Griffeye 101: Analyze DI Pro Intro Course


Join the forum discussion here.

View the webinar on YouTube here.

Read a full transcript of the webinar here.
Eric: Hello everybody. Can you guys hear me okay?

Excellent. Well, good morning to those of you in my sector of the world – I’m coming to you live from Phoenix, Arizona. If not, if it’s later on in the day for you, then good afternoon and welcome to this webinar. Today, we’re going to slow things down a little bit and mix it up. This is going to be an introduction course, so this is going to be a brief overview on the tool Griffeye Analyze DI Pro and what it can do for you, and how it can vastly improve your investigations.

But before we start talking about the tool, I want to tell you a little bit about myself. My name is Eric Oldenburg. I am the Law Enforcement Liaison for North America with Griffeye. I worked as a police officer and retired after 25 years of service. I have approximately 15 years of service involved in child exploitation investigations, primarily through the Internet Crimes Against Children task force here in the US. I split my time between being an investigator and being a forensic examiner. My first exposure to this tool was in 2011, and we were looking for a tool that could help us get through large amounts of pictures and videos in a more efficient way, and in a way that would reduce exposure to any child abuse material that the investigator or forensic examiner would be involved with during the course of their investigations. Vicarious trauma is a big thing in the scope of CSA investigations, and this tool, just in the mere fact of the way it functions, can reduce your exposure and eliminate a lot of that vicarious trauma that [you] incur.

Now, I will tell you: This tool is not designed just for child sex abuse investigations. It can be used in any type of investigations involving large amounts of pictures and videos. Also, some other applications could be terrorist – if you have large datasets, faces, [entities] that you need to collect and things like that, this tool would be very good for that. But the specific powers of it are for pictures and videos.


Today … let me see if I can advance the slide here. Today we’re going to talk about basically what the tool is and how it can help you in your investigations. Using the power of hash databases to increase efficiency and results, we’re going to show you how to connect databases of known files that you could have the program identify as it processes information. We’re going to also intro some of the apps that could extend the functionality of the tool, that’ll take you from just an interface to go through pictures and videos to actually help you get through your investigation or examination much quicker. We’re going to talk about filtering and using the power of filters in this tool, to really help you find what you’re looking for much faster. And we’re also going to talk about some searching and relationship capabilities to target and refine the results that you’re looking for. Also, we’re going to talk about some of the administrative things you can do by creating reports and also exporting your work to extend functionality and collaborate with other users.

Alright, without further ado, let me go ahead and switch my screen here. Now, we are looking at the Griffeye Analyze DI user interface. This is a case that has already been set up and processed. This is a training case that I use quite often when I teach the tool. I’m going to bring you back to the main overview page. This is basically an overview of all the cases that you’ve been working on and things of that nature. And as you can see, there are some cases that I’ve created before that are listed, that I can open up if I wanted to.

I’m going to show you, though, what we can do – we’re going to create a new case real quickly and we’re going to call this ‘Webinar’. And I wanted to show you, basically, what it is is the tool is designed for you to take any of the evidence or data storage devices that you’ve collected during your investigation and import them into the tool in one batch import, so that then the tool can pre-process the files or pre-process all the information, and scan and run any processes against it that the program needs to, in order to present you with the investigation to be reviewed.

You’ll notice down here that we have several different options. We can bring in physical media – that’s thanks to the LACE Carver integration that we now have with the pro version of this software. We can bring in a standard forensic image. We can bring in a VICS case, which is basically an open file format that allows us to move data and files between tools back and forth. You can use this tool to actually create a VICS case package that you can give to another investigator, and they can import it into their tool, and they can review the evidence just like they were looking at the original evidence. We can also bring in XML exports, which are very popular for … like Cellebrite and things like that. Any tool that’s going to export your work in an XML file format you can bring in here. You can also bring in a folder full of images and videos, if you’d like.

For demonstrative purposes, let’s bring in an E01. And we can bring it in here, and notice that because we’re using the pro version, we have the ability to carve now, with the LACE Carver integration. So, if I select that, I will actually be given this dialog asking how I would like to carve. Now, it says “Carve with LACE”, that means it’s actually going to process all the valid files as well as any files that have been deleted or off in unallocated space. I’m just going to bring this in standard, to show you, but we do have the ability to bring in lots of different types of data from these different formats. This would be our import option – it shows us, hey, we can bring in just pictures and videos, we can bring in documents and text files as well. The power of this tool is really with pictures and videos. It will handle documents and text files – you can view them and review them within the tool – but again, the power is really for those pictures and videos.

We can also extract from archives such as 7-Zip, RAR and zip files, as well as our Windows thumb cache. Also, we’re going to use the power of the Griffeye Analyze databases, and we’re going to check against any files that we have stored in that hash database, which we’ll show you in a little bit. And then, we can also … it’s going to perform some really cool functionality in the background, it’s going to create all our thumbnails that we can review the files quickly with. It’s going to allow us to perform similarity searching, which is going to let us look for files that are similar to the target file that we are interested in.

It’s also going to calculate Microsoft PhotoDNA, which is a visual duplicate hashing technology. It’s not for binary matches, it’s a visual duplicate – Microsoft PhotoDNA will calculate that and will use that for you within the tool. We can also … over here, on our video processing, we’re going to see here in a little bit some of the really powerful functionality that we have when it comes to videos and handling videos within this tool. And you’ll notice, down here at the bottom, we also have the ability now to detect faces within video, which is pretty neat. I’ll show you that in a little bit.

And then, we also have the ability to exclude files based on certain criteria if necessary. I’ve selected here to remove files that are smaller than 50 pixels or 50 bytes, just because they’re so small I wouldn’t be able to make any determinations or victim identifications or chargeability. So, that’s one of the reasons something like that would be set. And then, we have our after-import processing. This is a pre-processing tool. You’re going to point it at the files that you’re interested in. And then you are going to let the tool do its work. And then, once the tool is done processing the files, you sit down in front of your investigation and you’re ready to go.

