Scientific Working Group on
Digital Evidence
Electric Network Frequency Discussion Paper
Disclaimer:
As a condition to the use of this document and the information contained therein, the SWGDE
requests notification by e-mail before or contemporaneous to the introduction of this document,
or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial,
administrative, legislative or adjudicatory hearing or other proceeding (including discovery
proceedings) in the United States or any Foreign country. Such notification shall include: 1) The
formal name of the proceeding, including docket number or similar identifier; 2) the name and
location of the body conducting the hearing or proceeding; 3) subsequent to the use of this
document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name,
mailing address (if available) and contact information of the party offering or moving the
document into evidence. Notifications should be sent to [email protected].
It is the user’s responsibility to ensure they have the most current version of this document. It is
recommended that previous versions used be archived for future reference, as needed, in
accordance with that agency’s policies.
Redistribution Policy:
SWGDE grants permission for redistribution and use of all publicly posted documents created by
SWGDE, provided that the following conditions are met:
1. Redistributions of documents or parts of documents must retain the SWGDE cover page
containing the disclaimer.
2. Neither the name of SWGDE nor the names of contributors may be used to endorse or
promote products derived from its documents.
3. Any reference or quote from a SWGDE document must include the version number (or
create date) of the document and mention if the document is in a draft status.
Electric Network Frequency Discussion Paper
June 1, 2009 (Version 1.1)
This document includes a cover page with the SWGDE disclaimer.
1 Purpose
The purpose of this document is to describe the potential use of electric network frequency
(ENF) analysis in the United States for the forensic examination of audio recordings.
2 Introduction
One of the issues that arises in forensic audio is whether a recording is “authentic” – original,
complete, and continuous. Tools that help answer these questions assist examiners and make
conclusions more reliable. Part of a robust authentication methodology includes analysis of the
continuity of stable tones that can be isolated within a recording. A common tone found in audio
recordings is the hum generated by the mains current powering a recording device and possibly
induced into portable recorders (directly or indirectly – EMF, acoustic, unbalanced audio
connections, etc.).
The power that comes out of the wall socket is the result of a highly complex system of
generators, transmission lines, transformers, and substations. Through all of this, the voltage
and frequency must remain tightly regulated as they fluctuate due to changes in supply and
demand. Independent system operators (ISOs) regionally coordinate multiple generators to
ensure this stability. ISOs can tune the generators within a cycle or two to respond to changes in
demand. Electric reliability organizations (EROs) regionally regulate the compliance of
electricity delivery. The eight North American EROs are coordinated by the North American
Electric Reliability Corporation (NERC).
Due to the widespread regulation of interconnected power facilities, the frequency of the power
grid is remarkably consistent. In recent years, some forensic labs have been exploiting this
consistency to determine the date and time a recording was made by extracting the residual
mains hum from a recording and comparing it to historical reference data continuously being
collected.
The first proof of concept was done in continental Europe by Grigoras [1] and he followed this
up with further study [2][3]. Building on this concept, Cooper published a comprehensive
protocol for the collection, extraction, and comparison of ENF in the United Kingdom, a separate
interconnected grid [4]. These preliminary efforts show much promise in the ability for
examiners to identify the date and time of recordings and have been used in some U.K. casework
already.
Unlike Europe, the United States has three major independent interconnections. These
interconnections are themselves connected by DC lines, but maintain independent coordination
resulting in three distinct power frequency signals that must be recorded continuously. For this
process to be viable in the U.S., studies need to be done to understand how this complex grid
structure affects the utility of ENF as a forensic tool. Preliminary work has been done by
Sanders and others demonstrating that within each interconnection, frequency correlation
appears strong at certain timescales [5], [6].
In order to capitalize on ENF data for forensic purposes, methods need to be validated for the
collection of reference databases, the extraction of ENF signals from forensic recordings, the
comparison of extracted data against the reference databases, and the interpretation of
comparison results.
3 Questions for the power engineering community
To further explore how ENF might be used in forensic audio, a more comprehensive
understanding of the nature of this phenomenon is required. We pose the following questions to
the power engineering community. Answering these and others is a first step toward
determining whether the development of a robust forensic methodology is possible.
3.1 What features are present within the ENF data?
3.1.1 What events affect frequency?
The primary driver of frequency change is the difference between load and generation. Other
transient events such as line operations, generator trips, load shedding, and brake operations
occur daily but are much less likely to be apparent in audio recordings (especially relatively
short ones). However, these transient events could possibly be used as a signature to confirm the
time of recording if present in the audio data.
Larger interconnections have smaller frequency variations of shorter duration, and smaller
interconnections have larger variations over a longer duration. Therefore, the Eastern
Interconnection is most “stable,” followed by the Western Interconnection and then Texas.
3.1.2 How does ENF vary between points within the same interconnection?
➢ At steady-state, there are no variations in the ENF across the interconnection. Transients can
affect frequency across the interconnection; however, these events are usually less than one
minute in length.
➢ The type of power generator (wind, nuclear, coal, etc.) has no effect on ENF.
➢ Variables
  • Which ISO?
  • Which generator/generation company within ISO?
  • Which transformer/switching station within generator distribution region?
  • Which “building” within transformer region?
  • Which wall socket within building?
➢ Generally, local variations can be observed; however, they are on such a small time scale that
they would not likely be measurable in an audio recording.
➢ How do these variations affect the comparison results?
  • Unknown, but will greatly depend on the quality and length of the questioned recording.
3.1.3 Are physical distances and grid topology information present in the ENF data? Can
ENF be used to geolocate the source?
➢ Without extremely accurate time correlation of the audio recording, it is not possible to
determine geographical location.
➢ Virginia Tech’s Frequency Disturbance Recorders (FDRs) have been used to estimate the
location of a major disturbance on an interconnection by comparing the time of the event as it
propagates across the grid.
3.1.4 Are there any patterns in the data over time?
➢ Yes – Sub-second oscillations from the fluctuation of generator interactions (voltage
variations) ranging from approximately 0.1 Hz to 0.5 Hz. Below that (longer time) variations
in frequency itself are the interesting signal.
➢ Imbalance patterns (generation vs. load) show a trend over time:
  • Load following (minutes)
  • Scheduling (hourly)
  • Load behavior, time correction (daily)
  • Weekday vs. weekend (weekly)
  • Special days (holidays, major sporting events, etc.)
  • Seasonal trends (DST, lighting, climate control)
3.2 Data currently archived varies by interconnection.
3.2.1 Western Interconnect
➢ The Pacific Northwest National Laboratory (PNNL) records phasor measurement unit (PMU)
data from the Bonneville Power Administration (BPA), and also wall socket data. The
PNNL wall socket data exists for approximately 90% of May 2002 to the present with some
gaps. PNNL’s PMU data spans from 2004 to the present with some gaps in collection.
➢ Phasor Data Concentrators (PDCs) – BPA, the California Independent System Operator
(CalISO), the Los Angeles Department of Water & Power (LADWP)
➢ Virginia Tech (VT) has FDR data from 2004 to the present.
➢ The University of Colorado at Denver has been collecting wall socket data for the Western
Interconnect from mid-2008 to present.
➢ TVA
3.2.2 Texas Interconnect
➢ Virginia Tech has FDR data from 2005 to the present with some gaps.
➢ ERCOT
➢ TVA
3.2.3 Eastern Interconnect
➢ Virginia Tech has FDR data from 2004 to the present.
➢ TVA
3.2.4 Potential sources and projects
➢ Power generators
➢ Power transmitters
➢ ISOs
➢ EROs (NERC, others)
➢ University (Virginia Tech, Washington State, others?)
➢ National Labs (PNNL, Oak Ridge, others?)
➢ CERTS (Oak Ridge)
➢ SmartGrid (PNNL)
➢ GridStat (WSU)
➢ Frequency Disturbance Recorder data (Virginia Tech)
➢ SyncroPhasor (NASPI, Virginia Tech)
3.2.5 Concerns
➢ What format is the real time data?
  • Binary stream
  • GPS Time, Frequency, Voltage, collector ID/location
  • IEEE C37.118-2005 defines data standard for PMU output
➢ What format is the archived data?
  • TBD
➢ How long is data archived?
➢ Can we get the data?
➢ Can we use the data?
➢ Liability and other legal issues.
➢ Are there other concerns that we should be aware of?
4 Questions for the forensic community
If the engineering concerns about ENF are adequately addressed, more scientific questions must
be answered by the forensic audio community in order to discover valid methodologies for using
ENF in examinations.
4.1 What audio test recordings should be used as known controls?
➢ Vary the source of the ENF in the recording.
➢ Vary the SNR of the ENF within the recording.
➢ Vary the geographic location of the recording.
➢ Vary type of recording equipment.
➢ Additional signal content that may mask ENF (speech, music, etc.).
➢ How do real-world recordings compare to the controls?
  • Where should audio test recording corpora be stored?
4.2 What is the optimal methodology to create reference databases?
➢ Where should the data be collected?
  • PMU at transmission level vs. FDR at distribution level.
➢ How much redundancy is necessary?
  • Aggregate PMU data would not be affected by single PMU failure
➢ What format should the database be stored in?
➢ How should data be stored and retrieved?
➢ How should the data be collected (equipment)?
➢ How will the time synchronization be maintained?
➢ How do we optimize these factors for comparison?
  • Possible online database/secure web portal to query with unknown recording data.
    Search results returned via email with known data set.
➢ With whom will the data reside?
  • TVA?
  • NASPI?
4.3 What is the optimal methodology to extract data from forensic recordings?
➢ How should ENF be isolated?
➢ How should ENF be prepared for analysis?
  • Bandpass to fundamental/harmonic, use sliding window FFT?
➢ What are the limitations?
  • Time/frequency domain spectrograms (visual)
  • Frequency domain FFT (peak values)
  • Time domain analysis (zero-crossings)
➢ How do you distinguish between the evidence and your system?
  • Run control test of your system
4.4 What is the optimal methodology to compare signals?
➢ How will performance be measured (error rate)?
➢ How do we search a database?
➢ What lengths of data should be compared?
➢ How does error rate change with sample length?
➢ How do we answer the open set vs. closed set problem?
  • Is this recording in the database at all?
➢ Should results be reported as likelihood ratios based on SNR and other factors?
➢ Can we quantify systems performance by measures such as a decision error threshold (DET)
curve for various SNR levels and other factors?
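The extraction and comparison steps asked about in 4.3 and 4.4, as an added example that is not part of the SWGDE paper: a sliding-window DFT peak estimate of the hum frequency, followed by a minimum-RMS-error search against a reference series. The sample rate, window length, synthetic reference and recording, and all function names are assumptions constructed for illustration; analysis windows are aligned with the reference for simplicity.

```python
import cmath, math, random

FS, NOMINAL = 400, 60.0      # constructed sample rate (Hz) and nominal US mains frequency
WIN = 2 * FS                 # one ENF estimate per 2-second window

def make_reference(n, seed=7):
    """Constructed stand-in for an archived reference: slow random walk near 60 Hz."""
    rng, f, out = random.Random(seed), NOMINAL, []
    for _ in range(n):
        f = min(max(f + rng.uniform(-0.01, 0.01), 59.95), 60.05)
        out.append(f)
    return out

def synth_recording(enf, seed=1):
    """Constructed questioned recording: phase-continuous hum tracking `enf`, plus noise."""
    rng, phase, x = random.Random(seed), 0.0, []
    for f in enf:
        for _ in range(WIN):
            phase += 2 * math.pi * f / FS
            x.append(0.1 * math.sin(phase) + rng.gauss(0, 0.01))
    return x

def extract_enf(x, span=0.06, step=0.0025):
    """Hann-windowed DFT evaluated on a fine grid around nominal; peak frequency per window."""
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * n / WIN) for n in range(WIN)]
    grid = [NOMINAL - span + i * step for i in range(int(round(2 * span / step)) + 1)]
    out = []
    for s in range(0, len(x) - WIN + 1, WIN):
        seg = [x[s + n] * hann[n] for n in range(WIN)]
        def mag(f):
            w = cmath.exp(-2j * math.pi * f / FS)   # per-sample phase rotation
            acc, rot = 0j, 1 + 0j
            for v in seg:
                acc += v * rot
                rot *= w
            return abs(acc)
        out.append(max(grid, key=mag))
    return out

def locate(query, reference):
    """Slide query across reference; return (offset in windows, RMS error in Hz) of best fit."""
    best = (None, float("inf"))
    for off in range(len(reference) - len(query) + 1):
        err = math.sqrt(sum((q - r) ** 2 for q, r in zip(query, reference[off:])) / len(query))
        if err < best[1]:
            best = (off, err)
    return best

def demo():
    reference = make_reference(300)               # 10 minutes of constructed reference data
    audio = synth_recording(reference[137:167])   # 60 s recording that starts at window 137
    return locate(extract_enf(audio), reference)

if __name__ == "__main__":
    print(demo())
```

The returned RMS error is the quantity an examiner would threshold to address the open-set question in 4.4; which threshold is defensible is what the validation work in 4.5 would have to establish.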
4.5 How should these methodologies be validated and who should validate them?
➢ Compare slices of source A vs. all of A (autocorrelation).
➢ Compare slices of source A vs. all of B
➢ Compare slices of source B vs. all of A
➢ Can we decide on a North American “standard”?
4.6 Does the potential value of ENF justify the effort to establish and maintain databases?
➢ Will analysis only be valid for AC-powered devices, or is there a measurable ENF
component in portable recorders?
➢ Does analog tape wow/flutter prevent collection of any useful ENF data from cassette
recordings?
➢ Can we estimate the percentage of cases to which this technique applies?
5 References
[1] Grigoras, C., “Forensic analysis of digital audio recordings – the Electric Network Frequency
Criterion”, Forensic Science International, 136 (Supp. 1), 368–9 (2003).
[2] Grigoras, C., “Digital Audio Recording Analysis: The Electric Network Frequency (ENF)
Criterion”, The International Journal of Speech Language and the Law, vol. 12, no. 1, pp. 63-76
(2005).
[3] Grigoras, C., “Applications of ENF Criterion in Forensic Audio, Video, Computer and
Telecommunication Analysis”, Forensic Science International, vol. 167, pp. 136-143 (2007).
[4] Cooper, A., “The Electric Network Frequency (ENF) As An Aid To Authenticating Forensic
Digital Audio Recordings – An Automated Approach”, Proceedings of AES 33rd International
Conference, Denver, CO, USA (2008).
[5] Sanders, R., “Digital Audio Authenticity Using The Electric Network Frequency”,
Proceedings of AES 33rd International Conference, Denver, CO, USA (2008).
[6] Kundur, P., “Power System Stability and Control,” in The EPRI Power System Engineering
Series. New York: McGraw-Hill (1994).
History – Electric Network Frequency Discussion Paper
Rev   Issue Date   Article Section   History
1.0   2009-01-15   All               Approved by SWGDE for release.
1.1   2009-05-20   All               Revisions from 2009-05 Committee meeting. Approved by SWGDE for release.