How I successfully defended CCTV evidence in a Murder trial – Part#1

In 2015 I was subpoenaed by the South African National Prosecuting Authority (NPA) in South Africa to appear in court as an expert witness. I subsequently testified in court regarding a CCTV system that my company installed a few years previously.

The police investigating officer had used the CCTV footage to track down a suspect who was arrested and charged. The suspect was granted bail and appeared in court for the trial.

I did not realise at the time of giving the police statement the road I would have to walk and the scrutiny I would undergo to defend a video surveillance system in a court of law. I share with you my experience in defending the admissibility of the video surveillance evidence during the trial and my battle to defend my own reputation and that of my business.

This 3-part series of articles is NOT about the guilt of the accused person, nor the poor person who was murdered during the event. It is a sharing of my experiences that i hope will guide the security industry and help people prepare for similar such situations.

Please remember video surveillance (CCTV) footage can also be used to defend a person’s innocence not only prove guilt.

CCTV integrators or installers may not realise what a big responsibility it is to install a security system and that they may one day be called to defend the system they have installed.

After the trial started and the evidence was presented, the judge decided to have a trial within a trial to decide on the admissibility of the CCTV evidence.

Let’s start from the beginning.

[Step 1] – Prior to the Incident – Operational Readiness Phase

One may never know when video surveillance footage will be required as evidence. It is, therefore, best to be prepared from the outset as soon as the recording system is installed and operational.

Based on my experience over the years and items raised during the trial some key points that should be considered include:

(1.) Secure Recorder Location:

The video surveillance recording system should be in a secure location with physical security measures in place so as to prevent unauthorised physical access.

Secure Server Room
  • A separate windowless server room with a single security door, solid roof and limited user access would be best.
  • The recorder storage cabinet should be locked with appropriate key control.
  • Shared storage rooms, guardrooms or general offices are not ideal locations for recording systems. The minimal amount of people who have physical access to an area the better.
  • Electronic access/control measures are recommended as these quickly identify who and who didn’t have physical access to a system. They also provide an audit log which can be added to the chain of evidence.
  • A video surveillance camera covering the recording system or physical access to the recording system is critical. Many corporate clients have the CCTV video surveillance system installed inside a data centre which has many security measures already in place.

(2.) Unique Passwords:

A password policy should be in place where each authorized system user has a unique system password for the video surveillance recording system.

  • Default manufacturer passwords are to be changed at the installation stage and NOT used at all.
  • In addition, groups should be created where only certain users have administrator rights where settings can be changed.
  • Passwords are also NOT to be shared or written down and pasted to the CCTV monitor and/or control room desk.
  • When users leave a site these user accounts should be disabled.
  • Recently manufacturers have become more aware of security issues and have added product features to make the user aware of the importance of secure credentials and to increase password protection levels.
Password Protection Screenshot

(3.) Correct Time/Date:

The recording system’s time should be correct and ideally connected to a network time server which will automatically sync the time (NTP).

NTP Time Sync on Recorder
  • Most recorders (embedded or software-based) suffer from time-drift where the time ‘deteriorates’ over a period.
  • A procedure should be in place to check this on a regular basis. It weakens your case if you have to explain that a system’s time is out.
  • The electronic access/control protecting the recording system’s location should also have the same time sync.
  • If the customer plans to have the system stand-alone (i.e not connected to the internet), GPS based time sync accessories are available.

(4.) Camera Video Overlay:

Ensure the correct camera info overlay is in place for each video channel.

  • This should include the time/date and camera identification number and/or name. This is normally overlaid’ by the recording system onto the camera image.
  • When video evidence is backed up from the system this info is imprinted onto the video and will form a critical part of your chain of evidence. 
No alt text provided for this image

(5.) Choice of Continous or Motion Activated Recording:

The system ‘owner’ should decide whether or not continuous or motion-activated recording should be used on the site.

