Concepts

Question 1

Workflow for image analysis

Answer 1

Nondestructive - maintains integrity
Precise - filters used in a logical order to achieve best results
Reproducible - ensure each step can be repeated
Verifiable - must PROVE someone can obtain the same results

Question 2

Name some techniques to clarify digital images

Answer 2

Aspect ratio corrections
Level adjustments
Frame averaging (layer stacking)
Frame averaging on moving target
Pattern removal
Difference

Question 3

Interpolation selections and their applications

Answer 3

Nearest neighbor - no new visual info created; maintains edge patterns and original pixels and uses same pixel values as neighboring pixels to create redundant pixels
Bilinear - average values of four surrounding pixels are used to estimate new pixel values
Bicubic - smoothest interpolation, good for when details aren’t important

Question 4

Steps in DME analysis

Answer 4

Preservation - process of insuring evidence is not lost or altered
Extraction - process of recovering data from native environment so it can be further processed if necessary
Analysis - process of performing clarification techniques/drawing conclusions from clarified images

Question 5

Seven methods of extraction

Answer 5

1. Using built-in functionality of DVr to export native file format
2. Using built-in functionality of DVR to export a universal file format
3. Using a multimedia capture utility to transcode video to a usable format (omnivore, amtas)
4. Copy out logical files related to relevant video
5. Creating binary images of hard drives holding digital video
6. Seizing the DVR
7. capturing digital video using an analog recorder

Question 6

Steps to verify integrity

Answer 6

1. Ensure evidence cannot be tampered with
2. Maintain a chain of custody
3. Hashing/digital signatures to insure evidence is unaltered
4. Verify and Calibrate aspect ratio
5. Visually compare extraction against original (check for compression, artifacts, dropped frames, etc)
6. Remain on scene until you can verify you have the correct data

Question 7

Scientific method

Answer 7

Observe and describe
Form hypothesis
Predict results
Experiment and test hypothesis
Form conclusion/validate

Question 8

13 requirements for recovery reports

Answer 8

1. How did you become involved? Who requested/contact info of agency/how you were contacted/when
2. What is being requested? Need a specifics related to content/date/time/vehicle/person/event; also what you are supposed to do with it
3. Legal authority? Who provided consent/search warrants/etc
4. Where DVR/NVR is located? Location/address/how many recorders/cameras/diagram of cameras
5. Contact info at recovery location? Who is giving you consent
6. Specifics about recording device - make/model/serial number
7. Time/date calibration
8. Extraction method used - USB/network/CD/screen capture/DVR examiner
9. What was recovered? Date/time extractions, which cameras were exported, which are most relevant
10. Any further clarification processes done?
11. Was derivative evidence created? Stills/clips/etc
12. Steps taken for integrity verification?
13. Disposition of recovered video/recovered evidence? What you did with recovered video/derivative evidence

Question 9

JPEG compression algorithm

Answer 9

1. Color transform from RGB to YCbCr
2. Subsample CbCr
3. Discrete Cosine Transform
4. Quantization
5. Encoding
6. Entropy encoding (RLE and Huffman)

Question 10

Blocking artifacts

Answer 10

Blocking - a result of macro locks used during video compression

Mosaic - blocks which contain only low frequency info mayb show blocks caused by encoding blocks independent of each other

Staircasing - blocks which usually appear around diagonal lining in video

False edges - appear near true edge and caused by motion prediction during intraframe compression

Ringing - error caused by quantization of high frequency areas so DCT reconstruction isn’t accurate

Question 11

Authentification of clarified evidence

Answer 11

All steps to clarify evidence must be documented/easily reproduced/based on generally accepted scientific principles

Must positively impact the evidences ability to answer the issue in question

Can be authenticated by knowing/explaining AR/compression/timing/frame rate issues; must demonstrate clarification does not prevent the evidence from answering the courts question

Must use sound scientific methodology

Question 12

How to verify the integrity of DME

Answer 12

Maintain a chain of custody
Use tamper-evident packaging
Visually or aurally verify
Use mathematical base verification techniques

Question 13

3 things necessary to play a video file

Answer 13

1. Media player with compatible operating system
2. Container file supported by media player
3. Correct codec

Question 14

Tools to read info from containers

Answer 14

Mediainfo
ExifTool
Ffprobe

Question 15

Rewrapping

Answer 15

Changing file container

Question 16

Transcoding

Answer 16

Changing codec of a video; may involve a new container

Question 17

Analog to digital conversion

Answer 17

Sampling (analog value is recorded at discrete time intervals)
Quantizing (sampled value is rounded to nearest discrete value)

Question 18

Multimedia capture concerns

Answer 18

Dropped frames/compression