These are some apps and plug-ins that extend the functionality of this tool. And since we’re here, let’s go ahead and talk about them. I’ll show you. This is our Analyze Forensic Marketplace, and you’ll notice that there are several different apps that we can choose to extend the functionality of the tool. These checkboxes in the upper right-hand corner indicate that that app is installed and ready to go or activated. You can see that we have the Carver integration, allowing us to get deleted and unallocated files. We have face detection, which will allow us to not only detect faces within a case, but take an external face, a picture, and bring it in and see if there’s any similar faces that exist in our dataset. We have Analyze Relations that allows us … it’s a way to visually map relationships between files. We have Statistics that allows you to report, show cool charts and graphs and stuff like that. We also have Annotations – this allows you to put an annotation on a file.

CameraForensics as well – extends the functionality. Now, CameraForensics is an online database that scrapes the public internet for any files that have been uploaded that still contain Exif information. So we can connect CameraForensics, that website, with Analyze DI Pro and we can harness the power of checking whether or not the camera used to create the imagery within your investigation was also used perhaps to upload to the public internet. And I know of several cases that have been solved specifically because offenders have uploaded files using the same camera they created abuse imagery with, up to the public internet. We also have the ability to view files in hex view, we can do keyword-matching as well. If we give it a keyword list, we can bring that in and match any files against it. We also have the ability to create a NCMEC report package, which is very quick and easy. This will generate the package for you, and you can send it off to NCMEC if that’s part of your job assignment.

We also have the ability to export into the NetClean ProActive Export format, which is one of our sister products that basically sits on corporate networks and watches for any trading or moving of abuse imagery. We can reverse geocode any information that’s contained with an Exif, like GPS coordinates.

We have a social media identifier that checks the files and looks and says “Hey, I believe this file was potentially downloaded from Facebook or Tumblr or Flickr.” We also have the ability to bring in these VICS (JSON) file formats, which is that open file format that allows us to communicate amongst other forensic tools, which is very important, in my opinion. We also have the Video Utility Pack that extends the functionality of how this handles video within the tool.

There are some other plug-ins that require additional licensing that I won’t go into, but you can feel free to go through here and take a look at your leisure. Videntifier is kind of a visual search that takes our search similarity, and it’s kind of like it on steroids. It uses points of interest and an algorithm to get you to find similar files based on logos and things like that.

Amped Authenticate and Amped FIVE are more functionality that is extended for file format analysis, forensic image authentication, and enhancement, things like that. We can plug that functionality into the tool. Also, what I want to talk about is we have our Griffeye CSA Brain and our Brain object detection. These are both plugins that are developed by us. And the CSA Brain will take any files that you import into your case, any imagery that is not pre-identified within your hash databases, and it will make a determination, the machine learning artificial intelligence will make a determination on whether or not it believes the file contains child abuse material or child sex abuse, and it’ll assign it a score between 1 and 100. Like, 1, 2, 3, 4, and 5 it believes is a low possibility. 95 through 100 it believes is a high probability that the image contains CSA. And then it bookmarks those files so you can quickly go review them.

We’ve had some really good successes with that. It still is in beta, and as with any other beta or machine learning, it just requires to be trained on more and more datasets, which we are continuing to work on. But we’ve gotten some really good results with the CSA identifier, or classifier. We also have the Brain object detection that goes in to look, and it’ll determine or it’ll detect objects within files, and then present that information to you, which is pretty cool.

So each one of these Analyze Forensic Marketplace tools just extends the functionality of the program. Some of them come pre-installed, like the ability to handle forensic images and the ability to export your NCMEC utility packs, things like that, and handling VICS (JSON) or [o-data] information.

So, this is the Analyze Forensic Marketplace, it can also be accessed from the ribbon up here within the workspace as well. So, we would go ahead and select whatever we’re going to select on these if we wanted to run all these. Again, this is a pre-processing tool, so it’s going to handle all the work up front, and then once it’s done processing, then you sit down and you can start going through all your information, and here’s all your administrative options. And then it says, “Hey, here’s a case. Here’s what we’re going to do. Here’s a summary of what you said.” And if I click Start, it’ll process the case. But like any other good cooking show, I already have one in the oven for you.

So, we have a case already processed here. But what I wanted to show you, before we do that, is in order to set up the program, you want to have a collection of hash databases. Now, the stronger your hash database system is, the more files you have in there, the more hashes, the better job it’s going to do of pre-identifying those files as you process your case on the way in. As you can see, this is a database that contains the MD5 hashes that are live in Project VIC. And if you’re not familiar with Project VIC or haven’t heard of it before, you can see exactly what they are at projectvic.org. But these are the hashes that I have from Project VIC. And as you can see, I’ve got six million hashes that are going to help me pre-identify files as I process my dataset coming in. We also have those hashes in PhotoDNA format as well, extending that functionality, that file-matching functionality, to visual copies as well as binary copies. And then, I have a huge non-pertinent set. This is a database … whoop! I don’t have that one populated, sorry.

The Project VIC non-pertinent set, as it stands now, is approximately 67 million hashes that are all files like icons and album art and PNG files that aren’t important, that we can quickly have the program flag and say “Hey, these files aren’t important.” We also have … I have an Interpol ICSE database set up here, and the NIST NSRL as well. And as you can see, that database has 57 million hashes of non-pertinent files. Now, all these hash databases are set up specifically so that as I process my evidence, as I bring in those forensic images, folders, VICS cases, whatever I bring in, it’s going to check each and every file against this database, and it’s going to flag that database … or excuse me, it’s going to flag that file. And as you can see on the right-hand side, it’s going to put it into the category that you have that assigned to.

This categorization is set up for the United States standard. Each country has a different standard, has different categories. For example, we have six categories. In Canada, they have, I believe, three. In the UK, there’s like 14. In Portugal, I think there’s seven. So it just depends on how you want to set up the program in order to suit your needs. This is set up to the United States Federal Charging Standard. Basically, we have child abuse material that’s federally illegal, and anything that doesn’t meet the criteria of being illegal but is child exploitative. So the idea of these hash databases is you have … datasets are getting incredibly huge now. When I first started doing internet crimes against children investigations in 2001, I think about the largest hard drive you could buy back then was about 120 GB. And just think about that. You can get a micro SD card with a 120, with more than that on it, with magnitudes more data on that.

