GitHub: https://github.com/SausCode/Encase-Image-Search
This project uses the Google Vision API as well as the Python module imagemounter to open an EnCase file, mount it, and tag image files (png, jpg, gif). The user can then type in search terms, and the program outputs the path to the image file. Furthermore, the program can show the images to the user along with the label that it generated.
Setup
Get a Google Cloud Vision credential (JSON)
Installation
git clone https://github.com/SausCode/Encase-Image-Search.git
cd Encase-Image-Search
pip3 install -r requirements.txt
sudo python vision.py /path/to/imageFile.e01(2,3) <google_vision_credential.json>
- Follow the on-screen instructions
Background
Our original intention was to roll the functionality of this code directly into Autopsy. In researching that, we ran into a couple problems:
- Autopsy only allows for Java plugins, which isn't an issue, but we had a lot of trouble getting the Google Vision API installed for Java. In Python, on the other hand, it was trivially easy.
- The greater issue was that Autopsy does not allow plugins to have outside libraries that have native code. This meant that even if we did succeed in getting the Google Vision API installed, Autopsy would not have let it run.
To compromise, we built this script that can:
- Take in an image file
- Mount it (which makes it window-compatible only)
- Walk through the file system
- Find all the images
- Send the images to be analyzed by the Google Vision API
- Report all the labels to the user and allow the user to search through said labels.
- Show the images themselves along with the label that was generated.
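The walk, find, label and search steps above, as an added example that is not the project's own code: it identifies png/jpg/gif files by header signature rather than by extension, records a SHA-256 for each file, and builds a searchable label index. The names `sniff_image`, `index_images`, `search` and `label_fn` are hypothetical; `label_fn` stands in for the Google Vision API request so the example runs offline.

```python
import hashlib
import os
from collections import defaultdict

# Header signatures for the three formats the page names (png, jpg, gif).
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
              b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff_image(path):
    """Return 'png', 'jpg' or 'gif' based on the file header, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:  # unreadable entries are common on mounted evidence
        return None
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def index_images(mount_point, label_fn):
    """Walk mount_point, label every image, return (records, label index)."""
    records, index = [], defaultdict(set)
    for root, _dirs, files in os.walk(mount_point, followlinks=False):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):  # a link in evidence may point at the host
                continue
            kind = sniff_image(path)
            if kind is None:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            labels = [l.lower() for l in label_fn(data)]  # assumed: bytes -> list of str
            records.append({"path": path, "type": kind, "labels": labels,
                            "sha256": hashlib.sha256(data).hexdigest()})
            for label in labels:
                index[label].add(path)
    return records, index


def search(index, term):
    """Case-insensitive substring match on labels; returns sorted unique paths."""
    term = term.lower()
    return sorted({p for label, paths in index.items() if term in label for p in paths})
```

Matching on signatures catches an image renamed to another extension and skips a non-image that merely carries an image extension; the per-file hash lets a hit be tied back to the same file in Autopsy.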
Recommended Use
We believe that this is a valuable tool for forensics experts who are interested in applying Google's powerful machine learning techniques to the world of digital forensics. Rather than being used as an ingest module from within Autopsy, we suggest that users run this program alongside Autopsy and use its results to better understand the case at hand.