SWGDE

Menu
Subscribe
Subscribe

published documents

SWGDE Best Practices for Forensic Audio

08-a-001

View Pdf

Disclaimer and Conditions Regarding Use of SWGDE Documents:

SWGDE documents are developed by a consensus process that involves the best efforts of relevant subject matter experts, organizations, and input from other stakeholders to publish suggested best practices, practical guidance, technical positions, and educational information in the discipline of digital and multimedia forensics and related fields. No warranty or other representation as to SWGDE work product is made or intended.

As a condition to the use of this document (and the information contained herein) in any judicial, administrative, legislative, or other adjudicatory proceeding in the United States or elsewhere, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in such proceeding. The notification should include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; and 3) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Subsequent to the use of this document in the proceeding please notify SWGDE as to the outcome of the matter. Notifications should be sent to secretary@swgde.org.

From time to time, SWGDE documents may be revised, updated, or sunsetted. Readers are advised to verify on the SWGDE website (www.swgde.org) they are utilizing the current version of this document. Prior versions of SWGDE documents are archived and available on the SWGDE website.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

  1. Redistribution of documents or parts of documents must retain this SWGDE cover page containing the Disclaimer and Conditions of Use.
  2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
  3. Any reference or quote from a SWGDE document must include the version number (or creation date) of the document and also indicate if the document is in a draft status.

Requests for Modification:

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of any suggested modification:

  1. Submitter’s name
  2. Affiliation (agency/organization)
  3. Address
  4. Telephone number and email address
  5. SWGDE Document title and version number
  6. Change from (note document section number)
  7. Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
  8. Basis for suggested modification

Intellectual Property:

Unauthorized use of the SWGDE logo or documents without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or over represent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; use the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.

Table of Contents

1. Purpose

The purpose of this document is to provide forensic audio practitioners recommendations for the handling and examination of forensic audio evidence in order to successfully introduce such evidence in a court of law.

Audio is an auditory perceptual phenomenon. Most courts use some version of the “fair and accurate representation” standard as a measure of acceptance. The same general principles apply regardless of the format in which the audio is recorded and the physical media onto which the recording is stored. This document will describe best practices for the receipt, documentation, handling, and examination of audio evidence, irrespective of the tools and devices used to perform the examination.

This document is not intended to be a training manual nor a specific operating procedure. Nor does this document intend to describe best practices for the collection of surveillance or other investigative material. This document will comment on only those matters that may affect the forensic examination process. This document is not all inclusive and does not contain information relative to specific commercial products. If dealing with technology outside your area of expertise, consult with an appropriate specialist. For recommendations on forensic audio training, refer to SWGDE Core Competencies for Forensic Audio [1] and SWGDE/SWGIT Guidelines and Recommendations for Training in Digital and Multimedia Evidence [2]. For recommendations on developing standard operating procedures refer to SWGDE/SWGIT Recommended Guidelines for Developing Standard Operating Procedures [3].

2. Audio Laboratory Considerations

When building and configuring a forensic audio laboratory, there are several factors that must be considered to ensure an optimal environment and produce the best results.

2.1 Environment

The physical environment, independent of equipment, in and around a forensic audio laboratory can have profound effects on the quality of work products. Audio laboratory design is a complex task and comprehensive references should be consulted, including [4], [5], [6], and [7].

2.1.1 Acoustics

The acoustic environment of a forensic audio lab is the collection of ambient sounds and influences (e.g., materials, resonances, echo), which can affect the quality of a forensic audio analysis. Eliminate or minimize sound distractions in the audio laboratory to prevent confusion as to what sounds are present on a recording [8].

Distractions may come from:

  • background conversation, TV, radio, and music
  • computer and equipment cooling fans
  • air conditioning units and airflow
  • vibration

Steps can be taken to mitigate noise in the laboratory, such as:

  • using acoustic foam or other materials to absorb reverberation and echo
  • designing the laboratory with acoustic traps
  • rerouting unnecessary HVAC ducts
  • using acoustic baffling within the HVAC ducts that are present
  • using heavy doors that seal tightly all around when closed
  • using high-quality headphones during examinations to reduce extraneous sounds and maximize the audibility of the signal being examined

2.1.2 Temperature & Humidity

Ensure the temperature and humidity of the laboratory is within the manufacturer’s specifications of the equipment. Equipment itself generates heat and requires adequate ventilation to prevent heat buildup that could affect the signal [9], [10], [11].

2.1.3 Electromagnetic Interference (EMI)

Interference from a variety of electromagnetic sources can affect signal quality [12], [13], [14], [15].

  • Alternating current (AC) sources, such as power lines, motors, lamp dimmers, fluorescent lights, and uninterruptible power supplies, can create magnetic pickup loops that can induce noise into improperly routed signal cables. Separate transformers and power lines from signal lines. If power and signal lines must cross, have them cross at 90° to one another.
  • Improper grounding can create ground loops. Many factors contribute to this phenomenon. Properly ground equipment and racks to minimize ground loops.
  • Items that generate magnetic fields strong enough to affect the integrity of any magnetic media nearby, such as loudspeakers, should be kept as far away as possible from evidentiary recordings or removed from the laboratory.
  • Cell phones, pagers, radios and other radio frequency (RF) transmitting devices may interfere with cables or equipment and should be turned off or removed from the laboratory.
  • Cathode ray tube (CRT) video monitors can induce audible noise in nearby or connected audio equipment. Do not place recording devices next to CRT monitors [16].

