The CCTV Acquisition series continues here with another installment. This post features an acquisition from a cloud-based service provider. In previous posts, we have always started with a device that contains the data required to be preserved as evidence. With full cloud-based storage, the data is on a remote server, owned and managed by a separate entity. There are several different types of cloud-based CCTV. It is vital to recognize what system you may be dealing with as some may also be storing data on-site. Read on to learn more!
Cloud Systems
NAS Cloud
These hybrid systems first store the data locally on a device such as a Network Video Recorder (NVR) or Network Attached Storage (NAS). Access to that data will be controlled via a PC interface or an app connected to that network. It is common for these systems to store a reduced timescale, higher-quality video locally and for the long-term footage to be reduced in quality before uploading. The quality reduction may be as simple as removing 50% of the frames. This allows users to have a short time of high-quality footage but several months of lower-quality footage can be searched if required.
Edge Cloud
Edge systems retain the video data within the camera for a short time before uploading to the cloud. The cameras will either use an embedded storage chip or, a temporary storage device such as a MicroSD card similar to the one seen and discussed here.
Some of these cards will be user-extractable. However, some will be built into the camera housing as they were never designed to be removed. Edge storage ensures that data is retained, even if the network connection is interrupted.
Direct-to-cloud
A direct-to-cloud camera has no method of storing the video data locally and simply transmits the data to the storage provider. As you can imagine, if there are network issues or no storage plan is up-to-date, then no data will be retained. These are the types of systems that we will look at further in this post, but let us spend some time considering the requirements of a local acquisition.
Local Acquisition
NAS or NVR stored data should ideally be dealt with in the same way as detailed in the previous posts.
System evaluation and testing would be vital to ensure that recovered data was able to be decoded correctly. This is especially important with proprietary CCTV NAS devices that may utilize RAID (Redundant Array of Independent Disks) configurations and/or network encryption. It would be very quick to just perhaps swap out the drives, in a similar way as we detailed in this post, but they may never be readable outside of that network.
Edge storage devices are easier to deal with due to their portability, but may also be encrypted. We will take a much deeper look into storage card data preservation in the next post when considering master and working copies.
Cloud-based Systems
There are many different types of cloud-based systems but some of the ones you may know are:
- Arlo
- Ring
- Nest
- Canary
They all generally work the same way.
The cameras will communicate to the internal network either wirelessly or through a wired connection. They will transmit the data, via the internet, to a storage system within “the cloud”. This data can be reviewed, and hopefully recovered, at a later time. Most of the services also provide general motion analytics, such as sending notifications when persons are detected.
For users, the set-up of the cameras is usually fairly easy and controlled via an app. After giving the camera access to the local network, again controlled through the app, it will automatically start transmitting data once any storage plan is activated.
For this post, we will look at the Nest camera system, which is part of the Google family.
Using the App
After downloading the app and following the instructions for setup, the camera’s live view was visible within the app.
Access to all the settings for motion detection, notifications, naming and location were available within the dropdown near the top. There were also some settings regarding quality. They are only related to bandwidth, with a slider range between low and high. Further information on the quality settings can be found here.
Tapping on the camera image quickly brought up a list of recent motion detections.
The motion clips could be viewed easily and further searching was possible using the button at the bottom. Clips could also be created from the app but let us move to the web browser to complete this task. The functions are the same, whether using the app or the Nest Home webpage and the data recovered is also the same.
Using a Web Browser
Once logged in to the Nest Home webpage, a similar camera view was displayed, allowing access to the live view and motion activations. Selecting a motion activation allowed further options.
At the bottom is a timeline and you will notice that only 6am to 6.15am is dark. Within the dark bar, there are small dots. Footage has only be retained for this time period and the dots signify motion in the scene at that time. At 6.10am a person was detected. This is the clip that is needed to be preserved and shared.
When conducting a CCTV acquisition from a cloud-based service provider, this is the stage that must be completed with care. The recording is out of our control, but the acquisition must be controlled to preserve the integrity of the recorded evidence.
Creating a Clip
Now that we have identified the required footage, we must create a clip using the menu at the bottom.
The clip can be named, and after using a simple control to set the start and end point, it’s possible to select “Save“.
Although the clip has been saved, it’s still sitting somewhere out in “the cloud”. By using the Clips menu, it is now possible to view and share it.
Along the bottom are the sharing and sending options.
- Sharable link
- YouTube
- Nextdoor
- Download
Selecting the Download option first, the clip was already named Person Leaving Building, and had the .mp4 file extension.
Sharing the Video
What happens to this file now is important to consider. If the CCTV owner has been requested to obtain this file for an investigation, then how they share it can decide if the video retains integrity, or not.
An example could be that they have used their cellphone and the app. The file is now in their image and video gallery. These often sync with a backup service that allows sharing.
As you can see, sharing the backup copy may be easier, but it will be different and of lesser quality.
The next option tested was Sharable Link. This provides a web link that can be sent to persons, which then opens up a dedicated webpage that features the specific clip.
Depending on the browser used and the settings, there is a capability to then download the clip as a file.