So, datasets are getting so big now that we need tools to help us cut through this giant pile of information or data or pictures, and get us to exactly what we need quickly. Because if you have five million pictures and videos to go through, which is not unheard of … the last investigation was 1.2 million pictures and videos I had to go through. If you’re not using a tool that can pre-identify files using a database system, or you’re not using a tool designed to get through large amounts of media quickly, then you’re doing yourself a disservice, you’re working harder, not smarter. Let the computer, let the technology do the work for you. Let the technology help shield you from the vicarious trauma incurred while viewing CSA material, if that’s the type of investigation you’re doing. Let the computer do the work for you. And this program does an amazing job of that.

So, we have our hash databases set up, and we can populate those with files from various different sources that we might have – NSRL lists, there’s our Interpol ICSE, we can bring in actual files. If you have a folder full of files and you want the hashes of those files up in your database, you can just point the program right to the folder. It’ll hash all the files and put them up in the database for you. The idea is the stronger your databases are, the more, the higher percentage of files you’re going to get pre-categorized as you process your case in.

So, that’s setting up your databases. So we’ve got our databases set up, and we have got our Analyze Forensic Marketplace apps all ready to go, so we get our case set and processed, and as you can see, as this came in, as this processed the case, it said, “Hey, there were 5729 total files, the databases have pre-identified 3591 of them as non-pertinent, 886 as child abuse,” and as you can see, so on and so forth. So, it’s left me with a total of 5729 files, I have 1202 files left that are uncategorized. Because these all hit in the database, which indicates to me they’ve been seen before.

Another thing I wanted to show you as well is yes, this is just a training case, but as you can see, 79% of the work is already done, 20% of the files left are uncategorized, and the workload reduction is 86%. Now, I will tell you, in America, using the Project VIC databases as well as local databases that have been curated with information and knowledge from local cases, or older cases, we’re looking at between 30% and 70% pre-categorization. So think about that for a second – if you have a million files to get through and you could pre-exclude half of them, say, 500,000 – that’s what this program could do, right off the bat, not only in flagging files and saying “Hey, they belong in this category,” but also in stacking visual and binary copies.

What I mean by that is this program will take any files that it deems as it processes in, it says, “Hey, these files are duplicates.” It will stack them. And as you can see right here, I have this VIS with the number seven. That is telling me that seven of these files – and when I hover over it, it shows me those files – there’s seven files that are visually duplicative, and it lists exactly where they are over here. Here’s all the seven files and where their file locations are. But it’s stacked them. So imagine that’s CSA material, that’s an image of a child being brutalized or hurt. I don’t have to see that image seven times and make a determination on it seven different times. The power of the program hash-matching the databases, calculating the hashes and matching not only binary duplicates but visual duplicates or visual copies. Think of the reduction of how many times you have to see the same file over and over again.

And if you’re using tools like I used to use, like EnCase or FTK or any of the other tools that aren’t designed specifically to get you through these large amounts of pictures and videos quickly, then you’re going to see these files over and over and over again. Where this tool allows you to reduce that amount of data you have to go through, sorting it out, making it a lot clearer, a lot easier to digest. So that’s the power of the PhotoDNA stacking that we have going on right there.

As you can see, when the case was created, it created these pages of thumbnails, and at the top of each one of these thumbnails, we have these thumbnail header icons that perform different functions, which is really cool. And as you can see, you can also get some information from these thumbnail header icons visually, right off the bat. This icon being lit up tells me that there is Exif information, the camera being colored there. This icon indicates it hit in the database for me. And we have bookmarks, tags, lots of other stuff. But if I hover over things, it gives me information about the files.

Now, if I want to look at a file in its full view, I can just go ahead and hit the space bar and open it up. Now, one cool thing I want to show you, just a really neat tool that we have built into this, to kind of show you how powerful this program can be, is in the file view right here, this picture is really dark. And I can’t make any kind of determination as to what type of hotel room that is or maybe who the suspect is. I can quickly, with a push of this button right here, my shadow boost, I can tell the program to hey, try to adjust the contrast and brighten this to bring out any details in that picture that I can’t readily see. And when I do so, as you can see, it kind of brought out some of the shadowing and tone. Now, I might be able to make a determination as to where this file was taken. I can also use some of the functionality built in here as well, to zoom in on particular areas, helping even further with victim ID efforts, I can possibly make an identification, that type of thing. Really, really cool tools that are super easy to use, built right into the software.

Another thing I can do is if I hold down the SHIFT key, I can zoom in right here. But like I said before, if I want to look at the file, I can use my magnifying tool, and switch over to it. And I can zoom in right there, see what’s going on on the beach, see if anybody’s having a good time.

Alright, so, back to the thumbnail view. There’s lots of other cool functionality here, but we don’t have time, it’s beyond the scope. So let me walk you through the interface real fast. You can see that this is laid out very similar to a Microsoft Office program, where we have a ribbon up at the top. That is tabular data. We have our Home area, our Home tab. Case Data, where we can reprocess things if we need to go through, if we forgot to run an app in the beginning or we didn’t want to, we can always rescan it again after the case has been created, as well as the plugins. We have some other information stuff we can do over here. We can reprocess the case.

Our Report/Export tab is going to allow us to do all our reporting as well as any type of collaborative exports that we need to perform, such as that VICS case that I talked about earlier. On our View tab, this is where we can turn on or off certain areas of the program that we can or can’t see, or can’t use. One important button on this is your Reset User Interface, because this is a customizable interface. I can drag this out and I can put it wherever I want. I can extend the functionality by using multiple monitors, and just basically set this up however I want. But if you get a little crazy, like I’ve been known to do, and get myself lost, and I can’t figure out how to get these things put back correctly, I can just hit my Reset User Interface, and Bob’s your uncle, right back in business.

