Forensic recovery

What is forensic recovery?

The main principle of forensic recovery is repeatability. The GPR software works to conform. The other very important aspect is that nothing is ever changed.

A very important part of GPR software is the log. All versions of the software see the basic features, but for forensic opertion there are two very important additions - fragments and MD5 hash values.

Fragments
A typical GoPro, or DJI video will be saved in often a few hundred fragments. By clicking on the frgament column in the log, the forensic version of the software will display all fragment locations. This means that if it was required, a third party could take the same basic chip image and generate the same video file using the information in the log.
log_extract

This extract from the log shows file names, and also the fragment count.
When the frgament count is clicked in the Forensic version, this is expanded to give each fragment detail - as below
In the example above we can see the sectors that each fragment is found, and the length, in sectors, or clusters of the fragment

Hashing
With the forensic option, every file is hashed with an MD5 hash. An MD5 hash value that is in effect unique for a specific file. If even a single bit is changed, the hash value will be totally different. The advantage of this is if a file is transmitted, or copied anywhere, as long as the hash value is the same, then we know the file has not been changed on transmission. Also, for evidence, it means that the file has not been edited or changed in anyway. The Hash value is a 16 byte number, normally displayed as a Hex string

E01 files
Many forensic investigations start by imaging a device and creating an .E01 file. This is a compressed file, but also has many securoty features built in. In effect, it is not possible to tamper with the data within the file. The forensic version of GPR will read these files in the same way as a normal image file.