Smile, You’re on Camera: A Lawyer’s Guide to DVR Forensics
THEY’RE ALWAYS WATCHING
Big brother is everywhere these days. You can’t run to a coffee shop for a morning boost without being caught on the traffic camera down the street, the gas station camera en route to the coffee shop, the camera in the drive-thru, the camera at the window when you pull up to pay, and possibly several cameras at surrounding businesses throughout your trip. The average American is caught on camera 50+ times per day according to this blog post by the world’s leading video surveillance information source, IP Video Market. The amount of times we are caught on camera per day is alarming to some, but to those looking for concrete evidence for a client’s alibi, among many other scenarios, it could be the key to making or breaking your case. Odds are good that your client(s) were caught on camera either before, during or after the activity or incident they are allegedly accused of. It’s up to you to determine what footage is available, how to obtain and preserve that footage, how to navigate available data to ensure you are strategically using all footage possible to build your case and how to turn the footage you are reviewing into a forensically recognized digital product that is presentable in court.
Time is off the essence when it comes to DVR Forensics. Typically we will see DVR systems with 30, 60 or 90 days worth of storage capacity. This means that after that time frame, the hard drive that is storing the footage is full and new footage begins to overwrite / delete potentially valuable content. The faster you can identify and properly preserve these systems, the more likely you will be to recovery the data you are looking for.
Start with the basics, map out the location of the alleged incident – this could be in a home, along a highway, or in an office building – what cameras are in the area that could provide valuable footage? Were there any cameras in your client(s) general vicinity that could assist in proving an alibi? Once you have your list of available footage, start your research. Who owns which camera and what are the proper steps to the legal process for obtaining the footage from each business or home? Once you can obtain the video or DVR systems you are after, the real work begins. You need to get this raw data from its original format into a product that is easily digestible. This is where organization is key to success. At times, you may be dealing with 3-5 different DVR’s, all using different file systems, with 8-10 cameras per DVR.
After working a large volume and variety of DVR cases over the years, we recommend keeping it simple from the start: research your options, take inventory, parse and extract the relevant available data, document your findings and procedures, review the exported data for accuracy and verification, and repeat processes as needed.
UNDERSTANDING DVR SYSTEMS
Most DVR systems are proprietary and built overseas, thus making them tough to find more support for than is supplied with the original user manual. There is a large variety of file structures, storage capacity and capabilities, playback options, features, etc. being used with each manufacturer. To make things even more confusing, often we find ourselves dealing with multiple DVR’s from several manufacturers that are using a variety of different file structures and features (motion, steam, etc.). A few questions you will want to ask yourself to understand each DVR system involved during your initial investigation:
What is the storage capacity of this DVR system? Am I dealing with terabytes of data, or just a few gigabytes? This will ultimately help you understand the total volume of data and what your storage and transfer options are for exported footage. Is this something that can easily be sent via email, or does it need to be transported via an external drive?
NOTE: It’s always recommended (and standard practice) to first create a forensic image of each hard drive within each DVR system. If you’re dealing with a time sensitive case and say 30+ TB of data, do you have time to create all the forensic images needed? If not, what options do you have to work off original drives and still forensically preserve the data? If you have the time and knowledge to make a forensic image, which programs are compatible with this DVR file system?
NOTE: If you create a forensic image, be sure to compare it to the original hard drive to ensure you were able to acquire all the data from the original – if not, you could be missing valuable footage in your video export.
Does this DVR have a user manual available for download online? If so, download it and read through thoroughly. Typically, all manufactures have a downloadable version somewhere online. This will arm you with the most current and accurate information available for the specific model you will be working with. It will also help you understand that system’s capabilities and limitations.
Is the DVR compatible with just video, or audio as well? If the DVR is audio compatible, what type of camera(s) were used with the DVR system? Did the camera have audio compatibility? Was it activated during the footage you are looking for? This will help you determine the value of your footage depending on your needs. Are you looking to prove something an individual said or something an individual did?
Is this DVR system capable of storing “inaccessible” or deleted / overwritten footage?
