Citation
Source identification of high definition videos

Material Information

Title:
Source identification of high definition videos a forensic analysis of downloaders and YouTube video compression using a group of action cameras
Creator:
Giammarrusco, Zachary Paul ( author )
Language:
English
Physical Description:
1 electronic file (62 pages). : ;

Subjects

Subjects / Keywords:
Video recordings ( lcsh )
Source separation (Signal processing) ( lcsh )
Signal processing -- Digital techniques ( lcsh )
Genre:
bibliography ( marcgt )
theses ( marcgt )
non-fiction ( marcgt )

Notes

Review:
Video cameras are a large part of today's mainstream society, where many people feel the need to record and share their life's experiences. YouTube, created in 2007, has become the most popular host of Internet videos from around the world with an estimated 1 billion unique monthly users (Youtube.com). YouTube is localized in 61 countries and across 61 languages. Over 100 hours of video are uploaded every minute. These videos can contain important information about a crime, or event, that might have occurred. For example, in September of 2014, the terrorist group called ISIS released a set of videos on YouTube that portrayed the beheadings of American and British citizens. These videos were called into question, and their authenticity needed to be determined. It is the job of the forensic investigator to determine if a particular video, in question, is a complete and accurate representation of what it purports to be. This research paper will address the effects of YouTube on source camera identification while seeking to quantify the amount of change that can occur during the conversion process. It is well understood that YouTube re-encodes all video uploaded to the site, which has several implications for forensic authentication analysis [1]. The testing material described in this paper was comprised of 11 different cameras and three different downloader tools. Chapter 1 describes a variety of established image authentication techniques used to determine the origin of a video. Chapter 2 describes the underlying framework of YouTube, how it works, and the effects it can have on video. Chapter 3 describes and compares three tools that can be used for downloading YouTube videos. Chapter 4 describes how the test data was acquired. Chapter 5 addresses structure and source identification techniques using the test results. Chapter 6 describes all conclusions reached during analysis. Chapter 7 ends with future research in the field.
Thesis:
Thesis (M.S.)--University of Colorado Denver.
Bibliography:
Includes bibliographic references.
System Details:
System requirements: Adobe Reader.
General Note:
College of Arts and Media
Statement of Responsibility:
by Zachary Paul Giammarrusco.

Record Information

Source Institution:
University of Colorado Denver
Rights Management:
All applicable rights reserved by the source institution and holding location.
Resource Identifier:
904250089 ( OCLC )
ocn904250089

Downloads

This item is only available as the following downloads:


Full Text

PAGE 1

! SOURCE IDENTIFIC ATION OF HIGH DEFINITION VIDEOS: A FORENSIC ANALYSIS OF DOWNLOADE RS AND YOUTUBE VIDEO COMPRESSION USING A GROUP OF ACTION CAMERAS. By ZACHARY PAUL GIAMMARRUSCO B.A ., U niversity of C olorado D enver 2012 A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment o f the requirements for the degree of Master of Science Recording Arts 2014

PAGE 2

! "" ! ! ! ! ! ! ! ! ! ! ! #$%&' ()*+),-!./)00),,12*3 )44!,/.+52!,626,768

PAGE 3

! """ 59":!;9<:":!=>?!;9=!2A"! 9@:!E<J?!;9?C"BD:!)?;: K?>D?@G ! LF ! ! ! *@;@M"B! .?"D>?@:N!*9@"? O<==!0P!2G";9 *@?>M!!.>M:Q" ! ! ! ! R>J
PAGE 4

! "J ."@GG@??H:A>N!(@A9@?FN!K@HM!S0P2PN!,?C"BD!)?;:NT! ! 2>H?AB!>=!+"D9!8<="B";">B! 7"C<>:U!)! V>?=! 8>WBM>@CH5HE!*>GI?<::">B!1:"BD!@!. ?>HI!>=! ) A;">B *@G=<::>?!*@;@M"B!.?"D>?@: ! "#$%!&$ ' Video cameras are a large part of today's mainstream society where many people feel the need to record an d share their life's experiences. YouT ube, created in 2007, has be come the most popular host of Internet videos from around the world with an estimated 1 billion unique monthly users (Youtube.com) YouTube is localized in 61 countries and across 61 languages. Over 100 hours of video are uploaded every minute. These video s can contain important information about a crime or event that might have occurred. For example in September of 2014, the terrorist group called ISIS released a set of videos on YouTube that portrayed the beheadings of American and British citizens These videos were called into question and their authenticity needed to be determined. It is the job of the forensic investigator to determine if a particular video in question, is a complete and accurate representation of what it purports to be This r esearch paper will address the effects of YouTube on source camera identification while seeking to quantify the amount of change that can occur during the conversion process. It is well understood that YouTube re encodes all video uploaded to the site, whi ch has several implications for forensic authentication analysis [1] The testing material described in this paper was comprised of 11

PAGE 5

! J different cameras and three different downloader tools Chapter 1 describes a variety of established i mage authentication techniques used to determine the origin of a video. Chapter 2 describ es the underlying framework of YouT ube how it works, and the effects it can have on video. Chapter 3 describes and compares three tools that can be used for downloading YouT ube video s Chapter 4 describes how the test data was acquired. Chapter 5 addresses structure and source identification techniques using the test results. Chap ter 6 describes all conclusions re ached during analysis. Chapter 7 ends with future research in the field. The form and content of this abstract are approved. I recommend its publication. Approved: Catalin Grigoras.

PAGE 6

! J" DEDICATION I would like to dedicate this paper to my mother Chiara Giammarrusco. She dedicated her life to giving me every opportunity I could have ask ed for. Not a day goes by where I don't think about her and the hard work that sculpted the person I am today. I'm forever grateful and always striving to make her proud.

