Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adroit Photo Forensics 2013

Published byPranav Drust Modified over 11 years ago

Similar presentations

Presentation on theme: "Adroit Photo Forensics 2013"— Presentation transcript:

1 Adroit Photo Forensics 2013
Get the Complete Forensic Picture! How Adroit Photo Forensics can assist forensic examiners in every stage of an investigation involving photos.

2 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

3 Evidence Acquisition Adroit Photo Forensics (APF) supports :
Disk Images EnCase (E01) single/split images DD/RAW/BIN single/split images Logical Drives Physical Drives Folders

4 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

5 Photo Recovery - Active
Adroit Photo Forensics provides Active recovery for the following file systems: FAT12/16/32 NTFS HFS HFS+ All other file systems are carved.

6 Photo Recovery - Carving
APF can recover photo evidence that no other forensic product can! Validated Carving: Verifies that the photos follow the rules of the format NTFS/FAT Log Carving: Uses NTFS logs to validate and carve deleted photos SmartCarving™: Automatic recovery of fragmented photos. GuidedCarving™: Manual assisted recovery of fragmented photos. Size Carving: Specialized recovery of BMPs, TIFFs and RAWs.

7 Importance of complete carving
On average 16-20% of photos are fragmented. Every additional picture recovered can contain: Potential Suspects Potential Leads Potential Victims Potential Locations Missing timeline information Fragmented Recovery Traditional Forensic Tools Fragmented Recovery Adroit Photo Forensics

8 Embedded Carving Specialized Embedded Validated Carving for:
MS Office PK-ZIP Thumbnail Cache (XP, Vista & Windows 7) Generic Embedded Validated Carving for: All other files Sector Carving/Byte Carving: After carving and active recovery at the cluster level, APF removes all validated files. Remaining clusters are carved at the sector or byte levels.

9 Recovery Profiles A Recovery Profile contains a set of carving and analysis options. Can be quickly selected before starting a case. Built-in profiles for triage and detailed analysis built in. Create, Edit & Delete profiles. Profiles can be copied from one user to another.

10 Photo Formats Recovered
Adroit Photo Forensics recovers photos taken by digital cameras: JPEG RAW – Canon, Sony, Olympus, Nikon etc. Adobe DNG TIFF Also recovers: PNG GIF BMP

11 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

12 Organization APF allows faster organization and processing of cases involving photos Traditional forensic applications are focused on text and files. APF has a dedicated and streamlined UI for photos. Forensic Photo Gallery provides the fastest and most powerful way to view and organize photos. Sort/Group/Filter based on important photo specific properties

13 Organization – Forensic Photo Gallery
APF has a unique and powerful forensic photo gallery: Identify with one click Cameras used Image Manipulation Software (ex. Photoshop) EXIF Date/Times (Day, Month or Year) File name, folder and much much more Filter Photos By Photo Format Resolution (include/exclude thumbnails etc.) Ignore Status

14 Photo Gallery – Camera Grouping
Filtering out thumbnails Grouping By Camera Category Bookmarked (4 Photos) Apple iPhone 4 User selected ! Hash Alert (2 Photos) Nikon D100 Possible actions for selected photos

15 Custom Gallery APF contains a custom gallery:
View and sort user selected pictures. View and sort location or type specific photos like: Windows Thumbnail Cache Recycle Bin/Trashes Extension Mismatch Hash Alerts Bookmarks Ignored

16 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

17 Content Analysis There can be hundreds of thousands of photos in a single disk image. Analyzing them manually is just not efficient. Viewing photos by their thumbnails can still take a huge amount of time. Thumbnails are subject to anti-forensic attacks. So how do we save time and show an examiner only forensically important photos? SmartFiltering™

18 SmartFiltering™ SmartFilters™ present the most forensically relevant photos: Explicit Image Detection (Fast/Best) Face Detection Thumbnail Mismatch SmartHash™ MD5 Hash Alerts SmartHash™ Alerts

19 Explicit Image Detection
2 Modes of EID Best for detailed analysis Fast for triage (does not slow down recovery) Experimental Child Explicit Image Detector included Dynamic slider for reducing or increasing explicit images shown. Sort by skin percentage EID uses much more than skin analysis to reduce false positives and false negatives

20 Thumbnail Mismatch Criminals know that investigators maybe reviewing evidence via thumbnails. Investigators rarely have the time to view each photo in full detail. Illicit images can be hidden behind “safe” thumbnails! Easy to do Manually Photo applications like Photoshop Thumbnail Mismatch identifies those photos where the full image does not match with it’s thumbnail

