User Manual - Digital Assembly
Contents
1. [Screenshot: Forensic Photo Viewer, Metadata (EXIF Details) tab for photo Empidonax flavescens 001.jpg, listing Exif.Image and Exif.Photo tags (Make, Model, Orientation, XResolution, YResolution, ResolutionUnit, Software, DateTime, YCbCrPositioning, ExifTag, ExposureTime, FNumber, ExposureProgram, ISOSpeedRatings, ExifVersion, DateTimeOriginal, DateTimeDigitized, ComponentsConfiguration, ShutterSpeedValue, ApertureValue, ExposureBiasValue, Flash, FocalLength, UserComment), alongside the Photo Summary, File Summary and EXIF Summary panels.]
2. Left-click on the orange hotspots denoting evidence usage to view more details about the photos being represented. Double-click on the hotspot to view the photos indicated by the timeline. The timeline also shows thumbnail previews of the photos (if Show Thumbnails is enabled) which are responsible for evidence activity for the corresponding period. Recovery Counts: View the analysis summary of the evidence. Statistical data such as files found, carved, valid, etc. can be viewed here. For more detailed statistics, view the log. To view the analysis summary: View > Recovery Counts. Counts by File Type shows the number of photos recovered in terms of photo formats. Counts by Category displays the number of photos that belong to a particular category. This is specific to the category profile currently assigned to the case. If the category profile is changed, these numbers will be updated accordingly. Generate Reports [Screenshot: Report Generation dialog.]
3. Report for case TECHNOSECURITY_D. Report sections: Case Information; Examiner Information; Evidence Information; Recovery Statistics; Category Profile; Partition 1 Details; Partition 1 File Information. Product: Adroit Photo Forensics 2010; Version: 23; Case Name: TECHNOSECURITY_DEMO2_; Case Reference: 1002; Case Description: (blank); Case Created Date: Sep 14 2010; Case Last Accessed Date: Sep 14 2010; Evidence Drive: TECHNOSECURITY_DEMO2.img; Evidence Type: Disk Image (RAW, DD, BIN, ENCASE); Evidence Size: 125829120 bytes; Evidence MD5 Hash: Not Calculated; Evidence SHA256 Hash: Not Calculated; Number of Partitions: 1; Partition Name: NO NAME; Partition Size: 125562880 bytes; Partition Free Space: 37814272 bytes; Partition File System: Fat16; Partition File System Validity: true; Partition Cluster Size: 2048 bytes; Partition File System Offset: 266240 bytes; Partition Offset: 0 bytes; Partition Cluster Count: 61310; Partition Details: click here; Partition File S
4. Recover only camera photo formats. Photo Formats to Recover: JPEG (jpg and jpeg); Adobe Digital Negative Raw Format (dng); Canon Camera Raw format (crw); Canon Camera Raw format (cr2); Sony Camera Raw Format (arw); Sony Camera Raw Format (srf); Nikon Camera Raw format (nef); Olympus Camera Raw Format (orf); Minolta Camera Raw Format (mrw); Fuji Camera Raw Format (raf); Epson Seiko Raw Format (erf); Tagged Image File Format RAW (tiff); Windows Bitmap (bmp); Portable Network Graphics (png); Graphics Interchange Format (gif). This tab determines which photo formats should be processed. There are two standard options. Recover all photo formats supported: This option checks all supported photo formats and ensures that they are recovered if present in the evidence. Recover only camera photo formats: This option checks only those formats that can be generated by a digital camera. In addition, each of the formats can be individually checked or unchecked. SmartFilters Tab [Screenshot: SmartFilters tab of the Analysis Options screen (Analysis Profile: Best Recovery Basic Validation), showing the SmartFilter Exclusions options for filtering during recovery and on active, deleted and embedded photos, and a "Don't filter for width x height less than" setting.]
5. [Screenshot: Best Matches list of candidate blocks with match scores.] Then select from the list of blocks the block that you think fits in correctly. Keep trying until you get the correct block. [Screenshot: Swap Photo tab with Swapping Choices: Cluster Before Swap 17136; Cluster To Swap Out EOF; Cluster Amount To Select 150; Selected Cluster Start 54417; Selected Cluster End 54566; Best Matches list.] Once you have a correct continuing block to append to the photo, keep increasing the Number Of Blocks To Select until you reach an incorrect block or until you reach end of the file. If you reach an incorrect block, reduce the Number Of Blocks To Select such that only correct blocks are present in the p
6. automatic update checks. About: Information dialog about Adroit Photo Forensics. New Case: The New Case screen is the screen that will be used most often for creating a case. Cases can also be created in the Batch Analyze screen. [Screenshot: New Case screen with Case Information (Case ID 1000; Case Name apf_demo_image; Case Creation Date Jan 8 2013), Examiner Information, and Evidence Information (Drive apf_demo_image.E01; Type: Encase Disk Image; Partition 1 name NO NAME; File System Fat16; FS Validity Success; Cluster Size 4096 bytes; Offset 266240 bytes; Status: Ready for analysis; Analysis Profile: Best Recovery Basic Validation).] Case Information: For a new case, Case ID and Case Name are required; however, if auto generation of case is on they w
7. File Modification Date (by default): The date when the photo was last modified. File Creation Date: The date when the photo was created. File Access Date: The date when the photo was last accessed. EXIF Date Time: The embedded date and time within the photo. [Screenshot: date filter dialog with "Select Date To Filter On" (File Modification Date, File Creation Date, File Access Date, EXIF Date Time) and "Choose Date Ranges" (Don't apply any date filters; Include photos with unknown dates; Start Date Mar 6 2008; End Date May 1 2008).] If you want to view photos only within a particular date range, then uncheck the "Don't apply any date filters" option. At times date information might not be present within the photo. Under these circumstances we give them an unknown date identity. If you want to include photos with unknown dates, then check this option. It is recommended that you keep this option checked. Select the date by either entering the date in Mon Day Year format (for example, Jan 01 2010) or clicking the button next to it to bring out the calendar. After selecting the start and end dates, click Ok. Timeline Zoomed [Screenshot: Timeline view of All Photos (291) by File Modification Date, Sun Apr 5 1998 to Fri Jun 17 2011, with the Show Thumbnails option.]
8. [Screenshot fragment: Starting Cluster 3777; Cluster Count 395 (1 fragment); Cluster Range 3777-4171.] File Details: The File Details tab provides layout, file system information and hash information for a photo. File system information such as long file name, short file name, file size and dates (creation, modified, accessed), if present, is displayed here. Hash information including MD5, SHA1, SHA256 and SmartHash, if calculated, is displayed here. The cluster information has the starting cluster, which is the cluster from which the current photo begins. Cluster count is the number of clusters that belong to the photo, and the fragment count is the number of contiguous clusters that belong to the photo. The cluster ranges denote the range of clusters which constitute the photo being viewed. [Screenshot: Metadata (EXIF Details) tab for a photo in case del_AD_Testset, listing Exif.Image tags (Make, Model, Orientation, XResolution, YResolution, ResolutionUnit, Software, DateTime, YCbCrPositioning).]
