SWGDE

Menu
Subscribe
Subscribe

published documents

SWGDE Guidelines for Video Evidence Canvassing and Collection

20-v-002

View Pdf

Disclaimer and Conditions Regarding Use of SWGDE Documents:

SWGDE documents are developed by a consensus process that involves the best efforts of relevant subject matter experts, organizations, and input from other stakeholders to publish suggested best practices, practical guidance, technical positions, and educational information in the discipline of digital and multi-media forensics and related fields. No warranty or other representation as to SWGDE work product is made or intended.

As a condition to the use of this document (and the information contained herein) in any judicial, administrative, legislative, or other adjudicatory proceeding in the United States or elsewhere, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in such proceeding.. The notification should include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; and, 3) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Subsequent to the use of this document in the proceeding please notify SWGDE as to the outcome of the matter. Notifications should be sent to secretary@swgde.org.

From time to time, SWGDE documents may be revised, updated, or sunsetted. Readers are advised to verify on the SWGDE website (www.swgde.org) they are utilizing the current version of this document. Prior versions of SWGDE documents are archived and available on the SWGDE website.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

  1. Redistribution of documents or parts of documents must retain this SWGDE cover page containing the Disclaimer and Conditions of Use.
  2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
  3. Any reference or quote from a SWGDE document must include the version number (or creation date) of the document and also indicate if the document is in a draft status.

Requests for Modification:

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of any suggested modification:

  1. Submitter’s name
  2. Affiliation (agency/organization)
  3. Address
  4. Telephone number and email address
  5. SWGDE Document title and version number
  6. Change from (note document section number)
  7. Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
  8. Basis for suggested modification

Intellectual Property:

Unauthorized use of the SWGDE logo or documents without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or over represent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; use the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.

Table of Contents

1. Purpose

Video can be used to establish a timeline of events and help visualize an incident from various perspectives and vantage points. Additionally, video evidence can be acquired from many devices with video recording capabilities, such as digital video recorders (DVRs), doorbell cameras, Internet of Things (IoT) devices, social media platforms, and smartphones. This typically requires investigators to canvass a geographical area for sources of video. The purpose of this document is to provide guidance to personnel tasked with locating video from various sources and locations during an investigation.

2. Scope

This document provides guidance for locating video sources during large scale events; however, it could also be applied to singular, smaller incidents.

For more information on acquisition of video files, see SWGDE Best Practices for Data Acquisition from Digital Video Recorders.

For more information on data acquisition from cloud storage, see SWGDE Best Practices for Digital & Multimedia Evidence Video Acquisition from Cloud Storage.

For more information on documenting recovered video, see SWGDE Requirements for Report Writing in Digital and Multimedia Forensics.

For the purpose of this document, personnel tasked with the collection and review of video will be referred to as “investigator,” and digital video recorders (DVRs) will be inclusive of Network Video Recorder (NVR), Hybrid Digital Recorder, Dedicated Computer, Personal Computer, and Server-Based video recorder. In this document, evidentiary video data from a security system or video provided by a witness, and any included audio within that video file, will hereafter be referred to as “third-party video.”

3. Limitations

Incident locations, video sources, and assigned investigative resources vary greatly by incident and jurisdiction. The responding investigator should have knowledge of DVRs and a basic understanding of digital video files. For more information, see SWGDE Technical Overview of Digital Video Files.

Proper legal authority should be obtained before seizing or acquiring video evidence from any source. Refer to organizational policy regarding specific requirements for warrants, consent, or exigent circumstances.

This is not intended to replace general policy for investigations, but may be used to supplement current organizational policy with an emphasis on video evidence.

4. Environmental Familiarity

An understanding of the geographic area in which the incident occurred will assist in establishing search patterns to locate cameras and video evidence. Investigators who are not familiar with the geographical area should receive direction from personnel with a complete understanding of the location to allow for the expeditious collection and review of video. Street view imagery may be used to identify potential sources of video; however, every effort should be made to physically canvass the area for cameras regardless of environmental familiarity as new recording sources are continually being employed or removed from areas.

