Tuesday, April 29, 2014

Computer Forensics vs Multimedia Analysis

Over the weekend, Larry Compton posted this excellent article on the differences between computer forensics and multimedia analysis. Check it out by clicking here.

Monday, April 28, 2014

Supreme Court to Weigh Cellphone Searches

This article from the Wall Street Journal points out an interesting fight between privacy advocates and law enforcement.

If you're concerned about your privacy and your phone's contents, always have the latest model phone and make sure it's password/swipe protected. If you're law enforcement, you'll need a very expensive set of tools to crack passwords, JTAG, and chip-off phones when arrestees invoke their Fifth Amendment right to silence, and refuse to give up their password.

Thursday, April 24, 2014

Hiring and training analysts

How did you arrive at being an analyst? Were you a direct hire? Did you transfer in from Patrol or Detectives?

David Watson and Andrew Jones give the following advice on employee issues as regards Digital Forensics Processing and Procedures:

3.1.3.10 Qualifications. The Laboratory Manager must hire employees of sufficient academic qualifications or experience to provide them with the fundamental scientific principles for work in the Forensic Laboratory and must be assured that they are honest, forthright, and ethical in their personal and professional life.

3.1.3.11 Training. The Laboratory Manager shall provide training in the principles and the details of forensic science as it applies to the Forensic Laboratory requirements.

Training must include handling and preserving the integrity of physical evidence. Before analysis and casework are performed, specific training for the processes and procedures as well as for the specific tools to be utilized must be undertaken. A full training program for all Forensic Analysts and Investigators must be developed.

3.1.3.12 Maintaining Employee Competency. The Laboratory Manager must monitor the skills and proficiency of the Forensic Analysts on a continuing basis as well as on an annual basis as required by Human Resources procedures. The Forensic Laboratory has an ongoing program of training, awareness, and competency.

3.1.3.13 Employee Development. The Laboratory Manager must foster the development of the Forensic Analysts and Investigators for greater job responsibility by supporting internal and external training, providing sufficient library resources to permit the Forensic Analysts and Investigators to keep abreast of changing and emerging trends in forensic science, and encouraging them to do so. The Forensic Laboratory has an ongoing program of training, awareness, and competency.

Tons of questions evolve from their book as it relates to Digital Multimedia Analysts. What are the basic qualifications? How much training do you need to start working? Which training? Which training provider? What about continuing education? Is your employer committed to your continuing education and development? Is your agency at the leading edge or always two steps behind? Is it ethical to be two steps behind?

There's certainly a lot to consider when deciding to go down this road.

Tuesday, April 22, 2014

Predictive coding techniques

Independent frames, bi-directional frames, and predictive frames. Which would you rather deal with? How would you explain what's going on?

Last year, I shared this graphic with you. The graphic is an oversimplification, of course. As with everything in life, the devil's in the details. In terms of predictive frames, there are different ways of arriving at those pesky P-frames. Here's some information on a couple of the most popular methods seen in DCCTV.

Delta Modulation (DM): "The signal is first quantised into discrete levels, but the size of the step between adjacent samples is kept constant. The signal may therefore only make a transition from one level to an adjacent one. Once the quantization operation is performed, transmission of the signal can be achieved by sending a zero for a negative transition, and a one for a positive transition. Note that this means that the quantised signal must change at each sampling point.

The demodulator for a delta-modulated signal is simply a staircase generator. If a one is received, the staircase increments positively, and if a zero is received, negatively. This is usually followed by a lowpass filter."


"The key to using delta modulation is to make the right choice of step size and sampling period —an incorrect selection will mean that the signal changes too fast for the steps to follow, a situation called overloading. Important parameters are therefore the step size and the sampling period."


Disadvantages are thus:

  • Usually relatively poor result.
  • Edges and rapid changes are difficult to code.
  • Error propagation at the reconstruction.
  • Granularity noise, due to switching between two levels

If you encounter a DM encoded video with a lot of motion or small fine details that are completely gone, there's really no fixing it. 

Differential Pulse Code Modulation (DPCM): "According to the Nyquist sampling criterion, a signal must be sampled at a sampling rate that is at least twice the highest frequency in the signal to be able to reconstruct it without aliasing. The samples of a signal that is sampled at that rate or close to generally have little correlation between each other (knowing a sample does not give much information about the next sample). However, when a signal is highly oversampled (sampled at several times the Nyquist rate), the signal does not change a lot from one sample to another. Consider, for example, a sine function that is sampled at the Nyquist rate. Consecutive samples of this signal may alternate over the whole range of amplitudes from –1 and 1. However, when this signal is sampled at a rate that is 100 times the Nyquist rate (sampling period is 1/100 of the sampling period in the previous case), consecutive samples will change a little from each other. This fact can be used to improve the performance of quantizers significantly by quantizing a signal that is the difference between consecutive samples instead of quantizing the original signal. This will result in either requiring a quantizer with much less number of bits (less information to transmit) or a quantizer with the same number of bits but much smaller quantization intervals (less quantization noise and much higher SNR)."
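The two schemes quoted above, as an added Python sketch (not code from this post or from the quoted sources). It shows granular noise, slope overload at an edge, error propagation from one damaged bit, and the DPCM gain on an oversampled sine. The step sizes, the previous-sample predictor, the function names, and the constructed test signals are assumptions chosen for illustration.

```python
import math

def dm_encode(samples, step, start=0.0):
    """Delta modulation: emit 1 for a step up, 0 for a step down (one bit per sample)."""
    bits, level = [], start
    for s in samples:
        bit = 1 if s >= level else 0
        level += step if bit else -step
        bits.append(bit)
    return bits

def dm_decode(bits, step, start=0.0):
    """The staircase generator from the quote (the low-pass filter is omitted)."""
    out, level = [], start
    for bit in bits:
        level += step if bit else -step
        out.append(level)
    return out

def dpcm_encode(samples, step, nbits, start=0.0):
    """DPCM with a previous-sample predictor: quantise the difference between each
    sample and the decoder's running reconstruction to a signed nbits code."""
    qmax = 2 ** (nbits - 1) - 1
    codes, recon = [], start
    for s in samples:
        code = max(-qmax, min(qmax, round((s - recon) / step)))
        recon += code * step          # track exactly what the decoder will rebuild
        codes.append(code)
    return codes

def dpcm_decode(codes, step, start=0.0):
    out, recon = [], start
    for code in codes:
        recon += code * step
        out.append(recon)
    return out

def pcm_quantise(samples, nbits):
    """Plain uniform quantiser over [-1, 1], for comparison with DPCM."""
    q = 2.0 / (2 ** nbits - 1)
    return [round((s + 1.0) / q) * q - 1.0 for s in samples]

def max_error(a, b):
    return max(abs(x - y) for x, y in zip(a, b))

def demo():
    # Constructed inputs: a flat area, a hard edge, and a sine sampled 200x per period.
    flat = [0.0] * 8
    edge = [0.0] * 4 + [1.0] * 8
    sine = [math.sin(2 * math.pi * n / 200) for n in range(200)]

    # Granular noise: a constant signal still toggles up/down every sample.
    granular_bits = dm_encode(flat, 0.1)

    # Slope overload: the staircase climbs one step per sample and lags the edge.
    edge_bits = dm_encode(edge, 0.1)
    edge_final = dm_decode(edge_bits, 0.1)[-1]

    # Error propagation: one flipped bit shifts every later sample by 2 * step.
    sine_bits = dm_encode(sine, 0.04)
    damaged = list(sine_bits)
    damaged[50] ^= 1
    clean, bad = dm_decode(sine_bits, 0.04), dm_decode(damaged, 0.04)
    flip_offsets = [abs(c - b) for c, b in zip(clean[50:], bad[50:])]

    # Same 4 bits per sample: quantising differences vs. quantising amplitudes.
    dpcm_err = max_error(sine, dpcm_decode(dpcm_encode(sine, 0.01, 4), 0.01))
    pcm_err = max_error(sine, pcm_quantise(sine, 4))

    return {
        "granular_bits": granular_bits,
        "edge_bits": edge_bits,
        "edge_final": edge_final,
        "flip_offsets": flip_offsets,
        "dpcm_err": dpcm_err,
        "pcm_err": pcm_err,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if name != "flip_offsets" else (min(value), max(value)))
```

The edge case is the one that matters for casework: eight samples after the jump to 1.0 the staircase has only reached about 0.8, which is the detail loss that cannot be recovered afterward.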

Monday, April 21, 2014

Why your fingerprints may not be unique

This just in from the UK Telegraph, "Fingerprint evidence linking criminals to crime scenes has played a fundamental role in convictions in Britain since the first forensic laboratory was set up in Scotland Yard in 1901.

But the basic assumption that everyone has a unique fingerprint from which they can be quickly identified through a computer database is flawed, an expert has claimed.

Mike Silverman, who introduced the first automated fingerprint detection system to the Metropolitan Police, claims that human error, partial prints and false positives mean that fingerprints evidence is not as reliable as is widely believed.

Nobody has yet proved that fingerprints are unique and families can share elements of the same pattern.

And there are other problems, such as scanning fingerprints of the elderly as their skin loses elasticity and in rare conditions leaves some people with smooth, featureless fingertips.

Mr Silverman, who was the Home Office’s first Forensic Science Regulator, said: “Essentially you can’t prove that no two fingerprints are the same. It’s improbable, but so is winning the lottery, and people do that every week.

“No two fingerprints are ever exactly alike in every detail, even two impressions recorded immediately after each other from the same finger.

“It requires an expert examiner to determine whether a print taken from crime scene and one taken from a subject are likely to have originated from the same finger.”
However there are numerous cases in which innocent people have been wrongly singled out by means of fingerprint evidence."

Continue reading the article by clicking here.

Friday, April 18, 2014

What is enhancement

What is enhancement? According to Anil Jain, in his classic Fundamentals of Digital Image Processing, "in image enhancement, the goal is to accentuate certain image features for subsequent analysis or for image display." Thus, again we see that enhancement and analysis are two distinct processes; enhancement setting you up for a better analysis.

Anil Jain also points out that enhancement algorithms are generally "application-dependent." I might add that some are generally accepted and can be found in most image processing texts. Others are proprietary and found only in a single program. This is an important point when choosing where and how much to spend on equipment and software - and training (you won't find Adobe's "Shadows and Highlights" in Amped FIVE, but you can replicate the results using a mix of FIVE's filters).

This came up in a conversation with a local LE agency. They have an Adobe based workflow and were looking to modernize and get more training. They've been bombarded with solicitations from the various training vendors. My advice was simple, pick your direction first. Decide on what equipment and software you will have. Then your training choices will be simpler. To be more specific, if you aren't an Ocean Systems customer and do not own an Avid Media Composer, then you'll have trouble seeing the value in the LEVA courses as they are mostly based on the offerings from Avid and Ocean. If you're sticking with Adobe, then the choices are similarly clear and plentiful.

Each software vendor offers training. If you're looking to expand to actual analysis and choose Amped Software or Cognitech, both vendors have training in their product lines wrapped in the LE context. Neither vendor is a feature at the LEVA Lab nor do their products feature into the LEVA Level 1-3 curriculum. So, if you buy from Cognitech, you're better off taking their training first and becoming proficient on your new equipment within your own context before branching out into other training venues that are not specific to your software choices.

But the bottom line, from Anil Jain: enhancement is not analysis.

Thursday, April 17, 2014

Jeremiah MacKay Memorial Highway

This week, a stretch of Highway 138 was dedicated as the Jeremiah MacKay Memorial Highway. Detective Jeremiah MacKay was fatally shot in the line of duty February 12, 2013.

May it serve as a monument to his courage, bravery, and ultimate sacrifice to protect our community.

Wednesday, April 16, 2014

Authentication and Content Analysis of Images

This story has me laughing. "How many books has Jay Carney read? DC mag Photoshops the White House press secretary's bookshelves to fill in the blanks."


How many instances of forgery can you spot in this image? How's this for an overly Photoshopped image?


Wow!!! They even cut the kid's finger off. That's just plain lazy.

Check out the whole article by clicking here.

Tuesday, April 15, 2014

FIVE now supports around 70% of proprietary formats on the market

Yesterday, Amped Software announced a significant update to FIVE. Here's what's new and improved:

  • Video Loader: if format is not properly decoded, tries to apply the DVR conversion
  • Video Loader: added buttons to panel for DVR conversion
  • Video Writer: fixed rounding error which was not always setting the precise output frame rate
  • Component Separation: additional parameter to extract a specific channel without the need of an additional filter
  • Software protection: corrected bug on systems with multiple Amped dongles (only the first was recognized) [I noticed this when leaving dongles in for FIVE and Authenticate]
  • Filter Settings: on/off button icon changes when toggled
  • DVR Change Container To AVI: improved support for proprietary DVR formats conversion (now supports around 70% of formats on the market)
  • DVR Change Container To AVI: if the input file path is not writable (e.g. DVD) it saves the converted file on the Desktop
  • User Interface: improved Filters panel mouse over behavior to avoid inadvertently change filter group
  • Video decoding: avoid crash for videos that have a frame rate of zero (variable frame rate), setting it to 1 as default.

With the conversion of format being the bulk of my current work, this is huge news. FIVE is a great time saving tool given that you have the proprietary file preserved - and most times the investigator just needs a quick look to see if the video is relevant.

UFED Phone Detective for your Android Phone

This just in from the folks at Cellebrite: "The UFED Phone Detective mobile app is a fast, easy way to view forensic extraction and decoding capabilities, as well as connectivity methods, for any mobile device profile supported by UFED 4PC/Touch/Classic.

Use the UFED Phone Detective mobile app to search vendors and mobile device names. If needed, easily drill down to specific support information, including whether the extraction can bypass the device's lock."

Pretty cool idea. Now you can ditch that crazy spreadsheet.

Monday, April 14, 2014

Senate Commerce Committee Approves Bill Ensuring Forensics Practices are Based on Best Science

The Senate Committee on Commerce, Science and Transportation approved the Forensic Science and Standards Act of 2014, establishing scientific review and standards for forensic sciences, Wednesday. The bill, which was introduced by Committee Chairman John D. (Jay) Rockefeller IV, was unanimously voted out of committee by a bipartisan voice vote and clears the way for the bill to be considered by the full Senate.

Unvalidated and improper forensic science is one of the greatest contributors to wrongful convictions, playing a role in nearly half of the 316 cases later overturned by DNA evidence. The landmark 2009 National Academy of Sciences’ report, Strengthening Forensic Science in the United States: A Path Forward, found that there is a desperate need to improve the validity and scientific quality of forensic evidence.

The Forensic Science and Standards Act would employ existing scientific agencies to develop and direct forensic research and set and implement standards for the forensic disciplines, helping to ensure that these disciplines are based on solid, reliable research.

Here are some interesting quotes from the text of the bill:

"The term forensic science means the basic and applied scientific research applicable to the collection, evaluation, and analysis of physical evidence, including digital evidence, for use in investigations and legal proceedings, including all tests, methods, measurements, and procedures."

"… the term applied scientific research means a systematic study to gain knowledge or understanding necessary to determine the means by which a recognized and specific need may be met."

"Forensic science standards
(a) Establishment
(1) In general
The National Institute of Standards and Technology shall—
(A) identify or coordinate the development of forensic science standards to enhance the validity and reliability of forensic science activities, including—
(i) authoritative methods, standards, and technical guidance, including protocols and best practices, for forensic measurements, analysis, and interpretation;
(ii) technical standards for products and services used by forensic science practitioners;
(iii) standard content, terminology, and parameters to be used in reporting and testifying on the results and interpretation of forensic science measurements, tests, and procedures; and
(iv) standards to provide for the interoperability of forensic science-related technology and databases;
(B) test and validate existing forensics standards, as appropriate; and
(C) provide independent validation of forensic science measurements and methods."

Three cheers for the Senate Commerce Committee.

Friday, April 11, 2014

Photoshop works great for creating composite images

As an artistic tool, Photoshop is awesome for creating composites. But, if you want to know why the courts are increasingly concerned with the use of artistic tools, watch this video. Photoshop Principal Product Manager Bryan O'Neil Hughes explains how to add people to images in this helpful episode of Photoshop Playbook.

Thursday, April 10, 2014

Avid news

Good news. I had a brief e-mail exchange with the folks at Ocean Systems. They assure me that the dTective tools will work in the new version of Media Composer that will soon be released.

A lot of folks out there rely upon their Media Composer on a daily basis. For me, Media Composer is more of a trial support specialty tool. There are some things that it does quite well and it's been a life saver on several occasions. And, I know it can be an expensive solution, but it's better to have it and not need it than need it and not have it.

Wednesday, April 9, 2014

RIP LAPD Motor Officer Christopher Cortijo


Los Angeles, April 9, 2014 - On behalf of all members of the Los Angeles Police Protective League (LAPPL), President Tyler Izen responded to the tragic news that the Los Angeles police motorcycle officer who was struck by a DUI driver in Sun Valley on Saturday has passed away. The accident occurred at the intersection of Saticoy Street and Lankershim Boulevard around 5:34 p.m. Motor Officer Christopher Cortijo was stopped at a traffic light when he was struck from behind by a red Chevrolet Blazer traveling at a high rate of speed. The officer ended up pinned between two vehicles.

“Our hearts are broken,” Izen said. “The LAPPL is saddened to learn of the tragic death of Officer Christopher Cortijo who was killed upholding the oath he swore: To protect his community. We extend our deepest condolences to the Cortijo family, friends and coworkers. Officer Cortijo paid the ultimate sacrifice in service to his community. We ask that the community please keep Officer Cortijo and his family in their prayers, and remember the sacrifices paid by law enforcement officers to keep our communities safe.”

Tuesday, April 8, 2014

Update: Large Emergency Event Digital Information Repository Test

Please consider taking a few minutes on April 10th to participate in the LEEDIR Operational Test!

What: LEEDIR (Large Emergency Event Digital Information Repository) Operational Test

When: Thursday, April 10, 2014 - 9:00am - Noon (Pacific Time)

How: Simply upload a random 1-3 minute video or still images shot with your cell phone, laptop, iPad, or computer. The video can be of anything. Please consider your agency policy and local laws regarding capturing video of the public without their consent.

NOTE: This is an operational test and NOT a human research project. The purpose is to test the system’s ability to accept large amounts of digital information (video) from diverse sources. All data will be purged at the end of the test.

The LEEDIR Eyewitness Platform INVITES YOUR PARTICIPATION! See: HTTP://leedir.us/howitworks for additional information.

The LEEDIR technology enables law enforcement and relief agencies to receive and rapidly analyze eyewitness videos and photos submitted by citizens during large emergency events.

Your participation in this exercise is being requested to help simulate a level of eyewitness photo and video submissions that would be expected during a major emergency event.

Law enforcement agencies around the nation have been invited to submit photos and videos to the LEEDIR platform through the LEEDIR website (leedir.us), iPhone app (available now at the App Store) or the Android app (available March 23rd at the Google Play Store).

As submissions are uploaded, investigators at the LASD Cyber Investigations Center (CIC) will review, manage, analyze and distribute the photos and videos as they would during a real major emergency event, to simulate better information flow to their emergency response teams and to “gather evidence”. During the event, analytics and statistics will be published, followed by a press conference at Sheriff’s Headquarters Bureau to broadcast the results.

More info at: http://www.leedir.us/about

Monday, April 7, 2014

Avid Everywhere Strategic Vision

Whilst you were deeply ensconced in baseball's opening weekend, Avid shifted gears completely - as announced at Avid Connect.

Avid just announced their new AvidCentral platform - or Avid in the cloud. This means that they've embraced Adobe's Creative Cloud vision for software as a service, but with a very significant difference.

This from Avid's web site:

"Whether you create music, movies, television shows, news broadcasts, video, or other media, competition and consumer demand have led to overwhelming pressure for greater efficiency. But today’s workflows often involve piecing together a puzzle of disparate products, services, and technologies to build your digital media value chain, from media creation and management tools, to monetization solutions.

We’re solving this challenge by introducing the Avid MediaCentral Platform — an open, extensible, and customizable foundation that streamlines and simplifies workflows by tightly integrating all products and services that run on top of it, bringing the Avid Everywhere vision to life. The platform provides the utmost security and protection, enabling you to create and deliver content in smarter, faster, and easier ways — with the Avid and third-party solutions you choose to use.

Avid MediaCentral doesn’t require any additional software purchase or installation to access or use, as it’s built into the framework of many Avid products you may own, though additional components and installation may be needed to extend workflows. What’s more, you can customize your platform functionality by adding services and components when you need them, and turning them off when you don’t."

It looks like Media Composer will be offered both as a stand-alone software product (boxed?) and as cloud based software. Media Composer Cloud used to be called Interplay Sphere.

In any event, Media Composer has been completely overhauled to accommodate this new initiative. The interesting development is with the new Application Manager - how Media Composer is handling third-party plug-ins.

"Media Composer comes with a new application manager that keeps you up to date with your software. See what Avid software, AMA plug-ins, and related third-party applications you have installed on your system. Get notified when new updates, upgrades, and renewals are available. Activate and download new software, updates, and upgrades from the interface. And if you’re interested in a new product or upgrade, you can even see if a software trial is available to try it out first. It will even alert you about special offers, upcoming webinars, and events."

Like the problem with older versions of Photoshop, upgrading from one version to the next sometimes meant that your favorite plug-ins wouldn't work in the new version. If your plug-in vendor couldn't/wouldn't make the change and release an update, you were stuck with a choice - or two versions of PS on your computer.


So, given the way that Avid works, upgrading to the new version will cost money. How much that will cost has yet to be announced. I'm sure our friends at Ocean Systems got word of this change early on as they are Avid partners. Hopefully, they're hard at work making their popular Avid plug-ins ready for the new Application Manager environment.

So, as Avid goes chasing after Adobe, they're completely oblivious as to your needs in law enforcement. They're excited for the new creative options that this new initiative will bring their Hollywood customers. For law enforcement, you'll need to up your budget a bit to take advantage of this new technology. Or … you can do as I did and select a purpose built solution that accommodates both your qualitative and quantitative needs. Currently, there are just a few options that fit this bill - Cognitech and Amped Software's FIVE. Of these two, FIVE is by far the least expensive (total cost of ownership) and easiest to use.

Friday, April 4, 2014

Quantitative, Qualitative, and Trial Support

We've discussed Quantitative vs. Qualitative before. But, a few readers are upset about the way it's been presented. So, I wanted to address their issues by going over a few popular solutions from the standpoint of - what does the tool actually do, and is that "analysis?"

From Ocean Systems (italics are mine):

Each Complete dTective system provides the following capabilities:

Process Digital (DVR) or Analog Video Evidence

  • DVR security video - decode digital video (DVR) files from proprietary security systems into uncompressed video [change of format is a trial support function]
  • Demultiplex video [qualitative improvement]
  • Enhance dark video and poor quality video security and surveillance video [qualitative improvement]
  • Print stills from Video to photo paper or digital files for fast distribution [trial support]
  • Archive to CD or DVD [trial support]
  • Highlight or obscure important areas of forensic video tapes [qualitative / trial support]
  • Magnify video to display the result either full screen, or to a user defined portion on screen. [qualitative / trial support]
  • De-interlace field recorded forensic video to avoid blurry stills printed from video [qualitative improvement]
  • ClearID Forensic video and image enhancement tools [qualitative improvement - Photoshop plug-in]
  • Contrast and brightness adjustment [qualitative improvement]
  • Video stabilization [qualitative improvement]
  • Insert case notes linked to forensic video evidence [trial support]
  • Automatic project archiving [trial support]
  • Variable slow motion speed adjustment to compensate for time lapsed video [qualitative improvement]
  • Picture in Picture [trial support]
  • Titling and labeling [trial support]
  • Combine and stack tools [UI flexibility]
  • User definable layout and keyboard/interface short cuts [UI flexibility]

Not one of the above is quantitative in nature - counting, measuring, comparing, or authenticating.

Cognitech's Tri-Suite 2011 contains VideoInvestigator [qualitative improvements], VideoActive [qualitative improvements], and AutoMeasure [quantitative analysis - photogrammetry].

There may be an additional cost to using Cognitech software in that you'll need their Video Acquisition card. If your PC can't support it, then you'll need a new PC.

Amped Software's product selection includes FIVE [quantitative and qualitative tools in one package] and Authenticate [quantitative analysis - authentication]. Trial support functions are shifted to their friends at GP SIFT. The nice thing about this approach is that the quantitative / qualitative tools are mostly in one place, FIVE. If you don't do trial support, you won't need to spend extra on GP SIFT. Likewise, if you're not doing authentication, you won't need Authenticate.

So, there it is. You decide what's best for you.

Thursday, April 3, 2014

Crop in Amped FIVE

I've had a few questions come in about reading the automatically generated report from Amped Software's FIVE. Today, we'll deal with the report as it deals with the Crop command.

First, it's important to remember that things in the Amped world go clockwise from the top left of the screen. Thus, the position at the top left of your image is X=0, Y=0.

The report features a set of four numbers. These are X=, Y=, W=, H=. This can be read as, from the X,Y position, the crop is W,H.

As an example, 463, 176, 272, 376 can be read as from X=463, Y=176, the cropped area is 272 wide by 376 high. Remember, the X,Y position is the top left of the cropped area. Thus, the 272 goes to the right of the image and the 376 goes down.

Enjoy.

Wednesday, April 2, 2014

The importance of SOPs

Standard Operating Procedures. Do you know the term? Does your agency have SOPs for digital multimedia forensics?

Judging by the number of questions I receive, and the number of questions received by friends in the field, agencies are trying to get their house in order as regards SOPs. Folks are asking around, "hey, does anyone have an SOP for analyzing mobile phones?" Audio analysis and video analysis are other frequent topics.

But what happens if you don't have an SOP, and you're asked about it in testimony? How will you respond? Does your agency allow you to create your own SOP without getting appropriate permissions and sign-offs?

Here's an example of an SOP from NIST. It's not for video, audio, or mobile phones ... but it lays out the important elements. There's an introduction, a list of steps, forms, tables, etc. Another good item to include is a log of changes to the SOP.

It doesn't have to be complicated, but you should at least have something on paper that governs your work.


Tuesday, April 1, 2014

Scientific Method


Here's a helpful reminder of the steps involved in the Scientific Method.

If you are a "forensic scientist," do you follow this method of enquiry?