9. Batch Analyze screen by clicking on the Analysis Options button. Analysis options are saved as part of profiles. APF comes with a few basic profiles built in, each of which can be edited and deleted. In addition, a user can create as many different profiles as necessary. Modification and deletion of analysis profiles can only be done in this screen. The Analysis Options screen has six tabs. Active & Deleted Recovery Tab [Screenshot: Active & Deleted Recovery tab. Active Recovery: Use file system to set offset, clusters and active files; Offset (Bytes); Cluster Size (Bytes); Recover active photos from file system; Identify active photos by header signature; Validate active photos found. Deleted Recovery: Carve photos using file system logs, NTFS/FAT (LogCarving); Carve photos that are sequentially stored (Sequential Carving); Carve photos that are fragmented (SmartCarving); Limit each SmartCarving cycle (sec); Size Carve based on unallocated space (BMP, TIFF, RAW formats). Preview Thumbnails: Show preview thumbnails during recovery; Create preview thumbnails by scaling photo instead of embedded thumbnail; Upscale preview thumbnails to max viewable size. Ignore: Ignore photos smaller than (KB); Ignore on MD5 stored in the Ignore DB; Ignore duplicate photos based on MD5 stored in the case.] Active Recovery: Use file system to set offset, clusters and active files. Selected: When this option is on, if a file system like NTFS o
10. If a photo contains multiple embedded thumbnails, they will each be shown in their own tabs. Summary [Screenshot: Summary panel. Type JPEG (JPG); Resolution 2112 x 1584; Category Other. File Summary: Name img_4333.JPG; Valid: Not Checked; Size 1.33 MB; Created Jun 19 2011; Modified Jun 17 2011; Accessed Jun 19 2011. EXIF Summary: Camera Canon; Model PowerShot SD 700 IS; Software Adobe Photoshop CS; DateTime 2005:08:04 20:06:36; Original 2010:11:21 14:26:04; Digitized 2010:11:21 14:26:04.] Shows a summary of the photo recovered along with EXIF information if available, such as creation, modified and accessed dates. You can bookmark single photos in the photo viewer by checking the Bookmark checkbox or hitting the B or b key on the keyboard. The category too can be set for the photo being currently viewed, by hitting the number key on the keyboard for the category you want to assign the photo to, or by selecting from the drop list. Clusters [Screenshot: Clusters tab with Locate Potential Error Cluster (Locate First Potential Error, Previous Error, Next Error) and GuidedCarve (Start GuidedCarve) controls.] Every photo is made of a series of disk clusters. This screen lists all the clusters that contain information pertaining to the photo. If a regular jpeg, each of the green buttons can be toggled and its corresponding region gets highlighted in the jpeg. This linkin
11. [Screenshot fragment: gallery thumbnails with Select All, Select All in Page and Select None buttons.] Example: In the Photo Gallery, select the group-by-camera filter. Select a particular camera group, say Canon PowerShot SD 700 IS, and open this group in a Custom Gallery. In this Custom Gallery we can again perform grouping or sorting operations on the basis of day, month, year, software, etc. [Screenshot: Forensic Photo Viewer showing photo Empidonax flavescens 001.jpg in case with 177 photos, with the Photo Summary, File Summary and EXIF Summary panels.] Primary Image: With the help of the Forensic Photo Viewer you can view all available forensic, file system and miscellaneous information for recovered photos. This includes the file information, EXIF info, embedded thumbnails, photo header details, etc. In the Primary Image tab the actual photo contents can be seen. If the photo is larger than the screen it is automat
12. [Screenshot: Photo Gallery with photo groups and the right-click popup menu.] Each photo group can be double-clicked to view the photos in the group. Right-clicking on a group brings up a popup as shown above. View Photos: This launches the photo viewer with the group. It is the same as left-clicking the group. View Timeline: This allows you to view the selected photos on the timeline. View Custom Gallery: This launches the Custom Gallery screen, where the selected photos can be further grouped and sorted. View photos in same folders: Opens a Custom Gallery containing photos from the same folder as the selected photo. Save Photos: This allows you to save all the photos in the group to the disk. Generate Reports: This allows you to generate a report only with the photos in the group. Categorize: This allows you to categorize the selected photos. Add Bookmark: This bookmarks all the photos in the group for future viewing or reporting. Remove Bookmark: This removes bookmarks from all the photos in the group. Ignore: Causes the ignore flag to be set for the selected photos. This will cause the photo not to be processed by default. Remove Ignor
13. in Database (Default: Not Selected). Selected: Will compare the SmartHash of photos in a case with photos that have SmartHash values in the alert database. If the photos are determined to be similar, a SmartHash Alert will be set on the photo. Not Selected: Will not perform SmartHash Alerts. SmartFilter Other. Do face detection (frontal) (Default: Selected). Selected: Will perform face detection as part of SmartFiltering if checked. Not Selected: Will not perform face detection as part of SmartFiltering. Do photo thumbnail mismatch detection (Default: Selected). Selected: Compares an embedded thumbnail against the photo it is supposed to represent. Some photos may contain a thumbnail embedded within the photo itself; these thumbnails are used by the operating system for quick views. There have been instances wherein an explicit image is hidden by an incorrect thumbnail. This option, when clicked, checks if the thumbnail matches the primary photo. Not Selected: Will not perform the thumbnail mismatch detection. Alert for Photos with MD5 hash in Database (Default: Selected). Selected: Tags photos whose MD5 hash values match the MD5 hash values in a database. Not Selected: Does not compare the MD5 hash values of the current case with the MD5 hash values in the database. Detect duplicate photos using MD5 Hash (Default: Selected). Selected: Detects duplicate photos in the case
14. to bring up the above pop-up menu. The View photos, timeline, save, etc. options all correspond to only those photos that belong to that category. The Redo this SmartFilter Only option performs the SmartFilter for that category only. This feature comes in handy when minor changes are made to SmartFilter options and re-running the entire SmartFilter for all the categories can be cumbersome. Thumbnail mismatch will show the modified thumbnail in the background, outlined with red, and the original thumbnail in the foreground. MD5 and SmartHash Alerts, Ignores and Bookmarks: Photos may be marked automatically or manually in many ways for easier printing, filtering and viewing. Bookmarks: Bookmarks allow for quick identification, viewing and reporting of photos that are of interest to a user. Bookmarking can be done from almost any screen in APF where thumbnails are available. This includes the Photo Gallery, Custom Gallery, Categorization and Photo Viewer screens. Most operations on photos, including viewing, reporting, exporting and saving, allow a user to select only bookmarked photos. For finer classification of photos, please view the next section on Categorization. MD5 Hash Alerts: MD5 hash alerts occur when a photo from the hash database has the same exact MD5 hash as a photo from the existing case. Any photos that are MD5 hash alerted will appear with a red triang
15. [Screenshot fragment: EXIF Summary dates, Original 2008:01:28 16:41:17; Digitized 2008:01:28 16:41:17.] Metadata (EXIF Details): EXIF information can contain additional information about a photo, like the camera settings, color encoding information, sounds recorded when the picture was taken, and Global Positioning System (GPS) information. Exactly what is recorded depends on the model of camera. EXIF/IPTC data, if present, will be displayed here. [Screenshot: Forensic Photo Viewer for photo Empidonax flavescens 001.jpg in case del_AD_Testset, with tabs File Details, Photo Details, Metadata (EXIF Details), Stored Thumbnail 1, Stored Thumbnail 2, Fragments, Image Ops, Summary and Clusters.] Stored Thumbnail: Some photos have an embedded stored thumbnail within them. If present, it is displayed in this tab
16. [Screenshot: Clusters tab with cluster list and the Locate Potential Error Cluster and GuidedCarve (Split, Swap, Append) controls.] Once the first erroneous region has been identified, click on Swap. This will inform the carver that the current block is not in its right place and needs to be swapped with another block. [Screenshot: Swap Photo tab for a partially carved photo in case del_AD_Testset, with Swapping Choices: Starting Cluster 13552; Cluster Before Swap 13561; Cluster To Swap Out 20912; Best Matches list with match scores; Accept button.] There will be a brief pause while the algorithm determines the best possible matches and presents them to you in ascending order. Clicking on these matches will show y
17. Bookmarked: Shows all the bookmarked photos in the Custom Gallery. If the case does not have any bookmarked images, it is disabled. Ignore: Shows all the photos that have been ignored in the Custom Gallery. Hash Alert: If the current case has Hash Alerted photos, this will open them in the Custom Gallery. Thumbnail Cache: If the current case has photos recovered from the Thumbnail Cache, this will open them in a Custom Gallery. Recycled: If the current case has photos recovered from the Recycle Bin, this will open them in a Custom Gallery. Resident Files: Shows photos in the current case that are stored as Resident files. Alternate Data Stream: Shows photos that are stored as Alternate Data Stream files. Sector Carved: Shows in the Custom Gallery photos that were carved out of unallocated space at the sector or byte level. Extension Mismatch: Shows in the Custom Gallery those photos that were determined to have a different photo type from what their extension indicates. Tools Menu [Screenshot: Tools menu with New Examiner, Edit/Delete Examiner, Batch Analyze (Alt+B), Blur Thumbnails (Alt+U), Category Profiles and Settings.] New Examiner: In order to add new examiners, click here to add examiner details. Edit Examiner: Used to edit and delete examiner names. Batch Analyze: When there is a need to do case analy
18. [Screenshot: Swap Photo tab for Photo_00145.jpg with Swapping Choices: Starting Cluster 51222; Cluster Before Swap 17136; Cluster To Swap Out EOF; Best Matches list of candidate clusters with match scores.] Ooops, I can't see the photo. Use the zoom feature in the swap image tab to see if the photo did get modified by the selected block. [Screenshot: Swap Photo tab with Swapping Choices: Starting Cluster 51222; Cluster Before Swap 17136; Cluster To Swap Out EOF; Selected Cluster Start 54417; Selected Cluster End 54417; Best Matches and All Available Clusters lists.]
19. [Screenshot fragment: analysis log dated Tuesday January 8 2013, 6:41:06 PM EST; time taken for analyzing case 00:01:30.] The log contains all the details of the analysis. The log also contains the analysis result of each individual photo as specified in the Analysis Options. To view the logs of a case: View > Log, or click on the Magnifier icon. Scroll down to view the logged information. Click Close to close the log. NOTE: If the log is larger than 10 MB then APF would need to use an external text editor such as Notepad or Wordpad. [Screenshot: SmartFilters screen for case apf_demo_image (291 photos), with filter groups Explicit Best, Child, Faces, Thumb Mismatch, SmartHash, Hash Filters, Duplicates, MD5 Hash Alert, Not SmartFiltered, Skipped and Failed.] SmartFiltering helps in auto detection of explicit content in photos, child porn, faces, thumbnail mismatches and duplicates. Explicit (Fast, Best, Balanced): Explicit photo detection attempts to detect photos th
20. Digital Assembly. Adroit Photo Forensics 2013 User Manual, Version 3.0a. The following user manual is for using Adroit Photo Forensics v3.0a and is a step-by-step guide on how to create and open cases, perform analysis and view the results. 2006-2013. All rights reserved. Table of Contents [garbled in extraction; legible entries: SmartCarve GuidedCarve Settings Tab; Hash Database Settings Tab; New Examiner Screen; Analysis Options; Active & Deleted Recovery Tab; Embedded Recovery Tab; Category Profiles] ANALY
21. SIS START [Table of contents, continued; garbled in extraction; legible entries: Photo Gallery; Photo Gallery Selection and Navigation; Custom Gallery; Forensic Photo Viewer; Recovery Counts; MD5 and SmartHash Alerts, Ignores and Bookmarks; Category Profiles; Opening Cases; Verify Hashes; Import; GuidedCarve; GuidedCarve Step 1: Identify Potential Error Block] GuidedCarve Step 2 Ch
22. [Screenshot: Batch Analyze screen listing cases (for example thumbnail_jpeg_600mb_1.img, Case ID 1011), with legend Not Processed, Analysis Ongoing, Analysis Incomplete, Analysis Completed; Total number of cases 11; Cases left to analyze 2.] To clear all entries in the batch screen, click on New Batch. You can always return to the batch screen by clicking on Tools > Batch Analyze. Verify Hashes [Legend: Hash Match; Hash Mismatch; Nothing To Match Against.] When starting the recovery, in the Analysis Options, if you choose to calculate MD5 and SHA1 or SHA256, then the respective hash values are calculated before and after recovery. We can verify the hashes at any point once the recovery is completed. Once the analysis is complete, click on View > Verify Hashes; you can always compute the different hashes of the current case. Select the type of hash to be calculated and click on the Compute current hashes button. If the evidence is an Encase disk image, then embedded hashes are retrieved and matched against the hash values computed prior to and post recovery. If it is not an Encase disk image, embedded hashes do not exist and the post-recovery hashes are compared with the hashes calculated prior to recovery. [Screenshot: Verify Hashes results showing SHA1 and SHA256 values.]
