Reconnoitre – Link files, geolocation and C4P

Since Reconnoitre was released in January this year there have been a number of enhancements driven by requests from our users including link file support, EXIF and geolocation support, features to query C4P hash servers and advanced reporting.

Of course, during this time numerous enhancements were also made to the core functionality of Reconnoitre, i.e. parsing Volume Shadow Copies, to further streamline and enhance the user experience. These enhancements included the ability to hash just graphics files, comprehensive tooltips to accelerate the learning process and additional “copy to clipboard” functions, making it easier to get data from grids (and pictures) out of Reconnoitre for those who don’t want to use our report… There are lots of further user-driven developments planned for Reconnoitre, as our intention is to make this the tool that you want, rather than the tool that we think you want.

The most recent release (May) adds integrated support for link files, so in Reconnoitre when you click on a link file you can see which file it links to, and when you click on a target file you can see which link file(s) link to it.

At the end of March we added support for EXIF data from graphics files, allowing the investigator to view all EXIF data (including GPS data if present) in one grid and the ability to interrogate an Open Street Map server to see where a picture containing GPS EXIF data was taken.

At the beginning of March we added enhanced reporting, a thumbnail view and C4P integration, allowing the user to directly query a C4P hash server (MySQL or SQL Server) to automatically categorise files (both live and those in shadows). For C4P users outside of the UK the categories are also user configurable.



Current enhancements in more detail:

EXIF, GPS/Geolocation and Open Map Server

Reconnoitre now has the ability to parse every graphic file looking for EXIF information, specifically the date a picture was taken, camera/phone make, model etc., along with any GPS information; this is then placed in a table for review. In conjunction with this I have added a map panel: when a picture with GPS data is selected in the EXIF table it will be displayed in the picture panel, and a map depicting where the picture was taken will be displayed alongside in the map panel (see screen shot below). I am particularly excited about this feature, as when used alongside C4P it has the potential to very easily and quickly show where a particular illegal image was taken, giving the opportunity to potentially take a child away from harm.

Once you have identified a picture of interest you can then filter all the EXIF records that contain GPS information and restrict the view to just those pictures taken within a user-specified distance of your base picture.

This feature does require internet connectivity to query Open Map Server and download the necessary tiles for the map. This feature is disabled by default.
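The distance filter described above can be illustrated in Python; this is an added example, not Reconnoitre's own code. It converts the degree/minute/second rationals that EXIF stores into signed decimal degrees and keeps only pictures within a chosen radius of a base picture; the record layout, file names and coordinates are constructed for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius

def dms_to_decimal(dms, ref):
    """EXIF GPS rationals ((deg), (min), (sec)) plus N/S/E/W ref -> signed degrees."""
    if len(dms) != 3 or any(den == 0 for _, den in dms):
        raise ValueError("malformed GPS rational")  # blank GPS blocks are often 0/0
    deg, minutes, sec = (num / den for num, den in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def within_radius(records, base_name, radius_km):
    """Names of GPS-tagged pictures within radius_km of the base picture, nearest first."""
    located = {}
    for rec in records:
        gps = rec.get("gps")
        if not gps:
            continue  # picture carries no GPS EXIF data
        try:
            located[rec["name"]] = (dms_to_decimal(gps["lat"], gps["lat_ref"]),
                                    dms_to_decimal(gps["lon"], gps["lon_ref"]))
        except (KeyError, ValueError):
            continue  # incomplete or malformed GPS block: leave it out of the filter
    base = located[base_name]  # KeyError if the base picture has no usable GPS data
    hits = [(haversine_km(base, pos), name)
            for name, pos in located.items() if name != base_name]
    return [name for dist, name in sorted(hits) if dist <= radius_km]

def _gps(lat, lat_ref, lon, lon_ref):
    """Build a constructed GPS block from (deg, min, sec) integer triples."""
    return {"lat": tuple((v, 1) for v in lat), "lat_ref": lat_ref,
            "lon": tuple((v, 1) for v in lon), "lon_ref": lon_ref}

# Constructed sample EXIF records (names and coordinates are illustrative only).
RECORDS = [
    {"name": "IMG_0001.jpg", "gps": _gps((50, 6, 0), "N", (5, 16, 0), "W")},
    {"name": "IMG_0002.jpg", "gps": _gps((50, 6, 30), "N", (5, 15, 0), "W")},
    {"name": "IMG_0003.jpg", "gps": _gps((51, 30, 0), "N", (0, 7, 0), "W")},
    {"name": "IMG_0004.jpg", "gps": None},
    {"name": "IMG_0005.jpg", "gps": {"lat": ((0, 0),) * 3, "lat_ref": "N",
                                     "lon": ((0, 0),) * 3, "lon_ref": "E"}},
]
```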

Link file support

This release adds LinkAlyzer-like functionality to Reconnoitre. On completion of volume parsing Reconnoitre will now identify all link files in the file system, decode the information within and add it to a Link Files grid. Reconnoitre will then use the information within the link files to try to determine the file to which a link file points (the target). You can apply filters on the grid to easily identify (for instance) all of the volume serial numbers that the link files refer to, or look at Object IDs to see whether a file has been copied from another volume.
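As an added illustration of the link-file decoding described above (not Reconnoitre's own code), this Python example reads the target timestamps, size, volume serial number and local base path from a shell link, following the published MS-SHLLINK layout. The sample link produced by `build_sample_lnk` is constructed, and Object IDs (held in the tracker data block) are not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Decode header timestamps plus the LinkInfo volume serial and local base path."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, _atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    out = {"target_created": filetime(ctime), "target_modified": filetime(wtime),
           "target_size": size, "volume_serial": None, "local_base_path": None}
    try:
        pos = 76
        if flags & 0x1:  # HasLinkTargetIDList: skip the 2-byte size and the ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x2:  # HasLinkInfo
            _size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
            if li_flags & 0x1:  # VolumeIDAndLocalBasePath
                serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
                out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
                end = data.index(b"\x00", pos + path_off)
                out["local_base_path"] = data[pos + path_off:end].decode("cp1252", "replace")
    except (struct.error, ValueError):
        pass  # truncated or damaged link: keep whatever was decoded so far
    return out

def build_sample_lnk():
    """Constructed minimal link: 76-byte header followed by a LinkInfo block only."""
    ft = 133000000000000000  # constructed FILETIME (June 2022)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x2, 0x20,
                         ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 17, 3, 0x1A2B3C4D, 16) + b"\x00"  # fixed drive, empty label
    path = b"E:\\docs\\report.doc\x00"
    vol_off, path_off = 28, 28 + len(volume_id)
    suffix_off = path_off + len(path)
    link_info = struct.pack("<7I", suffix_off + 1, 28, 0x1, vol_off, path_off, 0,
                            suffix_off) + volume_id + path + b"\x00"
    return header + link_info

SAMPLE = parse_lnk(build_sample_lnk())
```

Grouping the decoded `volume_serial` values across all link files gives the same view as filtering the Link Files grid by volume serial number.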

When you select/click on a link file, the cursor on the main files grid will be updated to select the target file. You can also configure Reconnoitre so that clicking on a file in the main grid results in any link file(s) that point to this file being highlighted (known as a master-detail relationship). To help with this Reconnoitre has a new field “haslink” that can be used to create a filter on the main files grid to show just those files that are the target of a link file.

The reporting features of Reconnoitre (see below) have also been updated so that the user can create a report containing just link files, or using the master-detail functionality create a report on selected target files with sub-reports immediately after each target file detailing the link files which point to the target.

Enhanced reporting

We have also enhanced the reporting facilities in Reconnoitre and a comprehensive reporting package has been added that allows you to design your own report templates. These reports are very configurable and once created can be saved and reused or even sent to a colleague who can use them as they are or modify them for their own use. The installer includes a couple of templates for you to start with and to modify for your own use.

C4P

C4P integration includes the ability to query MySQL and SQL Server C4P hash databases as well as import .c4p files (created and exported directly from C4P) to identify and categorise files identified by C4P as “somewhere” in a shadow file.

For C4P users outside of the UK, you can now configure the illegal image categories to match those that your country uses.

You can download the latest Reconnoitre demo from the link below.

Reconnoitre Demo

Short support videos showing the above features are available at this link

Support videos

Or contact Sanderson forensics at +44 (0)1326 572786 or

[email protected]
