It’s time for the latest installment in our CCTV Acquisition series. This week we are moving on and finally acquiring some CCTV footage and preserving it onto a temporary storage device through a closed-box CCTV acquisition.
Later in the series, we will look more at storage, master copies and working copies. For now though, we will simply be extracting some data from the device and preserving it before it gets overwritten.
There are some systems that will not overwrite and stop when they are full, but they are very rare. Some large systems have the ability to preserve incidents within the device, pending review. This series, however, is concentrating on the smaller systems that will just keep on recording, overwriting the oldest data.
We must start by explaining what is meant by closed-box CCTV acquisition. This basically means that you do not have to use a screwdriver! When learning and gaining competency in evidential CCTV acquisition, this is usually the first stage. Open-Box acquisitions, where you will be accessing the Internal Hard Disk Drive (HDD), will be covered later in the series.
Considerations regarding Closed-Box CCTV Acquisition
In the last post, we covered many of the considerations that must be made when controlling a Video Security System (VSS) and navigating the system to identify potential video of interest. As we are about to recover some video, we must consider the purpose of our attendance. The reason for the data recovery may affect what other data is obtained whilst on scene.
- For a crime allegation involving a staff member at the premises, should you also recover the data logs?
- For an assault inside a nightclub, should you recover all public-facing cameras rather than just the assault? What happened before?
- For a vehicle collision, should you recover all cameras to assess timing differences between the streams. Also perhaps consider performing a sphere tests whilst there, and then downloading that to ensure scene authenticity?
It may be that you consider this, but do not have the necessary equipment. Again, this is where the task of CCTV acquisition must be escalated to ensure attendance by people with the necessary competency and equipment. To learn more about the sphere test, take a read of this post on using the Aspect Ratio filter. Although relating to analog to digital conversion, this is now very common with UHD video being stored with fewer pixels horizontally and then simply stretching out on playback. We will look more at this a bit later.
There are hundreds of different scenarios. However, it is worth taking the time to consider a few “what ifs” whilst you are there.
Temporary Storage Media in Closed-Box CCTV Acquisition
We have talked previously, when handing the responsibility for evidence acquisition to the owner, about what device to use during export. You have the same choices but should have the added advantage of being prepared.
Several Storage Options
For temporary storage media, there are several options. They all utilize a device’s USB port to facilitate the data export process. The device could be flash media or an external Hard Disk Drive (HDD). A few systems support flash cards (such as SD), and some support writing directly to an optical disk. For now, we will stick with using a USB flash drive as it’s the most common and easiest to carry and use. Remember to use a device with a fast write rate, such as USB3. Consider that some older systems may not support this and may not be able to read drives with a large capacity. Having a good selection is a wise decision!
It is best practice to fully wipe the storage devices prior to each use. This means a full format, not just a quick rewrite of the partition table. This ensures that if you need to conduct a full forensic image of the device after acquisition, there are no files left over from previous cases. We will be looking at acquisition kits and equipment later in the series.
Some systems will give you an estimate of file size and the time it will take to export. If you have several cameras to download and a considerable amount of time, calculating this would be beneficial. A good hint is a test of 1 camera for 1 hour. Then multiply that by the number of cameras and the amount of time. Consider using a piece of footage from during the day and with a lot of movement. This will likely have a larger data size than the middle of the night in a dark storeroom.
Exporting Lots of Data
When exporting a lot of data, another consideration should be how to manage it all. Should you do it all at once, or perhaps segment it? A suggestion could be to segment 3 days of footage into six 12hr segments. Then, if something does go wrong, you only have to repeat that part, rather than try to find where the error has occurred.
Format Selection in Closed-Box CCTV Acquisition
Now comes probably the most important decision. Format selection. You may have read many posts here on the Amped Blog, all explaining the importance of the native format. The changes and damage caused to Digital Multimedia Evidence through not acquiring the native format can have a severe effect on the weight and usefulness of the evidence. The term “native format” refers to the original encoding type. Simply put, if the DVR is recording in format A, you want to export format A. This ensures integrity.
