Forensic Data Recovery of Digital Media Recordings
Forensic data recovery of digital media recordings is the process of recovering digital information or digital media recordings from various storage medium types. The data recovery includes recovery of deleted recordings, damaged recordings as well as storage mediums that have been damaged from fires or catastrophic events. Common recording systems consist of IP or server based phone systems, CCTV DVR or NVR surveillance video systems, MDVR video recorders, police dash camera systems, and many more.
Once recovered, the analog or digital audio & video evidence can be used in the forensic enhancement and forensic authentication investigations. Evidence recovery requires an accurate attention to detail and documentation so that the audio & video evidence is preserved correctly for further investigation. Sometimes traveling to the location where the recording system is located in order to forensically extract a clone of the audio or video evidence becomes necessary to maintain an authentic chain of custody.
The courts must know what exactly the expert did to retrieve the recording, as to prove that the recording was not retrieved under false pretenses or inaccurately. If the expert cannot provide this, the evidence may not be seen as applicable, which can diminish the credibility of the expert and the investigation as a whole. A forensic expert must ensure thorough documentation of the retrieval, or their evidence may not make it into the courtroom.
For example, when recovering digital video evidence from DVR, NVR, or MDVR CCTV surveillance systems, degradation of quality, or introduction of compression can harm the recording, and reduce the success of forensic enhancements during the investigation stage. It is a forensic experts job to coordinate accessing the device or devices that created the recording, and to extract the audio & Video evidence so the trier of fact can weigh the evidence and its importance to any case.
Primeau Forensics has developed a proven methodology used when forensic evidence recovery is necessary:
- Establish an evidence recovery protocol when another forensic expert is involved from the opposing side in the litigation.
- Establish and document a chain of custody of the audio & video evidence, and all litigators and experts present.
- Identify the recovery scope of work. How much and what type of digital video needs to be recovered?
- Research must be done to determine the status of the device, along with its nuances. The forensic experts must know not only how the device works from initial research, but they must also study the manufacturers specifications, technical information, and other information about the product. In addition, it is common for an expert to reach out to the manufacturer for further inquiry about the device. This helps the expert accurately obtain the evidence in an authentic and non-destructive manor
- Discover by inquiring that all system components will be on site when you arrive. These components may include remote control, DVR locking key, power supplies and other cables.
- Determine if the system was connected to the Internet or networked to other computers. Who had access and monitoring to the system at the time of the incident.
- Obtain the software necessary to access the audio & video evidence or digital information. Though many media players support various formats, the change in codec can alter the recording. Even if the recording is altered slightly, this is a big problem in the grand scheme of maintaining chain of custody. Learning about the software necessary, along with the codec being used to encode recordings, can ensure that the evidence is obtained properly, with no risk of alteration.
- Photograph the evidence or equipment used to create it before you begin the inspection.
- Document the recovery process using a video camera or audio recording. This is another element that has to do with chain of custody. The courts must know what exactly the expert did to retrieve the recording, as to prove that the recording was not retrieved under false pretenses or inaccurately. If the expert cannot provide this, the evidence may not be seen as applicable, which can diminish the credibility of the expert and the investigation as a whole. A forensic expert must ensure thorough documentation of the retrieval, or their evidence may not make it into the courtroom.
- Take detailed notes during your entire forensic recovery process. Pay careful attention to any markings or signs of tampering. This includes scratched screw heads or broken manufacturer seals, which may reveal prior disassembly of the equipment.
- The expert will identify the scope of what needs to be recovered. Using the correct interfaces to the device, the expert will create a carbon copy clone of the evidence for further analysis. The clone of the evidence will assist the trier of fact in analysis of the digital information or other details that surrounded the events as they occurred at the time of the incident.
- Make sure your forensic computer’s power configurations are set to always on so as not to interrupt the recovery process with computers going into power save mode, or sleeping mode.
- Access the system administrative or event log and note or print all activity before, during, or after the incident.
- The evidence must be retrieved in a way that will maintain quality to the highest degree. The expert should bring the manual to the retrieval so they can best understand the methods that will warrant the highest quality recordings.
- Establish the system process for naming and numbering of digital video files and note in the chain of custody log as well as work product notes for future reference and authentication.
Successful retrieval of audio & video evidence always requires preparation and research beforehand. Best practices require the forensic expert to browse the Internet, contact the manufacturer, and read the manuals inside and out to determine the best way to preserve this digital evidence in its best quality prior to arriving at the scene to clone. As trial verdicts may turn on the outcome of analysis of evidentiary audio & video evidence, the forensic expert must personally recover the video to establish a clear and accurate chain of custody. Furthermore, they must also prevent accidental loss of files, and preserve the audio & video quality through recovery and trans coding to a court room ready format.
If you have a video that you question or need help understanding, please give us a call for a pro bono conversation. We apply all forensic expertise to cases in the United States and many countries around the globe. Any and all formats of audio and video accepted. Retainer agreement available on request; travel expenses will be quoted in advance excluding meal expenses and flat rate time for travel instead of hourly.