Home About Us Laboratory Services Forensic Science Communications Back Issues April 2008 standards Standards and Guidelines - Forensic Science...

Standards and Guidelines - Forensic Science Communications - April 2008

Standards and Guidelines - Forensic Science Communications - April 2008

fsc_logo_top.jpg
fsc_logo_left.jpg

April 2008 - Volume 10 - Number 2

 

Standards and Guidelines

Best Practices for Maintaining the Integrity of Digital Images and Digital Video

Scientific Working Group on Imaging Technology (SWGIT)

Introduction | Maintaining and Demonstrating Integrity | Methods for Maintaining Integrity | Methods for Demonstrating Integrity | Example Work Flows |
Suggested Readings | Disclaimer

Introduction

Integrity ensures that the information presented is complete and unaltered from the time of acquisition until its final disposition. Files that are copied from storage and processed result in new files. These files also must have their integrity maintained.

Integrity differs significantly from authentication. Authentication is the process of substantiating that the content is an accurate representation of what it purports to be. For example, authentication of a digital image of a gun on a table could be authenticated by a person at the scene stating that the picture fairly and accurately represents the gun on the table. The integrity of the image can be established by methods covered in this document. For further information on image authentication, see SWGIT’s Best Practices for Image Authentication in this issue.

This document covers the issues that can affect the integrity of digital media files. It does not cover extraction of digital media files from devices.

The integrity of a digital image or video file is best demonstrated through a combination of methods. This document discusses specific methods and provides examples of how those methods can be applied. Maintaining integrity requires both documentation and security of the files throughout the work flow. A standard operating procedure (SOP) should describe the work flow.

Maintaining and Demonstrating Integrity

When working with digital image and video files, one needs to maintain the integrity of the files and also demonstrate that the steps taken were effective. Maintaining integrity requires security of the files during transport and storage. Demonstrating integrity uses methods to show that the file has not changed.

The diagram (Figure 1) shows a generic work flow. The arrows and the boxes indicate security measures used to protect the file integrity, and the circles indicate means used to demonstrate that integrity has been maintained. The variety of methods for securing files are explained in Section 2.1.

When a digital image or video file is obtained, a reference is created for future demonstrations of integrity. The reference can be accomplished in a variety of ways, which are described in Section 2.2.

The file is then transported to a storage device or location. When it is removed from storage for use, the integrity is demonstrated by the method used to create the reference.

Figure 1 shows a generic work flow. The arrows and the boxes indicate security measures used to protect the file integrity, and the circles indicate means used to demonstrate that integrity has been maintained.

Figure 1: Overall maintenance with demonstration steps

Methods for Maintaining Integrity

The following is a list of some of the more common methods of maintaining integrity and is not exhaustive.

  • Written documentation: SOP documenting the steps required to properly maintain security. This documentation may include chain of custody, if required by agency policy.
  • Physical security/environment: Mechanical or physical systems for preventing unauthorized access to data or loss of data, e.g., door locks, security guards, personal control, fire-suppression systems, isolated computer systems.  
  • Redundant physical copies: Duplicates of files kept in an alternate location to prevent loss of files in the case of disaster.
  • Logical security (WAN [wide area network]/LAN [local area network]): Operating system or software-based devices to prevent access to files, e.g., password protection, firewalls.
  • Third-party escrowing: This requires transferring files to third parties, which relinquishes control. Although it may be appropriate under certain circumstances, the agency must have a viable method for demonstrating integrity that is independent of the vendor, and an appropriate contract that clarifies the vendor’s obligations should be in place before any files are transferred.

Methods for Demonstrating Integrity

The following is a list of some of the more common methods of demonstrating integrity and is not exhaustive.  

  • Hashing function: An established mathematical calculation that generates a numerical value based on input data. This numerical value is referred to as the hashhash value. Hashing computes a number using a complex formula and is very sensitive to changes in the input values. or
  • Visual verification: The process of confirming the accuracy of an image through visual inspection.  
  • Digital signature: This process is used along with a hash process. The resulting hash is encrypted with a specific private key. File integrity can be verified using the hash value, and the source of the signature is validated using the public key. The advantage of a digital signature is that the source of a digital file can be attributed to an individual.
  • Written documentation: Notes/narrative written by the operator at various steps to document the work flow.
  • Checksums/Cyclical redundancy check (CRC): Checksums are often used in file transfer to verify that the data transfer was successful. Some checksums are as powerful as hashes. It is recommended that those checksums that are not as powerful as hashes be used in concert with other methods (such as hashing or visual verification) to the degree possible.
  • Encryption: This process modifies the content of the files and does not in and of itself demonstrate that the file has not been altered. Encryption can be used in concert with other methods.
  • Watermarks: This process modifies the content of the files and can persist as a part of the file. This method is not recommended.
  • Proprietary methods: Methods offered for sale or license by a vendor that controls the source code may not be independently verifiable. Likewise, it may not be possible to validate the methodology independently. Therefore, this method is not recommended.

