So, you’ve just been handed a hard drive by your boss, who gives instructions to find all the vital information on the storage device. You are immediately excited for your first solo assignment, until you look down at the hard drive and think: “Now what do I do?” Do you plug it into your computer and start to investigate? Do you use one of the tools that you find in the lab to interrogate the hard drive? Let’s discuss the options available that may come in handy if you ever find yourself stuck in this position.
We are often asked what type of DVR system someone should purchase for their home or business and if there is a specific brand or model we recommend. The truth is, it is usually more about how you configure the system (including the cameras) than which system you buy. Sure, there are some really cheap systems out there which will limit your capabilities, but there are plenty of very expensive systems out there which (when configured incorrectly) can result in even worse video.
With the 1.10.0 release of DVR Examiner, we introduced support for the Vineyard_R filesystem. One of the difficulties with the system is that the proprietary files are actually created by the proprietary player – not by the DVR. In order to create these files under normal circumstances, you would connect the hard drive to your computer and access it using the manufacturer’s proprietary player.
Two questions I am often asked are “What type of forensic video analysis system should I buy?” and “I have ‘X’ system and I’m really comfortable with it, should I get another one or is there something better out there?” I’ve answered this enough times that I figured I’d actually put it down in a blog post. As you’ll see, my goal in this post isn’t to recommend one specific system over another, but to present some things for you to consider when looking to acquire a new system.
Occasionally, you will encounter video clips that only appear to display the first frame when played in VLC. When this occurs the progress bar continues to move but no additional video frames appear to be displayed. “Scrubbing” across the video will sometimes allow you to move to a certain position beyond the first frame, but even this doesn’t always work. We recently had a DVR Examiner user ask us about this. They were reviewing AVI files exported from DVR Examiner and some of them played fine in VLC and some simply froze at the first frame.
At DME Forensics, we get clients from across the professional gamut, from detectives to prosecutors, lawyers and insurance representatives – it is a good cross-section of the criminal and civil litigation worlds. As we talk with these individuals about their cases involving digital multimedia evidence, there seem to be some recurring themes. Typically when someone calls us, we spend approximately 30 to 40 minutes conducting an “impromptu” training session on digital and multimedia evidence. These conversations seem to lead to the same types of questions and misconceptions. With that in mind, in this blog post we’re going to explore some of the more common and recurring questions and concerns we have received over the years, to better educate first responders and professionals in dealing with digital and multimedia evidence.
So you just got in the latest and greatest version of XYZ software. This will be a useful tool in your workflow and, according to the manufacturer’s specifications, will greatly increase your capacity and efficiency. You install the software on your workstation and now you’re ready to go. Or are you?
Let’s start with a basic distinction between certification and accreditation. When we talk about accreditation, we are referring to the vetting of the standards and practices of an entire laboratory system. With certification, the individual’s training, experience, and competency are what is under the microscope, so to speak. There is tremendous value in the accreditation process, but the remainder of this blog will focus on certification.
In a previous blog post, we discussed why it is advantageous to utilize DD forensic images as opposed to E01 when analyzing hard drives from DVRs. In this post, we’ll look at another option – clones.
Many computer forensic examiners utilize the E01 forensic image file format to store bit-for-bit copies of hard drives used in their examinations. It is the default imaging option for many computer forensics tools and has become a de facto standard of sorts.