Intro To DEI PRO: Assessing All Devices In A Timely Manner

Rich: Good day everybody and welcome to our webinar. Today we are going to introduce you to Digital Evidence Investigator Pro so you can assess all your devices in a timely manner. I’m Rich Frawley. I am the director of training here at ADF Solutions. I have been with ADF Solutions for over seven years now. Prior to that it was 23 years in law enforcement, and 17 of those as a forensic examiner and investigator investigating all different types of crimes. You name it, I had it, including a jury tampering case, one of my favorite. We were an affiliate of the Internet Crimes Against Children Task Force. Of course, just like a lot of you out there, I did a lot of ICAC cases as well.

That’s what I’m bringing to the table and I am going to show you Digital Evidence Investigator Pro today, a flagship tool with ADF Solutions here, so that’s Advanced Digital Forensic Solutions. We have been around since 2005, 2006. Started out in the image identification arena, quickly turned into the triage, gathering more artifacts, more images. That turned into a pretty robust triage tool, Linux-based. In 2016 we had a major user interface change and we went from Linux to Windows based. So when booting you can boot into more computers and not have to deal with changing the boot order or going in and turning off a secure boot on most modern computers.

From 2016 we’ve been building on what is Digital Evidence Investigator. In 2017, 2018 we added mobile and we have been building that up ever since. We really do have a Premier Mobile tool for you to use, and still thinking back to our original core, our triage, our early case assessment.

Here’s some of the uses for Digital Evidence Investigator Pro. Triage, early case assessment. Like I was saying, you go in, you want to see what’s on that computer and make a decision on it right away. Hey, show me five images, show me some videos, show me some of the keywords I’m looking for, match a couple hashes, and we’re going to take this computer and do a really good interview and move on, and maybe triaging some of the other computers and eliminating them so we’re not creating a backlog in the lab.

Move that down one step to early case assessment and investigative scans. Probably you haven’t heard what’s an investigative scan, Rich? So you’re in there. You can either run a live scan or a boot scan on these computers and you’re gathering that triage information. But think about a couple of these situations. You are an investigator maybe in an ICAC unit. And if you can gather the information on scene, you get to keep it and continue that investigation on. If you don’t gather that information on scene, the computer gets seized, goes to the lab. Now you’re not going to get that information back until that computer is complete. So that depends on the backup at the lab.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


So you’re running your scan couple more minutes, you have a really good assessment of that computer, or you’ve gathered enough information and five, 10 minutes to continue that case that day. Preservation orders; who’s been dealing with this person? Are they trading? What accounts do they have that I need to know so I can, like I said, preservation orders, put a hold on that?

You can use it for specific evidence retrieval. You’re always grabbing something, simple cases, and sending them to the lab. You know what you’re looking for. You’ve been trained in this. You want to get your case done. So using Digital Evidence Investigator Pro, you can set it and customize it to go in and get what you’re looking for. I have a simple threatening case, or I have a simple harassment case, or I have an embezzlement case that’s just involving documents on this computer, and that’s all I need. You can set this to go in and collect that information for you. Doesn’t stop you from still sending that computer up to the lab if you’re a department that does that. We don’t have a lab, but we have a lot of digital evidence. It allows you, again, to keep that investigation open, doesn’t let it get stale while the computer sits at somebody else’s lab.

Child exploitation investigation and analysis, that is our sweet spot. We have designed the inner workings of our search profiles or our set of instructions to specifically look for this information. Look for the low hanging fruit, look in the areas that this information’s going to be. Bring in your specific keywords, bring in your specific hashes, work those cyber tips, bringing in the files that Google or Twitter have sent you and make those a part of your scan. Very simple. We do both computer and mobile.

When we’re getting that victim witness consent, knock and talks. Victims of serious crimes, of sexual assaults, that are reluctant to give you that device. You can sit down with them. We’re going to show you. It’s easy for you to work with them so they feel more comfortable and you are getting what you need in your case. You can use this for any case, anywhere, at any time.

Users, like I was saying, ICAC Task Force members, investigators, examiners, undercover officers, especially on the mobile side. When you have CI’s and you’re trying to get some information off the phone, we’ll show you how to get that quick. With the ICAC Task Forces, how to do previews of mobile devices on scene. Special investigation units where you’re dealing with those victims and those witnesses to get that information upfront and close.

Examiners, investigators, it is for both. It is designed to be easy to use, customizable, and for the examiners you can actually keep control of this and send the investigators out with just what they need to get the job done so they can’t run more than you want them to. So you can keep some control over it. You can have your more experience investigators go out and use the tool and bring the information back for you, allowing you more time with the more difficult tasks at hand in the lab.

