Featured Post

Welcome to the Forensic Multimedia Analysis blog (formerly the Forensic Photoshop blog). With the latest developments in the analysis of m...

Friday, January 24, 2014

Batch processing in Authenticate

Usually, image authentication is a one-at-a-time process. But, what if you have a bunch of images in a folder from a single source? In Amped Software's Authenticate, you can batch process the files ... saving you a ton of time.

The Batch Processing tool allows the user to automatically process many files with one or more filters configured. For example, it is possible to apply all filters to a single image; all filters to entire folders of images; or only one filter to an entire folder of images.

Since the results of processing with heavy filters are saved in the cache folders, this is a very good way to leave the computer do the work without the user intervention (like overnight if there are a lot of big files). At the end of the processing you will have the ability to analyze the results very quickly, without the need to wait the execution of every filter.

A small warning, the full processing of many images with all filters can take very long time, depending on images' size and currently active filter configurations.

But wait, there's more ...

The Batch File Format Analysis tool allows Authenticate to quickly inspect the format of all images in a folder and quickly display detailed information about the formats in a big table. This tool provides a means to do a quick triage of suspicious files that may deserve further analysis without the need to run full processing on them.

You are asked to choose a folder where to perform the analysis, and those results will be displayed in a table. The displayed information is from the files present in the filter [File Format].

Specific features from the analysis of the image that can be a possible warning of image tampering are displayed in red ink. Similarly to the filter File Format filter, it is possible to modify the rules for the comparison by Menu > View > Program Options > File Format.

But wait, there's even more ...

The Batch File Format Comparison tool allows Authenticate to compare the formats of all images in an user selected folder with the current evidence image. The results are displayed in a table. The first row (id 0) represents the current evidence image used for the comparison. All the subsequent lines display the file format for the other images in the compared folder. The value of every cell is written in black if the value is the same as the evidence image, red otherwise. The last column value represents the number of differences found.

This tool is very useful when you need to verify if a certain camera is capable of creating a picture with a certain format. The user can take the camera and shoot as many different pictures as possible, with different types of scenes and different settings. Then the tool can be run to automatically to find if there is some combinations which yields compatible results.

If you want to look deeper at a specific image, just double click on a row of the table and it will load the file as evidence.

How cool is that?

Thursday, January 23, 2014

Omnivore Field Kit Issue

A lot of people have seen the Omnivore Field Kit Detailed Demo on YouTube since it was uploaded a few months ago.

A reader sent me the link and asked an interesting question about what was seen on the screen. He saw today's webinar and went to the web site for more information. The scenario here is that there's no digital output, thus you need the Field Kit. Here's the Field Kit Viewer's screen (from the video).

What jumped out at our eagle-eyed reader is the recorded size setting displayed on the screen, CIF. CIF, or Common Intermediate Format, "is a format used to standardize the horizontal and vertical resolutions in pixels of YCbCr sequences in video signals, commonly used in video teleconferencing systems. It was first proposed in the H.261 standard." The dimensions for a CIF sized video is 352x288.

But, the size of the VGA output, as shown in the video is different. The Viewer is reporting the source as 1024x768. How many times does 352 go into 1024? How many times does 288 go into 768? Are the results a nice, round number? If not, what does that mean?

If the video is recorded at 352x288, and sent to the VGA port at 1024x768 - what's happening? Is aspect maintained? What should you do? Unfortunately, when you examine the spec sheets of DVRs, you'll find this a lot. 720x480 or 640x480 is pushed out the VGA, regardless of what the recorded size setting happens to be.

If you choose the Set Display Dimension option (by clicking on the blue Display/Source link) all you do is resize the viewer screen. This doesn't change what's coming out of the DVR? Does it change the amount of pixels captured? No. It seems that the adjustment just makes the Viewer window smaller/larger.

So, here's a problem for folks using this solution. How many know the source video dimensions, or made a note of the dimensions in their report? How many know what's being pumped out of the VGA port into the Field Kit? The Field Kit Viewer is supposed to detect the signal and adjust accordingly. Did you remember to write this info in your report?

But even so, when this happens in the example video, it's still not divisible.

As with any tool, validate it for use before you put it into action. Forewarned is forearmed, right?

Wednesday, January 22, 2014

Image Authentication Assumptions

I recently received an e-mail from a reader with a single image attached. The question, has this image been altered? Simple question? Not really, it seems.

As a favor, I loaded it into Amped's Authenticate. Sure enough, the image has been through Photoshop as indicated by the various File Analysis filters. So, the image has been "altered."

It could be contextually accurate, even though it's been through Photoshop. Does a curves adjustment invalidate an image from use? The EXIF info shows a size change and a few other problems. But EXIF information can be spoofed. Other things about an image can be fabricated in an attempt to fool authentication software. So, if this was a trial, what would you do? How would you structure your enquiry?

