TGI’s Digital Forensics Investigation Manual
Our approach to digital forensics is rooted in rigorous, ethical, and transparent investigation methods. Drawing on the Berkeley Protocol on Digital Open Source Investigations, and methodologies developed by Bellingcat and the Global Legal Action Network (GLAN), we ensure the integrity, reliability, confidentiality, and accountability of all digital evidence handled during investigations.
1. Data Collection
The collection of digital evidence is the foundation of any forensic investigation. Our process involves gathering material from a variety of open and closed sources. These include public platforms such as social media, news websites, and user-generated content forums, as well as contributions from journalists, human rights defenders, and victims’ families and survivors. First-hand accounts and witness testimonies are also integral to our work.
During collection, our investigators ensure that data is retrieved without compromising its authenticity or metadata. We employ a range of technical tools to preserve digital artifacts in their original state. This includes capturing exact URLs, timestamps, source code, device details, metadata, and visual context to ensure traceability and transparency. All contributors are informed of their rights, including the ability to withdraw consent at any time.
2. Chain of Custody
Maintaining a verifiable and secure chain of custody is essential to uphold the legal admissibility of digital evidence. We employ a structured approach to track every interaction with the data from the moment of acquisition to eventual dissemination or archiving.
Each piece of evidence is labeled with a unique identifier (TGI UID) and documented with collection details, including the source, time, and method of acquisition. Contributors complete a standardized consent form, affirming the legal and ethical basis for submission. The evidence is stored in encrypted, tamper-proof environments, with limited and logged access. When evidence must be transferred, it is accompanied by a digital record that includes timestamps and authorized signatories. This documentation ensures the authenticity and integrity of the material at every stage.
3. Cataloguing and Preservation
To manage large volumes of evidence, we maintain a centralized Master Catalog. Each item is tagged with relevant metadata fields, including Case ID, Evidence Type (e.g., image, video, testimony), Source Information, Device Details, Creation Date, and Chronological or Geolocation markers.
This cataloging process not only enables systematic storage and retrieval but also ensures long-term preservation of digital evidence. Proper categorization is crucial for cross-referencing multiple sources during analysis or preparing dossiers for legal use.
4. Verification and Authentication
After data collection and cataloging, our forensic investigations team verifies the content using open-source intelligence (OSINT) methods. We aim to confirm what the content shows, when and where the events occurred, and who was involved.
This process includes comparing metadata, verifying visual markers, and triangulating data across multiple platforms or eyewitness accounts. Our goal is to establish the accuracy and reliability of each piece of evidence before it is analyzed or presented.
5. Analytical Techniques
Frame-by-Frame (FBF) Analysis
We closely examine video and image footage using frame-by-frame analysis. Each moment is documented, with particular attention to visible individuals, uniforms, weapons, gestures, and crowd behavior. Investigators annotate actions and sequences to clarify timelines and establish patterns of violence or resistance. This method is especially useful for confirming incidents involving use of force or violations of international law.
Geolocation
Geolocation is used to pinpoint the location of an event captured in visual media. We analyze landmarks, signs, terrain, language, and environmental cues to determine the exact setting. When publicly available maps or satellite imagery is insufficient—especially in under-documented regions—we use visual comparisons and community-led verification strategies to confirm our findings.
Chronolocation
When metadata is missing, we apply chronolocation techniques to estimate when an event occurred. This may involve analyzing shadows, lighting, weather, or concurrent events. Timestamps from related social media posts, news reports, or environmental changes often serve as key indicators. Synchronizing these elements allows us to determine event chronology with a reasonable to high degree of confidence.
Body Detection and Crowd Estimation
In cases involving casualties or large-scale gatherings, we employ body detection and crowd estimation tools. Frame-by-frame analysis helps confirm the presence of injuries or fatalities, using enhancements to clarify motion, wounds, or other physical evidence. For crowd estimation, we rely on both automated tools and manual counting—especially in smaller or low-resolution videos—to differentiate between protestors, bystanders, and security personnel.
Satellite Imagery Analysis
Satellite imagery is a powerful tool for confirming the timing, location, and scale of events such as mass gatherings, destruction of infrastructure, or troop movements. Investigators use both high-resolution imagery and open-source satellite platforms to track changes over time. By comparing before-and-after satellite views, we can identify patterns such as building damage, movement of vehicles or barricades, and the presence of military or police assets. Satellite data also assists in corroborating ground-level evidence.
