Welcome to the Forensic Multimedia Analysis blog (formerly the Forensic Photoshop blog). With the latest developments in the analysis of m...

Friday, November 15, 2019

Windows Sandbox vs Virtual Machine

Recently, I spent a week in New Jersey teaching a week-long course on forensic multimedia analysis with Amped FIVE. On day four of the class, we spent the morning installing, configuring, and working within virtual machines.

I've been using Oracle's VirtualBox for a while now. It's what we were working with in the course. It's easy to set up and use. Plus, it's free.

But, the inevitable question came up. Why not use the new Windows Sandbox feature instead of VirtualBox, or another VM?

In their specific case, the answer was easy - the computers in their training room would not support Sandbox. To use Sandbox, your computer must meet minimum specifications.

  • Windows 10 Pro or Enterprise build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended).

If your computer is capable of running Sandbox, setting it up is as simple as turning the feature on in the Windows Features dialog box.

Turn Windows Sandbox on in the Windows Features dialog box.

The training machines at this agency were 32-bit with only 4GB of RAM.
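The same pre-flight check and feature switch as a script, added here as an example rather than taken from the original post. It assumes an elevated PowerShell prompt on the machine being checked; "Containers-DisposableClientVM" is the optional-feature name Windows uses for Sandbox, and the other values are the prerequisites listed above.

```powershell
# Added example (not from the original post): verify the Windows Sandbox prerequisites
# listed above, then enable the feature. Run from an elevated PowerShell prompt.
$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem
$cpu = Get-CimInstance Win32_Processor
$sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

$checks = [ordered]@{
    'Windows 10 Pro/Enterprise'      = ($os.Caption -match 'Pro|Enterprise')
    'Build 18305 or later'           = ([int]$os.BuildNumber -ge 18305)
    '64-bit OS (AMD64)'              = ($os.OSArchitecture -like '64*')
    # The firmware flag reads false once a hypervisor is already running, so accept either.
    'Virtualization enabled in BIOS' = (($cpu.VirtualizationFirmwareEnabled -contains $true) -or $cs.HypervisorPresent)
    # Reported physical memory is a little below the installed size, hence the margin.
    'At least 4 GB RAM'              = ($cs.TotalPhysicalMemory -ge 3.8GB)
    'At least 1 GB free disk'        = ($sys.FreeSpace -ge 1GB)
    'At least 2 CPU cores'           = ((($cpu | Measure-Object NumberOfCores -Sum).Sum) -ge 2)
}

$ok = $true
foreach ($name in $checks.Keys) {
    $pass = [bool]$checks[$name]
    '{0,-32} {1}' -f $name, $(if ($pass) { 'OK' } else { 'FAIL' })
    if (-not $pass) { $ok = $false }
}

if (-not $ok) {
    Write-Warning 'This machine does not meet the Windows Sandbox requirements; use VirtualBox or another VM instead.'
    return
}

# Equivalent to ticking "Windows Sandbox" in the Windows Features dialog box.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -eq 'Enabled') {
    'Windows Sandbox is already enabled.'
} else {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    'Windows Sandbox enabled; reboot to finish.'
}
```

On the 32-bit, 4GB training machines described above, the architecture check fails and the script stops before touching the feature.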

Yes, ICYMI, FIVE will run in a VM. I've installed FIVE in the popular VMs out there and it works just fine. The nice thing about FIVE is that it runs off a license key (dongle). With a VM, I can assign the USB port with the dongle to the VM to let FIVE run in the VM. Some of the other analysis programs out there require machine codes on installation, which will complicate matters. Some vendors allow only a single installation per license. With FIVE, you can install it everywhere. The dongle is portable. The software installation is quite agile.

FIVE running inside of Windows Sandbox

In my laboratory work, I have VMs set up for specific cases. I also have VMs set up for specific codecs / players (like Walmart's Verint / March Networks codecs). I can save these VMs. I can share these VMs for discovery.

Not so with Sandbox. Sandbox is volatile. Once you shut it down, everything you were just doing is gone for good. But, don't worry about accidents. Microsoft warns you of this.

Windows Sandbox warning about losing everything once you close the window.

My worry with Sandbox is that I've created something for a case. Then, when I shut it down, I necessarily destroy it. I'm just not comfortable with that. Thus, I still use VirtualBox.

Additionally, with VirtualBox, I set things up once. Then, for testing and validation, I can reuse that environment as many times as needed. With Sandbox, I must set things up from scratch each time. Such a waste IMHO.

That's not even considering Windows stability issues and crashes. There's no "auto recovery" feature to Sandbox if the host OS crashes.

If you haven't tried working in virtual machines, give it a go for yourself. If you'd like hands-on guidance, you're welcome to sign up for one of our upcoming training sessions. Check the calendar on our web site for available dates. We teach VMs within the Advanced Processing Techniques course. If you don't see a date that works for you on our calendar, but want to schedule a class, contact us about bringing a course to your agency or adding a course to our local training calendar ... or about our new micro learning options for self-directed learners.

Have a great day, my friends.

Monday, October 21, 2019

Right to Silence and the collection of evidence

"You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence." - Right to Silence (UK)
When I retired from police service, I had spent a third of my life working for the LAPD. One of the questions that someone with my resume will eventually face is the balance of case types worked, the implication being that I would have mostly worked for the prosecution of criminal defendants. But, in Los Angeles County, there's an over 90% plea rate. In reality, I worked on the major criminal cases about 50% of the time, with the remainder working in the defence of my self-insured city. I've also worked in the defence of officers falsely accused of perjury (People v Abdullah) and have donated a lot of time for case review in support of Innocence Project-type cases.

If you're an American, you will be more familiar with the Miranda warning than the warning shown above from the UK. But, I think the Miranda warning, and the 5th Amendment in general, is setting people up for failure in successfully defending themselves in court (assuming they're innocent of all charges). Here's what I mean.

Americans generally believe that it's up to the State to prove guilt. Whilst this is true in theory, there are so many stories about innocent people pleading guilty to charges based on a "risk assessment" that they make about their potential to succeed at trial. The Prosecution has their theory of a case. The State's investigative might has been focussed on the Prosecution's theory in the collection of evidence. They're not necessarily concerned with the collection of alibi evidence for you. They may stumble upon potentially exculpatory evidence, but that's not their job - it's yours.

This is where I think the UK's standard admonition is more honest. Sure, you have the Right to Silence. But, by remaining silent, you may actually harm your defence. 

If you are innocent, you know where you've been, with whom you've associated during the time in question, places you've visited, etc. Your defence team must begin its own evidence collection process. Your movements throughout the day all leave traces - the store, the gas station, the coffee shop, highway tolls, etc. There's very little about one's life these days that isn't tracked or recorded. In addition to CCTV video of you going about your day, your phone has likely recorded even more details about where you've been and what you've been doing. Now, there are even personal home assistants like Alexa and Siri that can serve as a witness to your movements.

All of this data must be preserved. However, the average person doesn't have the resources or the know-how to collect and preserve digital evidence properly. Some items, like cell tower logs, may require a warrant to acquire. You must have a capable and aggressive lawyer working on this for you. 

I'm here to help. I've seen all sides of this and have been working on standards for digital evidence collection and processing for well over a decade. I've taught classes to public and private audiences on this as well (click here for more info).

Yes, in the US we have the presumption of innocence. But, the best defense is a good offense. You must go on the offense and collect the evidence that proves your innocence. The evidence shows that it will harm your defence if you don't.

Tuesday, October 8, 2019

Mind the Communication Gap

I received a panicked email and phone call last week that can easily be summarized by the graphic above. Yes, there are still vendors selling to the police services that don't understand or accommodate the agencies' needs or schedules.

As most in government service know, often the ability to spend money on tools and training happens within a short window of time. Such a window had opened for this person and they reached out to a company in response to a bit of marketing on new redaction functionality in a particular piece of software.

In the email that was shared with me, the requestor made it clear that they wanted to redact footage from body worn cameras. A trial code was shared for the company's tool. The requestor eagerly downloaded and installed the software, then assembled his supervisors and stakeholders to evaluate the new software. That's when the problems began.

Redacting the visual information was relatively straightforward, but cumbersome. However, he couldn't figure out how to redact the audio portion of the file. He reached out to the company's rep. Unfortunately, it was late on Friday in California. He received no reply from the company's rep, who'd likely gone home for the weekend. Thus, having previously communicated with me on technology issues, he reached out hoping that I'd still be around.

I let him know that to the best of my knowledge, none of Amped SRL's products redact audio. Yes, they'd promised audio redaction in FIVE at the 2016 LEVA conference. But, it's never materialized. As it's not been developed, it's quite likely that there is no audio redaction functionality in Replay.

He received a note from the sales rep on Monday. It informed him that the redaction functionality was built around a CCTV use case, and as such, did not concern itself with audio. The order taker that responded to the inquiry could have saved the requestor a ton of time and stress by simply reading the request - redaction of BWC footage - and adding a helpful disclaimer in the reply that the tech doesn't redact audio.

Redaction remains a huge issue in California. Agencies are looking for a quick fix, but no easy solutions have presented themselves. The marketing from Amped seemed to provide a glimmer of hope to the requestor. But those hopes were dashed when the advice from the order taker, three days late, was that there is no single redaction solution - which isn't entirely true.

As I informed the requestor on Friday evening, the Adobe Creative Suite has all the necessary tools to perform a standards-compliant redaction for California's new laws. The automatic tracking in Premiere Pro is the best currently available. Plus, at $52.99/month, the cost savings is substantial vs. FIVE or Replay.

Given that the requestor had until 1700 PDT to spend the allocated funds, not receiving a reply until the following Monday was not an option. Thankfully, I was able to answer his questions and get him on the right path. Next stop for him is my redaction class, featuring the Adobe tools (link).

Have a great day friends.

Tuesday, September 17, 2019

Generic Conditionals

In my retirement from police service, I'm busier than ever. One of the projects that I'm involved with is the creation of an instructional program in report writing for a national police service. In defining the instructional problem, I've found that the learner population has a problem with "factual conditionals." I've also noted this problem in the report writing samples of their forensic science practitioners.

Because people have problems with the relationship between the dependent and independent clauses, their reports are hard to read and interpret. What should be a clear statement - (dependent variable / action) resulted in (independent variable / result) - is often a confusion of meanings.

Often, what should be written as a conditional is written as a declarative statement. This problem hides potential meanings, and obscures avenues for inquiry.

For example, one of the sample videos that I use in my Content Analysis class (link) examines a traffic collision scene. A collision occurs as V1 attempts to turn left whilst exiting a parking garage. In the declarative statement, fault is obvious - turning left alludes to issues of right of way. What is missing is the conditional. If V1's progress is purposefully impeded, then the inquiry turns from a simple traffic collision to a "staged collision" - an entirely different line of inquiry.

When the responding officer records the statements of those involved, as well as witnesses, it becomes important to consider the statements in a "conditional sense." "If Person 1's statement is true, then the scene would be arrayed thus." or "If Person 2's statement is true, then Person 1's statement is untrue." The conditional statements help frame the analysis of the statements and the evidence.

Using an example from the weekend's posts, "If headlight spread pattern analysis is a subset of digital / multimedia forensic science (comparisons), then the analysis must examine the recording of the pattern and not the pattern itself."

Just something to ponder on this beautiful Tuesday morning. Have a great day, my friends.