Monthly Archives: September 2017

HEIF Image Files Forensics: Authentication Apocalypse?

If you follow the news from Apple you may have heard that the latest iOS 11 introduces new image and video formats.

More specifically, videos in H.264 (MPEG-4 AVC) are replaced by H.265 (HEVC) and photos in JPEG are replaced by the HEIF format.

Files in HEIF format have the extension “.heic” and contain HEVC-encoded photos. In a nutshell, a HEIF file is more or less like a single-frame H.265-encoded video. Here is a nice introduction. And, if you want to go more in depth, here is some more technical documentation.

For people like us, who have been working for years on image authenticity, exploiting the various characteristics of the JPEG format and the various effects that occur when you resave a JPEG as another JPEG, this is pretty big – and somewhat worrying – news.

If you want to do image forensics in the real world – not in academia, where the constraints are usually quite different – it means that the vast majority of images you will work with will be compressed in the JPEG format. A lot of filters in Amped Authenticate actually work only on JPEG files, because that’s the most common case. On the contrary, a lot of the algorithms published in journals are almost useless in practical scenarios since their performance drops dramatically when the image is compressed.

JPEG has been on the market for ages, and many tried to replace it with something better, with formats like JPEG 2000 and, more recently, Google WebP. However, with the decreasing costs of storage and bandwidth and the universal adoption of JPEG, it has been impossible to displace. In contrast, video formats and codecs have seen a very rapid progression at the same time, since storage and bandwidth for video is always an issue.

I think this time will be different, for better or worse, since when Apple introduces radical changes, the industry normally follows. This means a lot of work for those of us working on the analysis of image files. Nowadays the majority of pictures are taken on a mobile device, and a good part of them are Apple devices, so the impact cannot be neglected.

If the HEIC format becomes the new standard, many of the widely used algorithms must be heavily modified or replaced. Don’t hope to save many of those. After all, despite what some are saying, most of the image authentication and tampering detection algorithms don’t work on videos at all. The exception is having a Motion JPEG video modified and resaved as another Motion JPEG video. But that’s a very rare case, and most times the quality will be so low that it will be impossible to use them anyway.

Now let’s see what the situation is like in practice.

The Investigator – Amped Workshop: Evidential use of video and images in an investigation

On the 7th December 2017, David Spreadborough, Amped Software’s International Trainer, will be presenting a workshop on the use of images and video within investigations.

David will provide investigators with all the latest knowledge and best practice to ensure they make maximum use of video and images that withstands the scrutiny of the courts. David will carry out practical demonstrations throughout the day and draw on relevant case studies of his recent experience.

Download the brochure for more info.

The Investigator magazine regularly runs workshops on many techniques and services.

This workshop is primarily aimed at the decision makers, but open to all frontline investigators who will benefit from having an increased knowledge of what is, and what is not, possible within the world of visual multimedia.

To register and for more information:

+44 (0)844 660 8707 or email info@the-investigator.co.uk

What’s in a name? How to rename in Amped FIVE

I’ve been on the road a lot lately. By the end of this month, I’ll have spent two weeks with District Attorney’s Offices in New Jersey (US) training users in the many uses of Amped’s flagship product, Amped FIVE. Every user has a slightly different use case and needs. Prosecutors’ Offices are no different.

Field personnel / crime scene technicians / analysts might not be very concerned with trial prep and the creation of demonstratives for court. But, DA’s offices are. That being said, there are a few things that every user of Amped FIVE can do – beginning with the end in mind – to make the trial prep job a bit easier.

Hopefully, by now you know that you can rename processing chains in Amped FIVE to aid in your organization.

Right click on the Chain and select Rename Chain. Then, name it something unique that describes what you’re working with or the question you’re trying to answer in the file. Examples include camera number, vehicle determination, license plate determination, etc.

This is quite helpful. But, did you know that you can also rename the Bookmarks? Additionally, you can add a description to the bookmark. Let’s see what this looks like.


Cowboys versus Bureaucrats: Attitude and Tools

There were a couple of interesting discussions this week which prompted me to write this blog post. One is related to the scientific methods used during the analysis of images and videos, the other relates to the tools used.

There was a pretty interesting and detailed conversation that happened on an industry specific mailing list where a few experts debated about the scientific and forensic acceptability of different methodologies. This discussion began with the reliability of speed determination from CCTV video but then evolved into a more general discussion.

There are two extreme approaches to how forensic video analysts work: let’s call one group the cowboys and the other the bureaucrats. I’ve seen both kinds of “experts” in my career, and – luckily – many different variations across this broad spectrum.

