Journal of Forensic Identification

Article
Video Frame Comparisons in Digital
Video Authenticity Analyses
Bruce E. Koenig 1
Douglas S. Lacey 1
Gerald B. Richards 2
Abstract: The scientific authentication of digital video-audio
recordings involves the examination of both the visual and acoustic
information through a number of analysis steps. One step in this protocol is determining whether any of the individual images are identical
to any other images within the same digital recording. Additionally,
in some examinations, it is necessary to identify nonmatching pixels
from nearly identical images. These duplicate, or nearly duplicate
images, could be indicative of editing, an irregularity of a specific
recording device, or just identically captured and processed images.
In this paper, three questions involving video frame comparisons are
addressed:
(1) Does a specific, commonly available, consumer-quality
camcorder produce any identical images with a static visual
view in standard and high definition modes?
(2) Are there accurate methodologies for determining whether
two recorded digital images are identical?
(3) What digital analysis procedures are available for comparing two nearly identical images?
These questions are answered with the analysis of more than 147,100
frames from a consumer camcorder using digital data analyses and
Photoshop routines.
1 BEK TEK LLC, Clifton, VA
2 Richards’ Forensic Services, Laurel, MD
Received November 9, 2010; accepted May 11, 2011
Journal of Forensic Identification
62 (2), 2012 \ 165
Introduction
Authentication of digital video-audio recordings often
involves the examination of both the visual and acoustic [1, 2]
information through a number of analysis steps. One step in this
protocol is the determination of whether any of the individual
video images are bit-for-bit identical with any other images within
the same digital recording, which could be indicative of editing
(e.g., a copy and insert or overlay process) [3, 4], an irregularity
of a specific camcorder or recording device [5], or just identically captured and formatted views. Often the examiner can
visually identify differences between adjacent frames because
of camera movement, lighting, human or other activity, compression artifacts, and so on. However, if the changes are subtle,
with differences due only to limited compression changes, minor
sensor artifacts, and other in-camera signal modifications, or
are nonexistent, an examiner may not be able to visually assess
these slight pixel differences or even whether any interframe
variations have occurred between adjacent images. Additionally,
if the video recording contains repetitive pictorial information
or is lengthy, it would be difficult and very time-consuming for
an examiner to visually compare every image to every other
recorded image to ensure there are no duplications. Though
some digital formats allow the examiner to determine duplicity
through a direct analysis of the digital video data [5], most do
not. As an example, it would be difficult to visually determine
whether there are any matching images from a lengthy recording
produced on a securely mounted surveillance camera containing no motion or obvious changes within its view, such as a unit
located on the interior wall of a bank building in the middle of
the night.
On digital video recorders using highly compressed formats,
often utilized in surveillance systems, the artifacts of the
compression usually produce visual differences between fields
and frames containing identically received images from a
camera. However, not all digital video recordings submitted for
authenticity examination are of low quality; some contain higher
quality, standard definition (SD) NTSC [National Television
System (or Standards) Committee], PAL (phase-alternation
line standard), or SECAM (séquentiel couleur avec mémoire,
which is French for “sequential color with memory”) formatted
recordings with limited compression and “full” pixel resolution
(720 by 480 for NTSC, for example). Additionally, low-priced,
high-definition (HD) consumer camcorders, which can produce
high-quality images with resolutions up to 1920 by 1080 pixels,
are rapidly replacing the SD camcorders.
In some digital video authenticity examinations, slight
differences between images can also be important indicators
of the recording system characteristics or possible signs of
more sophisticated editing. Examples include when two frames
are identical except for differing embedded text information,
or when slight changes are produced between known identical
images due to an added compression step, possibly reflecting
duplication, editing, or transcoding processes.
In this article, three questions involving video frame comparisons are addressed:
(1) Does a specific, commonly available, consumer-quality camcorder produce any identical images with
a static visual view in standard and high definition
modes?
(2) Are there accurate methodologies for determining
whether two recorded digital images are identical?
(3) What digital analysis procedures are available for
comparing two nearly identical images?
These questions are answered with the analysis of more than
147,100 frames from a consumer camcorder using digital data
analyses and Photoshop routines.
Preparation of Camcorder Test Samples
Using a consumer Sony Handycam HDR-CX100 camcorder
(Sony Corporation, Tokyo, Japan), video test recordings were
prepared of two indoor views: (1) a light-color, blank wall lit
only with overhead, recessed fluorescent lighting and (2) a
very detailed stained-glass mosaic with overhead, incandescent
lighting. This color NTSC camcorder has three SD and four
HD record modes, all with variable video bit rates (based on
the effects of compression) and 59.94 interlaced fields (29.97
frames) per second, as reflected in Table 1.
In Table 1, the pixel resolution column reflects the dimensions of each full frame (two fields) image. The pixel aspect ratio
column reflects the factor by which the horizontal dimension of
the pixels is scaled to achieve the respective display aspect ratios
for the NTSC-based video formats. The nominal bit rate column
lists the megabits per second (mbps) data rates provided by
the camcorder manufacturer and shows increasing quality from
LP to HQ for the SD modes, and LP to FH for the HD modes.
The moving picture experts group (MPEG) lossy compression
encoding formats are heavily used in the consumer video field,
with MPEG-2 being older and less efficient compared to the
MPEG-4 standard. The AVC (advanced video codec)/H.264
AVCHD configuration is commonly used in smaller camcorder
units. A thorough explanation of these compression schemes is
well beyond the scope of this article, but many excellent texts
are available on the subject [3, 4, 6, 7]. Figure 1 provides an
example of one frame from the HD FH test recording of the
stained-glass mosaic.
Test video recordings of both views were prepared using the
following procedures:
1. The recordings were all produced at night with only
the artificial light sources present, in rooms where the
air conditioning and ventilation systems were turned
off.
2. The camcorder was mounted on a sturdy tripod and
powered with its AC/DC adaptor.
3. The camcorder controls were set as follows: manual
focus, manual exposure, fader off, automatic white
balance off, automatic slow shutter mode off, automatic
back lighting correction off, SD formats in the 4:3
aspect mode, and image stabilization off.
4. Five-minute recordings were prepared onto Memory
Stick PRO Duo (16 GB) media using all seven record
modes available on the camcorder: HD FH, HD HQ,
HD SP, HD LP, SD HQ, SD SP, and SD LP.
5. Additionally, 12-minute recordings were prepared of
just the blank wall view, onto the Memory Stick PRO
Duo media using all four HD modes.
| Record Mode | Pixel Resolution | Pixel Aspect Ratio | Display Aspect Ratio | Nominal Bit Rate | Video Encoding |
|---|---|---|---|---|---|
| SD LP | 720 x 480 | 0.91 | 4:3 | 3 Mbps | MPEG2-PS |
| SD SP | 720 x 480 | 0.91 | 4:3 | 6 Mbps | MPEG2-PS |
| SD HQ | 720 x 480 | 0.91 | 4:3 | 9 Mbps | MPEG2-PS |
| HD LP | 1440 x 1080 | 1.33 | 16:9 | 5 Mbps | MPEG4-AVC/H.264 AVCHD |
| HD SP | 1440 x 1080 | 1.33 | 16:9 | 7 Mbps | MPEG4-AVC/H.264 AVCHD |
| HD HQ | 1440 x 1080 | 1.33 | 16:9 | 9 Mbps | MPEG4-AVC/H.264 AVCHD |
| HD FH | 1920 x 1080 | 1.00 | 16:9 | 16 Mbps | MPEG4-AVC/H.264 AVCHD |

Table 1
A listing of the seven recording modes on the Sony Handycam HDR-CX100
camcorder and their display, bit rate, and video encoding characteristics.
Figure 1
Sample frame from the HD FH test recording of the stained-glass mosaic.
Digital Data Analyses to Identify Identical Digital Video
Frames
Using a nonlinear, digital video editing system, all of the
recordings were imported in their native formats, thereby
preserving the video encoding, pixel dimensions and aspect
ratio, display aspect ratio, and frame rate. The ability to preserve
these characteristics and avoid transcoding of the recorded video
was crucial, because visual changes may be introduced during
such processes.
After being imported, each of the 5-minute recordings was
trimmed to 3 minutes, with the first and last minutes removed;
the 12-minute recordings were trimmed to 10 minutes, again
with the first and last minutes removed. This trimming was
done to avoid any camera movements, shadows, or other artifacts
that may have been added during the manual record start and
stop procedures. Using the same software, the individual frames
from the trimmed files were exported as separate, uncompressed
image files in a bitmap file format (BMP), using the appropriate
image characteristics (Table 1). All of these exported color BMP
files contained a 54-byte header followed by the image data.
As reflected in Table 2, these headers included two portions of
administrative information: the first 14 bytes listed the American
Standard Code for Information Interchange (ASCII) designator
“BM”, the total file size in bytes, and the header size; the last
40 bytes of the header are designated as a “device-independent
bitmap” (DIB) and included the size and structure of the image
data. A review of Table 2 reflects that all of the exported SD
image files had a size of 1,036,854 bytes, no compression, and
dimensions of 720 by 480 pixels; the three lower-quality HD
exported files (HQ, SP, and LP) were 4,665,654 bytes, with no
compression, and dimensions of 1440 by 1080 pixels; and the HD
FH exported files were 6,220,854 bytes, with no compression,
and dimensions of 1920 by 1080 pixels.
The data portion of the BMP image files allocated three bytes
to define each pixel in the frame, representing the colors blue,
green, and red, respectively, with each color having an intensity
range of 8 bits [2^8 or 256 values from 0 (darkest) to 255 (lightest)].
Therefore, for example, the 720 by 480 pixel SD files consisted
of 1,036,800 bytes (720 x 480 x 3) of image data plus the 54 bytes
of header information. Compared to the actual image, the digital
data bytes are listed in an inverted style, starting with the three
color values for the pixel in the lower left corner of the image,
then proceeding from left to right across the image, and finally
going row by row from the bottom to the top of the image. In
other words, the digital data starts at the beginning of the last
row of the image, proceeds to the end of that row, jumps to the
beginning of the row above, and continues in this fashion to the
end of the top row of the image [8].
| Header Bytes | Description | SD HQ, SD SP, & SD LP | HD HQ, HD SP, & HD LP | HD FH |
|---|---|---|---|---|
| 1–2 | File Identifier | ASCII “BM” | ASCII “BM” | ASCII “BM” |
| 3–6 | File Size in Bytes | 1,036,854 | 4,665,654 | 6,220,854 |
| 7–10 | Reserved | 0 | 0 | 0 |
| 11–14 | Header Size in Bytes | 54 | 54 | 54 |
| 15–18 | DIB Header Size in Bytes | 40 | 40 | 40 |
| 19–22 | Image Width in Pixels | 720 | 1440 | 1920 |
| 23–26 | Image Height in Pixels | 480 | 1080 | 1080 |
| 27–28 | Color Planes (always 1) | 1 | 1 | 1 |
| 29–30 | Number of Bits per Pixel | 24 | 24 | 24 |
| 31–34 | Compression (0 = none) | 0 | 0 | 0 |
| 35–38 | Image Data Size | 1,036,800 | 4,665,600 | 6,220,800 |
| 39–46 | Resolution Parameters | 0 | 0 | 0 |
| 47–54 | Color Palette Parameters | 0 | 0 | 0 |

Table 2
A summary of the header information in the extracted BMP files from the
Sony camcorder.
Using a file comparison program, the exported BMP file
sets from each of the 18 trimmed recordings were analyzed
to determine whether any of the images were identical to any
other images within a particular recording. This software first
analyzed the extracted BMP files to compute a unique numerical representation (totaling 256 bits), which is often referred to
as a hash value, for each file’s contents [1]. The program then
compared all of the separate hash values to one another and
provided a listing of any files with identical values, indicating
that the files were duplicates.
The process of hashing files is a widely accepted practice not
only in the computer forensics field, but also in examinations of
file-based, digital video and audio recordings [1, 9–14]. For a
hash process using a 256-bit value, as was the case with the file
comparison program used here, there are 2^256 or approximately
1.18 x 10^77 possible hash values. Taking into account the number
of files compared or hash values computed (k), the probability
(P) that two nonidentical files will result in identical hash values
of n size is calculated as follows [9]:
Generally, as the number of bits comprising the hash value
increases and the number of files being compared decreases, the
probability that nonidentical files will falsely be attributed as
being identical (referred to as a “collision”) drops significantly
[9]. As an example of the robustness of the hashing process, the
256-bit hash value of one of the extracted BMP image files from
the SD HQ was computed as
CAA5E70502B29E62D3882DFA7B2D4F4A071FBC95A6244645B4B124D05EBFD413
(hexadecimal notation). Then, the blue color value of a single
pixel was changed from 61 to 60, which resulted in a 256-bit
hash value of
9E43ADB1A43A6AF1989BE1EC239A5F29909C8F4E7E0C7EC0964E8AD4ED051029.
This example reflects that the smallest possible modification
(one bit) within an image file resulted in a completely different
hash value.
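The duplicate search and the collision estimate described above, as an added Python example that is not the file comparison program the authors used. SHA-256 stands in for the unnamed 256-bit hash, the frame data and all function names are constructed for illustration, and the collision estimate is the standard birthday approximation k(k-1)/2 divided by 2^n, which is an assumption because the formula itself is not reproduced here.

```python
import hashlib
from collections import defaultdict


def frame_digest(data: bytes) -> str:
    """256-bit digest of one exported frame file (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest().upper()


def find_duplicate_groups(frames):
    """frames maps frame number -> file bytes. Returns sorted lists of frame
    numbers whose files are identical, confirmed byte for byte."""
    buckets = defaultdict(list)
    for number in sorted(frames):
        buckets[frame_digest(frames[number])].append(number)
    groups = []
    for numbers in buckets.values():
        if len(numbers) < 2:
            continue
        first = frames[numbers[0]]
        if any(frames[n] != first for n in numbers[1:]):
            raise RuntimeError("digest collision between non-identical files")
        groups.append(numbers)
    return sorted(groups)


def offsets_between_groups(groups):
    """Frames between the start of each duplicate group and the start of the
    previous one (the relative-offset column of Table 4); None for the first."""
    if not groups:
        return []
    starts = [g[0] for g in groups]
    return [None] + [b - a for a, b in zip(starts, starts[1:])]


def is_consecutive_pair(group):
    """True when a group is exactly two adjoining frames."""
    return len(group) == 2 and group[1] - group[0] == 1


def collision_probability(k: int, bits: int = 256) -> float:
    """Birthday approximation (assumed): chance that any two of k distinct
    files share a digest of the given size."""
    return (k * (k - 1) // 2) / 2 ** bits


def bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hexadecimal digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def constructed_recording():
    """Constructed stand-in for exported frames 1-10 (not data from the
    article); frames 3/4 and 7/8 are identical."""
    base = bytes(range(256)) * 4
    frames = {}
    for n in range(1, 11):
        data = bytearray(base)
        data[100] = n              # make every frame unique ...
        frames[n] = bytes(data)
    frames[4] = frames[3]          # ... except two duplicated pairs
    frames[8] = frames[7]
    return frames


if __name__ == "__main__":
    frames = constructed_recording()
    groups = find_duplicate_groups(frames)
    print("duplicate groups:", groups)
    print("relative offsets:", offsets_between_groups(groups))

    # Change one byte value from 61 to 60 (a single bit), as in the text.
    changed = bytearray(frames[1])
    changed[61] = 60
    before, after = frame_digest(frames[1]), frame_digest(bytes(changed))
    print(before, after, bit_distance(before, after), sep="\n")

    for k in (5395, 17983, 1294704):
        print(k, f"{collision_probability(k):.2e}")
```

For k = 5395, 17,983 and 1,294,704 the estimate evaluates to 1.26 x 10^-70, 1.40 x 10^-69 and 7.24 x 10^-66, the values quoted in the Results and Discussion section.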
Digital Data Analyses to Identify Nearly Identical Digital
Video Frames
In some digital video authenticity examinations, slight differences between images can be important. Examples include when
two frames are identical except for differing embedded text
information or when slight changes are produced between known
identical images because of an added compression step, possibly
reflecting a transcoding or editing process. Such images will
not be identified using the file hashing and comparison method
above, because the slight variances in the images will produce
different hash values.
One direct way to identify differences is to use a digital data
analysis program that performs a bit-for-bit comparison between
the selected uncompressed images. These software programs
highlight all of the byte value differences between the files,
allowing for the identification of specific pixels and their exact
color or gray scale differences through an understanding of the
BMP file format. However, if there are a large number of pixel
differences that need to be reviewed, the process of translating the digital data to pixel locations and color changes can be
quite time-consuming. Figure 2 is an example of a data analysis
comparison, in hexadecimal notation, of the 106th through 190th
pixels in the bottom-most rows of two consecutive images from
the SD LP mosaic test recording. The separate image portions
are in a vertically stacked arrangement with identical bytes
having a white background and different-valued bytes having
a black background.
Figure 2
Byte-value differences (with black background) for the same portion of
consecutive images from the SD LP mosaic test recording using X-Ways
Forensics (X-Ways Software Technology AG, Cologne, Germany).
Another technique is to use a Photoshop routine to visually
identify and compare the pixels that are different [15]. This
method readily identifies the pixels that vary between the images
and their relative differences; however, it does not directly
specify the individual bytes that differ. Using Photoshop CS3
Extended and CS5 Extended (the CS4 version was not evaluated), the procedure is as follows:
1. The two video frames that are to be compared must be
in the same noncompressed image format, including
identical pixel dimensions, color profile, and so on.
2. In Photoshop, open copies of the two images to be
compared. Select “Window” on the menu bar, then
“Arrange ►”, and then either “Tile Horizontally” or
“Tile Vertically” (“Tile” in CS5 Extended), as appropriate for the images’ dimensions. This will allow both
images to be seen simultaneously on the computer
screen.
3. Place a duplicate layer of one of the images into the
Layer palette of the other. This can be done in at least
four different ways, after selecting one of the images
(the “first”):
a. Left click “Layer” on the menu bar, and then
“Duplicate Layer...”. Type in a new name for the
layer, such as the name of the first file, change the
destination document to the second image, and then
click “OK”.
b. In the Layer palette of the first image, right click the
“Background” layer and select “Duplicate Layer...”.
Type in a new name for the layer, such as the name
of the first file, change the destination document
to the second image, and then click “OK”.
c. In the Layer palette of the first image, left click the
“Background” layer and drag and drop it onto the
second image.
d. Press the <Ctrl> and “A” keys to select the entire
first image, hold down the Shift key, left click on
the first image, and then drag and drop it onto the
second image.
4. In the Layer palette of the two-layer image, select the
non-“Background” layer, set Opacity and Fill controls
at 100%, and the Blending Mode to “Difference” (from
the drop down menu). The “Difference” blending
mode subtracts one layer from the other, on a pixel-by-pixel basis for each of the colors in the profile, and
then combines them for the final result. The ordering
of the layers does not affect the result because the
absolute values of the differences are used. A resultant
pixel that is a black “0” means the two corresponding
pixels of the two images were identical. If the pixels
are different, the result will be a color pixel (grayscale
for black and white images) [16].
5. Combine the two layers by selecting “Layer” in the
menu bar and then “Flatten Image”.
6. On the menu bar select “View” and then “Actual
Pixels”. When the images are identical, all of the
pixels will be black. If the images are not identical,
there will be colored pixels (or grayscale for black and
white images) showing all the areas in the image with
differences.
7. If it is not visually obvious whether all of the pixels in
the image are totally black, the following three procedures can be utilized:
a. Using the “Histogram” palette, select its menu using
the upper right corner icon, and choose both “Show
Statistics” and “Expanded View”. Select “Entire
Image” as the source in the main histogram palette.
If the Cache Level is not “1”, left click the Uncached
Refresh button (just above the upper right corner of
the histogram). The number of “Pixels:” should now
equal the total number of pixels in the displayed
image. In succession choose red, green, and blue as
the “Channel:” source and place the mouse pointer
in the far left end of each histogram so that the
“Level:” reads “0”; if all the pixels in the image
are of value “0”, then the “Count:” number will be
identical with the “Pixels:” number for each color.
b. Select “Image” on the menu bar, then “Adjustments”
and finally “Levels”. In “Levels”, view the histogram to determine whether there are any obvious
values above “0” (total black); if not, adjust the
highlights slider to a low value such as “10”, which
should visualize most of the pixels that are not
totally black.
c. Select “Image” on the menu bar, then “Adjustments”,
and finally “Threshold”. The flattened image will
be converted to a “two-value” black and white
image, with an adjustable crossover point for which
pixels will display as black or white. By moving
the slider to a “Threshold Level” setting of “1”,
only those pixels that contained a difference of one
or greater in any of the RGB values (indicating a
difference in the pixels between the two images)
will become pure white. Those pixels that were pure
black in the flattened image (indicating identical
pixels between the two images) will remain black.
Figure 3 illustrates the Photoshop routine using the
“Threshold” adjustment method for the production of a different image for two generated source images.
Figure 4 displays the Photoshop routine, again using the
“Threshold” adjustment method, for the same consecutive
images utilized (in part) for Figure 2.
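The byte-level comparison and the “Difference” plus “Threshold” routine described above come down to the same per-pixel computation on two uncompressed BMP frames. The Python code below is an added example, not taken from the article, X-Ways Forensics or Photoshop: it reads the 54-byte header from Table 2, translates differing file offsets into pixel coordinates and color channels (bottom-up row order included), and builds the black/white mask as the text describes it. All function names and the 3 x 2 sample frames are constructed for illustration, and the code also handles the 4-byte row padding of the BMP format, which the frame widths in Table 2 never require.

```python
import struct


def make_bmp(rows):
    """Build a 24-bit uncompressed BMP from top-down rows of (R, G, B) tuples."""
    height, width = len(rows), len(rows[0])
    pad = b"\x00" * (-(width * 3) % 4)          # rows are padded to 4 bytes
    data = b"".join(
        b"".join(bytes((b, g, r)) for r, g, b in row) + pad
        for row in reversed(rows)               # bottom row is stored first
    )
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(data), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(data), 0, 0, 0, 0)
    return file_header + dib + data


def parse_header(bmp):
    """Read the header fields that locate the pixel data."""
    magic, file_size, _, _, data_offset = struct.unpack_from("<2sIHHI", bmp, 0)
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if magic != b"BM" or bpp != 24 or compression != 0 or height <= 0:
        raise ValueError("expected an uncompressed, bottom-up, 24-bit BMP")
    row_size = (width * 3 + 3) // 4 * 4
    if len(bmp) < data_offset + row_size * height:
        raise ValueError("file is shorter than its header claims")
    return {"file_size": file_size, "data_offset": data_offset,
            "width": width, "height": height, "row_size": row_size}


def differing_offsets(bmp_a, bmp_b):
    """File offsets whose byte values differ (what a hex comparison highlights)."""
    return [i for i, (p, q) in enumerate(zip(bmp_a, bmp_b)) if p != q]


def offset_to_pixel(offset, hdr):
    """Translate a file offset into (x, y, channel), with y = 0 at the top of
    the picture. Returns None when the offset falls in row padding."""
    row_in_file, col = divmod(offset - hdr["data_offset"], hdr["row_size"])
    if offset < hdr["data_offset"] or row_in_file >= hdr["height"]:
        raise ValueError("offset is outside the image data")
    if col >= hdr["width"] * 3:
        return None
    x, channel = divmod(col, 3)
    return x, hdr["height"] - 1 - row_in_file, "BGR"[channel]


def diff_pixels(bmp_a, bmp_b):
    """Map (x, y) -> (|dR|, |dG|, |dB|) for every pixel that differs."""
    a, b = parse_header(bmp_a), parse_header(bmp_b)
    if (a["width"], a["height"]) != (b["width"], b["height"]):
        raise ValueError("frames must have identical pixel dimensions")
    diffs = {}
    for row_in_file in range(a["height"]):
        start_a = a["data_offset"] + row_in_file * a["row_size"]
        start_b = b["data_offset"] + row_in_file * b["row_size"]
        row_a = bmp_a[start_a:start_a + a["width"] * 3]
        row_b = bmp_b[start_b:start_b + a["width"] * 3]
        if row_a == row_b:                      # fast path for identical rows
            continue
        y = a["height"] - 1 - row_in_file
        for x in range(a["width"]):
            pa, pb = row_a[3 * x:3 * x + 3], row_b[3 * x:3 * x + 3]
            if pa != pb:                        # stored as B, G, R
                diffs[(x, y)] = tuple(abs(pa[i] - pb[i]) for i in (2, 1, 0))
    return diffs


def threshold_mask(diffs, width, height, level=1):
    """'#' (white) where any channel differs by at least `level`, '.' (black)
    elsewhere, following the article's description of the Threshold step."""
    return ["".join("#" if max(diffs.get((x, y), (0,))) >= level else "."
                    for x in range(width)) for y in range(height)]


# Constructed 3 x 2 sample frames (not data from the article): the top-left
# pixel's blue value changes from 61 to 60, the bottom-right green by 10.
FRAME_A = make_bmp([[(200, 100, 61), (1, 2, 3), (4, 5, 6)],
                    [(7, 8, 9), (10, 11, 12), (13, 14, 15)]])
FRAME_B = make_bmp([[(200, 100, 60), (1, 2, 3), (4, 5, 6)],
                    [(7, 8, 9), (10, 11, 12), (13, 24, 15)]])

if __name__ == "__main__":
    hdr = parse_header(FRAME_A)
    for off in differing_offsets(FRAME_A, FRAME_B):
        print(off, offset_to_pixel(off, hdr))
    diffs = diff_pixels(FRAME_A, FRAME_B)
    print(diffs)
    print("\n".join(threshold_mask(diffs, hdr["width"], hdr["height"])))
```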
Results and Discussion
In answer to the first question – does a specific, commonly
available, consumer-quality camcorder produce any identical
images with a static visual view in standard and high definition modes? – the answer is yes for the tested Sony Handycam
HDR-CX100, but only using the static blank wall view and when
recording in the two lowest-quality HD modes (Table 3).
In answer to the second question – are there accurate methodologies for determining whether two recorded digital images
are identical? – the answer is yes. The hashing and comparison software accurately identified the duplicate images within
the test recordings, using a 256-bit hashing process, and then
provided a detailed listing of the findings. A review of these
duplicate frames revealed that all occurred in pairs of consecutive frames, always separated by multiples of 30 frames (Table 4
lists the 36 pairs and the number of frames between them for the
three-minute HD SP recording of the wall view). There were no
sets of identical frames that were not adjoining or that contained
more than two images in a sequence.
Figure 3
Pixel difference analysis of two generated images using layering,
difference blending, and threshold adjustment in Photoshop CS5 Extended.
Figure 4
Pixel difference analysis of two consecutive images from the SD LP
mosaic test recording using layering, difference blending, and threshold
adjustment in Photoshop CS5 Extended.
| Mode | Trimmed Length | View | Frames | Actual Bit Rate | Duplication Results |
|---|---|---|---|---|---|
| SD LP | 3 Minutes | Mosaic | 5395 | 2.963 Mbps | No duplicate frames |
| SD SP | 3 Minutes | Mosaic | 5395 | 5.385 Mbps | No duplicate frames |
| SD HQ | 3 Minutes | Mosaic | 5395 | 9.253 Mbps | No duplicate frames |
| HD LP | 3 Minutes | Mosaic | 5395 | 4.569 Mbps | No duplicate frames |
| HD SP | 3 Minutes | Mosaic | 5395 | 5.981 Mbps | No duplicate frames |
| HD HQ | 3 Minutes | Mosaic | 5395 | 10.831 Mbps | No duplicate frames |
| HD FH | 3 Minutes | Mosaic | 5395 | 17.073 Mbps | No duplicate frames |
| SD LP | 3 Minutes | Wall | 5395 | 2.476 Mbps | No duplicate frames |
| SD SP | 3 Minutes | Wall | 5395 | 4.901 Mbps | No duplicate frames |
| SD HQ | 3 Minutes | Wall | 5395 | 8.474 Mbps | No duplicate frames |
| HD LP | 3 Minutes | Wall | 5395 | 4.459 Mbps | 248 duplicate frames (124 pairs) |
| HD SP | 3 Minutes | Wall | 5395 | 6.544 Mbps | 72 duplicate frames (36 pairs) |
| HD HQ | 3 Minutes | Wall | 5395 | 7.509 Mbps | No duplicate frames |
| HD FH | 3 Minutes | Wall | 5395 | 17.084 Mbps | No duplicate frames |
| HD LP | 10 Minutes | Wall | 17,983 | 4.453 Mbps | 992 duplicate frames (496 pairs) |
| HD SP | 10 Minutes | Wall | 17,983 | 6.837 Mbps | 116 duplicate frames (58 pairs) |
| HD HQ | 10 Minutes | Wall | 17,983 | 6.611 Mbps | No duplicate frames |
| HD FH | 10 Minutes | Wall | 17,983 | 17.114 Mbps | No duplicate frames |

Table 3
List of the trimmed test recordings with their corresponding total number of
frames and the number of duplicated frames.
| Pair # | Duplicate Pair (frame #s) | Relative offset from previous pair (# of frames) |
|---|---|---|
| 1 | 0061 / 0062 | - |
| 2 | 0361 / 0362 | 300 |
| 3 | 0571 / 0572 | 210 |
| 4 | 0751 / 0752 | 180 |
| 5 | 0811 / 0812 | 60 |
| 6 | 1021 / 1022 | 210 |
| 7 | 1081 / 1082 | 60 |
| 8 | 1141 / 1142 | 60 |
| 9 | 1351 / 1352 | 210 |
| 10 | 1411 / 1412 | 60 |
| 11 | 1471 / 1472 | 60 |
| 12 | 1651 / 1652 | 180 |
| 13 | 1771 / 1772 | 120 |
| 14 | 1981 / 1982 | 210 |
| 15 | 2131 / 2132 | 150 |
| 16 | 2221 / 2222 | 90 |
| 17 | 2881 / 2882 | 660 |
| 18 | 2911 / 2912 | 30 |
| 19 | 3421 / 3422 | 510 |
| 20 | 3481 / 3482 | 60 |
| 21 | 3511 / 3512 | 30 |
| 22 | 3541 / 3542 | 30 |
| 23 | 3721 / 3722 | 180 |
| 24 | 3781 / 3782 | 60 |
| 25 | 3811 / 3812 | 30 |
| 26 | 3841 / 3842 | 30 |
| 27 | 3871 / 3872 | 30 |
| 28 | 3961 / 3962 | 90 |
| 29 | 4081 / 4082 | 120 |
| 30 | 4231 / 4232 | 150 |
| 31 | 4441 / 4442 | 210 |
| 32 | 4561 / 4562 | 120 |
| 33 | 4591 / 4592 | 30 |
| 34 | 4621 / 4622 | 30 |
| 35 | 4771 / 4772 | 150 |
| 36 | 4921 / 4922 | 150 |

Table 4
List of the 36 duplicate frame pairs found in the three-minute HD SP test
recording of the wall view and the number of frames between each pair.
Based on the number of images compared in the test sets
and the program’s use of a 256-bit hash value, the probabilities
(based on the previously listed formula) that collisions occurred
are approximately 1.26 x 10^-70 for 5395 images and 1.40 x 10^-69 for
17,983 images. These probabilities are infinitesimally small, due
mostly to the large hash value (2^256). As a real world example,
even a 12-hour video recording at 29.97 frames per second
(producing a total of 1,294,704 images) would have a collision
probability of only 7.24 x 10^-66.
In answer to the third question – what digital analysis procedures are available for comparing two nearly identical images?
– there are two different techniques that provide the same
information, but in different formats. The first uses digital data
analysis software to identify all of the different byte values
between the two images, allowing for the identification of the
specific pixels and their exact color or gray scale differences
through an understanding of the uncompressed image file
format. The second uses Photoshop software routines to visually
identify and compare the pixels that are different. Details of both
of these techniques have been set forth previously in this article.
Conclusions and Recommendations
Based on this research and routines, the following conclusions and recommendations are set forth by the authors:
A viable hash methodology was identified to determine
whether there are any identical images within digital video
recordings. The only practical limitations are (1) the ability of
the specific nonlinear, digital video editing system being used
by an examiner to import a particular recording in its native
format (with no transcoding) and (2) sufficient computer storage
space for the exported image files. With regard to the latter, the
separate BMP images from a one-hour HD FH recording would,
for example, total about 670 gigabytes. Because such an examination would provide valuable information to an examiner, it is
highly recommended that, whenever possible, this analysis step
be included in the authenticity protocol when a complete video
authenticity analysis is conducted of a digital recording.
If identical images are identified, an examiner should utilize
the information to help determine whether this occurred because
of editing (e.g., a copy and insert or overlay process), an irregularity of a specific camcorder or recording device, identically
captured and processed views (as found for certain recording
modes on the tested Sony Handycam HDR-CX100), or for some
other reason.
There are digital data analysis and Photoshop routines that
can accurately reveal the differing bytes and pixels between
two images. These procedures allow an examiner to determine
when two frames are identical except for differing embedded
text information, compression artifacts, or when slight changes
are produced between known identical images due to an added
compression step, possibly reflecting duplication, editing, or
transcoding processes. Therefore, whenever possible, these
procedures should be followed to identify nearly identical images
within the data stream of the video recording under examination.
Based on this research, the authors have shown that a
consumer camcorder can produce identical pairs of frames in
an unaltered recording, and the authors have provided protocols to identify identical and nearly identical video frames.
Examinations involving digital video authenticity can use this
information and the procedures set forth previously, along
with other recognized scientific steps, to accurately determine
whether a submitted file is original, continuous, or unaltered.
Acknowledgments
The authors would like to thank the following individuals who
reviewed this paper prior to submission and provided important
technical and grammatical improvements: Suzana Galić Price
(BEK TEK LLC, Clifton, VA); John Brunetti (Connecticut
State Police Forensic Laboratory, Meriden, CT); Jason Ferridge
(Victoria Police Forensic Services Department, Victoria,
Australia); Carl Kriigel (U.S. Army Crime Laboratory, Forest
Park, GA); and Joel Zlotnick (Homeland Security Investigations,
U.S. Immigration and Customs Enforcement, McLean, VA).
For further information, please contact:
Bruce E. Koenig and Douglas S. Lacey
BEK TEK LLC
12115 Sangsters Court
Clifton, VA USA 20124-1947
(703) 631-7099
www.BEKTEKLLC.com
References
1. Koenig, B. E.; Lacey, D. S. Forensic Authentication of Digital Audio Recordings. J. Audio Eng. Soc. 2009, 57 (9), 662–695.
2. Koenig, B. E.; Lacey, D. S. An Inconclusive Digital Audio Authenticity Examination: A Unique Case. J. For. Sci. 2012, 57 (1), 239–245.
3. Weise, M.; Weynand, D. How Video Works, 2nd ed.; Focal Press: Amsterdam, 2007; pp 164–176, 253–254.
4. Watkinson, J. The Art of Digital Video, 4th ed.; Focal Press: Amsterdam, 2008; pp 276–277, 317–396.
5. Lacey, D. S.; Koenig, B. E. Identification of Identical and Nearly Identical Frames from a Lawmate PV-500 Digital Video-Audio Recorder. J. For. Ident. 2012, 62 (1), 36–46.
6. Jack, K. Video Demystified: A Handbook for the Digital Engineer, 5th ed.; Newnes: Amsterdam, 2007; pp 257–387, 578–763.
7. Shi, Y. Q.; Sun, H. Image and Video Compression for Multimedia Engineering: Fundamentals, Algorithms, and Standards, 2nd ed.; CRC Press: Boca Raton, FL, 2008; pp 345–528.
8. Microsoft Corporation. Bitmap Header Types-Developer Network. http://msdn.microsoft.com/en-us/library/dd183386%28v=VS.85%29.aspx (accessed January 2012).
9. Swenson, C. Modern Cryptanalysis: Techniques for Advanced Code Breaking; Wiley Publishing, Inc.: Indianapolis, IN, 2008; pp 32–38.
10. Koenig, B. E.; Lacey, D. S.; Killion, S. A. Forensic Enhancement of Digital Audio Recordings. J. Audio Eng. Soc. 2007, 55 (5), 352–371.
11. SWGDE. SWGDE Data Integrity Within Computer Forensics (ver. 1.0). http://www.swgde.org. pp 2–3 (accessed January 2012).
12. SWGDE; SWGIT. SWGDE and SWGIT Digital & Multimedia Evidence Glossary (Version 2.4). http://www.swgde.org (accessed January 2012).
13. Marcella, A. J. Jr. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, 2nd ed.; Auerbach Publishing: Boca Raton, FL, 2008; pp 56–57.
14. Caloyannides, M. A. Computer Forensics and Privacy; Artech House: Boston, MA, 2001; pp 172–174.
15. Brunetti, J. Analyzing Pre- and Post-Event Surveillance Video Frames. J. For. Ident. 2007, 57 (3), 338–347.
16. Doyle, M.; Meek, S. Photoshop CS3 Layers Bible; Wiley Publishing, Inc.: Indianapolis, IN, 2008; pp 283–284, 302–303.