Friday 10 July 2009

Video Triage

Paul Sanderson's VidReport has been referred to here and there lately. C4M also is regularly brought up in conversations I have with people (such an interesting life I lead). Triage is certainly the flavour of the month right now. So I thought it worth writing a few lines about my recent experiences of triaging videos.

I have often voiced the opinion that reviewing a couple of hundred video files in a case is not that big a deal and on that basis I have not been too keen on using C4M. Anyhow I've just had a case with about 170 video clips to review and thought it would be a good case to try out the video triage approach. My normal approach is to use VLC as a file viewer in EnCase to preview each video. This took about an hour and a half (some of the videos were quite good ;-) ).

I then used John Douglas's video triage program (which I think he supplies free to LE) to review the same video clips. To use this program you copy out the clips you wish to review and point the program at the folder containing them. It processes each clip by taking a screen capture at a configurable interval and putting each screen capture into a subfolder named after the video's file name. Once the program has processed all the clips you will have a subfolder for each one, containing the screen captures. I then simply dragged the folders into EnCase as single files and previewed the contents of each folder in gallery view. I previewed all the clips in fifteen minutes. My scepticism of video triage was clearly unfounded.


4 comments:

johnmccash said...

You can do the same with ffmpeg, which is free to anyone. Take a look at the following blog posting for more details: https://blogs.sans.org/computer-forensics/2009/05/13/automated-recovery-of-multimedia-from-unallocated-space/
John

Mark Woan said...

After reading your posting I created my own version that is free for anyone to use; it basically wraps ffmpeg.

It is multithreaded, produces MD5 and SHA-1 hashes, allows for users to categorise the videos and exports the results to CSV. It requires the .NET Framework v3.5.

More info can be found here: http://www.woanware.co.uk/forensic-video-triage-fvt/

Gary Probert said...

For my money one of the best freeware tools for viewing video files is SMPLAYER. The program allows you to speed videos up to 100x normal speed to quickly view them by a couple of simple keystrokes. It also plays a lot of files that other programs demand codecs for. The program can be obtained here:
http://smplayer.en.softonic.com/

DC1743 said...

Agreed Gary,

It is in fact discussed in a later post at http://forensicsfromthesausagefactory.blogspot.com/2009/10/video-triage-revisited.html

R