Friday, 29 March 2013

Retrieval of video & CCTV evidence


Digital CCTV installations vary greatly in terms of the recording methods used and export 
functionality provided. The systems often do not allow quick and easy access to data in a suitable 
form by police investigators. This procedure is designed to enable police technical staff to select the 
most appropriate method for retrieving video from digital CCTV systems. 

The guidance is aimed at video content investigators, 
rather than computer systems investigators, who are 
advised to refer to the relevant Digital Evidence Group 
guidelines. The key difference in approach is that this 
procedure is intended for those whose priority is to
extract video sequences from PCs and Digital Video 
Recorders (DVRs), rather than to forensically examine 
the entire system.

The procedure is based around a flow chart which poses 
four fundamental questions in sequence:
• Is the request reasonable?
• Is the method possible?
• Is the method practical?
• Does the method lead to the creation
of an evidential master copy?
On being confronted with an unfamiliar CCTV system,
the first step is to determine which options for download 
are available. Then, it is important to select the method 
that is best suited to the volume of data required.
The final stage is to produce a master copy of the
video sequence.
The priority should be to extract data in its native file 
format and the flow chart only includes those techniques 
that enable this to be achieved. Options such as recording 
to tape via an analogue output or scan conversion of 
the VGA signal, are not included as they do not result in 
bit-for-bit copies of the original, as required in the Digital 
Imaging Procedure6
. However, in circumstances where
it is not possible or practical to extract the data in its 
native format, alternative methods may be justifiable.
These other techniques will be covered in more detail 
in the second part of this guidance, which covers 
the production of working copies, where, in certain 
applications, a bit-for-bit copy is not essential or would 
prevent necessary processing from being undertaken.
Most of the techniques described are relatively 
straightforward and could be undertaken by a competent 
and experienced user of computers and DVRs.

The part of the procedure that deals with removal and 
replacement of hard drives, however, requires a higher 
level of competence and familiarisation with health
and safety issues.
Download Checklist
There are certain procedures that should be followed 
whatever method is ultimately selected for downloading 
the data.
1. Contemporaneous notes should be kept, detailing
the course of action taken, to provide an audit trail.
2. Note the make and model of the CCTV system
and the number of cameras. Take photographs
of the system if possible, particularly if the recorder
is unfamiliar or the manufacturer uncertain.
3. Note the basic system settings (e.g. current record
settings and display settings), so that, if changes have
to be made to facilitate the download, it is then
possible to return the system to its original state.
4. Time check – compare the time given by the
speaking clock with that displayed by the CCTV
system. Any error between the system time and real
time should be noted and compensated for when
carrying out the download. This will ensure that the
correct section of data is copied.
5. Determine time period required in conjunction with
Senior Investigating Officer (SIO), if this has not
already been specified in the request.
6. Determine which cameras are required and whether
they can be downloaded separately. Depending on
the nature of the incident, there might, for example,
be a requirement to archive all cameras with external
views. Some systems enable video from individual
cameras to be downloaded, but some do not,
in which case data from all cameras will need
to be taken. The decision taken, and the reasons
for it, should be documented in the audit trail.

7. Check storage / overwrite time – to determine how
long the relevant data will be retained on the system.
This is particularly important if the download cannot
be carried out immediately, or needs to be prioritised
against other tasks.
8. The recording should not be stopped during the
archiving process unless (a) this is an unavoidable
feature of the system or (b) there is an immediate
risk that important data will be overwritten, before
it can be archived.
9. Protect data. Some systems offer the option of writeprotecting a selected video sequence to prevent
it from being overwritten before it can be archived.
However, it should not be assumed that this facility
will be present.
10. Confirm that the data can be archived in its native
file format. It is preferable to extract the CCTV
sequence in its native format in order to maintain
image quality and provide best evidence, even
where this file format is proprietary to the CCTV
manufacturer. Some systems may provide an option
to write the sequence to AVI file, which may seem to
be an advantage, in that the video will be replayable
using standard software. However, the generation 
of the AVI file often requires the video to be 
recompressed, resulting in a loss of quality, so 
this method should be avoided. Time and date 
information may also be lost, along with any stored 
bookmarks.
11. Replay software. Is the data format proprietary?
If so, it is necessary to download a copy of the
replay software alongside the data. Some CCTV
systems provide this facility, but others do not
and the software has to be obtained separately,
e.g. from the manufacturer’s website. It should be
established that the facility exists to replay the data
before leaving the scene and allowing the system
recording to be overwritten.
12. Confirm success of download. The downloaded
data should be checked before leaving the scene
(or immediately on returning to the lab) to confirm
that (a) the archiving process was successful and
(b) that any associated replay software functions
correctly. This check should be done on a machine
other than the original recorder.