Documentation

  • How equipment is interconnected during exam.
  • Signal formats used.
  • New or temporary equipment.
  • Verification tests done on new equipment

2.2 System Configuration

The quality and arrangement of equipment, cables, connectors, interfaces, and software directly affects the audio signal [5], [8], [12], [17].

2.2.1 Signal Path

The signal path is the complete route of the audio data from the source through all of the connectors, interfaces, cables, and software to the destination. Design signal paths with the least amount of degradation. Use cables and connectors of sufficient quality and minimal length to minimize signal loss and reduce the opportunity for interference. For analog audio runs, maximize the use of balanced lines over unbalanced lines [14], [18]. Avoid stacking adapters to interconnect equipment. It is preferable to use a cable designed for the particular interfaces involved. Be aware of the impedance and level of analog interfaces [12]. Choose loudspeakers capable of reproducing the full frequency spectrum of the material.

2.2.2 Transmission Format

Choose the signal format that transmits the audio data with the least amount of degradation, loss, or attenuation. This decision depends upon what formats are available on the equipment being used. Minimize the number of digital to analog and analog to digital conversions [19], [20].

2.2.3 Equipment

Choose equipment suitable for the task at hand, using professional and broadcast grade equipment where possible.

2.2.3.1 Protecting Digital Media

For evidence received on writeable digital media, it is recommended to use a read-only media reader to prevent modification of media content. If no such reader is available, use write blocking hardware or software to prevent modification.

2.2.3.2 New or Temporary Equipment

Some submitted exhibits will require equipment that is not a regular part of the laboratory. This new or temporary equipment can include:

  • submitted devices
  • equipment or codecs acquired to support the format of submitted media
  • older or archived equipment
  • newly acquired equipment

Optimizing the playback of audio exhibits may require interfacing this equipment to the system. Refer to any available user manuals to ensure proper use of unfamiliar equipment. Take reasonable precautions when installing unknown or untested software onto the system, such as backup and virus scanning. Due to the possible instability within or incompatibility between third-party codecs or utilities, it is recommended that the use of these programs be limited to a stand-alone computer or virtual machine. Test any new or unfamiliar software or equipment on known data before use on examination materials. Refer to SWGDE Recommendations for Validation Testing [21].

2.2.4 Computer and Network Systems

Process evidence on a system isolated from people not authorized to access the evidence.

2.3 Calibration

Calibration is the process of establishing the relationship between measurements and known standard values [22]. If a piece of equipment is the basis for measurements in which the numerical results themselves have decisive relevance to examinations, then it is critical that it be calibrated. Equipment producing these measurements, such as signal generators and spectrum analyzers, should be calibrated to a traceable standard [9]. Calibration should occur according to the manufacturer’s specifications, after any significant maintenance, or repair, or if it fails a control test.

2.4 Maintenance

Equipment with moving parts, subject to wear, or periodically updated by the manufacturer should undergo maintenance. Records should be kept to ensure that this task is performed regularly and according to the manufacturer’s specifications. Maintenance can include, but is not limited to:

  • cleaning and demagnetizing electromagnetic heads in tape decks
  • cleaning and checking the capstans and rollers in tape decks
  • azimuth alignment
  • defragmenting hard drives
  • updating anti-virus software and performing a virus check on computers
  • updating computer operating systems as necessary
  • updating software, firmware, drivers, and codecs

2.5 System Verification

Once the equipment and interconnections are configured, updated, or changed, run test signals through the various components to verify that everything is operating as expected.

3. Advising the Submitter

Parties submitting evidence to the laboratory might not be familiar with the best practices for audio recording or evidence handling. The laboratory should advise them of the best practices in this document, even if it is too late to affect the case being submitted, as it might improve the quality of future submissions.

Refer submitters to ASTM Practice E1188 for Collection and Preservation of Information and Physical Items by a Technical Investigator [23] and ASTM Guide E1459 for Physical Evidence Labeling and Related Documentation [24] for more information on general evidence handling procedures.

Wiretapping laws vary by jurisdiction. Review the legal and ethical issues. Incoming phone calls of seized phones may present non-consensual eavesdropping issues.

4. Evidence Retrieval

Once the laboratory understands the nature of the audio evidence and the requested examination, the laboratory must work with the submitter to ensure that the most appropriate form of the evidence is submitted. See Error!

Reference source not found..

4.1 Original Recordings

As a general rule, a forensic audio laboratory should request the original recording or the earliest generation available. An original recording is the first manifestation of sound in a recoverable stored format.

If the original recording is on analog media, playback and duplication rely on physical processes that introduce noise and degrade the signal, even if slightly. A copy of an analog recording can never be an exact duplicate.

An original digital recording is a bit stream from which the acoustic audio signal can be generated. Exact copies of that bit stream can be made. With digital evidence, each stage of copying can be exact with no loss of quality between generations. The exactness can be tested and confirmed through the use of a hash function. Therefore, a bit stream duplicate of a recorded file is equivalent to the original.