  • During court, an explanation may need to be given as to how motion detection works and why frames before or after an incident are missing from the video.
  • Sometimes this creates an impression the video has been tampered with, even though it obviously hasnt.
  • In an ideal world, it would be best to record continuously with motion markers for easy review.
  • However, this may not always be possible due to real-world factors such as the available budget of video storage for continuous recording.
No alt text provided for this image

(6.) Internet-Connected System or Closed Network:

Most video surveillance systems are connected to the internet for convenience sake (i.e remote monitoring, maintenance etc.). It does, however, increase the workload of defending the system in court.

  • Most corporates would have suitable security firewall/network measures in place to protect and control access to the site from the internet.
  • However private businesses and homes often neglect network security measures due to a DIY installation or budget.
  • I was fortunate with the CCTV system I had to defend as it was a CCTV system in the true sense of the word (closed-circuit television system).
  • The digital video recorder was completely stand-alone (air-gapped), not connected to any network on the site and not connected at all to the internet. I was, therefore, able to prove fairly effectively that it was not possible to get access to the video recordings without physically getting access to the recorder.

(7.) Network Security:

The majority of video surveillance systems in operation today are IP or network-based.

  • Organisations operating video surveillance systems, especially those operating on corporate networks should have suitable policies and measures in place in order to protect against threats to the network.
  • This could include network sniffing, snooping, man-in-the-middle threats or Trojan horse attacks.
No alt text provided for this image
  • Protection measures that could be considered would include but are not limited to suitable credential management, individual network port security, the use of VPN’s, network logging and the use of video stream encryption.

(8.) System Logging:

Most modern surveillance systems have a system log which records all events such as users logged in/out, reboots, system errors, camera disconnects and system changes.

No alt text provided for this image
  • Please ensure that this log function is enabled, cannot be deleted by a standard user and that it is reviewed on a regular basis.
  • It is a critical item to be backed up as part of step 2.

(9.) Maintenance Calls to Site:

During the trial, I was queried several times by the defence advocate as to when the CCTV system was maintained and if it was fully operational during the incident.

  • It is very important to ensure a log or record is kept of all work conducted on the system at the site including changing/upgrading of cameras, software updates, hardware replacements and the names and times of those that attended to the work onsite.
  • Records should also be kept of the status of the system once the technicians left the site and if cameras were recording properly.
No alt text provided for this image

(10.) Video Evidence Request Procedure:

A procedure should be in place in terms of handling requests for video surveillance footage.

  • Senior organisational management would need to decide who, what and why video evidence would be provided.
  • This is very time sensitive as most systems have limited recording storage retention before the video is ‘overwritten’.
  • Often footage is only requested long after an incident has occurred.
  • Official police requests for footage may come too late and a decision needs to be made by management if the footage is to be backed up pending an official request.
  • At times non-critical non-law enforcement requests should be rejected as they could provide the public or a criminal with an insight into a site’s security measures or lack of measures.

(11.) Evidence Handling Procedure:

Ensure that suitable video evidence handling procedure is in place for the video surveillance system. This should be applied to all incidents requiring investigation. It should include but is not limited to the following:

  • Backup/investigation authorised by.
  • A formal checklist as to the backup procedure.
  • What to backup (camera, time of the incident, location etc).
  • Confirmation of correct recording system time/date or note of any time differential (critical).
  • Backup of recording system logs and access/control system logs.
  • Backup of the camera/s covering the recording system.
  • Choice of media to use for the backup (USB, HDD, Multiple copies etc).
  • Use of Evidence Bags.
  • What video format to use for the backup (AVI, Proprietary etc).
  • The creation of a chain of evidence log.

(12.) Certificate of Competency:

The video surveillance system operator and/or the individual backing up the video evidence should be able to provide his/her competency with the recording system.

This would normally be in the form of a system training certificate provided by the service provider and/or manufacturer. An example below:

No alt text provided for this image

(13.) Camera Site Layout Plan:

It is very important to have an up to date plan of your site with the camera positions marked out with approximate camera angles.

No alt text provided for this image
  • During the initial police investigation, I was asked to provide a layout showing the CCTV camera positions at the site.
  • Many VMS packages have integrated mapping that can be used for this purpose as well as being helpful in deciding what cameras need to be backed up for the particular incident.
Scroll to Top