PAGE 7

! J"" ACKNOWLEDGEMENT S I would like to thank my advisor Catalin Gri goras for his help and support with my thesis as well as Jeff S mith and Carol Golemboski W ithout their guidance I would have never finished this research I would also like to thank Tom Hills who has help ed me consistently improve my writing t hroughout my academic carrier. Thank you for all of your help along the way. I hope this paper is a testament for all the work you' ve invested in me. Last but not least I would like to thank Amy F ogarty, who has supported me throughout my graduate work. Thank you for all of your patience and help along the way. Your love and grace in life inspires me more than you will ever know.

PAGE 8

! J""" TABLE OF CONTENTS CHAPTER I. I NTRODUCTION .. 1 Defective Pixel Analysis... .. ...1 Sen s or Dust Analysis. .. ... .. .2 Color Filter Array Analysis. .. 2 Photo Response Non Uniformity Analysis. .. .3 Structure Anal ysis ... .. .5 Metadata A nalysis ... .. .6 I I. YO U TUBE FRAMEWORK .... .. ..7 Re Encoding .. 7 Downloading ... ... .. 8 Available Formats .. .. .. 8 III DOWNLOADER TOOLS .. ...10 Real Player One... .. .11 YouTube Downloader .. 11 A Tube Catcher... .. 12 Other t ools .. ..14 IV. MATERIALS AND METHODS.. .. .15 D atab ase Acquisition ... .. .15 Database Upload and Download. .. ..16 Meth ods17 Str u c t ure Analysis.. .. 17

PAGE 9

! "Y Photo Response Non Uniformity... .. 18 V R ESULTS .. ... ... ...22 Structure and Metadata Analysis.....22 Consistencies ............................................................................................... .24 Inconsistencies ... ..25 (PRNU Ana lysis).26 V I. CONCLUSION ... .. .. . 3 8 V II. FUTURE RESEARCH 41 BIBLIOGRAPHY .. .. .. 43 APPEN DIX .. 44 A. File Structure for all Videos 44

PAGE 10

! Y LIST OF TABLES Table 1 Exif Data acquired using Exiftool version 9.72 .. .. ..2 5 2 Inter Variability (YTD Vs. Original) .. . 2 7 3 Inter Variability (aTube Vs. Original) .. .. .27 4 Inter Variability (RPO Vs. Original) .. .. ... 28 5 Inter Variabilty (YTD, RPO, aTube, Vs. Original ) .. .. .28 6 Intra Variability Plot (RPO Vs. Original) .. . 29 7 Intra Variability Plot (aTube Vs. Original) .. .. .29 8 Intra Variability (YTD Vs. Original) ... . ..... .. 30 9 Intra Variability (aTube, YTD, RPO, Vs. Original) ... 30 10 Mean Average Correlation Values .. .. 31 11 Histogram (Intra Variability Original Vs. YTD) .. . 32 12 Histogram (Intra Variability Original Vs. RPO) .. .33 13 Histogram (Intra Variability Original Vs. aTube) . 34 14 Histogram (Inter Variability Original Vs. YTD) .. ..35 15 Histogram (Inter Variability Original V s. RPO)...... .36 16 Histogram (Inter Variability Original Vs. aTube) . 37 17 Proposed Structure... .40 !

PAGE 11

! Y" LIST OF FIGURES Figure 1 Median filtering to reduce "salt and pepper noise." .. ... 4 2 Container Structure... .. ... 5 3 YouTube Resolution options for a 1080p upload .. 9 4 RPO Version info rmation.. .. .. .11 5 YTD Use r Interface. .. .12 6 aT ube Catcher User Interface.. ... .. .. 13 7 aT ube Catcher Download resolution options .. ... 13 8 Go Pro Cameras ..15 9 Wall Color and Texture ...16 10 Inter Variabi lity.....19 11 Intra Variability ... ..20 12 Hex data comp arison.23 !

PAGE 12

! & ! CHAPTER I INTRODUCTION Recent advancements in digital imaging technology have allowed users to easily create video through the use of smartphones tablets and other mobile devices. The desire for people to share their videos online has been supported by different online social media websites. As these video s are sh ared on the Internet it can become extremely difficult to determine the origin of a video in an event that a crime has been committed. Recorded video of a ny illegal activity has a unique a bility to serve as evidence if determined to be consistent with an authentic recording or, in piracy cases, the v ideo itself can be illegal in its creation and possession. Digital camera identification is the process of linking images to a source camera. A reliable method to identify a source camera from other possible cameras can help assist in the authentication process significantly in a case that involve s piracy, child pornography, or espionage. Camera identification methods include bu t are not limited to : defective pixel analysis, s ensor dust analysis, photo response non u niformity (PRNU) f ile structure analysis, metadata analysis and identification based on color filter array (CFA) The research in this study briefly discusses these methods then focuses on structure, metadata and PRNU for the study. Defective Pixel Analysis When an imaging sensor in a digital camera fails to sense the light level s of a scene correctly it is known a s a defective pixel A defective pixel can leave traces in

PAGE 13

! $ every image generated by a digital camera. Therefore, this technique can be use d as a unique camera identifier [1] Upon acquisition of the image t he location of a defective pixel will be identical in subsequent image s Thi s method is very limited since a unique pixel defect can be corrected after image acquisition in the integrated post processing stage As advancements in technology continue to develop this method has become less relevant in camera authentication as the chances of having a defective pixel in question are extremely rare. Sen s or Dust Analysis The lenses on DSLR cameras are interchangeable and upon the removal of the camera lens, the sensor is exposed to hazards such as dust and moisture. The particles are attracted to the imaging sensor by electrostatic fields. Once the dust settles onto the senor it creates a pattern. Sensor dust patterns are displayed as artifacts on the capture d images and they become largely visible at smaller aperture values [2]. Normally, this unique dust patter n is not changed unless the sensor surface is cleaned T herefore, it can be used to match a given image to a source DSLR camera. This method is very l imited, as with defective pixels but should be noted as a possible source identification technique. Color Filter Array Analysis Another method in camera identification uses the c olor filter array The CFA is a mosaic of tin y color filters placed over the matrix (pixel sensor) of an image sensor to capture color information. M ost st ate of the art digital cameras employ a single mosaic structured CFA to cut costs rather than having different filters for each color component [3] As a consequence, each pixel in the image has only one col or

