Over the last decade, the video surveillance security industry has morphed drastically in attempts to keep pace with both the consumer electronics and enterprise IT markets. This has created a steep learning curve for law enforcement as well as individuals in the judicial system.

A 2012 survey titled “A national survey of judges on judging expert evidence in a post-Daubert world: 2012” states that:

  • 48% of U.S. judges say they are not adequately prepared to deal with the range of “scientific or technical evidence” presented in court
  • 96% could not demonstrate two of the four Daubert Standard criteria. Daubert, named for a specific legal case in 1993, refers to the rules of evidence regarding the admissibility of expert witnesses' testimony during United States federal legal proceedings.

Digital evidence

By definition, any probative information stored or transmitted in a digital format (1s and 0s) falls under the rules of Digital Evidence, as it pertains to the Federal Rules of Evidence; this includes information on computers, audio files, video recordings, and digital images.

Over 95% of all video systems sold and
deployed today consist of IP edge devices
running an operating system, servers, and
some form of network accessible storage

Currently, when video from a video surveillance system is obtained as evidence, it is treated with the old school analogue mentality of “What you see is what you get.” Over 95% of all video systems sold and deployed today consist of IP edge devices running an operating system, servers, and some form of network accessible storage. This places almost all pieces of today’s video systems into the same vector of cyber and data security threats that any other device attached to a network is subject to. With this in mind, let’s look at the U.S. Federal Rules of Evidence (FRE) that pertain to digital evidence, and examine how “digital” video is affected.

FRE 401-403: Relevance

  • FRE 401: Definition of “Relevant Evidence”
  • FRE 402: Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible
  • FRE 403: Exclusion of Relevant Evidence on Grounds of Prejudice, Confusion, or Waste of Time

To reduce storage consumption and increase retention times, some integrators and owners will reduce the frame rate along with the resolution to better leverage their storage. Reducing frames per second (FPS) or resolution can produce video that could be misinterpreted by missing key actions within an event. Do a comparison of 15 FPS to 3.75 FPS video in an active scene and see what is missing.

FRE 901 (and 902): Authentication

  • To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is

This rule plays the most crucial role when dealing with digital video evidence in today’s network environment. Typical Network Video Recorder (NVR) manufacturers record and store video in a basic file format such as *. G64 or *.AVI. While this varies from vendor to vendor, recorded files usually follow a naming convention based on time, date, and camera ID. Video files stored in this fashion can be searched, played back, and or tampered with by simply accessing the network share that in most cases is readily available by simple browsing. Besides cyber threats, one of today’s biggest concerns is incident video being leaked or posted on social media by an internal source, and this can still be accomplished without an individual having video system privileges. If the correct codecs are installed, video can be manipulated and reloaded via a simple network connection. 

Most NVR vendors also utilise classic “watermarking” as their only form of video authentication. As specified by the Scientific Working Group Imaging Technology (SWGIT), watermarking is considered video tampering: “Watermarking is a potentially irreversible process of embedding information into a digital signal. It modifies the content of the files and can persist as a part of the file. This process may change the image content as it was captured by the camera. Watermarking may occur at the time of recording, at the time the video or images are exported from the system, or during post- processing. Watermarking is not recommended” (Section 17 Digital Imaging Technology Issues for the Courts)

Law Enforcement typically has to rely on the manufacturer or an integrator to assist in retrieval of incident video
Probably the greatest challenge facing law enforcement today is the process in which digital evidence is collected

FRE 901 B9: Collection process

If an expert can testify about the validity of the process used to image or collect the digital evidence, then it can be deemed admissible

Probably the greatest challenge facing law enforcement today is the process in which digital evidence is collected, and maintaining a reliable chain of custody. Typically, first-responding officers to an incident do not know how to secure and/or gather digital evidence to preserve chain of custody; this can affect admissibility in court. As of 2012, there were between 2500 and 3000 different video file formats and codecs associated with as many vendors and products. To expect law enforcement to be familiar with even a fraction of the devices is unreasonable.