Intelligence officers, military. I have some time, I don’t know how much time I have, so I’m going to start to scan and run it until I have to beat feet. I’m going to pull the key and run. Great, great, great for that. You have the ability to set it in that manner. Probation parole, again, previews, screenshots, screen recordings on the mobile devices, quick, fast, logical, computer plug and play. Put the USB device in, choose the scan you want to run and start seeing the information that’s on that computer. School resource officers; again, quick access to the phone. I only need a couple of things off of this or I just want to see a couple of things off of this. How can I collect that and move on? Assurance investigators, when you’re looking at the phones, this tool is so nice to have right there on your tablet or on your laptop, gather some information, gather some pictures, and do it in a manner where you’re not using the other phone to send or have them send. Make sure you’re getting exactly what you’re looking for.

If you want a free trial of the tool, you can get that. I’ll show you this again at the end. But tryadf.com. Nice to have this upfront, so if that’s what you’re looking for.

Let me get into the tool now. What we’re looking at here is Digital Evidence Investigator Pro. Pro means it has both computer and mobile in it. We have Digital Evidence Investigator is our computer tool. We have Mobile Device Investigator which is our mobile tool. Smash those together into this interface and you have Digital Evidence Investigator Pro. It investigates computers, mobile devices. We have our settings here and our user guides. User guides are nice PDFs that open up, and it’s broken down here kind of by chapter. What do I need help with? Pick it, open it, and it is specific to that so you’re not fishing through hundreds of pages trying to find what you’re looking for.

We’re going to start with computer today. So again, this is introduction to Digital Evidence Investigator Pro. A lot of you probably haven’t seen it before. Or you’ve been interested in it, you’ve seen it maybe at a show, but haven’t followed up on it. We’re going to walk you through high level, get a good idea of what’s in the tool. And if you need more you’ll be able to contact us and see more. We can do a more detailed demo for you along the way.

Anyways, scan. That’s where you go in. Need you to think a little bit different out of the box. Some of you probably are used to going on scene, you’re used to looking at computers on scene, the triage. That’s what a scan is. I’m going into this device and I’m only collecting what I’m telling it to. I want these artifacts. I want these files. I want to run these keywords and these hashes. I’m not making an image looking at that whole image and trying to decipher what I want. I’m telling it what I want, go in, collect it, bring it back to me. It clears all that noise out and allows you to look at what you are focused on. So that’s your scan area.

I’m just going to come in here real quick. Target devices are over on the left. This is everything that’s attached to this computer minus the system drive, because I’m working on this. This is installed on my laptop here. It could be on a tablet, on your forensic machine, wherever your main installation is. You can see I have a phone hooked up and some external drives. All this is available to me to scan.

I can point it towards a folder. I can add an image file. I can add phones, add phone backups. And we have a remote agent which allows us to connect to the Mac, so the M1s, the T2s, the M2s allows you to make a direct connection and from the Windows side scan that computer or image that Mac.

When you select a device, you have the search profiles in the middle, kind of explained that a little bit before. This is your set of instructions. What do I want out of this computer? It is completely customizable. And, you can collaborate with other DEI users. So if they’ve created a profile and you want to use that, they can send it to you, you can import it. Great for taskforce if you’re going to be hitting different businesses on the same case or different locations on the same case. This will allow you to collaborate and all have the same search profiles.

We give you about 13 out of the box profiles. We have Quick; those are designed as a quick general profiling of this device and its browsing history; so browsing images, browsing history, downloads, cash. And we have child exploitation which adds the child exploitation keyword list and about 400,000 hashes.

You have our mobile. If you’re doing mobile devices, we have Intermediate. Intermediate now steps up from that Quick. Intermediate gets all the artifacts that you’re looking for, makes that general profile. But then when it comes to collecting files, it’s focusing on the user profiles, right? So it’s still Quick, but it’s focusing on where that information typically is. And we have both general and child exploitation.

And then we have Comprehensive that looks everywhere on the disc, all your artifacts, collecting files, putting it all together. And again, these are all customizable, and with a little training you’ll understand everything that’s in here.

Once you pick a device and you pick a profile, your scan information comes up, you can give it a name. The scan button starts here and you can scan that device.

So this is what it looks like. What shows up below here on the lower third is what I’ve asked it to go in and collect. What’s happening up on top? It’s making a listing of every file and folder that’s on this device. So even if I’m only collecting 10 things, it still gives me that complete inventory of everything that’s on that device so I can go back and look if needed.

