A photos-only application can be a very handy part of a digital forensic examiner's “toolkit.” Many cases revolve around recovered images, whether the matter is criminal, civil or domestic. Adroit Photo Forensics from Digital Assembly (Brooklyn, NY, USA) has been created as just such a tool. The current version, 1.003, of Adroit Photo Forensics was released commercially in September 2009. Full disclosure: I was one of the testers of the first few beta versions, but have no financial interest in the company or their products, other than receiving a copy for evaluation purposes.

The Product

Adroit Photo Forensics is available as a download from the Digital Assembly web site (). The regular price is $499 USD, but the product is currently (December 2009) promotionally priced at $299.

Both products use Digital Assembly's SmartCarvingTM technology, which the company describes on its web site as being based on “an array of computer algorithms and sophisticated mathematical models.”

Installation

Installation is straightforward and simple. The product requires the Microsoft Visual C++ Runtime, which will be installed by the program if it is not found on the examiner's workstation.

Configuration

When Adroit Photo Forensics is started, the user is presented with an uncluttered, easy-to-navigate opening screen where case and examiner information may be entered. (Figure 1)

Figure 1

A nice feature is the ability to enter information for different examiners. These can then be selected from a drop-down list for future cases.

On the bottom-left is an “Analysis Options” button that allows the user to choose the level of image-carving desired (active photos, file system, unallocated space or fragmented files), MD5 or SHA256 hashing, as well as which photo formats to search, namely BMP, JPG, PNG, GIF and a few camera manufacturer-specific formats. (Figures 2 – 3)

Figure 2

Figure 3

Selected options are retained from case-to-case for convenience. Adroit Photo Forensics will attempt to recover images from hard drives, drive images (RAW, dd, BIN and EnCase formats), CD/DVD, and flash memory. Another helpful feature is the option to ignore images less than a user-defined size. The default is 100kb. For testing purposes, I chose 200kb as my limit. The ability to ignore BMPs, PNGs and any image below a certain size threshold is extremely useful in “de-cluttering” evidence.

Testing Specifics

I installed Adroit Photo Forensics on a Dell Vostro 1000 Notebook consisting of an AMD Athlon dual-core processor (1.9GHz) with 2gb RAM and USB memory-card reader.

Test Subject #1 was a 1gb SanDisk SD Card
Test Subject #2 was a 180gb drive image in .E0x format from an actual case I recently worked.

Performance

Adroit Photo Forensics completed its recovery from the 1gb SD card in just under 8 minutes. The 180gb image required a little over 11 hours, 15 minutes. As the product works through its recovery routines, the examiner is presented with progress bars across the top of the screen, a color-coded block diagram of the media under examination as well as a gallery-view of images as they are being recovered. (Figure 4)

Figure 4

Upon completion, the user is presented with options to view the galleries by various groupings, such as file type, active found, carving method, day/month/year, deleted, and image format. Selecting a group will present the user with a filmstrip view of that category along the bottom. Clicking an image will open it in the viewing area. Across the top are tabs to select Primary Photo, File Details, Photo Details and Metadata/EXIF Details. (Figure 5)

At the bottom-right is an option to extract and save the group of photos to an external location.

Figure 5