In addition to static locations for video, transitory video sources (e.g., public transportation, public safety video, both private and public in-car cameras) should be considered and identified as soon as possible.

5. Operation Plan

Prior to acquiring videos, an operation plan should be implemented. The plan should include the date(s) and time(s) of interest, geographical location of canvass areas, expected storage media needs, and investigative assignments. If a multi-day event has occurred, regular updates and briefings should be considered.

Video acquisitions should originate at, or nearest, the incident location. Subsequent recoveries may result from information obtained from this original location. Investigators should obtain the time of occurrence from a reliable source like Computer Aided Dispatch, or automated report management systems. If multijurisdictional assistance is required, then the request for assistance should be made as soon as possible.

For field collection of video files, organizations should use reliable storage media capable of rapidly transferring files. Additionally, a computer with video software installed for reviewing, recording, tagging, and disseminating video content in the field should be available. A list of equipment can be located in SWGDE Best Practices for Data Acquisition from Digital Video Recorders.

6. Proactive Video Contact for Public Video Recordings

It is recommended that investigators make proactive contact with businesses and citizens who own surveillance cameras located in high volume call areas or common thoroughfares on an ongoing basis. Strong community relationships may expedite acquisition of video.

Retention periods for the video sources and contact information for those who are capable of providing the video upon request should be documented and retained. Organizational policy should address the storage of personally identifiable information (PII) in searchable databases.

Contact can be accomplished through a variety of methods, including, but not limited to:

  • Physical canvassing
  • Camera registration database searches
  • Social media networks
  • Broadcast media
  • Collaboration with other organizations
  • Collaboration with corporate manufacturers/providers of streaming home security video cameras.

Additionally, governmental agencies and partners may retain video, images, or vehicle databases, such as license plate readers (LPRs) or visitor logs, which may be accessed in the course of an investigation and may aid in narrowing the scope of video acquisition. During critical incidents, it may be necessary for an organization to use a community web submission portal to collect witness video and other types of multimedia evidence. A secure online submission form, upload feature, and CAPTCHA system are key elements to a web portal. An example of a web submission portal and multimedia forms can be located at https://tips.fbi.gov/digitalmedia/.

Prior to launching the community portal and sharing a link, it is also important to consult with your organization’s information technology experts to test the submission form for privacy and security purposes.

Requests for citizens and businesses to provide video should be completed using the organization’s public communication policy (e.g., press secretary, public information officer). When soliciting video from the community, it is important to provide clear messaging about the incident and reason for requesting public video, how information will be collected and used, and required information (e.g., name, contact info, description, file size limitations, etc.).

Organizations may receive videos from businesses or citizens related to the incident directly. Documentation should be made to include the submitters contact information. As with all video acquired for the investigation, the provided video should be reviewed for investigative value. If video is determined to be of value, investigators should contact the owner of the video source to document video source settings and identify if there are additional cameras of interest.

Consideration should be given to the fact that some privately owned video may be submitted anonymously. This may require additional efforts to authenticate, should there be evidentiary value to the content. In anonymous submission scenarios, it would be advantageous to ascertain the original recording device’s make and model that captured the video in the event that the recording is required to be authenticated in the future.

Multiple videos, especially those available on social media sites, may be submitted from numerous sources. The duplicate videos may require further analysis to determine if they are redundant.

Emerging research [1][2] denotes important issues related to the export or extraction of digital media files from mobile and other personal devices. Configurations within the device effect how the video will be recorded by the device. The method used to export the video from the device may also have a spectrum of possible effects on the quality and composition of the media file that is ultimately acquired. For example, using options such as email, messaging over Wi-Fi connection, MMS messaging, Bluetooth transfer, or third-party applications on the device to deliver the recording may result in different container formats, frame rates, or encoding methods, which may ultimately affect an attempt to authenticate the file or result in a lesser quality video.

7. Documentation

When responding to multiple locations for the same event, it is recommended the investigator document each source of video separately. The investigator should follow the workflow listed in section 10, “Steps to Take During Acquisition,” workflow from the SWGDE Best Practices for Data Acquisition from Digital Video Recorders document.