Once it does that, it goes out and starts collecting the artifacts. You can see it’s starting to fill in all the artifacts that I’ve asked it to go in and collect. And I’m showing what it came from, whether it was Windows, whether it was Chrome, whether it was Firefox, whether it was Skype, and the number of results I’m getting in my matches pane. You can see that those are some keyword hits. So we’re getting instant keyword hits as well. We run those a couple different ways.

As it moves on, it’s going to go in and start collecting files. You’ll start seeing those files or pictures and multimedia go across. So think, knock, and talk. Maybe I’m not collecting artifacts, but I go right to image collection. This stuff comes across right away. Now I use dogs as contraband. You’ve probably seen a couple of those go across already. If that was it, that’s my threshold. I can go and stop this scan. Anything I collected is there. I can also go in and view the results as this is happening.

So that’s what it looks like. We’re going to get a little bit deeper into this. Let me stop this. Just wanted to give you an idea of what it looks like in each step when you’re scanning something. Now the nice thing is I was showing you the installed desktop version. I’m going to show you it running from a USB device in a couple of minutes. The interface is the same. There’s no learning curve. Really easy to get through.

So you can see I stopped this early. It told me that it finished. I can go in and view my results here. That was a minute and 31 seconds. It collected over 1,900 files and all these artifacts, I can go into my picture gallery and see what it’s collected, and I could report on it. So analyze, report, all here, same day, lots of information. So let me get out of that. Let’s go back to the main page. That was your scan area.

We have Prepare Collection Key. Easy for me to say. Prepare Collection Key. This is where you can put it onto a USB device. Samsung T7 500 GB, might even be a terabyte that we’re giving now with the kit when you buy it. So USB 3, SSD, super fast. You could put the tool on this, take it out into the field and scan your device out there. I’m going to show you that here in one second.

You can image. Here from the desktop, anything that’s available or accessible I can select the physical device, the destination I’m going to save it to, give it an image name, and image that device. Reviewing your scan results, this is where all of my prior scans are that I can go in, analyze, and report on. And then setting up scans, here is the customizable area. Here’s where you can customize these profiles. Bring in your own hashes, bring in your own keywords, turn on or turn off the artifacts that you want to collect.

I’m going to go into Manage Search Profiles. This is my library. This is all the profiles I have on this. This is a clean installation, so I don’t have anything customized in here yet. If I wanted to, I’m going on a child exploitation case, Intermediate, I can copy one of the ones that we started. You can see how easy this is. Capture groups and your captures. Everything selected is what is going to run. My set of instructions, any forensic traces, application usage, peer-to-peer, installed applications, right? So there’s a lot going on in here. You’re doing a triage early case assessment, maybe even just investigation. You might want to pare this back a little bit so it runs a little bit faster. But do you just step down through each one of these groups and turn on or turn off what you want to collect. You could see you can get even granular down to the specific apps. Maybe you only have the authority to grab one or two, so you can do that.

A couple here under Device Data, encrypted drive on a live Windows machine. I’m going to show you this. It will pull the BitLocker keys for you, save those. So if you have a BitLocker machine up and running, when you go into that house or in your lab or wherever you are on scene, it will grab those credentials for you.

Also on Live under web browser is Saved Credentials. That will pull usernames and passwords from the browsers. That is great information. If I’m pulling that on scene, I can go back to my desk, open this up, and start doing preservation orders that day. I’m not worried about having to wait for this information to come back five days later. Maybe I missed it. Maybe stuff had been gone in and deleted. This gives me access that day to accounts they may have, child exploitation file sharing sites or photo sites. You’re working some type of financial case or drug case; what banks are they logging into? What cryptocurrency accounts have they logged into and saved their credentials? Just think of all the different sites you go to that require a username and password. And if you’re saving it into the browser, this is going to get it. So good information.

What you can also do, like I said, you can share this information. So if I am in here, I could import a profile. I’m going to come in here on my desktop. I have a couple, and I am going to import one. I’m going to come in, and I’m going to import another. So what were those? Well, one of them was designed to do specific triage, right? Just grab specific information from me on scene, and I’m going to show you that here how that works. And then one was designed just for storage devices to get multimedia off of that. So if you notice, when I’m scanning a machine, it’s not just the device I have, that device. Anything that was attached to it, you saw I had external drives. So now I have a profile that can go out and scan those just for images and videos or keywords, low hanging fruit just to see hey, which one of these may be the one that has the gold on it, if you will.

