It’s been a long time since I posted here. I am the first one to admit that I can get a little passionate about Forensic Video Analysis and CCTV Investigation, and my frustrations with various aspects of this niche field of forensics can take their toll on my wellbeing. Sometimes you just have to take a breath, rather than bang your head harder on the brick wall.
There are though a handful of other analysts who have continued to shout about certain issues for some considerable time. Unfortunately, we often seem to get drowned out and the problems get lost and ignored within the legal system. It was a refreshing change therefore a few weeks ago, to see and hear from one of those respected colleagues on the UK’s Channel 4 news.
It is clear that the news item has probably been heavily edited, cut down and slanted to concentrate on facial analysis BUT there are some important takeaways from this and things that we, as analysts, must consider.
Firstly, let me make this clear. CCTV is not putting innocent people behind bars. Misunderstanding, incorrect handling, poor analysis and biased presentation will put innocent people behind bars. It’s not CCTV’s fault!
Second.. the images and comparative analysis displayed in this video leave a lot to be desired and cause damage to the role of the Forensic Video Analyst…but worryingly, I have seen worse.
Professor Gillian Tully, right at the outset states, “When it comes to the interpretation of CCTV Images, its difficult for us at the moment to have the assurance that it’s done properly across the board…” She then goes onto the fact that people and organisations do not meet the required standards set by the Forensic Science Regulator (FSR).
I am not going to get into the huge mess surrounding the initial setting of the FSR’s guidance in the UK.
I am not going to get into the conflicts between the FSR’s guidance, the training delivered to most police organisations in Forensic Video Analysis, and then the guidance documents published by the National Police Chiefs Council.
I am also not going to get into the ISO accreditation of video units and private service providers and the difficulties this has caused…
We have to go all the way back to the start, and clearly define what a person should do and what is their role to the court.
I have been lucky, or unlucky in many cases, to review lots of Forensic Video and Image reports and there are some constant problems. The most common is an unclear definition of what that person’s role is within the investigation.
In any case where video evidence is to be used, whether that from CCTV, Cellphones or Body Worn Video, an analyst must ensure and report on the integrity of that video, the authenticity of that video and the reliability of the image representation.
Why is an expert in video required to do this? You all watch the TV, you all watch YouTube. The latest viral video of a dog skiing is completely different, however, to a piece of footage recorded on a CCTV system that could result in an innocent person being convicted of a crime they did not commit.
Regardless of the task or question being asked, the analyst has a duty to the court to assess and understand the evidence.
The analyst’s first responsibility is to identify any changes in the image since the time it was first created. This ensures the integrity of the exhibit. Any changes must adhere to a scientific workflow and therefore be repeatable, reproducible and explainable. Any item produced as a result of a change will differ from the original and, as such, will be a new exhibit. Any undocumented changes must be disclosed as these will affect the integrity of the produced item.
The second responsibility is to ensure authenticity. Any item must be a true and accurate representation of that which it purports to be. The video may not be authentic in its original state. The capture and encoding of the video may have changed the shape, dimensions, speed or colour, and consequently, anything in the scene would suffer from this incorrect view. Authenticity therefore not only relates to the identification of fabricated evidence, either through malcous manipulation or incompetence, but more commonly to the method of aquisition. In these cases, authenticity can often be restored through restoration and enhancement.
This is where the third responsibility comes in. Ensuring the reliability of the image representation. This is often termed the scientific stage, as processing, reconstruction, testing, restoring, enhancing, collating, annotating and presenting video evidence must adhere to a scientific workflow. If those are followed, and any required peer review completed, the produced item or presented fact should be reliable.
It is not the analyst’s role to form an opinion as to an item, or a mark. It is an analysts role to inform the judge or jury that the item or mark constructed within the image is reliable and can be trusted.
It is not the analysts role to make up terms and use incorrect, unscientific procedures.
It is not the analyst’s role to fit the narrative of those who are employing them.
Comparative Video and Image Analysis can be extremely time-consuming work…. but also very frustrating. Most CCTV used is not installed for the purpose it is being used for and, as such, identifying and documenting the limitations is key for transparency and trust.
