Friday, July 26, 2019

SWGDE Practical Considerations for Submission and Presentation of Multimedia Evidence in Court - initial draft for public comment

Today's post deals with SWGDE Practical Considerations for Submission and Presentation of Multimedia Evidence in Court, the initial draft for public comment. My comments on this guide deal more with foundation than specific technical details. Let's take a look.

In Section 4, you'll find this guidance, "This should also include documentation of any persons contacted in relation to the evidence." Wow!

Consider whom you may have contacted:

  • Your coworkers.
  • Your supervisor.
  • Others in your chain of command.
  • Others outside of your chain of command.
  • The FVA List.

If you sent a query to the FVA list, did you turn over a copy of your correspondence to the process in discovery? But more fundamentally, if you sent a query to the FVA list, did you have specific permission to do so? So many list members share copies of evidence on this relatively un-secure platform. If members of the FVA List shared opinions, did those opinions make it to discovery? Did you properly account for their opinions / their work if their opinions / work differ from yours?


In Section 5.1, there are a number of points that need to be considered.

First, "Has the proffered evidence been properly authenticated? F.R.E. 901, 902."

Wow again. Remember, "authentication" is different than "hash." Authentication deals with accuracy in context, not integrity in transport.

Also remember that the majority of programs used these days do not actually interact with the evidence files but create a proxy file via FFmpeg. This is certainly true of the major players in this space, Input-Ace and Amped FIVE.

I remember, when working for Amped Software, Inc., that many customers would contact us because FIVE's "conversion" of files (the creation of a proxy file) would result in a different frame count vs. the original data file. Naturally, the resulting file would not hash the same. But, testing the contextual authenticity is what FRE 901 & 902 are all about. Was there a material change in context that resulted from the creation of the "working copy?"

You wouldn't know if you didn't conduct even a basic authenticity exam.

Remember, contextual authentication is not a feature of LEVA's CFVT / CFVA programs. Neither is it a feature of the IAI's CFVE program. It is, however, one of the tested domains in the AVFA certification (see this post on these programs).

There are precious few people trained in contextual authentication or enabled by a valid and reliable tool set. If you're interested, please come to one of our upcoming training sessions or take our on-line authentication course.

Included in the discussion of contextual authenticity is the next statement in the document, "Is the proffered evidence an original or an accurate reproduction of the original? F.R.E. 1002 and F.R.E. 1003."

Again, how would you know if you don't test? How do you test if you don't know how to conduct authenticity exams? What tools do you use? What does your experimental design look like?

The FRE, in 901(a), deals with "true and exact" or "bitstream" copies. These copies will hash the same - copy vs. original. But, when you create a proxy / working file, and there are errors in the process, the hash values will be different.
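The distinction drawn above between a bitstream copy and a proxy / working file can be checked mechanically. The following is an added example, not code from this post, from SWGDE or from any vendor named here: it hashes both files and, when the hashes differ, compares decoded frame counts as one basic check (not a full authenticity exam). It assumes `ffprobe` is installed and can decode both files; the function names and status labels are hypothetical.

```python
import hashlib
import json
import subprocess


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large video files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def decoded_frame_count(path):
    """Decode the first video stream with ffprobe and count its frames."""
    cmd = ["ffprobe", "-v", "error", "-select_streams", "v:0", "-count_frames",
           "-show_entries", "stream=nb_read_frames", "-of", "json", path]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return int(json.loads(out)["streams"][0]["nb_read_frames"])


def compare_copy(orig_hash, copy_hash, orig_frames, copy_frames):
    """Classify a copy against the original (status labels are hypothetical)."""
    if orig_hash == copy_hash:
        # Identical bytes: a "true and exact" copy, so nothing can differ.
        return {"status": "bitstream-copy", "frame_delta": 0}
    # Different bytes: a proxy / working file. The hash says nothing about
    # content, so look at what actually decodes.
    delta = copy_frames - orig_frames
    status = ("proxy-frame-count-matches" if delta == 0
              else "proxy-frame-count-differs")
    return {"status": status, "frame_delta": delta}


def examine(original_path, copy_path):
    """Hash both files; only decode frames when the hashes differ."""
    h_orig, h_copy = sha256_file(original_path), sha256_file(copy_path)
    if h_orig == h_copy:
        return compare_copy(h_orig, h_copy, 0, 0)
    return compare_copy(h_orig, h_copy,
                        decoded_frame_count(original_path),
                        decoded_frame_count(copy_path))
```

A matching frame count does not establish that the working copy is an accurate reproduction; a non-zero `frame_delta` is a finding that needs to be explained and documented.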

"Authentication testimony may include:

  • The retrieval method.
  • The condition of the original recording device and the accuracy of the resultant multimedia.
  • Time offsets and other observations noted during the retrieval.
  • Agency evidence and storage protocols.
  • Chain of custody documentation."

The retrieval method should be documented.

  • Did you retrieve it? If not, who did? Are they on the witness list?
  • Are all of the device settings noted?
  • Is the complete signal path - lens to hard drive - accounted for?

"The condition of the original recording device and the accuracy of the resultant multimedia" speaks to ground truth. How do you know that the resultant multimedia file is an accurate representation of events? How would you know? You test. Did you test? Did you disclose your test design / reports / results?


By placing the FRE notes in the document, but giving them a "drive-by" treatment, they're setting up the typical examiner for problems. Why? The audience for this document is not the examiner, per se. It's trial support technicians and attorneys. They're pointing out an obvious problem in the system - that contextual authentication must happen - without noting that so few examiners have the knowledge, skills, and experience in this vital process.

Don't get me wrong, I'm not advocating for the elimination of authenticity exams. Quite the opposite, I'm one of the biggest proponents. What I'm saying here is that the document should do only one thing - render marginal technical advice on the "display" of evidence at trial. Leave the legal advice out completely. SWGDE is a loose collection of practitioners, not lawyers.

As always, if you have any issues with what you've read, please leave your (polite) comments below.

Have a good weekend, my friends.