4.2 Retrieval Methods

Means of securing the recorded evidence must be evaluated based on their effect on the recorded signal, and the available method of transfer preserving the evidence in a condition as close to the original as possible should be chosen. Use multiple means of collection if it is not apparent which available means will produce the highest quality.

4.2.1 Original Media

If the original evidence is a recording stored on removable media such as a CD/DVD, a magnetic tape cassette, or a nonvolatile memory card (e.g., SD, Compact Flash, USB drive), that original media should be submitted to the laboratory.

If the original media is a magnetic tape, a submitter might wish to retain a working copy of a recording to be submitted to the lab. The laboratory should offer to produce a working copy once the original is received to avoid possible damage to the original evidence.

4.2.2 The Original Digital Recorder/System

The original recording system contains the audio data in its native format, original modified/access/creation (MAC) time stamps of files, metadata, internal time clock, and the settings of the recorder. Having the original system allows for test recordings to be made. Additional interface cables or accessories, power supplies, software, access codes, and manuals may be necessary to use the device and should be requested with the device. It may not be possible, practical, or permissible to retrieve the original system. In this case, use the best alternative below.

4.2.3 A Forensic Image of the Original Storage Media

A bit stream duplicate of the original storage media made using forensic tools intended for this purpose will preserve the audio stream in its native format, metadata stored within the file, the original MAC time stamps of files, metadata external to the audio file, and other related files or sessions. This method will not transfer the original recording system’s internal time clock or physical settings. In some cases, the only way to retrieve a bit-stream duplicate is to perform a physical acquisition of the memory chip on the recording device [25].

4.2.4 A Forensic Image of the Original File(s)

A bit stream duplicate of the original file(s) imaged using forensic tools intended for this purpose will preserve the audio stream in its native format, metadata stored within the file, the original MAC time stamps of files, metadata external to the audio file, and other related files or sessions. This method will not transfer the original recording system’s folder structure, internal time clock, or physical settings [25].

4.2.5 A File Transfer of the Data from the Original Media

Preferred transfer methods (e.g., file copy, email) will allow for the hash verification of the result. A transfer may require the use of proprietary software. If the results cannot be hash verified, make multiple transfers to verify the repeatability of the process. The MAC time stamps of the copied files may not match those of the originals.

4.2.6 Other Retrieval Methods

If none of the above transfer methods is available, other methods can be used, but may have greater limitations than the preferred methods above.

4.2.6.1 Transcoded File Transfer

Recording systems that do not provide for transfer of the recording in its native encoding may allow for transfer into a standard audio container format with transcoded audio (e.g., WAV). Export to pulse code modulation (PCM, uncompressed) while preserving the sampling rate and bit depth of the original recording, whenever possible. If more than one option for transcoded export is available, all options should be evaluated.

Re-encoding and resampling should be avoided due to the possible introduction of audible artifacts (upsampling, re-encoding) or loss of frequency content (downsampling, re-encoding).

4.2.6.2 Digital Signal Transfer

A transfer can be made using a digital signal (e.g., S/PDIF or AES3) over a wire or fiber optic cable. This can create a bit stream duplicate of the recorded signal. This method may or may not preserve metadata (e.g., start and end of tracks in the subcode data).

4.2.6.3 Analog Transfer

For systems that have no digital interface (e.g., older dictation recorders having only a line out or headphone jack, some digital answering machines), a transfer can be made using an analog signal over a wire. This process should only be done by qualified personnel and should follow the guidelines in sections 2.2.1 and 7.2.

If a loudspeaker is the only means of reviewing the audio content, it is recommended that retrieval be performed by tapping the analog audio from a point internal to the device. If tapping at the loudspeaker, it is recommended that the loudspeaker be disconnected to minimize artifacts. This process should only be done by qualified personnel and appropriate cautions should be taken.

It is never recommended to do an acoustic transfer from loudspeaker to microphone “over the air.”

Before performing invasive techniques that may permanently alter the state of evidence or equipment, formal permission from the submitter or owner should be established and documented.

4.2.6.4 Other

If another transfer method must be used, document the process and its limitations. Determine the limitations by testing the process on known data.

4.3 Volatile Memory

Digital devices might use volatile memory. Volatile memory is lost if the power supply to the device is interrupted. Before the submitter ships an unfamiliar device, determine if constant power must be maintained to preserve the integrity of the evidence. Only if the device is capable of running off of battery power for a sufficient amount of time to transfer the item to the lab should this option be used. If this is not possible, the examination or data extraction might have to be performed in place or via remote access.

4.4 Write Protection

Instruct the submitter to enable whatever appropriate mechanism that will preserve the recording (safety tabs, write protection, etc.) before transferring the item to the lab. Ideally, this should be done as soon as the recording is finished. If the submitter is not certain how to do this and the transfer process poses minimal risk to the evidence, have them submit the item to the lab and perform this operation upon receipt.