Law Enforcement typically has to rely on the manufacturer or an integrator to assist in retrieval of incident video. If responding law enforcement personnel are confronted with equipment they are not familiar with, SWGIT suggests the following: Section 24_ Best Practices for Retrieval of Digital Video (2013)

  • “Otherwise, searching the vendor’s website or contacting the vendor directly may be necessary”
  • “If the request is for 30 days of video, the best, or only, option may be producing a forensic clone of the hard drive(s) and/or removing the recording unit from the scene”

What if a DVR is from an overseas vendor? Who does the officer call? Is the integrator or installer trained in handling digital forensic evidence?

When dealing with enterprise systems, the second point noted in the SWGIT documentation is impractical as video information can be located anywhere within the system’s storage, be it iSCSI, DAS, SAN, or NAS. In some cases, video may be located off the physical site, on the customer’s cloud for instance. If you have 1,000 cameras and 80 TB of storage configured in RAID 6, what drives contain the 45 seconds of incident video? Does the officer take all 80 TB plus RAID controllers?

Best evidence rule FRE 1002

The best evidence rule stipulates that “original” evidence must be maintained, and if requested by either the defence or the prosecution, the “original” authenticated evidence must be produced. Due to the fact that digital evidence of any kind can be easily manipulated today, this particular rule is critical, and when performing image enhancements of any kind, they must be done using forensic copies or duplicates.

Comparing the average time, it takes
for a major case to go to trial and the
typical DVR retention, in most instances,
all original video has been overwritten

The critical issues that arise concerning FRE 1002 and video relate back to FRE 901 and the collection process. If we are dealing with a basic DVR event, and video is retrieved by law enforcement, all DVR devices record in a First-In-First-Out (FIFO) fashion. Comparing the average time, it takes for a major case to go to trial and the typical DVR retention, in most instances, all original video has been overwritten. Now consider scenarios when video or image enhancement is needed with the assistance of a forensics lab. As of 2013, the average number of “Backlog” cases per U.S. forensic lab was 1,213 (163,806 total nationwide).


With the ease of which video can be edited and manipulated with today’s technology, it is only a matter of time before the focus of the legal system as it pertains to digital video evidence is redirected to the video itself. Are your video devices subject to cyber threats? Can your video system protect video beyond its retention time if needed? Can your video be authenticated by hashing instead of watermarking? A video system is an investment, what will your investment be worth in the future?

This article is an excerpt from a dissertation paper written by David Brent. For more details, register to attend David’s upcoming webinar on the topic hosted by the U.S. Security Industry Association.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

In case you missed it

What is the impact of lighting on video performance?
What is the impact of lighting on video performance?

Dark video images contain little or no information about the subject being surveilled. Absence of light can make it difficult to see a face, or to distinguish the color of clothing or of an automobile. Adding light to a scene is one solution, but there are also new technologies that empower modern video cameras to see better in any light. We asked this week’s Expert Panel Roundtable: what impact does lighting have on the performance of video systems?

Alarm.com adapts during pandemic to enable partners to ‘succeed remotely’
Alarm.com adapts during pandemic to enable partners to ‘succeed remotely’

