against current hashes and stored hashes (EnCase only)


Reporting and Exporting
• Customizable reports
  • File System Data
  • Photo Details
  • EXIF Details
  • Thumbnails
• CSV Exporting
  • File System Data
  • Photo Details
  • EXIF Details
  • Thumbnails
• FTK KFF Exporting

Additional Features
• Batch Analysis for running multiple cases over night or over the weekend
• Ability to quickly blur thumbnails to prevent others from viewing photos.
• Full hotkey support for all major features.
• Built-in context sensitive help
• Certified Adroit Forensic Examiner (CAFE) training available

ADROIT PHOTO FORENSICS

Contact Digital Assembly or an authorized reseller to provide you with a demo or additional information.

Website: http://digital-assembly.com
Email: sales@digital-assembly.com
Phone: 212-292-3136