At the Cliffs Edge

I tend to not write too much these days, as many of the tips and tricks that I once researched and then publicized are now redundant. Forensic Video Software has caught up and often far excels what can be done using a handful of open-source and consumer applications.

However, I will always use this site as a home to air my concerns with the Forensic Video Community, and the legal systems that we serve.

For the UK, I believe that the investigation of Digital Multimedia Evidence (DME) is at the cliffs edge. We can either allow it to fall, or we can pull it back and save it from becoming inadmissible, discredited, misinterpreted evidence.
It has taken years for multimedia, and in particular video, to be taken seriously within Digital Forensics but it is still commonly mishandled, poorly understood and disrespected as a piece of evidence.  

The purpose of this rather lengthy post is to hopefully help in avoiding possible complications in the future and to ensure that the guidance published is clear and correct. I am passionate about professionalizing the role of Forensic Video technician and Analyst and, as such, I cannot sit back and watch as mistakes are made.

After reviewing, several UK officers and staff have commented that although accurate, it may come across as a bit of a rant. Well, if it avoids a miscarriage of justice in the future, then my rant would have been worthwhile!

So, what has prompted this rather lengthy post today?

The new Digital Imaging and Multimedia Procedure (v.3.0) published by The Defence Science Technology Laboratory (DSTL) , The Ministry of Defence (MoD), and the National Police Chiefs Council (NPCC). To summarize my main concern; the guidance that a working copy of a master video exhibit can be an edited, enhanced, transcoded version is wrong and could be detrimental during an investigation and any legal proceedings.

Digital Imaging and Multimedia Procedure (v3.0)

The original Digital Imaging Procedure was always a particularly good guidance document for UK Policing to refer to but back in 2007 the research, study and understanding of Digital Video was only just beginning. As a consequence, there were some glaring errors that I soon became aware of after receiving training, and conducting self study. Technology has moved on and it was well known that the document was in need of a big update. The adding of the ‘Multimedia’ wording was also a vital and welcome move. However, I believe the relevance and importance in today’s legal landscape has been largely underestimated. It has been written in a way that allows far too much flexibility in the interpretation of the guidance and this is where mistakes can, and already are, being made. The errors in the original 2007 document are still there, and their impact will now be much bigger. There are several slightly confusing paragraphs that conflict with other guidance published, (I will link to all documents at the end). It is not possible to go into all of these here and now, but let’s take this one for instance:

Compression (Page 8)
“If image or associated audio data is being presented as evidence and illustrates the facts of the offence then it is evidentially irrelevant whether the data has been compressed or not. What is important is the content of the data should be fit for purpose and that the quality is adequate.
It should be noted that various transmission methods used throughout the capture, retrieval and replay chain may adversely affect the quality of the data and steps should be taken to mitigate this.”

My opinion is that it is evidentially relevant if the compression or capture method affects the question being asked of the image. (In this document they use the word image for both still image and video).
The compression is relevant if required to be analysed to prove authenticity of the visual representation. Movement, use of force, speed, gait, detail… everything – They are all affected by the compression used. IT IS RELEVANT!
Quality is highly subjective, and may be good to answer one question but not good to answer another. Acquisition of the original master evidence should not adversely affect the quality of the data as guidance clearly states that the master should be a bit-for-bit copy of the data as it was at initial creation. Any person deciding to use as master evidence, anything other than the first recorded data , must have the competency to detail the limitations of the process used and have consideration for the rules on disclosure.

I could continue, but I need to move onto the biggest problem in this document, the flowchart.

At the end of this flowchart it states, “ For further explanation use accompanying notes and refer to force policy”.
OK, but Force Policies will usually be written or altered using published guidance so the details in this flowchart must be correct. And they are not (IMO)!
Stages 1-5 are all fairly standard, with no major issues.

At stage 6 we have ‘Define Master and produce Working Copy when required.’ Doesn’t sound too difficult does it?

There is no need to dive too deeply into what the Master is. For DME, it is the data first created and acquired. It could be the still image from a cellphone, a voice message stored on a web server, or a CCTV recording stored on a Digital Video Recorder (DVR). That data is identified and acquired (correctly in a bit-for-bit manner), and subsequently becomes the master.
The master could be one file or many files. It’s still the master!