So that’s the View tab up here, and then any of the apps that we’ve activated in the Analyze Forensic Marketplace, we can access right over here. And as you can see … oh, one thing I want to point out to you guys, if you do go on our website, griffeye.com, and download and obtain a free copy of our software, you can … I want to point out for the fact that up in this upper left-hand corner, by this question mark, is the user manual that is built into the program, and as you can see, it’s paginated out, and bookmarked. The folks on our team have done an amazing job on making a very good, very easy-to-use manual for your convenience. And it is built right into the tool.

Also, we have … as you can see, right here, that this case is opened in a tab. We actually have the ability in this program … if I click Create New Workspace, we can have more than one case open at the same time. As you can see here, I could open up this case right here, and now I have two cases open at the same time, and one of the neat things I can do is I can right-click and search for similar images, which we haven’t really discussed yet, but I’ll show you. But I can do that across cases. So I can run a similarity search across cases if I have more than one open. Close that one out.

So, you’ll see over at the left-hand panel, we have kind of our information, and the program has so much information that it has to provide for you or display for you that it is kind of organized in this system of window panels. We have our main working panel in the middle, our info and folder panel on the left, and our classification panel on the right. And you’ll notice that it is tabbed out along the bottom. So, the tabs for the ribbon are up at the top, but in your workspace, they’re all at the bottom. And as you can see, I can tab between the folder interface or the info. Info just gives me summary information – actually, pretty rich information about whichever file I have selected. It’ll show me the location of any files, full Exif information of that particular file, and as you can see, as I click it, it pops up and says, “Please wait,” because it actually rescans all the Exif from the file you select in real time, to make sure you’re getting all comprehensive Exif information.

On the Folder view down here, we have a folder tree that basically shows us, that kind of gives us a file path of all of the evidence contained within our case. One cool thing I like to point out is these red folder names indicate that they’re files that have been flagged as illegal while the case was processed. Now, how does the case know that the file was illegal? Well, we have our hash databases set up and we have our categorizations set up – as I told you before, this is set up to the United States standard, but this can be set up to however you would like to have your files categorized. And we’ve flagged this particular category as illegal, which you could set any, as you want.

So, the program is saying, “Hey, there’s a file that was processed in your case and brought in, was categorized as an illegal file, and it exists in this folder.” So that’s a quick way to just have the program tell you, “Hey, there’s illegal files in here.” And using the ‘where there’s smoke, there’s fire’ theory, that’s probably a good place to start your investigation, is to go into the folder that contains previously identified illegal files, because it’s probably going to contain unidentified illegal files as well.

So that’s the folder view, the folder tree view, which is pretty cool. I’m going to jump all the way over to the right-hand side and show you the classification and filters panel. Over here, on the right-hand side, is basically where it’s going to give you the counts for all the files that you’ve classified or have been categorized as they were processed. Now, just because they were categorized by the program doesn’t mean – I could change a categorization or I could set it myself. So, let’s say, for example, I know that this file is not non-pertinent, but it’s important to me, it has to do with child exploitation. I want to make it a category two. I simply hit the ‘2’ key and I change that category.

Now, when you change categories within this case, or within this investigation or your case, it’s not storing those categories up in the database yet. They have to be pushed at the end of your case. So this, your categorization changes just live within your case, and when you’re done, you push them to archive that knowledge for future investigations. And I’ll show you how to do that here in a little bit. But that’s basically your categorization.

Your next tab over is Filters. Filters is the way that you’re going to get to information very quickly. I can … and we’ll talk about filters here in a second after I go through the interface. But beyond that, we have Bookmarks as well. So, we have the ability to create case bookmarks in here. I can right-click and add bookmarks, add folders, extend this however I want. And you’ll notice in here that this CSA Brain I talked about earlier has found files and flagged them. It found these four files and said, “Hey, the AI believes that these are CSA-related.” Now, these are training files that we use just for training, because we don’t want to have, obviously, real CSA material. But this is how it [codes] it for you, and you notice it puts a little flag on there and says, “Hey, this is CSA high.” That’s a great way for you to quickly have the machine or have your computer look through this huge mass of files and get you quickly to the files that you may be interested in. Or you could reverse it and just look at the low ones, and exclude things like icons and PNGs and things of that nature. So that’s pretty cool.

Back to the Classifications panel. One thing I want to talk about as well is we have the ability … now that we have the program set up, we have our files brought in, now we have this huge mess of files. And as you can see, the total amount, like we said before, is 5729, but if I look down at the bottom of my thumbnail view, it says “1 – 3,322”, because this program has stacked all those duplicate files. There’s not 5729 files for me to go through, there’s only 3322 files that … or stacks of files that I need to go through. Significantly reducing my workload and the amount of time it takes me to get through cases.

And I will tell you, having used this program since 2011, it has dramatically reduced the amount of time it takes to get through a single investigation. Reductions … 50-75% reductions in time spent going through media. And that’s extremely powerful. And the reason that is, is because of the ability to use filters and searching within the program. It stacks, it pre-identifies, pre-calculates information, pre-checks against database, and presents you with this information, and then you just sit down and you continue to work, using the tools like filters and searching.

So, filters are really quick. I will go through these. This is … when I do this class, it’s about a two-and-a-half-hour block just on filters. But I’m just going to run you through them real fast. We have filters, they’re tabbed up at the top. Filters related to Exif files. So anything that’s Exif or information embedded in the file. File filters are typically anything external to the file, like file size and file type. Intelligence is anything that typically a human has made a determination on, it’s been commented on, or … it lives in a database, it’s been identified. And Apps, anything related to the applications that you use to extend the functionality. For example, our face detection – I can filter down to the files that just have faces, or the program has detected faces. We’ll get to that in a minute.

