Revolutionize Your CSAM Investigations with ArtifactIQ by Grayshift

Debbie Garner, Solutions Evangelist — Debbie Garner
Grayshift Solutions Evangelist

Child Sexual Abuse Material (CSAM) is an overwhelming problem in today’s digital age. With over 6.5 million smartphone users worldwide, coupled with 29.3 million reports of suspect child sexual exploitation in 2021, the use of mobile devices in CSAM-related cases is inherently on the rise. With the rise of technology, especially mobile phones, it has become easier for predators to access, collect, distribute, and produce this material. Law enforcement agencies are constantly battling against this issue, striving to bring justice to the victims and prosecute the perpetrators. But, with the right tools, you can increase your chances of solving cases faster and more efficiently.

We realize that as experienced investigators, you know how to investigate child sexual exploitation investigations. ArtifactIQ by Grayshift can help your investigations become more efficient and in this blog we’ll explain how.

What is ArtifactIQ?

ArtifactIQ is a cloud-based analytics tool designed to help examiners and investigators look at the most common categories extracted from mobile devices and easily share that information with those that need it. When a phone is connected to GrayKey and access is achieved, data is available for collection and analysis. A traditional mobile device collection workflow requires saving the extraction and uploading the data into analysis software. With GrayKey and ArtifactIQ you can simultaneously collect and upload the data to the cloud. Once ArtifactIQ receives the data, it shows some of the most important categories found in mobile devices in an easy-to-use interface so that investigators can review and get the information they need quickly. This new workflow enables users to analyze large amounts of data quickly. Another amazing feature of ArtifactIQ is collaboration. You can share the extracted data immediately with other investigators all within the user interface.

The Scenario

You obtained information related to CSAM distribution while running peer-to-peer (P2P) software. Once you seize the suspect’s device, you connect it to GrayKey and start the extraction while simultaneously sending extracted data to ArtifactIQ. Instead of having to wait for the extraction to complete and then upload to an analysis solution, you can begin analyzing those artifacts in minutes.

Let’s look at readable information and features in ArtifactIQ and discuss some tips on using them in your CSAM investigations.

TIMELINE

ArtifactIQ’s interactive timeline allows you to view messages, photos,, contacts, location data, and call details all at the same time in an organized format. This will provide the ability to view pieces of seemingly separate information and make connections more easily.

Read more about the importance of having a timeline overview and drilling down into specific moments by reading this blog.

CSAM Investigation Tips

Using the timeline feature inside AIQ, you can view pieces of information that specifically relate to your cybertip or P2P download. ArtifactIQ allows you to isolate specific dates and times within the timeline so you can focus on the evidence that matters to your CSAM, online enticement, or child sex trafficking case. By drilling down to specific dates and times related to your specifc cybertip, P2P download or chat, you can focus on specific clues – saving you even more time by focusing on what is important.

ArtifactIQ User Tips

Top Contacts show a roll-up count of the total number of messages sent and received from that contact.
Filter by source to view contacts by application
Keyword search for a specific contact name or phone number
Click on a contact to open a clue detail pane for additional details

CONTACTS

When selecting the Contacts menu, you will see all the contacts from the native phone contacts address book and supported 3^rd party applications*. The contacts list will display the contact’s name and phone number, the total message count between the owner and the contact, the last message sent date/time stamp, and the source of contact. Learn more about contacts in ArtifactIQ.

CSAM Investigation Tips

Sometimes predators document their different personas in their own contacts. They may add their fake names, usernames, and email addresses associated with those personas.
Contacts could reveal like-minded individuals communicating or trading CSAM images or grooming strategies.

ArtifactIQ User Tips

Top Contacts show a roll-up count of the total number of messages sent and received from that contact.
Filter by source to view contacts by application
Keyword search for a specific contact name or phone number
Click on a contact to open a clue detail pane for additional details

MESSAGES AND CALLS

The Messages menu populates messages from native phone SMS/MMS and 3^rd party applications*. Messages are grouped by Contact/Contact Group and appear in date/time order. The Conversation view shows messages for Contact/Contact Group. Read more about the Calls Category in ArtifactIQ.

