1

I am wondering if there is a way to timestamp a video. (e.g. Security camera footage)

I know that there is a way to timestamp a document with a trusted time authority, and it will certainly be possible to cut the video, send it to a time authority and get it timestamped. But it won't ensure that the footage is exactly from a specific time.

Could there be any trust-able methods to timestamp the video while it's being recorded, so that there will be a method to verify that the exact frame of a video footage is from exactly that time?

Luc
  • 31,973
  • 8
  • 71
  • 135
  • A possible way would be to split the stream in clips of few minutes and then timestamp each clip as soon as it is available. The shortest the clip, the hardest to forge images and the most resource consumption on the timestamping system. – Serge Ballesta Oct 12 '18 at 12:38
  • @SergeBallesta True. But that method can't ensure that the footage is not from the past (e.g. a previous recording). –  Oct 12 '18 at 12:40
  • @MoonsikPark: You cannot prove that some digital information you timestamp just where created now. The most you can prove that they were created not after the timestamp. – Steffen Ullrich Oct 12 '18 at 12:48

2 Answers2

4

You mention surveillance cameras as one possible application, and I assume you want its footage to hold up in court, but for that it usually does not need to be accurate to a single frame (with dozens of frames per second). Therefore I'm not sure I understand your exact purpose, but here is what I can think of:

  • You can prove that something was recorded at "a certain time or later" by including unpredictable events, such as the most recent news headlines or stock data.
  • You can prove that the footage is from "before a certain time" by using a trusted third party (TTP) which timestamps (or keeps a copy of) the data.
  • You can sometimes correlate audio with the electricity grid's frequency, called electrical network frequency analysis: https://en.wikipedia.org/wiki/Electrical_network_frequency_analysis

I'm not sure if there are TTPs that can do timestamping of a video stream in realtime, but as far as I know it's impossible to prove (without TTP) that something happened before a certain time: with hindsight, you can always apply/include things from the past. Even the electric hum can be applied afterwards. The question is: would the judge (or in some countries, random people off the street) believe that you went through all that effort to forge surveillance video evidence? Are there any indications of forgery? Could it reasonably have been done in the time that you had between the crime and the submission of evidence?

Luc
  • 31,973
  • 8
  • 71
  • 135
  • I've thought of some solution. Say I want to timestamp a certain range of time of a video. If I include(overlay) a hash of the most recent bitcoin block in the video, updated real time, and cut it after certain time (1 hr) and get it immediately timestamped from a certain timestamp authority, can I prove that the footage is a)taken after the certain bitcoin block creation time b)edited before the timestamped date of the video? –  Oct 13 '18 at 00:09
  • @MoonsikPark Yes, that's pretty much what I tried to describe in the answer ;) – Luc Oct 13 '18 at 09:50
0

A passing knowledge in digital forensics informs us of the fact that all activity on machines leaves evidence, just like evidence in a crime scene, that can be detected. This is why the famous "gutman wipe" involves 35 passes of wiping the data. Intuitively, we'd think only one, but at the lower level it's far more complicated.

As for how this applies to your particular situation, I'd have to know what you mean by trustable. However, within the confines of a court, a timestamp that is made by your operating system actually should suffice, save you do silly things which call it into question.

We can see this with existence of the tool timestomp, which is used to counter forensics. Even though with that tool we can change timestamp entires to believable values, this still only will serve to pass undetected through casual glance. A forensics investigator who takes a closer look at a file will be able to tell that it was changed, and conversely, if it has not been.

Therefore, it's fair to conclude that if you present an unaltered file, it would be possible to prove with relative accuracy that it is indeed unaltered.

Now, to tie that all the way back in to truly proving that your entire footage is real, and that each frame is indeed occurring at that exact time: You could grab one of the open-source security-cam softwares that timestamp the footage as it's rolling. It's a standard security cam feature where each frame actually has a timestamp in the image. Since it's open source it can be verified that the software is indeed functioning correctly, and since you're a good boy and having it write straight to the as it goes, we'd be able to reasonably conclude that the footage stored in that file was unedited, and that the frames listed in the footage were accurate.

HOWEVER, nothing is perfect, and I could go into more detail into ways in which you could up it's reliability further. But, for most applications, just having a good open source software which timestamps as it's recording, and leaving it in it's original unaltered state coming right off the software should make it good enough for most cases.

John Quinn
  • 9
  • 2
  • 1
    Actually the 35-pass wipe _is_ unnecessary, and only one wipe is needed. The 35 passes were required when drives were MFM and had a wide variety of different low-level formats, making each pass (or group of passes) designed to wipe a specific kind of drive. For modern drives, a single pass is completely sufficient. Also, you can _certainly_ perform actions on a computer without leaving evidence. – forest Oct 14 '18 at 03:20
  • I'm not sure if we've been reading the same information then. For example, the DOD has adopted the stance that there is no way to fully guarantee the information cannot be recovered from the device without physical destruction of the medium. And there have been several white papers on solid state drives to the subject that there is no effective way to wipe them at all. Best we do is encrypt the whole drive and throw away the key, which good enough for now, but not future proof should moores law hold up. – John Quinn Oct 14 '18 at 16:53
  • There's more, I suppose I should pull some sources at this point. Operating systems like TAILS target the problem of hard drive footprints by avoiding touching the hard drive at all. – John Quinn Oct 14 '18 at 16:57
  • Solid state drives work completely differently. You are correct that overwriting the block device is ineffective for them, however even a 35 pass overwrite is ineffective for an SSD. For a (non-hybrid) HDD, a single pass is equivalently secure to 35 overwrites. The DoD requires physical destruction due to e.g. damaged sectors that cannot be overwritten. The fact is, a single write and 35 writes are equally effective. – forest Oct 15 '18 at 03:09