As a cloud-based platform for service providers in the security, smart home and smart business markets, Alarm.com has adapted quickly to changing conditions during the coronavirus pandemic. In the recent dynamic environment, Alarm.com has kept focus on supporting their service provider partners so they can keep local communities protected. “We moved quickly to establish work-from-home protocols to protect our employees and minimise impact on our partners,” says Anne Ferguson, VP of Marketing at Alarm.com. The Customer Operations and Reseller Education (CORE) team has operated without interruption to provide support to partners. Sales teams are utilising webinars and training resources to inform and educate partners about the latest products, tools, and solutions. Alarm.com’s partner tools are essential for remote installations and support of partner accounts. Helping customers remain connected Adapting to challenges of the coronavirus pandemic, Alarm.com is further investing in solutions that help customers remain connected and engaged. The company has created a resource hub called “Succeeding Remotely” that provides tools, tips and news links that partners can use to adapt their business operations. From adjusting sales and installation techniques to maintaining cellular upgrades, Alarm.com is helping partners stay connected to customers remotely, keep their teams trained, and address rapidly evolving customer concerns without rolling trucks.The company has created a resource hub called “Succeeding Remotely “Additionally, after seeing all that our partners are doing to support their local communities in need, we were compelled to highlight those efforts with ongoing videos called Good Connections, which we’re sharing with our partner community to spark more ideas and ways to help,” says Ferguson. “Though our partners have experienced varying degrees of disruption to their business, we’re inspired by their adaptability, ingenuity and resilience,” says Ferguson. “Along with establishing proper safeguards for operating in homes and businesses, our partners are leveraging our support resources more heavily, while our entire staff has worked tirelessly to deliver new, timely resources.” Do-It-Together solutions Alarm.com partners are successfully employing Do-It-Together (DIT) solutions, focusing on 3G-to-LTE upgrades, and pivoting to new verticals like commercial and wellness. Many are also streamlining their business operations and taking advantage of virtual training opportunities to enhance their technicians’ skills and knowledge, says Ferguson. Do-It-Together installs involve depending on customers to perform part or all of the installation process. Partners can send customers fully configured kits with mounting instructions, or technicians may guide customers on a remote video call. Alarm.com’s tools, training and products help partners modify remote installation options depending on each customer’s needs. End users can validate the Alarm.com Smart Gateway with their central station that sensors they have mounted were done correctly using the Alarm.com mobile app Alarm.com Smart Gateway For example, the Alarm.com Smart Gateway can be pre-configured with indoor and outdoor cameras for easy customer installation and to reduce the likelihood of future service calls. Also, end users can validate with their central station that sensors they have mounted were done correctly using the Alarm.com mobile app. “DIT is helping our partners continue onboarding customers and avoid backlogs,” says Ferguson. “We’ve been pleasantly surprised by the resiliency and level of future investment that our residential and commercial partners have shown in the face of adversity,” adds Ferguson. For example, a significant number of business customers have used the slow period to install systems that are typically too disruptive to put in during normal business hours. Similarly, service providers are adopting new technologies or business models, such as cloud-based access control. “They’re often saying to us, ‘I’m going to take this opportunity to make changes to improve our business,’ and have been working closely with us on training and business consulting to support their efforts,“ she says. Shift to the cloud Ferguson sees a growing preference for cloud-managed surveillance and access systems over ones that have historically been run on-premise. The technology itself is attractive, but especially driving change is the enhancement to the daily lives of service providers and customers, which have been strained during this time. “The foundational benefit of our cloud-based solution is the hassle-free, seamless customer experience it delivers,” says Ferguson. “We make this possible by taking ownership of the servers, software maintenance, firmware updates, health monitoring, and more. With cloud technology, these aspects become invisible to the customer and take a lot off their plate, which is more important than ever.” End users can take advantage of Smart Tip video tutorials to help with DIT installations, or they can use the Alarm.com Wellcam to connect with loved ones anywhere.End users can take advantage of Smart Tip video tutorials to help with DIT installations Partners can attend training workshops focused on remote installation tactics, while driving consumer interest in new offerings through Alarm.com’s Customer Connections platform. The goal is to make it simple for partners to stay connected to their customers to maximise lifetime account value. “We are well-positioned to endure the pandemic because of the strength of our partners in their markets along with our investments in technology, hardware and our team,” says Ferguson. “As restrictions slowly lift, there is cautious optimism that the residential, commercial, property management, plumbing/HVAC, builder and other verticals will recover quickly. We believe that as more partners adopt the DIT model and add commercial and wellness RMR, they will find increasing opportunities to deploy security, automation, video, video analytics, access and more throughout their customer base.”