Here comes the HUUUGE mistake…
The Working Copy.

Even a layperson should be able to understand this so how it’s gone wrong I don’t know. A working copy of a digital exhibit is a direct copy of it. No changes at all. It is amazingly simple to copy, and verify the copy, to prove integrity.

Master file(s) > Analyse Master and calculate file hash(s) > Copy file(s) > Analyse copies and calculate hash(s) > cross reference hash(s).
For those not within a digital forensic world, a hash value is an alphanumeric value calculated using a specified algorithm. If the same algorithm is used on two files, the same value is expected. As such, a person may trust that one file, the master, is the same as another file, the working copy. A quite simple process and one commonly used within DME environments worldwide.    

Let’s see what this document says about a working copy:

If you want to see it in the document, it’s on Page 37. I will break it down, bit by bit (no pun intended!)…

“Once the Master has been defined and stored, all use of images should be from a Working Copy. Bit-for-bit copies should be used (where possible) for further reproduction of additional Working Copies or where precise detailed analysis is to be carried out or when images are to be enhanced.”

I am struggling to identify any digital file that cannot be copied bit-for-bit or a scenario when bit-for-bit copying is not possible.  
‘Precise detailed analysis’ – NO! – This should state any Video Transformation, and I’ll refer to this after looking at the next sentence.

“Where further analysis is undertaken, the Video Analysis Appendix to the Forensic Science Regulator’s Codes of Practice should be complied with.”

NOT JUST ANALYSIS! The Forensic Science Regulators (FSR) Codes of Practice details Video Transformation as “Any process that alters the format or information content of video, e.g. digitisation, transcoding (i.e. digital-to-digital conversion of one encoding to another to an alternative file).” These processes include trimming, cropping…….basically any change is a Video Transformation.

The FSR also details the importance of competencies in staff tasked with carrying out video transformations as this is key to ensuring the integrity of the exhibits and the authenticity of the visual representation.

“The Master should not be used, except to produce additional Working Copies when no other Working Copies are available to copy, or by order of the court to establish authenticity. Force procedures will need to detail the circumstances and the relevant processes involved. All actions will need to be entered in the audit trail.”

By order of the court to establish authenticity!
Firstly – I think this should be..”to establish integrity”, not authenticity.
Secondly – this would not be needed if the working copy is a true working copy and there are hash verification files to confirm this. Again – this is documented in the Forensic Science Regulators (FSR) Digital Forensics Codes of Practice.

..and it gets worse!

“Working Copies produced for the investigation, technical investigation, briefings, circulation, and preparation of prosecution evidence and defence can be in any of the forms described:

· Digital file
· Hard copy stills from still or video cameras
· Edited video
· Enhanced still or video
· Converted to non-proprietary format

This list is not exhaustive and other media may be utilized if suitable technology is available. The copying and distribution of Working Copies should be in accordance with force procedures with appropriate audit trails as required.”

NO, NO…and No!

These are not working copies of the master exhibit. They are newly generated derivative exhibits. They have undergone video transformations, as detailed by the FSR and their digital integrity differs from the master exhibit. Generated exhibits within a forensic environment is clearly documented in the guidance agreed by the CPS, the NPCC and the FSR.

Before we move on, we need to look at the problems of this to understand the severity of the situation.

We have already identified that for a working copy to have integrity, and to be classed a working copy, it must be the same as the master. The moment that there is a change to the file, the transformation must be completed within a forensic workflow. This means that there must be documentation on what the changes are, they must be repeatable and reproducible. It should be documented why they have been made and if there are any limitations to the changed file.  

Let us say that exhibit AB/1 is a CCTV export video file of a single camera for an hours duration. The video file is cropped in size and trimmed in time to 20mins. The video is transcoded to a new video file.
According to this guidance, the new video file is a working copy of AB/1 – No, it is not. It is a generated exhibit, originating from AB/1 and it should be newly exhibited accordingly.