All right, so I’ve done that. Kind of gave you an overview of these menus. You want to go out in the field, you’re going to prepare a collection key. You have two ways to do it. I will show you both prepared. One is just the captures. So remember a couple minutes ago I showed you how to create your own search profile. All those captures that were checked, that’s what’s going to show up on your key, just the captures. So you can make your choices on scene, not necessarily go out with a search profile that’s already been created. When would I want to use that? I don’t really have a lot of information on this case to put into a customized scan. It’s a missing person, so I’m going to make my decision on what I want to get out of that device when I’m out there on scene. Maybe I’m just going to collect documents, chats, and web browsing history and downloads maybe first, have somebody else start working on that, then do a more comprehensive scan of that computer.

‘Maybe I get out there, and if I start figuring out names and things like that, then I can start deciding what I’m going to do. So it gives you that opportunity. Or, you could pick and choose which profiles you want to bring out. Now here’s the one I customized. Triage Live, and then Quick Triage. So if those are the only two I wanted, I would select those under Collection Key, select the USB device that you want to prepare. Just got to make sure, you can see I have a lot of devices here, I don’t want to prepare the wrong one.

This one has already been prepared before. It’s called Collection Key and it’s my Samsung T7. I know that’s the device I use as my Collection Keys. So I select that, I would hit prepare. It prepares the key. One, it makes it bootable. I can boot two any device and run these scans on it. Or, it can run live on a Windows machine. So let’s get to that. Let me close this down and let me plug in. So I’m on scene. There we go. I have my Samsung that’s been prepared. I am going to plug it into that live machine. It opens up, there’s a start icon on there, pretty simple. I’m going to select start and yes. And here we go. So I am on the target machine. I plug in the USB device. I select start, and this is what comes up. ADF Digital Evidence Investigator. Have the ability to scan this target machine, image this target machine, and create a RAM dump. One click, everybody knows the rules, and it will start collecting that RAM dump to that collection key. It will be a BIN file saved within a 7-Zip. When that’s done, bring that back, use your favorite RAM analysis tool to go through that. You’ll be able to pull that into us and scan it for images or something like that. But we’re not a RAM analysis tool, so you can save that for one of those.

Come in to scan. Now remember, I am on the suspect device. It’s going to come up here. And under Target Devices you can see I have my system drive and everything that’s attached to this computer. Under the system drive I have the operating system drive or the C drive, and in red, probably hard for you to see, it says it is BitLocker encrypted with TPM. It is currently unlocked, meaning I can scan it.

Here’s the first way I could set up my device. I could pick and choose at the time I’m here on what I want to pull out of this device. I know it’s an encrypted drive. I want to pull the BitLocker keys in case something happens, and maybe I want to get the saved credentials. Maybe that’s all I’m looking for. Just spitballing here. But you can see how I could pick and choose just those items. Or if I don’t want, well maybe I do want those, but I also want to go into my multimedia and I want to pick pictures and videos under 500 megabytes in size in the user profile, and then that’s what it’s going to look for. So you could pick and choose here.

What I want to do is close this down for you. I’m going to unplug this one. I have another one that I’ve prepared. You can go out on scene with as many collection keys as you want. Quick story while I’m setting this up. We had a task force go out into a business. They had 70 computers within this business. They had 70 collection keys. They were able to plug them into all the computers, collect RAM, get them started. Whether they were powered off, they booted to them, powered up, collected the RAM, started the scan. One license; that’s all they need to start every one of those. They were running 70 computers at the same time and making decisions that day.

All right, so I plugged in that other collection key that I had set up the other way. Again, plug it in, select start. Tool starts up, scan, image, create RAM dump, one click, everybody knows the rules. Scan computer. Same interface, C drive. And now you can see on here I have specific search profiles that I put on here, specific to maybe my cyber tip; my unique keywords, my hashes, what am I looking for on this computer? So I have one here I called Triage Live. This just goes in, grabs the pictures and videos from the user profiles, the encrypted drive information, the operating system information, child exploitation keywords, USB history downloads, and peer-to-peer. Give it a name and we hit scan. It says here, “Can’t find the license.” This is where you plug in your license.

You can see I plugged in the license and that opened. Once it recognizes the license it just takes a second. Once you see this scan start, I can pull that license out and I can move on to another computer and another device so this can get started. I am running this on this machine, heavily used work computer which is currently doing a broadcast. So it’s being used so not all the potential is there, if you will.

Up on top it is making a listing of every file and folder that’s on that device, so I always have that inventory. You bring it back, you say, “Hey, I seized this computer because I found these 10 images, these six videos, these download histories.” And somebody comes back to you and says, “That’s great. What else did you find?” Here you go. You have the whole inventory. You can export that in CSV and see everything that’s on that device.

