Over the last decade, the video surveillance security industry has morphed drastically in attempts to keep pace with both the consumer electronics and enterprise IT markets. This has created a steep learning curve for law enforcement as well as individuals in the judicial system.
A 2012 survey titled “A national survey of judges on judging expert evidence in a post-Daubert world: 2012” states that:
- 48% of U.S. judges say they are not adequately prepared to deal with the range of “scientific or technical evidence” presented in court
- 96% could not demonstrate two of the four Daubert Standard criteria. Daubert, named for a specific legal case in 1993, refers to the rules of evidence regarding the admissibility of expert witnesses' testimony during United States federal legal proceedings.
By definition, any probative information stored or transmitted in a digital format (1s and 0s) falls under the rules of Digital Evidence, as it pertains to the Federal Rules of Evidence; this includes information on computers, audio files, video recordings, and digital images.
Over 95% of all video systems sold and
Currently, when video from a video surveillance system is obtained as evidence, it is treated with the old school analogue mentality of “What you see is what you get.” Over 95% of all video systems sold and deployed today consist of IP edge devices running an operating system, servers, and some form of network accessible storage. This places almost all pieces of today’s video systems into the same vector of cyber and data security threats that any other device attached to a network is subject to. With this in mind, let’s look at the U.S. Federal Rules of Evidence (FRE) that pertain to digital evidence, and examine how “digital” video is affected.
FRE 401-403: Relevance
- FRE 401: Definition of “Relevant Evidence”
- FRE 402: Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible
- FRE 403: Exclusion of Relevant Evidence on Grounds of Prejudice, Confusion, or Waste of Time
To reduce storage consumption and increase retention times, some integrators and owners will reduce the frame rate along with the resolution to better leverage their storage. Reducing frames per second (FPS) or resolution can produce video that could be misinterpreted by missing key actions within an event. Do a comparison of 15 FPS to 3.75 FPS video in an active scene and see what is missing.
FRE 901 (and 902): Authentication
- To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is
This rule plays the most crucial role when dealing with digital video evidence in today’s network environment. Typical Network Video Recorder (NVR) manufacturers record and store video in a basic file format such as *. G64 or *.AVI. While this varies from vendor to vendor, recorded files usually follow a naming convention based on time, date, and camera ID. Video files stored in this fashion can be searched, played back, and or tampered with by simply accessing the network share that in most cases is readily available by simple browsing. Besides cyber threats, one of today’s biggest concerns is incident video being leaked or posted on social media by an internal source, and this can still be accomplished without an individual having video system privileges. If the correct codecs are installed, video can be manipulated and reloaded via a simple network connection.
Most NVR vendors also utilise classic “watermarking” as their only form of video authentication. As specified by the Scientific Working Group Imaging Technology (SWGIT), watermarking is considered video tampering: “Watermarking is a potentially irreversible process of embedding information into a digital signal. It modifies the content of the files and can persist as a part of the file. This process may change the image content as it was captured by the camera. Watermarking may occur at the time of recording, at the time the video or images are exported from the system, or during post- processing. Watermarking is not recommended” (Section 17 Digital Imaging Technology Issues for the Courts)
|Probably the greatest challenge facing law enforcement today is the process in which digital evidence is collected|
FRE 901 B9: Collection process
If an expert can testify about the validity of the process used to image or collect the digital evidence, then it can be deemed admissible
Probably the greatest challenge facing law enforcement today is the process in which digital evidence is collected, and maintaining a reliable chain of custody. Typically, first-responding officers to an incident do not know how to secure and/or gather digital evidence to preserve chain of custody; this can affect admissibility in court. As of 2012, there were between 2500 and 3000 different video file formats and codecs associated with as many vendors and products. To expect law enforcement to be familiar with even a fraction of the devices is unreasonable.
Law Enforcement typically has to rely on the manufacturer or an integrator to assist in retrieval of incident video. If responding law enforcement personnel are confronted with equipment they are not familiar with, SWGIT suggests the following: Section 24_ Best Practices for Retrieval of Digital Video (2013)
- “Otherwise, searching the vendor’s website or contacting the vendor directly may be necessary”
- “If the request is for 30 days of video, the best, or only, option may be producing a forensic clone of the hard drive(s) and/or removing the recording unit from the scene”
What if a DVR is from an overseas vendor? Who does the officer call? Is the integrator or installer trained in handling digital forensic evidence?
When dealing with enterprise systems, the second point noted in the SWGIT documentation is impractical as video information can be located anywhere within the system’s storage, be it iSCSI, DAS, SAN, or NAS. In some cases, video may be located off the physical site, on the customer’s cloud for instance. If you have 1,000 cameras and 80 TB of storage configured in RAID 6, what drives contain the 45 seconds of incident video? Does the officer take all 80 TB plus RAID controllers?
Best evidence rule FRE 1002
The best evidence rule stipulates that “original” evidence must be maintained, and if requested by either the defence or the prosecution, the “original” authenticated evidence must be produced. Due to the fact that digital evidence of any kind can be easily manipulated today, this particular rule is critical, and when performing image enhancements of any kind, they must be done using forensic copies or duplicates.
Comparing the average time, it takes
The critical issues that arise concerning FRE 1002 and video relate back to FRE 901 and the collection process. If we are dealing with a basic DVR event, and video is retrieved by law enforcement, all DVR devices record in a First-In-First-Out (FIFO) fashion. Comparing the average time, it takes for a major case to go to trial and the typical DVR retention, in most instances, all original video has been overwritten. Now consider scenarios when video or image enhancement is needed with the assistance of a forensics lab. As of 2013, the average number of “Backlog” cases per U.S. forensic lab was 1,213 (163,806 total nationwide).
With the ease of which video can be edited and manipulated with today’s technology, it is only a matter of time before the focus of the legal system as it pertains to digital video evidence is redirected to the video itself. Are your video devices subject to cyber threats? Can your video system protect video beyond its retention time if needed? Can your video be authenticated by hashing instead of watermarking? A video system is an investment, what will your investment be worth in the future?
This article is an excerpt from a dissertation paper written by David Brent. For more details, register to attend David’s upcoming webinar on the topic hosted by the U.S. Security Industry Association.