Computer Forensics & Multimedia Analysis: What’s the big difference in #DFIR?

Originally Published: 26 April 2014 on DME Resources

It’s sometimes difficult for traditional Computer Forensic (CF) examiners to understand why they should treat video and multimedia any differently than other types of digital evidence. After all, a bit is a bit, and a byte is a byte. Right? CF examiners are typically highly trained and highly technical people. If anyone is going to understand how to recover and interpret multimedia data, one would think that a traditional CF examiner would be at or near the top of your go-to list. The problem with this assumption is that multimedia data is fundamentally different than most other types of data, and in more than one way.

It is what it is, isn’t it?

Let’s take a step back for a minute to try to understand a fundamental misconception about video and multimedia; the misconception that “it is what it is.” First, it’s important to understand that video technology is specifically designed to be able to provide the illusion of reality and full, fluid motion. This is important because most of us have been watching video since we were in diapers, and the vast majority of the video content that we’ve watched is specifically designed/engineered to immerse the viewer in this illusion. In other words, we have all been trained from a very early age to trust and/or believe what we see when we watch a video.

I am not saying that the general public believes or trusts every video they see, but rather that the general public believes that what they see is the same as what everyone else sees, because it is what it is; isn’t it? In other words, most people believe that if we are both able to play the same multimedia file, then we are both looking at or listening to the same thing.

Just the other day I had a very seasoned analyst argue that their video file is just like any other file, and that they can prove via cryptographic hashing that the file has not changed. Therefore, they argued, it is what it is and it should play the same every time it is played. Unfortunately, nothing could be farther from the truth.

It is true that the data inside the file does not change, unless someone or something changes it, of course. However, multimedia data is generally not interpreted at the bit, nibble, or byte level; it is most often interpreted at the file or stream level. Interpreting this data at the file or stream level depends on a plethora of variables, many of which can and do affect the presentation and interpretation of the data.

Multimedia is Time & Resource Dependent

Unlike other types of data, multimedia is both time and resource dependent. Timing is critical to the proper playback and interpretation of multimedia data, whereas most other types of data are relatively “static”; they are far less reliant, if at all, on having sufficient hardware and software resources in order for the data to be displayed or output as originally intended. Drop a few frames or play it too slowly or too fast, among other things, and you could be looking at or listening to something that may be interpreted completely differently than what was originally recorded to the file.

The process of going from a multimedia file to something that is displayed or output to a device can be a very complicated one. The original data that is stored in the multimedia file may be converted or transformed multiple times before it is displayed on your screen, again depending on a multitude of variables. There are several multimedia frameworks, hundreds of multimedia file formats, thousands of multimedia codecs, and then we have to factor in the software and hardware variables.

What operating system are you using? What playback software? What about graphics and sound cards? Display devices? Transmission mediums? Storage mediums? Storage bus speeds? CPU and GPU? RAM? These are just some of the resource variables that can affect the presentation and interpretation of your multimedia file.

What if the colors are crushed? What if frames are dropped? What if high or low frequencies are lost? What if the streams are presented out of sync? What if the aspect ratio is incorrect? What if you’re not even seeing all of the data? These and many other issues may or may not affect your interpretation of the data, depending on the questions being asked of the evidence.
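As an added illustration that is not part of the original article, the following Python simulation makes the hashing argument above concrete: the constructed stand-in for a video file has exactly one SHA-256 wherever it is opened, yet a machine that needs 50 ms to decode a 40 ms frame never presents every frame that a faster machine shows. The “DEMO” container format, the per-frame decode cost, and the 200 ms start-up buffer are assumptions made for the example, not properties of any real player.

```python
import hashlib

# Constructed stand-in for a video file (not a real container format): a
# 4-byte magic, then 5-byte frames made of a big-endian presentation
# timestamp in milliseconds and a one-byte payload standing in for a picture.
MAGIC = b"DEMO"
FRAME_INTERVAL_MS = 40        # the file was "recorded" at 25 frames per second

def build_stream(n_frames: int) -> bytes:
    out = bytearray(MAGIC)
    for i in range(n_frames):
        out += (i * FRAME_INTERVAL_MS).to_bytes(4, "big") + bytes([i % 256])
    return bytes(out)

def parse_frames(data: bytes) -> list[tuple[int, int]]:
    """Return (pts_ms, payload) pairs. The parse itself is fully deterministic."""
    if data[:4] != MAGIC:
        raise ValueError("not a DEMO stream")
    body = data[4:]
    return [(int.from_bytes(body[i:i + 4], "big"), body[i + 4])
            for i in range(0, len(body), 5)]

def file_hash(data: bytes) -> str:
    """The integrity check the analyst in the article relied on: bytes only."""
    return hashlib.sha256(data).hexdigest()

def play(data: bytes, decode_cost_ms: int, startup_buffer_ms: int = 200):
    """Simulate playback on a machine that needs decode_cost_ms per frame.

    A frame is presented only if its decode finishes by pts + startup_buffer_ms
    (assumed model); otherwise the player skips it to catch up with the clock.
    Returns (payloads actually presented, indices of frames dropped).
    """
    clock_ms = 0
    shown, dropped = [], []
    for idx, (pts, payload) in enumerate(parse_frames(data)):
        if clock_ms + decode_cost_ms > pts + startup_buffer_ms:
            dropped.append(idx)           # too late: never reaches the screen
            continue
        clock_ms += decode_cost_ms
        shown.append(payload)
    return shown, dropped

def compare_playbacks(data: bytes, costs: list[int]) -> dict:
    """Same bytes and same hash, yet a different number of frames is seen."""
    return {"sha256": file_hash(data),
            "frames_in_file": len(parse_frames(data)),
            "frames_presented": {c: len(play(data, c)[0]) for c in costs}}

if __name__ == "__main__":
    print(compare_playbacks(build_stream(50), [30, 50]))
```

On the fast machine (30 ms per frame) all 50 frames are presented; on the slow one (50 ms per frame) the player settles into skipping every fifth frame, so 43 of the 50 recorded frames ever reach the viewer while the hash of the file is unchanged.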

Do you have special eyes?

I’ve actually been asked this question. What the attorney was arguing is, “Why do we need you to interpret the video, when we can all watch it ourselves?” Well, it’s not because I believe you have inferior eyes or eyesight. Nor is it because I think you’re an inept jackass. It’s because I know multimedia technologies. I understand how multimedia is created and consumed, from the moment it’s turned into bits & bytes, all the way through to the moment it is received by your analog-based human senses. I can explain to you why playing the exact same multimedia file on the exact same computer using the exact same software can produce different results.

No, it’s not because of my eyes, my friend, it’s because I’m a multimedia geek. A geek who knows both the strengths and weaknesses of the technologies behind the evidence.

You’re more than welcome to simply hit the play button in court and assume you’re seeing and hearing all of the evidence as it was originally recorded and intended to be presented. You had better hope, however, that someone like me isn’t sitting on the other side of the courtroom patiently waiting their turn, because that’s probably not a good sign.

#DFIR #VIDEOEVIDENCE #FORENSICVIDEO #MULTIMEDIA