PAGE 14

! Z component associated with it. In order to obtain the missing color each digital camera employs a prop rietary interpolation algorithm. This introduces a specific statistical periodic correl ation between subset s of pixels, per color channel [4 ]. This can be estimated as a digital signature of a camera model. When a JPEG image is r e saved with an image editor, the original CFA correlation is changed as well A CFA analysis can reveal inconsist en cies with an original JPEG and/ or indicate traces of image recompression. Photo Response Non Uniformity Analysis P hoto resp onse non uniformity (PRNU) is a tool that makes use of pixel identification and can be used as a unique tool in identifying the "fingerprint" of digital sensors In theory when uniform light falls on a camera sensor, each pixel should output exactly the same value, or an ideal uniform response. The differing sensitivity of individual pixels to the same amo unt of li ght is called PRNU [5]. This technique looks at the individual pixels that may report slightly lower or higher values than their neighbors, even when these pixels are illuminated uniformly. By extracting invisible sensor pattern noise from images left behind by the image sensor a device signature or camera's sensor fingerprint can be determined The ability to extract the signal is affected by the quality of the sensor, the amount of light i nteracting with the sensor, and the scene content. Cell p hones and lower priced cameras are more susceptible to the de fects of the sensor components than higher end model cameras Every sensor has its own unique pattern due to the manufacturing processes. Small variations in a sensor's cell size and material result in slightly different output values per cell. When two patterns show a strong level of similarity,

PAGE 15

9;;I[\\WWWPG@;9W>?Q:PA>G\9
PAGE 16

! ] image structure in tact, most notably around edges where the local variance is high. S tructure Analysis All d igital cameras create files in a particular way, each with its own unique structure. It is important to understand that when an image file is created a huge surplus of information is carried along with it. This information is needed in order for compute rs and other devices to recognize and process the contents of the file. Figure 2 shows some of the information that is stored within a video container file. Figure 2 Container Structure An image file typically contains : the digital information about the image, a list of contents within the file, the location of the contents within the file, instructions on how to decode, then reassemble the physical image and information abo ut the file or

PAGE 17

! ^ container itself [8]. All this information is embedded into the image file and can be distinct between manufacturers and cameras. When computer s, or image processing software interact with the file, this structure can be altered. While this type of alteration does not necessarily mean t hat image content itself has been altered, it can raise concern about the authenticity of the image Metadat a A nalysis Modern digital cameras may write EXIF (Exchangeable Image Format) or XMP (Ex tensible Metatdata Platform) metadata to the image. The EXIF data is embedded with the image in the header of the digital file. This metadata can contain tags such as date and time, camera settings, geo graphical locations, or the serial number of the camera that produced the image. Although metadata can prove to be very us eful in camera identification, it can easily be deleted or manipulated. Social media websites may remove or alter metadat a information to decrease file size and maintain user privacy [9]. A framework of specific authentication techniques that should be used by forensic investigators can be found by (Anderson, Scott, 2001). It is very important to know the limits of your tools and combine techniques when providing camera identification analy sis.

PAGE 18

! CHAPTER II YOUTUBE FRAMEWORK I t i s important to think of the files uploaded to YouTube as a master video that will be used as source material to generate various quality video streams at different resolutions Simply stated the better the quality of file that is uploaded, to YouTube, the better quality that will be received upon download When uploading video to YouTube one of the following formats must be used in order for YouTube to re cognize the video: .MOV, MPEG4, .MP4, .AVI, .WMV, .MPEGPS, .FLV, .3GPP, .WebM. Re Encoding YouTube re encodes all video uploaded to the site, which has several implications. First, there's no value in trying to match YouTube's output to avoid re encoding. The video will always re encode regardless if the dimensions are identical upon upload and download [1] This fact is significant and should not be overlooked when providing authentication analysis. Second ly YouTube uses dynamic adaptive s treaming over HTTP (DASH ) for delivering videos DASH is an adaptive bitrate streaming technique that enables high quality streaming of media content over the Internet delivered f r o m conventional HTTP web serve r s (MPEG.ORG). Once video is uploaded to YouTube the content is made available at a variety of different bit rates and resolutions to prevent re buffering during playback. The DASH format serves audio and video in two separate streams for some resolutions/formats including 1080p an d 480p.

PAGE 19

! ` Downloading It i s important to un derstand the legal ramificat ions of downloading video from YouT ube In general, downloading videos that other people have posted on YouTube is not allowed. YouTube only provides an option to download MP4s of the user's own videos Consequently, this limit s the extent of downloading capabilities by excluding other user s videos However, i n a real world application the video in question would be comin g from an unknown source and this research is based upon that principle. Various YouTube downloading util ities were used in this study These tools play an important role in acquiring the video used for authentication analysis Fortunately for the user there are hundreds of freeware and software downloader tools available for Mac and PC. Most tools can easily downl oad all available formats while others are restricted in downloading capabilities. Available Formats A list of available formats can be viewed using Exift ool This tool works by reading t he m etadata from a source file on YouTube The information is then printed out in a list form This is one method to view the formats available upon download. Other tools which are mentioned in the next chapter work in a similar manner using metadata from the source file on YouTube. This research uses a 1080p resolution and an MP4 format for all videos upo n uploading to the site. Figure 3 displays a list of the available downloading formats and resolutions that were available from the 1080p video.

PAGE 20

! a Figure 3 YouT ube Resolution options for a 1080p upload.

