Forensic Analysis of CCTV Digital Video Recorders (DVRs)
5/26/2016

Forensic Analysis of CCTV DVRs

Jimmy Schroering, President – Research & Development
• Active in the Digital & Multimedia Evidence field since 2003
• Previously employed as a forensic examiner at the Federal Bureau of Investigation, North Carolina State Bureau of Investigation, and Target Forensic Services
• Specializes in the forensic recovery of data, including “deleted” data from CCTV digital video recorders (DVRs)
Jimmy Schroering ‐ DME Forensics

Presentation Overview
• Common Issues Encountered During Recovery/Analysis
• How DVR Filesystems Differ From Traditional File Systems
• Carving & Proprietary Metadata
• DVR Recording Process
• Methods for Recovery

Common Issues Encountered During Recovery/Analysis
When using the DVR:
• Inconsistent, archaic menus make navigating the interface difficult
• Passwords are often required
• Exports can be difficult:
  • Limited number and/or size of files at one time
  • Slow speeds (USB 2.0 at best, typically)
When examining the hard drive directly:
• Drive (or partitions within it) appears unallocated or of unknown type
• Searches for known video headers or magic numbers return no (or invalid) results
• Even when video/images are recovered, key metadata may not be
• Files are extracted from a traditional file system (such as FAT32), but won’t play
• Carved video appears corrupted

How DVR Filesystems Differ From Traditional File Systems
• Traditional file systems (such as FAT32, ext2/3/4, etc.) are self-contained entities within a volume.
• While a hard drive can have multiple partitions, each containing a distinct file system, each one is independent of the others (think Mac with Boot Camp).
• Proprietary DVR filesystems occupy the entire drive and may (or may not) create multiple partitions for different purposes.
• When multiple partitions exist, these volumes will often require each other to operate properly (the indexes may be stored on one partition, with the data on another, for example).
Examples of Proprietary DVR Filesystem Structures (diagrams, slide 9):
• MBR | ext2 volume containing indexes | volume of unknown type containing data (proprietary)
• MBR | FAT32 volume containing sequential files, each containing proprietary DVR filesystem blocks
• XFS volume containing proprietary video & index files
• Volume of unknown type containing proprietary indexes & data | empty volume
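Added example (not from the presentation): a small Python MBR parser that reports the partition type byte of each entry and the sector ranges that no entry claims. That is how the first layout above presents itself to an examiner, an ext2 index volume beside a volume of a type no partition tool recognises, often with unclaimed space behind it. The sample MBR, its 0x99 type byte, the sector counts and the drive size are all constructed values; the KNOWN_TYPES table is deliberately short.

```python
import struct

SECTOR = 512

# A small map of common MBR partition type bytes. Anything not listed is
# reported as "unknown", which is how a proprietary DVR volume usually
# shows up in a partition tool.
KNOWN_TYPES = {
    0x00: "empty",
    0x05: "extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux (ext2/3/4, XFS, ...)",
}

# One 16-byte entry: status, CHS start (3 bytes, skipped), type, CHS end
# (3 bytes, skipped), LBA start, sector count; all little-endian.
ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(mbr: bytes) -> list:
    """Return the used primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 55 AA boot signature: not an MBR, or the drive is unpartitioned")
    entries = []
    for i in range(4):
        status, ptype, lba_start, lba_count = ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype == 0x00 and lba_count == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": KNOWN_TYPES.get(ptype, "unknown"),
            "start_sector": lba_start,
            "end_sector": lba_start + lba_count - 1,
            "sectors": lba_count,
        })
    return entries


def unpartitioned_ranges(entries: list, total_sectors: int) -> list:
    """Inclusive sector ranges that no entry claims, sector 0 excluded.
    Unclaimed space, especially at the end of the drive, is worth imaging
    and inspecting separately: it is not necessarily empty."""
    used = sorted((e["start_sector"], e["end_sector"]) for e in entries)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR: an ext2-style index volume followed by a data
    volume whose type byte (0x99, a placeholder chosen here) no common
    table recognises, and which stops well short of the end of the drive."""
    mbr = bytearray(SECTOR)
    ENTRY.pack_into(mbr, 446 + 16 * 0, 0x00, 0x83, 2048, 2_097_152)          # 1 GiB index volume
    ENTRY.pack_into(mbr, 446 + 16 * 1, 0x00, 0x99, 2_099_200, 200_000_000)   # proprietary data volume
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_TOTAL_SECTORS = 488_397_168   # a 250 GB drive, constructed


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"entry {p['index']}: type 0x{p['type']:02X} ({p['type_name']}), "
              f"sectors {p['start_sector']}-{p['end_sector']}")
    for lo, hi in unpartitioned_ranges(parts, SAMPLE_TOTAL_SECTORS):
        print(f"unclaimed: sectors {lo}-{hi} ({(hi - lo + 1) * SECTOR // 2**30} GiB)")
```

On a real image, run parse_mbr on the first sector of the drive; an "unknown" type byte or a large unclaimed range is the cue to stop trusting the partition tool and start looking at the raw sectors.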

Carving & Proprietary Metadata

Diagram (slide 11), a standard JPEG file: JPEG Header | EXIF Metadata | Image Content | JPEG Footer
Diagram (slide 12), DVR variant: Proprietary Metadata | JPEG Header | Image Content | JPEG Footer
(Slides 13–16: images only; no text was extracted.)
• Manually deciphering filesystem structures and interpreting proprietary metadata in order to accurately carve data can be a complex process.
• In general, the goals (in no particular order) are:
  • Identify how the filesystem is structured (including block size, if applicable)
  • Identify the underlying video/image type
  • Identify & interpret DVR metadata such as camera/channel number, date/time, frame length
• Adhering to a methodical approach (along with a lot of patience) will yield the best results.
• In general, looking for patterns is a good first step.
  • Don’t forget to consider big/little endian (MSBF/LSBF) and byte-swapping possibilities.
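Added example (not from the presentation): Python that takes one constructed 14-byte per-frame record (magic, camera, Unix timestamp, frame length; the layout and the "DVRH" magic are assumptions, not any real vendor's format) and reads its 32-bit timestamp field every way a vendor might have written it: little-endian, big-endian, and each with the 16-bit words swapped. Only readings that land in a plausible date range survive, which is the usual way an examiner settles byte order before trusting any other field.

```python
import struct
from datetime import datetime, timezone

# Constructed record layout: magic(4) | camera(u16) | timestamp(u32, Unix
# epoch) | frame length(u32). The byte order is deliberately unstated.
FORMAT = "4sHII"   # prefix with '<' (little-endian) or '>' (big-endian)
SAMPLE_RECORD = (
    b"DVRH"                              # constructed magic
    + bytes([0x03, 0x00])                # camera
    + bytes([0xA0, 0xC0, 0x20, 0x57])    # timestamp
    + bytes([0x10, 0x27, 0x00, 0x00])    # frame length
)


def decode_record(rec: bytes, order: str) -> dict:
    """Decode the record assuming byte order '<' (LSBF) or '>' (MSBF)."""
    magic, cam, ts, length = struct.unpack(order + FORMAT, rec)
    return {"magic": magic, "camera": cam, "timestamp": ts, "frame_len": length}


def candidate_readings(field: bytes) -> dict:
    """Every way a vendor might have written a 32-bit value: little-endian,
    big-endian, and each of those with the two 16-bit halves swapped."""
    if len(field) != 4:
        raise ValueError("expected a 4-byte field")
    swapped = field[2:4] + field[0:2]
    return {
        "LE (LSBF)": struct.unpack("<I", field)[0],
        "BE (MSBF)": struct.unpack(">I", field)[0],
        "LE, 16-bit words swapped": struct.unpack("<I", swapped)[0],
        "BE, 16-bit words swapped": struct.unpack(">I", swapped)[0],
    }


# Plausibility window for a timestamp on a CCTV drive (constructed bounds;
# narrow them to the case, e.g. the seizure date, when known).
EARLIEST = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
LATEST = int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())


def plausible_timestamps(field: bytes) -> dict:
    """Keep only the readings inside the plausibility window. More than one
    survivor means this field alone cannot settle the byte order; a second
    field, or the DVR itself, is needed."""
    return {
        name: datetime.fromtimestamp(value, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        for name, value in candidate_readings(field).items()
        if EARLIEST <= value < LATEST
    }


def infer_byte_order(rec: bytes) -> str:
    """Pick the byte order whose timestamp reading is the only plausible
    one; raise if the record is ambiguous or nothing fits."""
    hits = plausible_timestamps(rec[6:10])
    if list(hits) == ["LE (LSBF)"]:
        return "<"
    if list(hits) == [">BE (MSBF)"[1:]]:
        return ">"
    raise ValueError(f"byte order not settled by the timestamp alone: {hits}")


if __name__ == "__main__":
    for name, stamp in plausible_timestamps(SAMPLE_RECORD[6:10]).items():
        print(f"{name}: {stamp}")
    order = infer_byte_order(SAMPLE_RECORD)
    print("decoded:", decode_record(SAMPLE_RECORD, order))
    print("wrong order gives camera", decode_record(SAMPLE_RECORD, ">" if order == "<" else "<")["camera"])
```

The camera field shows why this matters: the same two bytes read as camera 3 in one byte order and camera 768 in the other, and only the timestamp tells you which one the DVR meant.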
• Look near whitespace, not “walls of data” (slides 18–19)
• Look for human-readable text (e.g. ASCII) (slide 20)
• Look for known video/image magic numbers:
  • JPEG – Start: FF D8 / Stop: FF D9
  • JPEG 2000 – Start: 00 00 00 0C 6A 50 20 20 0D 0A 87 0A 00 00 00 14 66 74 79 70 6A 70 32 20 … / Stop: FF D9
  • H.264 – SPS: [00] 00 00 01 67; PPS: [00] 00 00 01 68; Reference frame: [00] 00 00 01 65; Non-reference frame: [00] 00 00 01 61; other possibilities: [00] 00 00 01 x7 / x8 / x5 / x1
  • MPEG frame: 00 00 01 B6
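Added example (not from the presentation): a Python signature scanner for the magic numbers listed above. It matches the JPEG, JPEG 2000 and MPEG byte patterns literally, and for H.264 it decodes the NAL header byte that follows the 00 00 01 start code instead of matching 67/68/65/61 literally, because the low five bits carry the unit type and the two bits above them carry nal_ref_idc (that is why the slide lists x7 / x8 / x5 / x1 as alternatives). It also pairs JPEG SOI/EOI markers with a stack so an EXIF thumbnail nested inside a photo is reported as nested rather than as a second, truncated image. The sample buffer, including its 8 bytes of "proprietary metadata", is constructed.

```python
import re

# Signatures from the slide (JPEG 2000 is matched on its 12-byte signature box)
SIGNATURES = {
    "JPEG SOI": b"\xFF\xD8",
    "JPEG EOI": b"\xFF\xD9",
    "JPEG 2000 signature box": bytes.fromhex("0000000C6A5020200D0A870A"),
    "MPEG frame": b"\x00\x00\x01\xB6",
}

# H.264: after the 00 00 01 start code, the low 5 bits of the NAL header byte
# give nal_unit_type and bits 5-6 give nal_ref_idc.
H264_NAL_TYPES = {7: "SPS", 8: "PPS", 5: "IDR (reference) slice", 1: "non-IDR slice"}


def scan_signatures(buf: bytes) -> list:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = [(m.start(), name)
            for name, sig in SIGNATURES.items()
            for m in re.finditer(re.escape(sig), buf)]
    for m in re.finditer(b"\x00\x00\x01", buf):
        pos = m.start()
        if pos + 3 >= len(buf):
            continue
        hdr = buf[pos + 3]
        if hdr & 0x80:                       # forbidden_zero_bit set: not a NAL header
            continue
        nal_type = hdr & 0x1F
        if nal_type in H264_NAL_TYPES:
            # a 4-byte start code (00 00 00 01) begins one byte earlier
            start = pos - 1 if pos > 0 and buf[pos - 1] == 0 else pos
            hits.append((start, f"H.264 {H264_NAL_TYPES[nal_type]} (nal_ref_idc={(hdr >> 5) & 3})"))
    return sorted(hits)


def carve_jpegs(buf: bytes) -> list:
    """Pair each SOI with the EOI that closes it. Returns (start, end, depth),
    end inclusive; depth > 0 marks a JPEG nested inside another one, which
    is what an EXIF thumbnail looks like to a carver."""
    stack, found = [], []
    for off, name in scan_signatures(buf):
        if name == "JPEG SOI":
            stack.append(off)
        elif name == "JPEG EOI" and stack:
            start = stack.pop()
            found.append((start, off + 1, len(stack)))
    return sorted(found)


# Constructed buffer: 8 bytes of made-up proprietary metadata, a tiny JPEG with
# an embedded thumbnail, then H.264 SPS/PPS/IDR/non-IDR units and an MPEG frame.
SAMPLE = (
    b"DVRHDR\x01\x00"
    + b"\xFF\xD8\xFF\xE1\x00\x10Exif\x00\x00"   # SOI + APP1 marker
    + b"\xFF\xD8\xAB\xCD\xFF\xD9"               # thumbnail inside APP1
    + b"\x11\x22\xFF\xD9"                       # rest of image + EOI
    + b"\x00\x00\x00\x01\x67\x42\x00\x1E"       # SPS
    + b"\x00\x00\x00\x01\x68\xCE\x38\x80"       # PPS
    + b"\x00\x00\x00\x01\x65\x88\x84"           # IDR slice
    + b"\x00\x00\x01\x41\x9A"                   # non-IDR slice, nal_ref_idc=2
    + b"\x00\x00\x01\xB6\x10"                   # MPEG frame start code
)


if __name__ == "__main__":
    for off, what in scan_signatures(SAMPLE):
        print(f"{off:6d}  {what}")
    print("JPEGs (start, end, depth):", carve_jpegs(SAMPLE))
```

Two caveats the scanner makes visible: the 8 bytes of metadata before the first SOI are exactly what a header-only search throws away, and every start-code hit is only a frame boundary, not a frame's camera or time; those still have to come from the proprietary metadata around it.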
(Slides 22–37, Carving & Proprietary Metadata: images only; no text was extracted.)
• These errors are referred to as compression artifacts, and are caused by the incorrect ordering of frames when temporal compression is in use.
• Temporal compression is compression over time. In short, complete “reference” frames are only stored periodically; for the rest of the time, only the changes from those reference frames are stored.
• Typically, the DVR takes care of playing back the correct frames from the correct camera(s) in the right order, but when the data is recovered incorrectly (usually via carving), results similar to the previous video are common.
• Understanding how the DVR records data to the filesystem is highly beneficial in identifying potential recovery options.
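Added example (not from the presentation): Python that shows the ordering problem described above on a constructed carve result. Each carved frame carries the camera and timestamp read from its proprietary metadata plus a flag for whether it is a complete reference frame. naive_concatenation_errors counts the frames a byte-order concatenation would decode against the wrong camera's reference frame (the source of the smearing), and assemble_streams does what the DVR does on playback: demultiplex per camera, sort by time, start at the first reference frame, and report gaps. The Frame class, the field names and the sample frames are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    offset: int       # where on the drive the frame was carved from
    camera: int       # camera/channel number from the proprietary metadata
    ts_ms: int        # timestamp from the proprietary metadata, milliseconds
    reference: bool   # True for a complete reference (I/IDR) frame


def naive_concatenation_errors(frames) -> int:
    """Count frames that a plain byte-order concatenation would hand to the
    decoder after a reference frame belonging to a different camera, or
    before any reference frame at all. Each one decodes against the wrong
    picture and produces the smearing seen in carved DVR video."""
    last_ref_camera = None
    bad = 0
    for f in sorted(frames, key=lambda f: f.offset):
        if f.reference:
            last_ref_camera = f.camera
        elif last_ref_camera != f.camera:
            bad += 1
    return bad


def assemble_streams(frames, max_gap_ms=1000) -> dict:
    """Demultiplex carved frames per camera, order them by timestamp and
    start each stream at its first reference frame. Returns, per camera,
    the playable frames, how many leading non-reference frames had to be
    dropped, the timeline gaps larger than max_gap_ms, and whether the
    camera had no reference frame at all (nothing is decodable)."""
    by_camera = {}
    for f in frames:
        by_camera.setdefault(f.camera, []).append(f)
    streams = {}
    for cam, fl in sorted(by_camera.items()):
        fl.sort(key=lambda f: (f.ts_ms, f.offset))
        first_ref = next((i for i, f in enumerate(fl) if f.reference), None)
        if first_ref is None:
            streams[cam] = {"playable": [], "dropped": len(fl), "gaps": [], "no_reference": True}
            continue
        playable = fl[first_ref:]
        gaps = [(a.ts_ms, b.ts_ms) for a, b in zip(playable, playable[1:])
                if b.ts_ms - a.ts_ms > max_gap_ms]
        streams[cam] = {"playable": playable, "dropped": first_ref, "gaps": gaps, "no_reference": False}
    return streams


# Constructed carve result, in drive order: two cameras interleaved, a stale
# camera-1 non-reference frame left from an earlier recording, a gap in
# camera 2, and a camera-3 fragment with no reference frame at all.
SAMPLE_FRAMES = [
    Frame(0, 1, 0, False),
    Frame(1, 2, 0, True),
    Frame(2, 1, 40, True),
    Frame(3, 2, 40, False),
    Frame(4, 1, 80, False),
    Frame(5, 2, 80, False),
    Frame(6, 1, 120, False),
    Frame(7, 2, 2000, False),
    Frame(8, 3, 100, False),
]


if __name__ == "__main__":
    print("frames decoded against the wrong reference if simply concatenated:",
          naive_concatenation_errors(SAMPLE_FRAMES))
    for cam, s in assemble_streams(SAMPLE_FRAMES).items():
        print(f"camera {cam}: {len(s['playable'])} playable, {s['dropped']} dropped, "
              f"gaps={s['gaps']}, no_reference={s['no_reference']}")
```

Camera 3 is the case to watch for in reports: its frames carve cleanly and look like video on disk, but without a reference frame nothing in them can be rendered correctly.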

DVR Recording Process

Diagram sequence (slides 40–56). The drive is laid out as: System Information | Index Information | Data Area | Empty Space.
• Slide 41: the Data Area is divided into fixed blocks, Block 0 through Block 11.
• Slide 42: all twelve blocks start out empty.
• Slides 43–49: as recording proceeds, blocks are filled in order, each holding data from one camera: Block 0 (Camera 1), Block 1 (Camera 2), Block 2 (Camera 1), Block 3 (Camera 2), Block 4 (Camera 3), Block 5 (Camera 1), Block 6 (Camera 2), Block 7 (Camera 3), Block 8 (Camera 1), Block 9 (Camera 2), Block 10 (Camera 3), Block 11 (Camera 1).
• Slide 50: with the Data Area full, Block 0 holds the earliest data and Block 11 the latest.
• Slides 51–53: recording wraps around and overwrites the oldest block: Block 0 (formerly Camera 1) now holds Camera 2 and is the latest data, so Block 1 (Camera 2) now holds the earliest.
• Slides 54–55: overwriting continues through Blocks 1–3 (Block 1 now Camera 3, Block 2 Camera 1, Block 3 Camera 2): Block 3 is now the latest and Block 4 (Camera 3) the earliest.
• Slide 56: every block is shown as (empty) again.

Methods for Recovery/Analysis
• Primary methods for recovering data include:
  • DVR Examiner
  • Manual Extraction of Open Format Data
    • Recovering the data in a format which is non-proprietary and playable in open-format players.
    • Method may be used to recover accessible or inaccessible video.
  • Manual Extraction of Proprietary Data
    • Recovering the data in a format which is proprietary and playable in the manufacturer-designed player.
    • Method may be used to recover accessible or inaccessible video.
  • Index Reconstruction
    • Manually rebuilding index entries which were lost, in order to allow the DVR to access data that was previously inaccessible to it.
    • Method is ONLY for inaccessible video.
DVR Examiner
• Forensic software for simplified recovery of data from DVRs
• Accesses proprietary DVR filesystems in a forensic manner and recovers the data with no additional loss in quality (i.e. from compression)
• Interprets proprietary metadata (such as date/time, camera, etc.) and displays it to the user
• Detects the type of filesystem automatically
• Allows for filtering of data based on date/time, camera, etc.
• Recovers data inaccessible to the DVR (when available)
• Bypasses the need for the DVR password
• Utilizes consistent user interface elements regardless of the interface of the DVR
• Free trial available at dmeforensics.com/enfuse
Manual Extraction of Open Format Data
• Requirements
  • The DVR must store data in an open format (e.g. H.264, JPEG, etc.)
  • In order to positively identify metadata, the DVR and/or a sample proprietary file is often required
• Pros
  • The data extracted is playable by a traditional player (such as VLC or Windows Media Player)
• Cons
  • Will not contain metadata that is not included in the image content (“burned in”)
Manual Extraction of Proprietary Data
• Requirements
  • The DVR must be able to output a proprietary file, and the manufacturer must have produced a proprietary player
  • Access to the same type of DVR that recorded the data, or sample proprietary files produced by that type of DVR
• Pros
  • The data is playable in the manufacturer’s proprietary player with all metadata
  • Can be easier to demonstrate validity of process and data
• Cons
  • Depending on the system, this process may be more complex than extracting open format data
Index Reconstruction
• Requirements
  • Access to the same type of DVR that recorded the data
  • Ideally, the DVR should not “associate” with a specific hard drive
• Pros
  • Works well for recovering large amounts of data when little to none of it has been overwritten
  • Once the index is rebuilt, data may be exported in the same manner as accessible data
• Cons
  • Most complex of the methods
  • Even after rebuilding the index, the data must still then be exported (in a proprietary format, which may be limiting)
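Added example (not from the presentation) serving both the DVR Recording Process diagrams (slides 40–56) and Index Reconstruction: a toy DVR in Python with a 12-block data area that records the cameras in the same order as the slides, wraps around and overwrites the oldest block, and keeps an index of (timestamp, camera, block). clear_index then models the loss that makes data "inaccessible" to the DVR (the index goes, the data area stays), and rebuild_index recovers the same index by reading the header each block carries. The ToyDVR class, the BLK1 block-header layout, the 64-byte block size and the timestamps are all constructed; real DVR structures differ per vendor and must be deciphered first.

```python
import struct

BLOCK_SIZE = 64                  # constructed toy size; real DVR blocks are far larger
HDR = struct.Struct("<4sHIH")    # constructed block header: magic, camera, timestamp, payload length
MAGIC = b"BLK1"


class ToyDVR:
    def __init__(self, n_blocks=12):
        self.disk = bytearray(BLOCK_SIZE * n_blocks)   # the data area
        self.n = n_blocks
        self.index = []          # (timestamp, camera, block) in recording order
        self.next_block = 0

    def record(self, camera: int, timestamp: int, payload: bytes) -> int:
        """Write one block for `camera`, overwriting the oldest block once
        the data area is full, and keep the index in step."""
        blk = self.next_block
        self.index = [e for e in self.index if e[2] != blk]   # drop the overwritten entry
        body = HDR.pack(MAGIC, camera, timestamp, len(payload)) + payload
        self.disk[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = body.ljust(BLOCK_SIZE, b"\x00")
        self.index.append((timestamp, camera, blk))
        self.next_block = (blk + 1) % self.n
        return blk

    def clear_index(self):
        """Model of index loss: the DVR can no longer find anything, but the
        data area is untouched."""
        self.index = []


def rebuild_index(disk: bytes) -> list:
    """Walk the data area block by block and rebuild the index from the
    timestamps stored in each block's own header."""
    entries = []
    for blk in range(len(disk) // BLOCK_SIZE):
        magic, cam, ts, _length = HDR.unpack_from(disk, blk * BLOCK_SIZE)
        if magic != MAGIC:
            continue             # never written, or not a data block
        entries.append((ts, cam, blk))
    entries.sort()
    return entries


def earliest_latest(index: list):
    """(block holding the earliest data, block holding the latest)."""
    if not index:
        return None
    return index[0][2], index[-1][2]


FIRST_PASS = [1, 2, 1, 2, 3, 1, 2, 3, 1, 2, 3, 1]   # camera order used on the slides
AFTER_WRAP = [2, 3, 1]                               # the cycle continues after Block 11


def run_demo(extra_writes=4):
    dvr = ToyDVR(12)
    ts = 1_464_220_800           # 2016-05-26 00:00:00 UTC, constructed start time
    for i, cam in enumerate(FIRST_PASS):
        dvr.record(cam, ts + i, b"frame data")
    full = earliest_latest(dvr.index)                # (0, 11): slide 50
    for i in range(extra_writes):
        dvr.record(AFTER_WRAP[i % 3], ts + 12 + i, b"frame data")
    wrapped = earliest_latest(dvr.index)             # (4, 3): slide 54
    before = list(dvr.index)
    dvr.clear_index()
    rebuilt = rebuild_index(bytes(dvr.disk))
    return full, wrapped, before, rebuilt


if __name__ == "__main__":
    full, wrapped, before, rebuilt = run_demo()
    print("full data area, (earliest, latest) block:", full)
    print("after four overwrites, (earliest, latest) block:", wrapped)
    print("index rebuilt from block headers matches original:", rebuilt == before)
```

The rebuilt index is only as good as the per-block headers: if those were also cleared, or the blocks were overwritten, reconstruction has nothing to work from, which is why the slide restricts the method to data that has not been overwritten.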

Questions?

Thank You
Jimmy Schroering | President – Research & Development | DME Forensics
[email protected] | 800.413.0363