We have all heard the saying, “not all that glitters is gold,” and when it comes to selecting and retaining a forensic expert, you want the real deal, not just a shiny, pretty rock! Everything we discuss in this series is relevant when you are hiring any type of expert – forensic or otherwise. You should thoroughly vet any expert you wish to retain – and that includes us as well.
You are recovering video from a DVR system with multiple hard drives and the manual tells you that the system uses RAID - can DVR Examiner help you?
Before attempting the recovery, you should investigate a little further to determine the best course of action.
When it comes to adding support for new DVRs into DVR Examiner, or recovering video manually for a laboratory case, understanding the proprietary metadata of a given DVR filesystem is critical.
While I will be posting a series of posts over the next few months on understanding the proprietary structure of DVR filesystems, I wanted to share some information about Hikvision systems that was recently requested.
Most DVR filesystems store key metadata in 2 different places: the index(es) and at the beginning of each frame. In the case of the Hikvision-based systems, the index information is stored at the end of each data block, and provides a date/time range per channel for the clips within that block. In this metadata, the date/time is stored as a traditional Unix epoch timestamp (seconds since 1970). However, the date/time metadata at the frame level is stored in a very different manner.
Occasionally, you will encounter video clips that only appear to display the first frame when played in VLC. When this occurs, the progress bar continues to move but no additional video frames appear to be displayed. “Scrubbing” across the video will sometimes allow you to move to a certain position beyond the first frame, but even this doesn’t always work. We recently had a DVR Examiner user ask us about this. They were reviewing AVI files exported from DVR Examiner, and some of them played fine in VLC while others simply froze at the first frame.
At DME Forensics, we get clients from across the professional gamut, from detectives to prosecutors, lawyers and insurance representatives – it is a good cross-section of the criminal and civil litigation worlds. As we talk with these individuals about their cases involving digital multimedia evidence, some recurring themes seem to arise. Typically, when someone calls us, we spend approximately 30 to 40 minutes conducting an “impromptu” training session on digital and multimedia evidence. These conversations seem to lead to the same types of questions and misconceptions. With that in mind, in this blog post we’re going to explore some of the more common and recurring questions and concerns we have received over the years, to better educate first responders and professionals in dealing with digital and multimedia evidence.