When arriving on the scene and finding a DVR, your main task will be to get usable video evidence from the device. But what is the best way to do this? There are a few ways to export video from a DVR, and each can be a viable path to your evidence. Each method has its strengths.
As most of you who have had interactions with surveillance DVRs have probably experienced, DVRs are a pain in the butt. Ignoring the physical conditions of where the DVR is located (the attic/drop ceiling, next to the grease trap in the kitchen, under 5 inches of dust), the DVRs themselves can be really finicky, really slow, and they all behave a little differently. While we have designed DVR Examiner to work with the DVR hard drive directly, bypassing the need for the DVR, it may still sometimes be necessary for you to work with the DVR itself to export video or determine the DVR settings.
Ever since I’ve been involved in digital & multimedia evidence, the traditional computer forensics community has been engaged in an ongoing debate. When you arrive on scene to a running computer, do you pull the plug or do you conduct an orderly shutdown of the computer?
We have all heard the saying, “not all that glitters is gold,” and when it comes to selecting and retaining a forensic expert, you want the real deal, not just a shiny pretty rock! Everything we discuss in this series is relevant when you are hiring any type of expert – forensic or otherwise. You should thoroughly vet any expert you wish to retain – and that includes us as well.
You are recovering video from a DVR system with multiple hard drives and the manual tells you that the system uses RAID - can DVR Examiner help you?
Before attempting the recovery, you should investigate a little further to determine the best course of action.
When it comes to adding support for new DVRs into DVR Examiner, or recovering video manually for a laboratory case, understanding the proprietary metadata of a given DVR filesystem is critical.
While I will be posting a series of posts over the next few months on understanding the proprietary structure of DVR filesystems, I wanted to share some information about Hikvision systems that was recently requested.
Most DVR filesystems store key metadata in 2 different places: the index(es) and at the beginning of each frame. In the case of the Hikvision-based systems, the index information is stored at the end of each data block, and provides a date time range per channel for the clips within that block. In this metadata, the date time is stored as a traditional Unix epoch timestamp (seconds since 1970). However, the date/time metadata at the frame level is stored in a very different manner.
Occasionally, you will encounter video clips that only appear to display the first frame when played in VLC. When this occurs the progress bar continues to move but no additional video frames appear to be displayed. “Scrubbing” across the video will sometimes allow you to move to a certain position beyond the first frame, but even this doesn’t always work. We recently had a DVR Examiner user ask us about this. They were reviewing AVI files exported from DVR Examiner and some of them played fine in VLC and some simply froze at the first frame.
At DME Forensics, we get clients from across the professional gamut, from detectives to prosecutors, lawyers and insurance representatives – it is a good cross-section of the criminal and civil litigation worlds. As we talk with these individuals about their cases involving digital multimedia evidence, there seem to be some recurring themes. Typically when someone calls us, we spend approximately 30 to 40 minutes conducting an “impromptu” training session on digital and multimedia evidence. These conversations seem to lead to the same types of questions and misconceptions. With that in mind, in this blog post we’re going to explore some of the more common and recurring questions/concerns we have received over the years to better educate first responders and professionals in dealing with digital and multimedia evidence.