This takes about a minute or so to make this inventory. And then you can see what I’ve asked it for. Peer-to-peer files, child exploitation keywords in file names and in the user profile. Child exploitation keywords in file names is low hanging fruit. Any of the search terms, Hussy Fan, PTHC, all your age groups, Lolita, Adventure Island, LS Studios, all that. If it’s in the name, it’s going to collect it right away.

So it ran. I now have my USB history. I’m on scene. I can come in and view my results, show that USB history, and start telling my search team, “Hey, this stuff has been attached to this computer, and it is not currently sitting in front of me. Keep an eye out for it.” I’ve got the recent files user accounts. So now I have the user accounts, I can see that information as well. I have some peer-to-peer traces showing up. Let me explain a couple of the things that I’m collecting here and why. Why is this my triage go-to? There’s the Save Credentials, 3,400 passwords, usernames and passwords collected, right? That’s huge. I just got my encrypted drive by operating system information.

Download history; so download history, recent files, and the pictures and videos that I collect. As it’s collecting these files, and these files have names, so picture 1, 2, 3, 4, collects it. It now looks for picture 1, 2, 3, 4 in the download history, the recent files, in the peer-to-peer, in messaging and in emails, and in browser cache. So there’s six different artifacts that it’ll look for. And if it finds it, it will link it for you. So by the time this scan is done, if I click on a picture, I’ll be able to see, has it been downloaded? Is there a recent file entry? Did it come from peer-to-peer? Did it come from email? So I could make decisions quicker without having to do that analysis right away. So saving time, linking the user activities to the files. We’re doing that in the background here.

One of the things you’ll notice up on top if you were watching, it found an iTunes backup and it scanned through that as well. So if you have a Pro version, it will look for those and parse those out when you’re scanning as well.

Once all those artifacts are done, it will go through and start collecting the files again. Here it is looking for keywords in the file names. It found 21, so low hanging fruit there, and keywords in the user profile. And then now you can see pictures and videos under 500, and it’s up to 2,800 pictures have been collected. I can come in. Now it’s still scanning. I’m looking at the results here while it’s scanning. So as you’re in here I can refresh my view. If I see what I want, like I said, I can stop this at any time and move on.

So let this update. Now if you recall, too, I said it could be used in intelligence. So I’m on scene, I have time, I don’t have much time. And when you customize it, you can customize it towards the user profiles and the information you want first, and then go out farther and scan the rest of the system. So you can target and then get general in your scans.

I am sitting here and I’m like, “All right, I don’t have any more time, I have to go,” you can just shut this down, or you can just pull the key right out and it will not corrupt. You could run out the door with the key and have no issues with it. This will close down automatically and you can move on. So that is how you run it out on scene.

Again quick, I want to get into the mobile here in a second. Just going to show you what happens when you bring this back to the lab now. Now I could have analyzed that on scene a little bit. I could go through and I could tag and sort and filter when it’s done. But when I come back I can plug this in. Now this is the key I just unplugged on scene. It was in the middle of running. So it’s saying here, “Hey, you have scan results. They’re on here. Do you want to back them up?” And I can back these up here, or I can just come in and review the scan results. So here’s my results up on top, and I can go through and look at those as well.

So there it is. It ran for four minutes and collected all that information. Let’s close that up. No, we’re going to keep this open. All right. So Digital Evidence Investigator Pro computer side of it, you could run it on scene. A lot of different things you could do. High overview. In the lab, image files. Anything you can get attached to a right blocker. You can boot to a computer, so Surface Pros, Lenovo Yogas, anything that maybe have something married to the hard drive where it’s hard to get it out, you can boot to it, you could scan it, you can image it. So boot tool, live tool, and remote for Macs.

Let’s get into mobile. We’re a little bit more than halfway through the webinar. Mobile goes pretty quick here. A lot to show you. Let me plug my license back in here, and let me disconnect the drive and start going towards my phones. All right, on the mobile side, scan; it’s the same as the computer side. I go into scan. So this is from my tablet, from my laptop, from my forensic machine. You can see I have an Apple device and a Google device connected. You may also see there on the bottom it shows a folder. The bottom is your basic Windows MTP connection, just multimedia. So when you first connect it, you’re going to see these folders pop up. When you get it properly connected as a device, you’re going to see it show up as a device. You only need to select the device. It will get the images through that MTP connection.

Why here and where does that really help you out to? Well, if you have something else like a GoPro or some type of device that connects with MTP, maybe a feature phone that we might not get artifacts off of it, but we may be able to get the multimedia off of those flip phones. They connect with MTP, you’ll see it as a folder, you can pull off the media.