13. Restart the CCTV system (if necessary) and confirm
in the presence of the owner/operator that it is
operating as it was originally.
14. Complete evidence sheet. The following information
should be included with the evidence to assist the
investigator with subsequent replay and analysis:
• Make and model (important when trying
to identify suitable replay software, or hardware).
• Error in display time and date.
• Time period covered by download.
• Include replay software if available.
Equipment
Suggested field kit list for operational retrieval from digital 
CCTV systems:
• Laptop, with USB and network connectivity. A selection
of proprietary replay software could be installed,
to enable the downloaded data to be checked.
• External CD/DVD writer.
• USB hard drives (capacity 200GB+).
• Replacement hard disks (range of sizes 80-400GB).
• Network cables (crossover and patch). 
• Replacement (loan) DVR units.
• Blank media, e.g. CD-R, DVD-R, DVD+R, DVD-RAM.
• Extension cables (e.g. 4-way power distribution cables).
• Analogue/digital video monitor.
• Digital camera – to record cabling and connections
before disconnecting system.
• Tool kit (plus torch, mirror, pens and labels for
cable marking). 
• Appropriate forms for documenting the audit trail.

Explanatory Notes for Chart
1. Request received
An initial assessment should be made to determine 
whether the request seems reasonable, i.e. whether the
volume of data asked for is appropriate to the nature
of the incident being investigated. If a general request
has been submitted for all available video from a site, 
then an attempt should be made, in conjunction with
the SIO, to narrow down the period of interest before 
starting the download.
It should also be confirmed that alternative routes for 
obtaining the data have already been explored before 
requesting technical support, i.e. has the owner been 
asked to undertake the download, or is help available 
from the installer or manufacturer of the CCTV system?
2. CD/DVD writer present
Many digital CCTV systems have a built-in CD/DVD writer 
for archiving data, in which case there should be an 
option within the CCTV software to facilitate the back-up 
of the selected video sequences (in the native file format). 
There may also be the option to include the replay 
software on the disk along with the data. Write-once disks 
should be used.
3. Assess practicality of download 
The practicality of a particular export method
is determined by the resource (e.g. staff hours),
cost (e.g. media/hardware), time (e.g. data transfer time), 
and quality (e.g. WORM vs HD) implications for the 
volume of data to be retrieved. Before an export method 
is chosen, it should be assessed against each of the 
criteria to determine whether it is appropriate. 
For example:
• Long sequences of video from multiple cameras
may require an impractically large number of CDs
for storage. The download process may also take
several hours to complete. Archiving to a USB hard
drive or via a network connection may be a more
practical option than the use of a CD writer, as no
regular changing of disks is required during the
download process. 
• It may be more time-efficient to replace the hard
drives or remove the DVR and undertake the
download in the laboratory, although this may be
more expensive in replacement hardware/media cost.

• To assess whether archiving to CD is time-efficient
for large downloads, the time taken to create one
CD should be checked, and the percentage of the
required video that fits on this disk noted. From this
information, the total number of disks required and
the total archiving time can be calculated. 
• For other archiving methods such as via USB hard
drive and network, the file transfer rate should be
monitored and the total transfer time estimated.
4. Other internal drives present
If the facility exists to back-up data to memory cards/
sticks such as compact flash, this may be utilised for 
extracting short video sequences. The storage capacity for 
compact flash is approximately the same as a CD (albeit 
increasing with time) and therefore similar problems may 
be encountered if archiving large volumes of data.
Memory cards are not the ideal medium for storing 
master copies, as cards are more expensive than CDs
and drives are less common so are likely to provide 
difficulties in accessing data for playback. Thus, if 
a memory card is used to extract data from a CCTV 
recorder, it is recommended that this is used as a 
transport medium only and the data files are then
copied to the master medium e.g. CD/DVD. 
5. USB (or other external) hard drive
Archiving to USB hard drive may be the preferred option 
in several scenarios, for example: 
• For downloading smaller quantities of data where there
is no other easy option (e.g. CD writer). The USB drive
in this case is just a transport medium and the data
may then be copied to DVD/CD later, at the lab,
to make the master copy. 
• For downloading large quantities of data, where it is
quicker or more practical than writing to several CDs.
When copying large quantities of data, it may be more
efficient to exit the CCTV system software (which
may be possible on a PC Windows-based system)
and copy the required files directly using Windows
Explorer. This may also be necessary if the CCTV
software does not recognise the addition of the
USB device and consequently offers no suitable
menu option.

