Wednesday, July 4, 2018

How would you know?

It's been a while since I last presented at a LEVA conference. This time, I'm going to presenting a topic that features some rather interesting information for Forensic Multimedia Analysts.

In editing the Session Descriptions, LEVA's Training Coordinator has seen fit to pay a visit to my web page and lift a bit of information about my educational journey to add to the Speaker's biography that was submitted. That's fine. I'll play along. In this article, I'll illustrate what I've learned along the way to earning the degrees listed in my bio. It's what I've learned along the way that will be the feature of my LEVA talk - introduced here.

Yes, like many in law enforcement (including at least one of my fellow presenters at the Conference), I have degrees in Organizational Leadership. This is a solid degree choice for anyone aspiring to leadership in their organization, public or private. The difference between a "management" degree, like an MBA, and a "leadership" degree like mine (BOL / MOL) is quite simple actually. Managers correct things that have gone wrong. Leaders help things go right in the first place. I happen to have received my degrees (BOL and MOL) from a 130+ year old brick-and-mortar business school. Earning a business degree from a long-established business school leaves you with an incredible foundation in business principles. So what? What does that have to do with Forensic Multimedia Analysis?

Here's the "so what" answer. Let's examine the business of DVR manufacturing from the standpoint of determining the DVR's purpose and if it fulfills its purpose. Attempting to identify purpose / fit for purpose of the parts in the recording chain is one of the elements of the Content Triage step in the processing workflow. Why did the device produce a recording of five white pixels in the area where you were expecting to see a license plate? Understanding purpose helps answer these "why" questions.

What is the purpose of a generic Chinese 4 channel DVR? The answer is not what you think.

For our test, we'll examine a generic Chinese 4 channel DVR, the kind found at any convenience store around the US. It captured a video of a crime and now you want to use it's footage to answer questions about the events of that day. Can you trust it?

Take a DVR sold on Amazon or any big box retailer. There's the retail price, and there's the mark-up along the way to the retailer.

When you drill down through the distribution chain to the manufacturer, you find out something quite amazing, like this from

The average wholesale price of a 4 channel DVR made in China is $30 / unit. Units with more camera channels aren't much more. Units without megapixel recording capability are a bit less. This price is offered with the manufacturer's profit built in. Given that the wholesale price includes a minimum of 100% markup from cost, and that there is a labor and fixed costs involved, the average Chinese DVR is simply a $7 box of parts. The composition of that box of parts is entirely dependent upon what's in the supply chain on the day the manufacturing order was placed. That day's run may feature encoding chips from multiple manufacturers, as an example. The manufacturer does not know which unit has chips from a particular manufacture - and doesn't care as long as it "works."

What's the purpose of this DVR? The purpose has nothing to do with recording your event. The purpose is to make about $15 in profit for the manufacturer whilst spending about $15 on parts, labor, and overhead. Check again for 4 channel DVRs on There's more than 2500 different manufacturers in China offering a variety of specs within this space ... all making money with their $7 box of parts.

Let's say the $7 of parts at your crime scene recorded your event at 4CIF. You are asked to make some determination that involves time. You'll want to know if you can trust your $7 box of parts to accurately record time. How would you know?

One of the more popular DVR brands out west is Samsung. But, Samsung doesn't exist as such anymore. Samsung Techwin (Samsung's CCTV business unit) was sold to Hanwha Group a few years ago and is now sold as Hanwha Techwin (Samsung Techwin) in the US. Where does Hanwha get their $7's worth of parts within the supply chain? China, for the most part. China can make DVR parts a lot cheaper than their Korean counterparts.

Here's the specs from a Hanwha Techwin HRD-440.

This model, recording at 4CIF, for example, can record UP TO 120fps across all of it's channels. UP TO means it's max potential recording rate. It does not mean it's ACTUAL recording rate at the time of the event in question. The "up to" language is placed there to protect the manufacturer of this $7 box of parts against performance claims. If it was a Swiss chronometer, it wouldn't need the disclaiming language. But, it's not a Swiss chronometer - it's a $7 box of parts.

