This script searches specified items with a view to finding Exif picture files containing Global Positioning System (GPS) data.
The examiner can choose to search all items, those that are selected, tagged, or those that are entries representing unallocated clusters. Note that the option to parse items that are selected in the current view does not work with records.
Be careful when parsing deleted or deleted-overwritten files, and also areas of unused disk space. These may contain corrupt data, which can cause the script to crash and/or cause EnCase to hang due to excessive memory usage. If this happens you will need to re-run the script without processing the problematic areas. The console output can help you to determine these, either in EnCase or, if the program crashes, using the console log-files in `%USERPROFILE%\Documents\EnCase\Logs`.
The examiner can choose to have the script specifically identify pictures whose Exif GPS coordinates are located within a specified distance (in kilometres) from a designated point.
Subject to additional filtering (see below), any occurrence of an Exif picture will be bookmarked and checked to see if the data that follows contains GPS information. The script will bookmark an Exif picture into one of three bookmark folders depending on (a) whether it contains any GPS coordinates and (b) whether those coordinates fall within the geographical range specified by the examiner. If no range is specified then every Exif picture with GPS coordinates will be placed in the 'In Range' bookmark folder.
Any GPS information found for pictures that are 'in-range' will be written to a single Keyhole Mark-up Language (KML) file that can be opened using Google Earth. The examiner is required to specify the path to the file when the script runs; he/she can also opt to export the associated picture so that a thumbnail of it can be seen from within Google Earth. Note that the latter option is not possible with pictures from unallocated clusters or with pictures embedded within other files.
In order to display HEIC pictures in Google Earth, the examiner must choose to convert them to JPEG, which will lengthen processing time. If the examiner disables this option, an empty placeholder will be displayed.
The KML file written by the script can be opened using the online version of Google Earth or the installable application.
Please note that the online version of Google Earth cannot display the photos extracted by the script because it does not have access to the examiner's local file-system.
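The range test and KML output described above, as an added worked example in Python. This is illustration code written for this page, not the EnScript itself and not code from the script's author. It assumes the GPS IFD tags have already been parsed into a dictionary of Exif rationals, uses the haversine great-circle formula for the distance check (the page does not say how the script measures distance), and the folder names 'No GPS' and 'Out of Range' are assumed; only 'In Range' is taken from the page. The sample pictures are constructed, including one with a corrupt zero-denominator rational of the kind an overwritten file can yield.

```python
import math
import xml.etree.ElementTree as ET

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius used by the haversine formula

# Bookmark folder names: 'In Range' is the name used by the script's documentation;
# the other two are assumed names for this example.
FOLDER_NO_GPS, FOLDER_IN_RANGE, FOLDER_OUT_OF_RANGE = "No GPS", "In Range", "Out of Range"


def dms_to_decimal(dms, ref):
    """Convert three Exif rationals (deg, min, sec), each a (numerator, denominator)
    pair, plus the hemisphere reference ('N', 'S', 'E', 'W') to signed decimal degrees."""
    deg, minutes, seconds = (num / den for num, den in dms)
    value = deg + minutes / 60.0 + seconds / 3600.0
    return -value if ref in ("S", "W") else value


def exif_gps_to_latlon(gps_tags):
    """Return (lat, lon) from a dict of Exif GPS IFD tags, or None when the GPS data is
    absent, incomplete or corrupt (e.g. a zero denominator from an overwritten file)."""
    try:
        lat = dms_to_decimal(gps_tags["GPSLatitude"], gps_tags["GPSLatitudeRef"])
        lon = dms_to_decimal(gps_tags["GPSLongitude"], gps_tags["GPSLongitudeRef"])
    except (KeyError, TypeError, ValueError, ZeroDivisionError):
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def haversine_km(p, q):
    """Great-circle distance in kilometres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def classify(pictures, centre=None, radius_km=None):
    """Sort (name, gps_tags) pairs into the three bookmark folders. With no centre/radius
    every picture that has usable coordinates goes to 'In Range'."""
    folders = {FOLDER_NO_GPS: [], FOLDER_IN_RANGE: [], FOLDER_OUT_OF_RANGE: []}
    for name, gps_tags in pictures:
        latlon = exif_gps_to_latlon(gps_tags)
        if latlon is None:
            folders[FOLDER_NO_GPS].append((name, None))
        elif centre is None or radius_km is None or haversine_km(centre, latlon) <= radius_km:
            folders[FOLDER_IN_RANGE].append((name, latlon))
        else:
            folders[FOLDER_OUT_OF_RANGE].append((name, latlon))
    return folders


def build_kml(in_range, thumbnails=None):
    """Return a KML document (as a string) with one Placemark per in-range picture.
    thumbnails maps picture name -> local path of an exported JPEG to show in the balloon."""
    ns = "http://www.opengis.net/kml/2.2"
    ET.register_namespace("", ns)
    kml = ET.Element(f"{{{ns}}}kml")
    doc = ET.SubElement(kml, f"{{{ns}}}Document")
    for name, (lat, lon) in in_range:
        placemark = ET.SubElement(doc, f"{{{ns}}}Placemark")
        ET.SubElement(placemark, f"{{{ns}}}name").text = name
        if thumbnails and name in thumbnails:
            # Google Earth renders HTML in the description; ElementTree escapes it safely.
            ET.SubElement(placemark, f"{{{ns}}}description").text = (
                f'<img src="{thumbnails[name]}" width="200"/>')
        point = ET.SubElement(placemark, f"{{{ns}}}Point")
        # KML orders coordinates longitude,latitude,altitude
        ET.SubElement(point, f"{{{ns}}}coordinates").text = f"{lon:.6f},{lat:.6f},0"
    return ET.tostring(kml, encoding="unicode")


# Constructed sample input: GPS IFD tags as the script would parse them from each picture.
SAMPLE_PICTURES = [
    ("IMG_0001.jpg", {"GPSLatitudeRef": "N", "GPSLatitude": ((51, 1), (30, 1), (2600, 100)),
                      "GPSLongitudeRef": "W", "GPSLongitude": ((0, 1), (7, 1), (39, 1))}),
    ("IMG_0002.jpg", {"GPSLatitudeRef": "N", "GPSLatitude": ((48, 1), (51, 1), (30, 1)),
                      "GPSLongitudeRef": "E", "GPSLongitude": ((2, 1), (17, 1), (40, 1))}),
    ("IMG_0003.jpg", {}),  # Exif present but no GPS IFD
    ("IMG_0004.jpg", {"GPSLatitudeRef": "N", "GPSLatitude": ((51, 0), (0, 1), (0, 1)),
                      "GPSLongitudeRef": "E", "GPSLongitude": ((0, 1), (0, 1), (0, 1))}),  # corrupt
]

if __name__ == "__main__":
    folders = classify(SAMPLE_PICTURES, centre=(51.5, -0.12), radius_km=50)
    for folder, entries in folders.items():
        print(folder, [name for name, _ in entries])
    print(build_kml(folders[FOLDER_IN_RANGE], thumbnails={"IMG_0001.jpg": "C:/Export/IMG_0001.jpg"}))
```

With the 50 km range around (51.5, -0.12) the first picture lands in 'In Range', the second (some 340 km away) in 'Out of Range', and the two without usable coordinates in 'No GPS'; without a centre and radius both located pictures go to 'In Range', matching the behaviour described above. The thumbnail path in the description is a local file path, which is why the online version of Google Earth cannot show the exported pictures.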
It's important to remember that the GPS information embedded within an Exif image will only be as good as the accuracy of the GPS fix at the time the picture was taken.
An additional data bookmark will be created in order to store the Exif metadata that's been parsed for each picture. This data can be filtered so that only Exif tags with a given name or ID will be included. In most cases the name will have the same value as the ID but there are two exceptions to this:
- The first exception is where an unknown tag is encountered. When this happens, the tag-name property will contain the hex value of the tag-id so that the examiner can still search for that value should he or she know of its significance.
- The second exception is where the examiner has chosen to use one or more custom tag names; these names will override the default Exif tag-names shown in bookmarks created by the script; they will also be used for the purpose of filtering. Custom tag-names can be entered manually; they can also be imported from a tab-delimited text file.
Note that Exif GPS tag information will always be shown for any picture that contains it regardless of the name/ID filter-condition that's been set. The examiner does however have the option of hiding detailed GPS information so that only the latitude and longitude will be shown.
In addition to being able to filter the tags that are bookmarked, the examiner can choose to bookmark an image only if it contains a tag matching a secondary filter, one based on value. This allows, for instance, the examiner to target pictures taken by a particular make or model of camera.
It's important to note a few things with regard to the value filter.
- Firstly, this filter will only be applied to metadata tags that have passed the name filter. Taking this into account, there's no point testing the value of the camera-model tag as part of the value filter if the examiner hasn't opted to include that tag in the name filter.
- Secondly, it's not possible to test a combination of tags. You can't, for instance, check to see if the camera make is 'Apple' and the camera model is 'iPhone'.
- Lastly, the value-filter is evaluated on an inclusive `OR` basis. This means that a picture will be bookmarked if just one of the tags that it contains is evaluated as true when examined by the filter.
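The name filter, custom tag names, unknown-tag naming and the inclusive-OR value filter described in this section and the preceding one, as an added worked example in Python. This is illustration code written for this page, not the EnScript and not code from the script's author. It assumes each parsed tag is available as an (ID, is-GPS, value) triple, a tab-delimited custom-name file of the form `id<TAB>name`, a regular-expression value filter, and that GPS tags (always shown) are not themselves tested by the value filter; the sample tags are constructed and 0xBEEF is a made-up unknown tag ID.

```python
import re

# Subset of the standard Exif 0th-IFD tag IDs (real values; the full Exif table is far larger).
DEFAULT_TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
# GPS IFD tags have their own ID space, so each parsed tag carries an is_gps flag.
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef",
                 0x0004: "GPSLongitude", 0x0005: "GPSAltitudeRef", 0x0006: "GPSAltitude"}
LATLON_ONLY = {"GPSLatitudeRef", "GPSLatitude", "GPSLongitudeRef", "GPSLongitude"}


def load_custom_names(text):
    """Parse a tab-delimited file of 'tag-id<TAB>name' lines (assumed format; IDs may be
    written as 0x-prefixed hex or decimal). Blank lines and '#' comments are ignored."""
    names = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag_id, name = line.split("\t", 1)
        names[int(tag_id.strip(), 0)] = name.strip()
    return names


def tag_name(tag_id, is_gps, custom_names):
    """Custom names override the defaults; unknown IDs are named by their hex value."""
    if is_gps:
        return GPS_TAG_NAMES.get(tag_id, f"0x{tag_id:04X}")
    if tag_id in custom_names:
        return custom_names[tag_id]
    return DEFAULT_TAG_NAMES.get(tag_id, f"0x{tag_id:04X}")


def evaluate_picture(tags, custom_names=None, name_filter=None, value_pattern=None,
                     hide_gps_detail=False):
    """tags: list of (tag_id, is_gps, value). Returns (bookmark, rows): rows are the
    (name, value) pairs that would go into the data bookmark; bookmark says whether the
    picture passes the value filter, evaluated as an inclusive OR over the tags that
    passed the name filter. name_filter may hold tag names or '0x....' IDs."""
    custom_names = custom_names or {}
    if name_filter is not None:
        name_filter = {str(entry).lower() for entry in name_filter}
    pattern = re.compile(value_pattern, re.IGNORECASE) if value_pattern else None
    rows, value_hit = [], pattern is None
    for tag_id, is_gps, value in tags:
        name = tag_name(tag_id, is_gps, custom_names)
        if is_gps:
            # GPS tags are always shown regardless of the name filter; the detail toggle
            # keeps only the latitude/longitude tags. They are not value-tested here.
            if not hide_gps_detail or name in LATLON_ONLY:
                rows.append((name, value))
            continue
        if name_filter is not None and not (name.lower() in name_filter
                                            or f"0x{tag_id:04x}" in name_filter):
            continue  # failed the name filter, so it never reaches the value filter
        rows.append((name, value))
        if pattern is not None and pattern.search(str(value)):
            value_hit = True
    return value_hit, rows


# Constructed sample: the tags one picture might yield (0xBEEF is a made-up unknown tag).
SAMPLE_TAGS = [
    (0x010F, False, "Apple"),
    (0x0110, False, "iPhone 12"),
    (0x0131, False, "15.1"),
    (0xBEEF, False, b"\x01\x02"),
    (0x0001, True, "N"),
    (0x0002, True, ((51, 1), (30, 1), (26, 1))),
    (0x0003, True, "W"),
    (0x0004, True, ((0, 1), (7, 1), (39, 1))),
    (0x0006, True, (35, 1)),
]

if __name__ == "__main__":
    custom = load_custom_names("0x0110\tCameraModel\n")
    hit, rows = evaluate_picture(SAMPLE_TAGS, custom, name_filter={"Make", "CameraModel"},
                                 value_pattern="iPhone", hide_gps_detail=True)
    print("bookmark:", hit)
    for name, value in rows:
        print(f"  {name} = {value!r}")
```

The first caveat above falls out of the control flow: with a name filter of just `Make`, the `Model` tag is skipped before the value filter ever sees it, so a value filter of `iPhone` produces no bookmark. Once `Model` (or its custom name `CameraModel`) is in the name filter, a single matching tag is enough, which is the inclusive-OR behaviour, and there is no way to express "make is Apple AND model is iPhone" in this scheme.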
Please note that this EnScript incorporates the ImageMagick library authored by Dirk Lemstra. The library has been made available under the terms of the following licence:
Last updated using EnCase 22.3.
This script was developed for use in EnCase training. For more details, please click the following link: