New Today: 8
New Yesterday: 7
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Windows 8: Important Considerations for Computer Forensics and Electronic Discovery
ReviewsBack to top Back to main Skip to menu
Adroit Photo Forensics
A photos-only application can be a very handy part of a digital forensic examiner's “toolkit.” Many cases revolve around recovered images, whether the matter is criminal, civil or domestic. Adroit Photo Forensics from Digital Assembly (Brooklyn, NY, USA) has been created as just such a tool. The current version, 1.003, of Adroit Photo Forensics was released commercially in September 2009. Full disclosure: I was one of the testers of the first few beta versions, but have no financial interest in the company or their products, other than receiving a copy for evaluation purposes.
Adroit Photo Forensics is available as a download from the Digital Assembly web site. The regular price is $499 USD, but the product is currently (December 2009) promotionally priced at $299.
Both products use Digital Assembly's SmartCarvingTM technology, which the company describes on its web site as being based on “an array of computer algorithms and sophisticated mathematical models.”
Installation is straightforward and simple. The product requires the Microsoft Visual C++ Runtime, which will be installed by the program if it is not found on the examiner's workstation.
When Adroit Photo Forensics is started, the user is presented with an uncluttered, easy-to-navigate opening screen where case and examiner information may be entered. (Figure 1)
A nice feature is the ability to enter information for different examiners. These can then be selected from a drop-down list for future cases.
On the bottom-left is an “Analysis Options” button that allows the user to choose the level of image-carving desired (active photos, file system, unallocated space or fragmented files), MD5 or SHA256 hashing, as well as which photo formats to search, namely BMP, JPG, PNG, GIF and a few camera manufacturer-specific formats. (Figures 2 – 3)
Selected options are retained from case-to-case for convenience. Adroit Photo Forensics will attempt to recover images from hard drives, drive images (RAW, dd, BIN and EnCase formats), CD/DVD, and flash memory. Another helpful feature is the option to ignore images less than a user-defined size. The default is 100kb. For testing purposes, I chose 200kb as my limit. The ability to ignore BMPs, PNGs and any image below a certain size threshold is extremely useful in “de-cluttering” evidence.
I installed Adroit Photo Forensics on a Dell Vostro 1000 Notebook consisting of an AMD Athlon dual-core processor (1.9GHz) with 2gb RAM and USB memory-card reader.
Test Subject #1 was a 1gb SanDisk SD Card
Test Subject #2 was a 180gb drive image in .E0x format from an actual case I recently worked.
Adroit Photo Forensics completed its recovery from the 1gb SD card in just under 8 minutes. The 180gb image required a little over 11 hours, 15 minutes. As the product works through its recovery routines, the examiner is presented with progress bars across the top of the screen, a color-coded block diagram of the media under examination as well as a gallery-view of images as they are being recovered. (Figure 4)
Upon completion, the user is presented with options to view the galleries by various groupings, such as file type, active found, carving method, day/month/year, deleted, and image format. Selecting a group will present the user with a filmstrip view of that category along the bottom. Clicking an image will open it in the viewing area. Across the top are tabs to select Primary Photo, File Details, Photo Details and Metadata/EXIF Details. (Figure 5)
At the bottom-right is an option to extract and save the group of photos to an external location.
The product's SmartCarvingTM represents quite an improvement in image recovery technology. Photo files that were previously unrecoverable are now at least partially if not fully recovered. I was quite favorably impressed by this feature when I ran it against an image that I had not had previous success in recovering. Although not a complete recovery, the product rebuilt enough of the photo that the subject could be easily discerned. (Figure 6)
Using the “GuidedCarve” capabilities of the product, an examiner is presented with the opportunity to manually rebuild damaged images from separate blocks of data as shown below in Figures 7a and 7b.
One other tool is the “View Timeline” option, accessed by clicking the clock icon on the tool bar. The time-line presents a graphical representation of the relative number of photos found on the media (as indicated by the size of the orange “balloons”) and their respective file dates. Clicking on a balloon for a specific date opens a filmstrip view of those photos, in addition to general information about camera models used, size and date range of said photos. ( Figure 8 )
Adroit Photo Forensics includes the ability to generate an HTML-only report. The report includes case/examiner information, media and photo details. ( Figure 9 )
The “Generate Report” feature represents the one weak area of Adroit Photo Forensics. The examiner is presented with no options. There is no ability to refine the data that is to be added in the report, unless one performs a selective export of relevant images and generates the report on these. When I ran the product against my case image, more that 8900 photos were recovered, the vast majority of which (>99%) were trivial and irrelevant to the matter in question. All of these were added to the report, with no options to exclude items or highlight images of special interest. Without filtering, such a report would be quite tedious to review with a client or attorney. It would also be nice to have more readily editable/printable report formats, such as Word, Rich-Text Format or PDF to choose from. Typically, examiners have their own report template into which they import tool output.
Notwithstanding its limited reporting feature, at $499 USD per copy, Adroit Photo Forensics is not only a capable product, but a true bargain in today's market populated by forensics software suites that cost in the $3000-$4000 range. By limiting its focus to image-file recovery, this product is perfect for those cases that require an examiner to “get in / get out” in an expedited manner. Adroit Photo Forensics' options which permit the user to specify image formats and sizes as well as its unique carving algorithms make it a very welcome tool for digital examiners.
- Austin W. Troxell, MSc, CISSP
This review can be discussed here.
Austin Troxell is a licensed private investigator specializing in Digital Forensics. He has over 30 years experience in digital technology and holds a Master of Science degree in Information Assurance as well as the CISSP and AccessData Certified Examiner designations. Mr. Troxell may be contacted via email at firstname.lastname@example.org.