At the Cliffs Edge

I tend to not write too much these days, as many of the tips and tricks that I once researched and then publicized are now redundant. Forensic Video Software has caught up and often far exceeds what can be done using a handful of open-source and consumer applications.

However, I will always use this site as a home to air my concerns with the Forensic Video Community, and the legal systems that we serve.

For the UK, I believe that the investigation of Digital Multimedia Evidence (DME) is at the cliff’s edge. We can either allow it to fall, or we can pull it back and save it from becoming inadmissible, discredited, misinterpreted evidence.
It has taken years for multimedia, and in particular video, to be taken seriously within Digital Forensics, but it is still commonly mishandled, poorly understood and disrespected as a piece of evidence.

The purpose of this rather lengthy post is to hopefully help in avoiding possible complications in the future and to ensure that the guidance published is clear and correct. I am passionate about professionalizing the role of Forensic Video Technician and Analyst and, as such, I cannot sit back and watch as mistakes are made.

After reviewing, several UK officers and staff have commented that although accurate, it may come across as a bit of a rant. Well, if it avoids a miscarriage of justice in the future, then my rant would have been worthwhile!

So, what has prompted this rather lengthy post today?

The new Digital Imaging and Multimedia Procedure (v.3.0) published by The Defence Science Technology Laboratory (DSTL), The Ministry of Defence (MoD), and the National Police Chiefs Council (NPCC). To summarize my main concern: the guidance that a working copy of a master video exhibit can be an edited, enhanced, transcoded version is wrong and could be detrimental during an investigation and any legal proceedings.

Digital Imaging and Multimedia Procedure (v3.0)

The original Digital Imaging Procedure was always a particularly good guidance document for UK Policing to refer to, but back in 2007 the research, study and understanding of Digital Video was only just beginning. As a consequence, there were some glaring errors that I soon became aware of after receiving training and conducting self-study. Technology has moved on and it was well known that the document was in need of a big update. The adding of the ‘Multimedia’ wording was also a vital and welcome move. However, I believe the relevance and importance in today’s legal landscape has been largely underestimated. It has been written in a way that allows far too much flexibility in the interpretation of the guidance, and this is where mistakes can be, and already are being, made. The errors in the original 2007 document are still there, and their impact will now be much bigger. There are several slightly confusing paragraphs that conflict with other published guidance (I will link to all documents at the end). It is not possible to go into all of these here and now, but let’s take this one for instance:

Compression (Page 8)
“If image or associated audio data is being presented as evidence and illustrates the facts of the offence then it is evidentially irrelevant whether the data has been compressed or not. What is important is the content of the data should be fit for purpose and that the quality is adequate.
It should be noted that various transmission methods used throughout the capture, retrieval and replay chain may adversely affect the quality of the data and steps should be taken to mitigate this.”

My opinion is that it is evidentially relevant if the compression or capture method affects the question being asked of the image. (In this document they use the word image for both still image and video).
The compression is relevant if required to be analysed to prove authenticity of the visual representation. Movement, use of force, speed, gait, detail… everything – They are all affected by the compression used. IT IS RELEVANT!
Quality is highly subjective, and may be good to answer one question but not good to answer another. Acquisition of the original master evidence should not adversely affect the quality of the data as guidance clearly states that the master should be a bit-for-bit copy of the data as it was at initial creation. Any person deciding to use as master evidence anything other than the first recorded data must have the competency to detail the limitations of the process used and have consideration for the rules on disclosure.

I could continue, but I need to move onto the biggest problem in this document, the flowchart.

At the end of this flowchart it states, “For further explanation use accompanying notes and refer to force policy”.
OK, but Force Policies will usually be written or altered using published guidance so the details in this flowchart must be correct. And they are not (IMO)!
Stages 1-5 are all fairly standard, with no major issues.

At stage 6 we have ‘Define Master and produce Working Copy when required.’ Doesn’t sound too difficult does it?

There is no need to dive too deeply into what the Master is. For DME, it is the data first created and acquired. It could be the still image from a cellphone, a voice message stored on a web server, or a CCTV recording stored on a Digital Video Recorder (DVR). That data is identified and acquired (correctly in a bit-for-bit manner), and subsequently becomes the master.
The master could be one file or many files. It’s still the master!

Here comes the HUUUGE mistake…
The Working Copy.

Even a layperson should be able to understand this so how it’s gone wrong I don’t know. A working copy of a digital exhibit is a direct copy of it. No changes at all. It is amazingly simple to copy, and verify the copy, to prove integrity.

Master file(s) > Analyse Master and calculate file hash(s) > Copy file(s) > Analyse copies and calculate hash(s) > cross reference hash(s).
For those not within a digital forensic world, a hash value is an alphanumeric value calculated using a specified algorithm. If the same algorithm is used on two files, the same value is expected. As such, a person may trust that one file, the master, is the same as another file, the working copy. A quite simple process and one commonly used within DME environments worldwide.    
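
The hash, copy, hash, cross-reference workflow described above, as an added Python example (not part of the original post or of any force procedure). It reports any file that is missing, extra or changed, in which case the result is a generated exhibit and not a working copy. SHA-256, the folder names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large video files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_exhibit(root):
    """Return {relative path: SHA-256} for every file in an exhibit folder."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def cross_reference(master_hashes, candidate_hashes):
    """Compare two hash sets; any non-empty list means the data differs."""
    shared = master_hashes.keys() & candidate_hashes.keys()
    return {
        "missing": sorted(master_hashes.keys() - candidate_hashes.keys()),
        "extra": sorted(candidate_hashes.keys() - master_hashes.keys()),
        "changed": sorted(n for n in shared
                          if master_hashes[n] != candidate_hashes[n]),
    }


def is_working_copy(report):
    """A working copy has no missing, extra or changed files."""
    return not any(report.values())


def make_working_copy(master_dir, working_dir):
    """Hash the master, copy it, hash the copy, cross-reference the hashes."""
    master_hashes = hash_exhibit(master_dir)
    shutil.copytree(master_dir, working_dir)  # refuses to overwrite an existing folder
    return master_hashes, cross_reference(master_hashes, hash_exhibit(working_dir))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp, "AB1_master")  # constructed sample exhibit
        master.mkdir()
        (master / "cam01.dat").write_bytes(b"\x00constructed video payload" * 1000)
        (master / "player.cfg").write_bytes(b"constructed player settings")

        hashes, report = make_working_copy(master, Path(tmp, "AB1_working"))
        print("working copy verified:", is_working_copy(report))

        # Simulate a trimmed export sent out in place of a working copy.
        derived = Path(tmp, "AB1_trimmed")
        shutil.copytree(master, derived)
        (derived / "cam01.dat").write_bytes(b"\x00constructed video payload" * 300)
        report = cross_reference(hashes, hash_exhibit(derived))
        print("trimmed file is a working copy:", is_working_copy(report), report)
```

Keeping the master hash set alongside the exhibit lets a recipient run the same cross-reference on whatever they are sent before relying on it.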

Let’s see what this document says about a working copy:

If you want to see it in the document, it’s on Page 37. I will break it down, bit by bit (no pun intended!)…

“Once the Master has been defined and stored, all use of images should be from a Working Copy. Bit-for-bit copies should be used (where possible) for further reproduction of additional Working Copies or where precise detailed analysis is to be carried out or when images are to be enhanced.”

I am struggling to identify any digital file that cannot be copied bit-for-bit or a scenario when bit-for-bit copying is not possible.  
‘Precise detailed analysis’ – NO! – This should state any Video Transformation, and I’ll refer to this after looking at the next sentence.

“Where further analysis is undertaken, the Video Analysis Appendix to the Forensic Science Regulator’s Codes of Practice should be complied with.”

NOT JUST ANALYSIS! The Forensic Science Regulator’s (FSR) Codes of Practice details Video Transformation as “Any process that alters the format or information content of video, e.g. digitisation, transcoding (i.e. digital-to-digital conversion of one encoding to another to an alternative file).” These processes include trimming, cropping… basically any change is a Video Transformation.

The FSR also details the importance of competencies in staff tasked with carrying out video transformations as this is key to ensuring the integrity of the exhibits and the authenticity of the visual representation.

“The Master should not be used, except to produce additional Working Copies when no other Working Copies are available to copy, or by order of the court to establish authenticity. Force procedures will need to detail the circumstances and the relevant processes involved. All actions will need to be entered in the audit trail.”

By order of the court to establish authenticity!
Firstly – I think this should be “to establish integrity”, not authenticity.
Secondly – this would not be needed if the working copy is a true working copy and there are hash verification files to confirm this. Again – this is documented in the Forensic Science Regulator’s (FSR) Digital Forensics Codes of Practice.

..and it gets worse!

“Working Copies produced for the investigation, technical investigation, briefings, circulation, and preparation of prosecution evidence and defence can be in any of the forms described:

· Digital file
· Hard copy stills from still or video cameras
· Edited video
· Enhanced still or video
· Converted to non-proprietary format

This list is not exhaustive and other media may be utilized if suitable technology is available. The copying and distribution of Working Copies should be in accordance with force procedures with appropriate audit trails as required.”

NO, NO…and No!

These are not working copies of the master exhibit. They are newly generated derivative exhibits. They have undergone video transformations, as detailed by the FSR, and their digital integrity differs from the master exhibit. The generation of exhibits within a forensic environment is clearly documented in the guidance agreed by the CPS, the NPCC and the FSR.

Before we move on, we need to look at the problems of this to understand the severity of the situation.

We have already identified that for a working copy to have integrity, and to be classed as a working copy, it must be the same as the master. The moment that there is a change to the file, the transformation must be completed within a forensic workflow. This means that there must be documentation on what the changes are, and they must be repeatable and reproducible. It should be documented why they have been made and if there are any limitations to the changed file.

Let us say that exhibit AB/1 is a CCTV export video file of a single camera for an hour’s duration. The video file is cropped in size and trimmed in time to 20mins. The video is transcoded to a new video file.
According to this guidance, the new video file is a working copy of AB/1 – No, it is not. It is a generated exhibit, originating from AB/1 and it should be newly exhibited accordingly.

Let us say that exhibit AB/2 is a CCTV export that includes several files and a proprietary player. The files contain the video, but they are not identified as standard. Consequently, a person uses the player and screen captures various pieces of footage.
According to this guidance, the new screen captures are a working copy of AB/2 – No, they are not. They are a newly generated exhibit, originating from AB/2 and they should be newly exhibited accordingly.

Let us say that exhibit AB/3 is a piece of bodycam video and audio footage. A Digital Evidence Management System (DEMS) supplier automatically identifies this as a standard video and then creates the working copy automatically. However, the working copy is a changed version, having been downscaled automatically to fit the set video size, and has frames dropped to go from the original 29.97fps to the UK standard of 25fps.
According to this guidance, this changed version is a working copy of AB/3 – No, it is not! It is a generated exhibit, originating from AB/3 and it should be newly exhibited accordingly.

Let us say, (finally), that exhibit AB/4 is a piece of CCTV Video. It is transformed in video software to increase the brightness and several other filters are applied. The video is saved as a new file.
According to this guidance, the new file is a working copy of exhibit AB/4 – No, it’s not!

I could go on with many different scenarios but hopefully you will get the idea.

Now then, before we move on…. Here comes the problem…in case you have not seen it.

Any person must be able to state exactly what exhibit they handled, viewed, processed, converted, enhanced.. etc etc. If an officer, or Forensic Service Provider (FSP), is sent a working copy of AB/1 – It must be AB/1… Not a transcoded / transformed version of it.  

I spoke with two private UK providers last week about this and they now realise why things are going wrong. They are being sent incorrect working copies!

I spoke with several people from UK forces last week. They are being instructed to use DEMS that incorrectly manage their evidence and are being railroaded into procedures that conflict with their training in Forensic Video Analysis!  

I spoke with an officer, who has to rely on the digital systems they are given, and had no idea that what they thought was a working copy, wasn’t the same as the master. And to top this all off – many UK Forces are accepting already changed and transformed exhibits as masters because they are not allowed to acquire it correctly and are being forced to accept the material being sent to them by unknowledgeable witnesses or victims.

Single Online Home – an evidential nightmare for Multimedia Integrity

Let’s get back to the guidance document…  

“The copying of files within a computer is easy and so needs to be disciplined to prevent unnecessary files being produced. It is not suggested that all Working Copies should require individual audit trails, although certain application specific situations and/or enhancement processes e.g. identification will require audit trails to be maintained for additional Working Copies. Where this is the case records need to be kept contemporaneously. Working copies should however be uniquely identifiable. Reference should be made to individual force procedures.”

This last paragraph is confusing as it mixes up working copies with newly generated derivative exhibits.

Before we come up with an idea for an alternative end to this flowchart, how about we consider the problems that this incorrect guidance could cause.

Officers are asked – what did they view and what did they see… They viewed a working copy of exhibit XX……. No, they have not, they viewed a version of it and may not have all the video, all the frames, all the cameras, and may be constructed very differently from the master exhibit. They may not realise this…and there are cases from courts where officers have mistakenly presented inferior evidence, not knowing about the differences!

The Video unit is sent a working copy of a video for a license plate enhancement. No visual data could be restored and enhanced. It was not a working copy they examined – it was a screen capture and as a result they have given the wrong information. If they had used the correct working copy (bit-for-bit), then the plate would have been recoverable. I have seen this! I have seen a Force’s screen capture and that was used to attempt a license plate recovery because they believed it was a true working copy! – It was not their fault – it was the Force Policy that was in place!

A private Forensic Service Provider (FSP) is sent a working copy of an exhibit. They are relying on the sending agency that this is a working copy. However, as we now know, it may not be! There are various delays in getting a real working copy, as the detective involved is not aware of the issue. All of this delays the Criminal Justice System process. Making decisions about imagery evidence on changed, transcoded, transformed media will cause problems in the CJS. We do not want delays and mistakes caused by incorrect guidance and poorly managed DEMS.  

It is amazingly simple…
If it’s not changed – It’s a copy
If it’s changed – It’s new!

Here is my alternative ending to this guidance, where point 9 now deals with Video Transformations fully covered by the FSR.

Good exhibit management can either be carried out manually, in a spreadsheet, or by a good DEMS. This new change to the flowchart supports both single exhibit creation, such as a still image, a frame sequence or a transcoded clip from a larger video, and also multiple exhibit media such as a CCTV timeline or storyboard.

The last thing anybody wants to see is a mistake in a court room, which could have been avoided if the guidance given to UK forces was correct. We must protect the integrity of the evidence and ensure that any supplier of digital storage services understands the needs for such safeguards. Protecting the evidence will then protect any officer handling and working with DME from any allegations or errors.

In researching this issue, I have reviewed the following websites and documents (I know that some are currently being rewritten):

https://www.cps.gov.uk/legal-guidance/exhibits

https://www.app.college.police.uk/app-content/investigations/investigative-strategies/passive-data-generators/

FSR Digital Forensics

FSR Video Analysis

FSR Codes of practice for FSP’s

FSR Guidance of Image Comparison

SWGDE Image Integrity

SWGDE Video Data Acquisition

SWGDE Forensic Video Analysis

UK Criminal Procedures and Investigations Act

UK Attorney Generals Guidelines

NPCC Guidance to FSP’s re Storage, retention and Destruction of Materials

NPIA – Police use of CCTV

NPIA – Police use of Digital Images

Final comment

If you are a person involved in the acquisition, analysis, processing and presentation of imagery and video evidence then you do have the right to ignore published guidance if you are able to justify your actions. The well-managed generation of multimedia exhibits ensures a clear continuity and integrity chain back to the original data therefore allowing for transparent disclosure and full understanding by everyone involved.
Protect yourself by protecting the evidence.

By Spreadys Posted in EEPIP

One comment on “At the Cliffs Edge”

  1. Your usual well thought out presentation. I like your alternative flowchart. OK, to be honest, it’s because it is almost precisely the same as mine.
    Absolutely agree with your comment on sole practitioners. We get what we get! All we can do is discuss it with our clients and request more information. It’s a little easier when dealing with Crown Attorneys and police agencies as they can sometimes follow up on requests for information with respect to how video files and images were collected, preserved, copied etc. Unfortunately, defense attorneys rarely have this information and are often unable to acquire it; mostly because they decide too late in the proceedings to engage an analyst.
    In my reports I usually refer to the master as “original file as received from …” and outline attempts made to obtain more information if necessary, and sometimes the CYA statement that I have been given no information with respect to the collection or subsequent handling of the files.
    As to relying that the sending agency has supplied a true working copy; if no other information is forthcoming my workflow has one additional step. I interrogate the files (MediaInfo, HxD etc.) to see what else can be gleaned, occasionally finding evidence that the file has been changed in some manner. I should point out that this is usually with video files from cell phones submitted by the owner and not collected by police; most commonly it turns out that they have submitted short clips of what they believe is relevant, rather than the entire recording.
    In the end, to quote every detective I ever worked with: “It is what it is”. All we can do is exhaust every avenue available to authenticate what we have, and apply processes that are reasonable, defensible and repeatable. As for the rest; we must continue to evaluate procedures in light of new technologies and adjust as necessary.