8. Sources of third-party video

Below is a non-exhaustive list of resources that may provide video to aid in the investigation:

  • Municipal surveillance systems (e.g., downtown cameras, pole cameras, waste collection)
  • Business stand-alone digital video recorders
  • Corporate video systems
  • Public transportation
  • Freeway and Toll Road Cameras
  • Public safety (e.g., body worn cameras, in-car video systems, interview rooms, license plate readers)
  • Rideshare, taxi, or private dash camera recording systems
  • Residential security video systems (e.g., doorbell cameras, Wi-Fi monitoring cameras)
  • Smartphones (e.g., native camera roll, third-party apps)
  • Commercial unmanned aerial vehicles (e.g., drones)
  • Consumer recording devices (e.g., action sports camera, digital cameras with video capabilities)
  • Video gaming consoles
  • Social media platforms (e.g., TWITCH, YouTube, Facebook, Instagram)
  • News media outlet websites
  • Game and wildlife cameras
  • Cloud-based video storage solutions

9. Exigency of Video Collection and Field Review

Video evidence is perishable and should be acquired as soon as possible. Digital video security systems have retention periods of various durations before the data is overwritten. Do not solely rely on the system owner for the overwrite schedule. Investigators should be aware of these retention periods and prioritize acquisition accordingly, in order to assure the video of interest is collected before it is overwritten. To protect the integrity of the data, efforts should be made to mitigate remote access to any recording systems, including video servers and smartphones.

Alternatively, if the investigator’s organization has the software capability of identifying and viewing the proprietary DVR filesystem used by the surveillance system, it may be advantageous to remove the hard drive. This should be attempted by a trained video or computer forensic examiner (see SWGDE Training Guidelines for Video Analysis, Image Analysis and Photography Section 7). This may be appropriate when a timeline has not been determined. Should the hard drive be removed from the DVR, a replacement hard drive should be provided to ensure that the owner / business is still able to record on their DVR.

In addition to proper preservation of video, expediency will focus the video collection effort and ensure proper resources are being deployed to efficiently collect all relevant video. Reviewing video in the field may help identify additional video sources, and narrow the scope of relevant time period(s) or camera(s). Provided or acquired video should be reviewed in a timely manner to continue to correctly focus the trajectory of the investigation and provide investigative leads.

10. Establishing Search Patterns and Collection of Video

Understanding event chronology and identification of person(s) and/or vehicles(s) of interest will significantly expedite the video review process; therefore, it is recommended that the same investigator from the early stages of the investigation continue throughout the investigation. If additional investigators are assigned after the initial response period, a comprehensive briefing is required.

Note: The responding investigator should be cognizant of the need for situational awareness, personal safety, personal protective equipment, biological hazards, and additional physical evidence.

Listed below is a basic framework of steps that should be taken:

  1. Obtain the date and time of the incident.
  2. Establish the primary area of interest where the incident occurred.
  3. Conduct a physical canvas of the primary area.
  4. Review and acquire video known to have captured the incident while documenting the DVRs settings and overwrite pattern. For additional acquisition information, see SWGDE Best Practices for Data Acquisition from Digital Video Recorders.
  5. Acquire or request any additional video within the established primary area of interest.
  6. To minimize delays in receiving video, priority should be placed on requesting video from commercial institutions where video may be maintained offsite or will require legal authority to obtain.
  7. Establish auxiliary areas of interest which may include persons or vehicles arriving or leaving the scene or activity preceding the incident.
  8. Identify all possible routes of travel.
    1. When multiple routes of travel are identified, begin canvassing for video sources on the most commonly traveled route. Video sources should be in close proximity to the incident location. Review video onsite, when possible, to narrow the scope of the canvas.
    2. When a small number of possible routes of travel are identified, the proximity of the video source to the incident location may be expanded.
  9. Continue to expand search areas and efforts based on any new information obtained through the course of the investigation.