Documentation

  • Note any conversations with the submitter.
  • Record your efforts to obtain the original evidence and peripheral items.
  • Make efforts to preserve volatile memory

5. Submission of Request

Follow your laboratory’s records retention policy or quality assurance program regarding requests for forensic services, shipment receipts, and chain of custody [26], [27]. The request for forensic services should include the following, at a minimum:
  • Identify the party requesting the services and the date of the request.
  • Identify the type of examinations requested. Pay particular attention to whether the request includes examinations by other disciplines. Consult with examiners in the other disciplines to determine an appropriate sequence of examinations and precautions to take.
  • Include necessary details, such as the acoustic events recorded, the method used to record them, subjects of interest, and portions of interest.
  • List safety hazards, if present (sharp objects, poisons, bacteria, blood borne pathogens, etc.). Follow your laboratory’s policies for handling such situations.
  • Describe each evidence specimen, including hash values if available, with each item assigned a unique identifier.
  • Document chain of custody to account for all individuals handling and/or processing the evidence, including shipping documentation, tracking numbers, and dates shipped and received.

5.1 Shipping/Submission

Once the request has been formalized, the items for examination must be transferred to the lab.

Physical items should be physically sealed in an evidence bag or other container with a tamper- evidence seal, and the container should be uniquely marked with an item number, case or incident number, identification of person who collected item, date the item was collected, and a brief description of the content and the original source if not collected [23], [24].

Each piece of evidence and other items should be protected from damage or alteration and be accompanied by a chain-of-custody. Specific care should be taken appropriate for the item. For example, CDs and DVDs should be protected from scratches and breakage, and magnetic tape cassettes should be protected from physical compression, breakage, strong magnetic fields, and electrostatic discharge.

Ship evidentiary items using a trackable method.

Digital items can be transmitted to the lab electronically. The digital transfer process must ensure the integrity of the data. This can be accomplished by determining that the hash values of the received items match the original. Scan digital exhibits for viruses before any files are opened. Document the hash comparison and the results of the virus scan.

6. Receiving Evidence

When a request or evidence is received in the laboratory, acknowledge receipt to the submitter.

Documentation

  • Note condition of the evidence.
  • Photograph, photocopy, or scan damage to items submitted.
  • Evidence receipt and marking.
  • Shipment records.
  • Communications.
  • Write protection actions.
  • Safety hazards.
  • Areas of interest

6.1 Physical Inspection

The exhibits submitted with the request should be inspected to ensure that the physical items match those described on the inventory. Take appropriate precautions based on any safety or special handling issues identified in the request for forensic service.

An inspection should consider the following:

6.1.1 Damage

Inspect the items for physical damage that may impact the proper function of the media or device. If damaged, document and photograph the condition in which the item was received. Consider:

  • damage to cassette housings and tape reels
  • scratches and cracks on CDs and DVDs
  • the presence of contaminants or water damage

Follow your laboratory’s policies for handling such situations or execute standard operating procedures for repairs, etc.

6.1.2 Power Source

If a submitted device needs constant power to preserve evidence stored in volatile memory, take all necessary steps to ensure there is no interruption in power.

6.2 Documenting Exhibits

Note the packaging and any features relevant for further identification or verification. For physical media, this can include:

  • the manufacturer and media format (e.g., “SD card”, “½ inch tape”)
  • manufacturing marks and labeling
  • labeling by other parties
  • marks and scratches
  • the state of any write protection mechanism

For devices that do not contain internal removable media, this can include:

  • the manufacturer, model, and serial number of the specific device
  • the positions or settings of switches or other physical controls

For electronically transmitted media, this can include:

  • hash values of files
  • the list of files and folders

A scan or photograph of the exhibit and packaging can be a simple way of documenting many of these features.

Documentation

  • Note the description of each exhibit.
  • How non-physical exhibits were handled.

6.3 Marking Exhibits

Uniquely identify each examined item as per laboratory policy [24].

Be aware of how and where the data is stored on the media to avoid damaging it with your mark. If the media cannot be marked without interfering with its contents or function, or obscuring prior markings, mark its container, seal it, and initial and date the seal.

Some suggestions for common media include the following:

6.3.1 CDs and DVDs

  • If possible, write only within the inner hub of the disc, in an area where no data is written, so as not to obscure manufacturer’s numbers/designations that are imprinted or printed in the hub.
  • Use a CD/DVD-safe marker, never a ball point pen, or other sharp-pointed writing instrument, to mark optical media. The layers of the disc underneath the label surface could be scratched, deformed, or otherwise damaged, which could result in data loss.
  • Do not apply adhesive paper labels to CD and DVD media. They can cause de-lamination and create the risk of spin imbalance.
  • When marking the disc, be careful not to touch the readout surface of the disc. Fingerprints and smudges can result in data read errors [28].

6.3.2 Memory Cards

  • Memory cards may be too small or may not otherwise feature a space large enough in order to make complete markings. In these cases, place it into a separate container, seal it, and mark as described above.

6.3.3 Magnetic Tape

  • Mark the cassette housing.
  • If marking the tape is required by laboratory policy, mark magnetic tape on the backing (non-oxide) side using a felt-tip pen.

6.3.4 Solid State Recorders

  • Solid state devices are typically reused and marking on them may not be desirable. Note the make, model, and serial number to identify the device, and mark the evidence container (e.g., bag, envelope).

6.3.5 Downloaded Files

  • For files downloaded from a server or the Internet, document the source location (e.g., URL, server path, etc.), the date and time the files were downloaded, and the hash value of the files. Uniquely identify the container folder or the media as above.