Back to Exif – one quick way you can figure out what imagery your suspect or your person of interest is creating is to use your Exif filters. And let’s say you have collected, up on scene, at the scene of your search warrant or whatever your investigation is, you’ve collected a bunch of iPhones and you don’t know what model iPhone they are. There are a couple of different ones and you’re not that familiar. I can quickly go to my Exif tab and select my Apple filters, and now it has taken my thumbnail view, and it has filtered it down to display just files where Apple is in the camera make field of the Exif. And if you hover over one of these Exif thumbnail header icons, you’ll notice it says “Make: Apple, Make: Apple”. So I’ve taken this giant amount of files – it was 3322, if I remember correctly – and now it’s filtered it down to 276 stacked items that were all taken with a camera that was manufactured by Apple. According to the Exif again.

I could select another type … let’s say I have this camera, it was a One Plus cellphone I found on scene, and I want to see the pictures taken. Here we go. Now, here’s a really cool example of something that the program does, is it has detected in this image that not only is there Exif, but there’s GPS coordinates embedded within that file. And if I click on that thumbnail header icon, it actually takes me to the map, exactly where that file was taken, and bullets it for you. So that’s amazing, that it’ll do that for you. But I can map any of the files that indicate that there are GPS coordinates embedded in it. That’s one cool functionality as far as filters.

We can also do some other cool tricks. I will show you one thing. If you have an individual who has obfuscated something in the main image, trying to hide their face or … we have suspects now that are blurring fingerprints, because people have been identified through fingerprints within photographs, because the imagery is so resolute, with the quality of cameras anymore. So, the program, as it processes the files, it’s scanning and saying … it’s checking the embedded Exif thumbnail. And these files, it has identified that the embedded thumbnail doesn’t match the main image. For example, this picture right here, someone has blocked out this gentleman’s face, and if I want to look at it and see what his face is – because this is indicating the Exif mismatches – I click that box, excuse me, and it comes up on the left showing the main image, and on the right, this is the Exif-embedded thumbnail or the thumbnail image that exists embedded within this photograph. And now I can potentially make an identification. I could save this file externally if I needed to, I could add it back to the case.

One other demonstration of this function is here’s the main image, it’s been completely obliterated and pixelated. And here’s the embedded Exif thumbnail, you can see the resolution is a little bit better but still pixelated. But the program has identified that there’s more than one embedded thumbnail. Now, Griffeye Analyze Pro can handle three. There is no limit to how many Exif thumbnails can potentially be embedded in a file, but this program can handle up to three. And if I click this arrow, it shows me, “Hey, there’s an actually even more resolute thumbnail embedded.” And now I could identify this girl, where here I could not. Just extending that victim ID functionality within the program.

I can also create a lat-longitude fence and say “Just show me the photographs that were taken within a particular geographical fence.” And if I do that … I’ll go to Arizona, where I’m from, and I filter based on selected map, and it has just filtered all the pictures taken within this investigation that have Exif in that fence that I just set up.

So that’s kind of some of the examples of how you can take a huge amount of files and filter them down to what you’re interested in. You can also filter by just about anything. We can filter by file size. If you’re just interested in files that are over a megabyte or really big files that are over a hundred megabytes, you can filter down. We can also filter down by file type. One of the workflows that I would do is I would work on videos first. Or, excuse me – images first. And when I was done with my images, I would move on to video. But I want you to look at this video, the power of what this tool does for you.

As it processes videos coming in, it creates a 64-frame collage of the video that displays for you, so you can get a quick idea of what’s in the video, just by looking at the collage it’s created. But it’s also extracted frames, and if you remember correctly, I said when it processes in the video it does some really cool stuff. One of the things it does is it extracts frames out of the video.

So if you have a video file that’s broken, that won’t play in a standard player, this can potentially handle it, because it can just play the extracted frames for you. But not only that – I can scrub my mouse over each video, and kind of watch all those extracted frames or quickly watch the entire video. And I cannot tell you how much time this has saved me, as an investigator, in just locating and also excluding files that I don’t care about or files I’m not interested in.

I wanted to show you also one of the powerful functions of this, and let me … I’m trying to make this full-screen, so you guys can see the power of the video tool.

So, this is a video, and we have a surveillance video that’s an hour and 23 minutes long, but perhaps your surveillance videos are much longer than that. All the surveillance videos I ever had to watch in my career seemed to be at least 30 or 40 hours long, with nothing going on in them. One of the things this tool does is if you have the video utility pack enabled, with the pro version, it does scene detection on the left-hand side. Now, as you can see, this quickly tells me that nothing has happened in the first nine minutes and 14 seconds, and then stuff actually starts happening. If your scene detection isn’t good, you can adjust it. But I can play the video here in the middle, I can play it at normal speed, and as you can see, it’s counting up by the seconds. I could speed this up if I wanted to. I could speed it all the way up to 16x, to watch the video faster. That’s one way to get me through the video quicker. And as you can see, the little play head down at the bottom is showing me where I am.

But one other thing I can do – I’m going to slow this back down – I can extend it by showing multiple frames at the same time. So, I can concurrently play the video in the … or six, nine, or twelve segments, and I could watch the entire video, I could then speed it up as well. And you’ll see down at the bottom there’s a play head for each segment where that video is – which is pretty awesome.

Now, I’m going to switch back to the main view. This is where I could switch between those extracted frames, if I wanted to. And as you can see, the quality kind of changes. And if I hit the Play button, it’s just going to be … it’s actually just playing the frames that it extracted. I’ll switch back to video mode.

One thing that I have to highlight that the developers saw fit to do is any time you open a video in this program, by default, the sound is turned off. Even if there is sound. And I just think that was an amazing thing for the developers in my team to implement into this tool, because that … if you’ve done CSA investigations, if you’ve seen any child exploitation, oftentimes, the audio is as bad, if not worse, than the actual visual imagery. So, you can clearly turn the audio on if you want to, but I just wanted to highlight that, because that’s a hugely important thing that demonstrates the mindset of this team. So I’m just … I’m so proud.