What is a cowboy? A cowboy is an analyst driven only by the immediate result, with no concern at all for the proper forensic procedure, the reliability of his methods and proper error estimation. Typical things the cowboy does:

  • To convert a proprietary video, he just does a screen capture maximizing the player on the screen, without being concerned about missing or duplicated frames.
  • Instead of analyzing the video and identifying the issues to correct, he just adds filters randomly and tweaks the parameters by eye without any scientific methodology behind it.
  • He uses whatever tool may be needed for the job, recompressing images and videos multiple times, using a mix of open source, free tools, commercial tools, plugins, more or less legitimate stuff, maybe some Matlab or Python script if he has the technical knowledge.
  • He will use whatever result “looks good” without questioning its validity or reliability.
  • If asked to document and repeat his work in detail he’ll be in deep trouble.
  • If asked the reason and validity of choosing a specific algorithm or procedure, he will say “I’ve always done it like this, and nobody ever complained”.
  • When asked to improve a license plate he will spell out the digits even if they are barely recognizable on a single P frame and probably are just the result of compression artifacts amplified by postprocessing.
  • When asked to identify a person, he will be able to do so with absolute certainty even when comparing a low-quality CCTV snapshot with a mugshot sent by fax.
  • When sending around results to colleagues he just pastes processed snapshots into Word documents.
  • When asked to authenticate an image, he just checks if the Camera Make and Model is present in the metadata.


Can you trust what you show in Court?

If you present an object, an image, or a story to a courtroom, you must be able to trust that it is accurate.

How then, do you trust an image – a digital photograph, a snapshot in time of an object, a person or a scene? Do you trust what the photographer says? Or do you check it? Do you attempt to identify any signs of manipulation that could cast doubt on the weight of the evidence?

How many members of the public are aware of the Digital Imaging Procedure? What about the guidance surrounding computer based information, which includes digital images and video? What about the person that is receiving that file? Perhaps the investigating officer. Are they aware of the importance of image authentication?

Is the Criminal Justice System naive to believe that fake images do not end up being displayed in court and presented as truth? Even if it is a rarity now, we need to think of the future. To start with, we must ask ourselves, “Can we rely on the image we see before us? Has it been authenticated?”

Read the article published by The Barrister magazine to learn about the importance of authenticating images before submitting them as evidence.

From cameras to the court: How to make full video integration a reality

David Spreadborough, international trainer at Amped Software, and a regular expert witness in criminal investigations, charts the technical history of bringing CCTV images to court and provides an insight into the challenges associated with preparing surveillance images as evidence.

Read the article published on IFSEC Global.

Amped FIVE Update 9722: Genetec Omnicast G64/G64X Support, Full Uncompressed AVI Export Compatibility, Filter Panel Options and much, much more!

Here we are again with another Amped FIVE update, full of user enhancements and product refinements, designed to help you in your analysis and forensic reporting.

Before we dive in, it’s worth saying that here at Amped we strive to provide you with the very best product for image and video analysis and enhancement. If you want our software to do something that it doesn’t do, just let us know. Many of the new functions in this update come directly from user feedback and requests.

Genetec File Support

Genetec is the latest surveillance system manufacturer to allow integration between the export format and forensic analysis.

Currently utilizing the .G64 and .G64X file extensions, most Genetec exports can now either be reformatted using the original H264 encoding or, when this is not possible due to the export type, transcoded into .ASF to aid in initial analysis and preview.

When you load a Genetec export into Amped FIVE, either using the loader or drag and drop, the Direct Play dialogue box will appear.

After selecting ‘Yes’ to attempt conversion, ensure that ‘Copy Stream if possible, or else Transcode’ is selected in Convert DVR.

The file will then be scanned and either reformatted or transcoded if required.

There is a new configuration tab specifically for Genetec G64 and G64X files.


To seize or to retrieve: that is the question

A crime occurs and is “witnessed” by a digital CCTV system. The files that your investigation wants/needs are in the system’s recording device (DVR). What do you do to get them? Do you seize the entire DVR as evidence (“bag and tag”)? Do you try to access the recorder through its user interface and download/export/save the files to USB stick/drive or other removable media?

Answer: it depends.

There are times when you’d want to seize the DVR. Perhaps 5% of cases will present a situation where having the DVR in the lab is necessary:

  • Arsons/fires can turn a DVR into a bunch of melted down parts. You’re obviously not going to power up a melted DVR.
  • An analysis that tests how the DVR performs and creates files. For example, does the frame timing represent the actual elapsed time or how the DVR fit that time into its container? Such tests of reliability will require access to the DVR throughout the legal process.
  • Content analysis questions where there’s a difference of opinion between object/artifact. For example, is it a white sticker on the back of a car or an artifact of compression (random bit of noise)?

If you’re taking a DVR from a location, you can follow the guidance of the computer forensics world on handling the DVR (which is a computer) and properly removing it from the scene.
