Graphic Image File Evidence Identification

It is unfortunate that the Internet has become a haven for pedophiles and distributors of pornography. The viewing of pornography on corporate and government computers has also become a serious problem in the workplace. Thus, many law enforcement computer crime resources and corporate investigation resources are devoted to this growing problem. A traditional computer forensics approach would be to identify and view graphic image files and previously deleted graphic image files one at a time. This type of review is time-consuming and inefficient. However, hundreds of law enforcement computer crime specialists have done it this way for years.

It is possible to manually review all files on the computer using GUI visualization tools, but that is extremely time-consuming. If the case involves just one category of computer files, i.e., GIF, BMP and JPG files, it makes no sense to review the contents of the entire computer hard disk drive.

NTI's Graphics File Extractor software can be used to identify essentially all Internet-related graphic image files contained on a specific computer hard disk drive when a Bit Stream Backup of the subject hard disk drive has been made with NTI's SafeBack 3.0 software. These backup files (when stored on a computer hard disk drive) can quickly be evaluated using Graphics File Extractor software, and essentially all of the GIF, BMP and JPG files will be extracted and reconstructed for review. This process takes a few hours, but it is automatic and, when compared to the alternative of a manual review, it is much more accurate and efficient.
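
The general idea of pulling GIF, BMP and JPG files out of a bit stream image can be illustrated with signature-based carving. This is an added example, not NTI's code and not a description of how Graphics File Extractor works internally. It assumes the input is a raw byte-for-byte image already loaded into memory (not SafeBack's own backup file format) and that files are stored contiguously; all names and the sample buffer are constructed for illustration.

```python
import re
import struct

SIG = re.compile(rb"\xff\xd8\xff|GIF8[79]a|BM")   # JPEG SOI, GIF header, BMP magic
MAX_SIZE = 20 * 1024 * 1024                       # assumed cap on one carved file


def carve_images(data, max_size=MAX_SIZE):
    """Return [(offset, kind, bytes)] for candidate images in a raw disk image."""
    # Fragmented files come out truncated or corrupt and need manual follow-up.
    found, pos = [], 0
    while (m := SIG.search(data, pos)) is not None:
        start, magic, end = m.start(), m.group(), None
        if magic == b"BM":
            kind = "bmp"
            if start + 14 <= len(data):
                # BMP header: file size, reserved (zero), pixel-data offset
                size, reserved, pix_off = struct.unpack_from("<III", data, start + 2)
                valid = reserved == 0 and 14 < pix_off < size <= max_size
                if valid and start + size <= len(data):
                    end = start + size
        else:
            # Heuristic footers: JPEG EOI marker, or GIF block terminator + trailer.
            # The first hit may belong to an embedded thumbnail, so view the output.
            kind, footer = ("jpg", b"\xff\xd9") if magic[0] == 0xFF else ("gif", b"\x00\x3b")
            idx = data.find(footer, m.end(), start + max_size)
            if idx != -1:
                end = idx + len(footer)
        if end is None:
            pos = start + 1          # false hit (e.g. the letters "BM" in text)
            continue
        found.append((start, kind, data[start:end]))
        pos = end
    return found


def sample_image():
    """Constructed test buffer standing in for a raw sector dump."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
    gif = b"GIF89a" + b"pixels" + b"\x00\x3b"
    bmp = b"BM" + struct.pack("<III", 30, 0, 26) + b"\x11" * 16
    pad = b"\x00" * 16
    return pad + jpg + pad + b"BM" + b"\xff" * 12 + pad + gif + pad + bmp + pad


if __name__ == "__main__":
    for offset, kind, blob in carve_images(sample_image()):
        print(f"{offset:#06x} {kind} {len(blob)} bytes")
```

Because carving works on raw bytes rather than the file system, it also picks up images in deleted or unallocated space, and it produces false hits that only a visual review of the output can rule out.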

The output from Graphics File Extractor software can be quickly reviewed using a graphic image viewer like Firehand Ember, which NTI recommends. It is inexpensive and it works well.

This technique can save many tedious hours of analysis, and most of the process is automated through the use of SafeBack 3.0, Graphics File Extractor and Firehand Ember software.

Be aware that this is a leads identification technique and the findings are not evidence of wrongdoing. Also, the finding of a few inappropriate graphic image files on a specific computer may have no relevance because of the possibility that one or more URLs were unintentionally accessed on the Internet by the computer user. Thus, the output from Graphics File Extractor software should be treated as a source of investigative leads rather than conclusive evidence of wrongdoing. The leads can become evidence after the graphic image files are evaluated by the forensics investigator and after the leads have been corroborated through interviews and a more detailed examination of the computer evidence in the case.




Copyright © 2004 by New Technologies Armor, Inc. January 22, 2004