11. Live Stream and Social Media Video

In addition to canvassing a geographical area for video sources, it may be of equal importance to search for relevant videos posted on social media and on the internet. Prior to collecting public, unlisted, or private video, proper legal authority should be obtained and the investigator should be aware of any local ordinances that govern the collection and retention of video from online sources. The collection of these types of video should be performed as soon as possible as these videos may be removed or deleted from social media accounts.

For these types of videos, the investigator will need to perform a direct download or screen capture from live stream and social media platforms to preserve video evidence. When feasible, the investigator should make an attempt to offload the embedded video directly from the web platform, which may provide the best quality video. If a direct download option is not available, then the investigator should explore the use of a web browser extension or software developed specifically for downloading video from social media platforms. As a last resort to preserve live stream video evidence, it may be necessary to perform a screen capture recording of a website. Investigators should have an understanding of the technical limitations of screen capture software and make the appropriate system setting configurations to obtain the best evidence under the circumstances.

Regardless of video preservation method, the investigator should document where the video was sourced from and document the user account name, hashtags, URL link, snapshot of website, and date/time of acquisition. Hashtags associated with the video content may provide relevant information such as mottos, slogans, or other tag lines of the event.

Consider making a preservation request as soon as practical to ensure cloud stored files are still available in their original format and codec prior to acquisition. For information on acquiring Cloud recordings refer to SWGDE Best Practices for Digital & Multimedia Evidence Video Acquisition from Cloud Storage.

12. Review of Video Considerations

The cursory and critical review of video may require the organization to invest many hours, if not days or months. An action plan for reviewing large amounts of video should be established. The review of the video(s) may require the organization to consider the creation of a multi-unit task force to share information between other organizations, and help maintain chain of custody. To make this process more efficient, it may be advantageous for the review process to take place within a central repository, with a structured workflow to minimize duplicative work, and if possible, software to and maximize video review efficiency.

Listed below is a proposed cursory video review workflow:

  1. Locate the cameras that contain the view(s) of interest and perform a cursory review.
  2. When an area of interest is located, document the time from the video timeline and any additional identifying information. Organizations may use an annotation feature within software to mark the video timeline which will assist in locating the area of interest later.
  3. Perform a critical review of video being considered for investigative or forensic analysis in real time as fast-forward or reverse playback may cause information to be missed. Additional annotations may be required. Additional information on Forensic Video Analysis can be found in SWGDE Best Practices for Digital Forensic Video Analysis.
  4. Expand to other camera views as time permits.

13. Management of Acquired Video

Collection of video from different locations may result in numerous types of video formats. The files for the incident will need to be transferred to a more permanent solution. The files can be logically transferred to the organization’s choice of storage. The files should be organized, verified (e.g., validating checksums) and protected from alteration. Documentation of the video files should include the date and time of transfer, as well as the location from which the files were collected. A digital evidence management solution for retaining, organizing, and managing large video data sets should be considered.

If the video evidence is inventoried on optical media, a complete copy, or record of convenience, should be maintained for a period of time. This record should be accessible to investigators for future reference.

Organizations should develop, maintain, and adhere to standard operating procedures (SOPs) governing the archiving of data, maintenance, and management of those archives. This may depend on the type of event and legal retention policies.

14. Reference Material

[1] Bertram Lyons, and Walter Bruehs. “Structural Signatures: Using Source-Specific Format Structures to Identify the Provenance of Digital Video File.” Presented at the 104th IAI International Educational Conference, Reno, August 15, 2019.

[2] Lyons, Bertram, and Daniel Fischer. “Structural Signatures: Using Source-Specific Format Structures to Identify the Provenance of Digital Video Files.” Presented at the Joint Technical Symposium, Amsterdam, October 5, 2019.

https://weareavp.aviaryplatform.com/collections/6/collection_resources/13957.

History

Revision Issue Date Section History
1.0 DRAFT
09-17-2020
Video
Initial draft created and submitted to membership for vote for release as a Draft for Public Comment.
1.0
01-14-2021
Video
Final document released for publication
Version 1.0 (January 14, 2021)
View Pdf