All right, so scan. You can connect the device, pick a search profile. They have to be one of the mobile ones. The computer ones will not work on a mobile device. You want to select, make sure it says mobile. Or if you’re customizing it, designate it as a mobile search profile. Give it a name, you’re going to hit scan. And here’s one of the nice things. We are logical, Android, and iOS. We’re not rooting, we’re not jailbreaking, we’re not breaking any security on this device other than all the standard protocols we can throw at this to try to get as much information off as we can in that manner.

With that being said, it’s logical. So you may not get everything that’s on that phone, right? It’s well-known. Physical, you should probably get everything that’s on there. Logical, you may not be getting things like WhatsApp, things like Kick. Depending on the OS and the versions depends on whether it’s going to be on there or not. So we give you the ability to screen record and screenshot any of those items you may not get. You can see here if I want it to open up Kick, and I can start screenshotting anything that comes up there.

Once that’s done, I hit continue and it goes into the logical acquisition phase of this device. Remember, this is scan. It’s all in one. Connect the device, pick a profile, give it a name, do your screenshots and screen recordings, do your logical acquisition. And then once the logical acquisition is done, it will automatically start parsing that information out. So connect it, make your choices. Once it’s to this point, you can walk away and let it run. What you’ll see here is it’s doing the encrypted ADB backup. So we encrypt it, decrypt it, so we get more information off the device. We do it both on Android and iOS.

When that is done, we put on the backup agent, nice agent goes up, starts collecting all the other information that the ADB backup didn’t get and is available without breaking security. So now that agent, we’re going to get a lot better speeds out of it. You can see here it went from 47 megabytes and it’s flying up to about 600, 700 megabytes on this phone, just a little demo phone. There we go. 689 megabytes and now that is done. Device can be detached, given back, put back in evidence, whatever you do. And now it’s going through and parsing out that information.

Same as computer; listing of every file and folder that is in that logical acquisition. Any artifacts that I asked it to parse out, any keywords, it’s going to collect files, it’s going to run hashes. You’re going to get a sampling of what’s being collected above. And you can hide that. If you’re doing knock and talks or previews, that pane up on top can be hidden so those around you can’t see what’s being collected. Or even if you’re in your office and it’s a secure office and you’re doing a sensitive case, somebody walks in that’s not used to seeing that type of stuff, you can hide that from view as well. Again, you can go in and view your results while it’s scanning and you can stop it at any time. We are going to stop this and I’m going to go back here.

All right, so that was scan. Acquire, it’s same principle. You’re just going to make the acquisition, the screenshot, screen recordings. And then once that acquisition is done, you go back into scan and you add the backup, ADF acquisition. You add that here. It’ll show up below as the device that you acquired. Now we are not physical. Again, logical Android iOS, but we can ingest the GrayKey or UFED acquisition and scan those as well. If you have those and you’re looking to customize and get specific information out of there quick without having to do a whole scan, you could do that here as well. So we help you out there.

All right, back to investigate mobile devices. Scan, acquire, screenshot. I’m going to get into in a minute. Preview; on scene, you have a mobile device and you want to go through it and see if this is the mobile device. Just like with computers, you’re going to probably have, everybody’s going to have a phone when you get on scene. Mom, dad, or target, spouse, kids, grandma, grandma’s pink, iPad, all these things. Do you want to bring them all back, or just the ones that have the information you’re looking for?

I’m just going to go to this Android, I’m going to hit proceed. So same process. We’re attaching the phone, we’re starting to do the acquisition, but the difference here is we’re presenting it in real time. So we’re parsing it out in real time. As the items are collected, you could see with Android, I got some artifacts upfront. iOS is more heavy on a multimedia upfront. So you’ll get some artifacts here, but again, it’s collecting media on top.

So right now it’s up to about 600 files collected. However, if I go into my gallery, it’s identified 2,948 images on this device already. Thumbnails are being made. Most recent are on top. Again, if we’re doing dog cases, you could see I have some most recent pictures. If that’s all I need to see, I can stop. Everything I’ve collected up to this point is saved and I could bring it back and make my report on this.

It is filterable. If you are looking for specifics, if you know specifics and you want to filter down to that information, you can. You’re going to get the metadata associated with it. And if the preview opens, it means it’s been collected.

Video. It’s identified seven videos on here already. Now that I’ve been here, it understands that I’m looking at the videos, it’s going to start working with it. I can collect frames. I can. It does collect frames, 50 of them. First frame, last frame, 48 from in between. Give you a pretty good idea of what’s in each video without having to play it, but if there is something you’re not sure about, you can go to preview. If this opens and you can play it means it’s been collected from the device into your case already.

