Forensic Video Recovery

 

What many trial lawyers, those who engage experts like myself, fail to recognize is the crucial importance of recovering digital video data forensically. There are three main factors:

  1.   When we recover evidence on site, we shoot a video of the process, which establishes an indisputable chain of evidence.
  2.   We take special precautions during the recovery process and with the copy or original recording we leave the scene with.
  3.   We recover the recordings so as to minimize any degradation in quality. Clearly, when a multi-million dollar lawsuit may hinge on the analysis of a surveillance video evidence fore example. It is imprudent to entrust the recovery of digital evidence to an untrained security guard or police officer.

 

Forensic Video Data Recovery is the process of traveling to the location where the recording system is located in order to forensically extract a clone of the  video evidence. Common recording systems consist of IP or server based phone systems, CCTV DVR or NVR surveillance video systems, MDVR video recorders,  police dash camera systems, and many more. Once recovered, the analog or digital  video evidence can be used in the forensic enhancement and forensic authentication investigations. Data recovery requires an accurate attention to detail and documentation so that the audio & video evidence is preserved correctly for further investigation. The courts must know what exactly the expert did to retrieve the recording, as to prove that the recording was not retrieved under false pretenses or inaccurately. If the expert cannot provide this, the evidence may not be seen as applicable, which can diminish the credibility of the expert and the investigation as a whole. A forensic expert must ensure thorough documentation of the retrieval, or their evidence may not make it into the courtroom.

For example, when recovering digital video data from DVR, NVR, or MDVR CCTV surveillance systems, degradation of quality, or introduction of compression can harm the recording, and reduce the success of forensic enhancements during the investigation stage.  It is a forensic experts job to coordinate accessing the device or devices that created the recording, and to extract the audio & Video evidence so the trier of fact can weigh the evidence and its importance to any case.  

Primeau Forensics has developed a proven methodology used when forensic evidence recovery is necessary:

  1. Establish an evidence recovery protocol when another forensic expert is involved from the opposing side in the litigation.
  2. Establish and document a chain of custody of the audio & video evidence, and all litigators and experts present.
  3. Identify the recovery scope of work. How much and what type of digital video needs to be recovered?
  4. Research must be done to determine the status of the device, along with its nuances. The forensic experts must know not only how the device works  from initial research, but they must also study the manufacturers specifications, technical information, and other information about the product.  In addition, it is common for an expert to reach out to the manufacturer for further inquiry about the device. This helps the expert accurately obtain the evidence in an authentic and non-destructive manor
  5. Discover by inquiring that all system components will be on site when you arrive. These components may include remote control, DVR locking key, power supplies and other cables.
  6. Determine if the system was connected to the Internet or networked to other computers. Who had access and monitoring to the system at the time of the incident.
  7. Obtain the software necessary to access the audio & video evidence or digital information. Though many media players support various formats, the change in codec can alter the recording. Even if the recording is altered slightly, this is a big problem in the grand scheme of maintaining chain of custody. Learning about the software necessary, along with the codec being used to encode recordings, can ensure that the evidence is obtained properly, with no risk of alteration.
  8. Photograph the evidence or equipment used to create it before you begin the inspection.
  9. Document the recovery process using a video camera or audio recording. This is another element that has to do with chain of custody. The courts must know what exactly the expert did to retrieve the recording, as to prove that the recording was not retrieved under false pretenses or inaccurately. If the expert cannot provide this, the evidence may not be seen as applicable, which can diminish the credibility of the expert and the investigation as a whole. A forensic expert must ensure thorough documentation of the retrieval, or their evidence may not make it into the courtroom.
  10. Take detailed notes during your entire forensic recovery process. Pay careful attention to any markings or signs of tampering. This includes scratched screw heads or broken manufacturer seals, which may reveal prior disassembly of the equipment.
  11.  The expert will identify the scope of what needs to be recovered. Using the correct interfaces to the device, the expert will create a carbon copy clone of the evidence for further analysis. The clone of the evidence will assist the trier of fact in analysis of the digital information or other details that surrounded the events as they occurred at the time of the incident.
  12.  Make sure your forensic computer’s power configurations are set to always on so as not to interrupt the recovery process with computers going into power save mode, or sleeping mode.
  13.  Access the system administrative or event log and note or print all activity before, during, or after the incident.
  14.  The evidence must be retrieved in a way that will maintain quality to the highest degree. The expert should bring the manual to the retrieval so they can best understand the methods that will warrant the highest quality recordings.
  15.  Establish the system process for naming and numbering of digital video files and note in the chain of custody log as well as work product notes for future reference and authentication.

 

Successful retrieval of  video evidence always requires preparation and research beforehand. Best practices require the forensic expert to browse the Internet, contact the manufacturer, and read the manuals inside and out to determine the best way to preserve this digital evidence in its best quality prior to arriving at the scene to clone. As trial verdicts may turn on the outcome of analysis of evidentiary  video evidence, the forensic expert must personally recover the video to establish a clear  and accurate chain of custody. Furthermore, they must also prevent accidental loss of files, and preserve the audio & video quality through recovery and trans coding to a court room ready format.

 

If you have a video that you question or need help understanding, please give me a call for a pro bono conversation. I apply my forensic expertise to cases in the United States and many countries around the globe. Any and all formats of audio and video accepted. Retainer agreement available on request; travel expenses will be quoted in advance excluding meal expenses and flat rate time for travel instead of hourly.

Click HERE to email your questions or

Call 800-647-4281 in the USA or +01-248-853-4091 Internationally.

Ed Primeau’s Curriculum Vitae has several references which include cases he has testified in as well as clients he has worked for in these cases.

download-cv