Let us say that exhibit AB/2 is a CCTV export that includes several files and a proprietary player. The files contain the video, but they are not identified as standard. Consequently, a person uses the player and screen captures various pieces of footage.
According to this guidance, the new screen captures are a working copy of AB/2 – No, they are not. They are a newly generated exhibit, originating from AB/2 and they should be newly exhibited accordingly.

Let us say that exhibit AB/3 is a piece of bodycam video and audio footage. A Digital Evidence Management System (DEMS) supplier automatically identifies this as a standard video and then creates the working copy automatically. However, the working copy is a changed version, having been downscaled automatically to fit the set video size, and has frames dropped to go from the original 29.97fps to the UK standard of 25fps.
According to this guidance, this changed version is a working copy of AB/3 – No, it is not! It is a generated exhibit, originating from AB/1 and it should be newly exhibited accordingly.

Let us say, (finally), that exhibit AB/4 is a piece of CCTV Video. It is transformed in video software to increase the brightness and several other filters are applied. The video is saved as a new file.
According to this guidance, the new file is a working copy of exhibit AB/4 – No its not!

I could go on with many different scenarios but hopefully you will get the idea.

Now then, before we move on…. Here comes the problem…in case you have not seen it.

Any person must be able to state exactly what exhibit they handled, viewed, processed, converted, enhanced.. etc etc. If an officer, or Forensic Service Provider (FSP), is sent a working copy of AB/1 – It must be AB/1… Not a transcoded / transformed version of it.  

I spoke with two private UK providers last week about this and they now realise why things are going wrong. They are being sent incorrect working copies!

I spoke with several people from UK forces last week. They are being instructed to use DEMS that incorrectly manage their evidence and are being railroaded into procedures that conflict with their training in Forensic Video Analysis!  

I spoke with an officer, who has to rely on the digital systems they are given, and had no idea that what they thought was a working copy, wasn’t the same as the master. And to top this all off – many UK Forces are accepting already changed and transformed exhibits as masters because they are not allowed to acquire it correctly and are being forced to accept the material being sent to them by unknowledgeable witnesses or victims.

Single Online Home – an evidential nightmare for Multimedia Integrity

Let’s get back to the guidance document…  

“The copying of files within a computer is easy and so needs to be disciplined to prevent unnecessary files being produced. It is not suggested that all Working Copies should require individual audit trails, although certain application specific situations and/or enhancement processes e.g. identification will require audit trails to be maintained for additional Working Copies. Where this is the case records need to be kept contemporaneously. Working copies should however be uniquely identifiable. Reference should be made to individual force procedures.”

This last paragraph is confusing as it mixes up working copies with newly generated derivative exhibits.

Before we come up with an idea for an alternative end to this flowchart, how about we consider the problems that this incorrect guidance could cause.

Officers are asked – what did they view and what did they see… They viewed a working copy of exhibit XX……. No, they have not, they viewed a version of it and may not have all the video, all the frames, all the cameras, and may be constructed very differently from the master exhibit. They may not realise this…and there are cases from courts where officers have mistakenly presented inferior evidence, not knowing about the differences!

The Video unit is sent a working copy of a video for a license plate enhancement. No visual data could be restored and enhanced. It was not a working copy they examined – it was a screen capture and as a result they have given the wrong information. If they had used the correct working copy (bit for bit), then the plate would have been recoverable. I have seen this! I have seen a Forces screen capture and that was used to attempt a license plate recovery because they believed it was a true working copy! – It was not their fault – it was the Force Policy that was in place!

A private Forensic Service Provider (FSP) is sent a working copy of an exhibit. They are relying on the sending agency that this is a working copy. However, as we now know, it may not be! There are various delays in getting a real working copy, as the detective involved is not aware of the issue. All of this delays the Criminal Justice System process. Making decisions about imagery evidence on changed, transcoded, transformed media will cause problems in the CJS. We do not want delays and mistakes caused by incorrect guidance and poorly managed DEMS.  

It is amazingly simple…
If it’s not changed – It’s a copy
If it’s changed – It’s new!

Here is my alternative ending to this guidance, where point 9 now deals with Video Transformations fully covered by the FSR.

Good exhibit management can either be carried out manually, in a spreadsheet, or by a good DEMS. This new change to the flowchart supports both single exhibit creation, such as a still image, a frame sequence or a transcoded clip from a larger video, and also multiple exhibit media such as a CCTV timeline or storyboard.

