Adroit Photo Forensics 2013
How Adroit Photo Forensics can assist forensic examiners in every stage of an investigation involving photos.
Get the Complete Forensic Picture!

Photo Forensic Case Stages
• Evidence Acquisition
• Photo Recovery
• Organization
• Content Analysis
• Photo Details
• Classification/Categorization (category labels shown on the slide: Adult, Obscenity, CP, Nudity)
• Verify Integrity
• Reporting and Exporting

Evidence Acquisition
• Adroit Photo Forensics (APF) supports:
  • Disk Images
    • EnCase (E01) single/split images
    • DD/RAW/BIN single/split images
  • Logical Drives
  • Physical Drives
  • Folders

Photo Recovery - Active
• Adroit Photo Forensics provides active recovery for the following file systems:
  • FAT12/16/32
  • NTFS
  • HFS
  • HFS+
• All other file systems are carved.

Photo Recovery - Carving
• APF can recover photo evidence that no other forensic product can!
• Validated Carving: Verifies that the photos follow the rules of the format
• NTFS/FAT Log Carving: Uses NTFS logs to validate and carve deleted photos
• SmartCarving™: Automatic recovery of fragmented photos.
• GuidedCarving™: Manual assisted recovery of fragmented photos.
• Size Carving: Specialized recovery of BMPs, TIFFs and RAWs.
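
An added illustration of what validated carving means for JPEG, not APF's algorithm or code from the presentation: instead of trusting a header/footer pair, the carver walks the marker segments and rejects candidates that break the format's rules. It handles single-scan (baseline) streams only; the sample buffer and the function names are constructed for this example.

```python
SOI, EOI, SOS = b"\xff\xd8", 0xD9, 0xDA

def validate_jpeg(buf, start):
    """Return the end offset of a structurally valid JPEG at start, else None."""
    if buf[start:start + 2] != SOI:
        return None
    pos, seen_sof = start + 2, False
    # Header: every segment is FF <marker> <2-byte big-endian length> <payload>.
    while pos + 4 <= len(buf):
        marker = buf[pos + 1]
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if buf[pos] != 0xFF or length < 2 or pos + 2 + length > len(buf):
            return None                      # format rule broken: reject
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            seen_sof = True                  # start-of-frame segment
        pos += 2 + length
        if marker == SOS:
            break
    else:
        return None                          # data ended before start-of-scan
    if not seen_sof:
        return None
    # Scan data: FF may only precede 00 (stuffing), D0-D7 (restart) or D9 (EOI).
    while pos + 1 < len(buf):
        if buf[pos] != 0xFF:
            pos += 1
        elif buf[pos + 1] == EOI:
            return pos + 2
        elif buf[pos + 1] == 0x00 or 0xD0 <= buf[pos + 1] <= 0xD7:
            pos += 2
        else:
            return None
    return None                              # no end-of-image marker: truncated

def carve_jpegs(buf):
    # Try every SOI signature; keep only candidates that pass validation.
    found, pos = [], 0
    while (pos := buf.find(SOI, pos)) != -1:
        end = validate_jpeg(buf, pos)
        if end:
            found.append((pos, end))
        pos = end or pos + 2
    return found

# Constructed sample: a header/footer-only decoy, then a well-formed stream.
DECOY = SOI + bytes(20) + b"\xff\xd9"
GOOD = (SOI + b"\xff\xe0\x00\x07JFIF\x00" + b"\xff\xc0\x00\x11" + bytes(15)
        + b"\xff\xda\x00\x0c" + bytes(10) + b"\x12\xff\x00\x34\xff\xd9")
SAMPLE = bytes(512) + DECOY + bytes(100) + GOOD + bytes(64)
```

A signature-only carver would export the decoy at offset 512; the validated walk returns only the well-formed stream.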

Importance of complete carving
• On average 16-20% of photos are fragmented.
• Every additional picture recovered can contain:
  • Potential Suspects
  • Potential Leads
  • Potential Victims
  • Potential Locations
  • Missing timeline information
[Figure panels: Fragmented Recovery, Traditional Forensic Tools; Fragmented Recovery, Adroit Photo Forensics]

Embedded Carving
• Specialized Embedded Validated Carving for:
  • MS Office
  • PK-ZIP
  • Thumbnail Cache (XP, Vista & Windows 7)
• Generic Embedded Validated Carving for:
  • All other files
• Sector Carving/Byte Carving:
  • After carving and active recovery at the cluster level, APF removes all validated files. Remaining clusters are carved at the sector or byte levels.

Recovery Profiles
• A Recovery Profile contains a set of carving and analysis options.
• Can be quickly selected before starting a case.
• Built-in profiles for triage and detailed analysis.
• Create, Edit & Delete profiles.
• Profiles can be copied from one user to another.

Photo Formats Recovered
• Adroit Photo Forensics recovers photos taken by digital cameras:
  • JPEG
  • RAW – Canon, Sony, Olympus, Nikon etc.
  • Adobe DNG
  • TIFF
• Also recovers:
  • PNG
  • GIF
  • BMP

Organization
• APF allows faster organization and processing of cases involving photos
  • Traditional forensic applications are focused on text and files.
  • APF has a dedicated and streamlined UI for photos.
• Forensic Photo Gallery provides the fastest and most powerful way to view and organize photos.
  • Sort/Group/Filter based on important photo specific properties

Organization – Forensic Photo Gallery
• APF has a unique and powerful forensic photo gallery:
  • Identify with one click
    • Cameras used
    • Image Manipulation Software (ex. Photoshop)
    • EXIF Date/Times (Day, Month or Year)
    • File name, folder and much much more
  • Filter Photos
    • By Photo Format
    • Resolution (include/exclude thumbnails etc.)
    • Ignore Status

Photo Gallery – Camera Grouping
[Screenshot: gallery grouped by camera with thumbnails filtered out. Groups shown: Apple iPhone 4 (4 Photos), Nikon D100 (2 Photos). Callouts: Category, User selected, Hash Alert, Bookmarked, Possible actions for selected photos.]

Custom Gallery
• APF contains a custom gallery:
  • View and sort user selected pictures.
  • View and sort location or type specific photos like:
    • Windows Thumbnail Cache
    • Recycle Bin/Trashes
    • Extension Mismatch
    • Hash Alerts
    • Bookmarks
    • Ignored

Content Analysis
• There can be hundreds of thousands of photos in a single disk image.
• Analyzing them manually is just not efficient.
• Viewing photos by their thumbnails can still take a huge amount of time.
• Thumbnails are subject to anti-forensic attacks.
• So how do we save time and show an examiner only forensically important photos?
  • SmartFiltering™

SmartFiltering™
• SmartFilters™ present the most forensically relevant photos:
  • Explicit Image Detection (Fast/Best)
  • Face Detection
  • Thumbnail Mismatch
  • SmartHash™
  • MD5 Hash Alerts
  • SmartHash™ Alerts

Explicit Image Detection
• 2 Modes of EID
  • Best for detailed analysis
  • Fast for triage (does not slow down recovery)
• Experimental Child Explicit Image Detector included
• Dynamic slider for reducing or increasing explicit images shown.
• Sort by skin percentage
• EID uses much more than skin analysis to reduce false positives and false negatives

Thumbnail Mismatch
• Criminals know that investigators may be reviewing evidence via thumbnails.
• Investigators rarely have the time to view each photo in full detail.
• Illicit images can be hidden behind “safe” thumbnails!
  • Easy to do
    • Manually
    • Photo applications like Photoshop
• Thumbnail Mismatch identifies those photos where the full image does not match its thumbnail

MD5 Hash Alerts, SmartHashing™
• To find known illicit images, examiners normally use MD5 hashes
  • APF has full support for MD5 hash alerts
• But what if the photo is slightly changed?
  • MD5 Hash will not work.
• APF incorporates SmartHashing™ that finds photos even if:
  • Resized
  • Color changed
  • Brightness changed
  • Slightly Cropped/Rotated
  • Touched up/Logo Insertion/Logo Removal
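
An added illustration for this slide and the Thumbnail Mismatch slide before it, not code from the presentation: a plain 64-bit average hash stands in for SmartHash™, whose algorithm the slides do not describe. The images are synthetic grayscale grids, MD5 is taken over raw pixel values instead of file bytes, and the 10-bit threshold is an assumed value.

```python
import hashlib

def average_hash(pixels, size=8):
    """64-bit average hash of a grayscale image (list of rows, values 0-255)."""
    h, w = len(pixels), len(pixels[0])
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [pixels[y][x]
                     for y in range(by * h // size, (by + 1) * h // size)
                     for x in range(bx * w // size, (bx + 1) * w // size)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    # One bit per cell: set when the cell is brighter than the image average.
    return sum(1 << i for i, c in enumerate(cells) if c > mean)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def md5_of(pixels):
    # Stand-in for hashing the file: any changed pixel changes the digest.
    return hashlib.md5(bytes(v for row in pixels for v in row)).hexdigest()

def resize(pixels, w, h):
    """Nearest-neighbour resize, enough for this demonstration."""
    sh, sw = len(pixels), len(pixels[0])
    return [[pixels[y * sh // h][x * sw // w] for x in range(w)] for y in range(h)]

def thumbnail_mismatch(full, thumb, threshold=10):
    """Flag a photo whose embedded thumbnail does not resemble the full image.
    The threshold (differing bits out of 64) is an assumed value."""
    return hamming(average_hash(full), average_hash(thumb)) > threshold

# Constructed sample data (synthetic gradients, not real photos).
original = [[x + 2 * y for x in range(64)] for y in range(64)]
brighter = [[v + 10 for v in row] for row in original]          # brightness changed
smaller = resize(original, 32, 32)                              # resized copy
honest_thumb = resize(original, 16, 16)                         # true thumbnail
decoy_thumb = [[12 * x for x in range(16)] for _ in range(16)]  # unrelated picture

if __name__ == "__main__":
    print("MD5 still matches:", md5_of(original) == md5_of(brighter))
    print("hash distance (brighter):", hamming(average_hash(original), average_hash(brighter)))
    print("hash distance (resized):", hamming(average_hash(original), average_hash(smaller)))
    print("honest thumbnail flagged:", thumbnail_mismatch(original, honest_thumb))
    print("decoy thumbnail flagged:", thumbnail_mismatch(original, decoy_thumb))
```

A hash database keyed on MD5 misses the brightened copy, while the perceptual hash distance stays at zero for both altered copies and the decoy thumbnail is flagged.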

Photo Details
• APF has the most powerful forensic photo viewer on the market:
  • Full Image
  • Preview/Thumbnail Images
  • Photo Header Details
  • EXIF Metadata
  • File System Information
  • Categorization & Bookmark Info
  • Summary
  • Cluster/Fragment Linking

Photo Details - Timelines
• Generate zoomable timelines based on
  • File Access Dates
  • File Creation Dates
  • File Modification Dates
  • EXIF Date/Time
• Use EXIF Date/Times to get date and time information even if files are deleted.
• Filter based on dates

Classification/Categorization
• Categorization is an important part of a forensic analyst’s work.
• APF categorization was built from the ground up to be FAST and powerful.
• APF includes built-in category profiles
  • UK CP
  • North American CP
• APF allows creation of custom profiles.
• Create rules to automatically categorize based on SmartFilters™
• Use hot keys to efficiently categorize from any screen.
• Use categories to view/report/export/save/timeline photos.
[Category labels shown on the slide: Adult, Play, CP, Nudity]

Categorization Flow
[Flowchart. Nodes: Recovered Photo; MD5 DB Check (Lookup); SmartHash DB Check (Lookup); EID Rules Check; Categorize. Edge labels: Match, Match, Manual. Categories: Adult, Other, CP, Nudity.]

Verify Integrity
• Full Viewable Logs
• Generate MD5/SHA1/SHA256 hashes of photos
• Compute MD5/SHA1/SHA256 hashes of evidence before and after recovery
• Compare evidence hashes prior to recovery against current hashes and stored hashes (EnCase only)

Reporting and Exporting
• Customizable reports
  • File System Data
  • Photo Details
  • EXIF Details
  • Thumbnails
• CSV Exporting
  • File System Data
  • Photo Details
  • EXIF Details
  • Thumbnails
• FTK KFF Exporting

Additional Features
• Batch Analysis for running multiple cases overnight or over the weekend
• Ability to quickly blur thumbnails to prevent others from viewing photos.
• Full hotkey support for all major features.
• Built-in context sensitive help
• Certified Adroit Forensic Examiner (CAFE) training available

ADROIT PHOTO FORENSICS
Contact Digital Assembly or an authorized reseller to provide you with a demo or additional information.
Website: http://digital-assembly.com
Email: [email protected]: 212-292-3136