So remember this is preview. We looked at this instantly. So pretty easy to get through. I saw what I wanted. I could stop this, close the preview window. It brings me back to my main menu. If I go into review scan results, there’s my preview that I just did, I can now come in. Two minutes and 11 seconds, it collected 1400 files, these artifacts, I can go into my pictures. There they are. Brings me right back to where I was. And like I said, I can start tagging, bookmarking, filtering, and reporting. Reporting I didn’t go over yet, but we have HTML. We have PDF. We have CSV. VIX format, so we can ingest and run VIX hashes. You can also export in that format as well.

And then we have the standalone viewer, which is everything that you’ve collected in the case saved into the analysis portion of our tool that you could hand off to somebody else. They don’t need a license. So they can go through, tag, sort, filter, do whatever they need, do the whole analysis on it. They can also create a report from that standalone viewer.

When you’re creating reports, we also give you one button sanitize. If you wanted to remove any traces of thumbnails, original files, or pictures, it will sanitize the report and just give you all the properties for those. So doing those child’s exploitation cases, one button to sanitize.

Screen recording, screenshots. All right, so here we go. Apple iPhone 14 Pro Max we can do, and I also have the Google Pixel. I’m going to start with the Pixel and I’m going to do the Apple as well; I want to show you the differences. As you come in here, you can see the screen here. So think victim witness consent. I’m willing to give you A, B and C, but you’re not walking away with my phone. You are not going to take my phone for five hours, but I am willing to give you the information on here. They could sit right next to you. The phone is right here. So the phone could sit in between you. They could even, if you’re comfortable enough, and this is what you need to do to get them to give you the information, say, “Hey, we’re going to sit right here. You show me where the information is and I’ll record it here on the screen.” They can see everything that you’re capturing. “Hey, I just want to document what’s on your phone. So I’m going to hit the screenshot button and there it is.”

I have the main screen. Swipe over one, let me take that. And I can categorize these on the bottom. I’m just going to go back and I can say home screen, take that home screen, go back, get that one. I’m going to get that one. I can swipe over, maybe get the news, whatever’s on that page, and that’s it. I can swipe up and get my library, Make sure that I have all the apps that are on the device showing here. And they’re all named home screen.

Maybe your victim’s saying, “Okay, you can have my Kick chats. That’s where the suspect is.” So I’m going to name a new group Kick, and on the phone we’re going to go to the Kick app. You can already see it here. Now one of the things with this interface is too, if you’re on a touchscreen, you can control the phone from the user interface as well. I’m doing it with the mouse right now going back and forth. And with a touchscreen, you can do it with the touchscreen or on the device itself.

So I’m going to open up Kick. I already got it named Kick. I can make comments, take a screenshot of my landing page. Now this second person down is the one that I’m interested in. So if I open that up, I’m at the bottom of the chat. Now maybe I want to get his information. So if I click on that, I can make a comment, user profile and name. That’s the name I would need for legal process. I double clicked on that, or did I? No I didn’t. So now I have that information. I can go back. Again, I’m at the bottom of the chat. Android gives us the scroll feature, so I can hit the scroll button and it’s going to page its way up and get every screenshot on there and then save it over here. So you can see over to the right, I now have seven pages of information saved.

You can record. There’s a couple ways to use that. I’m going to close this out here and bring up my library. Go to photos. So let’s say there’s a video I want to play. I can turn on my recording and open the video and play it. If you could bring it up on the screen, you can screenshot it. So let it play. And then when I’m done, I can stop it, close it. Or I can record my whole session. Victim witness consent. You say, “Hey, do you mind if I record everything we do on the phone so when it gets to court we can see that we didn’t do anything funny?” And you also get to see where they navigate and how they’re navigating the phone. But just record turns it on and then turns it off and it saves it over here to the right.

When you’re done, you have two options. I could finish or I can acquire. Acquire would add all these to a logical acquisition and then you go scan it later. Or if you finish, it saves it as that acquisition. Where did they go? So you go back to scan, you add your acquisition here, navigate to where you saved it. It saves as an acquisition like I said. And then you scan it with mobile devices, screenshot profile. And here’s what it looks like when you’re done.

So screen recordings and screenshots. I took 16 of them. Date and time that I did it. Search profile I used to process it. How long it took, version of the tool I used. Did I tag anything? And the target device all goes towards chain of custody. Here’s my home screens, here’s my Kick chats. This one, I actually recorded the password screen. I let it sign out and then I signed back in and recorded the session. So this is what a recording would look like within your case.

