Digital File Authentication and Integrity Examinations

The verification of the authenticity and integrity of a digital media file is an important component of digital forensics.  At Media Forensics we strive to keep abreast of the latest techniques, training and software to meet the challenges in this field to ensure you of the best possible and most accurate and reliable results.

Authentication and integrity testing is not a trivial process and should not be requested on a whim or as a result of wishful thinking.  A 1 minute video or CCTV file can involve analysing 1500 frames or images, a 1 minute audio recording has in excess of 2.6 million samples. It can become very time consuming and costly while the outcome may not be conclusive as there are often unexplainable characteristics identified which do not necessarily indicate clear evidence of malicious tampering.

With any of these forms of authentication and integrity testing, the more information you can provide relating to the provenance (origin and handling history) of the recording, the more we have to work with and the better the chances of a reliable and confident outcome. Ideally, you should provide information relating to the make, model and settings of the recording device. It is also important to provide information as to all and any handling of the recorded material i.e. who, what, where, when and why for each instance where someone handled the recording or something was done to the recording, such as copied from one machine or system to another, file was renamed, file was edited in any way, changed into another format or burnt to disc, etc. The legal fraternity call this the “Evidence Chain-of-Custody” and it is extremely important to the verification process. If you are provided with a recording as an item of evidence from another party, you should ask for the ‘Chain-of-Custody” documentation (which may be in the form of a Statutory Declaration) to support any claims relating to the item’s provenance.

To minimise costs and maximise results, please provide as much guidance as possible as to what has prompted you to believe that the integrity of the file is in question. Where possible, provide details of time or frame offsets within the file where these discrepancies occur and a description of what you believe should or should not be present.

Key Video and CCTV Authentication and Integrity Testing Steps

Review of associated statements or chain-of-custody documentation relating to handling and prior history.

Inspection of the encoding algorithms used and their correlation with the claimed recording device capabilities.

Analysis of metadata associated with, and held within, the file container and video streams.

Analysis of the video stream’s structural integrity i.e. frame count continuity, dropped, missing or out-of-order frames or packets and timestamp discrepancies.

Inspection of inter-frame and intra-frame compression algorithms for consistency and relevance to format and recorder settings and capabilities.

Determine instances of editing, scene cuts, audio dubbing, image overlays.

Analysis of background image noise (digital fingerprint).

Bit-level analysis of the data to detect specific instances and types of tampering or modifications to the pixels of the images.

Inspection and analysis of the continuity of reflections, shadows, perspectives, level of detail, direction and consistency of lighting.

Key Still Image Authentication and Integrity Testing Steps

Review of associated statements or chain-of-custody documentation relating to handling and prior history.

Inspection of encoding used and correlation with the claimed recording device capabilities.

Analysis of metadata and timestamp discrepancies associated with the photograph or related thumbnail images.

Analysis of the photo’s structural integrity i.e. pixel depth, distribution and consistency of image data.

Inspection of image compression algorithm for consistency across all image components and level of compression compared with claimed history.

Inspection of bandwidth responses and continuity of spectral components.

Analysis of background noise and dropped, missing or fixed value pixels (digital fingerprint).

Bit-level  analysis of the data to detect specific instances and types of tampering or modifications to the pixels of the images such as cutting and pasting, copying or duplicating blocks of image data (pixels) to overwrite other areas of the image.

Inspection and analysis of the continuity of reflections, shadows, perspectives, level of detail, consistency of direction of lighting etc.

Comparison of all of the above with other photos claimed to have been taken by the same device or a device of the same make and model.

Key Audio Authentication and Integrity Testing Steps

Review of associated statements or chain-of-custody documentation relating to handling and prior history.

Review of encoding and compression formats and their correlation with the claimed recording device’s capabilities.

Analysis of all metadata associated with and held within, the audio file container and streams under review.

Analysis of the audio stream’s structural integrity i.e. frame count continuity, dropped, missing or out-of-order frames or packets and timestamp discrepancies.

Inspection of compression algorithm for consistency and continuity throughout the recording.

Unexplained audio waveform anomaly
Unexplained audio waveform anomaly

Inspection of sampling rate, bit rate and word size for indications of prior format usage and structure.

Inspection of audio bandwidth responses and continuity of spectral components and any filtering applied.

Analysis of the consistency and makeup of background noise levels.

Analysis of power supply or other external source induced tones and spectral components.

Analysis of continuity of recording device induced tones and spectral components.

Identification of tampering or modifications to the quantisation levels of audio samples.

Comparison of all of the above with other audio recordings claimed to have been taken by the same device or a device of the same make and model.