Schneier on Security
A blog covering security and security technology.
June 16, 2010
Dating Recordings by Power Line Fluctuations
The capability, called "electrical network frequency analysis" (ENF), is now attracting interest from the FBI and is considered the exciting new frontier in digital forensics, with power lines acting as silent witnesses to crime.
In the "high profile" murder trial, which took place earlier this year, ENF meant prosecutors were able to show that a seized voice recording that became vital to their case was authentic. Defence lawyers suggested it could have been concocted by a witness to incriminate the accused.
ENF relies on frequency variations in the electricity supplied by the National Grid. Digital devices such as CCTV recorders, telephone recorders and camcorders that are plugged in to or located near the mains pick up these deviations in the power supply, which are caused by peaks and troughs in demand. Battery-powered devices are not immune to ENF analysis, as grid frequency variations can be induced in their recordings from a distance.
At the Metropolitan Police's digital forensics lab in Penge, south London, scientists have created a database that has recorded these deviations once every one and a half seconds for the last five years. Over a short period they form a unique signature of the electrical frequency at that time, which research has shown is the same in London as it is in Glasgow.
On receipt of recordings made by the police or public, the scientists are able to detect the variations in mains electricity occurring at the time the recording was made. This signature is extracted and automatically matched against their ENF database, which indicates when it was made.
The technique can also uncover covert editing—or rule it out, as in the recent murder trial—because a spliced recording will register more than one ENF match.
Posted on June 16, 2010 at 7:00 AM
• 45 Comments
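The database match and splice check described in the quoted article, as an added example (not code from the article, the Metropolitan Police lab or this blog). It assumes the ENF trace has already been extracted from the audio as one frequency reading per 1.5 seconds; the reference log, the recordings and all function names are constructed for illustration.

```python
import random

SAMPLE_PERIOD_S = 1.5  # interval between database readings, as stated in the article


def make_reference(n, seed=2010):
    """Constructed stand-in for a grid log: mains frequency wandering around 50 Hz."""
    rng = random.Random(seed)
    freq, log = 50.0, []
    for _ in range(n):
        # Random demand-driven drift, with a weak pull back towards nominal.
        freq += rng.gauss(0, 0.004) - 0.02 * (freq - 50.0)
        log.append(freq)
    return log


def simulate_recording(reference, start, n, seed, clock_bias=0.03):
    """Constructed ENF trace as a recorder would capture it: the grid values from
    `start`, shifted by a constant recorder clock error, plus measurement noise."""
    rng = random.Random(seed)
    return [reference[start + i] + clock_bias + rng.gauss(0, 0.0005) for i in range(n)]


def locate(segment, reference):
    """Slide `segment` along `reference`; return (best_offset, rms_error_hz).

    Both sides are mean-centred first, so only the shape of the fluctuation is
    compared and a constant offset from the recorder's clock does not matter.
    """
    n = len(segment)
    seg_mean = sum(segment) / n
    seg = [s - seg_mean for s in segment]
    best_offset, best_err = None, float("inf")
    for offset in range(len(reference) - n + 1):
        window = reference[offset:offset + n]
        win_mean = sum(window) / n
        err = sum((s - (r - win_mean)) ** 2 for s, r in zip(seg, window))
        if err < best_err:
            best_offset, best_err = offset, err
    return best_offset, (best_err / n) ** 0.5


def analyse(recording, reference, window=60, max_rms=0.002):
    """Match the recording window by window against the reference log.

    Returns a list of (recording_index, reference_index) pairs, one per
    continuous run. One pair: a single unbroken recording, dated by its
    reference index. More than one: the material comes from different times.
    Windows with no confident match (e.g. one straddling a cut) are skipped.
    """
    runs, last_lag = [], None
    for pos in range(0, len(recording) - window + 1, window):
        offset, rms = locate(recording[pos:pos + window], reference)
        if rms > max_rms:
            continue
        lag = offset - pos  # constant for as long as the recording is continuous
        if lag != last_lag:
            runs.append((pos, offset))
        last_lag = lag
    return runs


if __name__ == "__main__":
    ref = make_reference(3000)
    spliced = (simulate_recording(ref, 500, 120, seed=1)
               + simulate_recording(ref, 2000, 120, seed=2))
    for rec_idx, ref_idx in analyse(spliced, ref):
        print(f"recording t={rec_idx * SAMPLE_PERIOD_S:.0f}s "
              f"matches log t={ref_idx * SAMPLE_PERIOD_S:.0f}s")
```

The reference index converts to a wall-clock time by multiplying by the sample period and adding the time at which the log began.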
A point to note,
The UK unlike the US is fully synchronous at 50
The met police are not the only people that record this.
And thus it is spoofable to those who know about it and have for many years.
Recently I was evaluating a 'green web camera' product. It was supposed to pick up the current power usage of the household from AC frequency variation detectable from video signal coming from the off-the-shelf web camera. It worked partially but was not reliable enough to justify further development. It seems to resonate with your posting...
To make this work at all, you'll need to make the same second by second grid recordings the researchers did in London. And since the one "national grid" isn't going to have the same frequency variations, you'll have to do it all over the country. Sure, they phase match connectors, but variations still exist. Since some variations follow patterns, you'll need a way to differentiate between two seemingly identical recordings. Try hooking up a freq counter to an AC outlet and record readings when your air conditioner or refrigerator kick in; that's a variation localized pretty much to your home.
"Battery-powered devices are not immune to ENF analysis, as grid frequency variations can be induced in their recordings from a distance."
That statement bothers me. It's possible, but unlikely if everything is grounded correctly. And less likely the lower the AC voltage. And since most modern audio devices incorporate shielding and filters to eliminate such interference - filters with inductive/capacitive components that can affect the frequency of anything making it through - any possible signature could be altered. And then the signature has to somehow have a great enough amplitude so as not to be masked by the audio being recorded.
And a valid match presupposes you know _where_ the recording was made; you won't always.
If I were on a jury being told this, I'd be extremely dubious unless they could reliably demonstrate the effect in a double-blind experiment, with multiple recording devices all picking up the same signature at the same time.
And Clive makes an excellent point about spoofing. All it takes is a small generator with a variable load. Or masking with a Faraday cage.
Oh, yes; and you'll have to be able to verify the recording timestamp or you'll be going through an awful lot of records looking for a match. And you can't go by file creation; that could just be when a WAV was converted to a separate MPG.
Can someone answer the question whether these are analogue recordings or digital? How can such a pattern be visible in digital recordings?
Marc B.: This only works with digital recordings, as they note in the article. You need very accurate timekeeping in the recording, which means digital.
I suspect what they do is measure the frequency of background hum that is picked up acoustically just like the voice that is intentionally being recorded. Most locations have buzzing fluorescent light fixtures, fans, motors, or something that's synchronous with the power line frequency. As a member of a garage (actually den) band, it's amazing how much background noise you pick up if you listen for it.
Carl Bussjaeger: "Try hooking up a freq counter to an AC outlet and record readings when your air conditioner or refrigerator kick in; that's a variation localized pretty much to your home."
Um, sorry. If the frequency changes when your load changes, that's because you have a local inverter and aren't actually running from the grid. The frequency at your outlet cannot change due to load. The only way the mains frequency changes is if the rotational speed of all the generators supplying power to you changes. Your air conditioner is nowhere near big enough to make that kind of load change. Your voltage will droop, but not the frequency.
Although, putting solar panels up and running your whole house off-grid would certainly be a countermeasure, at least for recordings made in your house.
@Marc B. : Did you read the article?
""ENF has basically been made possible by the move to digital recording," Dr Cooper said.
"Old magnetic cassette and VHS tapes didn't keep time accurately enough to extract reliable data, but now we can analyse even cheap voice recorders."
Oh another point for people to note.
Your mobile phone when it registers with the network outputs a series of high energy pulses at a very very high frequency.
However as many know audio equipment with a mobile phone adjacent to it often produces a burst of "buzzes".
Now in some parts of the world the cellphone companies keep an accurate record of such things.
And as Carl above notes local equipment will produce spikes that may well correlate with noise picked up on a microphone the question is though would it be of any use...
Well it might cross correlate with say a VHS recording or more interestingly a computer download...
And this is where the forensics really can get fun.
Most computer audio inputs are crap and quite often the SMPSU is likewise crap, which means both can end up recorded on your computer hard disk based on when blocks get written to disk.
Now some operating systems and the PC's they run on are very bad with time stamps but some are good so the actual time of day may be uncertain by a wide degree but, it's not the time stamps you are checking it's the delta times on actions of writing to the hard disk. So with the right kind of examination you can roll it back to another known point in time such as a network packet being sent etc etc.
The process is a bit like dendrochronology where tree rings allow very very accurate measures of time in wood. As long as you have a succession of pieces of wood that were alive in overlaps of ten to twenty years you can go back many many thousands of years to within a couple of months. Thus volcanos and other atmosphere affecting events can be nailed down to within just a few weeks... Which can then nail down times in ice cores or sea/lake floor mud cores and in some cases even the likes of sedimentary rocks...
Now the question still is, can it be spoofed and if so can the spoofing be detected...
Simple answer watch this space...
Oh and for those thinking how come Clive knows about this...
Simple I have been looking into using micro timing variations as random number generators for years and to be quite honest, most of the stuff on your average PC is either not good enough. Or worse can allow an attacker to back trace the contents of your entropy pool...
Technically it's "fluctuations" in line frequency not phase or amplitude "interference".
Although due to problems or limitations in measurement amplitude interference can become localised zero crossing point phase modulation of the line frequency so you have to be a bit careful about what you measure and how...
I was always wondering if there would be a way to detect information imprinted into a video signal whether it's from the electrical grid or even the earth's magnetic field to somehow help pin-point the location of jihadists.
If you make a copy of the digital recording -- you'd get the signature of the copy.
@ Marc B.,
"Can someone answer the question whether this are analogue recordings or digital? How can such a pattern be visible in digital recordings?"
The answer to the first part is both.
Even digital recordings are in most cases analogue recordings. What is actually needed is a highly stable clock reference.
Now most analogue recordings lack this reference but sometimes they do have one. Some professional analogue audio recorders used to use a bias frequency that was derived from a quartz resonator source (often used as the micro controller clock).
But one source of analogue recordings contain a highly accurate reference by default and that is "video recordings" this is independently generated and in some cases (Nation wide broadcasters) is derived from an atomic clock (Rubidium lamp etc).
The trick is to find things sufficiently stable that you can use it to measure something else (mains hum if you will).
Now what you are measuring is not absolutes as these cannot be compared but changes in the direction of the frequency.
These changes are what you cross correlate just like a spread spectrum signal.
However what has not been mentioned is the wealth of information that would enable you to directly fingerprint the recording device independently of any tags that might get included.
To find out you need to understand "Impulse analysis" using pseudo random gaussian white noise. It tells you all sorts of things about the quality of the analogue front end right from the mechanics of the microphone all the way down to the input of the A-D converter. However although possible to measure I suspect it may well get swamped by other effects such as say room dynamics thus be not that reliable in practice (however I've not had reason before to find out so PhD research project anyone?).
Johnny Vector: "Um, sorry. If the frequency changes when your load changes, that's because you have a local inverter and aren't actually running from the grid."
I've watched it happen; do a lot of work with line freq sensitive electronics. It isn't a matter over amperage load change, but the sudden addition of a big capacitor to the circuit. That high capacitance starter cap on an electric motor very briefly changes the resonance of the electric system. It's not a huge change, but a counter will catch it.
Actually, with an inverter you should see about the same change you would on-grid. But a backup generator scaled to most residential applications will react noticeably to a load change.
"Old magnetic cassette...tapes didn't keep time accurately enough to extract reliable data..."
Not even my Nagra? Oh, dear.
Unfortunately, criminal forensics are rarely based on the scientific method. This sounds like another shaky technique that will be used in place of solid evidence to help convict someone whom the police already suspect. Let's hope it never comes to the US, where someone can be put to death after a wrongful conviction.
See http://www.popularmechanics.com/science/health/... for a really good article about forensics.
Thanks for the explanations. So this depends on pretty high quality digital recordings? Because they need to have very accurately timed background sounds stemming from sources that reflect the grid frequency? Did I get it now?
@ Marc B.,
I don't know how old you are but have you ever seen a B movie of cowboys and indians where sometimes the waggon wheels go forwards and sometimes backwards?
Well it's the same effect the signature they are looking for is if the wheel moves forwards or backwards and how fast.
There is a significant problem though as anybody playing with DSP's and sampling will be aware there are multiple frequencies that produce the same rate of rotation it's sometimes known as frequency foldback and it's a problem with all sampling systems.
So with a 100Hz sample rate 210, 310, 410, 510.... 10000010Hz etc will give a ten Hz baseband signal....
Which is an issue to do with sampling or convolving...
@ Carl, Johnny,
You are both right...
You don't change the frequency of the mains locally what you do is add the interference signal as phase modulation.
Over a short period of time the frequency of the mains will appear to change and can be measured as such.
It does not really matter if it is AM or PM modulation (it's usually both) as the process of sampling often converts the effects of one to the other....
The police force that ran the investigation this week declined to name the murderer in response to requests from The Register, citing undisclosed "operational reasons".
But the trial is a matter of public record isn't it?
"digital forensics lab in Penge, south London, scientists have created a database that has recorded these deviations once every one and a half seconds for the last five years. "
What an odd thing to do on a whim
@Clive "The UK unlike the US is fully synchronous at 50
Thanks Clive. Scalable was a question I had. We don't have a grid. We have a grid of grids. The Feebies would have to set up sensors in each local pocket of variation (or order power companies to monitor, record, store and forward.) Given that many power companies are not interstate in scope the Federal Gov't may lack authority to give that mandate under the Commerce clause.
Hmmmmm. I wonder if the smart grid will 'acquire' a new synchronized timing requirement.
@Carl "That statement bothers me."
Bothers me too. It means that if your pocket device matches their record they claim a time (and maybe place/region). But the ENF pattern could match multiple regions running different time syncs couldn't it?
What about persistence over time as media is overwritten?
@Clive "Your mobile phone when it registers "
Good point. Both the cell tower records and gps would make correlation more certain
@Clive "into using micro timing variations as random number generators for years "
What an odd thing to do on a whim. Must be English.
Time to start making my faraday suit. I think something in pinstripes...maybe seersucker.
In terms of practicality I wouldn't look for the FBI to be establishing a database anytime soon.
They don't yet have control of their case management system.
That CODIS was such a success is not attributable to the agency.
All a prosecutor has to do is convince a jury that it's meaningful and valid, without having to undergo a rigorous peer review. You and I might be doubtful, but most juries are selected because they seem easily led, not independent thinkers. A juror who applies sound logic--no pun intended--is a rarity.
Regarding the article, very interesting, especially when one is dealing with recording devices daily. Makes a very good case for performing simultaneous backups against which comparisons can be made. I imagine there would be some differences due to location of the recording devices, but there would probably be some common variations/deviations as well.
@ BF Skinner,
"What an odd thing to do on a whim. Must be English"
Don't let my ancestors hear you say that, you'd find a dirk an unhealthy addition to your anatomy 8)
More seriously trying to find sources of entropy that don't have hidden bias or are modulated in a predictable way is an activity that more of us should be doing.
It's that bit of "key management" that everybody glosses over and thus gets badly wrong and gifts the resulting insecurity to their foes...
@Carl Bussjaeger, who wrote "you'll have be able to verify the recording timestamp or you'll be going through an awful lot of records looking for a match."
I believe that it is not necessary even to have a timestamp, because computers can make such searches quickly (even with no timing clue). For example, if you have 10 years of reference data, and 10 minutes of unknown data, locating the needle within the haystack should not take much time.
If you take a moment to think about it, this search problem is analogous to fingerprint match searching, which was computerized long ago.
Phillip raises an interesting point.
If one makes an acoustic "dub" (speaker to microphone) of the original, they would almost certainly imprint the dub with a new signature. If the new signature is assumed to be valid and original, the technique has been easily spoofed.
The questions are, to what degree would this dubbing be discernable, and, would any of the original signature be detectable in the dub?
To add to my point above: the dub wouldn't necessarily have to be acoustic. Direct, wired, analog out to analog in would be better.
Additional thoughts, on the feasibility of this technique:
 Notwithstanding that there are many grids in the USA, it would not be very expensive to set up a few hundred logging stations. Assistance from utility companies is not necessary.
 Local power line conditions will indeed cause phase fluctuations that will show on a frequency counter. If the spectrum of the grid's fingerprint is significantly different from that of the local disturbance, then the local variations will not prevent the technique from working.
 Clive posted an interesting idea concerning analog video recordings and atomic clocks, but it would seem to apply only to recordings of broadcast video signals. I guess that most video cameras have a crystal-controlled time base; it would be interesting to see the experts' analysis, as to why the technique doesn't work with "VHS tapes".
 If the technique won't work for crystal-controlled video recordings (see above), then it presumably won't work for analog audio recordings even with a Nagra-style pilot tone. For audio tapes without a pilot tone, the situation would seem to be hopeless. Because tape must be under tension to be recorded and played -- and it stretches, under this tension -- even defining "tape speed" is very difficult (example: if the nominal speed is 7.5 inch/sec, is it 7.5 inches of "relaxed tape", or 7.5 inches of "stretched tape" over the recording heads, which will be shorter when relaxed?) For this and other mechanical reasons, it is hard to imagine how minute frequency variations could be detected.
I bet anonymizing software could be written to remove or at least obscure, this kind of signal in digital audio/video files. It wouldn't be that different from smudging out a digital watermark. This kind of software already exists for a variety of other reasons (scrubbing identifying info inserted by the cameras, etc) and it sounds like it would be straightforward to extend it to obscure these frequencies as well, perhaps by adding artificial "hum" around the same frequencies that confounds attempts to extract or detect the original signature.
Sorry, the Metropolitan Police Lab has done a good job of dressing this technique up in impressive language, but it doesn't sound any more scientific to me than using polygraphs for lie detection.
During the Thatcher era miners strike coal shortage the mains frequency in the UK dropped below the tolerance threshold, enough for mains sync'd clocks to run a few minutes slow during the day. The problem was solved by letting the frequency run above 50 Hz during the night when demand was low. I wonder if anybody noticed their timestamps were inaccurate?
So, anybody can measure this, and anybody can spoof it, provided they have the data for the time stamp they want to spoof. Sounds like security by obscurity.
I wonder how long before someone makes an Audacity plug-in that will add any time stamp you want to audio files.
"I wrote every song in this week's top 10 five years ago, and I can prove it!"
The police seem to love this kind of highly dubious forensic evidence. Let's look at their record.
Fingerprints - not unique and never a perfect match like on TV, in fact matching is very much an art. Unreliable.
DNA - started out as a 1 in 1,000,000,000 chance of a sample matching two people, now it turns out that even with a good sample it's more like 1 in 1,000,000 (i.e. 60 other people in the UK match).
DNA amplification - taking a small sample of DNA and build it up. The Omagh bombing trial collapsed after it was revealed to be bunk.
Firearms residue - a single speck was enough to convict Barry George until it was revealed that it was worthless as evidence. An innocent man spends years in jail.
CCTV - video evidence is powerful and solves crimes, except that most of the time it doesn't.
Lie detectors - need I even go into them?
'Thanks Clive. Scalable was a question I had. We don't have a grid. We have a grid of grids. The Feebies would have to set up sensors in each local pocket of variation (or order power companies to monitor, record, store and forward.) Given that many power companies are not interstate in scope the Federal Gov't may lack authority to give that mandate under the Commerce clause.'
Even better, that would add some degree of location to the monitoring. I'd have thought machines to do the recording would be very cheap to build and set up once you've had the initial idea, maybe only a few thousand dollars each. For less than a million you could cover the larger population centers in the US.
Then some more money for processing and setting up the archives for access.
The best thing about it is that with a database of such variations going back years, you can fabricate recordings which will pass this test and therefore be judged genuine, no matter how inherently unlikely they seem otherwise.
For any point in the past where you have records.
And with a synchronous grid and sound editing software, anyone in the UK can make these records, and fabricate this evidence to a high quality.
On a related topic: Analog recordings can be cleaned up (to a point) to eliminate wow and flutter by digitally re-synchronizing to a frequency normal, such as power-line frequency or tape bias. Examples are a wire recording of Woody Guthrie and optical soundtracks to films. See http://www.plangentprocesses.com - there is a link to an interesting NPR program http://www.npr.org/templates/story/story.php?...
Almost makes you ask "Can this be real? I haven't seen it on CSI yet." I'm always so sceptical of the "scientific forensics" on CSI ... this story should temper my thoughts from now on.
@Ben "you can fabricate recordings "
Which is why courts exist to challenge evidence.
The thing it provides is a timing signal to an entire region / country.
The database would / should have every record made authenticated against that signal/standard.
Star Trek does it so it should easily be doable.
back trace the contents of your entropy pool... - lifeguards frown on this
Actually, many of the power grid companies have Phasor devices recording grid frequencies, etc. at the 30 sample per second frequency. At least one company is collecting 9GB of power data a day from over a hundred Phasor systems in the central south. Data isn't the problem.
maybe all 'evildoers' will go and get solar panels with UPSs now ... but then you may want to track solar panels sales from now on ...
for every tech there's a counter-tech and for that there's a counter-counter-tech and so forth
Are there any published peer-reviewed studies which demonstrate that this is possible?
"Are there any published peer-reviewed studies which demonstrate that this is possible"
Probably not yet however it does not mean the basic idea is not sound (it is actually very sound effectively it is just observing Delta f of a signal [50Hz] against a stable sample signal [~40KHz]).
As for the application well the devil is in the details, I would need to check how they got their 50Hz signal out of the other audio etc. Especially as 50Hz sits outside of the normal audio range for recordings and some recorders have T filters or their equivalent to notch it out. Thus what they are seeing may be not what you would regard as "scientifically sound".
As with all "forensic science" I'd approach it with a very large and quite pointed stick. After all we still use the so called evidence of "Identification Parades" and "Finger Prints" even though most scientists would regard them as being little better than random blotches of snake oil drifting down the river of time.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.