When the analysis starts with the identification of the facts, it is easy to perform unbiased analysis and, if necessary, report that an object or views representation is unreliable.
And this workflow is not just for comparative analysis. Timelines, storyboards and the tracking of persons through scenes can all be presented incorrectly with unreliable visual information if the original data is not understood and analyzed correctly first. The staged disclosure of video exhibits is also of key importance to reduce unconcious bias.
An analyst is there to identify the facts in the video or image. There should be very little subjective interpretation. The facts are presented after objective analysis. If an analyst analyzes a video and is able to confirm though reconstruction and restoration that an object or person has a number of atributes then those atributes are facts.
However, an analysts most important skill is the ability to identify features that are not reliable or that contrast, rather than compare with a known object or person.
I am sure that Reuben could have said a lot more (I imagine there was a lot edited), but the report has highlighted the scary fact that there are people in the UK and around the world presenting this sort of stuff and they are full of unreliable images caused by a lack of understanding and questionable terms to baffle a jury.
The more times that things like this get shouted about, the better it will be for Forensic Video Analysis and the legal system.
I tend to not write too much these days, as many of the tips and tricks that I once researched and then publicized are now redundant. Forensic Video Software has caught up and often far excels what can be done using a handful of open-source and consumer applications.
However, I will always use this site as a home to air my concerns with the Forensic Video Community, and the legal systems that we serve.
For the UK, I believe that the investigation of Digital Multimedia Evidence (DME) is at the cliffs edge. We can either allow it to fall, or we can pull it back and save it from becoming inadmissible, discredited, misinterpreted evidence. It has taken years for multimedia, and in particular video, to be taken seriously within Digital Forensics but it is still commonly mishandled, poorly understood and disrespected as a piece of evidence.
The purpose of this rather lengthy post is to hopefully help in avoiding possible complications in the future and to ensure that the guidance published is clear and correct. I am passionate about professionalizing the role of Forensic Video technician and Analyst and, as such, I cannot sit back and watch as mistakes are made.
After reviewing, several UK officers and staff have commented that although accurate, it may come across as a bit of a rant. Well, if it avoids a miscarriage of justice in the future, then my rant would have been worthwhile!
So, what has prompted this rather lengthy post today?
The new Digital Imaging and Multimedia Procedure (v.3.0) published by The Defence Science Technology Laboratory (DSTL) , The Ministry of Defence (MoD), and the National Police Chiefs Council (NPCC). To summarize my main concern; the guidance that a working copy of a master video exhibit can be an edited, enhanced, transcoded version is wrong and could be detrimental during an investigation and any legal proceedings.
The original Digital Imaging Procedure was always a particularly good guidance document for UK Policing to refer to but back in 2007 the research, study and understanding of Digital Video was only just beginning. As a consequence, there were some glaring errors that I soon became aware of after receiving training, and conducting self study. Technology has moved on and it was well known that the document was in need of a big update. The adding of the ‘Multimedia’ wording was also a vital and welcome move. However, I believe the relevance and importance in today’s legal landscape has been largely underestimated. It has been written in a way that allows far too much flexibility in the interpretation of the guidance and this is where mistakes can, and already are, being made. The errors in the original 2007 document are still there, and their impact will now be much bigger. There are several slightly confusing paragraphs that conflict with other guidance published, (I will link to all documents at the end). It is not possible to go into all of these here and now, but let’s take this one for instance:
Compression (Page 8) “If image or associated audio data is being presented as evidence and illustrates the facts of the offence then it is evidentially irrelevant whether the data has been compressed or not. What is important is the content of the data should be fit for purpose and that the quality is adequate. It should be noted that various transmission methods used throughout the capture, retrieval and replay chain may adversely affect the quality of the data and steps should be taken to mitigate this.”
My opinion is that it is evidentially relevant if the compression or capture method affects the question being asked of the image. (In this document they use the word image for both still image and video). The compression is relevant if required to be analysed to prove authenticity of the visual representation. Movement, use of force, speed, gait, detail… everything – They are all affected by the compression used. IT IS RELEVANT! Quality is highly subjective, and may be good to answer one question but not good to answer another. Acquisition of the original master evidence should not adversely affect the quality of the data as guidance clearly states that the master should be a bit-for-bit copy of the data as it was at initial creation. Any person deciding to use as master evidence, anything other than the first recorded data , must have the competency to detail the limitations of the process used and have consideration for the rules on disclosure.