Example Work Flows

The following is a list of specific work-flow examples. The list is not exhaustive because each situation requires tailoring a specific process that should be outlined in an organization’s SOPs.

Example 1

A series of digital still pictures is taken at a scene and visually verified on the camera. The memory card is removed and placed in a self-contained CD writer, which creates two read-only copies of the pictures on CDs. The CDs are labeled with the photographer’s name and signature, the date, and the case number. Until the files are stored, they are in the hands of the photographer. The files on the CDs are visually verified, and then the CDs are stored in separate secure locations. At that point the memory cards are wiped and reused. In preparation for court, one CD is removed from storage; the signature on the CD is verified, and the files are visually verified. Then prints are prepared for court. Figure 2 shows the work-flow diagram for this example.

Figure 2 depicts a work-flow diagram for digital photos taken at a scene and stored on CD as described in Example 1.

Figure 2: Example work-flow diagram for digital photos taken at a scene and stored on CD

Example 2

A series of digital still pictures is taken using multiple flash cards at a scene and is visually verified on the camera. Each flash card is sealed in an envelope with the photographer’s name and signature, the case number, and the case details. The flash cards are transported to another site, and the person transporting them provides physical security. They are logged in at the other secure facility and placed in a locked box. Another worker removes the cards and signs the log. The files are downloaded from the memory cards to a workstation, and a hash reference is created. The data is transferred to a secure network server. The hash numbers are then verified.

Later the photographer creates working copies of the files from the server, checks the hash references, and visually verifies them. The files are printed for court, and some are used for further processing. The processing results in new files, which are saved at the processing workstation. Visual and hash references are created. The processed files and hash references are then saved to the secure network server. Figure 3 shows the work-flow diagram for this example.

Figure 3 depicts a work-flow diagram for digital photos taken at a scene and transferred using flash cards as described in Example 2.

Figure 3: Example work-flow diagram for digital photos taken at a scene and transferred using flash cards

Example 3

In the course of an investigation, a digital video camera is seized. The mini DV tape is removed, and the write-protection tab is engaged. The cassette is placed in an evidence envelope and sealed, and an entry on an inventory log is completed. The envelope is transported to and stored in a physically protected facility. When the material is removed for use or viewing, the write-protect, signature, and inventory information are verified. Figure 4 shows the work-flow diagram for this example.

Figure 4 depicts a work-flow diagram for the seizure of a digital video camera as described in Example 3.

Figure 4: Example work-flow diagram for the seizure of a digital video camera

Suggested Readings

The following SWGIT and SWGIT/SWGDE (Scientific Working Group on Digital Evidence) documents may be accessed at http://www.theiai.org/guidelines/.

Section Title

Section 1

Overview of SWGIT and the Use of Imaging Technology in the Criminal Justice System

Section 2

Considerations for Managers Migrating to Digital Imaging Technology

Section 3

Guidelines for Field Applications of Imaging Technologies in the Criminal Justice System

Section 4

Recommendations and Guidelines for Using Closed-Circuit Television Security Systems in Commercial Institutions

Section 5

Recommendations and Guidelines for the Use of Digital Image Processing in the Criminal Justice System

Section 6

Guidelines and Recommendations for Training in Imaging Technologies in the Criminal Justice System

Section 7

Recommendations and Guidelines for the Use of Forensic Video Processing in the Criminal Justice System

Section 8

General Guidelines for Capturing Latent Impressions Using a Digital Camera

Section 9

General Guidelines for Photographing Tire Impressions

Section 10

General Guidelines for Photographing Footwear Impressions

Section 11

Best Practices for Documenting Image Enhancement

Section 12

Best Practices for Practitioners of Forensic Image Analysis 

Section 13

Best Practices for Maintaining the Integrity of Digital Images and Digital Video

Section 14

Best Practices for Image Authentication

Section 15

Best Practices for Archiving Digital and Multimedia Evidence (DME) in the Criminal Justice System

SWGIT/SWGDE

Proficiency Test Program Guidelines

SWGIT/SWGDE

Guidelines and Recommendations for Training in Digital & Multimedia Evidence

SWGIT/SWGDE

Recommended Guidelines for Developing Standard Operating Procedures

SWGIT/SWGDE

SWGDE and SWGIT Digital & Multimedia Evidence Glossary