Reminder: Data integrity ensures that it has not changed since the time it was created.
If you exported in format B, the video may appear the same but the pixels, the size, the shape, the frames, and the timing could be different.
This is where research, the manual, and obtaining data from the systems can all help. You may though have to conduct tests to identify what the native format is.
As we now navigate the DVR, we must take into consideration all of the information that we discussed in the last post. Our first question, therefore, is, what format is being used by the system?
Within the Encode menu of the DVR, we have a clue. It states that the compression is H265X.
This is another trick that CCTV manufacturers like to play on unsuspecting Forensic Video personnel. They can name things however they want. This system states that the data being encoded is using H265X compression. Well, there is technically no such thing. There is H265. It could be that, or is it something else?
There are a few other pieces of important information here. Firstly, what is 1080N as a resolution? You may have heard of 1080i or 1080p but what is this one. This is something else to document and come back to. A clue will be how it is being presented on the monitor, as this may help us further down the road. Remember, though, how things are recorded, how they are displayed, and, importantly, what is authentic, could all be very different.
Lastly, we have an Extra Stream. This is a reduced-quality version for when accessing over the network on a tablet or cellphone. Later in the series, we will look more at these streams as they are one of the many challenges being faced by international law enforcement. Have you been sent the best evidence or has the CCTV owner simply sent you a much lower quality sub-stream via their mobile phone?
Back to our DVR and the clean USB drive has been detected by the software. Most systems will have the ability to format the drive for use. This is often a good idea, even if you have a clean device, as it ensures the internal table structure is compatible with the export process.
You may remember in the previous post that there were two methods of reviewing data on the device. Observing the dates and times of recorded material without actually viewing any footage, and then watching the video for an event.
Backup in Closed-Box CCTV Acquisition
In the same way, there are usually two different methods of exporting data. Whilst watching, or simply by camera, date and time.
Thousands Systems and GUIs, Similar Process
Let us start with watching an event and remembering that there are thousands of different systems and Graphical User Interfaces (GUI). The process, though, will be similar.
After entering playback mode, we navigate to the date and time required. After playing, we identify our incident of interest. Within this interface, there is an icon for a pair of scissors that allows us to set a start point and an end point.
All systems are different, and the function could be named differently, such as Trim, Clip, Export, Save, etc.
With our In and Out points selected, the Hard Drive Icon allows us to enter a Backup menu. Several clips can often be created at the same time, with more advanced systems also allowing immediate backup of other camera views from the same time range.
Entering the Backup menu reveals a question on what format to select.
You may remember that our encoding format was listed as H265X. However, we now only have H264 listed as an option, with one placed into the AVI container.
File Analysis and Comparison
This difference means that more research and testing is required to ensure that what is on the internal HDD, is also the data that is exported. Let us come back to that later. For now, we will select both, one backup in H264 and another in AVI. We can then assess what is happening.
Later in the series, we will look at the correct transfer process between temporary storage and the creation of master copies. For now, let us just look at what was acquired.
Two single files have been exported. The AVI file has a thumbnail displayed within Windows which suggests that the Microsoft Media Framework is able to decode it. We also downloaded a H264 file, which is being associated with Amped Replay on this computer.
Are there any differences? Yes, there are a few, but they are not always easy to spot. In comparing the two files in Amped FIVE, I can see one big difference straight away. (The H264 file has been cleaned and stream copied into the MKV container by Amped FIVE.)
They report the same encoding, size, and frame count. However, the AVI has a marker to adjust the aspect ratio to widescreen upon playback. This is easily confirmed when reviewing in a standard video player. The footage should look like this, with a size of 944px X 1080px.
In a standard player however, the decoding is stretched to present a 16:9 aspect ratio.
The data that is in the file, is not what is being presented by the standard player. It is being stretched out, using some form of interpolation. This now brings further questions that we will have to deal with during the analysis of the file, regarding how to interpolate the width and what size to increase the width to. Remember the sphere test? We may have to use that.
