Reconnoitre – Link files, geolocation and C4P

Since Reconnoitre was released in January this year there have been a number of enhancements driven by requests from our users including link file support, EXIF and geolocation support, features to query C4P hash servers and advanced reporting.

Of course, during this time numerous enhancements were also made to the core functionality of Reconnoitre, i.e. parsing Volume Shadow Copies, to further streamline and enhance the user experience. These enhancements included the ability to hash just graphics files, comprehensive tooltips to accelerate the learning process and additional “copy to clipboard” functions making it easier to get data from grids (and pictures) out of Reconnoitre for those who don’t want to use our report… There are lots of further user-driven developments planned for Reconnoitre, as our intention is to make this the tool that you want, rather than the tool that we think you want.

The most recent release (May) adds integrated support for link files, so in Reconnoitre when you click on a link file you can see which file it links to, and when you click on a target file you can see which link file(s) link to it.

At the end of March we added support for EXIF data from graphics files, allowing the investigator to view all EXIF data (including GPS data if present) in one grid and the ability to interrogate an Open Street Map server to see where a picture containing GPS EXIF data was taken.

At the beginning of March we added enhanced reporting, a thumbnail view and C4P integration allowing the user to directly query a C4P hash server (MySQL or SQL Server) to automatically categorise files (both live and those in shadows). For C4P users outside of the UK the categories are also user configurable.



Current enhancements in more detail:

EXIF, GPS/Geolocation and Open Map Server

Reconnoitre now has the ability to parse every graphic file looking for EXIF information, specifically the date a picture was taken, camera/phone make, model etc., along with any GPS information; this is then placed in a table for review. In conjunction with this I have added a map panel: when a picture with GPS data is selected in the EXIF table it will be displayed in the picture panel and a map depicting where the picture was taken will be displayed alongside in the map panel (see screen shot below). I am particularly excited about this feature as with use alongside C4P it has the potential to very easily and quickly show where a particular illegal image was taken, giving the opportunity to potentially take a child away from harm.

Once you have identified a picture of interest you can then filter all the EXIF records that contain GPS information and restrict the view to just those pictures taken within a user-specified distance of your base picture.
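The distance filter described above can be sketched as follows. This is an added example, not Reconnoitre's code: the record layout, function names and sample coordinates are constructed for illustration, and the haversine great-circle formula is an assumed choice of distance measure.

```python
import math

def dms_to_decimal(dms, ref):
    """EXIF stores a coordinate as (deg, min, sec) rationals plus an N/S/E/W ref."""
    deg, minutes, sec = (num / den for num, den in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0088 * math.asin(math.sqrt(h))

def position(rec):
    """Decimal (lat, lon) of a record, or None when it carries no GPS EXIF."""
    if "GPSLatitude" not in rec or "GPSLongitude" not in rec:
        return None
    return (dms_to_decimal(rec["GPSLatitude"], rec["GPSLatitudeRef"]),
            dms_to_decimal(rec["GPSLongitude"], rec["GPSLongitudeRef"]))

def within_radius(records, base_name, radius_km):
    """Names of GPS-tagged pictures taken within radius_km of the base picture."""
    coords = {r["name"]: position(r) for r in records if position(r)}
    base = coords[base_name]
    return sorted(n for n, c in coords.items()
                  if n != base_name and haversine_km(base, c) <= radius_km)

def rec(name, lat=None, lat_ref=None, lon=None, lon_ref=None):
    """Build one constructed EXIF record; omit the GPS tags when lat is None."""
    r = {"name": name}
    if lat:
        r.update(GPSLatitude=tuple((v, 1) for v in lat), GPSLatitudeRef=lat_ref,
                 GPSLongitude=tuple((v, 1) for v in lon), GPSLongitudeRef=lon_ref)
    return r

# Constructed sample records (not taken from any real case).
RECORDS = [
    rec("IMG_0001.jpg", (50, 6, 0), "N", (5, 16, 0), "W"),    # base picture
    rec("IMG_0002.jpg", (50, 6, 30), "N", (5, 16, 30), "W"),  # about 1.1 km away
    rec("IMG_0003.jpg", (51, 30, 0), "N", (0, 7, 0), "W"),    # hundreds of km away
    rec("IMG_0004.jpg", (50, 6, 0), "S", (5, 16, 0), "W"),    # same digits, southern hemisphere
    rec("IMG_0005.jpg"),                                      # no GPS EXIF at all
]
```

Ignoring the hemisphere reference tags would place IMG_0004 on top of the base picture, which is why the sign is applied before any distance is computed.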

This feature does require internet connectivity to query Open Map Server and download the necessary tiles for the map. This feature is disabled by default.

Link file support

This release adds LinkAlyzer-like functionality to Reconnoitre. On completion of volume parsing Reconnoitre will now identify all link files in the file system, decode the information within and add it to a Link Files grid. Reconnoitre will then use the information within the link files to try and determine the file to which a link file points (the target). You can apply filters on the grid to easily identify (for instance) all of the volume serial numbers that the link files refer to, or look at Object IDs to see whether a file has been copied from another volume.
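To show where the volume serial number sits inside a link file, here is an added example (not Reconnoitre's code) that reads the ShellLinkHeader, skips the optional LinkTargetIDList, and pulls the drive serial number and local base path from the LinkInfo/VolumeID structures of the Shell Link format. The function names and sample files are constructed; Object IDs (tracker data) and Unicode paths are not handled.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2            # LinkFlags bits 0 and 1

def parse_lnk(data):
    """Return (volume serial, local base path), or None if the link has no VolumeID."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, info_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    if not info_flags & 0x1:                     # VolumeIDAndLocalBasePath unset (network target)
        return None
    serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
    end = data.index(b"\x00", pos + path_off)    # LocalBasePath is NUL-terminated
    path = data[pos + path_off:end].decode("ascii", "replace")
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}", path

def build_sample(serial, path, id_list=b""):
    """Constructed minimal .lnk: header, optional IDList, LinkInfo with one VolumeID."""
    flags = HAS_LINK_INFO | (HAS_ID_LIST if id_list else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")
    volume_id = struct.pack("<4I", 0x11, 3, serial, 0x10) + b"\x00"  # fixed drive, empty label
    base = path.encode("ascii") + b"\x00"
    path_off = 0x1C + len(volume_id)
    info = struct.pack("<7I", path_off + len(base) + 1, 0x1C, 0x1, 0x1C,
                       path_off, 0, path_off + len(base)) + volume_id + base + b"\x00"
    ids = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    return header + ids + info

def group_by_serial(files):
    """Map each volume serial to the (link name, target path) pairs that refer to it."""
    groups = {}
    for name, data in files.items():
        parsed = parse_lnk(data)
        if parsed:
            groups.setdefault(parsed[0], []).append((name, parsed[1]))
    return groups

# Constructed sample link files (serials and paths are made up).
SAMPLES = {
    "report.lnk": build_sample(0x1A2B3C4D, r"C:\Users\demo\report.docx", b"\x00\x00"),
    "photo.lnk": build_sample(0x1A2B3C4D, r"C:\Users\demo\photo.jpg"),
    "usb.lnk": build_sample(0x9F00C0DE, r"E:\backup\photo.jpg"),
}
```

Grouping on the serial is the same view as filtering the Link Files grid by volume serial number: a serial that matches none of the examined volumes points at media that is not in the image set.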

When you select/click on a link file, the cursor on the main files grid will be updated to select the target file. You can also configure Reconnoitre so that clicking on a file in the main grid results in any link file(s) that point to this file being highlighted (known as a master-detail relationship). To help with this Reconnoitre has a new field “haslink” that can be used to create a filter on the main files grid to show just those files that are the target of a link file.

The reporting features of Reconnoitre (see below) have also been updated so that the user can create a report containing just link files or, using the master-detail functionality, create a report on selected target files with sub-reports immediately after each target file detailing the link files which point to the target.

Enhanced reporting

We have also enhanced the reporting facilities in Reconnoitre and a comprehensive reporting package has been added that allows you to design your own report templates. These reports are very configurable and once created can be saved and reused or even sent to a colleague who can use them as they are or modify them for their own use. The installer includes a couple of templates for you to start with and to modify for your own use.

C4P

C4P integration includes the ability to query MySQL and SQL Server C4P hash databases as well as import .c4p files (created and exported directly from C4P) to identify and categorise files identified by C4P as “somewhere” in a shadow file.

For C4P users outside of the UK, you can now configure the illegal image categories to match those that your country uses.

You can download the latest Reconnoitre demo from the link below.

Reconnoitre Demo

Short support videos showing the above features are available at this link

Support videos

Or contact Sanderson Forensics at +44 (0)1326 572786 or paul@sandersonforensics.com