Adroit Photo Forensics

Course list http://www.c-jump.com/bcc/

Adroit Photo Forensics

Adroit Photo Forensics Overview
Investigation involving photos
Evidence Acquisition
Photo Recovery of Active Files
Photo Recovery - Carving
Importance of complete carving
Importance of complete carving, cont.
APF Photo Formats
Photo Organization
APF Forensic Photo Gallery
Photo Gallery - Camera Grouping
Content Analysis
APF Smart Filtering
Explicit Image Detection
Explicit Image Detection, cont.
Thumbnail Mismatch
MD5 Hash Alerts -- Smart Hashing
Smart Hashing, cont.
Photo Details -- APF photo viewer
APF photo viewer
Photo Details - Timelines
APF Timelines
Classification/Categorization
Verify Integrity
Verify Integrity
Reporting and Exporting
Reporting and Exporting, cont.
Additional APF Features

1. Adroit Photo Forensics Overview

Developed by Nasir Memon, a professor at the Polytechnic Institute of New York University in Brooklyn
- Website: http://digital-assembly.com
- Email: sales@digital-assembly.com
- Phone: 212-292-3136
APF can be used in investigations involving deliberately deleted images:
- CP
- Government/Corporate spying/intelligence
- Terrorism Activity
- Photographs of a particular person
- Explicit images of adults
- Indoor/outdoor photos
Also, private sector recovery of accidentally deleted images on corporate or consumer systems:

2. Investigation involving photos

Photo Forensic Case Stages:

Evidence Acquisition
Photo Recovery
Organization
Content Analysis Classification/Categorization Verify Integrity
Photo Details
Reporting and Exporting

3. Evidence Acquisition

Adroit Photo Forensics (APF) supports evidence formats that forensic examiners commonly work with:
- Disk Images
- EnCase (E01) single/split images
- DD/RAW/BIN single/split images
- Logical Drives
- Physical Drives

4. Photo Recovery of Active Files

Adroit Photo Forensics provides Active recovery for the following file systems:
- FAT12/16/32
- NTFS
- HFS
- HFS+
All other file systems are carved.

5. Photo Recovery - Carving

APF recovers photos using:
- Validated Carving: Verifies that the photos follow the rules of the format and file signatures
- NTFS Log Carving: Uses NTFS transaction logs to validate and carve deleted photos
- Smart Carving: Automatic recovery of deleted/fragmented photos
- Guided Carving: Manual assisted recovery of deleted/fragmented photos

6. Importance of complete carving

On average 16-20% of photos are fragmented.
Every additional picture recovered can contain:
- Potential Suspects
- Potential Leads
- Potential Victims
- Potential Locations
- Missing timeline information

7. Importance of complete carving, cont.

NOTE: images are often stored in fragments when the media card of the camera starts to fill up. Not only harddisks, but photo camera's flash cards must be forensically wiped before they can be sold or given away.

8. APF Photo Formats

Adroit Photo Forensics recovers photos taken by digital cameras:
- JPEG
- RAW (Canon, Sony, Olympus, Nikon etc.)
- Adobe DNG
- TIFF
- PNG
- GIF
- BMP

9. Photo Organization

Traditional forensic applications are focused on plain text and other file formats
APF provides tools for organization and processing of cases involving photos
APF Forensic Photo Gallery provides both the view and tools to organize photos
Sort/Group/Filter are based on photo-specific properties

10. APF Forensic Photo Gallery

The tools include
- Identify with one click
- Cameras used
- Image Manipulation Software (ex. Photoshop)
- EXIF Date/Times (Day, Month or Year)
- File name, folder, and more
Photo Filters include
- By Photo Format
- By Resolution (include/exclude thumbnails etc.)

11. Photo Gallery - Camera Grouping

12. Content Analysis

There can be hundreds of thousands of photos in a single disk image
Analyzing them manually is not very efficient
Viewing photos by the thumbnails can still take a huge amount of time
Thumbnails are subject to anti-forensic attacks
APF's Smart Filtering can reduce the view to only forensically important photos.

13. APF Smart Filtering

Smart Filtering includes:
- Explicit Image Detection (Fast/Best)
- Face Detection
- Thumbnail Mismatch
- Smart Hash
- Hash Alerts
Designed to focus on the most forensically relevant photos

14. Explicit Image Detection

Uses 2 Modes:
- Best for detailed analysis
- Fast for triage (does not slow down recovery)
Experimental Child Explicit Image Detector included
Dynamic slider used for reducing or increasing explicit images shown.
Detection by "by skin percentage"

15. Explicit Image Detection, cont.

To reduce the amount of false positives and false negatives, EID uses
- skin/face/body form analysis and combines them together
- machine-learning algorithms to distinguish child from not-child
Machine learning is a process of identification of certain kinds of images by processing other similar images.
For example, program may compute the distance between a person's eyes and nose and other facial features to separate children from adults.
APF is about 70 percent accurate in identifying images of interest.

16. Thumbnail Mismatch

Thumbnail Mismatch identifies photos where the full image does not match its embedded thumbnail:
- Criminals know that investigators maybe reviewing evidence via thumbnails.
- Investigators rarely have the time to view each photo in full detail.
- Illicit images can be hidden behind "safe" thumbnails, which are easy to do manually or using photo applications like Photoshop or Gimp.

17. MD5 Hash Alerts -- Smart Hashing

To finding known illicit images, examiners normally use known MD5 hash sets
APF naturally supports loading hash sets and MD5 hash alerts
But if the photo is slightly changed...
- ...MD5 Hash will not work

18. Smart Hashing, cont.

APF incorporates "Smart Hashing" that finds photos even if the photo was
- Resized
- Color changed
- Brightness changed
- Slightly Cropped/Rotated
- Touched up
- Underwent a Logo insertion or removal

19. Photo Details -- APF photo viewer

The photo viewer includes:
- Full Image
- Preview/Thumbnail Images
- Photo Header Details
- EXIF MetaData
- File System Information
- Categorization and Bookmark Info
- Summary
- Cluster/Fragment Linking

20. APF photo viewer

21. Photo Details - Timelines

APF generate zoomable time lines based on
- File Access Dates
- File Creation Dates
- File Modification Dates
- EXIF Date/Time
- Can extract EXIF Date/Times to get date time information even if files are deleted.
- Has filter based on dates

22. APF Timelines

23. Classification/Categorization

Categorization is an important part of a forensic analyst's work.
APF categorization includes built-in category profiles
- UK CP
- North American CP
APF allows creation of custom profiles.
- Create rules to automatically categorize based on Smart Filters
- Use hot keys to efficiently categorize from any screen (adult, nudity, CP, and so on.)
- Use categories to view/report/export/save/timeline of the photos

24. Verify Integrity

Verify Integrity includes:
- Full Viewable Logs
- Generated MD5/SHA1/SHA256 hashes of photos
- Generated MD5/SHA1/SHA256 hashes of evidence before and after recovery
- Evidence hashes compared:
  - prior to recovery,
  - against current hashes, and
  - stored hashe sets (limited to Encase format only)

25. Verify Integrity

26. Reporting and Exporting

Customizable reports for:
- File System Data
- Photo Details
- EXIF Details
Thumbnails
CSV Exporting of:
- File System Data
- Photo Details
- EXIF Details
- Thumbnails
FTK Known File Filter (FTK KFF) Exporting

27. Reporting and Exporting, cont.

28. Additional APF Features

Batch Analysis for running multiple cases over night or over the weekend
Ability to quickly blur thumbnails to prevent others from viewing photos
Full hotkey support for all major features.
Built-in context sensitive help
Certified Adroit Forensic Examiner (CAFE) training