23. a swap, except you are indicating that the picture is incomplete but has no problem blocks. So you are simply indicating to the GuidedCarve algorithm that you are selecting the next correct block(s). GuidedCarve Operation: Split [Screenshot: Forensic Photo Viewer for Photo_00113.jpg with the Locate Potential Error Cluster and GuidedCarve controls.] Once the first erroneous region has been identified, click on Split. This indicates that the current block is not in its right place and needs to be broken off. Now click on Start GuidedCarve to initiate the recovery of the photo. The problem with Split is that the next best match as determined by the algorithm could be wrong. After the split has been done, click on Start GuidedCarve to begin the GuidedCarve process; the new photo will then be displayed to you. Tip: Swapping, while initially slower, gives better results. [Screenshot: Photos Being Rebuilt view, Cluster Sequence, 7 fragments.]
24. ase files. To change, click Browse and select the path. 4. Examiner name is required and must be selected. [Screenshot: Batch Analyze screen with the prompt "Click inside disk image column to select evidence", the Examiner Name selector, the options "Over write existing case" and "Ask before over writing", and a table of disk images with columns Case ID, Case Name and Case Path.] In batch analysis, select a disk image by clicking in the disk image column. If the auto generate case details feature is not on, then fill in the case name, ID and path. Enter the case comments, if any, and select the options button to define the various parameters you would like to use when performing analysis. The total estimated time taken to analyze the selected cases is displayed in the bo
25. at have skin tones in them. The greater the skin tone, the more likely a photo is to be flagged as explicit. Useful for porn detection. Explicit Fast is used to do a quick but not precise analysis of all the photos. Explicit Best is slower but is more likely to correctly identify skin in photos, whereas Explicit Balanced is somewhere in between Best and Fast in terms of speed and accuracy. Child is a feature for detecting child pornography; it looks for photos that are explicit (see above) and that may potentially have children's faces in them. Thumbnail Mismatch: Some photos may contain a thumbnail embedded within the photo itself; these thumbnails are used by the operating system for quick views. There have been instances wherein an explicit image is hidden by a safe thumbnail. This SmartFilter shows those photos that were detected as having thumbnails that are different from the original photo. SmartHash: Photos identified in this group are either duplicates of each other or are edited versions of the same photo. SmartHashing is basically a form of fuzzy hashing. Hash Filters: Filters photos that are duplicates and hash alerted. Duplicates: Photos identified in this group are exact MD5 matches of each other. MD5 Hash Alert: Photos in this group have been matched against the database of known file MD5s. If the categories have been stored in the database, then the photo will be auto-categorized. Smar
26. by comparing MD5 hashes. If there are 2 or more photos having the same MD5 hash, then duplicates are present. Not Selected: Does not compare the MD5 hash values of the photos with each other.
Report Settings Tab
[Screenshot: Report Settings tab (Full Photo)]
Reports can be customized by selecting and removing fields. The list box on the left contains fields not appearing in the report. The list box on the right lists fields appearing in the report. Reports are saved in the Reports folder within the case folder. The main report is index.html.
CSV Settings Tab
[Screenshot: CSV Settings tab. Fields shown include Modification Date, Accessed Date, File Status, Recovery Process, Validity, MD5, SHA1, SHA256 and Cluster Ranges.]
CSV reports can be customized by selecting and removing fields. The list box on the left contains fields not appearing in the report. The list box on the right lists fields appearing in the report. CSV reports are generated in the case folder and are named <case name> Report. After the CSV is generated, a prompt will appear asking whether the CSV is to be viewed. Generally, CSV files are viewable in Excel.
SmartCarve/GuidedCarve Settings Tab
[Screenshot: Fragment Recovery Settings: Maximum fragments, Maximum forward search, Maximum backward search, Forward match threshold, Backward match threshold, Sequential match threshold (0.05), Fragment ignore threshold] Check
27. ck so we go back a block and select only 5 blocks to be swapped.
- Click on Accept Swap.
- Click on Start GuidedCarve.
- You may need to repeat the steps until you carve out the photo correctly and completely.
[Screenshot: Viewing Photo, Photos Being Rebuilt; cluster sequence of 585 clusters]
- Once the photo is carved out correctly and completely, the thumbnail is outlined with a green border.
GuidedCarve Operation: Append
[Screenshot: Primary Photo view with the GuidedCarve controls: Locate Potential Error Cluster, Locate First Potential Error, Previous Error, Next Error, GuidedCarve]
- When a photo has been incompletely carved out, you need to perform GuidedCarve using Append.
- In this scenario all the blocks are correctly in place, but the photo is not recovered completely.
- This is similar to GuidedCarve using Swap, but here no block is replaced. Instead, a new block which you think is the correct match is added to the end of the recovered photo.
28. ction EID
[Screenshot: SmartFilter options in Analysis Options. Explicit image detection: No EID (will not show explicit images); Fast EID (lower accuracy rate, very fast); Best EID (highest accuracy rate, slow); Identify explicit images with children. SmartFilter SmartHashing: Group photos that are similar (resized, edited, etc.); Similar SmartHash threshold; Alert for photos with SmartHash in database. SmartFilter Other: Do face detection (frontal); Do photo thumbnail mismatch detection; Alert for photos with MD5 hash in database; Detect duplicate photos using MD5 Hash.]
SmartFilter settings in Analysis Options affect SmartFiltering only during recovery. We recommend that SmartFiltering be run in triage mode with Hash Alerts on at least, assuming the user has a hash database to compare against.
SmartFilter Exclusions
SmartFiltering is a feature that filters specific content in the recovered photos. SmartFiltering can be performed either during recovery or after recovery is complete. This section refers to the options available during recovery.
Do filtering during recovery. Selected: SmartFiltering will be performed during the recovery of the pictures. Not Selected: SmartFiltering is not performed during recovery. By default it is unchecked.
Do filtering on active photos. Selected: SmartFiltering will be performed for active photos. Not Selected: SmartFiltering is not performed for active photos.
Do filtering
29. d Thumbnail Cache Recycled
[Shortcut key column of the keyboard shortcut table; the first entries are illegible] or Ctrl, Shift (correspond to default); All arrow keys; Mouse wheel; Backspace key; Ctrl N; Ctrl O; Alt G; Alt V; Alt T; Alt R; Alt Y; Alt L; Alt F; Alt C; Alt B; Alt U; Ctrl R; Alt 1; Alt 2; Alt 3; Alt 4
30. [Screenshot: Photo Gallery thumbnails with the Select All, Select All in Page and Select None buttons]
The first Show drop-down can be used to display only photos belonging to a specific file type. For example, to view only JPEG photos, simply select the appropriate option. The second drop-down can be used to filter photos based on their resolution. For example, to view only photos greater than 32x32 pixels, simply select it from the drop-down options. The third drop-down determines whether ignored photos are shown. By default, ignored photos are not shown. To show even ignored photos select
Photo Gallery Selection and Navigation
[Screenshot: Photo Gallery (Active, 77) with the right-click menu: View Photos, View Timeline, View Custom Gallery, View photos in same folder(s), Save Photos, Generate Reports, Categorize, Add Bookmark]
31. d below which, if a block is being analyzed before the last known block, it gets automatically selected. This means that backward searching will be terminated and the block that had a score below the threshold value gets selected.
Sequential match threshold. Default value: 0.07. This determines the score threshold below which sequential blocks are automatically merged.
Fragment ignore threshold. Default value: 0.3. This determines the score threshold ABOVE which blocks are removed from consideration.
Check threshold for a footer fragment. Default value: Not Selected. Selected: When a footer is the starting block of a fragment, the footer must pass the score threshold before being selected for the recovery of a photo. Not Selected: The footer will be automatically attached to a recovered photo if it decodes successfully. No threshold is checked.
Swap/Append Settings
Maximum forward search. Default value: 50,000. This determines the number of blocks to search AFTER the selected block for swap. The lower the number, the quicker the search; the higher the number, the more likely that the correct block to swap in will be found.
Maximum backward search. Default value: 50,000. This determines the number of blocks to search BEFORE the selected block for swap. The lower the number, the quicker the search; the higher the number, the more likely that the correct block to swap in will be found.
Maximum number of matches. Default value: 100. Tota
32. e Removes the ignore flag from a photo.
Navigation in the photo gallery follows normal Windows behavior. You can use the mouse to select a thumbnail group, you can hold the Shift and Ctrl keys to select multiple groups, and finally you can use the keyboard arrows to select a photo as well. All the buttons at the bottom of the screen require at least one thumbnail group to be selected. Moving between pages can be done by using the slider, the page buttons on the top right, the mouse wheel, or the PgUp and PgDown keys.
Custom Gallery
[Screenshot: Photo Gallery (Active, 77) with the right-click menu: View Photos, View Timeline, View Custom Gallery, View photos in same folder(s), Save Photos, Generate Reports, Categorize, Log, Add Bookmark, Remove Bookmark, Ignore, Remove Ignore]
- Grouped/selected photos can be opened in a Custom Gallery by right-clicking on the selected group.
- In the Custom Gallery, photos can be viewed, sorted and grouped in gallery format.
[Screenshot: Custom Gallery thumbnails]
33. - Clicking on the photos will navigate to the partition details, where more information can be seen with respect to the photo clicked on.
[Screenshot: photo entry listing MD5, SHA256, SmartHash, Thumbnail Mismatch, Starting Cluster, Cluster Count, Cluster Ranges and Short File Name]
- Clicking on the thumbnail will navigate to the actual full-size photo with respect to the thumbnail clicked on.
View Log
[Screenshot: case log listing Case Comments, Examiner Name, Case Creation Date, Case Last Accessed Date, the evidence name and type, Evidence Serial ID, Evidence MD5 Hash, Evidence SHA256 Hash, Evidence Size, Partition Count, Free Space, File System, Cluster Size and File System Offset, followed by the analysis output of Adroit Photo Forensics 3.0a beta]
34. e folder C:\mysavedcase\3jpegs by default.
