BTW (and as a side note) I believe that (at least in many countries) the LE/Prosecution has to provide to the defense the actual unmodified hard disk images and not a bunch of files copied to a hard disk.
If the images have been copied maintaining date/time of the original filesystem, dividing them in folders by date would make a lot of sense.
LE does not have an original hard drive. It's an odd case making it very difficult to process. In fact, the prosecutor is struggling trying to figure out a way to manage this data.
So far, I haven't seen much exif data in the photos. Many of them are simply memes downloaded from the internet and shared.
In addition to the images, we have a massive amount of documents that are saved in obsecure ways that prevents searching and manipulation by most programs.
I decided to dump everything into FTK because it could at least organize the files (about 1.5 Million potentially relevant files in total), and do some filtering for me.
There is a program called LACE from BlueBear that is specifically designed for this requirement. It uses a proprietary visual image matching system called ImageMark. ImageMark will find matches even if the image is
- different format jpg vs. tif vs. bmp vs. png, etc.
- cropped
- watermarked
- different resolution full res vs. thumbnail
- rotated
- forensically recovered data missing
ImageMark is "zero-false-positive" and is used for automatic categorization by matching to the accumulated database - unlike PhotoDNA which is only used for similar matching. If there is any doubt regarding a match then that file is placed in the Unknown category for manual review.
Typical performance on a plain vanilla i7 with 16G RAM and a 500G SSD for the database is 1 million files processed in 2 hours. Every case is different but with a decent database average case reduction (pre-categorization) is over 85%.
No restrictions on database size or case size.
LACE is Client-Server The server does the heavy lifting (Image matching, Face Extraction/Matching) while Investigators use the Client work at the own desk at their own computer on their own cases. Included is the LaceCarver which carves Image and Video files from any digital media including HD's, USB, CD/DVD, and forensic images (E01, Ex01, L01, Lx01, DD, RAW, etc.) and can be copied and used on as many workstations as desired. There are NO dongles.
The website is
Best regards,
-Jeff Nash
Hi,
you can use Vizx2 from ZIUZ or LACE from Bluebear.
The problem I have is I don't know what is relevant. It is not a CP case. Some relevant pictures may have people, others may show items, but we don't really know what we are going to find that is useful.
There is a program called LACE from BlueBear that …
Full disclosure (if needed)
http//www.forensicfocus.com/Forums/viewtopic/p=6545807/#6545807
jaclaz