DME Forensics Blog

Does DVR Examiner support systems with RAID?

May 3, 2016


You are recovering video from a DVR system with multiple hard drives and the manual tells you that the system uses RAID - can DVR Examiner help you?

Before attempting the recovery, you should investigate a little further to determine the best course of action.



General Considerations

  • Are you dealing with a PC-based DVR or an embedded DVR? DVR Examiner was designed to be used with embedded DVRs and does not support PC-based DVRs at this time. If the subject DVR runs Windows, for example, DVR Examiner likely wouldn't be able to perform the recovery regardless of whether the hard drives are in a RAID configuration.
  • How many hard drives are you dealing with? We had a customer where the DVR (and the manual) indicated there were two hard drives. The manual, however, indicated this system was configured as RAID 5 - which requires a minimum of three hard drives. If the system was configured with RAID at all, it could have only been RAID 1 (mirror) or RAID 0 (stripe). If you only have two hard drives, you might try processing one with DVR Examiner. If the DVR was only using a mirror, DVR Examiner may be able to process the single drive as if it was the only drive (since both drives contain identical data).
  • Is the system really RAIDed? Many embedded DVRs that we have encountered support multiple hard drives. Some even refer to these as RAIDed hard drives. In reality, they are often simply utilizing multiple hard drives in a round robin fashion. The DVR records to one hard drive until it fills it, then records to the next, and so on before finally looping back to the first drive to begin overwriting the oldest footage. Definitely not the most efficient use of multiple hard drives, but since when do these systems do much in an efficient way? If you determine this to be the case with your system, you should be able to process each hard drive individually with DVR Examiner.

It really is RAID - now what?

On the rare occasion that you encounter an embedded system that actually is utilizing RAID (beyond a simple mirror), DVR Examiner may still be able to help.

DVR Examiner works by examining the proprietary filesystem of the DVR. In the case of a single drive system, all the data for this filesystem is contained on the single drive. In the case of a RAID 5 system, for example, the data for this filesystem is split out over multiple (at least 3) drives. DVR Examiner needs to be able to see all the data at one time in order to have a chance to examine the filesystem and determine if it is supported or not.

The easiest way to accomplish this is to use software to rebuild the RAID system into a single forensic image. X-Ways Forensics does a great job of this, but there are of course many other tools out there. They all work pretty much the same way - point the tool at a forensic image (or sometimes a physical disk) of each individual drive, tell it the settings of the RAID (sometimes this is trial and error), and let it attempt to rebuild the drives into a single volume. Once the RAID has been rebuilt, you can create a single forensic image of the rebuilt system for processing with DVR Examiner.


This sounds simple, and in the best cases it can be. However, if you don't have experience rebuilding RAID volumes, I'd recommend seeking out someone local to you who does. Some traditional tools may have trouble due to the proprietary nature of the DVR filesystems. There aren't always the same cues to look for (start of an NTFS partition, etc.) to know if the RAID has been rebuilt properly. In addition, it gets more complicated if the RAID configuration included things like multiple volumes.
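Because proprietary DVR filesystems lack familiar cues, a filesystem-independent check on the member images can tell a mirror, a parity (RAID 5) set and independent round-robin drives apart before any rebuild is attempted. The sketch below is an added example, not code from DVR Examiner or X-Ways; the function names and the 0.95 threshold are hypothetical, and it assumes each member image starts at the same data offset with no per-drive metadata header.

```python
import io
import os

def sample_redundancy(members, block=4096, samples=256):
    """Compare same-offset blocks across member images (seekable binary files)."""
    size = min(m.seek(0, os.SEEK_END) for m in members)
    nblocks = size // block
    step = max(1, nblocks // samples)
    counts = {"identical": 0, "xor_zero": 0, "other": 0, "blank": 0}
    for idx in range(0, nblocks, step):
        blocks = []
        for m in members:
            m.seek(idx * block)
            blocks.append(m.read(block))
        if all(b.count(0) == len(b) for b in blocks):
            counts["blank"] += 1          # unwritten space proves nothing
        elif all(b == blocks[0] for b in blocks):
            counts["identical"] += 1      # mirror behaviour
        else:
            x = 0
            for b in blocks:
                x ^= int.from_bytes(b, "big")
            # RAID 5 parity is the XOR of the stripe's data blocks, so the XOR
            # across all members is zero wherever the rotating parity sits.
            counts["xor_zero" if x == 0 else "other"] += 1
    return counts

def verdict(counts, threshold=0.95):      # threshold is an assumed cut-off
    informative = counts["identical"] + counts["xor_zero"] + counts["other"]
    if informative == 0:
        return "inconclusive"
    if counts["identical"] / informative >= threshold:
        return "mirror"
    if counts["xor_zero"] / informative >= threshold:
        return "parity"
    return "independent-or-stripe"

def build_raid5(n_drives=3, stripes=64, block=4096):
    """Constructed sample data: random stripes with rotating XOR parity."""
    drives = [bytearray() for _ in range(n_drives)]
    for s in range(stripes):
        data = [os.urandom(block) for _ in range(n_drives - 1)]
        p = 0
        for d in data:
            p ^= int.from_bytes(d, "big")
        pos = s % n_drives
        row = data[:pos] + [p.to_bytes(block, "big")] + data[pos:]
        for drive, blk in zip(drives, row):
            drive.extend(blk)
    return [io.BytesIO(bytes(d)) for d in drives]

if __name__ == "__main__":
    print(verdict(sample_redundancy(build_raid5())))
```

Run it against read-only forensic images opened in binary mode; an "independent-or-stripe" result cannot distinguish RAID 0 from round-robin recording, so that case still needs each drive tried individually.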

Hopefully the DVR manual was just being a bit overzealous by calling it a "RAID system", but even if you encounter a true RAIDed system, not all hope is lost.

DVR Examiner can't rebuild the RAID for you, but if you can provide DVR Examiner a forensic image of a rebuilt RAID, it should be able to detect whether the system is supported or not. If the system is supported, it will be able to be processed just like any other drive.