Examiner Path is where examiner details are saved. To change it, click on Browse. Multiple examiners can be saved and then subsequently selected when creating a case. APF remembers the examiner information of the most recently created case.
Case Creation
Fill case details based on disk image. Default: Selected. Selected: The case name and case path will be automatically filled out when selecting a disk image or drive. For example, if 3jpegs.e01 is selected, then the case name and case path will be 3jpegs. Note: the name and path can be manually edited at any point. Not Selected: Case name and ID will have to be manually entered.
Starting case ID seed value determines at which number case ID processing should start. This too can be changed at any point.
Thumbnails
Blur thumbnails to hide photo content. Default: Not Selected. Selected: Thumbnails of the photos recovered during and after the recovery process will be blurred. May slow down navigation. Not Selected: No blurring will occur on the thumbnails.
Show Thumbnails in TimeLine. Default: Selected. Selected: Allows thumbnails to be displayed when a hotspot in the timeline is clicked. You can read more about this in the timeline section. Not Selected: Thumbnails are not shown in the timeline.
Screen after Analysis/Recovery
This section allows you to choose the default screen set after a
35. e performed for embedded in deleted photos. Not Selected: SmartFiltering will not be performed for embedded in deleted photos.
Do filtering on embedded in active photos. Default: Not Selected.
Do filtering on embedded in deleted photos. Default: Not Selected.
Do filtering on partial photos. Default: Not Selected. Selected: SmartFiltering is attempted on invalid/corrupted/partial photos. Not Selected: SmartFiltering will not be performed for invalid/corrupted/partial photos.
SmartFiltering can also be configured to filter only photos larger than a certain resolution. The default minimum is 128x128 pixels and it can be changed. Setting it to 0x0 ensures that the resolution will not be used to determine whether the photo should be skipped.
SmartFilter Explicit Image Detection (EID)
No EID (will not show explicit images). Default: Not Selected. Explicit image detection will be disabled.
Fast EID (lower accuracy rate, very fast). Default: Not Selected. The time taken to perform EID is reduced but the accuracy is lower.
Best EID (higher accuracy rate, slow). Default: Selected. The most accurate EID mode, but also the slowest.
Show EI only if face is detected (Best EID only). Default: Selected. Selected: An image will only be considered explicit if a face is detected in the image. This will dramatically lower false positives and may decrease speed a bit but wi
36. [Screenshot: hash verification results with the legend Hash Match, Hash Mismatch, Nothing To Match Against]
Computed hash values of the current case are compared against all the previously retrieved or calculated hashes. They are displayed in green if the hashes match. If they don't match, they are displayed in red. If the hash values prior to the recovery were not calculated, then the newly computed hashes appear in black.
Export As FTK KFF
[Screenshot: export dialog. Select Group: All Photos, Active & Valid, Carved & Valid. Select by recovery type (Active, Embedded in Active, Invalid/Partially Active, Sequentially Carved, LogCarved, SmartCarved, GuidedCarved, Embedded in Carved, Invalid/Partially Carved), by category, Bookmarked, MD5 Hash Alert or SmartHash Alert. Option: Process ignored photos in selections above.]
THE CATEGORY SECTION WILL NOT APPEAR IF CATEGORY PROFILE IS NOT SET FOR THE ACTIVE CASE.
In order to export MD5 hashes of the photos recovered, go to File > Export As FTK KFF and the above dialog will appear. Select the group of photos whose MD5 hashes you would like to export. Save this hash list as a Comma Separated Value (.csv) file which can
37. [Screenshot: Photo Gallery grouping options (Hide Ignored; use to show thumbnails in different tabs dependent on recovery mode: Embedded, Invalid, Valid/Invalid; All Photos, Single Tab) with the Select All, Select All in Page and Select None buttons]
By default, photos are separated by the process in which they were recovered. So, for example, fragmented photos recovered by SmartCarving that were validated will show up in the SmartCarving tab. You can change this default grouping to suit your needs. For example, if you don't care about separating the photos by their recoveries, simply select the corresponding option and then all photos will be shown in a single tab.
Show Options
[Screenshot: Photo Gallery (Active, 77) with the All Formats drop-down, which allows you to show photos of a specific type (jpeg, png, etc.)]
38. ent in the file system, i.e. file not deleted, etc. Depending on the various photo types recovered, you will have a list of photo types and the corresponding number of photos of each type.
Generate Reports: Creates a more presentable and detailed report for the group of photos. Case information, examiner information and evidence information, along with detailed analysis reports, are generated. Please be patient while generating reports for cases having a large number of recovered photos.
Log: Opens the log created during the analysis of the evidence. The log contains case information right from creation time, including case update information. File recovery statistics are also written to the log if the analysis option "Write recovered file information to log" is checked.
Verify Hashes: If MD5 and SHA1 or SHA256 values are chosen to be calculated in Analysis Options, then the respective hash values are calculated before and after the recovery. The hashes can be verified at any point once the recovery is completed.
SmartFilters: SmartFilter auto-detects explicit content, adult and child faces, photos that have mismatched thumbnails embedded within them, similar-looking photos and more.
Custom Gallery: Bookmarked (Alt 1), Ignored (Alt 2), Hash Alert (Alt 3), Thumbnail Cache (Alt 4), Recycled (Alt 5), Resident Files (Alt 6), Alternate Data Stream (Alt), Sector Carved (Alt 8), Extension Mismatch (Alt 9)
39. etected: Rule for whether a child face is found in the photo or not.
If you are creating a new rule and you don't want to use one or more of the above, simply select Ignore.
Some examples of rules:
1. Photos with No Faces: Skin = Ignore, Explicit = Ignore, Adult = False, Child = False. Rule shown: No Adult Face, No Child Face.
2. Photos with Adults and Skin > 50: Skin > 50, Explicit = Ignore, Adult = True, Child = Ignore. Rule shown: Skin > 50, Adult Face.
3. Photos with Adults and no children and Skin > 50: Skin > 50, Explicit = Ignore, Adult = True, Child = False. Rule shown: Skin > 50, Adult Face, No Child Face.
Opening Cases
[Screenshot: Viewing Existing Case screen. Case Information: Case ID, Case Path, Case Name, Case Creation Date, Last Modified Date, Comments. Examiner Information: Examiner's Name, Company/Agency, Address, Contact. Evidence Information: Image File (EnCase, raw, dd, bin), Drive, Type, Size, Model, Serial ID.]
Click ne
40. [Screenshot: EXIF Details tab listing the Exif Photo tags of the sample photo (ExposureTime, FNumber, ExposureProgram, ISOSpeedRatings, ExifVersion, DateTimeOriginal, DateTimeDigitized, ComponentsConfiguration, ShutterSpeedValue, ApertureValue, ExposureBiasValue, Flash, FocalLength, UserComment), with the Photo Summary, File Summary and EXIF Summary panels]
Photo Details
The Photo Details tab provides information taken from the header structure of the photo. The information presented may include such details as image type, color, width, bits per pixel, etc.
[Screenshot: photo viewer with the tabs Primary Photo, File Details, Photo Details, Metadata, EXIF Details, Stored Thumbnail 1, Stored Thumbnail 2]
41. g does not work for other photo types currently.
Fragments
[Screenshot: Fragments tab with the controls Locate Potential Error Cluster, Locate First Potential Error, Previous Error, Next Error, GuidedCarve (Split, Swap, Append), Start GuidedCarve, Save]
A fragment is a sequence of clusters which are contiguous. There are 4 cluster ranges in the above example and they are not sequential (contiguous), thus the photo has 4 fragments. For a regular JPEG, each of the green buttons can be toggled and its corresponding region gets highlighted in the JPEG. This linking does not work for other photo types currently.
Image Ops
[Screenshot: Image Ops panel with Resize, Rotate, Brightness and Contrast controls, the processed image, and the Close and Save buttons]
The image ops supported are resize, rotate, brighten and contrast. When changing the defaults for the image, a new tab will open in the primary display area with the modified image. Once a modification has been carried out, the two buttons Close and Save will be enabled. The Save button allows the modified image to be saved as a JPEG. The Close button closes the opened modified image.
[Screenshot: Viewing Timeline, All Photos (291)] File Modificatio
42. group of the current open case. The photos do NOT have to be ignored in the current case, so any selection will do.
From File: The hashes are imported from an external file. The external file selected must be in one of the following formats only: FTK Imager Hash List or simple CSV (.csv), iLook (.hsh), Hashkeeper (.hsh).
From Windows OS: The hashes are imported from a file containing Windows XP, Vista and 7 operating system folder photos.
GuidedCarve
[Screenshot: Viewing Photo with the Clusters, Fragments and Image Ops tabs; cluster sequence of 7 fragments]
- GuidedCarve is the process by which partially carved files can be fully recovered after some user manipulation. Currently GuidedCarve is only supported for JPEGs.
- There are three steps to GuidedCarve.
Step 1: Identify the first incorrect block. This is the first block that does not belong to the image.
Step 2: Choose one of three modes: Split, Swap or Append.
Step 3: Start the GuidedCarve process.
GuidedCarve Step 1: Identify Potential Error Block
[Screenshot: Fragments, Image Ops, Summary and Clusters tabs; cluster sequence of 2687 clusters; controls Locate Potential Error Cluster, Locate First Potential Error] Previous Erro
43. hoto
- Click on Accept Swap.
- In the next screen, click on Start GuidedCarve.
[Screenshot: Viewing Photo, Photos Being Rebuilt; cluster sequence of 4 fragments; controls Locate Potential Error Cluster, Locate First Potential Error, GuidedCarve, Save, Revert, Go Back]
- The carver will continue from where you left off.
- If the carver correctly carves the photo, it will display the thumbnail with a green border, which means that the photo has been validated.
Appendix A: Keyboard Shortcuts
The following keys are specific to selected groups of photos: Hide/unhide thumbnail strip and summary block; View in Forensic Photo Viewer; Generate reports; View Timeline; Save photos; Bookmark/unbookmark; Categorize the photos.