Should I stake my name and reputation on a software's test against a single image without a reference? No way. Not a chance. Have you ever seen a Black Swan?

Thus, I would want a reference image. If the submission is purported to be a "camera original," then I should be able to test against a reference image from the same camera. In other words, I want your camera in my lab to conduct my authentication experiments.

Here's an example that I use in my Image Authentication classes. A person turns in a cell phone picture to the police as proof that a certain ticket and tow was unjustified. In my example, a person received a parking ticket for parking in front of a fire hydrant. The person is seeking not only to have the ticket voided, but is also seeking a refund on towing and impound fees. On the face of it, there is no hydrant in the image. Case closed? No.

To do a proper test, I need a reference image. I need the camera in my lab - in this case, the person's cell phone. I take the necessary reference pictures and find that the image submitted as evidence in traffic court to be a forgery. Oops! Submitting false evidence to the court is a big, big no-no.

The plot on the top is the DCT Plot of the evidence Image. If I have the phone, and I get the actual "original" image off the storage device, these plots should look the same. Obviously, they don't. There are other mismatches as I go through the process, but you get the idea.

The idea, and the point, is that it may be relatively easy to fool an authentication test without a valid reference. It is, however, very hard (Black Swan notwithstanding) to fool a test when you have a valid reference to test against.

The obvious message here is to not even try to submit forgeries into the court system.

But, the thing that scares me about as much as the above scenario is when law enforcement use their personal cell phones to document crime scenes. Here is one instance where "just trying to get something done" can get you into a bit of a bind. If there's a challenge to the authenticity of the images you've generated, we'll need your phone. Will you like what we find? Will you like us rooting around your phone's contents? Remember, if you receive a lawful order from your command to give up the phone to the investigation, it's a lawful order. Eliminate the potential problem and just use a separate point and shoot camera of decent quality, or engage your agency's official resources for photographing evidence.

Finally, and this one ties the whole thing together with the "screen capture rant" that I've been on. You use your personal cell phone to make a video of the monitor of a DVR at a crime scene. You use the video to make the images that lead to an arrest. All's well that ends well? No, hardly. If it turns out that the DVR had usable digital out options (like USB), and you didn't use it to secure the actual evidence, you've' just recorded yourself not properly securing the actual evidence. Oops. In that case, you may lose more than the use of your phone.

To wrap it all up, authentication is a powerful tool when done properly. It's a complex process that involves many moving pieces - the evidence file, the reference file, the reference source, procedures, chain of command, interviews, and so forth. If you're not able to account for the pieces of the puzzle, you may get an incomplete (wrong) picture.

Tuesday, January 21, 2014

Open and demux native Everfocus .avr files with Amped FIVE

Here's another file type that Amped FIVE can decode, Everfocus' .avr files.

Simply select File>DVR Change Container to AVI and point FIVE to the file. It will repackage the file and open it in the view pane. If there are multiple views, you will see the first frame of the first view.

If you need to Demultiplex (demux) the video, just select Demultiplex from the Select Frames filter group.

Everfocus, like many manufacturers, use standard codecs and wrap their file with a proprietary container. This is an easy problem for FIVE to handle.


Monday, January 20, 2014

Don't ask, don't tell

When retrieving video evidence, law enforcement has to go into some very interesting places to access the CCTV equipment. In the course of my work, I've been in every type of building and dwelling. Given where I live and work, yes, I've been to a few "stars" homes. But, I keep what I see to myself.

Our local Sheriff's office had a hard time of it recently, as TMZ reports. They had a video evidence related warrant, and had to walk past some interesting items in one pop star's home.

Friday, January 17, 2014

What is Video Evidence?

What is video evidence?

According to Elliott Goldstein, a Woodbridge, Ont., lawyer; an acknowledged video evidence expert who lectures at the Ontario (Canada) Police College, and the author of the two-volume book, Visual Evidence: A Practitioner’s Manual, “In the old days, video images were recorded on videotapes. When it came to submitting them as evidence, there was no problem: You just took the original tape into court and played it for the judge and jury. But today most [surveillance] video is recorded on hard disk drives, which are routinely wiped as new data comes in. This means that the video evidence has to be downloaded onto a DVD or digital tape, requiring very careful procedures, witnessing, and documentation to prove that you have an unedited ‘exact duplicate copy’ of the original.”

According to Jonathan Hak, “The party tendering video evidence must establish how the video was recorded, what impact the recording process had on the captured video, whether the exporting of the video evidence has further comprised the reliability of the images and whether all relevant video has been obtained of the incident in question.” As a result, “video evidence must be authenticated in order to gain admissibility in court. Authentication can be accomplished by witnesses familiar with the video content — for example, the person who captured the video images — or technically, showing that the images have not be altered in any improper way. This is a requirement of both the Canada Evidence Act and common law.”

