Category Archives: How to

Proving a negative

I have a dear old friend who is a brilliant photographer and artist. Years ago, when he was teaching at the Art Center College of Design in Pasadena, CA, he would occasionally ask me to substitute for him in class as he travelled the world to take photos. He would introduce me to the class as the person at the LAPD who authenticates digital media – the guy who inspects images for evidence of Photoshopping. Then, he’d say something to the effect that I would be judging their composites, so they’d better be good enough to fool me.

Last year, I wrote a bit about my experiences authenticating files for the City / County of Los Angeles. Today, I want to address a common misconception about authentication – proving a negative.

So many requests for authentication begin with the statement, “tell me if it’s been Photoshopped.” This request for a “blind authentication” asks the analyst to prove a negative. It’s a very tough request to fulfill.

In general, this could be obtained with a certain degree of certainty if the image is verified to be an original from a certain device, with no signs of recapture and, possibly verifying the consistency on the sensor noise pattern (PRNU).

However, it is very common nowadays to work on images that are not originals but have been shared on the web or through social media, usually multiple consecutive times. This implies that metadata and other information about the format are gone, and usually the traces of tampering – if any – have been covered by multiple steps of compression and resizing. So you know easily that the picture is not an original, but it’s very difficult to rely on pixel statistics to evaluate possible tampering at the visual level.

Here’s what the US evidence codes say about authentication (there are variations in other countries, but the basic concept holds):

  • It starts with the person submitting the item. They (attorney, witness, etc.) swear / affirm that the image accurately depicts what it’s supposed to depict – that it’s a contextually accurate representation of what’s at issue.
  • This process of swearing / affirming comes with a bit of jeopardy. One swears “under penalty of perjury.” Thus, the burden is on the person submitting the item to be absolutely sure the item is contextually accurate and not “Photoshopped” to change the context. If they’re proven to have committed perjury, there’s fines / fees and potentially jail time involved.
  • The person submits the file to support a claim. They swear / affirm, under penalty of perjury, that the file is authentic and accurately depicts the context of the claim.

Then, someone else cries foul. Someone else claims that the file has been altered in a specific way – item(s) deleted / added – scene cropped – etc.

It’s this specific allegation of forgery that is needed to test the claims. If there is no specific claim, then one is engaged in a “blind” authentication (attempting to prove a negative). Continue reading

The Importance of Using Images as Evidence

How many cases have you worked on lately that involved video footage or a photo as evidence? Are you really sure everything possible has been done regarding the proper use of those images for investigations and if they have been exploited to their full potential? Are you really sure that images and videos have been properly validated and are not the result of some tampering? Was the image of sufficient quality to prove or disprove some testimony? Has the image and video been analyzed by an expert with the proper tools?

These, and many more, are the question we will try to answer in our monthly column in the Lawyer Monthly magazine.

There’s a lot to know and to discuss, and in this brief overview we don’t expect you to become an expert, but at least we hope to point you in the right direction for further study.

Read the first issue:  The Importance of Using Images as Evidence

Why PDF/A?

One of the more frustrating aspects of the forensic multimedia analyst’s world is dealing with legacy technology. You arrive at a crime scene to find a 15-year-old DVR that only accepts Iomega Zip disks, or CD+RW disks, or a certain size / speed of CF card. What do you do?

You curse and swear and scour your junk drawers. You call / email friends. You wonder why folks keep these systems knowing that there are newer / better / cheaper systems out there.

If you’ve ever worked a cold case, you know the problems interfacing with old technology. If you’re working at a large agency, chances are there are several old computer systems cobbled together with new middleware. Replacing systems is costly and time consuming.

For reports, agencies are faced with a similar problem. My old agency used a product from IBM that required a stand-alone program (PC only) to read / edit the reports when saved in the native format. That’s not at all helpful.

When generating a report in Amped FIVE, the user is given a choice in the production of the file between PDF, DOC, and HTML. Many states / jurisdictions require the user to output a PDF file for reports. But, PDF is a very robust standard with several variants. When generating PDF report files, it’s important to understand the variants and what they’re for.

According to the PDF Association, “PDF/A is an ISO-standardized version of the Portable Document Format (PDF) specialized for use in the archiving and long-term preservation of electronic documents. PDF/A differs from PDF by prohibiting features ill-suited to long-term archiving, such as font linking (as opposed to font embedding) and encryption.”

If you want to make sure that your report can be viewed now, and long into the future, by the largest group of people, choose PDF/A – the archival version of PDF. Understanding this, the report generated by FIVE is PDF/A compliant. We understand that many court systems and police agencies are standardized on this version of PDF because it’s not only built with the future in mind, it’s the cheapest to support.

Continue reading

The problems of the GAVC codec solved

In my years of working crime scenes in Los Angeles, I would often come across Geovision DVRs. They were usually met with a groan. Geovision’s codecs are problematic to deal with and don’t play nicely within analysts’ PCs.

With Amped FIVE, processing files from Geovision’s systems is easy. Plus, Amped FIVE has the tools needed to correct the problems presented by Geovision’s shortcuts.

Here’s an example of a workflow for handling an AVI file from Geovision, one that utilizes the GAVC codec.