6.4 Write Protection

If the submitted media has a mechanism designed to preserve the recording (safety-record tabs, jumper, software setting, etc.), document its state upon receipt. If not already engaged, activate the mechanism and document that fact. If there is a clear reason not to engage the write protection (e.g., to preserve fingerprints) document that it was not engaged and the reason. Refer to the user’s manual, the appropriate published standard, or talk to the manufacturer about unfamiliar media.

6.5 Evidence Storage

Preserving evidence during examinations and while in storage requires taking the necessary steps to safeguard the evidence from alteration (physical, electronic, magnetic, etc.), deletion, or damage. Ensure that devices requiring constant power have it. Be aware of sources of magnetic fields, such as loudspeakers, that can affect magnetic media located in the laboratory and in any storage areas [26].

The temperature and humidity normally maintained in an office environment are suitable for most audio media. Ensure that the environment within any audio evidence storage location is appropriate for the media. Refer to SWGDE Minimum Requirements for Quality Assurance in the Processing of Digital and Multimedia Evidence [27], SWGDE Data Archiving [29], and SWGIT Best Practices for Archiving Digital and Multimedia Evidence in the Criminal Justice System [30] for further recommendations.

7. Preliminary Evidence Exam

This section describes best practices common to all examinations that should be followed in preparation for a more specific procedure. The native media, format, and intended use of the audio data will determine the available options for playback or transfer. Also, consider the desired output format when making these determinations.

If during the course of the examination (e.g., through file metadata, indication of a conversion process, etc.) it becomes apparent that an earlier generation recording may exist, contact the submitter. If the original is not provided, document that fact and inform the submitter of any limitations imposed on the examination.

Documentation

  • Equipment used.
  • Azimuth adjustments made.
  • Playback speed.
  • Number of recorded channels.
  • Existence of audio on each side.
  • Bit depth.
  • Sampling rate.
  • File Format.
  • Proprietary codec.
  • Format conversions.

7.1 Preparing for Digital Audio Exam

A virus scan of evidence should be done on a stand-alone system with updated virus definitions. This is to prevent possible contamination of evidence files on the forensic workstation. If possible, digital exhibits should be scanned for viruses before any files are opened.

To preserve the integrity of a digital original, make a bit stream duplicate to use as a working copy.

Audio can be contained in a wide variety of physical or file-based formats, encoded by one of many available audio codecs, and/or stored on a variety of physical media. Depending on the recording system, digital audio files can contain a number of different channel configurations which may affect audio authentication and enhancement:

  • Mono (1 channel)
  • Stereo (2 channel)
    • Common left/right independent channels
    • Joint Stereo – encoding of the left and right channels to reduce file size
    • Dual Mono – identical audio data on each channel or independent sources e.g., in-car camera system with separate source inputs (body-worn mic and in-car mic)
  • Multichannel – multiple independent audio channels recorded simultaneously e.g., courtroom recording systems, microphone arrays

Determine the details of the submitted media or recording.

For digital files, appropriate computer software applications and settings are needed to ensure proper playback. Be aware of audio artifacts that can arise with playback software and data format combinations (e.g., resampling “under the hood”).

If the digital audio data is in a format that can be transferred to the system without transcoding, that is the preferred method.

7.1.1 Transcoding

Transferring digital audio data might require a conversion. Transcoding could affect the audio content (aliasing, compression, etc.). Avoid degradation of the audio by limiting unnecessary conversions. When transcoding is required do the following:

  • Convert to or between uncompressed formats (e.g., PCM) whenever possible.
  • Maintain the sampling rate and bit depth of the original recording if it appropriately preserves the signals of interest for the intended examination or output format. Some output formats may require bit depths or sampling rates (e.g., 16-bit/44.1 kHz for Red Book-compliant audio CDs, 16-bit/48 kHz for video DVDs) which differ from those of the original recording. Use an anti-aliasing filter when resampling and document settings.

7.2 Preparing for Analog Audio Exam

The following factors need to be considered to optimize the playback of analog media:

  • format
  • track configuration
  • applied noise reduction
  • azimuth
  • speed
  • signal levels

Determine the proper equipment for playback based on the above factors. Using the frequency response and channel separation of the audio signal, adjust the playback device to optimize the output signal quality. To limit the introduction of noise or transport problems, use professional quality devices if possible [31].

Once the playback system is optimized, capture the analog signal to an uncompressed digital format. Capture the signal using a sampling rate and bit depth that is sufficient to reproduce the signal of interest. Use this digital copy as the working copy for further examinations.

7.3 Controls

A control is a known audio test signal that is run through a signal path to ensure that the system produces the expected result. This gives an examiner confidence that the system will perform as expected when processing evidence. The complete signal path includes playback, processing, and recording equipment, cables, and connectors. A control test should be run before processing evidence.

The interval at which control tests are run should be appropriate for the specific equipment used. A control test should be run:

  • whenever a system configuration change occurs
  • regularly for equipment that experience wear
  • when infrequently used equipment is put into service
  • if a failure occurs

If a control test fails, evidence should not be processed through the system. When failure occurs:

  • Notify other examiners of the failure.
  • Troubleshoot the system to isolate the failed component. Recognize that the failure could be in a piece of equipment, a cable, a connector, or in an interconnection itself.

