Blog

Screen Capture: It’s Not the Evidence, It’s a Video of the Evidence

Reading time: 6 min
screen capture is not the evidence, it's a video of the evidence

Dear friends, welcome! Here we are with one more post for the “best possible evidence” mini-series. In the past two weeks, we’ve seen that you should not film the display and that proprietary players often alter the original pixels. Today, we’ll close this mini-series talking about screen capture. We’ll see that, while being much better than filming, this approach still has its issues and should be used only as a last resort. Keep reading!

Issue: Screen Capturing Makes You Lose Information

When facing an exhibit video file in its native, proprietary format, you normally have two possible ways to access its visual and metadata content:

  1. Use the proprietary player;
  2. Use forensic video software capable of dealing with proprietary video formats.

Resorting to the proprietary player has several drawbacks. Not only is it hard to make sure you’re viewing the originally recorded pixels, but it’s also very difficult to export them without losing integrity and quality. Indeed, when it comes to getting the video out of the player, you have to choose between:

a. Filming the display with a smartphone/camera (which, as we said, is evil);
b. Using the “exporting features” of the player (this will often cause recompression with some awful legacy codec, which means, quality loss);
c. Scan converting, or using a digital capture device to output the screen as a video signal;
d. Using screen capture software to record your display while the video plays.

frame of a video of two cars in a parking space

This player belongs to the category “drag the window border and you’ll get whatever video size”, as shown below.

Luckily, however, we can set the video back to “100%”, which hopefully matches the original size. As you’ve probably guessed by looking at the player GUI, there’s no way to export the video to a “compatible” format. You can only export single image screenshots. This is a typical case where screen capture becomes the only viable solution (if you can only access the video through the proprietary player).

Then, we use a paid and very popular screen recording tool to capture the player. When configuring the tool, we can only choose a “Video Quality” option which allows selecting “Very low”, “Low”, “Medium”, and “High” quality. There is an option to automatically downscale captures to 1920×1080 (enabled by default). We set the quality to “High”, disable any scaling and audio recording (our video exhibit has no audio) and record the video. Then, we load the obtained video into Amped Replay for inspection.

video of two cars in a parking space in amped replay

The captured video retained the original size (960×576), the frame rate is higher than the original (~30 fps), and the codec employed by the screen capture tool is H.264, a fairly good one.

Since Amped Replay can directly import the proprietary video, we can load it as well and compare the information available in the File Info panel. And we start noticing some issues…

comparison between original and captured video information in file info panel

First of all, despite we disabled audio recording, the captured video has an audio stream (why?). The captured video is slightly longer (and that makes sense since we started recording before pressing “play” and stopped after the original video was over). But it has much more frames than the original one since the capturing frame rate is higher. Indeed, browsing frames of the captured video we find couples of identical frames. The question then is: did we maintain all of the original frames and “only” added some duplicates? Or did we lose some of the original frames?

Explanation: the Player and the Capturing Software Are Minefields

What’s making our captured video different than the original is a combination of the player and the screen capture software.

As we’ve seen last week, the player alone is often responsible for several quality issues. Let’s now focus the attention on the screen capture software. During our setup, we could not choose the capture frame rate. Now, if we can’t set the frame rate, how can we be sure that we’re not losing frames? And even if we can set it, how can we be sure that the software actually manages to capture the target amount of frames? If the CPU is too busy and some frames are not captured, will the software warn us? The one we’ve used did not. Does yours do that?

Since we’ve detected some issues with the number of frames and the presence of duplicate frames, let’s use Amped FIVE to investigate a bit more. We load both the original video and the captured video, and we use the Remove Duplicates filter on both. When applied to the original video, the filter only removes two duplicate frames at the very beginning of the file, which is not unusual. However, when applied to the captured video, it removes 175 duplicated frames.

“Of course it has duplicates, it was captured at a higher framerate than the original!”. That’s certainly true, but remember that:

  1. If you saved the captured video to a lossy compression, as our screen capture software did, even identical frames become slightly different because of compression noise so that understanding where the duplicates are is not trivial.
  2. It’s not guaranteed at all that you did not miss some of the original frames.

Let’s dig a bit deeper and see where duplicates are located in the captured video. By checking the Frames panel we can see the list of retained frames. We can paste the list of some similar software in Excel and build up a plot showing the position of duplicated frames in the video.

plot showing the position of duplicated frames in the video

As you can see, we have duplicates everywhere along with the video, and the “density” is not constant. Unfortunately, after removing duplicates the video has 825 frames, which is lower than the original 831 frames. We probably lost 6 of the original frames!

On top of that, the captured video has been re-encoded. The software we’ve used did not choose an aggressive compression, so we didn’t lose too much quality. But of course, pixel values have changed; they are not the original. We can use Amped FIVE’s Video Mixer tool to sync the videos in time and compute the difference, which will look very dark (since the frames are very similar). But if we apply Histogram Equalization, we’ll see that pixels are different almost everywhere — by a tiny amount, but different. This amount could make the difference between recovering a letter on a vehicle license plate or not. 

histogram equalization filter applied on a frame in amped five

Finally, screen capturing generates a brand new video file, with its own encoding, metadata, etc. Therefore, you cannot check the integrity of the original recording looking at the captured video.

Solution: Work With Native Files Whenever Possible, Be Cautious Otherwise

As we said last week, when doing video forensics it is essential to use the best possible evidence. If there is a way to access the originally recorded pixels, then you should find and use that way.

Often, videos in proprietary formats can still be properly decoded and played if you have the right tool, without even resorting to the proprietary player. That’s why Amped invests so much effort in its video conversion engine. We want you to be able to just drag-and-drop your file in our software. Amped Replay will automatically convert and play most formats. Amped FIVE will offer you a large range of options to customize the conversion.

If there’s really no way to play the native video file, then screen capturing can be a justifiable solution. But even then, you need to act prudently:

  1. Make sure the player is configured to play the video at its real, native resolution (this is often less trivial than you may think!);
  2. Make sure your monitor is at its native resolution, so as to avoid implicit scaling of pixels;
  3. Lower the computation burden of your computer before capturing frames (close unnecessary apps, virtual machines, etc.);
  4. Configure the screen capture software so as to capture at a sufficiently high frame rate, usually double the playback rate to adhere to the Nyquist Theorem of digital sampling, and choose to save the captured video to an uncompressed or lossless compression format if possible. Amped FIVE’s built-in DVR Screen Capture tool, for example, allows you to set the capture frame rate, the output codec, the compression quality, and it will warn you if some frames could not be captured;
  5. Remember to clarify in your report that you’ve acquired the video this way, and clearly state that you have not worked on the original pixels.

Above all, remember that the screen capture is not the evidence, but more like “a video” of it. Doing a forensic analysis on it is like doing a ballistic analysis on the photo on a bullet rather than the bullet itself. There’s so much more in a video file than just the perceived visual part. Finally, the original proprietary video, the master evidence, should NOT be discarded or deleted after any capture or recording has been made. That may sound obvious but it is all too common.

 

Table of Contents

Share on

Subscribe to our Blog

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Subscribe to our Blog

Related posts