PAGE 21

! &% CHAPTER III DOWNLOADER TOOLS A downloader tool is any type of free ware, software, or command line scr ipt that allows the user to download video off the I nternet. In this study, the tools must recognize the Dynamic Adaptive Streaming over HTTP ( DASH ) video hosted by YouTube s server. I t is not po ssible to acquire video from an unknown user on YouTube by simply clicking download from the host T herefore these tools are relevant and need to be validated and verified for accuracy and precision A comprehensive list of validated downloading tools is currently unavailable a nd relative ly unfeasible considering the constant advancement of technology. It i s not possible to verify and validate all the tools. That sa id, the focus of this study highlight s the three most popular downloading tools at this time It is i mportant to understand that e ach tool acts like a black box when downloading video in formation from the host website T he user is unable to observe the inner workings or alterations that are occuring until the video output is obtained. S ome tools work in the same w ay and output identical videos It is understood that some type of recompression is occurring since the DASH format comes as two separate tracks one for video and o ne for audio. H owever it is difficult to determine what change s o ccur during this proces s due to the "black box" principle It is crucial for an examiner to understand his or her tools as well as the effects they can have during analysis, on a video that is being scrutinized

PAGE 22

! && It is recommended to avoid video capture programs that record a computers video display output (such as Cam Studio, Snag It, Video Capture, ect ) These programs have poor analysis results due to the fact that what is played on the screen has the artifacts of the decoding and is not the original resolutio n. Real Player One Real player one (RPO) is a downloader tool developed by RealNetworks, Inc for Mac and PC Recently this program has changed to a cloud based format R PO works as a n ext ension within an I nternet browser. Once a video is recognized on the browser, RPO will provide the option to download the video displayed. Instead of providing the option of downloading different resolutions it will download any resolutio n that is currently displayed at th e time. In order to download a 1080p resolution video from YouT ube the user needs to display the video at 1080p under the quality settings on YouT ube. Figure 4 RPO Version info rmation YouT ube D ownloader YouTube Downloader v ersion 2.0 (YTD) is a downloader tool developed by GreenTree Applications for b oth PC and MAC This tool uses FFmpeg licensed under

PAGE 23

! &$ the LGPLv3 and its source code can be easily downloaded and viewed. The following formats were available for download once the URL is recognized by YTD: HD 1080, HD 720p, HQ 480p, HQ 360p (flv), HQ 360p (mp4), 240p, and 144p. No other settings are necessary or available within this tool. All research videos downloaded using YTD were 1080p. Figure 5 YTD User Interface A Tube Catcher ATube Catcher v ersion 3.8 is a freeware downloader tool developed by Diego Uscanga This tool can be thought of as a small web browser that interprets the content and downloads the video in the directory selected. It then converts a video to the format requested. All f ormats created by YouTube were available for download within this tool ATube cat cher provides a large list of recompression options that should be avoided for research purpose s The no recompression option displayed by figure 6 was used during this research.

PAGE 24

! &Z ! Figure 6 aTube Catcher User Interface Figure 7 aTu be Catcher Download Resolution O ptions Very little research has been published on YouTube compression effects and no research has been published so far on the tools or cameras used in this paper. A fellow student at the National Center for Media Forensics has done research in this area looking at cell phone images in social media websites [9]. His focus was determining the changes social media web sites such as MySpace and Facebook had on the cell phone images.

PAGE 25

! &' Other T ools It was diffic ult to select three tools to implement during research due to the large population of tools widely available. Prior research was done to study the trends and ensure the tools selected were some of the most widely used. O ver a dozen tools were tested before determining the best options. Some YouTube downloader tools may contain viruses upon download T his paper recommends having some form of anti virus software prior to downloading any tools to protect against a possible attack. Some of the tools that were studied but not used, include Clip grab, MacX, and a command line script tool called YouTube dl Unfortunately, Clip Grab encountered many consistent er rors while trying to preform the download. Therefore, Clip G rab was not selected as one of the primary tools for research. MacX is a tool designed for mac plat forms. The PRNU results of the Mac X downloader yielded identical results as YTD. I nstead of repe ating identical results MacX was not used as one of the three primary tools. This tool should be noted, however, as a high quality tool for downloading video from YouT ube, a nd the results mirrored YTD. A command line script using brew called Y o uT ube dl was also used in preliminary research. This script works well for some formats but would n ot allow a playable download of the 1080p resolution needed due to the DASH format used by YouT ube. The yout ube dl script can be used a s a tool for some YouTube video s but is not applicable in this research due to resolution limitations.

PAGE 26

! &] CHAPTER IV MATERIAL AND METHODS Data Base Acquisition The video camera database was collected using 10 Go Pro Hero black E dition s and one Nikon Cool P ix S 9. Two videos were produced using each of the 11 cameras. Each video has a time frame of roughly 15 20 seconds. Ideally a large number of frames should be used to calculate the Photo Response Non U niformity All camera dimensions were set at 1920x1080p during recording The codecs used to encode the videos were H.264, AAC. Th e color profile settings on all cameras used for research was HD (1 1 1). Figure 8 shows some of the cameras used for the experiment Figure 8 Go Pro Cameras

PAGE 27

! &^ The research videos were produced in a controlled setting on a wall illuminated by florescent lighting. The wall was uniform ly lit and painted a neutral, flat cream color The controlled lighting conditions selected were ideal for extracting uniform images. Extra attention was given to ensure no shadows were cast o n the image during acquisition, as this would hinder results. Figure 9 sho ws the color and texture of the wall used for researc h. Figure 9 Wall Color and Texture Database Upload and Download After the video data was acquired and saved, the entire collection of video s was uploaded to YouT ube This process was done using the uploading manager on the YouTube web site At this time t here is no other way to upload video s to YouTube. D u r ing the uploading process, n o special settings or inadvertent changes were ma de Attention to detail is important during this process to ensure the correct

