Reviewed by Jade James
Griffeye Analyze DI Pro is used by law enforcement agencies and other national security and defence organisations for all sorts of investigations involving large volumes of media files. Although it is perhaps most well known for its application to child exploitation cases, Analyze DI Pro is not designed specifically for use in such investigations. This tool has a wide variety of add-on functionality, meaning investigators are able to work smarter and faster with automated processes that will categorise and filter out non-pertinent material. Analyze DI Pro is designed for individual investigators, with integrated tools for sorting and efficiently analysing large volumes of media files. In a nutshell, Analyze DI Pro parses images and videos intuitively to return the best results for the user.
After the initial setup and entering case information, you can add data from a variety of sources. There are options to import data from physical media, forensic images, VICS (Video Image Classification Standards), C4ALL and so on. With forensic images you can only import standard image file types (i.e. open source image types including dd, RAW, E01, .iso, .bin, .dmg, .vhd, but not newer file types such as Ex01 or AFF4). You can continue to add more data throughout the investigation and change the settings to exclude certain attributes to speed up processing times. You are also able to import data from Cellebrite UFED in the form of a JSON file. Project VIC is a US-based cloud service which provides quality controlled hash sets to law enforcement agencies, with the purpose of collaborating and sharing information and creating standardised law enforcement data formats. Analyze DI Pro allows you to import VICS output as JSON files, which it stacks and categorises; then you are able to re-export the data and files as a VICS output, functionality that further helps law enforcement agencies identify and rescue children from sexual abuse.
Hash databases can be added to index and filter out any duplicate or known images and videos, so that you are only presented with pertinent material. In cases of CSA, you can choose to exclude images and videos returned from processing that are already known and have been processed before, to avoid over-exposure to potentially harmful material.
If you slightly alter an image, it will produce a completely different hash value; therefore you could end up seeing the same image in multiple locations, again increasing exposure to potentially harmful material. Analyze DI Pro includes robust hashing in the form of Microsoft PhotoDNA, which is built in. PhotoDNA will match photos that are visually similar even when they do not give an MD5 hash match. With PhotoDNA, a unique 144-byte hash value is created by resizing the photo, changing the photo to black and white, dividing the photo into a grid then looking at the gradient in each square of the grid.
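The difference between an exact MD5 match and a robust match can be shown with a small added example, which is not from the review and is not PhotoDNA: a toy grid-and-gradient hash in the spirit of the steps described above. The 6x6 grid, the distance threshold and the sample pixel grids are all assumptions constructed for illustration.

```python
import hashlib

GRID = 6  # cells per side (assumed for this sketch, not a PhotoDNA parameter)

def md5_hex(pixels):
    """Exact hash of the raw grayscale bytes: any change gives a new value."""
    return hashlib.md5(bytes(p for row in pixels for p in row)).hexdigest()

def gradient_hash(pixels, grid=GRID):
    """Toy robust hash: mean absolute horizontal and vertical gradient per cell."""
    step = len(pixels) // grid
    n = step * (step - 1)  # number of neighbour differences inside one cell
    out = []
    for cy in range(grid):
        for cx in range(grid):
            ys = range(cy * step, (cy + 1) * step)
            xs = range(cx * step, (cx + 1) * step)
            h = sum(abs(pixels[y][x + 1] - pixels[y][x]) for y in ys for x in xs[:-1])
            v = sum(abs(pixels[y + 1][x] - pixels[y][x]) for y in ys[:-1] for x in xs)
            out += [min(255, h // n), min(255, v // n)]
    return bytes(out)

def distance(a, b):
    """Sum of absolute byte differences between two robust hashes."""
    return sum(abs(x - y) for x, y in zip(a, b))

def is_match(a, b, threshold=20):
    """Robust match: hashes are close, not necessarily identical (assumed threshold)."""
    return distance(gradient_hash(a), gradient_hash(b)) <= threshold

# Constructed sample data: 48x48 grayscale grids, values 0-255.
SIZE = 48
ORIGINAL = [[3 * x + 2 * y for x in range(SIZE)] for y in range(SIZE)]
ALTERED = [[p + 1 for p in row] for row in ORIGINAL]   # slight brightness change
ALTERED[10][10] += 40                                  # plus one edited pixel
UNRELATED = [[5 * y for x in range(SIZE)] for y in range(SIZE)]

if __name__ == "__main__":
    print("MD5 equal:", md5_hex(ORIGINAL) == md5_hex(ALTERED))
    print("robust distance, altered:", distance(gradient_hash(ORIGINAL), gradient_hash(ALTERED)))
    print("robust distance, unrelated:", distance(gradient_hash(ORIGINAL), gradient_hash(UNRELATED)))
    print("altered matches:", is_match(ORIGINAL, ALTERED))
    print("unrelated matches:", is_match(ORIGINAL, UNRELATED))
```

The altered grid no longer matches on MD5 but stays within the robust threshold, while the unrelated grid falls well outside it.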
One great feature of Analyze DI Pro is that it will not show you duplicates. Duplicates will be stacked, meaning that the thumbnails of the same file will only be shown once. If there are multiple instances of the same image, this will be indicated by a number in the top left corner of the thumbnail. If you select a thumbnail, it will give you further information as to where each duplicate was found within the image.
File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata. With the LACE Carver integrated into the platform, the data is automatically extracted from the device and imported directly into the platform as part of the same process. The LACE Carver is integrated as an optional add-on and is available to Griffeye Analyze DI Pro users.
Once the processing of the image is complete, you are presented with thumbnails of all the images and videos present. Images and videos are categorised by pre-determined configurations in your setup. The categories consist of: Non-Pertinent; Child Abuse Material (CAM) – Illegal; Child Exploitive (Non-CAM)/Age Difficult; CGI/Animation – Child Exploitive; Comparison Images; and Unassigned. You can use these categories to filter out and only view relevant material, for example the unassigned material.
When carrying out your investigation, you can search for similar images within the imported data by simply selecting the image and pressing enter. This will return results with similar characteristics such as colours, shapes, contours and textures. This technique can return quite a few false positives as there is no threshold like with PhotoDNA. Also with images you can select a reference point and search for this point in any other similar photos (for example, if there was a particular background object in an image, you can search for this object in other images, which may provide more detail to the case).
Using filters, you are able to search the metadata within the images; for example, the file size, EXIF dates, camera model, file path, length, width/height, serial number, tags, series, software, source location, timestamps, bookmarks, categories, name and GPS data. Using metadata as a reference point to search, you could search EXIF data to find out if there are any other images or videos with the same EXIF data. The Map view of Griffeye Analyze DI Pro also allows you to see where photos were taken in the world by marking the points on a map (if GPS data is available).
To view videos, you simply need to filter to view. Videos are presented in a 64-frame storyboard format which is useful for quick review and exclusion of certain videos, or alternatively you can hover your cursor over a video file and it will play the video from start to finish as a preview. When you select a particular video, you can choose to view it as a single frame or as a multi-stream (either in 6/9/12 streams). Analyze DI Pro will read the video file and analyse for motion and nudity, which is indicated below the video. To the left of a video, you can see it broken down into chapters and scenes.
Like with images, you are able to search reference points within videos; for example you could select a car in a video, and then configure Analyze DI Pro to only show footage in the video where there is movement at that particular reference point.
On the top of each thumbnail, you are given an indication of stacks, file type, EXIF information present, PhotoDNA hash, and so on. The thumbnails are also colour coded to the categories you have set.
As mentioned previously, Griffeye Analyze DI Pro has an open API which makes it possible to integrate with various add-ons, apps and other tools. It has a basic core version which is free for law enforcement agencies and includes Camera Forensics, a Forensic Utility pack, NCMEC Utility pack, VICS (JSON) and NetClean ProActive Export. In the Pro version, you have a vast amount of apps and plugins available to you: LACE Carver, FACE, Analyze Relations, Analyze Statistics, Annotations, Hex Viewer, Keyword Matching, Reverse Geocoding, Social Media Identifier, Video Utility pack, Videntifier Visual Search, Amped Authenticate, Amped FIVE, Griffeye Brain CSA BETA, and Griffeye Brain objects.
Griffeye work with other forensic service providers and organisations, most recently with Amped Software, who are known for their tools in image and video enhancement. The Griffeye / Amped integration means that data can be exported directly from Griffeye into one of the Amped products: Amped FIVE, which can be used to improve and analyse images and videos; Amped Authenticate, which can be used to evaluate the authenticity of an image and verify its source; and Amped DVRConv, which is used to convert videos in proprietary formats into standard formats.
The Camera Forensics app is a web crawler tool which was created to search the internet for specific EXIF data and report back. Camera Forensics indexes open source EXIF data and shows you where it appears on the internet. The Social Media app allows you to filter images and videos from particular social media sites. When you post an image on Facebook, it will be renamed and it will not contain the EXIF data anymore. Analyze DI Pro manages to get around this and in some cases you are able to view the native image on Facebook or other associated social networks. This is useful to build more of a picture in an investigation and it could lead you to other people of interest.
Another feature of Analyze DI Pro is Face Detection And Recognition. Analyze DI Pro is integrated with Luxand FACE technology. Luxand FaceSDK is a cross-platform face detection and recognition library that can easily be integrated with software such as Analyze DI Pro. The FaceSDK API can detect and track faces and facial features, and recognises gender, age and facial expressions. FaceSDK is provided with a Tracker API which allows tracking and recognition of faces within live video. The tool provides the coordinates of 70 facial feature points, including eyes, eyebrows, mouth, nose, and face contours.
To use the Face Detection feature of Analyze DI Pro, you need to have the FACE and Video Utility pack activated beforehand, and then you can create a new case and import your data. Detection and recognition of faces in videos are done during the import stage (if selected) and may take some time to process. Once the processing is complete, if you select the Grid view, you will see a column which shows the number of faces detected within an image or video. Using the filters, you can also filter for images and videos that actually have faces in them; those that have more than one face; or those that have no faces present.
You can search an image with a face for a similar image by creating a reference point around the face and right-clicking, then selecting Search > Similar Faces. When viewing videos with particular faces of interest, you can adjust the settings of the player to only show the segment of video which has the face you are interested in. Again, within the video you can pause at a particular frame and use the face in the frame to find images and videos containing a similar face to the one in the video. The investigator can also search for similar faces from external images simply by adding an external image to Analyze DI Pro. Lastly, you can find relations between files by linking images and videos with the same face, by selecting the Relations Wheel from the options menu. Relations Wheel is a visual diagram of all the faces related to one particular face.
Low-Level Feature Extraction can be used to search for street signs, or for distinguishing marks on a person during similarity searches. Using identifier technology, Analyze DI Pro creates unique digital fingerprints for 300 points within the image. The technology uses points such as rotation, scale, viewpoint, source camera, illumination, cropping and transcoding to make sure that quality results are returned.
To summarise, Griffeye Analyze DI Pro is a very easy to use and powerful tool for the processing and analysis of large quantities of images and videos, with exceptional ability to integrate with other forensic tools. Analyze DI Pro is not designed for triage; this tool should be used for pre-processing and processing. What I noticed with Analyze DI Pro is that, because there are so many features, it would be quite easy to get lost down a rabbit hole in search of a person of interest. There are bookmarking facilities which you can use to help circumvent this, but there is no sure-fire way of retracing your steps or backtracking. As Analyze DI Pro is not a forensic tool, there is no audit trail; however, you are able to create reports and there is a log, similar to a programme log, which would be useful to developers. With the use of known hash datasets, you can cut down the exposure to indecent images, and with the use of MD5 and SHA1 hashes in general you can be given some assurance as to the integrity of the images and videos which are returned from carving.
Griffeye provides the law enforcement community with excellent resources for turning information into intelligence. Analyze DI Pro offers advanced analytical features and capabilities, and the flexibility to ensure a smooth and efficient workflow, for individual investigators who require a powerful set of tools to get the job done.
About The Author
Jade James BSc (Hons) is currently a Digital Forensic Investigator at the Serious Fraud Office. She has previous professional digital forensic experience from working at IntaForensics, the Home Office Centre for Applied Science and Technology and the City of London Police. Jade has gained experience from conducting computer and mobile device examinations and drone forensics, and has been involved with ISO 17025 & Quality Standards both as a Digital Forensic Practitioner and Quality Manager.