Picture Analysis and Processing

WinHex & X-Ways


Part of volume snapshot refinement.

 

A forensic license also makes it possible to compute the percentage of skin tones in pictures and to detect black-and-white pictures. This is supported for the file types JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM/PBM/PGM/PPM and ICO. When an investigator has to look for traces of child pornography, sorting all pictures by skin tone percentage in descending order can speed up the work considerably, because it makes it unnecessary to check the large mass of pictures with 0-9% skin tones (e.g. tens of thousands of small graphics in the browser cache) and lists the most likely incriminating pictures at the very top. Please note that there can be false positives, i.e. skin-like colors on a surface that is not skin. Detecting black-and-white and grayscale pictures is useful when searching for electronically stored faxes and scanned documents. Pictures whose color composition cannot be analyzed successfully, e.g. because they are too large or corrupt, are listed with a question mark. Particularly small pictures (height or width no greater than 8 pixels, or height times width no greater than a value you specify) are classified as irrelevant, based on the assumption that they can be neither incriminating pornographic content nor documents.

 

For large JPEG, PNG, GIF and TIFF files, X-Ways Forensics can optionally also create thumbnails in advance while it analyzes the colors in the pictures during volume snapshot refinement, for much quicker display updates in Gallery mode later. Internal thumbnails are only created if no original thumbnails are embedded in the files and extracted at the same time, and they are actually utilized for the gallery only if auxiliary thumbnails are enabled (see Options | General). It is possible to specify your preferred resolution (maximum width or height in pixels) and quality (JPEG compression factor) of the thumbnails. However, the maximum amount of data that can be stored in the volume snapshot for a thumbnail is limited to 64 KB, so if a generated thumbnail gets larger than that, X-Ways Forensics will automatically reduce the user-defined resolution accordingly. To discard all internal thumbnails but keep the computed skin color percentages, you may delete the file "Secondary 1" in the "_" subdirectory of an evidence object behind X-Ways Forensics' back, i.e. when the evidence object is not currently open.

 

If you have an internal PhotoDNA hash database, known photos can be recognized automatically even if visually altered. If you select stricter matching (allow less variation in a picture), the process can be noticeably faster in huge databases. Any resulting matches can be seen and filtered in the combined Analysis column. Please note that photos that have already been recognized via PhotoDNA are not additionally checked for the amount of skin tone. PhotoDNA hash values are computed and matched only if the picture contains a total number of pixels that is larger than a user-defined minimum (width times height). This avoids database look-ups that can be time-consuming in very large PhotoDNA hash databases and typically have no benefit for small garbage pictures. The minimum dimensions allowed as a condition are 50x50 pixels. The PhotoDNA algorithm intrinsically requires a certain minimum number of pixels to provide meaningful results. If you select the lowest possible strictness level for matching (level 1), you will be asked whether you are really certain, as that level is known to occasionally deliver false matches. That level is offered in X-Ways Forensics only because it is provisionally suggested by the original developers of PhotoDNA. The recommended and default level in X-Ways Forensics is level 3.

 

Pictures can be matched against the PhotoDNA hash database again more conveniently, for example after having added some hash values to the database or after having assigned hash values to different categories, thanks to a new check box simply labelled "Again". You can still uncheck the "Already done?" check box for the whole picture analysis and processing operation to also discard the results of the skin color computation and precomputed thumbnails and regenerate both plus the PhotoDNA matches from scratch. Please note that with the "Again" option, when re-using previously computed PhotoDNA hashes, changes to the state of the check box "Recognize pictures even if mirrored" have no effect. That means that if the box was unchecked when the hash values were computed for the first time and stored in the volume snapshot, checking it later when re-using the stored hash values won't do any good.

 

Matching pictures against the PhotoDNA hash database another time is much faster if during a previous run you had X-Ways Forensics store the computed PhotoDNA hashes in the volume snapshot. This saves the time needed to read the files from the disk/image again, to decode/decompress the JPEG data or other formats again (time-consuming for high-resolution photos) and to recompute the hash values. Please note that PhotoDNA hashes require considerably more drive space than ordinary hashes. Also, more than one PhotoDNA hash may be required for just one picture. It is recommended to store the hash values in the volume snapshot for future fast re-matching only if you expect your PhotoDNA hash database to change during processing of a case, for example if it is likely that you or your colleagues discover further relevant pictures in that case, forcing you to search for other copies of these pictures.

 

To discard stored hash values you can either take a new volume snapshot, or alternatively you may delete the file "PDNA" in the "_" subdirectory of the evidence object, where the volume snapshot is internally stored.

 

If hash matching produces matches in both an ordinary hash database and the PhotoDNA hash database, and these have different categorizations, the "more severe" category takes precedence when the file is categorized: unknown < irrelevant < uncategorized < suspicious. The option to mark a file as already viewed when it gets categorized as irrelevant is now applied to the combined result of ordinary hash database and PhotoDNA hash database matching.
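
The category precedence and the PhotoDNA pixel minimum described above, modelled in Python as an added example. This is not X-Ways Forensics code; the `Picture` record, the function names and the sample files are constructed for illustration, and clamping the minimum to 50x50 is a modelling assumption.

```python
from dataclasses import dataclass

# Precedence stated in the text: unknown < irrelevant < uncategorized < suspicious
SEVERITY = ("unknown", "irrelevant", "uncategorized", "suspicious")
PHOTODNA_FLOOR = 50 * 50  # smallest minimum the text allows as a condition


@dataclass
class Picture:  # constructed record, not an X-Ways data structure
    name: str
    width: int
    height: int
    ordinary_cat: str = "unknown"   # category from the ordinary hash database
    photodna_cat: str = "unknown"   # category a PhotoDNA lookup would return


def photodna_checked(pic, min_pixels=PHOTODNA_FLOOR):
    """PhotoDNA hashes are computed only above the user-defined pixel minimum."""
    min_pixels = max(min_pixels, PHOTODNA_FLOOR)  # assumption: clamp to 50x50
    return pic.width * pic.height > min_pixels


def combined_category(pic, min_pixels=PHOTODNA_FLOOR):
    """The more severe of the two categorizations takes precedence."""
    pdna = pic.photodna_cat if photodna_checked(pic, min_pixels) else "unknown"
    return max(pic.ordinary_cat, pdna, key=SEVERITY.index)


def marked_viewed(pic, option_enabled=True, min_pixels=PHOTODNA_FLOOR):
    """'Already viewed' follows the combined result, not one database alone."""
    return option_enabled and combined_category(pic, min_pixels) == "irrelevant"


# Constructed sample pictures.
SAMPLES = [
    Picture("wallpaper.jpg", 1920, 1080, "irrelevant", "unknown"),
    Picture("edited.jpg", 800, 600, "irrelevant", "suspicious"),
    Picture("icon.png", 40, 40, "unknown", "suspicious"),
]


def summarize(pics):
    """Map each file name to (combined category, marked as already viewed)."""
    return {p.name: (combined_category(p), marked_viewed(p)) for p in pics}


if __name__ == "__main__":
    for name, result in summarize(SAMPLES).items():
        print(name, result)
```

In the sample, `edited.jpg` is irrelevant by its ordinary hash but suspicious by PhotoDNA, so it is categorized as suspicious and is not marked as already viewed.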