Saturday, April 01, 2006

Digital evidence tampering

The Hindustan Times has a news report on a case currently in court where tampering with the video evidence was detected by a laboratory, including multiple edit points and discontinuities. The lab in this case was the Forensic Laboratory, Hyderabad.

In this case, the tampering appears to be pretty obvious, but it will likely only be a matter of time before such attempts become more sophisticated - and common. The forensic community has been looking at the issue of tampering detection for a while and various schemes have been devised to address the issue, including ones for protection (e.g. watermarking, cyclic redundancy checks (CRC), and time & date stamps) and for post-detection (e.g. automated tamper detection algorithms). It should be noted that no matter what protection schemes are implemented, they cannot always be applied at the time that the evidence is originally recorded (e.g. evidence from a private citizen's answering machine recording or camcorder).

I personally believe that the idea of adding watermarking to original evidence needs to be examined carefully - watermarking, by its very nature, changes the evidence, which, as a general rule, should only be done when absolutely necessary. Additionally, even though the watermark is 'deeply buried' in the data, post-filtering algorithms could amplify the watermarking and create artifacts (which would sound like noise).

Let me be clear in saying that I am not taking the position that watermarking should not be done, but instead that if it is, then it should be done carefully and, if necessary, in a way that is reversible (for removal for filtering or validation purposes, for instance). Simply deploying a COTS (Commercial Off The Shelf) solution from the music industry should not be seen as a shortcut way for a laboratory to make its evidence tamper-proof.
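The two points above, that a watermark changes the evidence and that a reversible one can be removed for validation, can be shown in a few lines. This is an added example, not part of the original post: the LSB embedding scheme, the SHA-256 digest, the sample values and all function names are assumptions chosen for illustration, not a scheme used by any laboratory or product.

```python
import hashlib
import struct
import zlib

# Constructed 16-bit PCM samples standing in for an original recording.
SAMPLES = [0, 1203, 2380, 3502, 4545, 5485, 6300, 6971,
           7483, 7822, 7980, 7952, 7738, 7343, 6776, 6048]
MARK = [1, 0, 1, 0, 0, 1, 1, 0]  # constructed watermark payload bits

def fingerprint(samples):
    """Return (CRC-32, SHA-256 hex) of the samples as little-endian int16."""
    raw = struct.pack("<%dh" % len(samples), *samples)
    return zlib.crc32(raw), hashlib.sha256(raw).hexdigest()

def embed(samples, bits):
    """Write bits into sample LSBs; return (marked copy, displaced LSBs)."""
    if len(bits) > len(samples):
        raise ValueError("watermark longer than recording")
    marked, displaced = list(samples), []
    for i, bit in enumerate(bits):
        displaced.append(marked[i] & 1)      # keep the bit being overwritten
        marked[i] = (marked[i] & ~1) | bit   # each sample moves by at most 1
    return marked, displaced

def extract(marked, n):
    """Read the first n watermark bits back out of the marked samples."""
    return [s & 1 for s in marked[:n]]

def remove(marked, displaced):
    """Put the displaced LSBs back, recovering the original bit for bit."""
    restored = list(marked)
    for i, bit in enumerate(displaced):
        restored[i] = (restored[i] & ~1) | bit
    return restored

if __name__ == "__main__":
    marked, displaced = embed(SAMPLES, MARK)
    print("original :", fingerprint(SAMPLES))
    print("marked   :", fingerprint(marked))    # differs: evidence was altered
    print("restored :", fingerprint(remove(marked, displaced)))  # matches original
```

The displaced bits are themselves needed to validate the original, so they require the same custody controls as the evidence.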
