Digital Forensics: Too Much Porn, Too Little Time

I recently had a case where one of the requirements was to determine if the PC had been used to view and/or download pornographic images from the Internet. First, let me say that in my view the only party that can ultimately determine if an image is pornographic is the court. That being said, we agreed at the onset of the investigation that any image that clearly showed sexual organs would be treated as meeting the client's definition of a pornographic image.

Processing the case with FTK 3.12, both collecting images in allocated space and carving for images in unallocated space, revealed well over 60,000 images. The client needed an answer quickly, hence manually reviewing and classifying the large number of images was not an option. If you simply did a quick view of each image for just 5 seconds, you would burn about 2 weeks of labor. The process needed to be automated, and sooner rather than later. I had heard AccessData had an optional module called "Explicit Image Detector" (EID) and decided to give it a try. I contacted my sales rep and purchased a one-year license for around $800; my license file was updated, and it was then just a matter of updating my FTK dongle.

To add EID processing to the already processed image it was simply a matter of:

Click Evidence > Add/Remove Evidence...

In the detailed options > Evidence processing, turn on File Signature Analysis

Select Explicit Image Detection > I selected the X-DFT (default) option as well as the X-ZFN (more accurate) options:

Figure 1 EID Options

As it was the end of the day, I decided to simply let the process run overnight. The following morning it was complete, and looking at the case log, the processing took approximately 6 hours. With the images now loaded into the case along with their respective EID classification labels, a quick cursory view of the images showed that an X-ZFN score above 90 eliminated most false positives. A filter (see Figure 2) was constructed to select only those images that were members of X-ZFN with a score above 90.

Figure 2 EID Filter

This brought the total number of suspect images from 60,000 down to 6,000, just 1/10 of the total number of images and a much more manageable task. It is important to remember that EID works using flesh tones; hence any image with a high level of flesh tones, whether a basic portrait or a pornographic image, is detected as meeting the EID threshold, and a manual review was still necessary. Using the above filter set at a score of greater than 90, then viewing the images with the FTK thumbnail viewer, checking select all, and deselecting any images that did not meet the definition of pornographic images as defined by the client took about 6 hours and brought the number of images to be presented down to 4,886.

The images were bookmarked along with the balance of the evidence relative to the client's request and a report was generated and burned to DVD for submission to the client. Using EID not only prevented impact on other cases due to my current workload, it also saved the client roughly 60 or more hours of billable time that would have easily been spent had the images been only manually processed.