What does the recording performance of the channel in question in the specific evidentiary DVR look like when it alone is under load (maximum potential recording rate)? What about the recording performance of the channel in question (at max) when the other channels move in and out of their own maximum potential recording rate? What happens within the system when all channels are at the max? Remember also that systems like these allow for non-event recording to happen at lower resolutions than event recording (alarm / motion). How does the system respond when a channel or all channels are switching resolutions up / down? How does what's happening internally compare with the files that are output to .avi or .sec files? How do these compare to data that's retrieved and processed via direct acquisition of the hard drive?

How would you know? You would build a performance model. How would you do that if you have no experience? I'll introduce you to experimental science in San Antonio - at the LEVA conference. Experimental science is the realm of any with a PhD, regardless the discipline (this is where Arizona v Romero comes into play). If you think the LEVA Certification Board is a tough group, try defending a dissertation.

Why a PhD in Education, you might ask. Three reasons. There are no PhDs in Forensic Multimedia Analysis for one. The second reason, and the subject of my dissertation, deals with the environment on campus and in the classroom that causes such a great number of otherwise well qualified people to arrive on campus and suddenly and voluntarily quit (withdraw). The results of my research can be applied to help colleges configure their classes and their curriculum, as well as to train professors to accommodate a diverse range of students - including mature adults with a wealth of knowledge who arrive in class with fully formed and sincerely held opinions. The third reason has to do with a charity that I founded a few years ago to help bring STEM educational help to an underserved community and population of learners in the mountain communities of northern Los Angeles / southern Kern counties in California.

Imagine that you've been told by your chain of command that you must have certain level of education to promote at your agency. That's what happened to me. I was minding my own business with a AS in Political Science that I cobbled together after my college football career, such as it was, crashed and burned after injury. I later found myself in police service when these new rules were instituted. But, thankfully, our local Sheriff had approached the local schools promising butts in seats if they'd only reduce their tuition. So I finished my Bachelors degree at an esteemed B-school for $7k and stayed there for a MOL for only $9k. The PhD path wasn't cheap, but it was significantly cheaper than it would have been without the Sheriff's office's help. As to why I chose to go all the way to PhD, that was the level of education necessary to make more pensionable money had I decided to switch from being a technician making more than half-again my salary in overtime (which isn't pensionable, sadly) to management. But, I digress. Back to work, Jim.

Sparing you the lecture on time and temporality here, the basic tenet of experimental science is that you can only measure "now." If you want to know what happened / will happen, you need to build a model. Meteorologists build a model of future environmental patterns to forecast the weather for next week. They don't measure next week's weather properties today. The same hold true across the sciences. Moneyball was a Quant's attempt to model behavior in order to achieve a future advantage in sports.

When modeling performance, it's important to use valid tools and to control for all variables (as best as possible). At a minimum, it's important to know how your tools are working and how to not only interpret the results produced but to spot issues of concern within the results.

As an example, pretty much everyone in this space is familiar with FFMPEG and it's various parts. Let's say that you use the command line version to analyze the stream and container of the .avi file from our example DVR (it's all you have to work with). It's an NTSC DVR and the results from your analysis tool indicate a frames per second (fps) of 25. Is this correct? Would you necessarily expect 25fps from an NTSC DVR? Is this FFMPEG's default when there's no fps information in the file (it's a European tool after all)? Does total frames / time = 25fps? If yes, you're fine. If not, what do you do? You test.

Is your single evidentiary file (sample size = 1) sufficient to generalize the performance of your $7 box of parts? Of course not. In order to know how many samples are needed to generalize the results across the population of files from this specific DVR, you need to test - to build a performance model. How many unique tests will gain you the appropriate number of samples from which to build your model? Well, that depends on the question, the variables, and the analysts' tolerance for error ... and that's the focus of my talk at the LEVA conference.