And then Wickr. So I didn’t show it on there, but we have Wickr. Wickr doesn’t allow you to screenshot on the screen itself if it’s set that way, but we had it set and you can actually see, I think in here. Yeah, up on top it says, “Couldn’t save screenshot.” That’s when we tried it with the phone just to show that you can’t do it. But with our tool, there you go, you got the screenshot.

Now one thing we do is we run optical character recognition against these as well. I can go to my search. Here I can type in John. My Smoking Gun said, “Hey John, what’s up? It’s Lex.” I’m going to search for that name John. And there it is. “Hey John, what’s up? It’s Lex. Thanks for the dog picks.” Optical character recognition, pulled the text out, search the text. It was also the seventh out of seven scrolls, right? So seven pages. So it found the exact page it was on as well. Talking about pages, if I want to see everything in view, I can also do that as well as well. In preview, I can view individually.

Properties, date and time, device it was taken from, hash value, all goes towards that chain of custody and showing that this has not been manipulated from the date and time that you took it. And reporting, you can report on this, again, HTML, PDF, standalone view, or hand it off to somebody else.

We’ve kind of gone through everything there. A couple things I want to show you. I’m going to go back to computers for one second. When you’re doing a scan and you are running hashes and you’re running keywords and you’re coming across numerous files, so there’s 6,876 photos that were gathered in this scan. That’s not a lot. I know I’ve had millions of images, right? But think is that as millions. When you come into your gallery, all your matches, your keyword matches and your hash matches are brought to the top, and this little red magnifying glass is in the upper right-hand corner showing you that that is a match. And the ones that were automatically tagged, you can do that as well. If I bring in hashes, I say, “If you find it, tag it.” Project VIC will automatically do that based on category. So you can see here, everything is up on top. During my scan I can see I have what I want. These are the ones I was looking for. These are the ones that match the uniqueness of my case. Same with keywords in that case.

But another one I want to show you here, this is an iPhone. It took 25 minutes to make the logical acquisition, and that was on a computer that only had 8 gigs of RAM, so good times. Twenty-five minutes to make the acquisition, another hour to parse everything out of it. So you’re talking an hour and 35 minutes of processing time for this device. That’s fine. That’s still quick. But let’s say you’re on a critical case, early case assessment triage, right? So I’d made the 25 minutes, I’m okay with that. So instead of scanning it all out, I can just scan that for the information I want. Calls, messages, save contacts, right? That’s what I’m looking for. Maybe it’s a missing person, some other kind of case where I’m trying to find somebody. So 25 minutes to make the acquisition, 30 seconds to parse out this information, probably another 30 seconds to put it in a standalone viewer and hand it off to somebody else. So within a minute to two minutes I can have somebody working on this information once that is done. So customization really helps you in that way.

We have classifiers. You can see here we have vehicles, weapons, currency, all your different pornography, bestiality, child abuse, portraits. So we have classifiers. We also have age detection that runs. These are all post-scan. So this is filtered by age group. You can see out of the 24,000 images on here, I’m down to 4,400 images, and most of these have a child in it, foreground, background, pretty good at going through and doing that, helping you weed through your cases. So you put in your age group detection, your classification along with your hashes and your keywords, and you could really filter this down and get through your information fast.

We also have, for using this, we have a token server. So if you have multiple users spread out, you can run this through the token server, download licenses. We have audit trail which show you how your users are using that license. And we also have a cloud-based case review coming out soon. So lots of things to do, lots of ways to use it. High level overview still took me about an hour to go through, but it was hopefully a lot of good information, show you how it can be used out in the field. Hopefully you were thinking around the same way, as like, “Oh yeah, that would be good here. That would be good there.” Again, you could set it to be very, very quick and say, “Show me these images, and that’s it. Or give me a little bit more information. Let me work my case when I get back to my desk.”

Or you’re an in-between; you always use a lab, but you want to keep the case going. You can grab as much information off of that, and most of the time put that case to bed. Because it’s going to get pled out. It’s never going to go. You can still send the computer up, the computer’s going to get it. But now you may have closed that case by the time you get the computer back, which is something you weren’t doing before.

Thank you. Rfrawley@adfsolutions.com. TryADF here. If you would like a version of it, give it a call, give me a call, send me an email, let’s have a conversation. We’ll get you hooked up with an account executive. We’ll set you up with a further demo into further into what you are specifically looking for. Support second to none, evaluations are fully functional. Support 100%. Give us a ring and have a great day. Thank you very much.

Leave a Comment