In the fight against such abuses, CAID is a necessary tool. It works by bringing together all of the images that both the police and the National Crime Agency encounter, and uses their unique identifiers (hashes) and metadata to improve investigations. ADF software collects and analyzes CAID hashset data to make it easier for DMIs and Forensic Examiners to analyze matches and create court-ready reports for prosecutors to assist in child exploitation cases.
In this short 5-minute video, ADF digital forensics trainer Rich Frawley demonstrates how a Digital Media Investigator can easily prepare CAID hash data for an investigation.
Adding CAID Hashes to an ADF Search Profile
To get started, create your own Search Profile and add your own unique hashes.
In the Search Profile, select New Capture → Search for files by hash value.
You can search for files by hash value(s) using MD5 or SHA1 hash values. When creating any Capture, a Capture Group and name must be provided for the Capture (Hash Sets & CAID).
On the Define Hash Values screen it is possible to define the hash values to search for and the scope of search. The right-hand side function toolbar offers the following actions:
- Add Files - you can create a hashset from all files in a folder by clicking on the Add Files button and navigating to and selecting the folder containing the files.
- Import CSV - Click on the Import CSV button and navigate to the .CSV or text file.
- Import VICS - It is possible to import CAID formatted JSON files containing hash values. CAID JSON files containing category information will auto-tag matching files during a scan with that category number.
A message will be displayed showing the outcome of the import. If the JSON format is unsupported, a warning will appear here, as will any duplicate hashes that will not be added. Once the values have been added, select the Next button to Define the Files to Hash.
Pick a File Type: Select the file type that matches the hash values.
Select the Capture Options:
- File identification method:
  - Fast identification - identifies file types using the file extension only.
  - Thorough identification for files without extensions - uses file signature analysis to identify files that have no file extension and fast identification on those that do.
  - Thorough identification for all files - uses file signature analysis to identify all files. This will increase the time the scan takes to run.
- Search selected file types in:
  - Archives - Searches for all selected file types within archives
  - Documents - Searches for all selected file types embedded within Document file types
  - Picture DB files - Searches for all selected Picture file types within thumbcache and thumbs.db files
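The three file identification methods above can be compared side by side. The following is an added example, not ADF code: the mode names, the small signature table and the sample files are all constructed for illustration.

```python
import os

# Constructed signature table (picture formats only); real tools carry far more.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

def by_extension(name):
    """Fast identification: trust the file extension only."""
    return EXTENSIONS.get(os.path.splitext(name)[1].lower())

def by_signature(header):
    """Signature analysis: match the leading bytes against known magic values."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def identify(name, header, mode):
    """mode is a hypothetical name: 'fast', 'thorough_no_ext' or 'thorough_all'."""
    has_ext = bool(os.path.splitext(name)[1])
    if mode == "fast":
        return by_extension(name)
    if mode == "thorough_no_ext":
        return by_extension(name) if has_ext else by_signature(header)
    if mode == "thorough_all":
        return by_signature(header)
    raise ValueError(f"unknown mode: {mode}")

# Constructed samples: (file name, first bytes of the file)
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),       # extension and content agree
    ("IMG_0042", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),   # picture with no extension
    ("notes.txt", b"\xff\xd8\xff\xe1\x00\x18Exif"),         # picture carrying a .txt extension
    ("report.png", b"%PDF-1.7\n"),                          # non-picture carrying .png
]

def compare(samples=SAMPLES):
    """Return {name: (fast, thorough_no_ext, thorough_all)} for each sample."""
    modes = ("fast", "thorough_no_ext", "thorough_all")
    return {n: tuple(identify(n, h, m) for m in modes) for n, h in samples}

if __name__ == "__main__":
    for name, (fast, no_ext, full) in compare().items():
        print(f"{name:12} fast={fast} no_ext={no_ext} all={full}")
```

Only the all-files mode classifies the mislabelled `notes.txt` as a picture, which is the trade-off against the longer scan time noted above.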
Select the File Properties for the File Collection:
- File Size - The left-hand size specifies the minimum file size while the right-hand size specifies the maximum file size. It is possible to specify Bytes, Kilobytes, Megabytes, and Gigabytes by clicking on the arrows next to the size unit.
- Pixel size - Limit the pictures collected by setting the minimum pixel width and height.
- Created Date - Specifies a UTC created date range for the selected file types.
- Modified Date - Specifies a UTC modified date range for the selected file types.
Select the File Source options:
- Entire file system - Searches all live files
- Targeted folders - May be used to limit the extent of the scan making it run quicker. These can be used to limit the search to areas where evidential material is likely to exist. In addition, Targeted folders are searched before other folders and are not searched again if both Targeted folders and the entire file system are selected.
- Files referenced by artifact records - Used to target files referenced by Artifact Captures (e.g. email attachments). If any files are located in the P2P, Email, Messages, or download, or have a recent file entry, the artifacts will be linked to the file.
- Deleted Files - Targets deleted files for which references can still be found in the file system.
- Carve pictures from Unallocated space - this searches unallocated space and collects any picture files when their header signature is identified.