As humans, we are constantly wondering how and why things happen. It is always good to ask questions to better understand how the world works. We don’t verify something once, we run through many verifications in our head without even realizing it. These verifications can be referred to as empirical verifications. So how can we apply empirical verification to DVR Examiner?
One of the easiest ways we can verify what DVR Examiner outputs, is to look and compare. Find the total size of video data that DVR Examiner produces, and compare it to the expected amount of data. If you have a 500GB drive that you know is full, you should expect DVR Examiner to identify close to that same amount of data. Typically, it will not be the full amount of data due to indexing, partitioning of the drive itself, and other system overhead but it should be close. To calculate the total size of video in DVR Examiner, you will need to be in the clip list window. From this window, select the clip(s) that you would like the total size for by holding control and clicking the clips. Once selected, at the bottom of the screen you will see the word “Selected” and the number of clips highlighted in blue. Click on this and you will receive a pop up with approximate size of the clip(s) selected.
Other Types of Empirical Verification
If you are getting errors from DVR Examiner and you believe data is not being shown, attempt to image the drive. When the image is being created, a log is created. This log will provide any errors that occurred during the imaging process. If you encounter no errors, attempt to scan the newly created image.
Let’s say that during one of the verification processes your data isn’t matching up. Your next step is to determine why.
- Scan the drive with DVR Examiner
- Identify the time span of the data found
- Inspect the time frame where the event occurred
- Determine the total amount of video data
- Verify what channels were recorded
- Connect a clone to the original DVR
- Examine the same information from the DVR itself
- Compare the two sets of data
- Does the time span of video available on the DVR match DVR Examiner?
- Do the # of recorded channels match DVR Examiner?
- Is the total size of recorded video similar to, or the same that DVR Examiner reports?
While you can try to compare the DVR Examiner clip list with the list of clips in the DVR, keep in mind that these may not always be a one to one match. Certain filesystems do not provide the data as clips, instead they let you select a given time range to view or export. In these cases, DVR Examiner will use these timeframes to define what the clips will be. If the filesystem saves the data as clips, we will have to occasionally truncate or create a new clip using the preexisting data. Don’t forget to disable any filters in the DVR Examiner Clip List. When a filter has been applied, it can cause video that does not fall under the filter’s requirements to not appear. Filters can be cleared from the clip list window by clicking ‘reset’ and then ‘apply filters’.
No access to the DVR?
You may not have access to the DVR for every case you work. This can be due to damaged, password protected or missing DVRs. Without the original DVR, troubleshooting an issue can be a little harder. Here are a few things that can be done without the DVR.
- Inaccessible scanning – a scan that is supported for certain filesystems. This scan searches for data that is not accessible to the DVR (deleted or overwritten). Useful if the data is missing and suspected to be deleted.
Humans need verification for how something works, we also need verification for DVR Examiner. By asking questions, we can determine how and why video has been found. If we suspect video is not being found, we test the potential causes. If you have followed the above steps and based on your empirical verification DVR Examiner’s results do not seem consistent with the situation, please contact DME Forensics Technical support. We can be reached by phone at 1(800) 413-0363 or by email at firstname.lastname@example.org