Selection: Select all photos in a tab; Select all photos on a page; Deselect all photos on a page; Selecting photos.
Navigation: Navigating between photos; Page navigation; Go back to previous screen.
Screen: New Case; Open Case; Photo Gallery; Photo Viewer; Timeline; Generate Reports; Recovery Counts; Show Log; View SmartFilter; View Categories; Batch Analyze; Blur Thumbnails; Register Product; Bookmarked; Hash Alerte
44. hotos in carved files. Selected: Each embedded photo found in a deleted file is validated for structural correctness. Not Selected: Embedded photos in deleted files are assumed valid.
File Types Analyzed for Embedded
Analyze all file types for embedded photos. Selected: Every single file type recovered will be parsed for embedded photos. Warning: this option can be very slow on large drives. Not Selected: File types recovered will be determined by the list selection below.
List Selection: Lists the file types which, when detected, will be parsed for embedded photos.
Integrity/Hashing Tab
[Screenshot: Integrity/Hashing tab for the analysis profile Best Recovery, Basic Validation. Photo Integrity: Generate MD5 hash of each photo; Generate SHA hash of each photo; Write detailed information of each photo to log. Evidence Integrity: Generate SHA hash of evidence (SHA1); Select evidence disk image time zone.]
Photo Integrity
Generate MD5 hash of photos. Selected: Generates an MD5 hash of each photo recovered. Not Selected: Disables MD5 hash generation. Note: This setting can be overridden if the user has chosen hash alerts or duplicate detection.
Generate SHA hash of photos. Selected: Generates a SHA hash of each photo recovered. You can select SHA-1 or SHA-256, but not both. Not Selected: Disables SHA hash generation.
Write detailed information of each ph
45. [Screenshot: GuidedCarve controls Locate Potential Error Cluster, Locate First Potential Error]
For heavily fragmented photos like the one above, you may need to iterate (select the erroneous block/fragment, click on Split, click on Start GuidedCarve) until you successfully carve the photo completely.
[Screenshot: Save Photo] GuidedCarve was performed correctly and successfully for the given example. The photo has been validated and moved to a separate tab, Guided Carve.
GuidedCarve Operation: Swap
[Screenshot: Viewing Photo, Invalid/Partially Carved; cluster sequence of 10 fragments]
- By doing a swap, the block/fragment that has been selected will be replaced by another block which you think is the correct match.
- This is similar to GuidedCarve using Split, the difference being that after selecting the incorrect block/fragment we do not Start GuidedCarve; instead, we look at the list of available blocks and visually select which block to choose.
[Screenshot: Viewing Photo, Invalid/Partially Carved; Primary Photo, Fragments, Summary] Cluster Sequence 5
46. ically scaled to fit the screen. You can view the full photo by clicking on the zoom button (100) in the Primary Image tab.
[Screenshot: Viewing Photo, Empidonax flavescens 001.jpg, File Details tab. FILE INFORMATION lists Unique ID, Short File Name, Long File Name, File Size, File Type, Resolution, Partition, Path, Creation Date, Modification Date, Accessed Date, File Status, Recovery, Embedded, Validity, MD5, SHA256 and SmartHash, followed by BLOCK INFORMATION; the side panels show the Photo Summary, File Summary and EXIF Summary.]
47. ill be created based on the evidence selected. Auto-generation of Case ID and Case Name based on the selected evidence is turned on by default in the Settings screen.
Examiner Information
By default, the last chosen examiner is displayed in the Examiner's Name drop-down list. No examiner details will be present when APF is run for the first time. Click on the button to add a new examiner's information. You can also use File > New Examiner to add new examiners.
Evidence Selection
There are four different types of evidence that can be selected: disk images, physical drives, logical drives and folders.
Disk Images: Click on "Click here to choose a disk image" and then browse to and select the disk image that you want analyzed. APF currently supports both EnCase and DD/Raw disk images. Disk images are the preferred method of analyzing evidence.
Folder Recovery: Click on the node "Click here to choose a folder" and then browse to and select the folder you wish to recover from. APF allows you to select a folder and optionally all sub-folders underneath the folder. Cluster information and deleted file recovery will not be available in this mode.
Physical Drives: This node gives the list of all detected physical drives. Typically, analysis on drives should be done on the physical drive.
Logical Drives: This node gives the list of all detected logical drives.
Analysis Profiles
Select the Analys
48. ing rule: Explicit, Adult Face, No Child Face. What this means is that if the rule is turned on, then during SmartFiltering any photo that is detected as Explicit, has an adult face and has no child faces will be categorized as Adult. You can of course change the categorization of any photo that you are not happy with. This feature is just meant to be used as a time saver for users who do a lot of categorization. Note: All rules are ANDed. There is currently no OR.
Creating new rules
[Screenshot: Generate Rule dialog with the selectors Skin Detected, Explicit Detected, Adult Detected and Child Detected (each Ignore, True or False), shown over the Category Rules list: Not Categorized, 1 Child Pornography, 2 Child Nudity, 3 Child Other, 4 Adult, 5 Obscenity, 6 Other]
You can create new rules for existing or new profiles by simply clicking on the last column for a group. This will bring up the screen above. The four rules currently selectable are:
Skin Detected: Rule based on the percentage of skin detected in a photo.
Explicit Detected: Rule for whether the SmartFilter process detected an image as explicit or not.
Adult Detected: Rule for whether an adult face is found in the photo or not.
Child D
49. is Profile from the drop-down list that you want to use on the evidence. Analysis Profiles are sets of recovery and analysis settings that are run on a case. Click on Analysis Options to modify, add or delete analysis profiles. Read more about this in the Analysis Options section.
Analyze
If no problems are detected, the Analyze button will become enabled. Click on it to start evidence analysis.
New Examiner Screen
[Screenshot: New Examiner Information form with the fields Examiner's Name, Company/Agency, Address (Street Name, City, State/Province, Zip/Postal Code, Country), Contact (Phone, Email) and Comments]
This screen is fairly self-explanatory. You can use this screen to add as many examiners as you want. They will then be available in the examiner drop-down list in both the New Case and Batch Analyze screens.
Fill in examiner details as required and click Save. Only the Examiner's Name field is mandatory. All examiners added can be chosen in the combo box in the case screen. APF will remember the examiner details of the last case created.
Analysis Options
The Analysis Options screen allows you to change several carving, hashing, logging and speed settings for the analysis of a new case. This screen can be accessed from the New Case or
50. [Screenshot: list of file types parsed for embedded photos, including MS Excel 97-2003 (.xls), MS Outlook (.pst), Adobe PDF (.pdf), Rich Text Format (.rtf), JPEG/JPG (.jpg), ZIP (.zip) and Canon Raw Format]
File formats like pdf, ppt and zip can contain embedded files within them. This tab deals with options that configure embedded file parsing.
Embedded in Unallocated Space
No sector carve: No sector carving of unallocated space is done.
Scan for photos only at sector boundaries: Carves at sector boundaries for all sectors which have not been assigned to an active or deleted file. Warning: this option can be a little slow on large drives.
Scan every byte in a sector for photos: Carves every byte in all the remaining sectors which have not been assigned to an active or deleted file. Warning: this option can be very slow on large drives.
Embedded in Active/Deleted
Recover embedded photos in active. Selected: Recover from embedded files which are active on the file system. Not Selected: Active files will not be parsed for embedded photos.
Recover embedded photos in carved files. Selected: Recover from embedded files which are deleted. Not Selected: Deleted files will not be parsed for embedded photos.
Validate embedded photos in active files. Selected: Each embedded photo found in an active file is validated for structural correctness. Not Selected: Embedded photos in active files are assumed valid.
