Ever since I’ve been involved in digital & multimedia evidence, the traditional computer forensics community has been engaged in an ongoing debate. When you arrive on scene to a running computer, do you pull the plug or do you conduct an orderly shutdown of the computer?
The argument for pulling the plug mainly amounted to the idea that by conducting a shutdown, the computer will close what it is working on and perform other clean-up operations, thereby changing the data on the drive. In addition, there may be rogue programs installed that may delete data (or at least attempt to) on shutdown. The “shutdown” camp argued that if you pull the plug, you risk corrupting critical information on the drive by abruptly interrupting any reads or writes in progress at the time you remove power.
Since surveillance DVRs are essentially mini-computers with hard drives in them, some of these same questions and arguments persist. To make matters worse, some DVRs don’t even have a software shutdown option. So, what should you do when you need to power off a DVR in order to seize it or to process its drive with DVR Examiner?
There are several factors to consider before making this decision:
- Does the DVR have an expiry feature and is it active?
Many DVRs include the ability to only keep footage for a certain number of days. When footage reaches that expiration date, it is “deleted”. This check may run at start-up or shutdown, so conducting an orderly shutdown increases the odds of deleting potentially critical footage. If you can locate this feature in the DVR settings, be sure to document it and then disable it prior to conducting an orderly shutdown.
- Does the DVR have a software shutdown option?
If not, you are going to be forced to “pull the plug” one way or another. But, there is one critical step I would take prior to doing so. Disable all the recording abilities of the cameras in the DVR settings and wait 30 seconds or so prior to removing power. This should force the DVR to finish up what it was working on and make sure it makes its way onto the disk in an orderly fashion. If you can’t access the DVR interface because of a password, or there is no menu option to disable recordings, you should disconnect the cameras from the back of the DVR as this will often stop the recording operation.
- How long has it been since the incident of interest occurred?
The longer it has been since the incident, the more likely the incident has already been overwritten, or is very close to being overwritten. In these situations, you don’t want to take a lot of time making calculations or decisions, as it can make the difference between the video being recoverable and not. If you suspect you are in this situation, I would just remove power from the DVR. Due to the length of time that has passed since the incident, it is highly unlikely that the DVR is still actively recording in the area of the drive that you are interested in. The indexes and data that you are most interested in should have already been written and finalized long ago.
If you arrive on-scene immediately after the incident, there is a high probability that the currently active recordings contain your incident. You’ll definitely want to make sure that these recordings are finalized prior to shutting down or removing power from the DVR. If there is a software menu option to shut down the system, I recommend checking for any expiry settings described above and then shutting down the DVR using that option. If no software shutdown menu exists, I would opt for disabling the recordings, waiting a bit, and then removing power from the DVR.
Whatever route you choose, make sure you document what you did and why you did it. This will help in the unlikely event you later find you can’t access the footage you are interested in. Within DVR Examiner, we try whenever possible to account for conditions like missing finalizing index entries, but because of the many factors involved, we can’t account for everything. If you process the drive with DVR Examiner and don’t find the clips you are interested in (such as the very last clips on the drive), please reach out to us and we’ll see if there is something we can do to help. As a last resort, our Laboratory Services division can likely recover the footage manually if it hasn’t yet been overwritten.