PAGE 28

! &_ video is uploaded and titled accurately for proper download. By u sing three to ols selected for analysis RPO, YTD and aTube C atcher, all 22 v ideos were downloade d from each tool and saved. It was now possible to begin the experiment with three video sets, one from each of the tools, and the original set th at was not uploaded to YouTube Methods S tructure analysis metadata analysis, and PRNU analysis was used to determine how well a source camera can be identified from the other videos collected First the changes foun d after the downloading process within the structure and metadata of the video file are discussed Next t he s tructural and metadata analysis section describe s the consistencies and changes that occurred during the up loading and downloading process. The PRNU analysis described last, looks to reach a conclusion for camera identification with the YouTube videos Structure To analyze the structure of the files a program called MediaInfo v0.7.69 was used This program provides easy access to technical information about video and audio files. E ach of the video files were reviewed in order to determine if any changes in size, s tru cture, or information loss were present. During the structure analysis a tool called E xiftool v9.72 was also used This program is a command line application tool for reading, writing, and editing meta data information in a wide variety of files. This tool preforms well at reading the information within the metadata and pulling it out in a cohesive and organized format. E xiftool provided the most detailed information about the file structure.

PAGE 29

! &` Photo Response Non Uniformity A basic algorithm for linking a camera to an image can be described in a few simple steps First the camera reference patterns need to be calculated in order to develop a correlation between each of th e pat terns and the noise of an image [10]. The easiest way to calculate an approximation to the camera reference pattern is to average multiple images. Next, a ll frame averaging was done using a custom script in Matlab version 2012a. To speed up this process the scene content needs to be removed using a median filter de noising algorithm T he noise residuals are then average d If a larger quantity of image s is available to average, a greater suppress ion of random noise or scene content can be obtained It has been suggested that a minimum of 50 images sho uld be used for frame averaging [1 ] After an established reference pattern has been created, a correlation can be determined with the noise of a parti cular image [10]. To find the random noise simply empl oy the same principal as before; Use the de noising filter to approximate the noise free image and subtract this from the original, leaving only the noise residual. To find the correlation between this noise n and a particular reference patter n r use the standard formula corr (n r) = (n n) (r r) b n n bb r r b Every video from every camera 22 total, were compared against each other using c orrelation c oefficients (CC) to ultimately determine a possible conclusion for a source camera. This research was focused at looking for an inter variability and intra v ariability comparison An i nter variability comparison in this research uses two

PAGE 30

! &a videos created by different cameras. For example a video from camera one would be compared against a video from camera three. This inter variability c omparison uses all videos and all cameras against each other. This comparison is against others cameras and does not compare one camera against itself. Fi gure 10 Shows an example of an inter variability using Go pro Cameras. F igure 10 Inter V ariability An i ntra variability comparison in this research uses two videos created by the same camera. For example a video from camera one would be compared against another video from camera one. This comparison is against a single camera and does not compare one camera against another. Figure 11 shows an example of an Inter variability comparison using Go Pro Camera s.

PAGE 31

! $% Figure 11 Intra Variability These two terms will be used throughout the rest of this paper and are important to understand. This research compares the non YouTube origina ls between themselves and against the others to study both the i ntra and inter variability before YouTube. T he inter and i ntra variability was also tested for the downloaded videos that were acquired though each of the tools If a frame averaged image were compared and calculated for correlation against itself the value of the correlation would be 1.0 meaning the images are identical This exact match means that out of the three possible color channels (red, green, and b lue ) a perfect correlation of identical pixel noise was reported. When an im age is compared in correlation, to other frame averaged videos taken from a

PAGE 32

! $& different camera, the value of the correlation coefficien ts would begin to drop This drop is expected due to the fact that two different source cameras are being used. The lowes t possible correlation that c ould theoretically be calculated would be a 1. This result would indicate that out of all possible pixel noise in each of the r ed b lue and g reen channels not a single pixel displayed any identical properties.

PAGE 33

! $$ CHAPTER V RESULTS Structure and M etadata A nalysis The findings showed some very interesting differences between each of the downloader tools when given the exact same file to download off YouTube. Substantial differences in file size, file type, media duration, and movie data size were present. A single randomly selected video from the data set was used during the structure analysis as an example to avoid redundancy. Video structure data for all th e files can be found in the appendix (S ection 1). The single video randomly selected gave an accurate representation of how the tools function when they encounter a video file regardless of length. Unique changes in video structure were also apparent between tools The Hex information within the video file was re encoded when the video was downloaded from Youtube using each of the three downloader tools. The original video file that was not uploaded to YouTube contained valuable information including camera model, serial number, and encoder information. This hex data, upon download, was replaced with hex information f rom each of the tools. Figure 12 displays these change s :

PAGE 34

! $Z Figure 12 Hex d ata comparison Each column of hex information within figure 12 shows the data from the beginning of the video file. The original video file, display ed on the left side in figure 12 contains valuable hex information that is highlighted in yellow When comparing the original file to e ach o f the three tools it is apparent that the hex information has been manipulated. Each tool replace d the information with its own unique hex structure and consequently, the original camera information was lost The camera info rmation in this example included firmware, camera model, serial number, and gamma settings. An extensive list of information, from the camera, can be encoded within the hex. To the untrained eye this hex information can look overwhelming and

PAGE 35

! $' impossible to understand. It is up to the examiner to learn the camera encoding structure and decipher the relevant data. Consistencies The results show ed t he file size and duration were consistent when YTD and RPO were compared against each other. These tools work in a very similar fashion since their results are nearly identical The original video had a file s ize of 38MB before it was uploaded to YouTube. After the video was downloaded using RPO and YTD, the file size had changed to 4.8MB. ATube reported a file size of 6.8MB upon download. A large amount of data loss occurred after the download, which was anticipated due to the compression scheme that YouTube uses. However, i t was unexpected and interesting to see th e differences between file siz e and media duration between the various tools. Other c onsistencies found included image dimensions and matrix structure. The file type was not converted to any other file format with one exception RPO changed the file type in all videos to M4V. The M4V file format is a n iTunes video format [11 ] and it is not understood why RPO changed specifically to this format. The tools preformed well at recognizing a nd downloading the correct 1080x1920 version from YouTube. This is a crucial first step that cannot be overlooked during analysis The Results were consistent amongst all tools when reporting the correct size of the videos. The matrix structure was not changed and was confirmed as identical to the original file. Inconsistencies The structure results that deviated from the originals included media duration