Validate embedded p
51. l Alert for photos with MD5 hash in database. SmartFilter Exclusions. SmartFiltering is a feature that filters specific content in the recovered photos. SmartFiltering can either be performed during recovery or after recovery is complete. The SmartFilter options in the Settings dialog represent the options for SmartFiltering after recovery is complete. For SmartFilter options during recovery, please look at the Analysis Options section. (Screenshot: SmartFilter Settings tab.) Do filtering on active photos (Default: Selected). Selected: SmartFiltering will be performed for active photos. Not Selected: SmartFiltering will not be performed for active photos. Do filtering on deleted photos (Default: Selected). Selected: SmartFiltering will be performed for deleted photos. Not Selected: SmartFiltering will not be performed for deleted photos. Selected: SmartFiltering will be performed for embedded in active photos. Not Selected: SmartFiltering will not be performed for embedded in active photos. Selected: SmartFiltering will b
52. l possible number of blocks returned as options for swap, ordered by the best scores. Hash Database Settings Tab (screenshot: Local DB and Network DB options, with Network Settings fields for IP Address, Port Number, User name and Password). Hash Database Source. No DB: No Hash Database is selected. Selecting this option disables MD5 and SmartHash alerts and prevents MD5 Ignore matching as well. Local DB (Default): Selecting this creates and uses a database on the same machine as Adroit Photo Forensics. Network DB: Selecting this option allows for connection to a network database. The connection settings can be set in the fields following. Please note that the network DB server must be running in order to connect to a database. Network Settings. IP Address: This is the IP address of the server running the network database. Port Number (Default value: 1527): This is the port number that the network database server is listening for requests on. User (Default value: apfuser): Enter a user name to access the network database. Password: The password associated with the user name to access the network database. Test Connection: If a local or network database is selected, you can test the connection to the database by clicking on this button. A message will appear indicating if the connection was made successfully or not. Menu File Me
53. le in the photo gallery, custom gallery and categorization screens. Hash alerting is turned on from the SmartFilter screen. Note: Manual removal of a hash alert is not possible. SmartHash Alerts: SmartHash Alerts occur when a photo from the SmartHash database has a SmartHash that is similar to a photo in the existing case. Any photos that are SmartHash Alerted will appear with a simple red symbol in the photo gallery, custom gallery and categorization screens. SmartHash Alerts are turned on from the SmartFilter screen. Ignore: Ignores prevent photos from being processed in SmartFilters and from being shown in the Photo Gallery, Custom Gallery, Photo Viewer, etc. Ignores can happen automatically by comparing against an ignore database based on MD5 hashes. Duplicates can also be ignored from a case, and finally ignores can be manually set or removed by using the right mouse button and selecting the appropriate option from the subsequent popup. (Screenshot: Categories screen with photo counts per category.) Category screen shows the various categories assigned to
54. ll also increase false negatives (some images that are explicit may not be detected). Not Selected: Explicit images without faces in them will also be detected as explicit. Higher chance of false positives. Identify explicit images with children (Default: Selected). Selected: Will look for explicit photos showing children. Not Selected: Will not look for explicit photos showing children. Skin threshold for EID (Default value: 22): Photos with skin percentage detected less than the value selected will not be detected as explicit. SmartFilter SmartHashing: SmartHashing is a proprietary technique to group similar photos together in a case. This allows the user to find duplicate as well as slightly modified or thumbnail versions of photos. Note: SmartHashing does not run on photos that are smaller than 128 x 128 in resolution. Group photos that are similar (resized, edited, etc.) (Default: Not Selected). Selected: It turns on SmartHashing. Not Selected: It turns off SmartHashing. Similar SmartHash Threshold (Default value: 30): This threshold determines how likely two similar files will be grouped together. The higher the threshold, the more likely that two similar photos will be grouped together. Alert for Photos with SmartHash
55. mns and their values for each header are listed. List of recently opened cases: This contains the list of the last 5 recently opened cases. Exit: Exits the application. View Menu (screenshot: View menu with entries Photo Gallery (Alt+G), Photo Viewer, Timeline (Alt+T), Generate Reports (Alt+R), Recovery Counts, Log (Alt+L), Verify Hashes, SmartFilters (Alt+F), Categories (Alt+C) and Custom Gallery). Photo Gallery: Displays a photo gallery of thumbnails for the recovered photos. The results screen has features for grouping photos by day, month, year, camera and even on the basis of size. There is a feature for separating the recovered photos into different tabs depending on the recovery mode of the photo. You can also filter out the different types of photos recovered. Photo Viewer: Displays the selected group of photos in the photo viewer. Timeline: The timeline is the representation of the evidence usage. It represents the evidence usage along a time graph in the form of balloons. You can select the group of photos whose timeline you would like to view. Recovery Counts: Shows a summary of all the recovery statistics, such as number of photos found, photos without filename (photos that have been deleted fall in this category), active photos (photos that are pres
56. (Screenshot: timeline summary for a group of photos, showing date range, file types, camera models, number of photos, status, earliest and latest dates, and smallest and largest sizes.) View timeline of the evidence analyzed to monitor evidence usage in a date range. Each hotspot represents a group of images created or modified during the time period. The larger the hotspot, the more images available during that time period. To view timeline or click on the Clock icon. To zoom in further, use the zoom scroll on the extreme left of the window. To move along the timeline, move the mouse over the timeline while keeping the left mouse button pressed (move mouse to left or right); alternatively, move the green window at the top of the screen. (Screenshot: Date Filter dialog with date range choices, a "Don't apply any date filters" option, an "Include photos with unknown dates" option, and start and end date fields; dates are entered in Mon Day Year format, e.g. Jan 01 2013.) The timeline can also be modified to use file creation date instead of file modification date. Instead you can choose either of the following date types to be used
57. n easily add additional categories. To create a new Category profile, go to Tools > Category Settings. Create a new category profile by hitting New and enter the category profile name along with the various categories. Also, each category profile has a default category. This is the category to which all photos are assigned when a category profile is initially set for a case. Edits to category profiles can also be done in this window. Select the profile from the list which needs to be updated. To save the edits, hit the <Update> button. At any point, click <Use Profile> to assign the selected profile to the currently open case. NOTE: Only one category profile can be assigned per case. Assigning a new profile to a case will remove the old profile from the case. NOTE 2: Changes made to a category profile will not be reflected in older cases; to reflect those changes you must open the cases, enter the category profile screen, select the profile and click on <Use Profile>. Automatic Categorization Rules: The right-most column, Rule for Automatic Categorization, shows rules that can be used to automatically categorize photos when doing SmartFiltering. This can be a powerful time saver. The column to the left, Use Rule, is required to be checked for the automatic categorization feature to work. To give an example, the category called Adult in the North American CP profile above has the follow
58. nalysis on a case is complete. The default screens can be either the Photo Gallery, SmartFiltering or Categorization screens. This is a convenience option, as you can switch between the screens whenever you want to. Default Grouping in Photo Gallery: Allows you to set the way the Photo Gallery is initialized when launched. The Mode selection determines if you want photos sorted or grouped (stacked). The Group drop-down list allows you to select from a range of grouping options including date, camera, file name, etc. The Tabs drop-down list allows you to determine if the groups should be separated into different tabs by the carving method. The Show drop-down allows you to filter out photos by resolution. You can learn more about this in the Photo Gallery section. Note: these are only the defaults and you can change settings in the Photo Gallery at will. SmartFilter Settings Tab (screenshot: SmartFilter Settings tab with options for filtering on embedded in active photos and on partial photos, a "Don't filter for width x height less than" setting, Explicit Image Detection (EID) modes, SmartHashing options and frontal face detection).
59. nu (screenshot: File menu of Adroit Photo Forensics 2013 with entries New Case, Open Case, Close Case, Backup Case, Save Photos, Save File By Unique ID, Import Hashes, Export as FTK KFF, Export as CSV, a list of recently opened cio case files, and Exit). New Case: Shows the screen where a new case can be created. The current case, if any, will be closed and a new case screen will show. All entries will be cleared. Open Case: Opens a file open dialog box from where you can open a case file (cio). Case files can be opened directly or by choosing their parent folder. Close Case: Closes the current open case. Backup Case: Creates a backup copy of the entire case folder, including all case-related files. Save Photos: Displays a dialog which will prompt as to which group of photos is to be saved. Save File By Unique ID: Displays a dialog allowing photos and container files for photos to be saved based on their unique ID. This option allows users to export zips and other container files from evidence. Import Hashes: The import hash feature allows you to import hashes for both the hash alert as well as the hash ignore databases. MD5 & SmartHash Alerts. Screenshot of the Import Hashes > MD5 & SmartHash Alerts submenu: From Current Case, From File, From Old APF Da
60. on deleted photos. Selected: SmartFiltering will be performed for the deleted photos. Not Selected: SmartFiltering is not performed for deleted photos. Do filtering on embedded in active photos. Selected: SmartFiltering will be performed for embedded in active photos. Not Selected: SmartFiltering is not performed for embedded in active photos. Do filtering on embedded in deleted photos. Selected: SmartFiltering will be performed for embedded in deleted photos. Not Selected: SmartFiltering is not performed for embedded in deleted photos. Don't filter for width and height less than: Only filters photos larger than a certain resolution. The default minimum is 128x128 pixels and it can be changed. Setting it to 0x0 will ensure that the resolution will not be used to determine if the photo should be skipped or not. SmartFilter Explicit Image Detection (EID). No EID (will not show explicit images): Explicit image detection will be disabled. Fast EID (lower accuracy rate, very fast): The time taken to perform EID is less, but its accuracy is lower. Best EID (higher accuracy rate, slow): This mode of explicit image detection is the most accurate. It comes at the cost of time taken in performing explicit image detection. Show EI only if face is detected (Best EID only). Selected: An image will only be considered explicit if a face is detected in the image. This will d
61. oose A GuidedCarve Mode; GuidedCarve Operation: Split; GuidedCarve Operation: Swap; GuidedCarve Operation: Append; Appendix A: Keyboard Shortcuts. Settings: When APF is run for the first time, the Settings dialog below appears for a user to set the initial configuration settings. The Settings dialog can also be accessed by selecting from the menu Tools > Settings. General Settings Tab (screenshot: General Settings tab with Default Paths (Case Path, Examiner Path), Case Creation (Fill case details based on disk image; Starting case ID seed 1000), Thumbnails (Blur thumbnails to hide photo content; Show thumbnails in timeline), Screen After Analysis (Recovery, Photo Gallery, SmartFilters, Category) and Default Grouping in Photo Gallery). Default Paths: Case Path is where the case folder will be created by default. All case-related files, such as the log, reports and case database, will be saved here. To change the default path, click on Browse. For example, if the case path is C:\mysavedcases and a new case named 3jpegs is created, then all the case-related files will be saved in th
62. option can dramatically affect recovery time on extremely fragmented drives. It is highly recommended that the default value of 1200 seconds be left as is. To speed up the recovery process this can be lowered; however, lowering to below 5 minutes may greatly reduce SmartCarving accuracy. Size Carve based on unallocated space (BMP, TIFF, RAW formats). Selected: Once all other carving is done, Size Carve is performed based on the remaining unallocated space. Not Selected: Allows faster recovery, but BMPs, TIFFs and RAWs may not be recovered fully. Preview Thumbnails. Show thumbnails during recovery. Selected: Thumbnails are generated and extracted for every photo recovered. The GUI uses the thumbnail for displaying results. Not Selected: Thumbnails are not shown during the recovery process. This will marginally speed up the recovery process. Note: Thumbnails are still created so that navigation is fast post-recovery. Create preview thumbnail instead of embedded thumbnail. Selected: It scales the actual photo to the thumbnail size instead of retrieving the actual embedded thumbnail, if available. This will reduce the speed of the recovery process but will ensure that the preview thumbnail matches that of the actual photo. Not Selected: It retrieves the actual embedded thumbnail, if available. Upscale preview thumbnails to max viewable size. Selected: All the thumbnails will be scaled to the maximum viewable size. It avoids showing s
63. oto to log. Selected: Writes the photo information such as file name, size, dates, etc. to the log during the recovery process. If evidence has a very large number of recovered files, the log could be more than 100MB in size and would require an external application like TextPad to open. Not Selected: Only recovery statistics and usage statistics are written to the log; individual photo details are not logged. Evidence Integrity. Generate MD5 hash of the evidence. Selected: Generates MD5 hash of the evidence before and after recovery to verify that the evidence was not tampered with. This can be very slow on larger drives. Not Selected: No hash is generated for the evidence. Generate SHA hash of the evidence. Selected: Generates SHA hash of the evidence before and after recovery to verify that the evidence was not tampered with. This can be very slow on larger drives. You can select SHA-1 or SHA-256, but not both. Not Selected: No hash is generated for the evidence. Evidence Time Zone: This panel determines which time zone the evidence being analyzed is from. By selecting the correct time zone, the date-related information extracted from the photos recovered can then be accordingly adjusted to show the correct timeline. Photo Formats Tab (screenshot: Analysis Options dialog, Analysis Profile "Best Recovery Basic Validation", with the Integrity Hashing and Photo Formats tabs).
