Wednesday, March 13, 2019

A few quick comments about hash values and DVR files

By now, it's well known that the world of DVR forensics and computer forensics kind of looks the same, but really isn't quite the same. Answers to questions regarding DVR forensics often start with "it depends."

In the world of digital forensics, every item of evidence should / must be hashed upon receipt. And ... the same is true for DVR files in the world of forensic video analysis. You should hash all files upon receipt.

You receive a couple of .264 files from a crime scene, you hash them, then you make copies, and begin your work. If you're working a computer forensic style of workflow, then your copies are "true and exact copies of the originals." But, you're working a forensic video analysis type workflow. Your copies are not true and exact copies of the originals - they're proxy files. Proxy means substitute / stand-in. They're "converted." The process of creating the proxy - re-wrapping the data stream, carving out the time stamp ... all of those convenient things we do to make our lives easier ... means that the resulting proxy file will not have the same hash value as the original from the crime scene. And ... that's OK. That's normal.

Using a tool like FTK Imager, one can hash a whole project folder. In the folder are the original files, the proxy files, any other derivative files, etc. A quick examination of the hash values clearly shows that the hash of the original .264 files (shown in green) does not match the hash of the .avi proxy files (shown in red). Again, that's OK. That's normal.

As forensic video analysts, we need to know (a) that this is happening and (b) that it's normal. If you have to create a proxy file in order to work and respond to the request, this mismatch of the hash values will happen. Just hash the resulting files in the working folder to keep a record of them as they were created. Pull a still frame out as a separate file? Hash it. Carve out the time stamp as a separate file? Hash it.
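The receive, hash, copy, hash-again workflow described above, as an added example that is not from the original post: a small Python script (standard library only) that hashes every file under a working folder into a manifest, re-verifies the folder against that manifest later, and shows on constructed sample bytes that a byte-for-byte copy hashes identically to the original while a re-wrapped proxy does not. The file names, the RIFF-style container header and the payload bytes are all constructed stand-ins, not real DVR data, and the manifest name `hashes.json` is an assumption.

```python
"""Hash manifest for a forensic video working folder (added example).

Records MD5 and SHA-256 for every file in a project folder, verifies the
folder against that record later, and demonstrates why an exact copy hashes
the same as the original while a converted proxy file does not.
All sample bytes below are constructed for the demo, not real DVR data.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in 1 MiB chunks so a
    large .264 export does not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_folder(root):
    """Hash every file under root, the way a whole project folder is hashed in
    a tool like FTK Imager. Keys are paths relative to root so the manifest
    stays valid if the folder is moved to another drive."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(q for q in root.rglob("*") if q.is_file())}


def write_manifest(root, manifest_name="hashes.json"):
    """Record the folder's hashes as the files exist right now.
    The folder is hashed before the manifest is written, so the manifest
    never contains a hash of itself."""
    manifest = hash_folder(root)
    (Path(root) / manifest_name).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(root, manifest_name="hashes.json"):
    """Re-hash the folder and report what changed, vanished or appeared since
    the manifest was written. Returns (ok, changed, missing, new)."""
    recorded = json.loads((Path(root) / manifest_name).read_text())
    current = hash_folder(root)
    current.pop(manifest_name, None)  # the manifest is the record, not evidence
    changed = sorted(k for k in recorded if k in current and current[k] != recorded[k])
    missing = sorted(k for k in recorded if k not in current)
    new = sorted(k for k in current if k not in recorded)
    return (not changed and not missing and not new), changed, missing, new


# Constructed stand-in for an H.264 elementary stream from a DVR: a start code
# followed by placeholder payload. Not real video.
ORIGINAL_264 = b"\x00\x00\x00\x01" + b"frame-data-from-dvr" * 64


def make_proxy(original, container_header=b"RIFF....AVI LIST"):
    """Simulate the re-wrap step that produces a proxy: the same payload with a
    new container around it. Any added or changed byte changes the hash."""
    return container_header + original


def demo():
    """Build a working folder with an original, an exact copy and a proxy,
    record the manifest, then alter the proxy and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        (root / "ch01.264").write_bytes(ORIGINAL_264)             # original from scene
        (root / "ch01_copy.264").write_bytes(ORIGINAL_264)        # true and exact copy
        (root / "ch01_proxy.avi").write_bytes(make_proxy(ORIGINAL_264))  # converted proxy
        manifest = write_manifest(root)
        initial_ok, *_ = verify_manifest(root)
        # Later edit to a derivative file (e.g. re-saved): the record catches it.
        with open(root / "ch01_proxy.avi", "ab") as fh:
            fh.write(b"\x00")
        _, changed, missing, new = verify_manifest(root)
        return {
            "copy_matches": manifest["ch01.264"] == manifest["ch01_copy.264"],
            "proxy_matches": manifest["ch01.264"] == manifest["ch01_proxy.avi"],
            "initial_ok": initial_ok,
            "after_edit_changed": changed,
            "after_edit_missing": missing,
            "after_edit_new": new,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on a real working folder by calling `write_manifest("/path/to/case")` right after receipt and `verify_manifest("/path/to/case")` whenever the folder is handed off; the point of the demo is that `copy_matches` is true, `proxy_matches` is false, and both outcomes are expected.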

As worlds converge, there will be a bit of sorting out of procedures and dialog. It's OK.