If you have the GAVC codec installed, Amped FIVE will use it to attempt to display the video. You may notice immediately that the playback of the video isn’t working right. Not to worry, we’ll fix it. Within FIVE, select File>Convert DVR and set the controls to Raw (Uncompressed). When you click Apply, the file will be quickly converted.

Continue reading

PRNU-based Camera Identification in Amped Authenticate

Source device identification is a key task in digital image investigation. The goal is to link a digital image to the specific device that captured it, just like they do with bullets fired by a specific gun (indeed, image source device identification is also known as “image ballistics”).

The analysis of Photo Response Non-Uniformity (PRNU) noise is considered the prominent approach to accomplish this task. PRNU is a specific kind of noise introduced by the CMOS/CCD sensor of the camera and is considered to be unique to each sensor. Being a multiplicative noise, it cannot be effectively eliminated through internal processing, so it remains hidden in pixels, even after JPEG compression.

In order to test if an image comes from a given camera, first, we need to estimate the Camera Reference Pattern (CRP), characterizing the device. This is done by extracting the PRNU noise from many images captured by the camera and “averaging” it (let’s not dive too deep into the details). The reason for using several images is to get a more reliable estimate of the CRP, since separating PRNU noise from image content is not a trivial task, and we want to retain PRNU noise only.

After the CRP is computed and stored, we can extract the PRNU noise from a test image and “compare” it to the CRP: if the resulting value is over a given threshold, we say the image is compatible with the camera.

Camera identification through PRNU analysis has been part of Amped Authenticate for quite some time. However, many of our users told us that the filter was hard to configure, and results were not easy to interpret. So, since the end of last year, a new implementation of the algorithm was added (Authenticate Build 8782). The new features included:

Advanced image pre-processing during training
In order to lower false alarms probability, we implemented new filtering algorithms to remove artifacts that are not discriminative, something that is common with most digital cameras (e.g., artifacts due to Color Filter Array demosaicking interpolation).

Continue reading

What’s in a name? How to rename in Amped FIVE

I’ve been on the road a lot lately. By the end of this month, I’ll have spent two weeks with District Attorney’s Offices in New Jersey (US) training users in the many uses of Amped’s flagship product, Amped FIVE. Every user has a slightly different use case and needs. Prosecutors’ Offices are no different.

Field personnel / crime scene technicians / analysts might not be very concerned with trail prep and the creation of demonstratives for court. But, DA’s offices are. That being said, there are a few things that every user of Amped FIVE can do – beginning with the end in mind – to make the trial prep job a bit easier.

Hopefully, by now you know that you can rename processing chains in Amped FIVE to aid in your organization.

Right click on the Chain and select Rename Chain. Then, name it something unique that describes what you’re working with or the question you’re trying to answer in the file. Examples include camera number, vehicle determination, license plate determination, etc.

This is quite helpful. But, did you know that you can also rename the Bookmarks? Additionally, you can add a description to the bookmark. Let’s see what this looks like.

Continue reading

Using Project Files as Templates in Amped FIVE

People often ask, “How can we speed up the processing of files in Amped FIVE ?” (As if it’s not fast enough :). “Can we create actions/templates?” The answer is yes. Here’s how.

Load a video file. In this case, we’ll load a BWC file from an Axon Body 2 camera.

Then, we’ll rename the processing chain. Right mouse click on the processing chain – Rename Chain.

Continue reading

The Beginner’s Guide to Suspect Height Calculation from CCTV

Otherwise known as ‘The Science of Single View Metrology’

The first common question asked to a forensic video analyst is, “Can you tell me what that license plate is?”. The second question is, “What is the height of that person?”.

It is then the forensic video analyst’s responsibility to analyze the video, assess its suitability to answer the question, process and prepare the images, and then finally use science to provide the answer, based on facts.

Taking a ‘workflow’ approach can often safeguard the user from missing vital information that may be relevant further along in the process.

There are a few different methods to attempt an answer to this height question, with different constraints, reliability, and drawbacks. In this post I will be taking an in-depth look at the technique built into Amped FIVE, using the filter Measure 3d.

Continue reading

What’s wrong with this video?

What’s wrong with this video? Hint: look at the Inspector’s results for width / height.

Unfortunately, the answer in many people’s minds is …. nothing. I can’t begin to count the number of videos and images in BOLOs that attempt to depict a scene that looks quite like the one above. If you don’t know what you’re looking at, it’s hard to say what’s actually wrong with this video.

Continue reading

Amped FIVE and Griffeye Analyze: Introducing the Integration

You may remember the announcement of our partnership with Griffeye, some months ago.  This partnership is especially interesting since we both work on images and videos, but in a different, yet complementary way. Griffeye focuses on finding the needle in a haystack, while Amped focuses on sharpening the needle and verifying it is actually a needle and not a stick.

In the latest release of  Griffeye Analyze, the Amped FIVE plugin has been added to the Analyze Forensic Market, but in the near future we plan to also add apps for Amped Authenticate and Amped DVRConv. In this post, we will show you how to start with the integration and how the two software work together.

First of all, we assume that you have installed Amped FIVE (build 9010 or later) and Griffeye Analyze (17.1.0 or later) on the same machine.

In order to enable the integration, you need to click on the button “Analyze Forensic Market”.

Continue reading