image/video review investigations

Next issue I'd like to hear about from the experts in terms of cases whereby you suspect inappropriate images or videos on a PC - is how do you narrow down likely possibilities?

Say you have a naughty employee who you suspect of viewing porn vids and images on his/her work PC - I've just imaged my own PC and there are over 40k images listed. Do you manually audit each visually - or do you use any sort of tool to cut down those that may be "inappropriate"? If so can you detail the process for "cutting those that need reviewing down" to a manageable number?

Same for video clips - how do you cut those down to those likely to be inappropriate? Any tool for this, or strategy for this?

Do you run keyword searches in such investigations - if so can you share a list? How does a keyword search help identify inappropriate images/vids on a PC?

It's a shame you can't cut out known and ok'd system images that you can discard from a search of a PC, like "these come with this OS, or this software package - they haven't been changed - therefore you are ok to cut these out of your search" - none will be inappropriate.
pma111 Asked:

ChopOMatic Commented:
Hi again, PMA...

I'm buried in casework this week so please pardon my brief entries here.

First:  You can download (for free) the NSRL hash sets of a bazillion "known" files:

http://www.nsrl.nist.gov/Downloads.htm

They even have a direct download now for EnCase format so you don't have to do any conversion. This will let you filter out these files quickly.

As for image review, sometimes an image can be so critical that nothing but a manual review will do IMHO. In more routine issues, like checking an employee's machine for porn, it's possible to streamline the process with some tools. My favorite tools for stuff like this are, first, X-Ways, because it has a built-in function that will calculate the percentage of typical skin tones present in pictures and let you filter and sort on that percentage. The second tool is called "Visual Similarity Duplicate Image Finder." (Yeah, a long name!)

http://www.mindgems.com/products/VS-Duplicate-Image-Finder/VSDIF-About.htm

If you don't have X-Ways, there are other tools out there that will calculate skin tone percentage and even run some other algorithms to identify likely porn. Can't think of any of them off the top of my head, tho.

0
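The known-file filtering described in the answer above (and asked for in the question: set aside files that shipped with the OS or a software package and are unchanged), as an added example that is not part of the original posts and is not EnCase, X-Ways or NSRL tooling. It assumes the image is mounted read-only as a directory tree and that the hash set is a CSV with a `SHA-1` column, as in the legacy NSRL RDS `NSRLFile.txt` layout; every file name and hash-set row in it is constructed.

```python
import csv
import hashlib
import io
import os
import tempfile

# Column layout of the legacy NSRL RDS "NSRLFile.txt" (assumed input format).
NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'

def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks so large videos do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def load_known(nsrl_text):
    """Return the set of SHA-1 values listed in an NSRL-style CSV."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(nsrl_text))}

def files_to_review(root, known):
    """Map SHA-1 -> relative paths of files NOT in the known set; one group per distinct content."""
    review = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha1_file(path)
            if digest not in known:  # match is on content, never on file name
                review.setdefault(digest, []).append(os.path.relpath(path, root))
    return review

def demo():
    """Constructed evidence tree: a stock file (twice), a user picture (twice), one clip."""
    stock = b"constructed stock wallpaper bytes"
    samples = {"img0.jpg": stock, "Users/a/img0_copy.jpg": stock, "Users/a/clip.avi": b"user clip",
               "Users/a/holiday.jpg": b"user picture", "Users/a/holiday_copy.jpg": b"user picture"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        row = '"%s","","","img0.jpg",%d,0,"",""' % (hashlib.sha1(stock).hexdigest().upper(), len(stock))
        groups = files_to_review(root, load_known(NSRL_HEADER + "\n" + row + "\n"))
        return sorted(sorted(os.path.basename(p) for p in v) for v in groups.values())

if __name__ == "__main__":
    print(demo())  # five files on disk, two distinct items left to review
```

Because the match is on content hash, a renamed copy of a stock file is still filtered out, and a file that merely carries a stock name but has different content stays in the review set.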

pma111 (Author) Commented:
No need to apologise I am learning a lot and enjoying your replies.

Re the hash sets, would you be so kind to share any "How to" notes how to filter out the known good files in an E01 image ready for a search.

Aside from that, do you have any other techniques you use to limit which files to search for? I assume a full disk (i.e. tick everything) search is probably needlessly adding to the search time and false hits, but it would be interesting apart from ruling out known good files with hash sets, as to how you guys go about "limiting useful searchable files".
0
pma111 (Author) Commented:
I assume x-ways is a paid tool?

re

>>If you don't have X-Ways, there are other tools out there that will calculate skin tone percentage and even run some other algorithms to identify likely porn. Can't think of any of them off the top of my head, tho.

Any freebies that can do this?
0

pma111 (Author) Commented:
Also your feedback on:

Same for video clips - how do you cut those down to those likely to be inappropriate? Any tool for this, or strategy for this?

Do you run keyword searches in such investigations - if so can you share a list? How does a keyword search help identify inappropriate images/vids on a PC?



most welcome
0
aleghart Commented:
OSForensics (from PassMark) has hash sets for some Windows OS and office applications, as well as other useful tables.

They also import the NSRL lists, ~10GB after they're decompressed and imported.


0
ChopOMatic Commented:
Yes, XWF (X-Ways Forensic) is a commercial tool. Less than half the other two majors but still $1500. And it's also one of my fave tools for dealing with video because it lets me extract frames from all video files it encounters, and it lets me define that interval. I know there are a ton of freebies or cheapies out there that will do this, though.

As for keywords, I typically don't use them much when it comes to images, unless they're the type of images I OCR and then search the OCR'd text. I know there are indeed keyword lists out there that police use when doing child porn cases, because that sickening culture has its own language and code words that help the investigators locate web history, etc.

As for an EnCase walkthrough,..hoo-boy...how much have you used it? Do you have a really clear and solid understanding of what green-plating and blue-ticking are used for?
0
pma111 (Author) Commented:
Thanks again ChopOMatic

I just mean a walkthrough on how to utilise the hashsets you provided to limit searches in EnCase, not an EnCase demo on the whole. Is it an easy task? To say:

Here is a hash set of known good file
Cut this out of all future searches
Just search the unknown files?

I couldn't find much via Google or forensics forums on how to achieve the above, I would have hoped it's a relatively simple process?

As for how much have I used it, a limited amount, I have training booked, just going on my predecessor's notes but it isn't so hard to navigate, search, acquire etc. I have a decent understanding of Windows OS but do like to learn more.

Your input onto this thread most welcome also if you have a spare 5 to answer:

http://www.experts-exchange.com/Security/Digital_Forensics/Q_27491411.html

Thanks again
0
pma111 (Author) Commented:
Thanks aleghart, appreciate the reply.
0
pma111 (Author) Commented:
Also your feedback on:

Same for video clips - how do you cut those down to those likely to be inappropriate? Any tool for this, or strategy for this?

Do you run keyword searches in such investigations - if so can you share a list? How does a keyword search help identify inappropriate images/vids on a PC?
0