DME Forensics Blog

Analysis of Hikvision Date/Time

February 25, 2016

When it comes to adding support for new DVRs into DVR Examiner, or recovering video manually for a laboratory case, understanding the proprietary metadata of a given DVR filesystem is critical. 

While I will be posting a series of posts over the next few months on understanding the proprietary structure of DVR filesystems, I wanted to share some information about Hikvision systems that was recently requested. 

Most DVR filesystems store key metadata in 2 different places: the index(es) and at the beginning of each frame. In the case of the Hikvision-based systems, the index information is stored at the end of each data block, and provides a date time range per channel for the clips within that block. In this metadata, the date time is stored as a traditional Unix epoch timestamp (seconds since 1970). However, the date/time metadata at the frame level is stored in a very different manner. 


As a part of the process that we use to implement support for new DVRs into DVR Examiner, we conduct a series of test recordings with known variables. This way, when we are trying to decipher date/time metadata, we know exactly what we are looking for, and since we use the same dates and times in every recording, we begin to recognize the common date time formats. In this case, Hikvision DVRs also 'burn in' the date time into the video, so we know exactly what we are looking for in metadata for a given frame. 

Hikvision-DateTime.png

 

In this situation, we are looking for 2013-12-31 at 23:44:40. While the block or clip level metadata is an easy Unix epoch timestamp, the frame level metadata is stored in what we refer to as binary date time. The exact structure can vary from format to format, but this is a pretty common one.

Hikvision_binary_start.png

 

By converting the 5 bytes to binary, we are able to identify a pattern for the date time. I have highlighted the 'bit to time maps' above. As always, when deciphering proprietary metadata, you want to double check and make sure that what you discovered is consistent and repeatable. 

I conducted the same analysis below, but later in our test recording with a date/time that includes a new year, month, and day to help verify the findings. 

 

Hikvision-DateTime_end.png

 

Hikvision_binary_end.png
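
The known-value search described above can be scripted. The following is an added example, not code from the original post or from DVR Examiner; the two 5-byte samples, the second date/time, the field widths, the year base of 2000 and the bit layout they encode are all constructed for illustration, since the post's actual bit map appears only in its images.

```python
from datetime import datetime

# Assumption: each field uses the fewest bits that cover its range, and the
# year is stored as an offset from 2000. Neither is taken from the article.
WIDTHS = {"year": 6, "month": 4, "day": 5, "hour": 5, "minute": 6, "second": 6}
YEAR_BASE = 2000

# Constructed samples (not real Hikvision frame headers): 5 header bytes
# paired with the burned-in time an examiner would read off the frame.
SAMPLES = [
    (bytes.fromhex("373f7b2800"), datetime(2013, 12, 31, 23, 44, 40)),
    (bytes.fromhex("3842030500"), datetime(2014, 1, 1, 0, 12, 5)),
]

def to_bits(raw: bytes) -> str:
    """Render the bytes as one MSB-first bit string."""
    return "".join(f"{b:08b}" for b in raw)

def candidate_offsets(raw: bytes, known: datetime) -> dict:
    """Every bit offset at which each known field value appears."""
    bits = to_bits(raw)
    values = dict(zip(WIDTHS, (known.year - YEAR_BASE, known.month, known.day,
                               known.hour, known.minute, known.second)))
    found = {}
    for name, width in WIDTHS.items():
        target = f"{values[name]:0{width}b}"
        found[name] = {i for i in range(len(bits) - width + 1)
                       if bits[i:i + width] == target}
    return found

def confirm(samples) -> dict:
    """Keep only the offsets that hold in every sample."""
    per_sample = [candidate_offsets(raw, known) for raw, known in samples]
    return {name: set.intersection(*(c[name] for c in per_sample))
            for name in WIDTHS}

def decode(raw: bytes, layout: dict) -> datetime:
    """Decode a timestamp with a layout of {field: bit offset}."""
    bits = to_bits(raw)
    f = {n: int(bits[o:o + WIDTHS[n]], 2) for n, o in layout.items()}
    return datetime(f["year"] + YEAR_BASE, f["month"], f["day"],
                    f["hour"], f["minute"], f["second"])

if __name__ == "__main__":
    print(candidate_offsets(*SAMPLES[0]), confirm(SAMPLES), sep="\n")
```

With only the first sample, the month, day and hour values each match at two offsets; intersecting with the second sample leaves one offset per field, which is why the second recording matters.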

CONCLUSION:

When it comes to conducting byte level analysis of DVRs, understanding as much metadata as possible is essential. While some systems are easier than others, this is an example of one that is a 'bit' more complicated!