21 MD5 Hash Alerts, SmartHashing™
Finding known illicit images, examiners normally use MD5 hashes APF has full support for MD5 hash alerts But what if the photo is slightly changed? MD5 Hash will not work. APF incorporates SmartHashing™ that finds photos even if: Resized Color changed Brightness changed Slightly Cropped/Rotated Touched up/Logo Insertion/Logo Removal

22 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

23 Photo Details APF has the most powerful forensic photo viewer on the market: Full Image Preview/Thumbnail Images Photo Header Details EXIF Metadata File System Information Categorization & Bookmark Info Summary Cluster/Fragment Linking

24 Photo Details - Timelines
Generate zoomable time lines based on File Access Dates File Creation Dates File Modification Dates EXIF Date/Time Use EXIF Date/Times to get date time information even if files are deleted. Filter based on dates

25 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

26 Classification/Categorization
Categorization is an important part of a forensic analyst’s work. APF categorization was built from the ground up to be FAST and powerful. APF includes built-in category profiles UK CP North American CP APF allows creation of custom profiles. Create rules to automatically categorize based on SmartFilters™ Use hot keys to efficiently categorize from any screen. Use categories to view/report/export/save/timeline photos. Adult CP Play Nudity

27 Categorization Flow MD5 DB Check SmartHash DB Check Lookup Lookup
Recovered Photo Match Categorize EID Rules Check Manual Match Other CP Adult Nudity

28 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

29 Verify Integrity Full Viewable Logs
Generate MD5/SHA1/SHA256 hashes of photos Do MD5/SHA1/SHA256 hashes of evidence before and after recovery Compare evidence hashes prior to recovery against current hashes and stored hashes (Encase Only)

30 Photo Forensic Case Stages
Evidence Acquisition Photo Recovery Organization Content Analysis Reporting and Exporting Verify Integrity Classification/Categorization Photo Details Adult CP Obscenity Nudity

31 Reporting and Exporting
Customizable reports File System Data Photo Details EXIF Details Thumbnails CSV Exporting FTK KFF Exporting

32 Additional Features Batch Analysis for running multiple cases over night or over the weekend Ability to quickly blur thumbnails to prevent others from viewing photos. Full hotkey support for all major features. Built-in context sensitive help Certified Adroit Forensic Examiner (CAFE) training available

33 Adroit photo Forensics
Contact Digital Assembly or an authorized reseller to provide you with a demo or additional information. Website: Phone: Adroit photo Forensics

Download ppt "Adroit Photo Forensics 2013"

Similar presentations

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
XProtect ® Express Integration made easy. With support for up to 48 cameras, XProtect Express is easy and affordable IP video surveillance software with.

XProtect ® Express Integration made easy. With support for up to 48 cameras, XProtect Express is easy and affordable IP video surveillance software with.
1099 Pro, Inc. – Software for 2004 1099 Pro Enterprise Edition Features.

1099 Pro, Inc. – Software for Pro Enterprise Edition Features.
CAPTURE SOFTWARE Please take a few moments to review the following slides. Please take a few moments to review the following slides. The filing of documents.

CAPTURE SOFTWARE Please take a few moments to review the following slides. Please take a few moments to review the following slides. The filing of documents.
The Evolution of File Carving Presenters: Muhammad Mohsin Butt(g201103010) COE589 Paper Presentation.

The Evolution of File Carving Presenters: Muhammad Mohsin Butt(g ) COE589 Paper Presentation.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
TRACK 2™ Version 5 The ultimate process management software.

TRACK 2™ Version 5 The ultimate process management software.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Jewelry Inventory Management Software Your Logo Here Welcome to a demonstration of Del Mar Data Systems Jewelry Inventory Management.

Jewelry Inventory Management Software Your Logo Here Welcome to a demonstration of Del Mar Data Systems Jewelry Inventory Management.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Adobe Photoshop CS Design Professional ADOBE PHOTOSHOP CS GETTING STARTED WITH.

Adobe Photoshop CS Design Professional ADOBE PHOTOSHOP CS GETTING STARTED WITH.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics

Computer & Network Forensics
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.

COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.
Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition.

Chapter 10 Recovering Graphics Files Guide to Computer Forensics and Investigations Third Edition.
ETT 429 Spring 2007 Digital Photography/Scanners.

ETT 429 Spring 2007 Digital Photography/Scanners.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

Similar presentations

Ads by Google