According to LEVA, "Multimedia Evidence. Analog or digital media, including, but not limited to, film, tape, magnetic and optical media, and/or the information contained therein. NOTE: The term Digital Multimedia Evidence (DME) used in this document refers specifically to multimedia evidence in a digital form."

According to the IAI/LEVA Glossary, "Digital Evidence. (CER) Information of probative value that is stored or transmitted in binary form."

Does video evidence in digital form have to be downloaded or exported so that you have "an unedited ‘exact duplicate copy’ of the original?” LEVA's guide notes that in acquiring DME, one should "Transfer all relevant media files from the DVR." Download, export, transfer. Seems like there's some agreement.

LEVA adds what the Flip Book notes, "In addition to acquiring the native video files, a transcoded copy (eg: .avi) may provide an interoperable format for ease of use by investigators." Securing and protecting the native video files (evidentiary data) is the goal of securing video evidence."

Thus, I think that we can say that digital multimedia evidence (video) from digital CCTV systems should be retrieved in digital form. Any deviation from this should be done with extreme care and only in the worst case scenario.

Authenticating digital evidence employs various schemes that look at the underlying math within the container, changes to the container, and so forth. If you've retrieved the proprietary/native data and the authenticity of the data is challenged, you have the original export/transfer to test against and (hopefully) the DVR that produced it. The rest is pretty straight forward time consuming work.

Worst case scenarios call for solutions like screen capture hardware/software and/or scan converters. These options don't actually secure (download, export, transfer) the native data, they take a picture of it.  Can you authenticate screen grabs? Maybe. "This screen grab has not been altered." But, if you didn't actually secure the native data or seize the DVR, how do you show that the screen grab depicts what it's supposed to depict? How do you tell the DVR's story? What if there's a challenge to the authenticity of what's depicted (as happened in People v Abdullah, BA353334 - Los Angeles County Superior Court, December 2009)?

I've processed DME from recorders that I didn't download, from scenes that I've never been to. I rely on chain of custody documents, notes from the field, and etc. Remember, thanks to Melendez-Diaz, everyone in the chain of custody may have to testify. So, if you, your first responders, or your  investigators are using worst case tools as their main option - they may eventually have to testify.
  • Did you secure the evidence from the recorder?
  • How did you secure the evidence from the recorder?
  • Are your field and/or processing notes available?
  • Are these the native/proprietary files from the recorder?
  • If not, why not?
  • What is your training and experience with your tools?
  • Did your agency approve your tools' use for collecting evidence?
  • Did your collection method comply with your agency's procedures for collecting and securing evidence of this type?
  • Are your methods and tools commonly accepted in the industry?
  • Are you aware of people in your field of expertise who may not agree with yours / your agency's methodology for retrieving this type of evidence? What are their arguments against your methods?
These are all questions that I've faced. How will you answer them if/when asked?

I realize that agencies are overtasked and understaffed. I understand that well-meaning folks are "just trying to get things done." I understand that most have the best interests of all parties in mind. I also understand that video evidence (DME) is evidence - and should be treated as such. It's not "just video." Often times, its the only witness to the events of the day. Please don't let expediency guide your path. "Video evidence is a lot like nitroglycerin: Properly handled, it can demolish an opposing counsel’s case. Carelessly managed, it can blow up in your face.

Thursday, January 16, 2014

Oops, they did it again

Our friends at Ocean Systems sent a spam recently, announcing their Omnivore Field Kit overview webinar. I'm wondering if attendees are allowed to ask questions.

In the webinar, you will learn how to "quickly and easily [capture] uncompressed crime scene video directly from any DVR source." Really?! We went over this already. Omnivore is a nice "last / worse case" option. While you are capturing the contents of the graphics buffer for the computer on which you are running the Omnivore, the actual data (evidence) is still sitting on the DVR. The Omnivore does not actually retrieve the evidence (data) from the system. It takes a picture of the screen that displays the video signal.

The fact that it does screen scrapes in an uncompressed and easy fashion is great. However, they're still screen scrapes. You're still grabbing video signal - when your evidence is the data on the DVR.

So, if you are interested in retrieving digital multimedia evidence from crime scenes, there are a number of ways to do it. On your list of ways, grabbing the signal from the graphics buffer should be your last option - after seizing the DVR is ruled out.

Seriously, why are we still talking about this?!

CCTV schemes face budget realities

Citywide CCTV schemes often are started with great fanfare and media hype. Today, whilst preparing for work, I had the news on blaring the announcement of a major west coast LE agency testing body worn video.