6. Data Transfer
Where a USB hard drive has been used to archive the 
data at the premises, either for convenience or out of 
necessity, it is suggested that a master copy is then made 
from this on a write-once medium such as CD-R/DVD-R. 
This is also more cost-effective than retaining the USB 
drive permanently as evidence. The USB drive can then 
be wiped and reused.
If very large volumes of data have been extracted (several 
tens of GB), it may be deemed impractical to archive 
to CD/DVD, in which case a decision could be made to 
retain the USB drive as the master.
7. Network connection
Where CCTV software provides for network connectivity, 
a laptop could be linked to the system and IP address 
specified to allow transfer of data to a back-up medium. 
With a PC-based CCTV system, it may be possible to exit 
from the CCTV software and create a connection to a 
laptop via Windows. Video data can be downloaded to the 
hard disk on the laptop or to a USB hard drive connected 
to it and a master copy then created from this on an 
appropriate medium.
Some systems may provide a remote network connection 
for off-site monitoring or download. Before using this 
facility, the network speed should be checked and it 
should be confirmed that the transmitted video is of the 
same quality as that which is stored locally.
8. Replace Hard Drives
This can be a quick method for extracting large volumes 
of data from a system. The recorder may be equipped 
with a removable hard drive in a caddy, or the casing of 
the unit may need to be opened and the storage drives 
extracted and replaced. Depending on the system, the 
disk could be replaced with a blank (the quickest option) 
or a clone could be taken and the original disk replaced. 
There are several risks with this approach, however,
and it should only be attempted with caution, by an 
experienced engineer.
• It should first be clearly established that it will be
possible to replay the data from this hard drive in the
laboratory. A DVR may have a fully removable hard
drive for storing data, but this drive may not be
compatible with anything other than the original recorder.

• Where the casing of the DVR needs to be removed
to access the drive, care must be taken to follow
appropriate health and safety procedures,
particularly with regard to potential exposure
to electricity. The possibility of invalidating the
manufacturer’s warranty or damaging the storage
media by undertaking this procedure also needs
to be considered.
• A hard disk removed from a stand alone DVR may
not be in Windows compatible format and therefore
the data files will not be accessible via connection
to a PC. It may be possible to replay the data from
the hard disk by fitting the disk to another similar CCTV
recorder (e.g. if there is a unit in stock from a previous
job) but, in the worst case scenario, the hard drive will
be locked to a specific CCTV recorder and will only play
on that one machine.
• The data drive may appear to be in a removable caddy
and thus easy to extract. However, there may be
a second data drive within the DVR, which is only
accessible by removing the case.
• The DVR may not recognise any replacement drive
fitted, even a clone of the original. If this is the case,
there may be no option but to take the whole CCTV
recording unit.
9. Remove whole recording unit
In circumstances where all other download options
have been rejected as impractical or impossible, the 
decision may be made to remove the recorder, assuming 
that it is physically possible to do so and that the severity 
of the incident justifies this course of action. However, 
the implications (legal, insurance etc.) of removal should 
be considered and a decision taken as to whether a 
replacement recorder should be provided, or other 
arrangements made in order to maintain security at the 
premises.
Where the volume of data required is very large, it may 
be time-efficient to remove the recorder, rather than 
wait at the site for a download to complete. Alternatively, 
for some poorly designed systems, there may no 
straightforward method for extracting the required video 
(e.g. no CD writer or data output ports and a hard disk 
that cannot be replayed in another machine). In this 
scenario, it may be necessary to take the recorder and 
retain the unit as evidence. 

10. Extracting data from portable recorders
If a DVR unit has been removed from the premises 
because it was more time efficient to do so than to wait 
while the video was downloaded, then the data should 
be archived to CD/DVD on returning to the lab. For those 
systems where it is impossible to extract the data in a 
replayable format, the DVR unit itself may need to be 
retained as evidence.
11. Refer back to SIO
Where it is impractical or not economically viable
to download the required data and the CCTV recorder
is too large or complex to be removed, the request should 
be referred back to the SIO for a policy decision.
The SIO should be presented with alternative options
to enable data to be retrieved. For example: 
• It may be possible to reduce the volume of data
required by reconsidering the time period of interest
or the number of cameras needed. By reducing the
volume of data, it may then be possible to use some
of the methods that had previously been rejected. 
• It may at this stage be necessary to consider using
other techniques such as recording of the system
analogue output or scan conversion, which does not
provide a bit-for-bit copy of the original data, but
which may be the only practical way of recovering
video evidence from the system. 
read more here;http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf









Print Page

No comments:

Post a Comment