
Images Are Everywhere: Nuix Investigation Workflows (Part 1)


One of the questions I often get asked when speaking with customers about image review workflows—especially if they come from a law enforcement background—is how best to use some of the technology built into Nuix, such as deep learning, to speed up the review of image-heavy cases.

Most police agencies (especially those in the US and UK) are already using shared hash databases to assist with offenses that relate to child exploitation, as well as technologies such as Microsoft's PhotoDNA, in conjunction with the excellent work undertaken by the Project VIC team. What’s interesting about these technologies is that they are all essentially focused on quickly identifying ‘known’ images—either in their original or edited format (via hash/digital fingerprint/dHash). It's a simple and yet powerful workflow: If someone else has already seen, reviewed, and validated an image, then you shouldn't have to. You can simply rely on their findings, thus reducing the number of images requiring review.

But what about images that haven't been previously seen and therefore reviewed and categorized? What about images that sit outside these offenses or aren't in themselves considered illegal?

Changing Times

To give you an example: I, like many parents of millennial children with their mobile-centric lifestyle, have had to adapt how I communicate with them. Long gone are the days of phone calls, and even text messaging is "soooo yesterday." Today, I'm more likely to receive a picture of something in order to facilitate a conversation.

Here's a classic example.

Me: "Where are you?"

Response:

[Image: University library]
In case you’re wondering, this is a picture of the University library.

Me: “What are you having for dinner?”

Response:

[Image: Typical Manchester dinner]
That's steak and kidney pudding with peas, chips, and gravy—a very Manchester dish. I trained my daughter well!

Sometimes, I don't even need to ask a question in order to get a status update. Some great examples include:

[Image: An adult beverage]
I don’t think anyone needs me to explain what this is.

Or:

[Image: Another adult beverage]
Again, no explanation necessary!

As you might guess, these tend to come at 5:30(ish) on a Friday afternoon, and maybe indicate a bit of a theme if someone were ever to run analytics against my device(s)!

Not Just for the Innocent

I am reliably informed that the phrase “a picture paints a thousand words” also applies to nefarious communications, with images often being sent to indicate an event or action. Instead of sending "I'm here," the words are replaced with a picture of a house or a street.

The "[insert drug name here] has arrived" SMS messages recovered from a suspect’s phone in my day have now been replaced by a picture, sometimes of the drugs themselves, other times of something more innocuous or innocent such as a cat, dog, or everyday object, to indicate the arrival (or not) of said substance.

This practice even extends into the workplace, with slang terms used to indicate an event between wrong-doers now often replaced by photos shared via email or instant messenger to indicate theft, fraud, or NSFW content, and therefore breaches of HR or IT policies.

Within certain parts of society, it’s also now very common to post and share images that show allegiance to a cause, with many people feeling safe sharing images using an encrypted app or perhaps hiding behind an alias and/or VPN. Sadly, this method is often used by those linked to gangs and potentially suspected street and knife crime. Even worse, they seem to revel in sharing these types of images.

[Image: Man with a knife]
It's not uncommon to see images like this shared by criminals.

Obtaining a ‘Single View’

As part of any investigation including multiple data sources and suspects, one of the first challenges is bringing all of the various evidence sources together to give investigators a ‘single view’ into the case evidence. If you’ve read any of my other blogs, you’ll know this is something both I and Nuix are passionate about. We truly believe that the only way an investigation team will be able to ‘see the big picture’ is if they look at all the evidence—across mobile, computer, and cloud within a single platform—with Nuix Investigate being an obvious choice.

To help simplify the process of collecting and processing all evidence—particularly from mobile devices—we’ve deepened our existing partnership with MSAB, a pioneer in forensic technology for mobile device examination. We’ll be announcing some very exciting news at this year’s ICDDF conference in London to make it even easier to bring MSAB captured and processed mobile device data into the Nuix platform.

Once the evidence is collected and processed, most law enforcement agencies are typically faced with the contents of one or many mobile devices and computers as part of an investigation, and sadly they quickly become overwhelmed by the sheer quantity and volume of data that needs to be processed and reviewed. It’s not unusual for a single device to contain thousands of pictures and messages.

Compound this with duplication across devices, a symptom of the ecosystems driven by manufacturers such as Apple, whereby an iMessage is seen (and therefore stored) on phone, tablet, and laptop simultaneously, and the challenges of review can seem overwhelming.

[Image: MSAB photo list]
Screenshot from MSAB, showing over 1.4 million pictures recovered from a single device!
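The known-image matching described earlier (exact hash for originals, a perceptual fingerprint for edited copies) and the cross-device duplication problem can be combined into one triage pass. The sketch below is an added example, not Nuix, MSAB, PhotoDNA, or Project VIC code; the simplified difference hash, the `max_distance` threshold, and the sample images are all assumptions constructed for illustration.

```python
import hashlib

def dhash(pixels, size=8):
    """64-bit difference hash of a grayscale image (list of rows, 0-255)."""
    h, w = len(pixels), len(pixels[0])
    bits = 0
    for r in range(size):
        row = pixels[r * h // size]                      # nearest-neighbour downscale
        small = [row[c * w // (size + 1)] for c in range(size + 1)]
        for left, right in zip(small, small[1:]):
            bits = (bits << 1) | int(left > right)       # keep only the gradient sign
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def triage(items, known_sha256, known_dhash, max_distance=6):
    """Sort (source, name, raw_bytes, pixels) items into review buckets.

    max_distance is an assumed threshold, not a value from the article.
    """
    seen = set()
    out = {"known_exact": [], "known_near": [], "duplicate": [], "review": []}
    for source, name, raw, pixels in items:
        digest = hashlib.sha256(raw).hexdigest()
        label = f"{source}/{name}"
        if digest in known_sha256:                       # already validated elsewhere
            out["known_exact"].append(label)
        elif digest in seen:                             # same bytes on another device
            out["duplicate"].append(label)
        elif any(hamming(dhash(pixels), k) <= max_distance for k in known_dhash):
            out["known_near"].append(label)              # edited copy of a known image
        else:
            out["review"].append(label)                  # unseen: needs a human
        seen.add(digest)
    return out

def demo():
    # Constructed sample data: raw pixel bytes stand in for file contents.
    raw = lambda img: bytes(v for row in img for v in row)
    base = [[(r * 37 + c * 53) % 97 for c in range(18)] for r in range(16)]
    brighter = [[v + 10 for v in row] for row in base]   # edited copy
    other = [[255 - v for v in row] for row in base]     # different picture
    items = [("phone", "IMG_1.jpg", raw(base), base),
             ("phone", "IMG_2.jpg", raw(brighter), brighter),
             ("phone", "IMG_3.jpg", raw(other), other),
             ("tablet", "IMG_3.jpg", raw(other), other)]
    return triage(items, {hashlib.sha256(raw(base)).hexdigest()}, {dhash(base)})

if __name__ == "__main__":
    print(demo())
```

Only the `review` bucket requires a first-time human look; the brightened copy fails the cryptographic match but keeps an identical difference hash, which is why both fingerprints are checked.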

Next Up: Building a Better Investigation Workflow

Now that I’ve discussed some of the challenges law enforcement agencies face thanks to the proliferation of images and how they’re used, in the second half of this two-part series I’ll talk about some options to consider for your investigation workflows using the technology available in Nuix.