Rock, Paper, Scissors, Knife, Gun, Elephant: Nuix Investigation Workflows Part 2
There are high-profile examples of the sheer volume of material needing review during a criminal investigation leading to mistakes. As I talked about in part one of this series, the use of images in communications is growing at a tremendous rate, which also means they show up more than ever in criminal evidence sets.
When faced with this potentially unclimbable mountain of data, law enforcement agencies urgently need to consider new, and perhaps quite radical ways to prioritize evidence.
Getting to the (Meta)Data
Extracting huge volumes of metadata (essentially data about data) is part of the Nuix Engine's processing and indexing capabilities, giving law enforcement a powerful tool for handling massive data volumes. When this is applied to photographs or videos, particularly those from mobile devices, a wealth of information known as "EXIF data" (Exchangeable image file format) is exposed to the investigator, including device- and camera-specific information.
Deeper analysis of this metadata often tells us which device was used to take the photograph, and indeed whether it was taken on the front "selfie" camera or the back main camera (we can often even see whether the flash fired). One caveat to keep in mind: EXIF tags are trivially editable and are routinely stripped by messaging apps and social-media uploads, so a missing tag proves nothing, and a present one is best corroborated against other evidence before it is relied on.
Armed with this information, we can easily create a metadata profile in Nuix to show us all relevant camera information and apply it across our entire case. This is especially useful if we have tens or hundreds of devices to review.
With this in mind, you can follow a simple workflow—‘let’s focus on just images taken from a phone’—rather than also looking in the internet browser cache. If the main suspect had an iPhone XS on them when they were arrested (as can be seen in the graphic above) you can narrow down your search parameters to just that device and review those images first.
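As an added example (not Nuix code), the following Python models the camera metadata an indexing engine exposes per image as plain dicts keyed by EXIF tag name, reduces each to the fields an investigator filters on, and applies that profile across a whole case. The flash check uses the real EXIF Flash bitfield (bit 0 set means the flash fired); the front/back inference relies on the wording Apple writes into LensModel, which is an assumption about the data rather than an EXIF rule. The sample items are constructed.

```python
"""Interpret camera-related EXIF tags and apply a camera profile across a case.

Added example, not Nuix code. Per-image metadata is modelled as dicts keyed by
EXIF tag name (Make, Model, LensModel, Flash). Front/back detection relies on
Apple's LensModel wording ("... front camera ..." / "... back ... camera ...");
that is an assumption about the data, not an EXIF rule.
"""
from collections import Counter

FLASH_FIRED_MASK = 0x01  # EXIF Flash (tag 0x9209): bit 0 set means the flash fired

# Constructed sample items; values are illustrative, not from a real case.
SAMPLE_ITEMS = [
    {"id": "IMG_0001", "device": "phone-A", "Make": "Apple", "Model": "iPhone XS",
     "LensModel": "iPhone XS front camera 2.87mm f/2.2", "Flash": 0x18},
    {"id": "IMG_0002", "device": "phone-A", "Make": "Apple", "Model": "iPhone XS",
     "LensModel": "iPhone XS back dual camera 4.25mm f/1.8", "Flash": 0x19},
    {"id": "IMG_0003", "device": "phone-B", "Make": "samsung", "Model": "SM-G960F",
     "LensModel": None, "Flash": 0x00},
    {"id": "cache_17.jpg", "device": "laptop-C"},  # browser-cache image, EXIF stripped
]


def camera_profile(exif):
    """Reduce raw EXIF tags to the fields an investigator filters on."""
    lens = (exif.get("LensModel") or "").lower()
    if "front" in lens:
        camera = "front"
    elif "back" in lens or "rear" in lens:
        camera = "back"
    else:
        camera = "unknown"
    flash = exif.get("Flash")
    return {
        "make": (exif.get("Make") or "").strip() or None,
        "model": (exif.get("Model") or "").strip() or None,
        "camera": camera,
        # None when the tag is absent: "unknown" is not the same as "did not fire"
        "flash_fired": None if flash is None else bool(flash & FLASH_FIRED_MASK),
    }


def select(items, model=None, camera=None, flash_fired=None):
    """Filter items on their camera profile; None means 'any' for that criterion."""
    hits = []
    for item in items:
        p = camera_profile(item)
        if model is not None and p["model"] != model:
            continue
        if camera is not None and p["camera"] != camera:
            continue
        if flash_fired is not None and p["flash_fired"] is not flash_fired:
            continue
        hits.append(item)
    return hits


def case_summary(items):
    """Tally (make, model, camera) across every device in the case."""
    return Counter((p["make"], p["model"], p["camera"])
                   for p in map(camera_profile, items))


if __name__ == "__main__":
    for item in select(SAMPLE_ITEMS, model="iPhone XS", camera="front"):
        print("selfie on the suspect's iPhone XS:", item["id"])
    for key, n in case_summary(SAMPLE_ITEMS).items():
        print(key, n)
```

The summary is the "metadata profile across the entire case": with tens of devices it shows at a glance which handsets produced images and which items carry no camera metadata at all (typically downloads and cache files), so they can be reviewed separately rather than mistaken for photographs the suspect took.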
Where in the World?
You can also quickly show any of the images containing GPS information (the latitude and longitude tags exposed alongside the camera data) in order to help put the device (and therefore its owner) at a location or crime scene. Using Nuix Investigate®'s "pivot" capability, you can quickly see which other photographs were taken within a given distance of a suspicious photograph.
A pivot of 100 meters from the GPS coordinates of a suspect image reveals the nearby photographs and their positions on a map.
In case you're wondering why the photograph and Google Maps above are pointing to the middle of a field, it's the location a classic car show was held. The two red pins accurately map the position of a couple of classic Ford Escorts that I had the pleasure to photograph. It has absolutely nothing to do with the hiding spot for my stash of drugs that I plan to sell when the field is used by a local music festival in a couple of weeks' time.
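The pivot above, as an added example in Python (not Nuix's implementation). It assumes the GPS tags arrive as EXIF stores them: GPSLatitude/GPSLongitude as three (numerator, denominator) rationals for degrees, minutes and seconds plus the N/S and E/W reference letters, and DateTimeOriginal as "YYYY:MM:DD HH:MM:SS". Distance is great-circle (haversine), and an optional time window turns the same function into the "same place, same time" check used later in this article to put several people at one scene. All coordinates and timestamps are constructed.

```python
"""GPS pivot: which other photographs were taken within a radius, and optionally
within a time window, of a seed photograph.

Added example, not Nuix code. GPS tags are assumed in EXIF form: three
(numerator, denominator) rationals for degrees/minutes/seconds plus N/S, E/W
reference letters; DateTimeOriginal as 'YYYY:MM:DD HH:MM:SS'.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000  # mean Earth radius; error is negligible at pivot scales


def dms_to_decimal(dms, ref):
    """Convert EXIF degrees/minutes/seconds rationals to signed decimal degrees."""
    deg, minutes, seconds = (num / den for num, den in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two decimal-degree positions."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def position(exif):
    """Decimal (lat, lon) for an item, or None if it carries no usable GPS tags."""
    try:
        return (dms_to_decimal(exif["GPSLatitude"], exif["GPSLatitudeRef"]),
                dms_to_decimal(exif["GPSLongitude"], exif["GPSLongitudeRef"]))
    except (KeyError, TypeError, ZeroDivisionError):
        return None


def taken_at(exif):
    s = exif.get("DateTimeOriginal")
    return datetime.strptime(s, "%Y:%m:%d %H:%M:%S") if s else None


def pivot(items, seed_id, radius_m, window_s=None):
    """[(id, distance_m)] of every other item within radius_m of the seed, nearest
    first. With window_s, capture times must also lie within that many seconds
    of the seed's (the 'same place, same time' check)."""
    by_id = {i["id"]: i for i in items}
    seed = by_id[seed_id]
    seed_pos, seed_time = position(seed), taken_at(seed)
    if seed_pos is None:
        raise ValueError(f"{seed_id} has no GPS position to pivot on")
    hits = []
    for item in items:
        if item["id"] == seed_id:
            continue
        pos = position(item)
        if pos is None:
            continue  # no GPS: cannot be placed; review these separately, not never
        d = haversine_m(*seed_pos, *pos)
        if d > radius_m:
            continue
        if window_s is not None:
            t = taken_at(item)
            if seed_time is None or t is None or abs((t - seed_time).total_seconds()) > window_s:
                continue
        hits.append((item["id"], round(d, 1)))
    return sorted(hits, key=lambda h: h[1])


def dms(deg, minutes, seconds):
    """Write a constructed coordinate in EXIF rational form (seconds to 0.1)."""
    return ((deg, 1), (minutes, 1), (int(round(seconds * 10)), 10))


# Constructed sample set: a seed photograph plus four items around it.
SAMPLE_ITEMS = [
    {"id": "seed", "GPSLatitude": dms(51, 30, 0.0), "GPSLatitudeRef": "N",
     "GPSLongitude": dms(0, 6, 0.0), "GPSLongitudeRef": "W",
     "DateTimeOriginal": "2019:03:09 14:00:00"},
    {"id": "near-north", "GPSLatitude": dms(51, 30, 1.8), "GPSLatitudeRef": "N",   # ~56 m
     "GPSLongitude": dms(0, 6, 0.0), "GPSLongitudeRef": "W",
     "DateTimeOriginal": "2019:03:09 14:05:00"},
    {"id": "near-east", "GPSLatitude": dms(51, 30, 0.0), "GPSLatitudeRef": "N",    # ~69 m
     "GPSLongitude": dms(0, 5, 56.4), "GPSLongitudeRef": "W",
     "DateTimeOriginal": "2019:03:09 16:00:00"},                                    # two hours later
    {"id": "far-north", "GPSLatitude": dms(51, 30, 7.2), "GPSLatitudeRef": "N",    # ~222 m
     "GPSLongitude": dms(0, 6, 0.0), "GPSLongitudeRef": "W",
     "DateTimeOriginal": "2019:03:09 14:01:00"},
    {"id": "no-gps", "DateTimeOriginal": "2019:03:09 14:00:30"},
]

if __name__ == "__main__":
    print("within 100 m:", pivot(SAMPLE_ITEMS, "seed", 100))
    print("within 100 m and 10 min:", pivot(SAMPLE_ITEMS, "seed", 100, window_s=600))
```

Two practical points the pivot does not solve for you: items without GPS tags are simply unplaceable, not cleared, and DateTimeOriginal is the device's own clock, so a time-window match is only as good as that clock (and the device's time zone handling) was at capture time.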
You can further enrich the data processed by the Nuix Engine by utilizing several built-in technologies, including:
- Skin tone analysis. Examine the contents of images and establish whether they contain a high, medium or low proportion of colours that could indicate the presence of skin.
- Facial identification. Examine the contents of images and look for characteristics that potentially indicate a face being present.
- Child exploitation. Law enforcement agencies can take advantage of Microsoft’s donated PhotoDNA engine, which helps to fight the horrendous creation and distribution of indecent images of children through the amazing work of organizations such as Project VIC.
- Deep learning. Use a neural network trained with over a million images that can classify pictures into categories like paper, rock, guns, drugs, knives, etc. If you've ever used Google Images you’re already familiar with the technology.
And Get Concise
Building on our original workflow, and obviously depending on the case type, you can use a mixture of these technologies to quickly filter a huge quantity of images down so that investigators view the potentially most relevant ones first.
The following are all examples of searches that can be run in Nuix using its query language:
- All photographs taken on an iPhone using the front selfie camera
- All photographs not taken on an iPhone that contain high levels of skin tone
- All photographs that were taken within 1km of a GPS location
- All photographs that contain, with high confidence, pictures of guns, drugs or knives
- All photographs that are 'known bad' images and that have duplicates on different devices.
Applying these searches (which can easily be saved and therefore are easily repeatable) can empower digital media investigators to quickly separate the ‘wheat from the chaff.’
Dealing with Attribution and Association
There comes a time during an investigation when the investigating officer(s) needs to present their evidential findings to the suspect(s), normally during an interview. I’m still amazed after being involved in so many of these by the number of times you hear the same two responses to questions aimed to elicit information surrounding the circumstances of an offense or incident:
- “That’s not my [drugs/phone/laptop/etc]. I was looking after it for a friend/guy in the pub/etc.” This is known as ‘attribution.’
- “I don’t know/I’ve never seen/I’ve never met the other people you also arrested.” This is known as ‘association.’
If you have a suspect’s mobile device or computer there are many ways to try and link them to it. It could be something as simple as searching for the phone number stored for ‘mum’ or ‘dad’ and ringing to ask who their son or daughter is.
That’s the low-tech approach. Alternatively, you can filter on the ‘selfie’ images recovered from the device and see if your suspect appears in any or all of them. You could even show ownership by plotting all photographs onto a map and see if any of the locations revealed match known addresses for your suspect (or indeed their associates) and cross-reference this with the times of the images. A bunch of images at the same house taken in the morning or evening tends to suggest that might be where they live—or at least sleep.
Proving association is a lot harder, but not impossible. Establishing whether any images have been shared with others is a great start. If you can identify the same photograph stored on different devices, it's a good indication that the owners of the devices have something in common. The same workflow is used to follow the downloading and sharing (distribution) of illicit images.
Filtering on ‘Images’ in Nuix Investigate's Canvas view can help here by showing both the ownership and movement of photographs (and other items such as documents) between individuals.
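As an added example (not Nuix or Project VIC code), the Python below does the two hash-based checks behind the workflow just described and the "known bad with duplicates on different devices" search listed earlier: it indexes every file on every device by cryptographic hash, reports images that are byte-identical across devices, turns those into device-to-device association edges, and matches against a known-bad hash set. The image bytes and the known-bad list are constructed stand-ins; a real hash set (Project VIC distributes MD5, SHA-1 and PhotoDNA values) would be loaded from file.

```python
"""Cross-device duplicate detection and known-bad hash matching.

Added example, not Nuix or Project VIC code. Image contents and the known-bad
list are constructed stand-ins; hashlib is used with a selectable algorithm so
MD5/SHA-1 lists can be matched the same way.
"""
import hashlib
from collections import defaultdict
from itertools import combinations

# Constructed image bytes per device (labels only, not real JPEG data).
DEVICE_IMAGES = {
    "phone-A": {"IMG_0412.jpg": b"image-X-original-bytes",
                "IMG_0413.jpg": b"image-unique-to-A"},
    "phone-B": {"received_1.jpg": b"image-X-original-bytes",  # byte-identical copy of X
                "received_2.jpg": b"image-Y-original-bytes"},
    "laptop-C": {"dl/pic.jpg": b"image-Y-original-bytes",
                 "dl/pic_small.jpg": b"image-X-recompressed"},  # re-saved copy: hash differs
}


def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def index_by_hash(devices, algo="sha256"):
    """hash -> [(device, path)] over every file on every device."""
    index = defaultdict(list)
    for device, files in devices.items():
        for path, data in files.items():
            index[digest(data, algo)].append((device, path))
    return index


def shared_images(devices, algo="sha256"):
    """Hashes present on at least two distinct devices, with their locations."""
    return {h: locs for h, locs in index_by_hash(devices, algo).items()
            if len({d for d, _ in locs}) >= 2}


def association_edges(devices, algo="sha256"):
    """Device pairs linked by at least one byte-identical image."""
    edges = set()
    for locs in shared_images(devices, algo).values():
        for a, b in combinations(sorted({d for d, _ in locs}), 2):
            edges.add((a, b))
    return edges


def known_bad_hits(devices, known_bad, algo="sha256"):
    """(device, path) of every file whose hash appears in the known-bad set."""
    index = index_by_hash(devices, algo)
    return sorted(loc for h in known_bad if h in index for loc in index[h])


# Constructed known-bad list: here just the hash of image X.
KNOWN_BAD_SHA256 = {digest(b"image-X-original-bytes")}

if __name__ == "__main__":
    for h, locs in shared_images(DEVICE_IMAGES).items():
        print(h[:12], "shared by", locs)
    print("association edges:", sorted(association_edges(DEVICE_IMAGES)))
    print("known-bad hits:", known_bad_hits(DEVICE_IMAGES, KNOWN_BAD_SHA256))
```

Note what the re-saved copy on laptop-C shows: a cryptographic hash only links byte-identical files, so an image that was resized, re-encoded or had its metadata stripped in transit will not match even though it is visually the same picture. That is exactly the gap perceptual hashing such as PhotoDNA closes, and why a known-bad match on the exact hash is strong evidence but its absence is not exculpatory. Filesystem and EXIF timestamps on the matching files then indicate the likely direction of the sharing.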
If you're trying to 'put people' at the scene of an incident, your good friend GPS can help. We often see incidents on TV where people are seen filming a car crash or fight on their mobile devices. Whilst each photograph or video would be forensically different, the GPS coordinates stored alongside each file (back to my field example above) allow you to plot them onto a map, showing that your suspects or witnesses were all at the same place at the same time, provided the GPS tags and the devices' clocks can be trusted for the period in question.
Building a Strategy for Success
It's important to note that I'm not advocating skipping any of the images recovered from a device; far from it! By setting out with a strategy to focus and drive an investigation, you can use some of Nuix's powerful built-in capabilities to quickly filter down what might seem like an insurmountable volume of material and bubble the potentially relevant items to the surface for review first.
From there, you can then use our built-in analytics to help join the dots, helping attribute devices to owners, link suspects together, and hopefully help to make the world a safer place for us all.
If you're interested in learning more, we'll be at the ICDDF Conference in Heathrow, London next week, March 16-21, and hope you stop by to see us.