The information from my workshop plugs in rather nicely with many of the other presentations on offer at the Conference. There's a rather synergistic menu from which to choose from this year. Many presentations will feature how-to's of different techniques. Mine will show you how to identify the variables within those exercises, as well as how many repetitions of the tests will be needed at a minimum to validate your attempts at these new techniques.

I hope to see you there. :)

Tuesday, July 3, 2018

LEVA 2018 Conference - corrections

It's time to start planning for the next LEVA Conference. This time, the tour stops in San Antonio, TX.

The schedule's out and it looks like I'll be presenting on the morning of Wednesday, November 7, 2018. I'll be presenting my latest paper entitled Sample Size Calculation for Forensic Multimedia Analysis: the quantitative foundations of experimental science.

Abstract: The 2009 National Academy of Sciences report, Strengthening Forensic Science in the United States – A Path Forward, outlined specific structural deficits in the practice of forensic science in the US. A few years later, the Organization of Scientific Area Committees on Forensic Science (OSAC) was created within the US Department of Commerce (NIST) to address the issues raised and to publish standards in all of the recognized disciplines. Forensic Multimedia Analysis falls within the scope of the Digital / Multimedia Area Committee. In 2017, in an attempt to harmonize the various definitions of “forensic science,” the OSAC’s Task Group on Digital/Multimedia Science produced the following  consensus definition, “Forensic science is the systematic and coherent study of traces to address questions of authentication, identification, classification, reconstruction, and evaluation for a legal context.” In clarifying the definition, they noted, “[a] trace is any modification, subsequently observable, resulting from an event.” An impression left behind is certainly “a trace,” as is biological materials; but so is the recording of a person or a thing a trace of their presence at a scene.

In harmonizing practices across the comparative sciences, it has been recommended that all involved in the work have some familiarity with quantitative analysis and experimental science. This is evidenced in a recent Arizona Supreme Court case, Az. v Romero. In presenting this paper, “Sample Size Calculation for Forensic Multimedia Analysis: the quantitative foundations of experimental science,” I will introduce the science of quantitative analysis in general and sample size calculations in particular as they relate to three common examinations performed by forensic multimedia analysts. Attendees will learn the basics of experimental science and quantitative analysis as well as a detailed information on the calculation of the sample sizes necessary for many analytical experiments. The quantitative underpinnings of “blind” image authentication, forensic photographic comparison, and speed calculations from DME evidence will be presented and explored.

How many samples would you need for a 99% confidence in your conclusions that result from a “blind” image authentication exam? Hint: the answer isn’t 1 (the evidence image). Depending on the examination, and the evidence type, the number of samples varies. In this module, you will learn how to determine the appropriate number of samples for a particular exam as well as how to explain and defend your results.


My reason for this post? Why post the complete abstract here? It was edited in the Session Descriptions on the LEVA web site, removing some vital information and shifting the context a bit. Also, there were mis-statements made in my bio below the Session Description that incorrectly listed the duration of my employment at the LAPD as well as naming me the "founder" of the multimedia lab there. I'm posting the complete description as well as my professional biography to correct the record, in case a correction isn't made to the LEVA site.


Jim Hoerricks' Professional Biography:

Jim Hoerricks, PhD, is the Director of Customer Support and Training (North America) at Amped Software, Inc.

Previously, Jim was the Senior Forensic Multimedia Analyst for the Los Angeles Police Department. Jim co-founded the LAPD’s forensic multimedia laboratory in 2002 and helped set the standard for its handling of this unique type of evidence.

Jim is the author of the best-selling book, Forensic Photoshop, and a co-author of Best Practices for the Retrieval of Video Evidence from Digital CCTV Systems (DCCTV Guide). Jim also serves on the Organization of Scientific Area Committees for Forensic Science’s (OSAC) Video/Imaging Technology and Analysis (VITAL) subcommittee as the Video Task Group Chair.


Now, that's sorted. See you in November in San Antonio.