Similar Image Analysis Finds What Hashes Can’t

It is natural for a criminal to try to conceal their tracks. Oftentimes, they will manipulate a file to make it undetectable in the event of a hash search. However, while hashes don’t have the ability to locate files that have been changed, Similar Image Analysis can do that instantly.

What is Similar Image Analysis?

Similar Image Analysis is the latest analytic tool introduced by Oxygen Forensic® Detective v.13.5. Using PhotoDNA technology, this feature is capable of examining up to 300 thousand photos and identifying their matches in seconds.

Hash vs. PhotoDNA

Before going any further, let’s review the difference between hashes and PhotoDNA.

Hashing is a great tool for finding an exact duplicate of a file or identifying whether a file has been altered from its original form. This can be vital in proving or disproving the validity and authenticity of evidential data in a case. However, because hashes use binary information to identify exact copies, it’s impossible to use them to find images that are similar in appearance but have a different hash value. This isn’t an issue for PhotoDNA technology. Because PhotoDNA bases its matches on visual similarity and not binary information, it will locate any and all images that appear to be similar.

How to find similar images:

Similar Image Analysis is done automatically when entering the Files section of an extraction or a case. To access results, simply navigate to the Similar Images tab within the Files section, as shown in the panel below.

To view the similar images for a particular photo, click it. That will prompt a list of all similar images that were found within the device using the PhotoDNA algorithm. Investigators can view basic file information, such as date created, date modified, date accessed, file path, and hash function.

Note: PhotoDNA hash is calculated at data import. If PhotoDNA has not been calculated, similar images cannot be found.

Conclusion:

More often than not, a suspect will make some kind of attempt to cover their tracks and hide incriminating information. This is evident most commonly among child pornography cases, unfortunately. If the criminal is aware of hashing, they will manipulate files in any way possible as to not make them detectable.

Now, with the PhotoDNA technology built into Oxygen Forensic® Detective v.13.5, it doesn’t matter whether the image is resized, renamed, edited or saved in a different file format, Similar Image Analysis will find it.

For additional help with this feature, leave a comment or contact us.

Leave a Reply

Your email address will not be published. Required fields are marked *