Picture Analysis and Processing

WinHex & X-Ways

Part of volume snapshot refinement.

 

A forensic license additionally allows you to compute the percentage of skin colors in pictures and to detect black & white pictures. This can be done for the file types JPEG, PNG, GIF, TIFF, BMP, PSD, HDR, PSP, SGI, PCX, CUT, PNM/PBM/PGM/PPM, ICO. The detection of black & white or gray-scale pictures is useful when looking for documents that were scanned and faxes that were stored electronically. A forensic examiner who has to look for traces of child pornography can sort pictures by skin color percentage in descending order to immensely accelerate the job. Checking the mass of pictures with a skin color percentage of 0%..9% (e.g. thousands of browser cache garbage files) may no longer be necessary, as the most likely incriminating files will be sorted near the top of the list. Please note that there may be false positives, i.e. skin-like colors of a non-skin surface. Pictures that cannot be correctly scanned for their color contents, e.g. because they are too large or corrupt, will be listed with a question mark instead of the skin color percentage. Pictures with very small dimensions (width or height no more than 8 pixels, or width times height no more than you indicate) will be marked as irrelevant on the assumption that they cannot contain incriminating pornography or documents.

 

For large JPEG, PNG, GIF and TIFF files, X-Ways Forensics can optionally create thumbnails in advance while it analyzes the colors in the pictures during volume snapshot refinement, for much quicker display updates in Gallery mode later. Internal thumbnails are only created if no original thumbnails are embedded in the files and extracted at the same time, and they are actually utilized for the gallery only if auxiliary thumbnails are enabled (see Options | General). It is possible to specify your preferred resolution (maximum width or height in pixels) and quality (JPEG compression factor) of the thumbnails. However, the maximum amount of data that can be stored in the volume snapshot for a thumbnail is limited to 64 KB, so if a generated thumbnail gets larger than that, X-Ways Forensics will automatically reduce the user-defined resolution accordingly. To discard all internal thumbnails, but keep the computed skin color percentages, you may delete the file "Secondary 1" in the "_" subdirectory of an evidence object behind X-Ways Forensics' back, i.e. when the evidence object is not currently open.

 

If you have an internal PhotoDNA hash database, known photos can be recognized automatically even if visually altered. If you select more strict matching (allow less variation in a picture), the process can be noticeably faster in huge databases. Any resulting matches can be seen and filtered in the combined Analysis column. Please note that photos that are already recognized via PhotoDNA are not additionally checked for the amount of skin tone. PhotoDNA hash values are computed and matched only if the picture contains a total number of pixels that is larger than a user-defined minimum (width times height). This avoids database look-ups that can be time-consuming in very large PhotoDNA hash databases and typically have no benefit for small garbage pictures. The minimum dimensions allowed as a condition are 50x50 pixels. The PhotoDNA algorithm intrinsically requires a certain minimum number of pixels to provide meaningful results. If you select the lowest possible strictness level for matching (level 1), you will be asked whether you are really certain, as that level is known to occasionally deliver false matches. That level is offered in X-Ways Forensics only because it is provisionally suggested by the original developers of PhotoDNA. The recommended and default level in X-Ways Forensics is level 3.

 

It is possible to more conveniently match pictures against the PhotoDNA hash database again, for example after having added some hash values to the database or after having assigned hash values to different categories, thanks to a new check box simply labelled "Again". You can still uncheck the "Already done?" check box for the whole picture analysis and processing operation to also discard the results of the skin color computation and precomputed thumbnails and regenerate both plus the PhotoDNA matches from scratch. Please note that with the "Again" option, when re-using previously computed PhotoDNA hashes, changes to the state of the check box "Recognize pictures even if mirrored" have no effect. That means if the check box was unchecked when hash values were computed for the first time and stored in the volume snapshot, checking it later when re-using the stored hash values won't do any good.

 

Matching pictures against the PhotoDNA hash database another time is much faster if during a previous run you had X-Ways Forensics store the computed PhotoDNA hashes in the volume snapshot. This saves the time needed to read the files from the disk/image again, to decode/decompress the JPEG data or other formats again (time-consuming for high-resolution photos) and to recompute the hash values. Please note that PhotoDNA hashes require considerably more drive space than ordinary hashes. Also, more than one PhotoDNA hash may be required for just one picture. It is recommended to store the hash values in the volume snapshot for future fast re-matching only if you expect your PhotoDNA hash database to change during processing of a case, for example if it is likely that you or your colleagues discover further relevant pictures in that case, forcing you to search for other copies of these pictures.

 

To discard stored hash values you can either take a new volume snapshot, or alternatively you may delete the file "PDNA" in the "_" subdirectory of the evidence object, where the volume snapshot is internally stored.

 

If matches are returned from regular hash databases as well as the PhotoDNA hash database at the same time with conflicting categorizations, the "more severe" category prevails: unknown < known good < known, but uncategorized < known bad. The option to mark a file as already viewed when it gets categorized as irrelevant is now applied to the combined result of ordinary hash database and PhotoDNA hash database matching.
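
The matching rules described above (pixel minimum for PhotoDNA look-ups, no skin tone check after a PhotoDNA match, and the more severe category prevailing) can be modelled as follows. This is an added example, not X-Ways Forensics code: the record layout and all names are hypothetical, the sample records are constructed, and the strict "larger than" comparison is a literal reading of the text.

```python
from enum import IntEnum
from typing import NamedTuple, Optional

class Category(IntEnum):
    """Severity order as stated on the page (higher value prevails)."""
    UNKNOWN = 0
    KNOWN_GOOD = 1
    KNOWN_UNCATEGORIZED = 2
    KNOWN_BAD = 3

# The page gives 50x50 pixels as the smallest minimum that can be set.
PDNA_FLOOR = 50 * 50

class Picture(NamedTuple):          # hypothetical record layout
    name: str
    width: int
    height: int
    ordinary: Category              # ordinary hash database result
    photodna: Optional[Category]    # PhotoDNA database result, None = no match

class Outcome(NamedTuple):
    pdna_lookup: bool               # was a PhotoDNA hash computed and matched?
    category: Category              # combined categorization
    skin_tone_checked: bool         # is the skin color percentage still computed?

def analyze(pic: Picture, min_pixels: int = PDNA_FLOOR) -> Outcome:
    if min_pixels < PDNA_FLOOR:
        raise ValueError("minimum below 50x50 pixels is not allowed")
    # Literal reading of "larger than a user-defined minimum": strict comparison.
    lookup = pic.width * pic.height > min_pixels
    hit = pic.photodna if lookup else None
    # Conflicting categorizations: the more severe one prevails.
    combined = pic.ordinary if hit is None else max(pic.ordinary, hit)
    # Pictures recognized via PhotoDNA are not additionally checked for skin tone.
    return Outcome(lookup, Category(combined), hit is None)

# Constructed sample records, not output of X-Ways Forensics.
SAMPLES = [
    Picture("cache_icon.gif", 32, 32, Category.UNKNOWN, Category.KNOWN_BAD),
    Picture("holiday.jpg", 1600, 1200, Category.KNOWN_GOOD, Category.KNOWN_BAD),
    Picture("scan.tif", 800, 600, Category.KNOWN_UNCATEGORIZED, Category.KNOWN_GOOD),
    Picture("photo.png", 640, 480, Category.UNKNOWN, None),
]

if __name__ == "__main__":
    for p in SAMPLES:
        o = analyze(p)
        print(f"{p.name:15} lookup={o.pdna_lookup!s:5} {o.category.name:20} skin={o.skin_tone_checked}")
```

The first sample shows the practical consequence of the pixel minimum: a picture below the threshold is never looked up, so a copy that would otherwise match stays "unknown" and is only covered by the skin tone check.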