PAGE 36

! $] and movie data size. The original duration of the mo vie randomly selected for file analysis, as a sample for the entire collection, had a time of 15.25s. This media duration ch anged when the video was downloaded from YouTube. All of the tools seemed to be adding time to the o riginal file. ATube reported a video duration of 15.33s which is 08 s longer than the original. Both YTD and RPO displayed a duration time of 15.30s which i s .05 s longer than the original. Table 1 shows the data found within the selected sample video and the changes that occurred. Table 1 Video 1 1 Exif Data acquired using Exiftool version 9.72 (Note File Size, Data Size and Media D uration I nconsistencies ) PRNU Analysis From the research in thi s paper, it is clear that YouTube degraded the PRNU Data Type Original YTD RPO aTube File Size 38 MB 4.8MB 4.8MB 6.8MB File Type MP4 MP4 M 4 V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Video Frame Rate 29.97 29.97 29.971 29.97 Matrix Structure 1 0 0 0 1 0 0 0 1 1 0 0 0 1 0 0 0 1 1 0 0 0 1 0 0 0 1 1 0 0 0 1 0 0 0 1 Media Duration 15.25 s 15.30 s 15.30 s 15.33 s Movie Data Size 39289830 5039051 5039051 7166451 Image Size 1920x1080 1920x1080 1920x1080 1920x1080

PAGE 37

! $^ noise that was used to determine a source camera. This d egradation and loss of PRNU noise was expected due to the compression scheme that YouTube uses It was also apparent that the C. C values of the original videos were higher than those of any of the YouTube videos. Figure 2, 3 and 4 exhibit each of the tool s i nter variability results when compared to the originals. Figure 5 shows all of the i nter variability results located on one plot for a reference. T he YouTube videos within fi gure 5 scatter ed roughly around the .03 CC mark The aTube tool shows the largest range in values with some of the highest and lowest C.C values. T he results from the downloaded YouTube videos were w ell below those of the original videos which were densely scattered above the .10 C.C mark. Table 6, 7 and 8 exhibit each of the tool's i ntra variability results when compared to the originals. Table 9 shows all of the intra variability results on one plot for a reference. Within Table 9 it is clear that the single Nikon camera used in the experiment has preformed very uniformly with all the other Go Pro action camera s. The results from the aTube tool show ed the highest level of correlat ion out of any of the tools. The correlation data from the group of tools populate d dense results at the .5 mark T he o riginal video correlation results populate d heavily around the .3 mark. The highest va l u e was determined to be the original GP C amera 10 with a value of .53426. This was coincidentally the longest video which leads us to believe in future research a longer time frame when acquiring video could produce higher c orrelation values.

PAGE 38

! $_ Table 2 Inter Variability (YTD Vs. Original ) Table 3 Inter Variability (aTube Vs. Original) Table 4 Inter Variability (RPO Vs. Original)

PAGE 39

! $_ Table 5 Inter Variability (YTD, RPO, aTube, Vs. Original) Table 6 Intra Variability Plot (RPO Vs. Original)

PAGE 40

! $a Table 7 Intra Variability Plot (aTube Vs. Original)

PAGE 41

! Z% Table 8 Intra Variability (YTD Vs. Original) Table 9 Intra Variability (aTube, YTD, RPO, Vs. Original)

PAGE 42

! Z& The mea n correlation values of the original video s were determined to be higher than those of any of the tools. This was expected since a significant data loss after all YouTube downloads would cause degradation of quality and extractable noise. Table 10 shows a plot of the in tra and inter variability when all c orrelation values were averaged for each of the three tools and the original. Table 10 Mean Correlation Values The intra v ariability PRNU results show a clear threshold of separation where a consistent video, an inconclusive video, and an inconsistent video can be determin ed using a histogram plot. The h istogram plot demonstrates how to determine if an intra v ariability comparison of a camera in question is consistent, inconclusive, or inconsi stent with an ori ginal or compressed video from Y ouTube. Histogram tables 11, 12, and 13 show an i nconclusive area of se paration using a black

PAGE 43

! Z$ circle. YTD, RPO and aTube each show a clear area of intra variability camera separation. If a camera's correla tion v alue were to fall within this black area of separation the res ult would be inconclusive. If the correlation value were to fall below the inconclusive area of separation the result would be consistent with YouTube compression Additionally, a video in question can be determined to be an origin al video if the threshold of the c orrelation is above the inconclusive area of separation. Table 11 Histogram (Intra Variability Original Vs. YTD) Area of Separation (.063971 to .22584)

PAGE 44

! ZZ Table 12 Histogram (Intra Variability Original Vs. RPO) Area of separation (.08466 to .22584)

PAGE 45

! Z' Table 13 Histogram (Intra Variability Original Vs. aTube) Area of Separation (.093963 to .22584) The i nter variability PRNU results do not exhibit a ny clear threshold of separation where an inconclusive video would fall. The results were interlaced within each other and no threshold was apparent. For inter v ariability, if a camera s c orrelation value were to be significantly higher than the "grey" area, whe re the

PAGE 46

! Z] correlations are interlaced, a verbal decision can be reached as being consistent with an original uncompressed, video. On the other side of the histogr am if a camera s correlation value were to be significantly lower than the "grey" area, w h ere the correlations are interlaced, a verbal decision could be reached as being inconsistent with an original uncompressed video. Table 14 Histogram (Inter Variability Original Vs. YTD) No clear separation is present