AVI Decoding Problem
Finally, whilst reviewing the exported files, we also identify a decoding problem with the AVI. There are two frames missing!
Here we can see one of the missing frames, 24564. Although the file presents metadata with the same amount of frames as the H264 file, the two missing frames are added whilst decoding by duplicating the previous frame. They are both the last P frames of that specific H264 GOP and are at the CCTV time of 17:00hrs and 18:00hrs.
Analyzing video timing in conjunction with the real-world timing data is so important to interpret the video correctly. These missing frames are now something else we will have to investigate. This testing and analysis now help us make decisions while we complete the next acquisition.
In this case, we will not be reviewing the footage first. We can therefore skip the Playback, and head straight to Backup. This method would commonly be selected when the viewing is to be conducted at a later time to identify possible intelligence or evidence.
This can also often be quicker as navigating visually is often a slow process.
After entering the dates and times required, taking into consideration the incorrect time caused by the system being 1hr out, we can select the H264 format only and quickly complete the backup.
Now then, do you remember our missing frames in the previously exported AVI?
Note how the system has split this export into 2 files, with the end time being on the hour. This now gives a possible cause to the 2 frames missing from the AVI, when the visual backup was completed. The system has failed to correctly join the 3 part hour segments. The 16:59 to 17:00 join, and the 17:59 to 18:00 join lost a frame at the end of each hour.
Further analysis confirms that using the time backup, rather than the visual editing, and using H264 and not AVI, gives the correct output with no loss in frames.
Many systems offer several format options for Backup/Export/Download. Another hint is that if immediate viewing is required, but the native file is recovered in an obscure format, a standard format can also be selected for viewing. This will enable the quick preview, pending data analysis and decoding of the native. This is for quick viewing only. It is not the native footage so any pixel level analysis can not be completed on that file type.
Last Questions to Answer
We still have two more questions to answer, though. We have H264 exported, but the device reports H265X as being the encoding format. One of the clues in exporting the native format is the speed in which it is written to the storage device. All of our exports were relatively quick, which suggests no transcoding was occurring during the process. Next, some internet research suggests that the device records in H264. Finally, and we will come onto this later in the series, an analysis of the data stored on the internal HDD revealed the data was, in fact, H264. We told you that CCTV companies like to play tricks on us.
The last one, deals with this 1080N resolution. We have the correct height. What should the width be to give an authentic view of the scene? Well, just for consistency, we did a sphere test within Amped FIVE.
After downloading a small piece of footage where we placed a sphere into the field of view, using the standard 16/9 aspect ratio looks about right. But, for this system, it’s not authentic. The stored horizontal pixels were 944 in length. Doubling this to 1888, then correcting the lens distortion, produces a perfect circle on the sphere placed into the camera view. 16/9, although appearing OK, created 32 extra lines in the image that resulted in the sphere being slightly too wide.
When Crime Scene Investigators (CSI) attend at a scene, they do not just have one small bag of equipment and do the same thing every time. They will assess the scene, assess what is required, and then may conduct some tests to ensure that the fluid or powder being used reacts in the required way to the material or surface being examined. CCTV acquisition must start with a similar assessment.
We have learned how the export is conducted can affect the reliability of the evidence. Even when different options are using the same codec, they can affect the integrity of the data. We have also learned that the image being recorded may not be how it should be presented to ensure an authentic view of the scene.
In the next posts, we will move from using the physical device to accessing it over a computer network. For now, though, we have evaluated the system, conducted an evidential closed-box CCTV acquisition, and preserved the native format data on a temporary storage device.
In case of emergency
We cannot finish off without mentioning the times when the immediate dissemination of an image or video is required to protect life or the immediate recovery of property. In these instances, it is quite justifiable to use an inferior version of the native format to achieve a fast press release.
It is, though, only a version of the evidence. The native format must always be acquired to ensure the integrity of the evidence within the investigation.