Forensic Multimedia Authentication

What is multimedia evidence?

According to Elliott Goldstein, a Woodbridge, Ont., lawyer, an acknowledged video evidence expert who lectures at the Ontario (Canada) Police College, and the author of the two-volume book Visual Evidence: A Practitioner’s Manual, “In the old days, video images were recorded on videotapes. When it came to submitting them as evidence, there was no problem: You just took the original tape into court and played it for the judge and jury. But today most [surveillance] video is recorded on hard disk drives, which are routinely wiped as new data comes in. This means that the video evidence has to be downloaded onto a DVD or digital tape, requiring very careful procedures, witnessing, and documentation to prove that you have an unedited ‘exact duplicate copy’ of the original.”

According to Jonathan Hak, “The party tendering video evidence must establish how the video was recorded, what impact the recording process had on the captured video, whether the exporting of the video evidence has further compromised the reliability of the images and whether all relevant video has been obtained of the incident in question.” As a result, “video evidence must be authenticated in order to gain admissibility in court. Authentication can be accomplished by witnesses familiar with the video content — for example, the person who captured the video images — or technically, showing that the images have not been altered in any improper way. This is a requirement of both the Canada Evidence Act and common law.”

According to LEVA, “Multimedia Evidence. Analog or digital media, including, but not limited to, film, tape, magnetic and optical media, and/or the information contained therein. NOTE: The term Digital Multimedia Evidence (DME) used in this document refers specifically to multimedia evidence in a digital form.”

According to the IAI/LEVA Glossary, “Digital Evidence. (CER) Information of probative value that is stored or transmitted in binary form.”

Does video evidence in digital form have to be downloaded or exported so that you have “an unedited ‘exact duplicate copy’ of the original?” LEVA’s guide notes that in acquiring DME, one should “Transfer all relevant media files from the DVR.” Download, export, transfer. Seems like there’s some agreement.

LEVA adds what the Flip Book notes, “In addition to acquiring the native video files, a transcoded copy (eg: .avi) may provide an interoperable format for ease of use by investigators.” Securing and protecting the native video files (evidentiary data) is the goal of securing video evidence.

Thus, I think that we can say that digital multimedia evidence (video) from digital CCTV systems should be retrieved in digital form. Any deviation from this should be done with extreme care and only in the worst-case scenario.

In the world of “deep-fakes,” how do you know that you can trust the evidence you’ve received?

Authenticating digital evidence employs various schemes that look at the underlying math within the container, changes to the container, and so forth. If you’ve retrieved the proprietary/native data and the authenticity of the data is challenged, you have the original export/transfer to test against and (hopefully) the DVR that produced it. The rest is pretty straightforward, time-consuming work.
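One way to “test against” the original export, as an added example that is not from the original article: record a SHA-256 manifest of the native files at acquisition, then classify every file in a later copy against it. Cryptographic hashing is an assumption here (the article names no specific method), and the file names and the `.dvr` extension are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large video exports are never loaded into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(export_dir):
    """Map relative path -> SHA-256 for every file under the export directory."""
    root = Path(export_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(manifest, copy_dir):
    """Classify each file in a later copy against the acquisition manifest."""
    current = build_manifest(copy_dir)
    return {
        "match": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unlisted": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed sample data: stand-in 'native' files and a changed working copy."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp, "original_export")
        original.mkdir()
        (original / "cam01_0001.dvr").write_bytes(b"constructed native clip 1")
        (original / "cam01_0002.dvr").write_bytes(b"constructed native clip 2")
        (original / "player.exe").write_bytes(b"constructed proprietary player")
        manifest = build_manifest(original)  # taken once, at acquisition

        working = Path(tmp, "working_copy")
        working.mkdir()
        (working / "cam01_0001.dvr").write_bytes(b"constructed native clip 1")   # exact duplicate
        (working / "cam01_0002.dvr").write_bytes(b"constructed native clip 2 ")  # one byte added
        (working / "cam01_0001.avi").write_bytes(b"constructed transcode")       # interoperable copy
        return verify_copy(manifest, working)

if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9}: {names}")
```

A match shows only that a copy is bit-for-bit identical to what was exported; the transcoded `.avi` is reported as unlisted because it is a new file, not a duplicate of the native one.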

Worst-case scenarios call for solutions like screen capture hardware/software and/or scan converters. These options don’t actually secure (download, export, transfer) the native data; they take a picture of it. Can you authenticate screen grabs? Maybe. “This screen grab has not been altered.” But, if you didn’t actually secure the native data or seize the DVR, how do you show that the screen grab depicts what it’s supposed to depict? How do you tell the DVR’s story? What if there’s a challenge to the authenticity of what’s depicted (as happened in People v Abdullah, BA353334 – Los Angeles County Superior Court, December 2009)?

We’ve processed DME from recorders that we didn’t download, from scenes that we’ve never been to. We rely on chain of custody documents, notes from the field, and so on. Remember, thanks to Melendez-Diaz, everyone in the chain of custody may have to testify. So, if you, your first responders, or your investigators are using worst-case tools as their main option – they may eventually have to testify.

  • Did you secure the evidence from the recorder?
  • How did you secure the evidence from the recorder?
  • Are your field and/or processing notes available?
  • Are these the native/proprietary files from the recorder?
    If not, why not?
  • What is your training and experience with your tools?
  • Did your agency approve your tools’ use for collecting evidence?
  • Did your collection method comply with your agency’s procedures for collecting and securing evidence of this type?
  • Are your methods and tools commonly accepted in the industry?
  • Are you aware of people in your field of expertise who may not agree with yours / your agency’s methodology for retrieving this type of evidence? What are their arguments against your methods?

These are all questions that we’ve faced. How will you answer them if/when asked?

We realize that agencies are overtasked and understaffed. We understand that well-meaning folks are “just trying to get things done.” We understand that most have the best interests of all parties in mind. We also understand that video evidence (DME) is evidence – and should be treated as such. It’s not “just video.” Oftentimes, it’s the only witness to the events of the day. Please don’t let expediency guide your path. “Video evidence is a lot like nitroglycerin: Properly handled, it can demolish an opposing counsel’s case. Carelessly managed, it can blow up in your face.”

If you’d like to know more, we offer comprehensive training / education in Forensic Multimedia Authentication. Contact us today for more information on this offering.