I could continue, but I need to move onto the biggest problem in this document, the flowchart.
At the end of this flowchart it states, “ For further explanation use accompanying notes and refer to force policy”. OK, but Force Policies will usually be written or altered using published guidance so the details in this flowchart must be correct. And they are not (IMO)! Stages 1-5 are all fairly standard, with no major issues.
At stage 6 we have ‘Define Master and produce Working Copy when required.’ Doesn’t sound too difficult does it?
There is no need to dive too deeply into what the Master is. For DME, it is the data first created and acquired. It could be the still image from a cellphone, a voice message stored on a web server, or a CCTV recording stored on a Digital Video Recorder (DVR). That data is identified and acquired (correctly in a bit-for-bit manner), and subsequently becomes the master. The master could be one file or many files. It’s still the master!
Here comes the HUUUGE mistake… The Working Copy.
Even a layperson should be able to understand this so how it’s gone wrong I don’t know. A working copy of a digital exhibit is a direct copy of it. No changes at all. It is amazingly simple to copy, and verify the copy, to prove integrity.
Master file(s) > Analyse Master and calculate file hash(s) > Copy file(s) > Analyse copies and calculate hash(s) > cross reference hash(s). For those not within a digital forensic world, a hash value is an alphanumeric value calculated using a specified algorithm. If the same algorithm is used on two files, the same value is expected. As such, a person may trust that one file, the master, is the same as another file, the working copy. A quite simple process and one commonly used within DME environments worldwide.
Let’s see what this document says about a working copy:
If you want to see it in the document, it’s on Page 37. I will break it down, bit by bit (no pun intended!)…
“Once the Master has been defined and stored, all use of images should be from a Working Copy. Bit-for-bit copies should be used (where possible) for further reproduction of additional Working Copies or where precise detailed analysis is to be carried out or when images are to be enhanced.”
I am struggling to identify any digital file that cannot be copied bit-for-bit or a scenario when bit-for-bit copying is not possible. ‘Precise detailed analysis’ – NO! – This should state any Video Transformation, and I’ll refer to this after looking at the next sentence.
“Where further analysis is undertaken, the Video Analysis Appendix to the Forensic Science Regulator’s Codes of Practice should be complied with.”
NOT JUST ANALYSIS! The Forensic Science Regulators (FSR) Codes of Practice details Video Transformation as “Any process that alters the format or information content of video, e.g. digitisation, transcoding (i.e. digital-to-digital conversion of one encoding to another to an alternative file).” These processes include trimming, cropping…….basically any change is a Video Transformation.
The FSR also details the importance of competencies in staff tasked with carrying out video transformations as this is key to ensuring the integrity of the exhibits and the authenticity of the visual representation.
“The Master should not be used, except to produce additional Working Copies when no other Working Copies are available to copy, or by order of the court to establish authenticity. Force procedures will need to detail the circumstances and the relevant processes involved. All actions will need to be entered in the audit trail.”
By order of the court to establish authenticity! Firstly – I think this should be..”to establish integrity”, not authenticity. Secondly – this would not be needed if the working copy is a true working copy and there are hash verification files to confirm this. Again – this is documented in the Forensic Science Regulators (FSR) Digital Forensics Codes of Practice.
..and it gets worse!
“Working Copies produced for the investigation, technical investigation, briefings, circulation, and preparation of prosecution evidence and defence can be in any of the forms described:
· Digital file · Hard copy stills from still or video cameras · Edited video · Enhanced still or video · Converted to non-proprietary format
This list is not exhaustive and other media may be utilized if suitable technology is available. The copying and distribution of Working Copies should be in accordance with force procedures with appropriate audit trails as required.”
NO, NO…and No!
These are not working copies of the master exhibit. They are newly generated derivative exhibits. They have undergone video transformations, as detailed by the FSR and their digital integrity differs from the master exhibit. Generated exhibits within a forensic environment is clearly documented in the guidance agreed by the CPS, the NPCC and the FSR.
Before we move on, we need to look at the problems of this to understand the severity of the situation.