Anyway, moving on – one of the other really cool things about this is it also allows the ability to filter based on certain criteria. So I can filter this video down to motion – if I just want to watch the parts of the video that have motion. Or faces, or nudity detection. Let’s do motion – this is a surveillance video. I want to get rid of all the white noise or the dead space, and I just want to get to the parts of the video where there’s things going on. So, if I go down to Filter, Motion, With Motion … you’ll notice down here at the bottom, my timeline, big segments are greyed out. Now when I play this video, I want you to watch this play head down at the bottom. And I’m going to hit my filtered play button, and you’ll see it jumped over all the dead space, and just plays the video, and … keep an eye on this. Boom! It just jumped over all that time, because nothing was going on in the video. I just think that’s amazing functionality, if you have surveillance footage of things you have to go through.

Also, one other cool thing you can do is not only can you look at motion for the entire video, but let’s say you’re just interested in this SUV – this is a surveillance video you’ve been assigned to review. And I just care about what’s going on here. I can go up to Filters … excuse me. I would go over here, and I would just say detect motion in just a particular area. I select that box. Makes a little crosshair. And then I run … it’s going to recalculate the motion data just within that specific frame of the video. And now it’s going to filter, just like it did before, but it’s going to filter down to the motion in just this segment of the video. So now, if I go to Filters, Motion, With Motion, and I hit my filtered play, you’ll see that it skips to the area where this person is walking around this SUV. Pretty slick. You can also take screenshots or, excuse me, snapshots of any video frames and export them, and face detection as well, within video.

Since we are here on video, let’s talk about face detection within video. Let’s say, for example, this video is important and I want to … I’ve found an individual and I think that … you know what, I’m going to switch to a different video. That one’s been giving me grief in some of my testing. Here is a video of my lovely wife hanging out with some of the animals on the farm. And this has detected, within the video, when it processed it, that there’s a face. Not only can I filter now, instead of motion, down to files with just a face, and as you can see, down here … oh, that’s why it was going so fast. Sped up too fast. You’ll notice that it has greyed out a segment of this video where there is no face. So, if I hit this filter play, it’ll play the video, where it shows her face, and then, when she turns away, you’ll see it’s skipped over all that, to the segment of the video back to where her face is being shown again. So not only can we filter based on a face, but we can filter based on a specific face as well.

So if you have more than one face in the video, you can say Filter, Face, Specific Face, and you can select which face you want to filter to, and then it’ll filter down and play the segment of the video where it’s just that face – which is absolutely amazing, in my opinion. So let’s go back to this video. We’ve watched this and we’ve found this individual. And I think this is a bad guy and I want to see if his face exists anywhere else in my investigation. So I could play the video until his face freezes, let’s say. I pause it right there. And I tick the Face Search button and draw a box around his face. And I’m asking the program to show me anywhere else in the investigation where this face or a similar face exists.

And when I release it, it kicks me over to my search results. And as you can see, here’s my sample that I fed it. It’s kind of a dark and twisted image with his face shadowed. And it has found him in ID photographs, it’s found him with different facial hair, a different photograph that looks similar to the video. It’s found his face in that video, because it exists there. It’s also found his face here kind of twisted and contorted. And then we go down and there are some false positives. That is him, these aren’t him. That’s Johann and Pelle, our CEO and Deputy CEO. But as you continue on your search results, you’ve got even more hits for this particular face. So it does a fantastic job of locating faces.

That was within a video. Now let’s say you have an investigation and you have imagery of a potential suspect or a victim, and you want to see, within this giant dataset that you have – and you have no idea where any of the information is. You have no idea, but you want to find the same person that you have a picture of externally. You can go over to your Search tab, and go down to Similar Faces. Change your search method to Similar Faces. Click Add, and we can go to … let me go up to my … sorry.

Sorry, I should have had that set up earlier. So let’s say I want to look for … this is a bad guy in my investigation, this chucknut right here. And I want to see if his face exists anywhere else. Now remember, this is a file that I have on my computer externally. I click Open, it imports it, and it conducts a search, and here’s the results. Which is interesting, because the file I brought in, I’m wearing sunglasses – and that is a picture of me, for those of you who didn’t notice that in the first slide – so, it’s found me and [Magnus] wearing sunglasses. It’s found me wearing different glasses than the sunglasses, as you can see. It’s also found … oops, excuse me. It’s also found me with yet other glasses, different facial expressions. Pretty cool. It’s found me here with a different angle. Does a really good job of detecting those faces. So, that’s taking an external image, and bringing it in, and locating it internally.

Now, I also talked about how on our filters, we could filter down to files that have faces. And let’s say I find this face, and I think that is a victim. She is a potential victim or she’s someone that I need to identify. You can see that face detection has already detected the face within this imagery, but if I was going through this and I just randomly came across this file, I could say, “Hey, I want to see all the other files in this case that have the same face.” Right-click, expand, and boom – kicks me over to my search results, and it’s found her face in lots of other imagery as well. Different angles, different … here she is trying Swedish candy for the first time. Even with her face all scrunched up. The face detection is just absolutely phenomenal, in this program. And again, it allows you to locate faces from data within the case, in imagery and videos, and it also allows you to bring in external faces and search for them within the investigation. This has been a huge, huge benefit for investigators. And we have got nothing but success stories from running these exact types of search queries.

Alright, so since we’re talking about searching, I wanted to talk about the power of searchability within this program. And one of things, one of the most basic ways that we can search for files is for visual similarity. So, let’s say we’re looking through our case and we come across this image, and it’s these two women. They’re potentially victims of ours. And I want to see if there’s any other pictures in this case that are kind of similar to this. I can just simply hit the ENTER key, and it kicks me over to the search tab again. And as you can see, it has given me results for multiple other files that look similar to this file, that I can then bookmark or I can add … I can bookmark them if I wanted to. And as you can see, as I bookmark files, it puts little flags up on here.

