DME Forensics Blog

Playing Clips Recovered from the Vineyard_R Filesystem

April 29,2015 /

DVR Examiner, / Technical Posts /

0 Comments

With the 1.10.0 release of DVR Examiner, we introduced support for the Vineyard_R filesystem. One of the difficulties with the system is that the proprietary files are actually created by the proprietary player – not by the DVR. In order to create these files under normal circumstances, you would connect the hard drive to your computer and access it using the manufacturer’s proprietary player.

While the above option is still available, we wanted to give you the flexibility that DVR Examiner provides in filtering, reporting, and other built-in features. When you access this filesystem in DVR Examiner, the clips you export will be exact copies of small amounts of the hard drive (just like a partial forensic image). In order to access them, you’ll need to mount these forensic images so your computer will treat them as a physical disk. Once that is done, the manufacturer’s proprietary player will see them and treat them just as if you had connected a physical disk. The advantage of using DVR Examiner is that you only need to work with the dates/times you’re interested in – rather than the entire hard drive.

Below are instructions to play back clips exported from DVR Examiner using AccessData’s FTK Imager to mount the forensic images. You can use any image mounting program – it doesn’t have to be FTK Imager.

  1. Start FTK Imager and select File | Image Mounting.
  2. The below window will appear. Browse to the clip you exported from DVR Examiner (with the 001 file extension), ensure the Mount Method is Read Only, and click the Mount button.
  3. With the image mounted, you can now start the proprietary player. If you are running a newer operating system, you may need to run the player in compatibility mode and/or with administrative privileges. Once launched, the proprietary player will automatically detect the presence of the data you mounted and begin playback.
  4. In order to view other clips, close the proprietary player, return to FTK Imager and select the option at the bottom to unmount the currently mounted files. You will then be able to repeat the process beginning at Step 2.

As always, if you have any questions, please don’t hesitate to reach out to our support team!