SANS Digital Forensics and Incident Response Blog

Digital Forensics: Too Much Porn, Too Little Time

I recently had a case where one of the requirements was to determine if the PC had been used to view and/or download pornographic images from the Internet. First let me say that in my view the only party that can ultimately determine if an image is pornographic is the court. That being said, we agreed at the onset of the investigation that any image clearly showing sexual organs would be the definition we would use in deciding whether a particular image met the client's definition of a pornographic image.

Processing the case with FTK 3.12, both collecting images in allocated space and carving for images in unallocated space, revealed well over 60,000 images. The client needed an answer quickly, so manually reviewing and classifying that many images was not an option: even a quick 5-second look at each image would burn about 2 weeks of labor. The process needed to be automated, and sooner rather than later. I had heard AccessData had an optional module called "Explicit Image Detector" (EID) and decided to give it a try. I contacted my sales rep and purchased a one-year license for around $800; my license file was updated and it was then just a matter of updating my FTK dongle.

To add EID processing to the already processed image it was simply a matter of:

Click Evidence > Add/Remove Evidence…

In the detailed options > Evidence Processing, turn on File Signature Analysis.

Select Explicit Image Detection. I selected the X-DFT (default) option as well as the X-ZFN (more accurate) option:

Figure 1: EID Options

As I was at the end of the day I decided to simply let the process run overnight. The following morning it was complete, and the case log showed the processing took approximately 6 hours. The images were now loaded into the case along with their respective EID classification labels. A quick cursory view of the images showed that requiring an X-ZFN score above 90 eliminated most false positives. A filter (see Figure 2) was constructed to select only those images that were members of X-ZFN with a score above 90.

Figure 2: EID Filter

This brought the total number of suspect images from 60,000 down to 6,000, just 1/10 of the total and a much more manageable task. It is important to remember that EID works on flesh tones, so any image with a high proportion of flesh tones, whether a basic portrait or a pornographic image, is detected as meeting the EID threshold; a manual review was therefore still necessary. Using the above filter set at a score greater than 90, viewing the images in the FTK thumbnail viewer, checking Select All and then deselecting any images that did not meet the client's definition of a pornographic image took about 6 hours and brought the number of images to be presented down to 4,886.
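The cut-off of "X-ZFN above 90" and the false-positive caveat above are the kind of decision a reviewer may later have to justify. The following is an added example, not code from the original post or from AccessData/FTK: given an export of per-image scores (the 0-100 X-ZFN-style column is assumed) together with the reviewer's final verdicts, it sweeps candidate thresholds and counts how many images each one sends to manual review, how many flesh-tone false positives it lets through, and how many relevant images it would hide. The sample records are constructed.

```python
"""Threshold sweep for image-classifier triage scores.

Added example, not from the original post or from FTK/EID. Assumes an
export with one classifier score per image (0-100, X-ZFN-style) plus the
reviewer's decision from the manual pass.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRecord:
    name: str        # file name or carved-object label
    score: int       # classifier score, 0-100 (constructed X-ZFN-style value)
    relevant: bool   # reviewer's verdict under the client's definition


# Constructed sample records. High-scoring portraits model the flesh-tone
# false positives the post describes; a relevant image scoring 88 models
# what a hard "> 90" cut-off hides from the reviewer.
SAMPLE = [
    ImageRecord("img001.jpg", 98, True),
    ImageRecord("img002.jpg", 95, True),
    ImageRecord("img003.jpg", 93, False),   # portrait: flesh tones, not relevant
    ImageRecord("img004.jpg", 91, True),
    ImageRecord("img005.jpg", 90, False),
    ImageRecord("img006.jpg", 88, True),    # missed when the cut-off is > 90
    ImageRecord("img007.jpg", 72, False),
    ImageRecord("img008.jpg", 40, False),
    ImageRecord("img009.jpg", 12, False),
    ImageRecord("carved_0001", 97, False),  # skin-toned carved fragment
]


def select(records, threshold):
    """Images that go to manual review: score strictly above the cut-off."""
    return [r for r in records if r.score > threshold]


def confusion(records, threshold):
    """Outcome of a cut-off measured against the reviewer's verdicts."""
    tp = sum(1 for r in records if r.score > threshold and r.relevant)
    fp = sum(1 for r in records if r.score > threshold and not r.relevant)
    fn = sum(1 for r in records if r.score <= threshold and r.relevant)
    return {"reviewed": tp + fp, "true_pos": tp, "false_pos": fp, "false_neg": fn}


def sweep(records, thresholds=range(50, 100, 10)):
    """Confusion counts for each candidate cut-off, to document the choice."""
    return {t: confusion(records, t) for t in thresholds}


def review_hours(n_images, seconds_each=5):
    """Manual-review effort at the post's rate of about 5 seconds per image."""
    return n_images * seconds_each / 3600
```

Feeding the sweep the full export lets you show the client both the workload saved at each cut-off and how many reviewer-confirmed images a higher cut-off would have dropped.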

The images were bookmarked along with the balance of the evidence relevant to the client's request, and a report was generated and burned to DVD for submission to the client. Using EID not only prevented impact on other cases in my current workload, it also saved the client roughly 60 or more hours of billable time that would easily have been spent had the images been processed manually.

5 Comments

Posted September 13, 2010 at 3:06 PM | Permalink | Reply

Joël Gomez

Hi everyone,
very interesting option, but if the question is only on "view and download porn images", why do you want to view all images?
You can select some images and write in your report:
ok for view and download, and extract some of them.
Cheers

Posted September 13, 2010 at 4:38 PM | Permalink | Reply

Alex Bond

It seems that it saved you a lot of time, great! I wonder how many false negatives you got with that X-ZFN score. When you were looking for this software, did you see any advertised software that would do similar for video? There are so many streaming movie sites and downloadable movies that something like that would be useful.

Posted September 15, 2010 at 2:34 PM | Permalink | Reply

Paul Henry

Joel
Grabbing a few images in some instances may be enough; however, I always prefer to simply do a more thorough analysis. It is more work but can eliminate doubt.
Paul

Posted September 15, 2010 at 2:39 PM | Permalink | Reply

Paul Henry

Alex
I saw surprisingly few false negatives for the case I ran it on. I had heard about the EID option for FTK and did not research other offerings as it was the first one I tried and it got the job done. Agree that a product with this capability that could handle streaming video would be a huge help for the community.
Best,
Paul

Posted October 15, 2010 at 1:59 PM | Permalink | Reply

K Murphy

My image data carver processor would have been perfect for what you needed. You could have reviewed all 60,000 images in less than 30 minutes after the script finished processing the images.
Website for the tool:
http://www.citadelsystems.net/index.php/forensics-tools/34-data-carver/59-data-carver-processor-images
K Murphy