We have already identified that for a working copy to have integrity, and to be classed a working copy, it must be the same as the master. The moment that there is a change to the file, the transformation must be completed within a forensic workflow. This means that there must be documentation on what the changes are, they must be repeatable and reproducible. It should be documented why they have been made and if there are any limitations to the changed file.
Let us say that exhibit AB/1 is a CCTV export video file of a single camera for an hours duration. The video file is cropped in size and trimmed in time to 20mins. The video is transcoded to a new video file. According to this guidance, the new video file is a working copy of AB/1 – No, it is not. It is a generated exhibit, originating from AB/1 and it should be newly exhibited accordingly.
Let us say that exhibit AB/2 is a CCTV export that includes several files and a proprietary player. The files contain the video, but they are not identified as standard. Consequently, a person uses the player and screen captures various pieces of footage. According to this guidance, the new screen captures are a working copy of AB/2 – No, they are not. They are a newly generated exhibit, originating from AB/2 and they should be newly exhibited accordingly.
Let us say that exhibit AB/3 is a piece of bodycam video and audio footage. A Digital Evidence Management System (DEMS) supplier automatically identifies this as a standard video and then creates the working copy automatically. However, the working copy is a changed version, having been downscaled automatically to fit the set video size, and has frames dropped to go from the original 29.97fps to the UK standard of 25fps. According to this guidance, this changed version is a working copy of AB/3 – No, it is not! It is a generated exhibit, originating from AB/1 and it should be newly exhibited accordingly.
Let us say, (finally), that exhibit AB/4 is a piece of CCTV Video. It is transformed in video software to increase the brightness and several other filters are applied. The video is saved as a new file. According to this guidance, the new file is a working copy of exhibit AB/4 – No its not!
I could go on with many different scenarios but hopefully you will get the idea.
Now then, before we move on…. Here comes the problem…in case you have not seen it.
Any person must be able to state exactly what exhibit they handled, viewed, processed, converted, enhanced.. etc etc. If an officer, or Forensic Service Provider (FSP), is sent a working copy of AB/1 – It must be AB/1… Not a transcoded / transformed version of it.
I spoke with two private UK providers last week about this and they now realise why things are going wrong. They are being sent incorrect working copies!
I spoke with several people from UK forces last week. They are being instructed to use DEMS that incorrectly manage their evidence and are being railroaded into procedures that conflict with their training in Forensic Video Analysis!
I spoke with an officer, who has to rely on the digital systems they are given, and had no idea that what they thought was a working copy, wasn’t the same as the master. And to top this all off – many UK Forces are accepting already changed and transformed exhibits as masters because they are not allowed to acquire it correctly and are being forced to accept the material being sent to them by unknowledgeable witnesses or victims.
“The copying of files within a computer is easy and so needs to be disciplined to prevent unnecessary files being produced. It is not suggested that all Working Copies should require individual audit trails, although certain application specific situations and/or enhancement processes e.g. identification will require audit trails to be maintained for additional Working Copies. Where this is the case records need to be kept contemporaneously. Working copies should however be uniquely identifiable. Reference should be made to individual force procedures.”
This last paragraph is confusing as it mixes up working copies with newly generated derivative exhibits.
Before we come up with an idea for an alternative end to this flowchart, how about we consider the problems that this incorrect guidance could cause.
Officers are asked – what did they view and what did they see… They viewed a working copy of exhibit XX……. No, they have not, they viewed a version of it and may not have all the video, all the frames, all the cameras, and may be constructed very differently from the master exhibit. They may not realise this…and there are cases from courts where officers have mistakenly presented inferior evidence, not knowing about the differences!
The Video unit is sent a working copy of a video for a license plate enhancement. No visual data could be restored and enhanced. It was not a working copy they examined – it was a screen capture and as a result they have given the wrong information. If they had used the correct working copy (bit for bit), then the plate would have been recoverable. I have seen this! I have seen a Forces screen capture and that was used to attempt a license plate recovery because they believed it was a true working copy! – It was not their fault – it was the Force Policy that was in place!
