Chapter 7

Preparatory analysis

Introduction

Before any forensic audio examination can commence, there are several preparatory steps which must first be performed (Reith et al., 2002). As much care and consideration should be given to these stages as any other part of an examination as any errors here could affect all future analyses or processes which follow, and subsequently, the reliability of the final outcome.

Exhibit imaging

Although in some respects digital evidence is less volatile than some of the more traditional forensic sciences, such as fingerprints and DNA (which can become contaminated solely through physical contact), it is still an extremely fragile format and can be altered beyond repair relatively easily (National Institute of Justice, Office of Justice Programs, 2004). For this reason, original exhibits should be treated with extreme caution, and this cannot be emphasised enough. Errors such as the pressing of the wrong button on a recorder, placing the evidence within a magnetic field, or using an incompatible power adapter are simple to make but can be irreversible. In a worst-case scenario, these types of mistakes could result in data loss, and potentially (depending on the evidence and its bearing on a case), the wrongful conviction or release of an individual.

Exhibit imaging pertains to the creation of a bit-stream digital copy of an exhibit. The bit-stream refers to the binary digits of which the exhibit is composed, ensuring an accurate and complete replica of the original version is created. The procedure for imaging of evidence is highly dependent on the format and the manner in which the recording was received. Extreme caution should always be practised with evidence provided on the original device with which it was purported to have been captured, but there is no harm in treating every exhibit received as the ‘original’ version, regardless of whether it is a digital copy or not. Treating each exhibit in the same manner ensures consistency and good practice, and mitigates against any issues concerning the chain of custody (Casey et al., 2009). Digital audio evidence can be received via one of two media: physical or digital.

Physical

This relates solely to original audio evidence contained on recording devices. There are several possibilities for imaging in these cases as the recording may exist on a device with USB connectivity, removable external memory, both, or neither of these possibilities. As specific considerations are required for mobile phones and computers, they are outside the scope of this book, and further information should be sought from other sources regarding how they should be processed. Recordings which have been previously extracted by a third party will generally have been imaged to a storage format such as a disc or an external USB device (for instance, a USB flash drive or external hard drive).

Upon receiving an original device on which the audio is purported to have been captured, the following steps must be taken to ensure the integrity of the exhibit is not compromised (SWGDE, 2016):

1. Information should first be obtained from the instructing party as to whether any other forensic work is to be instructed, such as the recovery of fingerprints. This allows precautions to be taken to ensure the physical evidence is not contaminated. All latent forensics should have been performed before the device is provided for a digital forensic examination, but best practice would always be to ask the question.

2. Original recording devices should be photographed upon receipt and any external damage to the unit documented, ensuring that the damage is visible in the photographs.

3. The user manual should be thoroughly reviewed to gather an overview of the functioning of the device to ensure buttons which could affect the recordings are not pushed, that the correct power adaptor is used, and the optimal method for the extraction of the data is used.

4. Attempts should be made to turn the device on. If the power has drained due to the time elapsed since it was first seized, the relevant power lead must be sought. Steps must always be taken to ensure power adaptors are of the correct voltage and current so as not to damage the circuitry of the device.

5. A case folder must be created on the workstation pertinent to the case, with a structure which includes an exhibit folder to store the digital working copy.

6. A write blocker should always be connected to the workstation and verified to be working by attaching a test device such as an external hard drive and attempting to write to the device, change file names, and image a file from the device to the workstation.

7. If the workstation does not have a regularly updated virus scanner always running as a background process, one should be activated before connecting the exhibit to ensure the examiner is alerted to any viruses which may be contained on the exhibit.

8. Once the write blocker is shown to be working correctly, the exhibit can be connected to the workstation and files imaged from the device to the exhibit folder. It is good practice to image all recordings, thus ensuring no data is missed which may be relevant to the work instructed, and to prevent imaging of the device a second time if additional work is instructed in the future.

9. The file options of all exhibits imaged to the workstation should be changed to read-only, thus removing any write permissions. This prevents accidental changes being made to the data.

10. A log of the exhibit should be created, documenting information such as the evidence bag number, the client name, the case name, the date the exhibit was received, the date imaged, and the name of the examiner who performed the imaging.

11. The hash checksums of both the original evidence and that imaged to the workstation should be compared to ensure exact bit-stream copies have been made. When a write blocker is in use, this will not affect the data on the device as the hash checksum is a calculation based on the file, so does not change the actual data. The write blocker also prevents any changes to the access date, ensuring the original evidence metadata is preserved.

12. Once the imaging has been completed, the recording device can be disconnected, powered down, and placed within a labelled evidence bag.

13. The exhibit bag must be sealed and placed in secure storage such as a safe, and kept away from any electromagnetic radiation and other potential risks to its integrity.

14. It is best to keep the exhibit for the duration of the examination in case further information is required from the device. Once the work is complete, the exhibit should be returned to the party who provided it and the date it was returned internally logged.

The above assumes a portable digital recorder, but the process can be applied to any form of external media. Mobile phones are increasingly complicated due to automated backups and the requirement for passcodes. A mobile phone examiner should, therefore, be recruited to perform an extraction of audio files from these types of devices to avoid any issues relating to contamination and to ensure the chain of custody is maintained. The pertinent files can then be provided to an audio examiner, whether they exist as audio, video, or voicemail recordings.
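The workstation side of the procedure (steps 5 and 8 to 11) can be scripted so that imaging, write protection, logging and hash comparison happen in one pass. The following is an added example, not taken from the book or from SWGDE: it assumes the exhibit is already mounted behind a verified write blocker at `source_dir`, uses SHA-256 as the hash (the text does not name an algorithm), and the function and log field names are hypothetical.

```python
import csv, hashlib, os, shutil, stat, tempfile
from datetime import date
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large recordings are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def image_exhibit(source_dir, case_dir, log_fields):
    """Image every file (step 8), write-protect it (9), log it (10), compare hashes (11)."""
    source_dir, case_dir = Path(source_dir), Path(case_dir)
    exhibit_dir = case_dir / "exhibit"
    exhibit_dir.mkdir(parents=True)  # step 5; fails rather than reuse an old folder
    files = sorted(p for p in source_dir.rglob("*") if p.is_file())
    if not files:
        raise ValueError("no files found on the exhibit")
    rows = []
    for src in files:
        rel = src.relative_to(source_dir)
        dst = exhibit_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)       # copy2 also carries timestamps over
        os.chmod(dst, stat.S_IRUSR)  # read-only working image
        src_hash, dst_hash = sha256_file(src), sha256_file(dst)
        rows.append({**log_fields, "date_imaged": date.today().isoformat(),
                     "file": rel.as_posix(), "source_sha256": src_hash,
                     "image_sha256": dst_hash, "verified": src_hash == dst_hash})
    with open(case_dir / "exhibit_log.csv", "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    if not all(r["verified"] for r in rows):
        raise RuntimeError("hash mismatch: image is not a bit-stream copy")
    return rows

if __name__ == "__main__":
    # Constructed stand-in for a recorder mounted behind a write blocker.
    work = Path(tempfile.mkdtemp())
    (work / "recorder" / "REC").mkdir(parents=True)
    (work / "recorder" / "REC" / "001.wav").write_bytes(b"RIFF constructed sample")
    fields = {"evidence_bag": "BAG-PLACEHOLDER", "client": "Example Client",
              "case": "Example Case", "date_received": "2024-01-01",
              "examiner": "A. Examiner"}
    for row in image_exhibit(work / "recorder", work / "case-0001", fields):
        print(row["file"], row["image_sha256"], row["verified"])
```

The log is written before the mismatch check raises, so a failed verification is still recorded against the exhibit.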

Digital

As we are concerned solely with digital audio, the distinction should be made as to the difference between physical and digital data. The previous subsection refers to digital data provided via a physical medium. This section relates to recordings provided via digital means such as from the cloud or an email attachment. As digital methods create a digital copy of the file automatically when copied to a workstation, they are, by definition, bit-stream copies, but best practice would be to treat them as the original. If the party who provided the exhibit deletes their copy, and the device from which they were obtained is damaged, having a copy on the workstation in the original state in which it was provided will ensure that a copy of the original version is still available. The same general process should be applied as for physically received exhibits, namely, imaging the files to an exhibit folder, implementing write protection, and making a working copy if processing is to be performed.

A point to note about exhibits is that the most original version should always be requested to ensure the most robust possible chain of custody. If a recording is provided via email, but the provider states that the device is available, the evidence should be extracted directly from the device rather than using the version supplied via email to ensure all possible steps have been taken to work with the most original version. Although digital data does not degrade when copied (unlike electrical or magnetic recordings which degrade with each iteration), by extracting the audio from the purported capture device the examiner can be confident that the audio is, in fact, the original version (although an authentication triage should be carried out regardless).

In sourcing the most original exhibit, or at least a bit-stream copy of it, there are limited opportunities for manipulation of the recording which may have occurred since the capture. If this is not the case, the possibility always exists that the original recording was copied from a device to a computer by a party with an interest in the case, who then purposely manipulated it before providing it as evidence. Conversion of an uncompressed WAV PCM version to MP3 is also an all too common occurrence as many people believe that is the most ubiquitous format and thus will play on all computers, but do not understand the quality degradation this may cause to the content.

A prime example of this relates to an enhancement case in which I received an audio recording captured using a mobile phone, which had subsequently been extracted and ‘enhanced.’ When I requested a copy of the original, I was repeatedly sent the enhanced version, which was severely clipped. I assumed this was because the original was clipped and the examiner who performed the enhancement had decided not to de-clip the recording for some reason. When I finally received a bit-stream working copy of the original, it was not clipped in the slightest. It was, in fact, of a much higher quality than the ‘enhancement.’

In many cases, access to the original recording device is not a viable option, for instance, when access to specific systems is not possible, such as emergency call centre recording software and that used for undercover recordings. Access can also be a problem when the device belongs to a private citizen or has since been lost or destroyed. In these cases, the steps taken to attempt to obtain the original versions, the response received, and any limitations related to the version provided should be documented to be fully transparent. An example limitation would be that it may be possible for another examiner using the original version to produce an enhancement of higher quality.

Instruction

Instructions are provided by the party for whom the work is being undertaken, and can vary, based on the type of case and the reason the work is required. For complete clarity and conciseness, it is recommended that the instruction is broken down. For example, imagine the following is received from the instructing party:

We have a recording of an alleged bribery attempt, but it is low in volume and was recorded in a room with a noisy air conditioning system. It is, therefore, difficult to hear what is being said. We also believe that there is a section which has been removed from the recording based on one of the parties’ recollection of the meeting.

The points of instruction can, therefore, be refined as:

1. authentication of a single (1) audio recording;

2. enhancement of a single (1) audio recording.

These points can then be relayed to the instructing party to ensure their request has been understood. It should be made clear that an instruction should be used as guidance as to the requirements of the instructing party. The work process should be completely impartial and unbiased, regardless of who the instructing party is and the conclusions they hope will be reached.

Summary

To ensure a forensic audio examination is performed with the highest integrity possible, and in accordance with best practice guidelines, preparation is critical. It could be argued that this stage is the most important, as it is here that mistakes such as changes to the original exhibit cannot be rectified. The preparatory stage also has an influence on the rest of the examination so it must be undertaken logically. Only once working copies have been made, the original evidence secured, and the request made by the instructing party fully understood and agreed, should the examination in chief begin.

References

Casey, E., Ferraro, M., and Nguyen, L., 2009. Investigation delayed is justice denied: Proposals for expediting forensic examinations of digital evidence. Journal of Forensic Sciences 54, 1353–1364.

National Institute of Justice, Office of Justice Programs, 2004. Forensic examination of digital evidence: A guide for law enforcement (378092004-001). U.S. Department of Justice, Washington, DC.

Reith, M., Carr, C., and Gunsch, G., 2002. An examination of digital forensic models. International Journal of Digital Evidence 1(3), 1–12.

SWGDE, 2016. Best practices for forensic audio. October 8, 1–28. Available at: www.swgde.org/documents/published
