In the recent Amped FIVE Update (Rev. 9010), there were some big additions to the advanced “File Info”.
The updated tool has already received high praise from regular users who can now do all their frame, stream, hex and format analysis from within the same application – Amped FIVE!
It’s time therefore to take a much closer look at this new and powerful functionality.
The first file I’m going to look at is a proprietary file. It is unknown to the system, but displays a naming convention that indicates possible Video Surveillance System creation, and is of a large file size.
It is worth pointing out here that after conducting any immediate work in Amped FIVE, when dealing with proprietary files it is important that the format is researched and the correct manufacturer player is analyzed. Comparisons should be made and validated to ensure all information required is available to the analyst.
When loaded into Amped FIVE, certain information can be decoded, such as size and codec, but it is not possible to display the actual image. This is quite common with video streams that are not in a standard container.
I can see, from the “Video Loader Filter Settings”, that it is being decoded with the FFMS Video engine. I have attempted other engines but none are able to decode the full information.
It is at this point then, that I may want to analyze the “File Information” prior to conducting any stream formatting process using “Convert DVR”.
Remember: The advanced File Info is accessed from the disk icon at the top with the question mark.
When opened, the multi-tabbed window will appear with the “Summary” first.
The “Summary” gives a breakdown of information that the FFMS decoder is able to interpret.
As the file is open within a chain, Amped FIVE starts to read the information immediately. However, you do not need a file to be open within a chain. You could attempt to read a file that Amped FIVE would not open, or that you only need to view the information on, by using the button at the bottom.
When chosen, this “Load File” button will open a Windows Explorer box, allowing you to navigate and then select any specific file.
The next tab utilizes the “MediaInfo” library. It will only present the information that it can decode and, as the file is currently an unwrapped stream, there is only basic stream information.
The “ffprobe” tab reveals a lot more information. It is separated into a number of sections.
Stream & Format
This file only reports a single stream so there is only one [STREAM] section.
The “ExifTool” tab really comes into its own when the file has come from a device that supports EXIF, such as DSLR’s or Cellphones. For this file, there is not a lot of information.
The new tabs now come into play. When you select “Frame Analysis” you need to select how to proceed.
Remember, that you only need to start Frame Analysis, if it’s needed. With large files, this may take a few moments so don’t use if it not required!
When completed, a tabled view of the frame data is presented.
There is a lot of information here, but I want to point out some interesting results.
The first is the Decoding and Presentation Time Stamps – DTS & PTS
You will notice that they start at a very high number…why?
The usual reason is that this file has simply been copied from the original stream recording on the DVR. When being recorded, these details are inserted to allow for correct frame timings. We are simply looking at a section of the entire DVR recording.
Let’s move further along the table to see the other details such as Width/Height, Picture Type and Coded Picture Number.
There are many systems that allow different image sizes within the same stream. The change usually occurs when there is Video Motion Detection or an alarm activation.
The proprietary players do not usually show this as they either upscale the smaller or downscale the larger.
But as analysts, we need to see what pixels were recorded – not what the player wants to show us!
Whilst we are on the subject of width and height – what about those players that present the video at a certain size, such as 640×480? Is that how it was recorded, or is the player adjusting for a field based recording and then adjusting for aspect ratio? Most importantly – how is it doing it?
You can see from the “width” and “height” information on this file that each frame was recorded at 720 x 240… guess what the player presents it at… 590×430! How the developer came up with that one, I’m not too sure, but linked with the strange 12:11 “sample aspect ratio”, it’s a good thing we can manage this file ourselves…
Anyway, let’s get back to Amped FIVE, where we can deal with thing correctly!
Amped FIVE’s advanced “Frame Analysis” enables you to select a frame and then view it in a number of formats.
By right clicking a frame, you have a number of options…
The video window in Amped FIVE’s interface will take you directly to that frame if you select “Go to Frame”.
The “GOP Analysis” displays the GOP structure and a summary.
This makes it really easy to identify changes in the GOP and then perhaps identify missing Coded Pictures in the stream.
These errors could be really important if timing was being calculated… or miscalculated!
Lastly, the “Hex Viewer”…
It’s great to be able to navigate directly to a frame’s hex view, especially for those formats that store their Unix date and time near to the frame header. It will now be possible to identify this, and easily visualize what frame it relates to.
We have talked briefly about time. Now let’s just go back to the PTS and DTS of the frames around Frame 9.
What I want to concentrate on here is the duration between frames.
Looking at the Presentation Time (The third column with data), I can quickly calculate the duration between each frame as being 0.266 seconds.
Let’s keep that in mind whilst we go back into Amped FIVE and use “DVR Convert” to place this stream into the AVI container. When completed it loads into a new chain.
Now that the stream has been indexed, and resides inside a container, we can view the video correctly.
The advanced “File Info” also now provides a lot more information. Let us look at the timings under the “Frame Analysis”.
The column order is slightly different but look at the timings…the duration of 0.266 seconds between frames is the same as before.
The timebases of the original stream and the newly formatted AVI file may be different, but the duration of the frames stays the same.
There are times where differences can occur and analyzing these can ensure that the issue is firstly identified and perhaps, another container may be better suited to the stream.
Before wrapping up, it’s time to quickly look at another file, this one being in AVI format.
It loads and plays fine, but very quickly I identify that there are other cameras that I knew nothing about! Look at the “Video Stream” count in the basic “File Info”, it is 11!
If we were to view this file in the “ffprobe” tab, we would see 11 [Stream] sections.
In the “Frame Analysis”, we see all the frames, of all the streams!
Notice the Stream Index column, 0-10.
It makes reading the time and specific stream information rather difficult.
In this circumstance, heading back into the main Amped FIVE interface and utilizing “DVR Convert” does a slightly different job. It simply separates the streams and places them into individual AVI container files, all within a couple of mouse clicks.
That is our original multi-stream file, all our new files, and all the logs detailing the process for each stream.
These are now much easier to review and analyze.
Understanding and interpreting the data behind a video is a vital starting point within an investigation. Amped FIVE now has the tools to conduct high-level analysis, giving you the confidence to correctly deal with that video.
Proprietary Surveillance Video is probably the only forensic evidence that is not standardized. Analysts are required to investigate an exhibit that has no formalized structure or documented creation. Your training, understanding, experience and competency all play a part in knowing what to look for and why, and more importantly, what not to rely on.
When reviewing multimedia at frame level, work with what you know, and work towards learning what you don’t know!