64. ou the change immediately on the picture. The carver will then swap the incorrect block with the block you have just selected from the list of Best Matches. Then you will have to check visually if the block you chose fits in correctly. If not, then keep trying the next block in the list of Best Matches. Once you get the correct block, you need to increase the Number Of Blocks To Select (initially 1). Keep increasing the Number Of Blocks To Select until you encounter an incorrect block, or the photo gets validated, or you get tired, whichever is earlier. If you look closely in the above example, we encountered an incorrect block, so we stop increasing the Number Of Blocks To Select. (Screenshot: photo viewer showing an invalid, partially carved photo, with Swapping Choices fields Starting Cluster, Selected Cluster Start, Cluster Before Swap, Cluster To Swap Out, Cluster Amount To Select and Selected Cluster End, and a list of match scores.) In the above example, 6 blocks gives an incorrect blo
65. r FAT is detected, it will use the file system's parameters like block size, offset, etc. to do the recovery. In addition, active files display is possible only if this option is on. Carving for deleted files will only occur in the area of the disk indicated to be unallocated by the file system. Not Selected: If this is turned off, the file system is ignored completely and the whole disk is eligible for carving. Offset and Cluster size. Offset: This is the byte offset from the beginning of the disk that you want to start carving. The option is only available when "Use file system to set offset, clusters and active files" is unchecked. The default value is 0. Block Size: This is the user-specified block size in bytes. The option is only available when "Use file system to set offset, clusters and active files" is unchecked. The default value is 512. It is highly recommended that these fields be changed only if the user knows the actual disk statistics. Changes to these options can dramatically affect the recovery quality. Recover active photos from file system. Selected: Active Photos (i.e. photos not deleted) are to be displayed. For this to work, "Use file system to set offset, clusters and active files" must be checked. Not Selected: No Active Photos are shown. Only carved photos are to be displayed. Identify active photos by header signature. Selected: All active photos are re-verified using the starting header by
66. r Next Error, Save Photo. We have three buttons to help you identify the first error block. To begin, click on the button <Locate First Potential Error>. In photos with the error early in the photo, this will highlight the first block that it thinks will be an error. If it is not an error, you can cycle through the next few potential errors. TIP: Frequently, though not always, the first error block begins at a fragment start. Click on the fragments tab on the right of the photo viewer and select the second or later fragments and see if the first error block is the start block of the fragment. Once you have identified and selected (highlighted) the correct error block, we can begin the second step of the reconstruction. GuidedCarve Step 2: Choose A GuidedCarve Mode. So what are splits, swaps and appends? Split: A split simply instructs the GuidedCarve algorithm that you have identified the first problem block and that you want the algorithm to figure out which is the next best block. This happens when you click on <Start GuidedCarve>. Swap: A swap is much more powerful. In a swap, you identify the first problem block and then indicate what the next correct block should be. You can also indicate what the next set of correct blocks should be. A swap will provide you with a list of most likely replacements based on our algorithms. Append: An append is similar to
67. ramatically lower false positives and may decrease speed a bit, but will also increase false negatives (some images that are explicit may not be detected). Not Selected: Explicit images without faces in them will also be detected as explicit. Higher chance of false positives. Identify explicit images with children. Selected: Will look for explicit photos having children present in them. Not Selected: Will not detect explicit photos having children present in them. Skin threshold for EID: Photos with skin percentage detected less than the value selected will not be detected as explicit. SmartFilter SmartHashing: SmartHashing is a proprietary technique to group similar photos together in a case. This allows the user to find duplicate as well as slightly modified or thumbnail versions of photos. Group photos that are similar (resized, edited, etc.). Selected: It turns on SmartHashing. Not Selected: It turns off SmartHashing. Similar SmartHash Threshold: This threshold determines how likely two similar files will be grouped together. The higher the threshold, the more likely that two similar photos will be grouped together. Alert for photos with SmartHash in database. Selected: Turns on SmartHash Alert
68. re to choose a folder. (Screenshot: case screen showing the evidence MD5 hash, SHA256 "Not Calculated", physical drives, partitions and status.) To open a case: File > Open Case, or click on the File Open icon. Browse to the location of the case file (with extension cio) and open it. When the case opens, you can view the results, log and the timeline of the evidence using the View menu or shortcut buttons. If the case has been successfully analyzed, no part of the case screen will be editable, to prevent accidental tampering with the case. Batch Analyze (screenshot: Batch Analyze screen with a disk image column for selecting evidence, overwrite options, Case Path and Case Comments). The batch screen is used for performing analysis for a bunch of cases together as a batch. The various options in the batch analysis panel are: 1. The auto-generate case details option helps to generate case details faster (see Preferences). 2. When analyzing a case that already exists, we have an overwrite conflict. For this purpose we have 2 choices: if a case has the same name as the one entered, you can simply overwrite the previous case; or prompt the user whether to overwrite, for every case that may exist. 3. Batch case parent path is where all the cases will be created, along with other c
69. ry Basic Validation (screenshot: Category Profiles tab listing each category's Default flag, Number Key, Description, Thumbnail Initials, Use Rule setting and Rule For Automatic Categorization). Each case may or may not be assigned a category profile. Category Profiles can be created from Tools > Category Settings. In the above screen we can set the profile for each case. Rules can be defined and used by the profiles. After setting the category profile for a case, all the photos are set to the default category of the profile. Analysis Start (screenshot: analysis in progress, showing overall progress, recovered photo thumbnails and a disk map legend: Recovered, Fragmented, Processed, Active Files, Free Space, System Files). The left part of the screen shows the progress and information about the analysis. You can hide it by clicking on its top-right triangle icon. This area contains three tabs. Disk Map: Provides a visualization of the evidence being analyzed. Analysis Sta
70. s that allow the detection of modified versions of photos in the hash alert database. Not Selected: Does not perform SmartHash Alerts. SmartFilter Other. Do face detection (frontal). Selected: Will perform face detection as part of SmartFiltering. Not Selected: Will not perform face detection as part of SmartFiltering. Do photo thumbnail mismatch detection. Selected: Compares an embedded thumbnail against the photo it is supposed to represent. Some photos may contain a thumbnail embedded within the photo itself; these thumbnails are used by the operating system for quick views. There have been instances wherein an explicit image is hidden by an incorrect thumbnail. This option, when selected, checks if the thumbnail matches the primary photo. Not Selected: Will not perform the thumbnail mismatch detection. Alert for photos with hashes in imported set. Selected: Tags photos whose MD5 hash values match the MD5 hash values in a database. Not Selected: Does not compare the MD5 hash values of the current case with the MD5 hash values in the database. Detect duplicate photos using MD5 Hash. Selected: Detects duplicate photos in the case by comparing MD5 hashes. If there are 2 or more photos having the same MD5 hash, then duplicates are present. Not Selected: Does not compare the MD5 hash values of the photos with each other. Category Profiles Tab. Analysis Profile Best Recove
71. sis on a number of cases, you should use the batch screen. Blur Thumbnails: This is a shortcut for blurring the thumbnails during recovery or while viewing the photo gallery. You can also enable this from Settings > General Settings. Category Profiles: The category profiles allow the user to categorize the photos into 10 categories. Settings: These are the application-level options which were set when Adroit Photo Forensics ran for the first time. Options include defaults such as case folder, examiner folder, etc. Help Menu (screenshot: Help menu with entries Help Contents, Manual, Register Product (Ctrl+R), Check For Updates and About). Help Contents: Opens the built-in help guide. Manual: Adroit Photo Forensics PDF manual (requires Adobe Reader). Digital Assembly Website: Opens up the system's default browser and takes you to Digital Assembly's website, www.digital-assembly.com. Register Product: Registration will allow you to unleash the full power of Adroit Photo Forensics. All unregistered version restrictions will be removed. Once registered, this option will no longer be visible. Purchased copies of APF will not show this option. Check for Updates: This will cause the update check screen to launch. This screen will allow the user to determine if a new version of APF is available. You can also set how often, if ever, APF should do
72. tHash Alert: Photos in this group have been found to be similar to the database of known file SmartHashes. If the categories have been stored in the database, then the photo will be auto-categorized. Navigation in the photo gallery follows normal Windows behavior. You can use the mouse to select a thumbnail group, you can hold the Shift and Ctrl keys to select multiple groups, and finally you can use the keyboard arrows to select a photo as well. All the buttons at the bottom of the screen require at least one thumbnail group to be selected. Moving between pages can be done by using the slider, the page buttons on the top right, the mouse wheel, or the PgUp and PgDown keys. (Screenshot: SmartFilters screen with filter groups such as Faces, Explicit (Best) and Child, and a right-click menu with entries Redo this SmartFilter Only, View Photos, View Timeline, View Custom Gallery, View photos in same folder(s), Save Photos, Generate Reports, Categorize, Add Bookmark, Remove Bookmark, Ignore and Remove Ignore.) Right-click on any of the SmartFilter categories
