Ciao dear Tip Tuesday friends! Have you ever noticed that, somewhat surprisingly, it is much easier to see that two things are different rather than the same? Proving two things are the same, indeed, requires checking carefully that they don’t have any difference even in the subtlest detail. Now, if you’re facing eight million pixels, that could take a while! That’s why Amped FIVE helps you to see whether two frames are exact duplicates in a second! Keep reading to learn how…
In the forensics framework, being able to assess whether two objects are the same is of the utmost importance. In the case of digital forensics, this is commonly easier than in other branches, for several reasons: digital objects can all be narrowed down to a long sequence of bits, and computers process these bits very quickly.
If you attend any digital forensics course, it is likely that on the very first day you’ll be taught that hashing functions are the best solution when it comes to comparing two digital objects. A hashing function is an algorithm that takes an arbitrarily long sequence of bits as input and computes a short, fixed-length sequence of bits as output.
Of course, you can’t go back from the hash value to the original data. A good hash function produces few collisions, meaning that it is very difficult to find two inputs that end up in the same output. Famous hash functions are MD5, SHA-1, SHA-256, SHA-512, etc.
Now, suppose you are working on a case and you receive both a proprietary video stream plus some bitmap (.bmp) images that seem to have been obtained as “snapshots” of the video. If you can confirm they are so, you could safely discard them, and work only on the video data. What’s the best way to check whether frame, say, 120 of the video and image 000.bmp contain the very same pixels?
In this case, of course, you can’t just run a hash function on the video file and the image file: the video is encoded in a file as a whole, so there is no way to “isolate” the bytes of a single frame and compute their hash. You need to compare the frames of the video after they’ve been decoded.
With Amped FIVE, there’s a quick way to work: drag the video into the program, browse to the frame of interest, and then click on the Inspector icon in the Tools panel.
You’ll notice that the last entry in the box reads Hash. That’s the MD5 hash value computed on the pixel values shown for the current frame. By default, only the first and last four digits are shown, separated by dots, but hovering with the mouse over the string will pop up the entire hash.
Now we just need to drag the bitmap image into Amped FIVE, so that it will be loaded in a new chain. We head for the Inspector once again, and… yeah! The hash value is just the same.
We can be reasonably sure that all pixels in the video frame are equal to those in the bitmap image (we can’t say “totally sure” because by definition a match of hash values cannot guarantee a match of the inputs).
As a side note, the fact that we’re dealing with a bitmap image is important here. Bitmap images are uncompressed, so it makes sense to check whether their pixels match those of the video frame. The same holds for other formats that use lossless compression, e.g. PNG or TIFF-LZW. On the contrary, if the images were saved as JPEG, which is a lossy format, there would be virtually no chance to find a match, because pixel values change as part of the compression.
Besides the example above, checking the pixels hash is useful in other scenarios. For example, you may want to check:
- Whether two frames in a video are precisely the same (which would be a rather strange fact in a typical, lossy coded video);
- Whether an export operation was carried out in a lossless way or not (e.g., in Amped FIVE, writing to RAW video with the Video Writer filter, or using Lossless Trim to export a range of frames) by comparing the exported video frames with the original frames.
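To see why the comparison has to be made on decoded pixels rather than on file bytes, here is an added example (not Amped FIVE's code, and not from the original post). It stores a constructed frame as an uncompressed 24-bit BMP, decodes it back, and hashes both representations. The function names and the canonical pixel layout (dimensions followed by top-down, 8-bit RGB) are assumptions; the post does not say how FIVE serializes pixels, so these digests will not equal the ones shown in the Inspector.

```python
import hashlib
import struct

def pixel_md5(width, height, rgb):
    """MD5 over decoded pixels in one canonical layout (assumed: top-down RGB, 8 bits/channel)."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    header = struct.pack("<II", width, height)  # bind dimensions so 3x2 never equals 2x3
    return hashlib.md5(header + rgb).hexdigest()

def encode_bmp24(width, height, rgb):
    """Write an uncompressed 24-bit BMP: bottom-up rows, BGR order, rows padded to 4 bytes."""
    pad = (-width * 3) % 4
    rows = []
    for y in range(height - 1, -1, -1):          # the file stores the bottom row first
        row = rgb[y * width * 3:(y + 1) * width * 3]
        bgr = b"".join(row[i:i + 3][::-1] for i in range(0, len(row), 3))
        rows.append(bgr + b"\x00" * pad)
    data = b"".join(rows)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(data), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(data), 0, 0, 54) + info + data

def decode_bmp24(blob):
    """Decode the BMP subset written above back to (width, height, top-down RGB)."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", blob, 0)
    _, width, height, _, bpp, comp = struct.unpack_from("<IiiHHI", blob, 14)
    if magic != b"BM" or bpp != 24 or comp != 0 or width <= 0 or height <= 0:
        raise ValueError("unsupported BMP variant")
    stride = (width * 3 + 3) & ~3                # row length including padding
    out = bytearray()
    for y in range(height - 1, -1, -1):          # last file row is the top image row
        row = blob[offset + y * stride:offset + y * stride + width * 3]
        for i in range(0, len(row), 3):
            out += row[i:i + 3][::-1]            # BGR -> RGB
    return width, height, bytes(out)

# Constructed 3x2 frame standing in for a decoded video frame (not real evidence data).
FRAME = bytes(range(18))
BMP = encode_bmp24(3, 2, FRAME)
W, H, DECODED = decode_bmp24(BMP)
print("frame buffer vs BMP file bytes equal:",
      hashlib.md5(FRAME).hexdigest() == hashlib.md5(BMP).hexdigest())
print("decoded pixel hashes equal:", pixel_md5(3, 2, FRAME) == pixel_md5(W, H, DECODED))
```

The container adds headers, row padding, and a different row and channel order, so the file-level digests differ even though every pixel is identical; only the digest over decoded pixels in a fixed layout is comparable across sources.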
That’s all for today! We hope you’ve found this issue of the Video Evidence Pitfalls series interesting and useful! Stay tuned and don’t miss the next ones.