In our previous article, we described the call for automation in Digital Forensics and what can be automated within Belkasoft X. In this text, we would like to go through the ways that our customers are able to couple Belkasoft X with Amped FIVE.

Why Amped FIVE?

Amped FIVE is the product of an Italian company called Amped Software, renowned for developing solutions for the analysis and enhancement of images and videos for forensic, security, and investigative applications. While Belkasoft X has a wide range of media forensics features, the Amped FIVE product is much more focused on them. In particular, you can employ various picture and video enhancement techniques, measure object sizes, and even read the unreadable, such as recovering license plate numbers from a blurry or low-quality video.

For these reasons, Belkasoft has linked arms with Amped Software so that customers who need in-depth media forensics analysis capabilities can export pictures and videos recovered by Belkasoft X to Amped FIVE.

How-To

Before creating your Amped FIVE workflow, refer to our previous article to learn how you can acquire and analyze an image with Belkasoft X.

To export your media files, the best option to select is the Semantics 21 format (S21). You can use our Automation Configurator tool to select this option.

As a result, all media files from your case will be exported. Under the target report folder, you will find an XML file named after your case, for example, "Digital Forensic Case.xml", and a subfolder called "Files".

The XML file describes all the media files exported, while the actual files are stored under the Files subfolder. Now, you are ready to run Amped FIVE and continue your analysis.

If your goal is to review all of the exported files, you can simply add the folder to Amped FIVE with this command:

five.exe "C:\Cases\Digital Forensic Case\Reports\Files"

You can iterate over the files listed in the XML or, if you have other search criteria, implement that logic in the script that ties Belkasoft and Amped together. In this case, you can add one or multiple files according to your criteria:

five.exe /i "C:\Cases\Digital Forensic Case\Reports\Files\img1.jpg"

This will open a single file called img1.jpg.

pushd "C:\Cases\Digital Forensic Case\Reports\Files\"
five.exe /i "img1.jpg|img2.jpg|img3.jpg"

This small batch script first "remembers" the report folder so that we can use relative paths instead of full paths, and then opens the three pictures listed inside the quotation marks in Amped FIVE.

Adding video files has the exact same syntax. The tool supports adding mixed contents as well (both video and picture files).

At the time of this writing, Amped FIVE does not support unattended execution. The commands above will open the tool and add the referenced media files within its user interface. This is still, however, a good time saver when you work with a handful of cases involving media forensics.
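The selection logic mentioned above, as an added example that is not Belkasoft's or Amped's own code: a Python script that picks media files from the exported Files folder by extension and minimum size, records a SHA-256 per file, and builds the pipe-separated five.exe /i arguments in batches. The extension list, the size threshold, the 8000-character cap and the --launch switch are assumptions, as is five.exe being on PATH as in the commands above.

```python
import hashlib
import subprocess
import sys
from pathlib import Path

# Assumption: extensions treated as media; adjust to the case at hand.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".bmp", ".mp4", ".avi", ".mov"}
# Assumption: keep each /i argument under the 8191-character cmd.exe line limit.
MAX_ARG_CHARS = 8000


def select_media(files_dir, min_bytes=1):
    """Sorted names of media files in files_dir that are at least min_bytes."""
    return sorted(p.name for p in Path(files_dir).iterdir()
                  if p.is_file() and p.suffix.lower() in MEDIA_EXTS
                  and p.stat().st_size >= min_bytes)


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large videos are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def build_commands(names, max_chars=MAX_ARG_CHARS):
    """Split names into pipe-separated /i arguments of at most max_chars each."""
    batches = [[]]
    for name in names:
        if batches[-1] and len("|".join(batches[-1] + [name])) > max_chars:
            batches.append([])
        batches[-1].append(name)
    return [["five.exe", "/i", "|".join(b)] for b in batches if b]


if __name__ == "__main__":
    files_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    names = select_media(files_dir, min_bytes=1024)  # hypothetical criterion
    for name in names:
        print(sha256_file(Path(files_dir) / name), name)
    for cmd in build_commands(names):
        print(subprocess.list2cmdline(cmd))
        if "--launch" in sys.argv:  # cwd stands in for pushd
            subprocess.Popen(cmd, cwd=files_dir)
```

Without --launch the script only prints the hashes and the command lines, which gives a record of exactly which files were handed from one tool to the other.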

Conclusion

Automation and, particularly, unattended execution provide a DFIR examiner with multiple benefits, including the integration of tools from different vendors. In this article, we gave a brief walkthrough of how to couple Belkasoft X and Amped FIVE, a prominent media forensics software.

Starting with the X Forensic edition, Belkasoft X comes standard with built-in automation at no extra cost. You can easily configure multi-step workflows with a simple configurator tool included within the product package, which includes media files export and import options to other tools. You can create your own batch files or scripts to achieve more complex workflows, involving multiple DFIR products.