COVID-19 worries boost prospects of touchless biometric systems
COVID-19 worries boost prospects of touchless biometric systems

Spread of the novel coronavirus has jolted awareness of hygiene as it relates to touching surfaces such as keypads. No longer in favour are contact-based modalities including use of personal identification numbers (PINs) and keypads, and the shift has been sudden and long-term. Both customers and manufacturers were taken by surprise by this aspect of the virus’s impact and are therefore scrambling for solutions. Immediate impact of the change includes suspension of time and attendance systems that are touch-based. Some two-factor authentication systems are being downgraded to RFID-only, abandoning the keypad and/or biometric components that contributed to higher security, but are now unacceptable because they involve touching. Touchless biometric systems in demand The trend has translated into a sharp decline in purchase of touch modality and a sharp increase in the demand for touchless systems, says Alex Zarrabi, President of Touchless Biometrics Systems (TBS). Biometrics solutions are being affected unequally, depending on whether they involve touch sensing, he says. Spread of the novel coronavirus has jolted awareness of hygiene as it relates to touching surfaces such as keypads “Users do not want to touch anything anymore,” says Zarrabi. “From our company’s experience, we see it as a huge catalyst for touchless suppliers. We have projects being accelerated for touchless demand and have closed a number of large contracts very fast. I’m sure it’s true for anyone who is supplying touchless solutions.” Biometric systems are also seeing the addition of thermal sensors to measure body temperature in addition to the other sensors driving the system. Fingerscans and hybrid face systems TBS offers 2D and 3D systems, including both fingerscans and hybrid face/iris systems to provide touchless identification at access control points. Contactless and hygienic, the 2D Eye system is a hybrid system that combines the convenience of facial technology with the higher security of iris recognition. The system recognises the face and then detects the iris from the face image and zeros in to scan the iris. The user experiences the system as any other face recognition system. The facial aspect quickens the process, and the iris scan heightens accuracy. TBS also offers the 2D Eye Thermo system that combines face, iris and temperature measurement using a thermal sensor module. TBS's 2D Eye Thermo system combines face, iris and temperature measurement using a thermal sensor module Another TBS system is a 3D Touchless Fingerscan system that provides accuracy and tolerance, anti-spoofing, and is resilient to water, oil, dust and dirt. The 2D+ Multispectral for fingerprints combines 2D sensing with “multispectral” subsurface identification, which is resilient to contaminants and can read fingerprints that are oily, wet, dry or damaged – or even through a latex glove. In addition, the 3D+ system by TBS provides frictionless, no-contact readings even for people going through the system in a queue. The system fills the market gap for consent-based true on-the-fly systems, says Zarrabi. The system captures properties of the hand and has applications in the COVID environment, he says. The higher accuracy and security ratings are suitable for critical infrastructure applications, and there is no contact; the system is fully hygienic. Integration with access control systems Integration of TBS biometrics with a variety of third-party access control systems is easy. A “middleware” subsystem is connected to the network. Readers are connected to the subsystem and also to the corporate access control system. An interface with the TBS subsystem coordinates with the access control system. For example, a thermal camera used as part of the biometric reader can override the green light of the access control system if a high temperature (suggesting COVID-19 infection, for example) is detected. The enrollment process is convenient and flexible and can occur at an enrollment station or at an administration desk. Remote enrollment can also be accomplished using images from a CCTV camera. All templates are encrypted. Remotely enrolled employees can have access to any location they need within minutes. The 3D+ system by TBS provides frictionless, no-contact readings even for people going through the system in a queue Although there are other touchless technologies available, they cannot effectively replace biometrics, says Zarrabi. For example, a centrally managed system that uses a Bluetooth signal from a smart phone could provide convenience, is “touchless,” and could suffice for some sites. However, the system only confirms the presence and “identity” of a smart phone – not the person who should be carrying it. “There has been a lot of curiosity about touchless, but this change is strong, and there is fear of a possible second wave of COVID-19 or a return in two or three years,” says Zarrabi. “We really are seeing customers seriously shifting to touchless.”