The last thing anybody wants to see is a mistake in a court room, which could have been avoided if the guidance given to UK forces was correct. We must protect the integrity of the evidence and ensure that any supplier of digital storage services understands the needs for such safeguards. Protecting the evidence will then protect any officer handling and working with DME from any allegations or errors.

In researching this issue, I have reviewed the following websites and documents (I know that some are currently being rewritten):

https://www.cps.gov.uk/legal-guidance/exhibits

https://www.app.college.police.uk/app-content/investigations/investigative-strategies/passive-data-generators/

FSR Digital Forensics

FSR Video Analysis

FSR Codes of practice for FSP’s

FSR Guidance of Image Comparison

SWGDE Image Integrity

SWGDE Video Data Acquisition

SWGDE Forensic Video Analysis

UK Criminal Procedures and Investigations Act

UK Attorney Generals Guidelines

NPCC Guidance to FSP’s re Storage, retention and Destruction of Materials

NPIA – Police use of CCTV

NPIA – Police use of Digital Images

Final comment

If you are a person involved in the acquisition, analysis, processing and presentation of imagery and video evidence then you do have the right to ignore published guidance if you are able to justify your actions. The well-managed generation of multimedia exhibits ensures a clear continuity and integrity chain back to the original data therefore allowing for transparent disclosure and full understanding by everyone involved.
Protect yourself by protecting the evidence.

By Spreadys Posted in EEPIP

Allowing the Public to decide on the Video Evidence

I thought I would write this here as I have a feeling that I may need to repeat it a few times over various locations and it will save me re-typing.

For many years now I have seen the increase in evidential screen-snaps. This is where an image is being used in evidence that is a photograph of a screen showing an event or image. This is usually a CCTV image.
Whats with all the screen snaps?

Just to clarify – This is not relating to the urgent screen snaps that are obtained in the valuable first few hours of an investigation, where the publics assistance is needed to identify a dangerous suspect. What I am referring to is the ‘easy option’ of grabbing the screen snap, rather than obtaining the evidence in the correct manner.
Why this happens is another post in itself, but it’s mainly due to the complete lack of understanding by the security industry with regards to how surveillance video is used……and this is compounded by the fact that Law Enforcement is ridiculously under funded and they don’t have enough people to deal with the video evidence and deal with it correctly.

At this point then I want to take you back around 12-13 years, where I was highlighting some of these issues at a pretty high level in the UK. As a result, a Proof Of Concept project was funded to identify how we could link and acquire CCTV evidence using remote access, to speed up video evidence acquisition. This would not only avoid poor screen snaps by officers and incorrect evidence obtained from owners not understanding what was required, but also avoid CCTV retrieval officers from travelling to the locations.
Here is the important bit! – We were not going to wait for it to be delivered to us…. we would be the ones recovering it.
Rather than CCTV owners making the evidence decisions, it would be us. They would give us access, that access was recorded and there was a full data trail for monitoring and transparency.

It was a success, and this was even with all the various firefalls and restrictions of police networks. I could recover evidence remotely, with a full evidencable trail.

A few years later this was worked on again but unfortunately this was at a time where funding had completely dried up. It was again shelved.

I now read that the UK Police are developing a repository to accept video evidence from the public..
https://www.policeoracle.com/news/police_it_and_technology/2020/Nov/24/-single-online-home-could-accept-video-evidence-by-next-year-_106264.html

They appear to be handing the job of evidence recovery to the public. This is, in my opinion, wrong.

Video evidence is easily changed, misinterpreted, misused and misunderstood. The moment it is changed, its integrity and authenticity is reduced. The original pixels, those small little squares of light and color that make up the image, are the evidence. Most CCTV owners don’t know what’s the best evidence, and what they should give to the police.

Let me give you an example….

A CCTV System records its video. The owner accesses the system using his mobile device and saves the video on his device, where he then forwards it to an investigator. It looks OK from the untrained eye.

The received video is dramatically different from the original, with much less data, half the pixels, changes to the field of view and also the timing/speed.

