DME Forensics Blog

Why Traditional Computer Forensics Fails on Embedded DVRs

June 5, 2017 / DVR Forensics


Before I start talking about technical information and processes, I would like to pose a question. What does traditional computer forensics mean to you? If you can’t seem to find a definite answer, you are not the only one. Many times, when I mention my career in a conversation, the next question is “so what does that mean?”

People who collect and analyze digital evidence in a lab, in the field, or for a court of law are trained to do so. Traditionally, computer forensic investigations were performed using dead forensics, where the computer has been powered off. The alternative, live analysis, involves working with the computer before it is shut down. Whether a dead or live analysis is performed, the examiner decides the proper steps to ensure no data is lost or damaged. Comprehensive software tools can be used in an investigation to ensure the data’s integrity. The choice of tool is left up to the examiner. Depending on the type of digital evidence, a few of the tools used in traditional computer forensics are EnCase, X-Ways, FTK, etc.

When working with stand-alone computers, any of the tools mentioned above will accurately preserve data and support the subsequent steps of the investigation. But anyone working in the computer forensics field has to recognize the rapid growth in technology and computer crimes. The traditional computer forensics tools mentioned above may not always be the right choice when dealing with other types of digital evidence. Because implementations vary so widely, the many branches of forensics have diverse ways of interpreting evidence.

For this post, we are specifically referring to embedded DVRs as the “other” type of digital evidence that would not use the same tools as a stand-alone computer. For example, suppose a DVR was seized by law enforcement and they need footage from a specific date and time. Would you be able to use EnCase or FTK to look at the video footage for a specific date and time? The answer is no. Different tools and software are frequently created so that such investigations can be carried out properly.

So, now you might find yourself asking why embedded DVRs are so different. There are many aspects of a DVR that will not work with traditional computer forensics. Carving is an ingenious technique used in the realm of computer forensics. Traditional file carving can use EnCase or FTK to find corrupt or missing information in a file. These tools produce segmented files, in which the user can easily click on the starting sector and copy the content up to the end of the information that is needed. Carving out DVR files is not as simple. The data found when looking at a DVR requires the user to find the starting sector and ending sector of the file or clip that is necessary for the carve. This process involves a lot of trial and error to identify the correct start and end offsets.
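An added example, not part of the original post: a sector-based carve of the kind described above, run over a small constructed image. It assumes 512-byte sectors and that each clip begins with an H.264 Annex B sequence parameter set (`00 00 00 01 67`); real DVRs often use proprietary layouts, so the marker, the sample image and the function names are illustrative assumptions.

```python
import hashlib

SECTOR = 512                    # assumed sector size
SPS = b"\x00\x00\x00\x01\x67"   # H.264 Annex B start code + SPS header (assumed clip marker)


def candidate_start_sectors(image: bytes, marker: bytes = SPS, sector: int = SECTOR):
    """Return the sector numbers that contain the marker; each is a candidate clip start."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos // sector)
        pos = image.find(marker, pos + 1)
    return sorted(set(hits))


def carve(image: bytes, start_sector: int, end_sector: int, sector: int = SECTOR):
    """Copy sectors start..end (inclusive); return the data and its SHA-256 for the case notes."""
    if not 0 <= start_sector <= end_sector:
        raise ValueError("start sector must not be after end sector")
    end_byte = (end_sector + 1) * sector
    if end_byte > len(image):
        raise ValueError("end sector is past the end of the image")
    data = image[start_sector * sector:end_byte]
    return data, hashlib.sha256(data).hexdigest()


def build_sample_image() -> bytes:
    """Constructed 8-sector image: markers in sectors 2 and 5, zero-filled elsewhere."""
    img = bytearray(8 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + 5] = SPS
    img[5 * SECTOR + 100:5 * SECTOR + 105] = SPS   # marker that is not sector-aligned
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    starts = candidate_start_sectors(image)
    print("candidate start sectors:", starts)
    # First guess at the end offset: the sector before the next candidate start.
    clip, digest = carve(image, starts[0], starts[1] - 1)
    print(len(clip), "bytes carved, sha256", digest)
```

On a real image the end sector is rarely this obvious, which is where the trial and error comes in: each candidate range is carved, test-played, and the offsets adjusted.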

Day by day, there are new aspects of computer forensics, so the learning process never stops. Staying up to date with the latest developments, as well as making sure evidence is properly investigated, are the challenging aspects of working in a fast-paced technology atmosphere. Forensics is a thought-provoking and exciting profession due to the need for uncovering digital evidence in an ever-changing environment.