73. tabase. Import hashes for performing hash alerts. There are three ways of importing hashes. From Current Case: Stores the MD5, SmartHash or Category for a group of photos. A dialog will appear that will ask if SmartHash and categories should be saved along with the MD5. From File: From an external source of hashes in the Hashkeeper, ILook or CSV format. Note: Only MD5 hashes can be saved as part of the alerts using this option. From Old APF Database: Converts the old MD5 hash alert DB to the new format. MD5 Ignored Photos (screenshot: Import Hashes submenu, MD5 Ignored Photos, with entries From Current Case, From File and From Windows OS). Import hashes for performing hash ignores. There are three ways of importing hashes. From Current Case: Stores the MD5 hashes of a selected group of photos from the current case. From File: From an external source of hashes in the Hashkeeper, ILook or CSV format. From Windows OS: From a file of known Windows OS photos from Windows XP, Vista and 7. Export as FTK KFF: The Export as FTK KFF feature in APF creates a hash list of the group of photos that were selected. Save this hash list as a Comma Separated Value (csv) file, which can then be imported into FTK. Please see Importing KFF Hashes in the FTK user guide. Export as CSV: Allows creating a CSV report of the current case. The various fields selected are colu
74. tes to determine the file type. Slower, but much more thorough in retrieving active photos. Photos whose extensions do not match the photo type can be seen in the View > Custom Gallery > Extension Mismatch menu. Not Selected: Active photos are determined by extension only. This option is faster but will miss photos that have been renamed to a non-photo extension. Validate active photos found. Selected: Photo formats are validated for structural correctness. Not Selected: Active photos will always be shown as valid. Deleted Recovery. Carve photos using file system logs (NTFS LogCarving). Selected: Some file systems log deleted file cluster ranges. Enable this feature to allow APF to use any such information, if it exists, to carve photos out. Not Selected: APF will ignore any information from the file system that may help to carve out photos. Carve photos that are sequentially stored (Sequential Carving). Selected: This will enable sequential carving from the free space of the evidence. Not Selected: This will disable sequential carving from the free space of the evidence. Carve photos that are fragmented (SmartCarving). Selected: Carves fragmented photos. For this option to be enabled, the Normal Carving option needs to be checked. Not Selected: This will allow you to extract photos faster, but it may result in fewer successfully carved photos. Limit each SmartCarving Cycle to: This
75. the group (not available for single image groups). Ki mode can be turned off by selecting the top left drop-down list and selecting. This will cause the photos to no longer be stacked together based on the selected property. Group Sort Options: Allows you to group sort photos in different ways. Photos can be grouped and sorted on the basis of various parameters including Day, Month, Year of Date of Last Modification; Day, Month, Year of EXIF date; Camera; Software; Resolution; File Size; File Name; Folder; Block Number; and None. Example: To group by EXIF Month, click on the arrow and select Month (EXIF). All the thumbnails of photos recovered will get grouped by EXIF Month date. Tab Options
76. the photos. To quickly assign the photos categories, either in the photo gallery or in the photo viewer, hit the number key of the category that you want to assign the photo. Select the photos that you want to change the category for. Assign the category by pressing on the number key associated with the category, or right-clicking and choosing the category, or else hitting the category button and then selecting the category. Note: categories can be assigned in any of the following screens: Photo Viewer, Photo Gallery, SmartFilter, Categorization. The photos in the categories can be sorted based on File name, Folder, Resolution, Camera, Start Cluster, Skin tone. Category Profiles. Default. Columns: Number Key, Description, Thumbnail Initials, Use Rule, Rule For Automatic Categorization. Rows as far as legible: 0 Not Categorized (NC); 1 Child Pornography (Explicit, Adult Face, Child Face); 2 Child Nudity (Explicit, No Adult Face, Child Face); Other; Explicit, Adult Face, No Child Face; 5 Obscenity; Explicit, No Adult Face, No Child Face. Note: All photos are initially set to the default category after recovery. Category Profiles allow you to define a set of up to 10 categories for a case. A photo can belong to one and only one category. APF comes with the North American CP categorization as well as the U.K. CP categorization profiles built in. You ca
77. then be imported into FTK. Please see "Importing KFF Hashes" in the FTK user guide. IMPORT HASHES. Adroit Photo Forensics allows users to add hashes to the MD5, SmartHash and Ignore databases. Hashes can be added from external files as well as from the currently processed case. MD5 & SmartHash Alerts. From Current Case: The hashes are imported from a user-selected photo group of the current open case. This is currently the only option that allows you to import SmartHash and category information as part of the database. From File: The hashes are imported from an external file. The external file selected must be in the following formats only: FTK Imager Hash List or simple CSV (.csv), iLook (.hsh), Hashkeeper (.hsh). You can import CSV, Hashkeeper and iLook format hashes. From Old APF Database: Converts the old format (APF version 2.4b and earlier) MD5 hashes to the current format. MD5 Ignored Photos. From Current Case: The hashes are imported from a user selected photo
78. threshold for a footer fragment. Swap Append Settings: Maximum forward search, Maximum backward search, Maximum number of matches. Warning: this section is for advanced users only. Changes made here can dramatically affect the time and quality of fragmented photo recovery in SmartCarving and GuidedCarving. Fragment Recovery Settings. Maximum Fragments (default value: 7): This defines the maximum number of fragments that SmartCarving will attempt to build before giving up. The lower the number, the faster the SmartCarving. Maximum forward search (default value: 4,000): This determines the number of blocks to search AFTER the last known block for the photo. The lower the number the quicker, but the higher the number the more likely that the file will be recovered. Maximum backward search (default value: 4,000): This determines the number of blocks to search BEFORE the last known block for the photo. The lower the number the quicker, but the higher the number the more likely that the file will be recovered. Forward match threshold (default value: 0.015): This determines the score threshold below which a block being analyzed after the last known block gets automatically selected. This means that forward searching will get terminated and the block that had a score below the threshold value gets selected. Backward match threshold (default value: 0.01): This determines the score threshol
79. tored thumbnails, which might be of different sizes. Not Selected: Actual sizes of the thumbnails will show up in the results. Ignore. Ignore photos smaller than. Selected: Photos of size smaller than the inputted threshold will be set to be ignored. Not Selected: Photos of any size will show up in the results. Ignore photos based on MD5 stored in Ignored DB. Selected: Any photo that is found to match an MD5 hash stored in the Ignore DB will be marked as ignored. Ignored photos will not show up in most results in the GUI unless explicitly asked for. Not Selected: Photos will not be checked against the Ignore DB for determining ignore status. Ignore duplicates based on MD5 stored in case. Selected: Duplicates will be ignored. When ignoring duplicate files, the file with the earliest modification date will be preserved. Not Selected: Duplicates will not be ignored. Embedded Recovery Tab. Options: Scan for photos only at sector boundaries; Scan every byte in a sector for photos; Recover embedded photos in active files; Recover embedded photos in carved files; Validate embedded photos in active files; Validate embedded photos in carved files. File Types Analyzed for Embedded: Analyze all file types for embedded photos. Available file types: Extract embedded from MS Word 97-2003 (doc), MS Powerpoint 97-2003 (ppt)
80. tructure (click here to view file structure). [Screenshot: file details panel with the fields Short File Name, Long File Name, Partition, File Size, File Type, Path, Creation Date, Accessed Date, File Status, MD5, SHA256, Block Count, Block Ranges, and EXIF Camera, Model, Software and DateTime.] The partition details show all the information that is embedded into the photo recovered during analysis. The file structure is a representation of the actual file structure detected on the evidence
81. ttom left corner. To begin batch analysis, click on Batch Analyze. [Screenshot: recovery screen during batch analysis, with disk map, legend, overall progress and elapsed time.] While batch analysis is going on, a button on the toolbar helps to toggle between the batch screen and the recovery screen. After a case is analyzed it is highlighted and the recovery screen of the next case appears. [Screenshot: batch screen with Examiner Name, overwrite setting, and Batch Options listing Case Path and Analysis Options.]
82. tus: Provides a very basic text summary of the status of the recovery. SmartFiltering: Shows the SmartFiltering results. The right side of the screen shows photos in 4 possible tabs. SmartFiltered: Shows thumbnails of photos that have some SmartFilter identified, for example a hash alerted photo or a photo detected as being potentially explicit. "Do filtering during recovery" must have been set to true for this feature to work. Active Recovered: Shows thumbnails of photos that are present in the file system. Will also show thumbnails of photos embedded in other active files, if present. Successfully Carved: Shows photos that have been successfully carved out of unallocated deleted region of disk. This will also show photos embedded in other deleted files. Invalid Partially Carved: Shows photos that have been identified as not being complete. [Screenshot: recovery screen showing Recovery Counts, legend, disk map and elapsed time.] In analysis options, if we uncheck the "Show preview thumbnails during recovery" option, we get to see only the statistics of recover
83. [Screenshot: photo group selection by Recovery Type and Category, with Report Settings.] THE CATEGORY SECTION WILL NOT APPEAR IF A CATEGORY PROFILE IS NOT SET FOR THE CASE. Once analysis is completed, reports can be generated on full case or group of photos. Reports can be generated for a group of photos like active photos, sequentially carved, etc. Full case would include all the photos recovered, and successfully carved photos would include sequentially carved, LogCarved, SmartCarved and GuidedCarved photos. Photos can be bookmarked in the grouping screen or even in the photo viewer. Reports can then be created only on the bookmarked photos. Once the report has been generated it will open up in your default browser as shown in the following pages. REPORT EXAMPLE
84. y. Turning this option off is marginally faster than keeping it on. The photo gallery is the default screen seen after recovery analysis is complete. The photo gallery provides multiple options to select, view, sort and filter photos based on file system, database and photo properties. To filter photos by content, please see the Screen section. [Screenshot: Photo Gallery with thumbnail groups, filter drop-downs and selection buttons.] As analysis of evidence completes, photos are shown in separate tabs. You can change the type of tabs by clicking on the tabs drop-down at the top of the screen. In addition, the screen allows you to set the default tabs for this screen. Each thumbnail in this screen represents a group of photos. If there is more than one photo in the group, the number of photos will be shown in parentheses. You can move the mouse over a thumbnail group and view a few selected thumbnails within