Adroit Photo Forensics 2011 - PowerPoint PPT Presentation

About This Presentation
Title:

Adroit Photo Forensics 2011

Description:

How Adroit Photo Forensics can assist forensic examiners in every stage of an investigation involving photos.

Date added: 17 February 2020
Slides: 34
Provided by: Pash150
Transcript and Presenter's Notes

Title: Adroit Photo Forensics 2011


1
Adroit Photo Forensics 2011
  • How Adroit Photo Forensics can assist forensic
    examiners in every stage of an investigation
    involving photos.

2
Photo Forensic Case Stages
  • Evidence Acquisition
  • Photo Recovery
  • Organization
  • Content Analysis
  • Photo Details
  • Classification/Categorization
  • Verify Integrity
  • Reporting and Exporting
  • Category labels shown in the diagram: Adult, CP, Obscenity, Nudity

3
Evidence Acquisition
  • Adroit Photo Forensics (APF) supports:
    • Disk Images
      • EnCase (E01) single/split images
      • DD/RAW/BIN single/split images
    • Logical Drives
    • Physical Drives
    • Folders

5
Photo Recovery - Active
  • Adroit Photo Forensics provides Active recovery
    for the following file systems:
    • FAT12/16/32
    • NTFS
    • HFS
    • HFS+
  • All other file systems are carved.

6
Photo Recovery - Carving
  • APF can recover photos that no other forensic
    product can!
  • Validated Carving: Verifies that the photos
    follow the rules of the format.
  • NTFS Log Carving: Uses NTFS logs to validate and
    carve deleted photos.
  • SmartCarving: Automatic recovery of fragmented
    photos.
  • GuidedCarving: Manually assisted recovery of
    fragmented photos.
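
An added illustration of the validated-carving idea, not Adroit's code (the slides do not give APF's validation rules): a Python validator that accepts a JPEG signature hit only if the marker segments that follow obey the format's length and ordering rules. The function names, the strict rejection of fill bytes, and the constructed `SAMPLE` and `DISK` buffers are assumptions of this example.

```python
SIG, SOI, EOI, SOS = b"\xff\xd8\xff", 0xD8, 0xD9, 0xDA
SOF = {0xC0, 0xC1, 0xC2}                        # baseline/extended/progressive frame headers
NOT_MARKER = {0x00, 0xFF, *range(0xD0, 0xD8)}   # byte stuffing, fill bytes, RST0-RST7

def skip_scan(buf, pos):
    """Skip entropy-coded scan data; index of the next real marker, or None."""
    while (pos := buf.find(b"\xff", pos)) != -1 and pos + 1 < len(buf):
        if buf[pos + 1] not in NOT_MARKER:
            return pos
        pos += 1
    return None

def validate_jpeg(buf, start=0):
    """Length of a structurally valid JPEG at `start`, or None if a rule breaks."""
    if buf[start:start + 3] != SIG:
        return None
    pos, seen_sof, seen_sos = start + 2, False, False
    while pos is not None and pos + 2 <= len(buf):
        marker = buf[pos + 1]
        if buf[pos] != 0xFF or marker == SOI or marker in NOT_MARKER:
            return None              # not a segment start (FF FF fill is rejected too)
        if marker == EOI:
            return pos + 2 - start if seen_sos else None
        end = pos + 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")
        if end < pos + 4 or end > len(buf):
            return None              # length field below 2 or running past the data
        seen_sof, pos = seen_sof or marker in SOF, end
        if marker == SOS:
            if not seen_sof:
                return None          # scan data before any frame header
            seen_sos, pos = True, skip_scan(buf, end)
    return None

def carve(buf):
    """(offset, length) of every signature hit that passes validation."""
    hits, i = [], buf.find(SIG)
    while i != -1:
        n = validate_jpeg(buf, i)
        if n:
            hits.append((i, n))
        i = buf.find(SIG, i + (n or 1))
    return hits

def seg(marker, payload):            # builds one segment of the constructed sample
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xDB, bytes(65))
          + seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00") + seg(0xC4, bytes(20))
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd9")
DISK = bytes(512) + SIG + b"\xe0\x00\x01junk" + bytes(100) + SAMPLE + bytes(64)
```

A signature-only search reports two hits in `DISK`; `carve(DISK)` keeps only the one whose segments are consistent.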

7
Importance of complete carving
  • On average 16-20% of photos are fragmented.
  • Every additional picture recovered can contain:
    • Potential Suspects
    • Potential Leads
    • Potential Victims
    • Potential Locations
    • Missing timeline information

8
Embedded Carving
  • Specialized Embedded Validated Carving for:
    • MS Office
    • PK-ZIP
    • Thumbnail Cache (XP, Vista and Windows 7)
  • Generic Embedded Validated Carving for:
    • All other files
  • Sector Carving/Byte Carving
    • After carving and active recovery at the cluster
      level, APF removes all validated files. Remaining
      clusters are carved at the sector or byte levels.

9
Recovery Profiles
  • A Recovery Profile contains a set of carving and
    analysis options.
  • Can be quickly selected before starting a case.
  • Built-in profiles for triage and detailed
    analysis.
  • Create, edit and delete profiles.
  • Profiles can be copied from one user to another.

10
Photo Formats Recovered
  • Adroit Photo Forensics recovers photos taken by
    digital cameras:
    • JPEG
    • RAW: Canon, Sony, Olympus, Nikon etc.
    • Adobe DNG
    • TIFF
  • Also recovers:
    • PNG
    • GIF
    • BMP

12
Organization
  • APF allows faster organization and processing of
    cases involving photos
  • Traditional forensic applications are focused on
    text and files.
  • APF has a dedicated and streamlined UI for
    photos.
  • Forensic Photo Gallery provides the fastest and
    most powerful way to view and organize photos.
  • Sort/Group/Filter based on important
    photo-specific properties

13
Organization: Forensic Photo Gallery
  • APF has a unique and powerful forensic photo
    gallery
  • Identify with one click:
    • Cameras used
    • Image Manipulation Software (e.g. Photoshop)
    • EXIF Date/Times (Day, Month or Year)
    • File name, folder and much, much more
  • Filter Photos:
    • By Photo Format
    • Resolution (include/exclude thumbnails etc.)
    • Ignore Status

14
Photo Gallery: Camera Grouping
  • [Screenshot: photo gallery with thumbnails filtered out and photos
    grouped by camera, "(2 Photos) Canon EOS 20D" and "(6 Photos) HTC
    Apache". Callouts: Category, Bookmarked, User selected, Hash Alert,
    Possible actions for selected photos.]

15
Custom Gallery
  • APF contains a custom gallery
  • View and sort user-selected pictures.
  • View and sort location- or type-specific photos,
    like:
    • Windows Thumbnail Cache
    • Recycle Bin/Trashes
    • Extension Mismatch
    • Hash Alerts
    • Bookmarks
    • Ignored

17
Content Analysis
  • There can be hundreds of thousands of photos in a
    single disk image.
  • Analyzing them manually is just not efficient.
  • Viewing photos by their thumbnails can still take
    a huge amount of time.
  • Thumbnails are subject to anti-forensic attacks.
  • So how do we save time and show an examiner only
    forensically important photos?
  • SmartFiltering

18
SmartFiltering
  • SmartFilters present the most forensically
    relevant photos:
    • Explicit Image Detection (Fast/Best)
    • Face Detection
    • Thumbnail Mismatch
    • SmartHash
    • MD5 Hash Alerts
    • SmartHash Alerts

19
Explicit Image Detection
  • 2 Modes of EID:
    • Best: for detailed analysis
    • Fast: for triage (does not slow down recovery)
  • Experimental Child Explicit Image Detector
    included
  • Dynamic slider for reducing or increasing
    explicit images shown.
  • Sort by skin percentage
  • EID uses much more than skin analysis to reduce
    false positives and false negatives

20
Thumbnail Mismatch
  • Criminals know that investigators may be reviewing
    evidence via thumbnails.
  • Investigators rarely have the time to view each
    photo in full detail.
  • Illicit images can be hidden behind safe
    thumbnails!
  • Easy to do:
    • Manually
    • Photo applications like Photoshop
  • Thumbnail Mismatch identifies those photos where
    the full image does not match its thumbnail.

21
MD5 Hash Alerts, SmartHashing
  • To find known illicit images, examiners normally
    use MD5 hashes.
  • APF has full support for MD5 hash alerts.
  • But what if the photo is slightly changed?
    • MD5 Hash will not work.
  • APF incorporates SmartHashing that finds photos
    even if:
    • Resized
    • Color changed
    • Brightness changed
    • Slightly Cropped/Rotated
    • Touched up/Logo Insertion/Logo Removal
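
An added example, not APF's SmartHash (the slides do not describe its algorithm): it swaps in a plain 64-bit average hash to show why an exact MD5 lookup misses an edited copy while a similarity hash still matches, checking MD5 first and the similarity hash second. The images are constructed synthetic patterns; `lookup`, `edit` and the 6-bit threshold are assumptions, and an average hash does not survive rotation or heavy cropping.

```python
import hashlib

def shrink(img, n=8):
    """Block-average a square grayscale image (rows of 0-255 ints) to n x n."""
    k = len(img) // n
    return [[sum(img[r * k + i][c * k + j] for i in range(k) for j in range(k)) / (k * k)
             for c in range(n)] for r in range(n)]

def average_hash(img):
    """64-bit hash: one bit per cell, set when the cell is brighter than the mean."""
    cells = [v for row in shrink(img) for v in row]
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, v in enumerate(cells) if v > mean)

def md5_pixels(img):
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()

def lookup(img, known, max_bits=6):
    """known: list of (md5, average_hash). Exact check first, then near match."""
    digest, ahash = md5_pixels(img), average_hash(img)
    if any(digest == m for m, _ in known):
        return "md5"
    if any(bin(ahash ^ h).count("1") <= max_bits for _, h in known):
        return "similar"
    return None

# Constructed test images (synthetic patterns, no real photo data).
ORIGINAL = [[4 * x + 3 * y for x in range(32)] for y in range(32)]
UNRELATED = [[200 * ((x // 4 + y // 4) % 2) for x in range(32)] for y in range(32)]

def edit(img):
    """Brighten by 20, stamp a 4x4 white 'logo' in a corner, halve the resolution."""
    out = [[min(255, v + 20) for v in row] for row in img]
    for y in range(4):
        for x in range(4):
            out[y][x] = 255
    half = len(out) // 2
    return [[(out[2 * r][2 * c] + out[2 * r][2 * c + 1]
              + out[2 * r + 1][2 * c] + out[2 * r + 1][2 * c + 1]) // 4
             for c in range(half)] for r in range(half)]

KNOWN = [(md5_pixels(ORIGINAL), average_hash(ORIGINAL))]
EDITED = edit(ORIGINAL)

if __name__ == "__main__":
    for name, img in [("original", ORIGINAL), ("edited", EDITED), ("unrelated", UNRELATED)]:
        print(name, lookup(img, KNOWN))
```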

23
Photo Details
  • APF has the most powerful forensic photo viewer
    on the market:
    • Full Image
    • Preview/Thumbnail Images
    • Photo Header Details
    • EXIF Metadata
    • File System Information
    • Categorization and Bookmark Info
    • Summary
    • Cluster/Fragment Linking

24
Photo Details - Timelines
  • Generate zoomable timelines based on:
    • File Access Dates
    • File Creation Dates
    • File Modification Dates
    • EXIF Date/Time
  • Use EXIF Date/Times to get date/time information
    even if files are deleted.
  • Filter based on dates

26
Classification/Categorization
  • Categorization is an important part of a forensic
    analyst's work.
  • APF categorization was built from the ground up
    to be FAST and powerful.
  • APF includes built-in category profiles:
    • UK CP
    • North American CP
  • APF allows creation of custom profiles.
  • Create rules to automatically categorize based on
    SmartFilters.
  • Use hot keys to efficiently categorize from any
    screen.
  • Use categories to view/report/export/save/timeline
    photos.

27
Categorization Flow
  • [Flow diagram. Labels: Recovered Photo; MD5 DB Check (Lookup);
    SmartHash DB Check (Lookup); EID Rules Check; Match; Manual;
    Categorize; categories Adult, CP, Nudity, Other.]

29
Verify Integrity
  • Full Viewable Logs
  • Generate MD5/SHA1/SHA256 hashes of photos
  • Compute MD5/SHA1/SHA256 hashes of evidence before and
    after recovery
  • Compare evidence hashes prior to recovery against
    current hashes and stored hashes (EnCase only)

31
Reporting and Exporting
  • Customizable reports:
    • File System Data
    • Photo Details
    • EXIF Details
    • Thumbnails
  • CSV Exporting:
    • File System Data
    • Photo Details
    • EXIF Details
    • Thumbnails
  • FTK KFF Exporting

32
Additional Features
  • Batch Analysis for running multiple cases
    overnight or over the weekend
  • Ability to quickly blur thumbnails to prevent
    others from viewing photos.
  • Full hotkey support for all major features.
  • Built-in context-sensitive help
  • Certified Adroit Forensic Examiner (CAFE)
    training available

33
Adroit Photo Forensics
  • Contact Digital Assembly or an authorized
    reseller to provide you with a demo or additional
    information.
  • Website: http://digital-assembly.com
  • Email: sales_at_digital-assembly.com
  • Phone: 212-292-3136