Victim ID - Skills Check Flashcards
Victim ID Summary
- One of the most important aspects of online CSA investigation. Has massive prevention role, as well as identifying perpetrators, preventing further child absue and harm. It is an international issue and process.
- First step is to compare the hash values with your national or international database (CAID). Is it a known image or not a known image. If known then victim may already have been identified. Remember images usually come in ‘series’.
- Work on copies!!
- Triage based on victim, triage based on offender, triage based on background.
Are the images ‘old’ or current? Do they contain ‘clues’ or ‘no clues. Prioritise full analysis of images that appear to contain clues.
Analysis of material
3 main areas of analysis:
- CONTENT Analysis
- METADATA Analysis
- COLLECTION Analysis
CONTENT ANALYSIS
Analysising the content of the file. Examine, the victim, the background and the offender in turn.
What can you see, flip / rotate image, examine background details as well as the subject of the image. Zoom in and use automated visual searches to assist (but don’t rely). Can you obtain any location info / plug sockets / language info, time of year, identifying marks / scars tatoos etc, vehicles, dates, clothing premises / examine systematically and try to corroborate any finding with other sources.
If video extract the audio and examine seperately.
METADATA Analysis
Remember metatdata can be manipulated. Do not rely on it, use it as an intelligence tool then try to corroborate or refute it.
EXIF data includes:
- Camera make & model (searches post arrest)
- Camera serial numbers, lens info, shutter info, flash (can link different images to one camera - can ‘age’ the image / provide a location potentially).
- Date & time digitised / modified. Remember these depend on the device settings / time zone etc.
- Software used / manipulation
- File format (may provide device info)
- Compression info
- GPS data
COLLECTION ANALYSIS
This is viewing the files in situ in the native environment. What can their collection tell us about the offender / Victim.
Where are they stored?
Folder Structure? Organised / disorganised?
Service used to store? Cloud based? Accidental download? Are there more images from the same series? Chat logs between offender & victim or offender and offenders - can we ID anyone?
File names. Automated or has the offender re-named them. Do names give clues to devices or software used or names of series / victims?
Victim ID Reports
- Professional
- work on copies
- add notes to images
- be clear concise and sure
- if in doubt leave it out
-be systemmatic and use headings
International Tools to facilitate VicID
International vic ID network
Interpol set up ICAID International Child Exploitation database developedICSE international Child Sexual Abuse Database - UK has CAID that feeds directly into ICSE
60 countries are feeding into ICSE plus Europol
Photo DNA has a process used to identify copies online, not using traditional hash algorithms, but it hashes it by converting it to black and white & uniform size, then breaking it up into tiny squares and assigns a number to each square based on the unique shading within each square. Works even if image is resized or colours altered hash is same.
Microsoft use it on the azure cloud.
Cloudflare have similar scan to check your website hosted by them to scan for CSAM
National strategy
IWF does victim ID work as well
NCMEC massive hash sets - deconflicfion between agencies and countries.
Project Vic - national system called ICACS
Victim ID workshops run internationally,
Interpol has Victim ID mobile Lab
Eurpol runs specialist Vic ID conferences where they can share and work together on different series
National hash sets, photodna