Take the failed component out of service until it can be replaced, repaired, or recalibrated, or it otherwise demonstrates reliable performance.

Documentation

  • When controls were run.
  • Results of control.

8. Forensic Examination

A forensic audio examiner should be specifically trained in the procedures performed. Refer to [1] and [2] for recommendations on forensic audio training. Do not attempt an examination on evidence without training, experience, and meeting laboratory qualifications.

8.1 Documentation

Notes should be kept throughout the examination process to document how exhibits were handled and what processes were performed. The notes should be detailed enough to allow a comparably trained examiner to explain the results or derive similar conclusions. Refer to [27] and the sidebars in this document for suggested elements to be included in the notes.

8.2 Enhancement

The goal of audio enhancement, also referred to as clarification, is to increase the intelligibility of voice information or to improve the signal to noise ratio of a target signal by reducing the effects that mask it. Refer to SWGDE Best Practices for the Enhancement of Digital Audio [32].

8.3 Authentication

An audio authentication examination seeks to determine if a recording is consistent with the manner in which it is alleged to have been produced. Consequently, there is no catch-all means of declaring a recording “authentic” without having a clear understanding of what claims the creator holds true about its nature and what specific allegations are being levied against the recording. SWGDE recognizes that audio authentication is a complex examination that requires specific training. Refer to SWGDE Best Practices for Digital Audio Authentication [36].

8.4 Acoustical Signal Analysis

Signal analysis is the application of scientific and engineering principles in the analysis of acoustic events. This requires an understanding of the mechanisms which produced the acoustic events in question.

8.5 Speaker Comparison and Identification

A subject matter expert should be consulted as speaker comparison and identification go beyond the technical aspects of audio and are considered outside the scope of SWGDE.

8.6 Video

Audio and video are frequently recorded together. Forensic audio examiners not qualified to process video should consult a video analyst. Refer to SWGDE Best Practices for Digital Forensic Video Analysis [40] for more information.

8.7 Physical Media Repair/Recovery

Repair of damaged media is a complex and critical task. A policy or program of instruction should outline the step-by-step cleaning, drying, and, if necessary, ironing processes for different situations. Any damaged evidence should always be photographed or photocopied.

8.7.1 Media Housings

Inspect the housing for cracks, dirt, and debris that may interfere with playback. If the media housing is cracked or broken in such a manner that it may affect playback, the media should be transferred to a new housing. If any cracks are found, inspect the housing to determine if any loose pieces or other debris may have contaminated the media.

Determine if any parts of the housing are not in their proper position (e.g., a cassette felt pad) and repair or replace as necessary.

Ensure that the new housing has its write protection enabled and that both housings are properly marked. Return the old housing with the repaired media.

8.7.2 Contaminants

Media should be cleaned of contaminants such as foreign liquids, solids, etc. Use an air puffer, a small vacuum, or a lint-free swab to dislodge debris. Clean media surfaces with solvents that do not harm the materials in the media. Remove contaminants from the surface of optical discs using water based detergent or isopropyl alcohol, not organic solvents that may damage the disc materials [28]. For magnetic tape, use distilled water or another solvent appropriate for the particular materials found in the tape concerned [11], [41], [42].

8.7.3 Magnetic Tape and Reels

Look for evidence of sticky shed (binder hydrolysis), pack slip, torn or wrinkled tape, and damage to tape reel. Consult references specific to the problems found to identify a process appropriate for the specific media [11], [10], [43], [41], [42].

8.7.4 CD/DVD Scratches

First try reading the disk with a different drive. If that fails, use of a commercially available disk polisher may allow the data to be recovered. Caution should be used as polishing could further damage the disk.

8.7.5 Un-Finalized Optical Discs or Unfinished Tracks

Un-finalized tracks and sessions can be recovered using software dedicated to this purpose. Although it may be possible to recover some data by finalizing in the lab, some data may not be recovered by this process. If unsure about the process, consult a computer forensics examiner to recover data from the disc.

9. Results of Examination

Upon completion of the forensic audio examination, communicate results to the submitter. If applicable, return submitted items, work products, and reports per laboratory policy [27].

9.1 Output Media

The format of output media should be chosen to preserve signal quality and meet the needs of the submitter. Normalize signal levels to a nominal value and consider format, track configuration, and speed. A submitter may not be aware of the effects that different formats have on the audio. Use or include an uncompressed format when applicable. If a compressed format is requested or required, it should be noted in the documentation and the consequences of that choice should be explained to the submitter.

Use high quality archival grade media and enable whatever write protection mechanism is available for the output format selected. Use write-once digital media and finalize or close to prevent alteration. Output media should be marked for identification. Return the results in proper packaging to prevent damage to evidence specimens and to the output media being shipped. See Section 5.1 for more information.

Documentation

  • Date of return.
  • Shipment method.
  • Media returned.
  • Copy of final chain of custody

9.2 Recommendations for the Presentation of Results

The quality of playback equipment and the listening environment affect the perception of audio material. Recommend that the submitter use the highest quality playback system available, which may include external loudspeakers or headphones. Caution the submitter against the use of low- quality internal laptop, computer, tablet, phone, or television loudspeakers.

