Audio & Video File Authentication

Dear All,

Hello, long time browser of FF and now 1st time poster.

I work in the UK as a consultant for audio and video forensics having worked in professional AV & broadcast for 12+ years. I've always had an interest in computing too (with some file recovery and software R&D for the above) and find I'm now having to think about digital / computing forensics as more and more work comes in on a digital format and with a digital work flow in mind too.

And so I'd like some thoughts on the follow scenario.

At what point can I say a video clip is authentic? Ignoring the content of said video at what point can I truly say a piece of evidence no longer has provenance?

A recent case as thrown up some issues, and days of googling hasn't really resolved anything, certainly there seems nothing set in stone from a video forensics point of view, which is why I need to consider the issue from a computing forensics point of view as well.

Example

I am asked to analyse video from You Tube.

It is of terrible quality, no one in my opinion can be identified.

I argue that

As evidence it has no provenance as
It is clearly an excerpt.

I would need the original medium on which the data was captured to, i.e. the memory card, to image, verify and then work from.

From then I can analyse the data as well as the video/audio content of the file which would be of higher quality.

The camera is no longer available, nor is the memory card which is stated as being over written.

The PC on which the video was originally extracted to (propitiatory format mpeg1) is not available.

The CD on which this extracted file is not available either.

It is from this CD after a passage of years the video is uploaded to You Tube.

Researching the camera I find it shoots at a very low quality 8fps 240x160 max (a still camera with video function) SonyEX mpeg1. A 25fps version was made by converting the file on the aforementioned PC by decompressing the file with the propitiatory format codec which uses motion compensation and estimation to generate and extra 2 frames to give 24fps.

It was then saved in another unknown format (presumed container is AVI, unknow codec) burnt to CD, kept for a number of years, handed to third party, up loaded to You Tube where it is then converted once more.

So in my professional opinion there is no verifiable chain of custody, no digital audit trail, and the video was low quality to start with and has been irrevocably changed by the the number of times its been converted from one format to another.

So for the future

Am I right on the above?

Should I insist on the original memory card / media? (as would be expected for CCTV etc)

Would an image of the memory card be suffecient?

Or a copy of any given file (drag & drop between media/disks)?

Would you consider an excerpt or edit from say an image file or word document as authenticated with no original?

Any other thoughts with handling digital media in a lab environment. I adhere to the Association of Chief Police Officers (UK) guidelines with regards to Chain of Custody and digital evidence, and take these issues seriously. With that in mind I want to run as professional lab as possible. My workstations for examining items are off the net, the media drives get zeroed between jobs, I work from hashed images, or hashed 1st generation copies if from an analogue source.
I've worked for both prosecution and defence.

Pheeew, you can tell I've been saving this lot up for some time and would like some what I would consider 'working in the field' professional opinions!

Thanks for reading,

Richard