Tuesday, 17 January 2012

New Maltego Transform for Local Image Forensic Location Data Mining

We're very happy to announce a new set of local Maltego transforms and supporting entity types. These transforms will be available to customers in the next week or so (contact maltego@recx.co.uk for purchasing and pricing information) and are currently going through the final throws of beta testing.

We recognized the problem that having a large collection of images in a forensic case can mean it's difficult to make sense of them. During a case investigation you may want to do a number of different investigative procedures on the images:
  • See images taken in the same location.
  • See images taken in the same location but with different devices.
  • See images taken in the same location but altered via software.
  • Search for images taken in a certain location across your acquired set.
As a result we developed a new set of local transforms and entity types for Maltego to address these needs. To start we introduced a new entity type called 'Filesystem Path', as the name implies it allows you to specify the local path upon which to run the transform.

The 'Filesystem Path' as has an optional field of 'Location' which allows you to specify a physical location for only the images you're interested in. This physical location might be for example:
  • Road or street name.
  • A town or city.
  • State or country.
  • Country.
At which point we can run our first transform 'Discover Images with EXIF Data'. This transform will search the provided path for all the images that contain EXIF data that have GPS properties. If you do a location search for each image the GPS data is extracted, resolved and compared to the location you provided. In return you'll receive a number of image entities back including thumbnail views (contact us if you wish to have this feature disabled due to the material you're working with).

In the detail view of the image entity there are a number of other features which can be seen in the screenshot  below. These include a larger view of the image and a link to view the full sized version.

Click for Larger Version

Next we're able to run our next transform 'Extract EXIF Data'. This transform then goes through each selected image and extracts a number of properties as separate entities, as can be seen below:

Click for Larger Version
The transform is able to extract the following image properties:
  • Manufacture and device type.
  • GPS location.
  • Image time.
  • Original image time.
  • GPS image time.
We're now free to use Maltego's existing transforms on the GPS location to convert it into a place name or specific street. We've also populated the detailed view of the GPS object with a quick link to Google maps.

This gives us an end to end workflow looking something like:
Click for Larger Version

In the above example we worked with a single image to walk you through the process. If we now scale this up to work with a larger set. We can get something like this:

Click for Larger Version - Download full size version here

Anyway we hope you've enjoyed this brief introduction to our upcoming release. We think the Recx EXIF GPS Image Forensics Pack for Maltego combined with the new Casefile entities in the upcoming Maltego 3.1 make a powerful combination for photo forensic investigators.  If you're interested in purchasing a copy or finding out more please contact us via e-mail (maltego@recx.co.uk), use our on-line form or give us a call.

No comments:

Post a Comment