PAGE 47

! Z^ Table 15 Histogram (Inter Variability Original Vs. RPO) ( No clear separation is present )

PAGE 48

! Z_ Table 16 Histogram (Inter Variability Original Vs. aTube) ( No clear separation is present )

PAGE 49

! Z` CHAPTER VI CONCLUSION The first conclu sion reached from analysis showed that the downloader tools affect the PRNU measurements This conclusion is also supported by the file sizes from table 1. A higher compression ratio for YTD and RPO was present due to the fact that an identical number of frames per second reported a lower file size than aTube. The high frequency small details were lost when large compression ratio s were present This compression can degrade the PRNU data and the discrimination po wer of the analysis The research demonstrated that when downloading videos from YouTube for analysis, one should test their downloading tools and select the method which will incorporate the least amount of compression. If a video is called into question and a reference video database is available, the examiner can look for a match In a forensic case it is recommend to a build database collected over time, with thousands of cameras and videos to help determine the origin of a video. Since a re ference population was available in this research a threshold and a conclusion can be determined. This is the same principle that should be applied in al l forensic cases. The results suggest that using a combination of techniq ues including format, structure and PRNU will yield the most accurate results. PRNU can be relied upon when the structure analysis exhibits signs of change. In a ny video forensic case an examiner should build a sample database, and calibrate all system 's before forensic

PAGE 50

! Za analysis It's very important to know the limits of your science and combine techniques when providing camera identification and authentication analysis. The techniques discussed in this paper are limited in providing positive proof of ca mera identification s ince the number of possible combinations between cameras, their settings, and eventually digital edits and recompressions before uploading to YouTube or other video hosting services is almost impossible to compute Due to the number of different variables the following conclusions are proposed that can be used within a frame work for forensic cases: Consistent with an authentic v ideo Inconclusive Inconsistent with an authentic video A conclusion i n a forensic case contain s the forensic results obtained by the examiner R eport ing the result s in a clear and concise manner i s crucial in conveying the report during legal proceedings Table 17 was c reated to show an example of a basic conceptual structure for video authentication The table is divided into three main sections: file structure, global structure analysis and source camera identification. Within each of these sections the authentication and identification techniques listed can be removed replaced or built upon U sing all analysis techniques listed in table 17 might not be practical or even feasible for an examiner due to time constraints or fin an cial resources It is up to the judgment of the

PAGE 51

! '% exa m in er to determine what techniques are necessary to provide a logical and unbiased conclusion as to the authentication or source of the video in question. Table 17 Proposed Structure

PAGE 52

! '& CHAPTER VII FURTHER RESEARCH New action cameras are constantly being developed. Since the publication of this paper the developers at Go P ro have come out with the newest line of action cameras. Further research into action camera identification using YouTube should include this li ne of cameras and others that become relevant. New Video sharing hosts will inevitably be created for distributing video. Although YouTube is currently the most popular video sh aring web service, other websites like Vimeo are gaining huge popularity N ews organizations are also now shar ing their video content ov er the I nternet through their w ebsite New resolutions will become relevant as action cameras currently allow acquisition of 4k and 8k videos. A higher resolution vide o with would improve PRNU results giv en the same lighting conditions The structure of the video files along with the principles of acquisition and saving should generally remain the same while resolution improves. New downloader tool s will be available in the future and will beco me relevant to acquire a video in question. These tools will work with new hosting websites to allow users the option to save higher resolution videos. YouTube has not created the option to download any video as of 2014 Other algorithms to ex t ract PRNU n oise (e.g Wavelet) should be tested and used in further experimentation. Combinations of algorithms have proven to be effective and should be tested on action cameras [7] New or updated algorithms will

PAGE 53

! '$ be developed that will process data more efficiently and allow for even higher c orrelation values.

PAGE 54

! 'Z BIBLOGRAPHY Sources [1] Houten W. van, Geradts Z.: Source video camera identification for multiply compressed videos originating from youtube Digital Investigation, Issues 1 2, pages 48 60, September (2008) [2] Dirik, Ahmet Emir, Husrev T. Sencar, and Nasir Memon. "Digital single lens reflex camera identification from traces of sensor dust." Information Forensics and Security, IEEE Transactions on 3.3 (2008): 539 552. [3] S. Bayram, H. T. Sencar, and N. Memon, "Source Camera Identification Based on CFA Interpolation," Proc. of IEEE ICIP, 2005 [4] J. Lukas, J. Fridrich, and M. Goljan, "Determining Digital Image Origin Using Sensor I mperfections," Proc. of IS&T SPIE vol 5680, 2005 [5] Zeno J Geradts, Jurrien Bijhold, Martijn Kie Kenro Kuroki, and Naoki Saitoh. Methods for identification of images acquired with digital cameras, 2001. [6] Luk‡", Jan, Jessica Fridrich, and Miroslav Goljan. "Detecting digital image forgeries using sensor pattern noise." Electronic Imaging 2006 International Society for Optics and Photonics, 2006. [7] Cooper J. Allen, "Improved photo response non uniformity (PRNU) based source camera identification. Forensic Science International 226 (2013) 132 141 [8] Anderson, Scott "Digital Image Analysis: Analystical Framework fro Authenticaitng digtal images." 2001. [9] NG, Nicholas "Cell phone images in social media: An analysis of cellphone image structure b efore and after social media compression." 2011 [10] Jenkins, Neil "Digital Camera Identification" 2009 [11 ] http://support.apple.com/kb/SP521 [12 ] Lukas, Jan, Jessica Fridrich and Miroslav Goljan. "Digital Camera Identification From Sensor Pattern Noi se." IEEE Transactions on Information Forensics and Security 1.2 (2006): 205 214.