Video Evidence is already an easy target but Defence lawyers will be lining up if we allow evidence recovery to be done by people who don’t know what they are doing.

They appear to be choosing the easy option. Do they do this with any other physical evidence?

I hope that the people involved in this reach out to the few Certified Forensic Video Analysts and Technicians in the UK and ask to be shown what the problem is here.

I can see the job having to be done twice – An owner submits footage, and then someone has to check it and go out and attempt to get it correctly. If its been deleted or lost then what happens? Can decisions be made on a reduced quality format, or has its ability to answer questions been reduced because it was not obtained correctly? ..and if nobody checks it and an attempt to get the best evidence is not made – is that a breach of process?

Lets do it right first time. Is that not the most simplest option?

By Spreadys Posted in EEPIP

UK Forensic Science Regulator – FVA Code Review

The UKs Forensic Science Regulator will shortly be conducting an update to the Video Analysis Appendix to the Forensic Science Providers Codes of Practice and Conduct.

All members of the Forensic Image Analysis Division have been asked to submit comments in support of this update.

The current document can be downloaded here:

https://www.gov.uk/government/publications/video-analysis-codes-of-practice-for-forensic-service-providers

If readers of this blog wish to comment through me, I will collate and send through as one.

Please be concise and specific.

Remember that images and video have to to pass through a forensic architecture to ensure integrity and reliability in any judicial process. This is our chance to ensure that the codes support this, eliminating the two tier image/video pathway currently being utilized within the UK Criminal Justice System. When there are no safeguards in place, images and video can get into the System that are incorrectly acquired, processed, interpreted and presented.

Use the comments section below so others do not duplicate issues.

Thanks

By Spreadys Posted in EEPIP

An Open Format

OK, lets get this out of the way at the start and then work backwards!

What is an ‘Open Format’?

“An open format is a file format for storing digital data, defined by a published specification usually maintained by a standards organization, and which can be used and implemented by anyone. … In contrast to open formats, closed formats are considered trade secrets”

Wikipedia

Things get a bit more tricky for the multimedia community as formats are merely the boxes that contain the audio, video and other data such as text, date/time or speed information.

The video and audio components will be coded using a codec, allowing for the correct decoding of the information during playback. Think of it as a language. If its been written in Italian, it needs to be read or listened to in the same language!

There are hundreds, if not thousands of codecs. There are also open codecs.

Now that we have an understanding of the term ‘open’, let us look at what this means to the average Forensic Video Analyst having to deal with surveillance footage from a CCTV system.

They are a small cog in the public safety and justice system. The start point for their workflow starts with the products provided by the security industry.

Cam2Court

This is known as the Camera to Court evidence chain for CCTV.

If any of the components leading up to the Analysis are ‘closed’ or ‘proprietary’ then we hit a problem……..And, just to make matters a bit more complicated, every manufacturer can do it differently, so there are thousands of unknowns!

To be honest, it’s one of the enjoyable parts of my job, everything starts out as research and testing…but it shouldn’t be that way as we should all playing for the same team!

I honestly think that some kit has been made purely to frustrate the hell out of any investigator required to deal with the footage!

There are a few manufacturers that still use completely closed recording methods, codecs and players. There is no method to analyze and understand the original recording method and deal with it quickly and effectively within a forensic framework.

There are many manufacturers that have closed components. They may use an open format, and an open video codec, but they then use a closed audio codec, and a proprietary method for storing the date and time text information.

There are many manufacturers that use open codecs, but then store the data in a closed, proprietary format.

There are many manufacturers that use open codecs and open formats….but then ruin it all by providing a player that distorts and changes the footage when played!

Many years ago, I was lucky to work alongside those writing the National CCTV Strategy under the then ACPO lead for CCTV, Mt Graeme Gerrard. Some of the unfinished components of this should have been picked up by the Security Camera Commissioner (SCC), and the Forensic Science Regulator.

One of those Components was the establishment of standards for storing and exporting.

In the most recent update from the standards group from the SCC, there is still no sign of anything happening.

Perhaps it is in the new Surveillance Camera Commissioner’s Buyers Toolkit.

Or is it still stuck in the ‘too hard to do box’?

