Hello everyone,
Sometimes the prosecutor sends all 20 seized computers and a printed photo to the lab, and he asks if that specific photo exists (either deleted or present) on any of those computers.
So, to be able to answer the question, the computer forensic examiner must extract all pictures and look at each of them. And the number of pictures in common picture formats (jpg, jpeg, tiff, etc.) may amount to millions of photos when extracted.
And just scrolling through those pictures requires weeks or months, depending on the number of examiners, and it takes so long that it prevents other cases from being taken care of if the examiner is allocated to reviewing pictures.
So, it is all right that a computer forensic examiner must extract all those millions of pictures from all those hard drives, which is a very technical issue, but do you think he/she must look at, and be confined to, those millions of pictures, which might take weeks or months, or should the examiner just send all the pictures to the prosecutor, saying "all pictures extracted and sent to you, because looking at millions of pictures does not require computer forensics skills"?
I understand that from the prosecutor's point of view, yes, the examiner should review all those pictures; otherwise the prosecutor has to arrange for someone else to review the pictures.
But from the examiner's point of view, forensic computing should not cover non-technical activities.
What do you think?
Sometimes the prosecutor sends all 20 seized computers and a printed photo to the lab, and he asks if that specific photo exists (either deleted or present) on any of those computers.
That sounds "unusual".
It is a question that has not (and cannot have) an answer.
If the prosecutor provides a file, that is one thing, but if he/she provides a printed picture the question makes no sense.
On the PC there may be tens of pictures similar (or looking like) the given printed one, but there is no way on earth that you can link the file to the print or vice-versa, at the most you will be able to state that a "copy" of a "similar" image was found.
There are specialized tools that attempt to identify similarities between images; examples of a few free ones:
http//
https://
https://
so what you could do would be to scan the picture the prosecutor gave you (i.e. re-digitize it if the prosecutor printed it from a file) and then run a tool looking for a "duplicate" of your scan.
There is (was) a tool that arranged images according to colours/shades:
https://
http//
jaclaz
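The scan-then-search approach described in the post above, sketched as an added example that is not part of the original thread: a difference hash (dHash) reduces each image to 64 bits, and a small Hamming distance marks a candidate for human review. It assumes an imaging library has already decoded each file to a grayscale grid; the file names, sample pixel data and the threshold of 10 are constructed for illustration.

```python
# Added example (not from the thread): dHash similarity search over grayscale grids.
# Assumption: each file was already decoded to a 2D list of 0-255 values.

def shrink(pixels, out_w=9, out_h=8):
    """Area-average a grayscale grid down to out_w x out_h cells."""
    in_h, in_w = len(pixels), len(pixels[0])
    small = []
    for oy in range(out_h):
        y0 = oy * in_h // out_h
        y1 = max((oy + 1) * in_h // out_h, y0 + 1)
        row = []
        for ox in range(out_w):
            x0 = ox * in_w // out_w
            x1 = max((ox + 1) * in_w // out_w, x0 + 1)
            cell = [pixels[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(cell) / len(cell))
        small.append(row)
    return small

def dhash(pixels):
    """64-bit difference hash: one bit per left/right neighbour pair."""
    bits = 0
    for row in shrink(pixels):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def find_candidates(query, corpus, max_distance=10):
    """Return (name, distance) pairs within max_distance, closest first."""
    q = dhash(query)
    scored = ((name, hamming(q, dhash(img))) for name, img in corpus.items())
    return sorted((s for s in scored if s[1] <= max_distance), key=lambda s: s[1])

# Constructed sample data: one 72x64 "file on disk", two non-matching images,
# and a "scan of the printout" (2x resolution, brighter, deterministic noise).
ON_DISK = [[(x // 8 * 83 + y // 8 * 59) % 200 + 20 for x in range(72)] for y in range(64)]
CORPUS = {
    "recovered_0001.jpg": ON_DISK,
    "recovered_0002.jpg": [[y // 8 * 30 for _ in range(72)] for y in range(64)],
    "recovered_0003.jpg": [[215 - 3 * x for x in range(72)] for _ in range(64)],
}
SCAN = [[ON_DISK[y // 2][x // 2] + 15 + (x * 7 + y * 13) % 5 - 2
         for x in range(144)] for y in range(128)]

if __name__ == "__main__":
    print(find_candidates(SCAN, CORPUS))
```

A hit only means "visually similar enough to look at"; as the post says, it cannot link a file to the print, and cropping or rotation before printing will defeat this particular hash.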
Thank you for the answer jaclaz.
What we are trying to find is whether or not there is any picture which is similar or seemingly-same as the picture on the paper.
But the question is who should do the reviewing of all the millions of pictures extracted by the examiner? Should it be done by the computer forensics examiner or should it be done by someone else the prosecutor will appoint?
But the question is who should do the reviewing of all the millions of pictures extracted by the examiner? Should it be done by the computer forensics examiner or should it be done by someone else the prosecutor will appoint?
If I am assigned a case where points to prove are provided and specific details are provided, i.e. file names, date/time stamps, other attributes, investigation summary etc., then I have more to work with and I can filter my analysis more. However, if it is essentially a fishing expedition and limited details are given, then there's only so much I can do…
If all you have been given is an image printed on a bit of paper and nothing else to work with, then personally I would hand that back to the officer along with all the images recovered and tell them to get a coffee and get comfy in a chair as they can go through them to see if any image(s) are visually the same.
In my opinion it is for the officer in case to review the data and identify anything notable which they want to use for evidence.
But the question is who should do the reviewing of all the millions of pictures extracted by the examiner?
The investigator and prosecutor have to take what is provided by the examiner as responsive to their request and review that data to find what they will take to court.
Should it be done by the computer forensics examiner or should it be done by someone else the prosecutor will appoint?
What qualifications do you have in photographic analysis? Can you describe the similarities between the images sufficiently? If not, the prosecution needs to find a specialist in those areas.
I would also recommend your implementing some sort of Known File Filter (KFF) / hash-list of known files. That should help reduce those numbers you are referencing. If allowed by policy/law in your area, I would also start maintaining a hash list of files (or just images and videos) that you see across cases so that you can build a larger and larger hash list as you progress as an examiner. This will help in white-listing or reducing large file reviews.
Here's a good place to start for known software (I know the post is specific to images, but a start is a start) http//
I also agree with jaclaz that optimally using software to your benefit is a must, especially with the volume you are referencing. I have used NetClean, IEF, and BlueBear Lace which all have great skin tone detection features to help you filter down through large sets of images very quickly. I've reduced 15 million image investigations down to 100k of pertinent images using these techniques.
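The known-file filtering suggested above, as an added example that is not from any poster in this thread: hash every extracted file, drop anything on the known-file list, and collapse identical files found on several computers so each is reviewed once. The directory layout, file contents and the one-entry hash list are constructed stand-ins.

```python
# Added example (not from the thread): known-file filtering plus de-duplication.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, known_hashes):
    """Return ({hash: [paths]} for files not on the known list, count of skipped files)."""
    to_review, skipped = {}, 0
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in known_hashes:
                skipped += 1          # known file: no human review needed
            else:
                to_review.setdefault(digest, []).append(path)
    return to_review, skipped

def build_sample_export(root):
    """Constructed sample: images extracted from two of the seized computers."""
    files = {
        "pc01/wallpaper.jpg": b"stock wallpaper bytes",
        "pc02/wallpaper.jpg": b"stock wallpaper bytes",
        "pc01/IMG_0001.jpg": b"user photo A",
        "pc02/copy_of_IMG_0001.jpg": b"user photo A",
        "pc02/IMG_0002.jpg": b"user photo B",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def demo():
    """Run the triage over the constructed export with a one-entry known list."""
    known = {hashlib.sha256(b"stock wallpaper bytes").hexdigest()}  # stand-in hash list
    with tempfile.TemporaryDirectory() as root:
        build_sample_export(root)
        to_review, skipped = triage(root, known)
    return len(to_review), skipped, sorted(len(p) for p in to_review.values())
```

Cryptographic hashes match only bit-identical files, so this step shrinks the review set but will not itself locate a re-saved or rescanned copy of the printed photo.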