So far, we have shared the clip in two different ways. All other social media sharing is not suitable for evidence, so those have not been used. First, we downloaded the file and shared it, taking care to use a service that would not reduce the integrity. Second, we used the Nest service to share the clip and then sent a link. The file was then downloaded using the link.
Obtaining a large timescale in this manner could prove tricky, but read on to learn how things can be made a little easier.
Before we get to that, are the two files the same? Yes.
With both files loaded into Amped FIVE, the timestamps are extracted from the file and loaded automatically. By adding in the Hash Code filter, it was possible to compare the values to verify that both files were exactly the same.
The timestamps are based on the times selected when the clip was created and are based on running time, rather than per frame. They are not millisecond (MS) accurate and so further analysis and adjustment would be required to assess any timing issues and interpolate for MS accuracy.
Frame Timing
If timing is relevant, then understanding what is reliable within the data becomes essential.
The Advanced File Info revealed a not unusual variable frame rate, but we had better take a closer look.
One of the many great things about Amped FIVE is its ability to allow all the various analysis stages within the same project as you would be conducting any restoration and enhancement. It then allows all preparation of video, images and data for demonstrative presentation. After placing some relevant visual data onto the video, it’s easy to use the Frame Analysis to go immediately to that frame or time.
Using the Open-in-Excel function, you can go one step further and quickly graph the relevant data, depending on the questions being asked.
The visual graph is a great way to spot timing changes that could be relevant to your investigation. As you can see, there are some big spikes in frames that need to be held for longer durations.
If you wish to learn more about the powerful and unique methods to detect, analyze and interpret Advanced File Information, then take a look at our training module on the subject.
Before we move on, let us summarize. We have downloaded a clip using two different methods and verified that they are the same. We have interrogated and interpreted the timing information. There is one last thing to do, identify if the clip downloaded is different than the file in “the cloud”.
Google Takeout
Nest is part of the Google world and, as such, it is possible to view and acquire any stored data, including all Nest recordings.
Navigating takeout.google.com can be tricky, but in the huge list of options, a Nest owner should be able to see their Nest data.
This not only makes things easier to ensure that the best, native, original file is obtained, but it also provides a method to recover large amounts of data quickly and easily. However, as is always the case with CCTV, there is one small downside.
After completing the request to acquire all video data, a compressed zip file was downloaded.
All video clips covering all activations were now acquired. This included the file that we downloaded initially. However, the file was now named with a date and time.
This is the first difference. The file is named with a date and time and the time is one hour out, possibly due to Summer Time adjustment. There is also a one-second difference in the filename and the timestamp downloaded with the original clip.
- Filename 5:00:24
- Timestamp 6:00:25
The next difference is that files downloaded directly do not contain the embedded timestamp. Consequently, the files hash value will not match the ones obtained via the Nest app or web interface as clips. We will have to check on the visual data to assess any loss in frame integrity. First though, let us quickly look at some of the associated data that was recovered along with all the video.
Within a JSON data table, were several recording sessions.
The start time is in Unix Epoch time: seconds since Jan 1st, 1970.
We have now found all the timing data relative to our evidential file, with start time, end time and also motion activation times.
Video Mixer
The last thing is to check if the pixel data is the same between the files acquired as clips and the files obtained via Google. This, again, is really easy to do in Amped FIVE. It is often quite tricky to find the same frame if files have different start and end points and this is where Video Mixer helps out.
After finding roughly the same moment in time in the two videos you need to compare, select the two chains in Video Mixer.
Select one of the chains to seek, either the first or second. Then move to the Blend tab and select the Mode, Absolute Difference.
As you can see above, the frames are not exactly correct. By seeking forward or back it’s possible to find the same frame. If the entire frame is black, then there are no differences. There is a Gain option within Blend to help you increase the luminance to observe minimal compression differences.
You can double-check by moving to the Similarity Metrics tab.
Sum of Absolute Difference = 0. No changes; the frames are the same. And then, just to verify your findings, now that you have found the matching frame, what about the frame hash?
Matching frame hashes across the 3 different files.
Summary
When conducting a CCTV acquisition from a cloud-based service provider, the key is to never assume. Always research, test and verify that you have the best evidence. Most CCTV owners will not understand that linking their video through iCloud may transcode and reduce the quality of the video. They may say it’s not possible to get 24hrs worth of footage.
For cloud systems, such as the ones listed earlier, it is vital that local Standard Operating Procedures (SOPs) are written. This ensures all technicians and analysts know the best practices in the acquisition, handling, analysis and verification processes of the various files created by those common providers.
We identified that there are timing issues. We determined that the nature of the download does affect how the timing is dealt with. Importantly though, we understood the differences and can deal with them correctly. We have also confirmed that the image data is the same, regardless of the acquisition method selected.
In the next post, we will be moving on and dealing with all the files that we have correctly acquired. To do this we need to go through a very important, but often misunderstood, process, the creation of master and working copies. We will then look at what happens during processing and the creation of further demonstrative exhibits.
Until then, remember: research, test and verify that what is in the cloud is the same as what you have in the file.