How is this data stored? If it is capable of storing deleted data, does it offer recovery options for deleted / over-written content via the native playback system? If not, what other options do you have to recover any inaccessible data? Are there any external hard drives that footage was regularly back-up to that is also recoverable? Several of these DVR systems allow for backing up your video when the internal drive is full. This way you can avoid the oldest data from being overwritten. Those additional hard drives, thumb drives, etc. may contain valuable data for your case.
What are your format options for exporting relevant video? Some of these DVR systems will simply provide an Audio Video Interleave (.AVI) file export option, which is compatible with most media players such as VLC or Windows Media Players. Other DVR systems will only allow for MPEG-4 (MP4), DAV or some alternate format.
Once you have identified the available export format options, what are your options for playing / reviewing the exported footage? Are you able to find and play exported video files on a downloadable native DVR player, or are you limited to a universal video player for footage review? It’s important to understand what you are after with the footage you have exported, this way you know if you can accomplish your goals with the media player you are going to be using. Some media players are more limited than others in their video playback options, such as no fast-forward setting, no zooming, no slow play, etc.
NOTE: When you are attempting to review multiple days of footage from several camera angles, what are your options for viewing more than one camera angle at once in chronological order to streamline the review process?
Upon initial review of all available footage, we recommend making yourself a “KEY” or “SUMMARY” to help you conceptualize the big picture. Document your naming convention for each DVR system and their associated cameras. By organizing, you can quickly associate say Camera 8 with DVR 2 to make things less convoluted when you are hours deep in footage review. Once you have each DVR and camera properly named, attach a screen shot of the view for each camera angle. This will help you to quickly recall coverage of each camera and whether it would have caught a specific activity. For instance, if camera 3 covers the back door of a single-family dwelling, I could safely assume it would not have captured vandalism that occurred on the front door, hence eliminating hours of footage review from camera 3. This summary or key is a valuable tool for quick reference throughout your review process.
Export structure is invaluable when it comes to your time management. Some DVR systems only offer a single export format and playback option. How are you going to organize all the exported data? In some cases, it’s best to organize the exported footage by date. In other cases, it might be best to export by camera channel and then date. Understand what option is going to be most efficient for playback and reviewing the data before beginning your video export.
Often, we find ourselves being called to testify to our final work product. For this reason, we find it is always best practice to document every step you take throughout this process. By documenting your steps, you can easily reference your notes during litigation and accurately speak to the actions you took to forensically preserve, acquire, image, review and export all the data you present. The amount of detail you document is up to you, but at a minimum, we recommend documenting the programs (and their version) used to acquire, image, export and review the DVR footage.
YOU’RE NOT ALONE
We understand that DVR Forensics can be a massive time constraint on your case. As your client’s expert counsel, you must be dynamic and strategic with your time management. Roloff Digital Forensics has an experienced team of Digital Forensic Examiners with extensive backgrounds ready to help you with all your DVR forensic needs. Whether it’s just an initial review and summary of the data available to you, consultation on your options moving forward, exporting footage in a format that’s compatible with your systems, or a full-on acquisition to testimony need, Roloff Digital Forensics has you covered. If you have questions about DVR Forensics, you can reach us at 509-443-9293 and one of our Digital Forensic Examiners would be happy to help!
Travis M Kensok
Digital Forensic Examiner
Roloff Digital Forensics
Roloffdf.com – (509) 443 9293
Current and Future Challenges for the Digital Forensics’ Community
Although the digital forensics’ community has been around for decades (remember when it was called ‘Computer Forensics’?), instead of processes becoming easier and more streamlined, the Mobile challenges have become more progressive and cumulative.
From the sheer number of devices a person or household may maintain, to the total volume of data now being stored on cell phones and network attached storage devices, quantity has become a major challenge. Digital forensics examiners must be taught how to examine digital devices with such large volumes to be efficient and meet customer’s needs in a reasonable amount of time.
Another challenge is major vendors changing their products in significant ways. As an example, Apple Inc., has made significant changes that are challenging to the acquisition of their devices as well as the ability of examiners to properly analyze the data being examined. As many are aware, Apple Inc. has a process called “Continuity” which allows a user to answer FaceTime, text messages and phone calls with any of their devices that have been set up for Continuity. An individual with this capability can also move from device to device to carry on text and phone conversations. The challenge becomes determining which device originally received the incoming communication and when it was received. Apple Inc. has also recently changed their computer file system from HFS to APFS (Hierarchical File System, Apple File System). This major change has had enormous impact on examiners and the companies that design digital forensic software.