CSAM Investigation Tips

Native text messages between a child and offender would be important in any CSAM case – as would the messages between multiple offenders sharing images and information. ArtifactIQ also pulls 3rd party application messages and places them in the Messages in ArtifactIQ ,which can reveal in-app messages alongside native text messages.
Predators have been known to move victims to another communication application than the one where they initiated contact. ArtifactIQ allows you to see when and how this occurred.

ArtifactIQ User Tips

Search for phrases or a specific contact name or identifier across all messages with the Keyword search.
Filter messages by date or time range.
Filter messages based on the source like native SMS/MMS or 3^rd party application.
Click on an individual message to open the Clue Detail pane to gain more detail
From the Clue Detail pane, mark the message with the “Tag as Important” and add your notes to artifact for quick access later.
Make sure to view attached images within messages and if needed, you can flag the image as explicit.

LOCATION DATA

When you select the Location menu, you’ll see location data in an easy-to-read format that shows artifacts like Significant Locations, Photo Locations, WiFi Connections, GPS, Cell Tower, and Media GPS Metadata on a visual map.

CSAM Investigation Tips

Was a suspect at the victim’s residence, hotel or another location on a particular date and time? Location data would be critical in cases where a child has met with an adult for sexual purposes or a child has been abducted.
Was that device at the upload location for a CSAM image on the date and time of the upload? If you have an IP address provided in a cybertip or gathered during a P2P investigation and have identified the physical address corresponding to the IP address, you can compare the data to the extracted location data and potentially determine the location where a file or image was uploaded or distributed.
This data can also be compared with GPS coordinates in EXIF data and used to place an offender in the same place a photo was taken.

ArtifactIQ User Tips

Zoom in and out of the map to show additional details. As you zoom in, location data becomes more granular.
Filter only to show locations in a displayed area or to only look at locations over a certain date and time range.
Filter results based on source data like location details from photo records, Wi-Fi connections, or locations of interest to name a few.
Click on a location to open the Clue Detail Pane for additional details.
Use the Location Search to search for specific addresses

MEDIA AND IMAGES

The Media menu displays images from the native photo library and 3^rd Party Applications. ArtifactIQ provides media categories as it parses and displays the images. Read more about the importance of media and images.

CSAM Investigation Tips

Media and images are the main source of evidence in CSAM cases. Whether it is possession, distribution, or production of CSAM, finding the actual images on the phone will likely result in arrest.
Images may also help identify a child or identify the location where a child may be. They may also reveal additional victims.

ArtifactIQ User Tips

You can use the “Detect CSAM” function in ArtifactIQ to compare images from the phone to known CSAM hash sets. If you have a Pro ArtifactIQ license, you can compare images to our unique artificial intelligence in addition to known hash sets which assists in finding possible CSAM that is not in the known hash sets.
Downloaded images automatically flagged as explicit and are not shown. One must click on “Click to View” before the image can be seen. No CSAM images will automatically be shown so that persons who should not or don’t want to see these images will not have to view them.
Filter images by date and time to narrow your search
Enter a keyword category to search for items inside a photograph
Filter images by date and time range
Click on an image to open the Clue Detail Pan to display more details about the image like hash value, media source, file paths, modified date and time, and more.

ArtifactIQ by Grayshift is the ideal tool for investigators looking to investigate CSAM cases efficiently. It provides an intuitive interface and advanced features like cloud-based storage, secure protocols, and quick data analysis that can save time during investigations. Additionally, when used with GrayKey, it can even analyze data as it is extracted – further streamlining the process.

To learn more about how this powerful platform can help with your investigations, take a product tour and explore the full range of possibilities ArtifactIQ has to offer.

*As of May 2, 2023, ArtifactIQ supports the following 3^rd Party Applications: Facebook, Instagram, Snapchat, WhatsApp, and Signal. Use the Installed Apps table within ArtifactIQ to review the level of support ArtifactIQ offers. To learn more about the Installed Apps table, visit support.grayshift.com.