10. Administrative and Technical Review

A written policy should be established outlining protocols for technical and administrative review. A written policy should determine the course of action if an examiner and reviewer fail to reach agreement.

Documentation

  • Date and initials of Admin Review.
  • Date and initials of Tech Review.

11. References

[1] Scientific Working Group on Digital Evidence, “SWGDE Core Competencies for Forensic Audio”.

[2] Scientific Working Group on Digital Evidence and Scientific Working Group on Imaging Technology, “SWGDE/SWGIT Guidelines & Recommendations for Training in Digital & Multimedia Evidence”.

[3] Scientific Working Group on Digital Evidence and Scientific Working Group on Imaging Technology, “SWGDE/SWGIT Recommended Guidelines for Developing Standard Operating Procedures”.

[4] Forensic Science Laboratories Facilities Working Group, “Forensic Science Laboratories: Handbook for Forensic Planning, Design, Construction, and Relocation,” June 2013.

[5] F. Jorgensen, The Complete Handbook of Magnetic Recording, 4th ed., New York, NY: McGraw-Hill/TAB Electronics, 1996.

[6] F. Everest and K. Pohlmann, Master Handbook of Acoustics, 5th ed., New York, NY: McGraw-Hill/TAB Electronics, 2009.

[7] F. Everest and K. Pohlmann, Handbook of Sound Studio Construction: Rooms for Recording and Listening, New York, NY: McGraw-Hill/TAB Electronics, 2012.

[8] B. Koenig, D. Lacey and N. Herold, “Equipping the Modern Audio-Video Forensic Laboratory,” Forensic Science Communications, vol. 5, no. 2, April 2003.

[9] General requirements for the competence of testing and measurement laboratories,
ISO/IEC Standard 17025:2005.

[10] AES recommended practice for audio preservation and restoration – Storage and handling – Storage of polyester-base magnetic tape, AES Standard 22-1997, reaffirmed 2008.

[11] J. Van Bogart, Magnetic Tape Storage and Handling: A Guide for Libraries and Archives, Washington, D.C.: The Commission on Preservation and Access, 1995.

[12] G. Ballou, Handbook for Sound Engineers, 4th ed., Burlington, MA: Focal Press, 2008.

[13] N. Muncy, “Noise Susceptibility in Analog and Digital Signal Processing Systems,”
Journal of the Audio Engineering Society, vol. 43, no. 6, pp. 435-453, June 1995.

[14] B. Whitlock, “Balanced Lines in Audio Systems: Fact, Fiction, and Transformers,” Journal of the Audio Engineering Society, vol. 43, no. 6, pp. 454-464, June 1995.

[15] K. Fause, “Fundamentals of Grounding, Shielding, and Interconnection,” Journal of the Audio Engineering Society, vol. 43, no. 6, pp. 498-516, June 1995.

[16] J. Brown, “New Understandings of the Use of Ferrites in the Prevention and Suppression of RF Interference to Audio Systems,” in Audio Engineering Society 119th Convention Fall Preprints, New York, NY, October 2005.

[17] B. Koenig, “Enhancement of Forensic Audio Recordings,” Journal of the Audio Engineering Society, vol. 36, pp. 884-894, 1988.

[18] S. Macatee, “Considerations in Grounding and Shielding Audio Devices,” Journal of the Audio Engineering Society, vol. 43, no. 6, pp. 472-483, June 1995.

[19] K. Pohlmann, Advanced Digital Audio, Indianapolis, IN: Sams Publishing, 1991.

[20] K. Pohlmann, Principles of Digital Audio, 3rd ed., New York, NY: McGraw-Hill Inc, 1995.

[21] Scientific Working Group on Digital Evidence, “SWGDE Recommendations for Validation Testing”.

[22] Standard Terminology in Forensic Science, ASTM Standard E1732 – 12, 2012.

[23] Standard Practice for Collection and Preservation of Information and Physical Items by a Technical Investigator, ASTM Standard E1188 – 11, 2011.

[24] Standard Guide for Physical Evidence Labeling and Related Documentation, ASTM Standard E1459 – 13, 2013.

[25] Scientific Working Group on Digital Evidence, “SWGDE Best Practices for Computer Forensics”.

[26] Standard Practice for Receiving, Documenting, Storing, and Retrieving Evidence in a Forensic Science Laboratory, ASTM Standard E1492 – 11, 2011.

[27] Scientific Working Group on Digital Evidence, “SWGDE Minimum Requirements for Quality Assurance in the Processing of Digital and Multimedia Evidence”.

[28] F. Byers, “Care and Handling of CDs and DVDs – A Guide for Librarians and Archivists,”
NIST Special Publication 500-252, October 2003.

[29] Scientific Working Group on Digital Evidence, “SWGDE Data Archiving”.

[30] Scientific Working Group on Imaging Technology, “Section 15: Best Practices for Archiving Digital and Multimedia Evidence (DME) in the Criminal Justice System”.

[31] AES recommended practice for professional digital audio –Preferred sampling frequencies for applications employing pulse-code modulation, AES Standard 5-2008, reaffirmed 2013.