Apple Inc. has also introduced on some of their computers Fusion Drive. This is a combination of a spinning hard disk drive and a solid-state drive working in tandem as one drive, transparent to the user. If this type of computer is not recognized by an examiner as having Fusion Drive or is not properly acquired, a great deal of data will not be examined and potential evidence can be lost.
And although not a current requirement, many judges across the land are looking at examiners who testify in their courts to have certifications in the tools that they use. Many of the major forensic software tool manufacturers have their own certification processes. These certifications are challenging and costly to obtain and maintain. But when an examiner is on the stand, they can be invaluable to declaring an individual an expert in his or her specialty.
Naturally, there are a large variety of issue that are challenging to the digital forensics’ community like encryption, anti-forensics and wait times for examinations. It would take a book to delineate all of the challenges.
But to achieve positive outcomes in the digital world today, a Prosecutor’s or Defender’s Office, as well as a civil attorney’s office, needs to know that the company they select to overcome these obstacles is prepared to do so.
Roloff Digital Forensics is such a company.
RDF’s personnel have achieved and maintain Cellebrite’s certifications: Cellebrite Certified Logical Operator (CCLO), Cellebrite Certified Physical Analyzer (CCPA), and Cellebrite Certified Mobile Examiner (CCME).
Also, OpenText’s (previously known as Guidance Software) Encase Certified Examiner certificate is maintained by many employees. In all levels of court proceedings today, criminal and civil, judges are looking to see digital forensic examiners with the appropriate level of certifications.
With proper training, team collaboration, the necessary software tools for forensic acquisitions, extractions and analyzes, RDF has been able to achieve great success in meeting its client’s goals in the digital forensics’ community and overcoming the many challenges in the digital forensics’ community.
Location Data: The Story Our Devices Communicate
For many people, the notion that our digital devices communicate our location is concerning, and understandably so. The truth is, however, that our locations and associated activities are being monitored more closely and consistently than ever before. Location-based data can provide detailed insights into a person’s life, habits, and interests. Imagine your location being logged every time your mobile phone checks for new e-mail, when you post a tweet, “check-in” to a location/business, refresh your Facebook or other social media feed, update your “status”, take a picture or video with your phone’s camera, purchase something online, request a ride with Uber, Lyft, and whatever comes next, or otherwise check your proximity to a location via a mapping tool – the list goes on. This isn’t a hypothesis, these actions, right now, can cause the consequence of your location being logged, often in multiple places, by multiple sources, many of them using this information to assist in their future dealings with your “profile”.
At Roloff Digital Forensics, we target and utilize such information to assist attorneys in the representation of their client. This can occur by demonstrating a location-based alibi (e.g., my client couldn’t have committed that crime, they were at a location too far away to be present), demonstrating that their client’s digital devices were in a general vicinity that could be problematic (e.g., “yes, it appears your client’s phone was in a geographical location that could place them at the location in question on that critical day and time”), to pointing out the issues location-based data may have in presenting facts about a person’s digital device location (e.g., the specific geographical location, overlap/location of surrounding cellular towers, the terrain, all add uncertainty to the accuracy/specificity the location data presents).
Depending on a person’s digital/online footprint, location-based data can be voluminous and stems from many places:
- The digital devices: phones, tablets, computers, etc.
- Images and videos you create, installed applications, wireless access points, global positioning system (GPS), wireless and cellular networks, etc.
- The service providers electronic devices interact with: AT&T, T-Mobile, Verizon, Comcast, etc.
- Call/text records (CDRs) with accompanying site location, historical precision location data/nelos reports, etc.
- The applications and services utilized on the device: Facebook, Kik, Google applications, Apple applications, third-party applications of many varieties and sorts that you’ve installed and given permission to access your “location data”, etc.
- Much of this information isn’t easily visible to the user. But it can be found by forensically analyzing the digital devices, issuing subpoenas, court orders, reviewing locations/applications on digital devices, and with certain service providers; by accessing your account and locating the data that has been logged about your locations.
Although location-based data can seem daunting and is at times quite intrusive, if found, collected, and analyzed correctly, it can be of immense value in litigation.