If so, can someone please take out!

It’s a pretty simple problem to solve…

Manufacturers will not make stuff that people won’t buy.

Buyers will purchase the products that that fit their needs.

In the middle is the shop, the installer, or the consultant…. Lets use the term now being used by the SCC – The ‘Service Provider’.

If we can empower the Service Providers with better knowledge, to ensure that only those products with open formats, offering transparency and understanding throughout the Camera to Court model are sold or installed, then the entire system will improve.

And then what happens? – the evidence gets obtained faster and is of a higher quality.

Take a look at one of the tests I completed at IFSEC back in 2014..

DVR Test

These problems are just a handful of the issues we have to deal with, but could so easily be eradicated if only the service providers understood what was needed further down the chain.

Now… I know that ‘some’ do. I actually work with a few consultants and am very aware that they take the Criminal Justice System into account when specifying equipment. They would not install a XXXXXXX DVR for instance because they know that it records in a closed format.

Open! – Documented, transparent and open.

Not proprietary, non-standard and closed.

 

 

 

 

 

 

 

 

 

 

 

By Spreadys Posted in EEPIP

Happy Birthday to Amped Software

Big day today…. It’s Amped Software’s 10th Birthday!

When I look back to 2008, and my life within Forensic Video Analysis, things were a little different.

I had started my path to becoming a Certified Forensic Video Analyst and was learning the various techniques and skills required for me to provide the best video evidence.

I was working within an environment linked with cellphone and computer examinations. One thing that I liked about these forms of investigation, was that there were various dedicated applications to assist them.

The advantage those investigators had, was that they were starting with standardized start points. They had standard operating systems and formats.

With video, and specifically CCTV, we did not, and many formats were being analysed for the first time. Even when we did have a known format, each case and frame changes, so each process needs to change depending on the question being asked.

As a result, I may have needed to utilize multiple different pieces of software. If you look back to some of my early blog posts on analysing CCTV, I may have been using (and not limited to)….

  • Virtualdub
  • Defraser
  • Gspot
  • FFmpeg
  • Jpegsnoop
  • Forevid
  • HXD
  • Photoshop
  • Edius

……and not on separate cases…………On the same File!!!!

I was after the single solution to do everything I needed.

As I was unable to move beyond the programming language of Batch files, and as such could not write my own software, I built Spreadys Software Pack. This made my life a lot easier (and many other people’s apparently), by putting everything together in one place.

The problem though was that I was spending a lot of time moving between applications and validating each process… and then having to deal with the different ways each program was dealing with this non-standard video.

As my experience grew, I was observing more changes and inconsistencies. I needed that single solution more now….

I then came across this fast growing company… called Amped Software.

They had developed FIVE – Forensic Image and Video Enhancement

…..and everytime I went back and checked them out – they had made updates, and then brought out new software for Image Authentication.

Towards the end of my career in Policing, I had started to trial FIVE and was using it with every case. I couldn’t use if for the official case work but found that it could have saved me hours everyday, in decision making, processing, analysis and presentation.

I could never understand the reluctance to purchase due to price, when staff’s time is the most expensive component in any investigative role.

…..and the rest, as they say is history!

Upon leaving the police service I was lucky to have choices…. And, if I’m honest, it was a tough time.

As many of you now know – I took on the role of International Trainer at Amped Software. My decision was based all the way back to my early days in needing a single solution for my workflow.

FIVE was fast becoming that solution… and I felt that I could help in getting some of the other components included.

So…. Here we are 10 years down the line….

Multiple applications, huge development… and much more to come.

To Martino, the CEO of Amped Software (and the guy that sends me to train officers and staff worldwide)…

Congratulations! You had idea’s and the skills to put those ideas into software. Most importantly though, you listened to users worldwide in what they needed… and then put those idea’s and requests into the software.

And this is the true power of Amped… it is not just Martino, or the huge team around the world…. It is the users…. You will not find another group of developers, more willing to listen and learn from users, to make the application that you need to make your life easier!

…and to the rest of the team, Well done! It is an honour to work alongside a group of people dedicated to the same goal.

It’s not the final destination – It’s the journey!

 

By Spreadys Posted in EEPIP