DME Forensics Blog

Top 5 Things to Ask About Digital and Multimedia Evidence

February 27, 2015 / Technical Posts / DVR Forensics


At DME Forensics, we get clients from across the professional gamut, from detectives to prosecutors, lawyers and insurance representatives: a good cross-section of the criminal and civil litigation worlds. As we talk with these individuals about their cases involving digital multimedia evidence, some recurring themes arise. Typically when someone calls us, we spend approximately 30 to 40 minutes conducting an “impromptu” training session on digital and multimedia evidence. These conversations tend to lead to the same types of questions and misconceptions. With that in mind, in this blog post we’re going to explore some of the more common and recurring questions and concerns we have received over the years, to better educate first responders and professionals in dealing with digital and multimedia evidence.

These are the top five questions we typically ask all clients when we are dealing with digital and multimedia evidence. More often than not the response to these questions is, “I have no idea”. By outlining these questions and why they are important, we hope to start a dialogue between the first responders and attorneys on some of the considerations when digital and multimedia evidence is involved in a particular investigation or matter.

  1. Is this digital and multimedia evidence the “original”?
  2. What is the make and model of the DVR?
  3. Does the DVR that recorded this evidence still exist?
  4. Were the DVR settings documented?
  5. Was there a chain of custody for this evidence item?

1. Is this digital and multimedia evidence the “original”?

Most of the time when I ask this question, the response is “I don’t know” or “What do you mean by ‘original’?” Fair enough; this is a bit of a loaded question. What we mean by “original” is whether the item is an accurate and true “copy” of the original. In simpler terms, when we’re talking about digital images and video, we are really asking whether any additional lossy compression has been applied to the data. The quality of the evidence has a direct effect on what type of analysis can be conducted and on the results. We always strive to work on data that is as close to the original as we can get. Lossy compression is a killer of detail in digital surveillance images and video data. Every effort should be made, particularly on the more serious matters, to obtain the original recording and/or images. This will ensure the forensic examiner has the best opportunity to conduct a useful analysis.

Many times this is a simple math problem. Let’s say the original DVR has a 1 TB hard drive and can store up to a month’s worth of video from 16 cameras. The primary investigator goes to the scene and walks away with a DVD containing a week’s worth of footage from six cameras. What had to happen to get all that video on a single DVD? Additional lossy compression had to be applied in order to fit that much data onto a single DVD. So the question is, “What did the video look like on the DVR?” Was it better “quality” than what was on the DVD? Was enough information lost due to lossy compression that I now can’t resolve the license plate on the subject vehicle?

These are the type of considerations one should evaluate when dealing with original versus lossy compressed evidence.

2. What is the make and model of the DVR?

This seems like a trivial amount of information, but you would be amazed at how often it is not captured. Now to be fair, some DVRs do not have this information. There are many DVRs out there that are simply “black boxes” of unknown origin, and they don’t have a discernible make and model. For the devices that do have make/model information, the 30 seconds it takes to record it can save hours of frustration and time.

When DVR systems are involved in a case, the make and model are very important pieces of information. Typically these types of cases start out as a research project. Knowing the make and model of the DVR allows us to look up the technical specifications. This can tell us some very important pieces of information such as but not limited to:

  • How big is the “typical” hard drive for this model?
  • Is it possible there are other devices connected to the system?
  • The available compression schemes (a hint at the overall quality of the data and useful information when it comes to authenticity).
  • What tools will be needed to extract the data off the DVR?
  • What’s the maximum number of cameras which can be recorded by this device?

3. Does the DVR which recorded this evidence still exist?

There are certain situations where “THE” DVR responsible for the initial recording is needed for the analysis. This is typically the case when it is believed data has been deleted or altered on the DVR. Having the DVR allows us to make test recordings to determine what “normal” operation looks like. From these known recordings, we then can compare the findings to the original data to determine if the DVR was malfunctioning or there has been alteration. Without the original DVR this can be extremely difficult and in some cases impossible. If the original DVR is no longer available, it may still be possible to perform these types of examinations using another DVR of the same make/model. This is another reason we recommend documenting the make/model. Unfortunately in the case of an authenticity examination, not using the original DVR will very likely have a significant effect on the type and strength of conclusions available.

4. Were the DVR settings recorded?

It can be frustrating to extract image and video data from a DVR system. This can be an extremely time-consuming adventure. Many times an investigator is happy they retrieved some video from the system. In the rush to leave the scene, one thing that sometimes gets forgotten is to record the DVR system settings. The settings contain a wealth of information such as the number of cameras actively recorded, camera names, compression scheme used, quality and size of the video recording, export options and much more information. Documenting the DVR settings will help the forensic examiner in their analysis.

5. Was there a chain of custody for this evidence item?

There seems to be a complacency about DVRs. In the past five years they have become commonplace in our homes, and one would be hard-pressed to find someone who doesn’t know what a DVR is. But make no mistake: the DVR that you have recording your TV programs is a far cry from the DVR at the local gas station. We’ve noticed over the years that this “familiarity” has led to a somewhat cavalier attitude toward the evidence these devices contain. Many times first responders view the data on DVRs as just “video of the robbery”, not as “evidence of the robbery”.

This is a very important distinction. If the video data was exported from the DVR and then the DVR overwrote the video data, the exported video would be promoted to “original best evidence”. If a firearm was found at a crime scene, does the investigator just hold onto it until “it’s needed as evidence”? One would hope not. The chain of custody procedure is in place to ensure the integrity of the evidence is maintained from the point of collection to its final disposition. Why should this be any different with digital and multimedia evidence? Ten minutes of proper documentation and handling of digital multimedia evidence may mean the difference between the video evidence being admissible or not.
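One way to make that documentation checkable later, as an added example (not DME Forensics' own tooling or procedure): a custody log in which every entry records the exported file's SHA-256 hash and is chained to the previous entry, so a changed file or an edited record shows up on verification. The handler names, file name, field names and timestamps are hypothetical, and the sample bytes are constructed.

```python
import hashlib
import json
import pathlib
import tempfile

GENESIS = "0" * 64  # prev_hash used by the first custody entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # chunked: exports can be huge
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, when, handler, action, evidence_path, notes=None):
    """Append an entry bound to the file's current hash and to the previous entry."""
    entry = {"seq": len(log) + 1, "when": when, "handler": handler, "action": action,
             "evidence_sha256": sha256_file(evidence_path), "notes": notes or {},
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify(log, evidence_path):
    """Return a list of problems; an empty list means log and file are consistent."""
    problems, prev = [], GENESIS
    for e in log:
        if e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: custody record altered")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {e['seq']}: file differed from collection hash")
        prev = e["entry_hash"]
    if log and sha256_file(evidence_path) != log[0]["evidence_sha256"]:
        problems.append("file no longer matches hash recorded at collection")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "export_cam03.bin")  # hypothetical export name
        path.write_bytes(b"CONSTRUCTED-SAMPLE-BYTES" * 1000)  # stand-in for video data
        log = []
        add_entry(log, "2015-02-27T10:15Z", "Detective A", "collected at scene", path,
                  {"dvr_make_model": "<placeholder>", "settings_documented": True})
        add_entry(log, "2015-02-27T16:40Z", "Examiner B", "received for analysis", path)
        clean = verify(log, path)
        path.write_bytes(path.read_bytes() + b"\x00")  # any change alters the hash
        return clean, verify(log, path)
```

The chain only exposes edits to earlier entries if the most recent `entry_hash` is also written down somewhere the log's holder cannot change, such as the paper custody form.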

Conclusion

In summary, whether you are a first responder recovering the digital multimedia evidence or if you’re a prosecutor/attorney having to deal with it downstream, these five questions should come to mind to ensure you’re getting the best evidence possible. Ultimately, you want evidence that is describable, usable and defendable. Having the simple answer to these five questions will help eliminate some unnecessary surprises later on.