by pipeline_tux 5553 days ago
There are two common approaches that forensics tools use:

1) It could be scanning the file system and looking for all files (both present on the drive and deleted) which have an image extension on the filename (.jpg, .gif, etc.). The advantage of this approach is speed.

2) It could be going through looking at the raw data on the hard drive, and searching byte-by-byte for the magic headers at the start of every image file. For example, all GIF files start with GIF87a or GIF89a. This approach takes much longer, but would find all files (possibly even ones deleted years ago, well before the current OS install), and works irrespective of which operating systems are installed.

Given the screenshot, I'm guessing it takes the first approach.

EDIT: There are open source tools for Linux which take the second approach... Probably the best is called Foremost.

1 comments
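The second approach from the post above (a byte-by-byte search for magic headers), as an added example that is not part of the thread and is not Foremost's code. It goes beyond the GIF case by also including the published JPEG and PNG signatures and pairing each header with a footer; the sample "disk" bytes, the 10 MiB size limit and the function names are constructed assumptions.

```python
# Header/footer signatures. The GIF headers are the ones named in the post;
# the JPEG and PNG entries are added from those formats' published signatures.
SIGNATURES = {
    "gif": ([b"GIF87a", b"GIF89a"], b"\x00\x3b"),
    "jpg": ([b"\xff\xd8\xff"], b"\xff\xd9"),
    "png": ([b"\x89PNG\r\n\x1a\n"], b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed upper bound on one carved file


def carve(data, max_size=MAX_SIZE):
    """Scan raw bytes for image headers, ignoring any file system metadata.

    Returns a list of (offset, kind, blob) sorted by offset. blob is None when
    a header is found but no footer follows within max_size (for example a
    partially overwritten deleted file).
    """
    hits = []
    for kind, (headers, footer) in SIGNATURES.items():
        for header in headers:
            start = data.find(header)
            while start != -1:
                end = data.find(footer, start + len(header), start + max_size)
                blob = data[start:end + len(footer)] if end != -1 else None
                hits.append((start, kind, blob))
                start = data.find(header, start + 1)
    return sorted(hits, key=lambda hit: hit[0])


def build_sample():
    """Constructed stand-in for a raw disk image (not real image files)."""
    gif = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"constructed" + b"\x00\x3b"
    jpg = b"\xff\xd8\xff\xe0" + b"constructed" + b"\xff\xd9"
    pad = b"\xaa" * 512  # filler standing in for unrelated sectors
    # The trailing GIF87a header has no footer: a truncated remnant.
    return pad + gif + pad + jpg + pad + b"GIF87a" + b"cut off", gif, jpg


if __name__ == "__main__":
    image, _, _ = build_sample()
    for offset, kind, blob in carve(image):
        size = len(blob) if blob is not None else "no footer found"
        print(f"offset {offset:>6}  {kind}  {size}")
```

Because the scan never consults directory entries or file names, it finds the constructed files regardless of extension, which is also why it is slower than the first approach on a real drive.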

I may have misread, but wasn't the "clever bit" the part that tried to detect if an image was pornographic? (As opposed to just being an image.)

I suppose it could look for fleshtone colors or something; perhaps over a certain % of total, or if the fleshtoned pixels are "bunched up" in certain blobs of areas or something.

Yep, that's pretty much how they work. I can't find the details of it now, but the "smart" ones also do some colour transformations on the image so detection will work irrespective of what race the people in the porn are.