But I can also conduct a secondary relationship … excuse me, similarity search within the program, within the search results. So I can say, okay, I search for this file, and I found these results, but what if I search for this file? I’ll get different results. So, I hit ENTER, and I’ll see it’s found some other different files. I can always go back to my first search result, and try different files, in different settings, different layouts, and you can find even more imagery. Here they are, there’s no fence. I could hit that, and it’s finding even yet more similar files. So that’s just the basic, simple similarity search, and it works on pretty much any type of file. It’s using contours, points of interest, color dispersion and things like that, in order to identify visually similar files.

You also have the ability to do the … just like the video, we can do a visual similarity on a selection. So, let’s say this candelabrum is important and I want to find it within my case somewhere, see if there’s any other imagery. I can go to the Similar Images, just next to my Similar Faces button. And when I select that, it gives me a crosshair. I draw, and my results … here’s the results for any files that are similar … oh, that didn’t come out very well. That’s pretty bad. I can see it hit right here. But that’s not great. Let me try that again.

There we go, that’s a little better. It was able to find the [carpet] dispersion there. But as you can see, now here’s a file where we can make a possible identification on that person. So, that is your basic, first line of searching. If you right-click over a file, you can see that we have the ability to also search for similar images, which is what we just did, similar faces. Relationship searches – so we can do a search based on relationships. This program allows us to find files related to other files by all these criteria. We can have it … we can search for files with the same Exif serial number, within the same date range, same GPS range, same resolution of files, if it’s in the series bookmark folder, if it’s visually similar or has a similar face. So, this is all the criteria that we can use to search for files that are related to other files. Let me pull up one that I know of, to show you, for demonstrative purposes.

So, if I have this file here, I can right-click and say Search … Relationship. And it has kicked me over to the Search tab, and it shows me all the files that are related to this file that I searched for, and all the ways it’s related. Here’s a file that’s related based on GPS – it was taken on the same date, same bookmark, same resolution, same folder. Pretty cool. This was taken in the same GPS range or same GPS area. Basically, it’s giving you all the list of how the files are related. Now, in the pro version, what’s pretty cool is we can perform that search in a visual manner, so I can right-click and say … excuse me. Open Analyze Relations for Selected File. So I select that, and it brings me to this interface. If I click the binoculars, it brings up a wheel with all the relationships, and I can select which ones I want to visually map. You’ll see over here on the right-hand side that we have kind of like scene detection – it’s listing all the files and showing all the related files and how they are related.

So, let’s say I just want to see the pictures taken on the same day. I select that, and it visually maps for me the files that were taken on the same day. And then, I can actually take these files and run subsequent relationship searches as well. I want to see all the files that contain the same faces – there we go. Not only did it find it again within Pictures, but it found it within Videos, and I can visually map it. That’s our visual similarity searching, which is … excuse me, that’s our Analyze Relationship Searching. So, it’s a way to visually map all these relationships. Because if you can identify relationships with files, then you can report on relationships, and you can show patterns of activity and patterns of behavior, and things like that.

Okay, another kind of searches we can do – we can obviously do text searches across the program. We can actually do that up here, if we search for photo – there’s lots of different ways to search. When I select this, it gives me my results, right within here. We can do a batch search. Now, one of the helpful ways that … or a good use case to do a batch search is … let’s say you have an investigation, and you downloaded or you have eight files that you got in a cyber tip or you downloaded in a proactive, undercover investigation.

And you want to see if those reported files are in your dataset. You can basically bring in a text file, and if I say “Add text file”, I can bring in a file that contains … and I’ll show you what this is. This is just a list of MD5 hashes that represent the file … excuse me, that represent the files that I downloaded, and I want to see if they’re in this case somewhere. I can just click on … I can bring in my hashes list. And it says it’s successfully imported eight strings. And it identified four of them that it found within my case. That quickly.

So, that’s a really, really cool way to bring in external information and search within the program. So the searchability, searching, and filtering really extend the amazing functionality of this tool. Because it allows you to take your large datasets, for example, if I go back to Filters, and it brings them down to a size that you can easily ingest.

One thing I failed to mention – if you’re doing victim ID work. And one of the things that I always did, once I learned about this tool and about how powerful it is to identify the creation of first-generation material … I used it to quickly determine whether or not my suspect, or the owner of all this data that I’m going through, is actually creating first-generation material.

And one of the quick ways you can do that is by using your filters and saying, “Hey, show me all the pictures that have maybe a camera serial number,” and with my results, I can go through and say, “Oh, okay, this is interesting, this is important. I’ve found, let’s say, this file, and it’s telling me that there’s a serial number embedded in this file, listed right up here.” And if I hover over it, it shows it to me. But I can right-click and say Search, Same Exif Serial Number. Now I can look at all the pictures that exist within that case that were taken with the same camera that I’m interested in. Really, extremely helpful way to get any victim ID work done when you’re potentially trying to identify any victims within your investigation.

So, that is basically the overview of the power of the tool using filtering and searching. Let me get this back to … we can all see what’s going on. We talked about searching, we talked about filtering. One view that isn’t utilized as much as I think it could be is the grid view. Now, we have our thumbnail view, [if you talk] about the grid, it’s basically just a tabular version of all the files that exist in the thumbnail view. And as you can see, we have different columns, and this is very much like an Excel spreadsheet. We can move these around, we can resize them if we want. We can actually filter from right within here. If I select this little funnel in the upper right-hand corner and I say I just want to filter down to child abuse material, I can do so. And it’s just filtered down to child abuse material. And notice, it has also filtered my thumbnail view – anything you do in grid also affects thumbnail. But that’s another way you can extend the functionality, is right within here.

I can also sort files, over here, in the bottom right-hand corner, depending on whatever sort criteria I want. I can sort my data. Including CSA score, which is kind of a cool use case, if you wanted to sort by CSA score, you can do so. And now I could sort my files and say just give me the strongest ones here. Or start off with ones with no score. It’s kind of a little workflow idea.