[32] Scientific Working Group on Digital Evidence, “SWGDE Best Practices for the Enhancement of Digital Audio,” [Online]. Available: https://www.swgde.org/documents/current-documents/

[33] Scientific Working Group on Digital Evidence, “SWGDE Best Practices for Digital Audio Authentication,” [Online]. Available: https://www.swgde.org/documents/current-documents/

[34] Scientific Working Group on Digital Evidence, “SWGDE Best Practices for Digital Forensic Video Analysis,” [Online]. Available: https://www.swgde.org/documents/current-documents/

[35] “Capturing Analog Sound for Digital Preservation: Report of a Roundtable Discussion of Best Practices for Transferring Analog Discs and Tapes,” Washington, D.C., March 2006.

[36] R. Hess, “Tape Degradation Factors and Challenges in Predicting Tape Life,” ARSC Journal, vol. 39, no. 2, Fall 2008.

[37] G. White and G. Louie, The Audio Dictionary, 3rd ed., Seattle, WA: University of Washington Press, 2005.

[38] “Perceptual Audio Coders: What to Listen For,” New York, NY, 2002.

[39] C. Grigoras, D. Rappaport and J. Smith, “Analytical Framework for Digital Audio Authentication,” in AES 46th International Conference, Denver, CO, USA, 2012.

[40] B. Koenig and D. Lacey, “Forensic Authentication of Digital Audio Recordings,” Journal of the Audio Engineering Society, vol. 57, no. 9, pp. 662-695, 2009.

[41] B. Koenig, D. Lacey and S. Killion, “Forensic Enhancement of Digital Audio Recordings,” Journal of the Audio Engineering Society, vol. 55, no. 5, pp. 352-371, May 2007.

[42] F. Everest, Critical Listening Skills for Audio Professionals, 2nd ed., Boston, MA: Cengage Learning, 2006.

[43] B. Koenig, “Authentication of Forensic Audio Recordings,” Journal of the Audio Engineering Society, vol. 38, no. 1/2, pp. 3-33, 1990.

Appendix A: Decision Tree for Evidence Retrieval and Submission

History

Revision Issue Date Section History
1.29
All
Approved by SWGDE as DRAFT version 1 to release for public comment.
1.37
2008-01-31
All
Approved by SWGDE for release as version 1 FINAL.
1.44
2008-03-03
Formatting
Converted to PDF and released as version 1 FINAL.
Ver 1
2008-03
Version 1 posted to SWGDE website.
2.01
2012-01-12
Copy of v.1 final designated as first draft of v.2 for review by SWGDE Audio Committee.
2.02
2012-09-13
Posted on Google Docs for collaborative comments and references.
2.03
2013-09-12
All
Updated in Audio Committee to incorporate comments, references, and discussions.
2.04
2013-09
Editorial updates
2.09
2014-01-16
All
Approved by SWGDE for release as a Draft for Public Comment.
2.10
2014-02-14
All/9
Updated accumulated list of references. Formatting and tech edit performed for release as Draft for Public Comment.
2.14
2014-06-06
All
Updated to incorporate public comments.
2.15
2014-06-16
All/ 11/ Disclaimer
Updated accumulated list of references. Updated with new draft document Disclaimer. Formatting and tech edit performed for re- release as Draft for Public Comment.
2.17
2014-08-28
4.2.6.2, 6.3.1, 6.3.5, 7.1, 8.4
Updated in response to public comments.
2.18
2014-09-05
Formatting
Approved by SWGDE for release as version 2 FINAL. Converted to PDF and released as version 2 FINAL.
Ver 2
2014-09-08
Version 2 posted to SWGDE website.
2.19
2015-01-15
3, 4, Appendix
Added reference to Appendix A in Evidence Retrieval; Minor changes to Submission of Request; Added Appendix A. Approved by SWGDE for release as a Draft for Public Comment.
2.20
2015-02-21
Formatting
Formatting and tech edit performed for release as Draft for Public Comment and posted to the SWGDE website.
2.21
2015-06-04
References
Corrections made to references section. Approved by SWGDE for release as version 2.1 FINAL.
Ver 2.1
2015-06-30
Appendix, Formatting
Corrected error in Appendix A Decision Tree. Formatting and tech edit performed for release as Approved and posted to the SWGDE website.
2.23
2016-09-15
7.3.5
Minor edit: Changed “CD, DVD” to “optical discs” to include Blu-ray and other formats. Approved by SWGDE as Approved Version 2.2
Ver. 2.2
2016-10-08
Formatting
Formatting and tech edit performed to publish as Approved.
2017-02-21
Appendix Footer
Correction made to the footer on the Appendix. No version change.
Ver. 2.3
2020-09-17
3.2.6.1 6.1.1
Update the “Transcoded File Transfer” paragraph Update the “Transcoding” paragraph
Ver 2.4
2021-01-14
1.1.1 3.2.6.1 6.2 7
Minor edits for accuracy. Updated for clarity Added “applied noise reduction” Reformatted, new SWGDE references added.
Ver 2.5
2021-09-16
6.1
Added multichannel audio, released for public comment
Ver 2.5
2022-06-09
No comments received, released as a final publication

Version: 2.5 (June 9, 2022)

View Pdf