PAGE 55

! '' APPENDIX Section 1 File Structure for all Videos Camera 1 2 Information Original YTD RPO aTube File Size 42 MB 5.3 MB 5.3 MB 7.6 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 16.98 s 17.04 s 17.04 s 17.07 s Movie Data Size 43717774 5554012 5554012 7972646 Camera 2 1 Information Original YTD RPO aTube File Size 42 MB 4.8 MB 4.8 MB 6.9 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 15.42 s 15.46 s 15.46 s 15.49 s Movie Data Size 39736173 4999733 4999733 7232631 Camera 1 1 Information Original YTD RPO aTube File Size 38 MB 4.8 MB 4.8 6.8 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 15.25 s 15.30 s 15.30 s 15.33 s Movie Data Size 39289830 5039051 5039051 7166451

PAGE 56

! '] Camera 2 2 Information Original YTD RPO aTube File Size 37 MB 4.5 MB 4.5 MB 6.6 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 14.81 s 14.88 s 14.88 s 14.91 s Movie Data Size 38255882 4747095 4747095 6947857 Camera 3 1 Information Original YTD RPO aTube File Size 42MB 5.4MB 5.4MB 7.7 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 17.15 s 17.20 s 17.20 s 17.23 s Movie Data Size 44062209 5687497 5687497 8070707 Camera 3 2 Information Original YTD RPO aTube File Size 36 MB 4.4 MB 4.4 MB 6.5 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 14.45 s 14.51 s 14.51 s 14.54 s Movie Data Size 37280960 4645405 4645405 6795142

PAGE 57

! '^ Camera 4 1 Information Original YTD RPO aTube File Size 27 MB 3.4 MB 3.4 MB 4.9 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 10.84 s 10.91 s 10.91 s 10.94 s Movie Data Size 28240322 3559080 3559080 5121068 Camera 4 2 Information Original YTD RPO aTube File Size 34 MB 4.5 MB 4.5 MB 6.2 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 13.95 s 14.00 s 14.00 s 14.02 s Movie Data Size 36031905 4731901 4731901 6527835 Camera 5 1 Information Original YTD RPO aTube File Size 47 MB 5.8 MB 5.8 MB 8.5 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 19.02 s 19.09 s 19.09 s 19.11 s Movie Data Size 48811178 6108459 6108459 8935926

PAGE 58

! '_ Camera 5 2 Information Original YTD RPO aTube File Size 40 MB 5.2MB 5.2MB 7.4 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 16.45 s 16.51 s 16.51 s 16.53 s Movie Data Size 42301985 5392419 5392419 7766282 Camera 6 1 Information Original YTD RPO aTube File Size 42 MB 5.2 MB 5.2 MB 7.8 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 17.25 s 17.30 s 17.30 s 17.32 s Movie Data Size 44276724 5487463 5487463 8116226 Camera 6 2 Information Original YTD RPO aTube File Size 33 MB 4.1 MB 4.1 MB 6.1 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 13.45 s 13.51 s 13.51 s 13.54 s Movie Data Size 34724321 4288379 4288379 6383676

PAGE 59

! '` Camera 7 1 Information Original YTD RPO aTube File Size 32 MB 4.1 MB 4.1 MB 5.8 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 12.98 s 13.03 s 13.03 s 13.05 s Movie Data Size 33603400 4292800 4292800 6119916 Camera 7 2 Information Original YTD RPO aTube File Size 36 MB 4.5 MB 4.5 MB 6.6 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 14.61 s 14.67 s 14.67 s 14.70 s Movie Data Size 37702498 4743947 4743947 6910318 Camera 8 1 Information Original YTD RPO aTube File Size 36 MB 4.6 MB 4.6 MB 6.6 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 14.71 s 14.77 s 14.77 s 14.79 s Movie Data Size 37897629 4781548 4781548 6909869

PAGE 60

! 'a Camera 8 2 Information Original YTD RPO aTube File Size 36 MB 4.6 MB 4.6 MB 6.6 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 14.75 s 14.81 s 14.81 s 14.84 s Movie Data Size 37959174 4757307 4757307 6958366 Camera 9 1 Information Original YTD RPO aTube File Size 37 MB 4.5 MB 4.5 MB 6.8 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 14.95 s 15.00 s 15.00 s 15.02 s Movie Data Size 38598176 4688087 4688087 7070215 Camera 9 2 Information Original YTD RPO aTube File Size 34 MB 4.3 MB 4.3 MB 6.3 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 13.88 s 13.93 s 13.93 s 13.96 s Movie Data Size 35939341 4464201 4464201 6565152

PAGE 61

! ]% Camera 10 1 Information Original YTD RPO aTube File Size 90 MB 7.5 MB 7.5 MB 8.9 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 23.976 23.976 23.976 23.976 Media Duration 24.52 s 24.59 s 24.59 s 24.61 s Movie Data Size 93709849 7890852 7890852 9316208 Camera 10 2 Information Original YTD RPO aTube File Size 84 MB 6.8 MB 6.8 MB 9.4 MB File Type MP4 MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 23.976 23.976 23.976 23.976 Media Duration 22.98 s 23.03 s 23.03 s 23.06 s Movie Data Size 87936948 7062568 7062568 9839232 Camera nikon 1 Information Original YTD RPO aTube File Size 38 MB 6.4 MB 6.4 MB 8.4 MB File Type MOV MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 21.01 s 21.08 s 21.08 s 21.11 s Movie Data Size 40041284 6639946 6639946 8767773

PAGE 62

! ]& Camera nikon 2 Information Original YTD RPO aTube File Size 42 MB 7.1 MB 7.1 MB 9.2 MB File Type MOV MP4 M4V MP4 Image Width 1920 1920 1920 1920 Image Height 1080 1080 1080 1080 Frame Rate 29.97 29.97 29.97 29.97 Media Duration 23.02 s 23.08 s 23.08 s 23.10 s Movie Data Size 43894492 7446439 7446439 9641933