Facial Reconstruction and Identification
In cases involving unidentified individuals—such as missing persons, victims of violence, or potential perpetrators—we may use facial reconstruction and recognition techniques, always with strict ethical oversight. These methods involve enhancing and comparing facial features from available media (video, photo). Investigators may use AI-assisted tools to generate clearer facial composites or match faces across multiple data points without attribution to any specific named individual. This technique is used sparingly and only when there is a clear public interest or legal mandate, given its sensitive nature and potential implications for privacy and consent.
Audio Verification and Voice Biometrics
Audio evidence can provide critical insight when analyzed rigorously. Our approach includes verifying authenticity, identifying speakers, and extracting contextual clues.
Spectrogram and Waveform Analysis
We examine spectrograms (visual representations of audio frequencies over time) and waveforms (amplitude over time) to detect anomalies such as splicing, distortion, or compression artifacts. Investigators analyze acoustic signatures, background noise, and silences to determine whether a recording has been edited or manipulated.
Voice Biometrics and Speaker Identification
In cases requiring voice attribution, we use biometric voice profiling to compare known samples with unknown speakers. This involves examining voiceprints—unique vocal characteristics such as pitch, cadence, and formant structure. We use this technique selectively and only when ethically and legally appropriate, such as in confirming identity in high-profile accountability cases or verifying testimonies. All voice analysis is conducted with attention to consent, privacy rights, and the broader security context.
6. Expert Review
All findings undergo a rigorous peer review process involving external experts such as legal professionals and weapons specialists. Each reviewer operates under non-disclosure agreements and follows ethical review standards.
This multidisciplinary review ensures the reliability and objectivity of our conclusions. It also prepares our analysis for use in legal proceedings, advocacy, or human rights reporting, minimizing the risk of misinterpretation or misuse.
7. Event Reconstruction and Documentation
Reconstructing the full scope of an event is vital to understanding patterns of abuse or systemic violence. Our investigators compile details from individual incidents to create larger timelines that link people, places, and actions.
Through this process, we document not just isolated incidents but also broader patterns of violence, protest movements, and state responses. This structured reconstruction allows us to identify perpetrators, timelines, and potential accountability mechanisms.
8. Secure Sharing and Safeguarding
When digital evidence needs to be shared with external actors, such as courts, journalists, or advocacy groups, we implement stringent safeguarding protocols. Access is limited to vetted individuals and institutions, and formal contracts specify permitted uses and data security responsibilities.
To prevent harm or retribution, sensitive information is redacted or anonymized. Encryption, watermarking, and access control technologies are used to preserve the integrity and confidentiality of all shared materials.
9. Ethical Considerations
Ethical responsibility is central to our methodology. We approach every investigation with a commitment to protecting the dignity, safety, and privacy of those depicted or involved. Transparency, consent, and respect are non-negotiable values in every stage of our forensic work. Specifically, in the case of eyewitness accounts or testimonies from victims’ families, we prioritise consent throughout investigation and dissemination.
Special care is taken when handling graphic content. We provide psychological support to staff investigators exposed to violent material and take measures to prevent secondary trauma or burnout.
10. Challenges in Digital Forensics
Locating Incidents in Unmapped Areas
Many conflict zones lack adequate digital mapping. In such cases, investigators rely on environmental cues such as terrain, language, or architectural features, often triangulated with open-source or community-based data. This can be a slow and iterative process, especially when digital infrastructure is minimal or deliberately obscured.
Counting Casualties in Chaotic Footage
Body counting in protest or conflict footage is often hindered by low resolution, poor lighting, and crowd density. Overlapping bodies or obstructed views make it difficult to assess fatalities or injuries. Where automated tools fail, our team relies on direct observation and corroboration from eyewitness accounts or related footage. These numbers may change continually as new information becomes available.
Dealing with Metadata Loss and Media Compression
Social media platforms often strip metadata or compress images and videos. This poses challenges in verifying authenticity or extracting time/place details. To address this, we use visual analysis, manual annotation, and cross-referencing with external sources like news reports, live streams, eyewitness testimonies, or archival copies.
Managing Exposure to Violent Content
Repeated exposure to violent or traumatic content takes a psychological toll on investigators. We provide mental health resources, team debriefing sessions, and workload rotation to help investigators process these experiences and maintain their well-being and focus.
11. Archived Materials
The Monsoon Protest Archives is underpinned by a comprehensive archive to support future research, legal processes, truth-recovery, and historical record-keeping. Our archive includes:
- Digital files (video, audio, photos) documenting protest events and state violence
- First-hand interviews and witness testimonies
- Legal, medical, and identification documents for victims
- Open-source content from news and social media platforms
- Investigative reports by journalists and human rights organizations
- Links to external resources relevant to our investigations
This archive is structured to be searchable, secure, and accessible to authorized investigators and partners. For security reasons, and to respect the consent of contributors, the archive is not publicly accessible.