But, as this article illustrates, once the news cameras are gone and the realities of maintaing the service set in, cuts are made.

There seems to be no limit to grant funds and special allocations to purchase gear to solve particular problems. The initial group of operators get trained. A few media-worthy events are highlighted, proving the worth of the scheme.

But, what about 3 years later? What happens when the service contract expires? What happens when new employees need training? What happens when …

Politicians love soundbites and headlines. They'll get the ribbon-cut they need in order to get re-elected, or elected to a different office. Yet, the real work begins long before the cameras show up. The real work begins at the planning stage.

Maintenance budget? Training budget? Storage budget? FOIA budget? Staff budget? Then, say five years later, when the gear is obsolete, you'll need to replace it all and start over.

Wednesday, January 15, 2014

Adobe resets the Photoshop trial clock

Adobe announced an update to Photoshop (14.2). "Today we’re announcing the immediate availability of new Photoshop CC features for Creative Cloud members. This update to Photoshop CC (version 14.2) includes many new features, including Perspective Warp for manipulating multiple perspectives in an image, and linked Smart Objects for easier reuse of design elements. We are also delighted to deliver support for 3D printing in Photoshop CC. Now you can design, edit and print in 3D using the world’s best imaging tool.

We want everyone to have a chance to try out these new features, as well as other features like Adobe Generator, which was introduced last September with the release of Photoshop CC version 14.1, and those released in the first version of Photoshop CC (version 14). We are excited to announce that we are resetting the trial clock for everyone today. Even if you have previously tried Photoshop CC and your trial has expired, now you can try the latest version of Photoshop CC for an additional 30 days and test-drive these awesome new features."

Tuesday, January 14, 2014

Hidden files

I recently received a help request. The investigator had a Lorex DVR and was trying to download files to his USB flash drive. He seemed to be doing everything right. Yet, no files were on the drive after completion of the process … or were there?

For some reason, Windows had assigned .264 files as hidden or an unknown file type. As such, the .264 files weren't being displayed. The fix is quick and simple. In Tools>Folder Options, make sure to show hidden files and folders.

With this quick fix, the problem was solved.

Monday, January 13, 2014

Bunker Hill Security DVR

If you've encountered a Bunker Hill Security DVR (Harbor Freight) at a crime scene, ask the owner about the software CD that came with the system.

Harbor Freight (USA) is selling this 8 channel recorder with 4 cameras for $299. Needless to say, a lot of folks are responding to those adds and snapping up this deal. Hopefully for you, they've kept the software CD that came with the unit.

At $299, there's no support outside of the 90 day limited warranty. The manual is no help either. The CD has a .264 to AVI converter as well as the playback software … for better or worse.

Monday, January 6, 2014

FBI drops Law Enforcement as its Primary Mission

This just in from Foreign Policy Magazine: "The FBI's creeping advance into the world of counterterrorism is nothing new. But quietly and without notice, the agency has finally decided to make it official in one of its organizational fact sheets. Instead of declaring "law enforcement" as its "primary function," as it has for years, the FBI fact sheet now lists "national security" as its chief mission. The changes largely reflect the FBI reforms put in place after September 11, 2001, which some have criticized for de-prioritizing law enforcement activities. Regardless, with the 9/11 attacks more than a decade in the past, the timing of the edits is baffling some FBI-watchers."

" … FBI spokesman Paul Bresson told Foreign Policy. He noted that the FBI's website has long-emphasized the agency's national security focus. "We rank our top 10 priorities and CT [counterterrorism] is first, counterintel is second, cyber is third," he said. "So it is certainly accurate to say our primary function is national security." On numerous occasions, former FBI Director Robert Mueller also emphasized the FBI's national security focus in speeches and statements …"

"Whatever the reason, the agency's increased focus on national security over the last decade has not occurred without consequence. Between 2001 and 2009, the FBI doubled the amount of agents dedicated to counterterrorism, according to a 2010 Inspector's General report. That period coincided with a steady decline in the overall number of criminal cases investigated nationally and a steep decline in the number of white-collar crime investigations."

"Violent crime, property crime and white-collar crime: All those things had reductions in the number of people available to investigate them," former FBI agent Brad Garrett told Foreign Policy. "Are there cases they missed? Probably."

This might explain the rise in the number of LE agencies who reported that the FBI lab was little/no help in their criminal investigations.

Friday, January 3, 2014

It's time to update your antivirus software

Trend Micro reported, "We recently came across a CryptoLocker variant that had one notable feature—it has propagation routines.

Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants.

Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware—often UPATRE— to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages …"

Don't steal software.
Get a good antivirus / internet security solution and keep it up to date.