A private Forensic Service Provider (FSP) is sent a working copy of an exhibit. They are relying on the sending agency that this is a working copy. However, as we now know, it may not be! There are various delays in getting a real working copy, as the detective involved is not aware of the issue. All of this delays the Criminal Justice System process. Making decisions about imagery evidence on changed, transcoded, transformed media will cause problems in the CJS. We do not want delays and mistakes caused by incorrect guidance and poorly managed DEMS.
It is amazingly simple… If it’s not changed – It’s a copy If it’s changed – It’s new!
Here is my alternative ending to this guidance, where point 9 now deals with Video Transformations fully covered by the FSR.
Good exhibit management can either be carried out manually, in a spreadsheet, or by a good DEMS. This new change to the flowchart supports both single exhibit creation, such as a still image, a frame sequence or a transcoded clip from a larger video, and also multiple exhibit media such as a CCTV timeline or storyboard.
The last thing anybody wants to see is a mistake in a court room, which could have been avoided if the guidance given to UK forces was correct. We must protect the integrity of the evidence and ensure that any supplier of digital storage services understands the needs for such safeguards. Protecting the evidence will then protect any officer handling and working with DME from any allegations or errors.
In researching this issue, I have reviewed the following websites and documents (I know that some are currently being rewritten):
If you are a person involved in the acquisition, analysis, processing and presentation of imagery and video evidence then you do have the right to ignore published guidance if you are able to justify your actions. The well-managed generation of multimedia exhibits ensures a clear continuity and integrity chain back to the original data therefore allowing for transparent disclosure and full understanding by everyone involved. Protect yourself by protecting the evidence.
I thought I would write this here as I have a feeling that I may need to repeat it a few times over various locations and it will save me re-typing.
For many years now I have seen the increase in evidential screen-snaps. This is where an image is being used in evidence that is a photograph of a screen showing an event or image. This is usually a CCTV image. Whats with all the screen snaps?
Just to clarify – This is not relating to the urgent screen snaps that are obtained in the valuable first few hours of an investigation, where the publics assistance is needed to identify a dangerous suspect. What I am referring to is the ‘easy option’ of grabbing the screen snap, rather than obtaining the evidence in the correct manner. Why this happens is another post in itself, but it’s mainly due to the complete lack of understanding by the security industry with regards to how surveillance video is used……and this is compounded by the fact that Law Enforcement is ridiculously under funded and they don’t have enough people to deal with the video evidence and deal with it correctly.
At this point then I want to take you back around 12-13 years, where I was highlighting some of these issues at a pretty high level in the UK. As a result, a Proof Of Concept project was funded to identify how we could link and acquire CCTV evidence using remote access, to speed up video evidence acquisition. This would not only avoid poor screen snaps by officers and incorrect evidence obtained from owners not understanding what was required, but also avoid CCTV retrieval officers from travelling to the locations. Here is the important bit! – We were not going to wait for it to be delivered to us…. we would be the ones recovering it. Rather than CCTV owners making the evidence decisions, it would be us. They would give us access, that access was recorded and there was a full data trail for monitoring and transparency.
It was a success, and this was even with all the various firefalls and restrictions of police networks. I could recover evidence remotely, with a full evidencable trail.
A few years later this was worked on again but unfortunately this was at a time where funding had completely dried up. It was again shelved.
They appear to be handing the job of evidence recovery to the public. This is, in my opinion, wrong.
Video evidence is easily changed, misinterpreted, misused and misunderstood. The moment it is changed, its integrity and authenticity is reduced. The original pixels, those small little squares of light and color that make up the image, are the evidence. Most CCTV owners don’t know what’s the best evidence, and what they should give to the police.
Let me give you an example….
A CCTV System records its video. The owner accesses the system using his mobile device and saves the video on his device, where he then forwards it to an investigator. It looks OK from the untrained eye.
The received video is dramatically different from the original, with much less data, half the pixels, changes to the field of view and also the timing/speed.
Video Evidence is already an easy target but Defence lawyers will be lining up if we allow evidence recovery to be done by people who don’t know what they are doing.
They appear to be choosing the easy option. Do they do this with any other physical evidence?
I hope that the people involved in this reach out to the few Certified Forensic Video Analysts and Technicians in the UK and ask to be shown what the problem is here.
