ARCHIVE

Posts Tagged ‘Digital Audio Authentication’

10: How to Authenticate Digital Audio Evidence

Friday, November 14th, 2014

digital audio evidenceAuthenticating digital audio evidence and the importance of the authentication process for use in court. The chain of custody is the first step in the authentication process but does not in and of itself authenticate a piece of evidence. I have seen audio evidence that was not authentic and was stored in the original digital audio recorder that supposedly recorded it.

So why is audio authentication so important? 

The authentication process determines whether or not the audio recording in question has been tampered with.  In this age of digital audio, edits can be made and covered up very easily. There are free versions of audio editing software available on line that can make edits that alter the events or conversation that originally occurred in digital audio recordings. Most of the time, if an audio recording is edited after downloading to a computer and before authoring a CD, the editing can be detected by analyzing the audio file.

What is the process of authenticating digital audio evidence?

There are five steps that one must complete to properly authenticate digital audio evidence.

1. Establish a chain of custody. If the expert is able to retrieve the evidence from the original source, in most cases that will automatically create and establish a chain of custody. If it’s not possible for the forensic expert to retrieve the recording, then the forensic expert must carefully go through all of the documents and reports that arrived with the evidence. When the chain of custody cannot be established, the forensic examiner must rely on other techniques as well as their own expertise to determine the authenticity of the evidence.

2. Critically listen to the audio recording. During this process the expert should note unusual sounding sections in the recording, referred to as anomalies. They should place markers near any anomalies they hear for later reference when compiling a forensic report. Inconsistencies in sound quality, noise floor, and level of the recording are all important to pay attention to.  The forensic expert should use both studio monitors and headphones with flat frequency responses to best hear everything that is going on in the recording.

3. Electronically measure aspects of the recording. The forensic expert should use the audio forensic software they have to note the frequency ranges, levels and other aspects of the recording. Marking what frequency ranges voices or other sounds are in compared to the noise floor can also help the expert better detect sudden changes and other anomalies in the recording that may indicate tampering.

4. Visually inspect the audio recording. This step will go hand in hand with electronic measurement. The forensic expert should analyze the waveform characteristics and look for any anomalies present. The expert can also use spectrum analysis and spectrograms to better see the behavior of the frequencies and detect breaks or changes in the signal or noise floor.

5. Analyze the metadataThe forensic expert will also need to inspect digital information of the recording such as the hex information, sampling rate, bit depth and file format. This will need to be compared with an exemplar recording so that anomalies can be properly detected. Digital footprints are almost always left on recordings when they are created and when they are edited using other software.

For a forensic examiner to authenticate a piece of audio evidence, the examiner must prove beyond any doubt that the recording is in its original form and has not undergone any tampering.  If a piece of evidence is not authentic, it should not be used in court because it may be incomplete or altered to purport events that did not occur.

7: Importance of the Chain of Custody for Digital Media Evidence

Monday, October 27th, 2014

chain of custodyEstablishing chain of custody when authenticating digital media evidence for use in the courtroom is extremely important. The chain of custody must account for the seizure, storage, transfer and condition of the evidence.  The chain of custody is absolutely necessary for admissible evidence in court.

Importance to the expert

My forensic software allows me to look at the metadata or digital information of an audio or video recording, but does not always allow me to understand how a recording was created.  Just because the information is missing from the metadata does not mean that a recording has been compromised.  This is why the chain of custody information is important to a forensic examiner. It helps show where the file came from, who created it, and the type of equipment that was used.  That way, if I want to create an exemplar, I can get that equipment, create the exemplar and compare it to the evidence to confirm the file properties.

Importance to the court

When I testify in court with a piece of evidence, I am always prepared with the chain of custody.  As I mentioned earlier, without a complete chain of custody, it can become very easy for the opposing attorney or prosecutor to challenge or dismiss the evidence presented.  Having a complete chain of custody form, as well as any other accompanying forms and including any visual proof of retrieval, such as pictures or video, greatly helps prove the authenticity and admissibility of the evidence in the courtroom.

Recently, new ways of establishing a chain of custody have come about and are slowly becoming accepted in the legal community.  Online services are now available for digital evidence that record the chain of custody and who has received the evidence.  The evidence is stored in cloud space and eliminates the need for repeated transference of physical copies.  It maintains standardized security procedures and is also useful as a backup storage space for surveillance cameras.

Chain of custody is important to the court because if I find something wrong with the evidence during the authentication process, it allows me to go back and determine who was responsible for the evidence up until that point. 

Importance to the investigation

The chain of custody is important to the investigation process because it is the first step when authenticating digital audio and video evidence.  Identifying this chain of custody provides information about whether or not this evidence has been copied or cloned.  As technology advances and becomes more accessible, digital media evidence has become easier to edit, modify and alter.  The Scientific Working Group on Digital Evidence (SWGDE & IOCE) defines Original Digital Evidence as, “Physical items and the data objects associated with such items at the time of acquisition or seizure.”  It is not always possible to receive the evidence from its original source at the time of acquisition or seizure.  Very often, I receive digital media evidence from a client who may have received it from the police or another source.  When this occurs, I have to pay careful attention to the reports, depositions and other legal documents that accompany the evidence.  This paper trail must be part of an unbroken timeline that shows exactly where the evidence has been between its creation and my examination of it.  When I encounter any gaps in this timeline that can raise questions to the authenticity of the evidence, further investigation becomes necessary.

There are occasions when I am asked by the client to physically retrieve the evidence directly from the recorder that created it.  This process creates the chain of custody for my investigation.  When an expert creates the chain of custody, it removes all doubt as to the authenticity of the evidence.   This process has become more common throughout my investigations when the original evidence is available for my retrieval.  To further authenticate this process, I create audio and video recordings of the retrieval process, which becomes part of the chain of custody. In addition, when I am at the site and I retrieve the digital evidence, I have access to the administrator information about that evidence, such as an administrative log, date and file info, and who accessed the files.  The more information an expert can retrieve strengthens the authentic chain of custody that is created.

Primeau Forensics’ chain of custody process

  • Save original package materials
  • Take photos of physical evidence
  • Take screenshots of digital evidence content
  • Document date, time and any other information of receipt
  • Ingest a bit for bit clone of digital evidence content into our forensic computers
  • Perform a hash test analysis to further authenticate working clone

All of the above information outlined in our forensic procedure for creating a chain of custody is important and necessary to include when creating a forensic report.

When examining digital media evidence, especially digital audio and video recordings, you should never examine the original file.  Always make sure that when you process a piece of evidence, you work on the copy of that file so that the original remains untouched at all times.  That way, if you have to go back to compare your work product to the original, you’ll have that original file preserved.

It doesn’t matter what forensic science you are an expert in.  The chain of custody is always important.  Maintaining that chain of custody is crucial for the credibility of your work product and eventual testimony.

 

 

 

 

 

Download Edward Primeau’s C/V

cv

Video

 Check out our other Forensic Services Websites:

logo-othersites-afelogo-othersites-vfe