BChaseAZ wrote:
I have a hard drive created by LE, which is made up of everything they collected. It's not a hard drive image, rather just an external drive where they dumped all of their data. So I can't filter by folders, users, access dates, etc.
The problem I have is I don't know what is relevant. It is not a CP case. Some relevant pictures may have people, others may show items, but we don't really know what we are going to find that is useful.
The attorney really want to filter down the list of images into something more manageable, because he needs to be able to go through them.
This is a bit outside "common" forensics "standards", then, it is more like re-organizing a "mixed/shuffled" archive.
BTW (and as a side note) I believe that (at least in many countries) the LE/Prosecution has to provide to the defense the actual unmodified hard disk images and not a bunch of files copied to a hard disk.
If the images have been copied maintaining date/time of the original filesystem, dividing them in folders by date would make a lot of sense.
As well IF the images have still their EXIF data (with date/time) but not the actual filesystem timestamps it would also be possible to make a "big" selection between those that have not EXIF data and order the rest in folders by date based on EXIF data.
There are also tools that allow to preview the images sorting them by appearances/colours, as an example this oldish one often worked for me:
http://download.chip.eu/it/ImageSorter-2.02_1756890.html
The original home page is "dead" though it can be accessed through the Wayback machine:
https://web.archive.org/web/20100327205424/http://mmk.f4.fhtw-berlin.de/Projekte/ImageSorter
This should be the latest available version:
http://www.pixolution.de/index.php?id=18
but I believe there are other softwares with similar approach/functions, like (examples):
http://www.mindgems.com/products/VS-Duplicate-Image-Finder/VSDIF-About.htm
http://www.visipics.info/index.php?title=Main_Page
http://www.keronsoft.com/dupdetector.html
jaclaz
↧