I can see the job having to be done twice – An owner submits footage, and then someone has to check it and go out and attempt to get it correctly. If its been deleted or lost then what happens? Can decisions be made on a reduced quality format, or has its ability to answer questions been reduced because it was not obtained correctly? ..and if nobody checks it and an attempt to get the best evidence is not made – is that a breach of process?
Lets do it right first time. Is that not the most simplest option?
If readers of this blog wish to comment through me, I will collate and send through as one.
Please be concise and specific.
Remember that images and video have to to pass through a forensic architecture to ensure integrity and reliability in any judicial process. This is our chance to ensure that the codes support this, eliminating the two tier image/video pathway currently being utilized within the UK Criminal Justice System. When there are no safeguards in place, images and video can get into the System that are incorrectly acquired, processed, interpreted and presented.
Use the comments section below so others do not duplicate issues.
OK, lets get this out of the way at the start and then work backwards!
What is an ‘Open Format’?
“An open format is a file format for storing digital data, defined by a published specification usually maintained by a standards organization, and which can be used and implemented by anyone. … In contrast to open formats, closed formats are considered trade secrets”
Things get a bit more tricky for the multimedia community as formats are merely the boxes that contain the audio, video and other data such as text, date/time or speed information.
The video and audio components will be coded using a codec, allowing for the correct decoding of the information during playback. Think of it as a language. If its been written in Italian, it needs to be read or listened to in the same language!
There are hundreds, if not thousands of codecs. There are also open codecs.
Now that we have an understanding of the term ‘open’, let us look at what this means to the average Forensic Video Analyst having to deal with surveillance footage from a CCTV system.
They are a small cog in the public safety and justice system. The start point for their workflow starts with the products provided by the security industry.
This is known as the Camera to Court evidence chain for CCTV.
If any of the components leading up to the Analysis are ‘closed’ or ‘proprietary’ then we hit a problem……..And, just to make matters a bit more complicated, every manufacturer can do it differently, so there are thousands of unknowns!
To be honest, it’s one of the enjoyable parts of my job, everything starts out as research and testing…but it shouldn’t be that way as we should all playing for the same team!
I honestly think that some kit has been made purely to frustrate the hell out of any investigator required to deal with the footage!
There are a few manufacturers that still use completely closed recording methods, codecs and players. There is no method to analyze and understand the original recording method and deal with it quickly and effectively within a forensic framework.
There are many manufacturers that have closed components. They may use an open format, and an open video codec, but they then use a closed audio codec, and a proprietary method for storing the date and time text information.
There are many manufacturers that use open codecs, but then store the data in a closed, proprietary format.
There are many manufacturers that use open codecs and open formats….but then ruin it all by providing a player that distorts and changes the footage when played!
Many years ago, I was lucky to work alongside those writing the National CCTV Strategy under the then ACPO lead for CCTV, Mt Graeme Gerrard. Some of the unfinished components of this should have been picked up by the Security Camera Commissioner (SCC), and the Forensic Science Regulator.
One of those Components was the establishment of standards for storing and exporting.
In the most recent update from the standards group from the SCC, there is still no sign of anything happening.
Perhaps it is in the new Surveillance Camera Commissioner’s Buyers Toolkit.
Or is it still stuck in the ‘too hard to do box’?
If so, can someone please take out!
It’s a pretty simple problem to solve…
Manufacturers will not make stuff that people won’t buy.
Buyers will purchase the products that that fit their needs.
In the middle is the shop, the installer, or the consultant…. Lets use the term now being used by the SCC – The ‘Service Provider’.
If we can empower the Service Providers with better knowledge, to ensure that only those products with open formats, offering transparency and understanding throughout the Camera to Court model are sold or installed, then the entire system will improve.
And then what happens? – the evidence gets obtained faster and is of a higher quality.
Take a look at one of the tests I completed at IFSEC back in 2014..
These problems are just a handful of the issues we have to deal with, but could so easily be eradicated if only the service providers understood what was needed further down the chain.
Now… I know that ‘some’ do. I actually work with a few consultants and am very aware that they take the Criminal Justice System into account when specifying equipment. They would not install a XXXXXXX DVR for instance because they know that it records in a closed format.