Lessons Learned from Video Forensics Expert Grant FredericksBy: IPVM Team, Published on Jun 28, 2013
How video is used in court is a source of great interest and, often, confusion. Many ask: Will H.264 be thrown out of court? Does video need to be watermarked? How much resolution is necessary? Is a certain frame rate too low?
We spoke with Grant Fredericks, a leading video forensics expert and the the coordinator of Law Enforcement and Emergency Services Video Association (LEVA) Forensic Video Emergency Response Team. Inside, we present answers to these questions and more.
Here are the key findings from the interview:
- Codec choice itself makes no difference, but how video is compressed can be critical
- Frame rate and jitter can cause problems in analyzing speed / force
- Long I-frame intervals increase doubt / risk of video problems
- DVR/VMS watermarking means nothing
- Avoid transcoding
Codec Choice Not Important, but Compression Is
Fredericks explained that codec choice itself does not guarantee or exclude any type of video, so just because a video is H.264, MPEG-4 or MJPEG does not determine its acceptance in court. Rather, video forensics experts will analyze the details of the video.
For MJPEG, a common problem seen, is that video is too heavily compressed to reduce bandwidth, causing loss of critical details. On the other hand, for H.264, common problems include long I frame intervals and variations in timing of P frames.
Frame Rate and Jitter Can Cause Problems Analyzing Speed / Force
Analysts can try to “reverse engineer the video” to determine image refresh rates, but higher frame rates provide the most detail when it comes to determining movement. The space between images, sometimes milliseconds, can be the difference determining whether and action was a punch or a push. Generally, the shorter the GOP the more reliable the information in the video, Fredericks said. There have been cases where because of time lapse, images have been misinterpreted.
One example he mentioned was:
"When you look at a video that is 10 images per second and you're trying to opine on speed, motion or force, you might actually have 10 refresh rates per second, but the first images might be 10 milliseconds apart, then a big gap, and the next image 400 milliseconds later. So when someone is seen moving their hand toward someone (like a police officer moving their hand toward somebody's shoulder) it may seem like they're moving their hand slowly and then suddenly punching someone in the shoulder.
“We see that all the time. We see accusations of police abuse and they're saying. 'Look there's where he hit him,' but we say he's moving his hand at an even interval until this moment, and then there is a third of a second delay. But when you look at the images, it looks like a regular refresh rate -- like his hand moved three times further in the same time period. It gives the illusion of force that didn't exist."
“One of the main things analysts are looking for is edge pattern," Fredericks says. "When the images are predictive or bi-directional they don’t have proper edge pattern, so if you’re trying to measure an object for speed, identification or height analysis, you have to be really cautious of the image you choose or make sure what you choose is reliable,” he said.
Long I-Frame Intervals Increase Risk / Doubt
As the examples above show, compression errors or delays in generation of subsequent frames can make video distort what actually happened. A common culprit / confounding factor is long I-frame interval (i.e., the amount of time between one initialization frame and the next). Fredericks mentioned examples of 5 or 10 second I-frame intervals, recommending that the interval be kept to 1 per second or less.
Here's an example of a real world problem involving I frames:
"The other thing, too, is edge pattern. When you see light in an MPEG video, where you have a motion vector, and the motion vector is only updated at the I-frame, in some areas, there are people who look at video, and you can see a person standing in a certain position, their head turned in a certain way. Until that reference frame is updated, their head isn't recorded looking in the other direction, toward the crime. That person may take the stand and say, "Yeah, I watched the guy knife the guy." Yet you look at the video and he's turning the other way when the actual knife was pulled up. But the video was wrong."
DVR/VMS watermarking means nothing
"Watermarking means nothing," said Fredericks. "Manufacturers who claim their stuff is admissible [because of watermarking] are not being honest. Using forensic tools we can extract the native files without ever having to go through watermarking or the encryption process. Watermarking really doesn't mean a thing to us."
Defense attorneys can and often object to the authenticity of manufacturer watermarking, even if it is digital. Video forensic experts typically analyze the details of the video as well as examining visible signs that would indicate tampering. Ultimately, this is the strongest way to validate the authenticity of the video, not a manufacturer watermark.
The biggest frustration for analysts is that many CCTV systems are designed for the user to get a convenient copy of video, but not the original uncompressed footage.
“It’s transcoding an already compressed medium into a additionally compressed convenient copy,” Fredericks says. “The process changes everything about the information. It changes color. It changes edge pattern. It changes GOP structure. And that does sometimes impact reliability and authenticity."
Fredericks says he trains analysts to acquire the native files when pulling video for evidence. “Those data files, whatever they happen to be, are going to be the best evidence,” he said. Using “forensic tools that allow us to sample the signal going to the monitor and intercept an uncompressed copy” they are able to pull those files.
To authenticate, "we can do a pixel value comparison to make sure it was done accurately. The files are large, but they are pixel for pixel the same as the original file”, he says.
Multiplexing in Old Systems
Multiplexing is not an issue in IP cameras, but when pulling video from older analog systems, analysts will occasionally run into issues with “missing video.” Fredericks explains:
“In cold cases, that still deal with analog we see it. The suspect used [the victim’s] ATM card and when investigators went to examine the video, the person doing the examination didn’t understand multiplexing. They didn’t realize the second camera (the system was switching from camera one to camera two) was there. When you go frame by frame you’re missing camera two every time. Ten years later I’m asked to review the video and I get the analog video and review it and there’s the images of their suspect close up using the victim's ATM card.”
LEVA's response team [link no longer available], of which Fredericks is the coordinator, is made up of video forensic analysts from the UK, US and Canada and was established to provide a facility for training and a venue to process large amounts of video in the event of a large scale incident. Any member agency can call on its activation to help examine video evidence. So far, it has only been called to assist in analyzing footage from the Vancouver Riots in 2011. The team examined more than 5,000 hours of video in 14 days, tagged more than 15,000 criminal acts and provided evidence that led to more than 400 people being charged with crimes. The team was also contacted by the White House after the Boston Bombings, but was not activated.