So, we’ve talked about filtering and searching and sorting and taking that big, huge amount of data and bringing it down to a size that you can analyze and review much quicker. Let’s assume we’ve completed our work and we want to export. Up here … or we want to generate a report. We can quickly do so. We can use our report function to create and export a report. And not only does this create a file list report, but it also creates a summary report. The summary report is just going to give you quick information about the case. And I’m going to just make a real small one, just for demonstrative purposes. And lots of criteria that I can select, depending on what I want to export or import into my report.

And when I create this, what it has done is it has created a … I just selected to report on category three and … excuse me, two and three. So it’s giving me an overall, of all the imagery that was located within those categories, and the totals, overall of video length. This is the part that I like about this summary report, is it breaks down each object or source ID, and gives you an overview of how many files were found in that particular category, from that particular piece of evidence. So, when I created my case, I called my forensic images … the HP Laptop … I had a folder that I called ‘External HDD’. So, this is a quick report on exactly where all the imagery, all the illegal imagery was found. So that’s the summary report that it creates.

It also creates a file list report, which I will show you here in one second, when I can pull it up off my … [silence]

Reports. Here’s my file list report. And as you can see, it’s … I set this one up to not have any links to the imagery, but you can certainly set it up to have a link or a thumbnail right there that points you directly to that exported imagery. We also have the ability to copy files externally from this program, which is … if I want to copy this file out, I can just go over here to File Access. Or, if I have a large set of files I want to copy out, I can do so as well. I could select a bunch of files and copy them … selected files. And it kind of gives me an interface, how do you want to do it, where do you want to put it, do you want to split it up, things like that. That’s our exporting.

We can also create a CSV report, instead of … if you didn’t want to do an HTML report, you just wanted to do a CSV. Which is extremely extensible – we can create this however you want. You can have lots of different options, how you want to set up your CSV. And I don’t need to demonstrate and show you what a CSV file looks like, I don’t think. We can also export to the EnCase hash format. That’s just to export hashes. We can create an Excel report, and notice, it just says ‘Filtered Files’. So, when you create an Excel report, what it is doing is it is actually just going to create a … it doesn’t ask you what you want. It’s going to do an overview Excel spreadsheet of your entire dataset.

So, all the files, all the information within your case. And then you have it up in Excel, and you can actually use Excel, to use the filters built into Excel, to filter right within the CSV. This was one of the formats we would give to defense attorneys when we wanted to give them a full picture of all the data in the case but we weren’t obliged to give them the actual abuse imagery.

We also have the ability to export a VICS case. VICS, again, that’s that open file format. I can export the hashes at the top if I wanted to, as well as the files. So if I wanted to export just hashes, to give them to somebody else, to import into their database or for whatever purpose, I would select things at the top. But if I wanted to export everything into a VICS package, which basically creates a case, a portable case, from everything that I’ve selected, including all these criteria from the files, the categories tags, any Exif information, anything selected. And I could export the files and give that to another person, and they can import that into their installation, and go through the files themselves.

We also have an NCMEC submission, which I talked about a little bit before. I can quickly create an NCMEC submission report. It asks me where do I want to put it. Whoops … let me just do that real quick. And I ask which template I want. There’s four of them that are in here by default that you can select from. And all it basically does is creates a couple of folders, and it generates that report for you based on the information that you’ve created in your case. As you can see, here’s how many images it’s going to submit. Things like that. You fill this out, and it creates a package for you that you then copy to a hard drive and export out.

You also can export any hashes to the ProActive file format – that’s our sister company again. We can push cases to the collaborative server, if we have access to a collaborative server, we can actually push directly, push our case up to the server. So, let’s say you created a case locally, and you processed it, and you want other people to be able to access it and collaborate with you on it. You would push it up to your Griffeye collaborative server, and then other people can access it from the server itself.

Now, one of the last things you wanted to do – remember, what I said before is we’ve created our case, we’ve done our categorization, we’ve done all our victim ID work, whatever we’ve done, and we’ve created our report, but we want to keep this categorization and all the work that we’ve done within this case, we want to archive it.

Oh, you know what, let me back up. I apologize.

There’s lots of different intelligence that we can apply to files, above and beyond categorization. We can apply tags, so as you can see, there’s a tag system where I can not only say this is a category two file but I could apply a tag. As you can see here, we have S&M/Violence and Infant/Toddler. But you can create whatever tags you want. Bookmarks we talked about a little bit; I can bookmark this file. But in addition to that, I can actually add even more functionality, like the series information, identification and distribution status of the file. So, if I know this file is part of a known series, I can look it up here, and say, “Okay, it’s part of this series,” and I can select that, and apply the intelligence by double-clicking on it. And it says yeah, [1:09:09] previously unknown, yes. And I also changed the distribution and offender identification status.

So, not only does that database contain categorization, to categories that we’ve set up in here, but it also can contain … sorry, let me show you real quick. It also contains not only the hash value, the categories, but the series, any known series it’s a part of, any tags, the identification and distribution status of the file.

So, we could add all that additional intelligence. So, while you’re working on your investigation, you go through, and if you assign this type of intelligence, not only your categories, and you want to push them up to your database, you can quickly do so by your Manage Hash Database button. And this is taking a lot longer than I anticipated. I apologize. Because I grabbed the full Project Vic [1:10:04].

But as you can see, there’s lots of other intelligence in this database, beyond just the hash value and a categorization. So I want to keep all this status and series information, and categories and tags. So what I would do is I would go up to my Update Hash Databases button, here at the top. And I would select which database I want to update. Now, for demonstrative purposes, I want to show you that I have created this local database. And it’s empty, there’s nothing in it. And I want to save all my work, but I don’t want to mess with these national databases, I want to just keep it in my own local database, so I know that it’s work that I’ve done.

I can go to Update Hash Databases, and select just the one that I’m going to be updating. And it says “What hash values do you want to push up?” I want to push up all of these. I hit Start. Yes, I want to update that database. It’s updated. Now, if I go look at my hash databases and I select my local one … Overview … there’s all the hashes I just pushed into that database. Now, any future case that I process, it’ll check against my database, and it’ll help me find either files of value or files that I’m not interested in, basically separating the haystack from the needle. Because oftentimes, we
