THEY’RE ALWAYS WATCHING
Big brother is everywhere these days. You can’t run to a coffee shop for a morning boost without being caught on the traffic camera down the street, the gas station camera en route to the coffee shop, the camera in the drive-thru, the camera at the window when you pull up to pay, and possibly several cameras at surrounding businesses throughout your trip. The average American is caught on camera 50+ times per day according to this blog post by the world’s leading video surveillance information source, IP Video Market. The number of times we are caught on camera per day is alarming to some, but to those looking for concrete evidence for a client’s alibi, among many other scenarios, it could be the key to making or breaking your case. Odds are good that your client(s) were caught on camera either before, during or after the activity or incident they are accused of. It’s up to you to determine what footage is available, how to obtain and preserve that footage, how to navigate available data to ensure you are strategically using all footage possible to build your case and how to turn the footage you are reviewing into a forensically recognized digital product that is presentable in court.
Time is of the essence when it comes to DVR Forensics. Typically we will see DVR systems with 30, 60 or 90 days’ worth of storage capacity. This means that after that time frame, the hard drive that is storing the footage is full and new footage begins to overwrite / delete potentially valuable content. The faster you can identify and properly preserve these systems, the more likely you will be to recover the data you are looking for.
Start with the basics: map out the location of the alleged incident – this could be in a home, along a highway, or in an office building – and ask what cameras are in the area that could provide valuable footage. Were there any cameras in your client’s general vicinity that could assist in proving an alibi? Once you have your list of available footage, start your research. Who owns which camera, and what are the proper steps in the legal process for obtaining the footage from each business or home? Once you can obtain the video or DVR systems you are after, the real work begins. You need to get this raw data from its original format into a product that is easily digestible. This is where organization is key to success. At times, you may be dealing with 3-5 different DVRs, all using different file systems, with 8-10 cameras per DVR.
After working a large volume and variety of DVR cases over the years, we recommend keeping it simple from the start: research your options, take inventory, parse and extract the relevant available data, document your findings and procedures, review the exported data for accuracy and verification, and repeat processes as needed.
UNDERSTANDING DVR SYSTEMS
Most DVR systems are proprietary and built overseas, which makes it tough to find support beyond what is supplied in the original user manual. File structures, storage capacities and capabilities, playback options, features, etc. vary widely from manufacturer to manufacturer. To make things even more confusing, we often find ourselves dealing with multiple DVRs from several manufacturers that use a variety of different file structures and features (motion, stream, etc.). A few questions you will want to ask yourself to understand each DVR system involved during your initial investigation:
What is the storage capacity of this DVR system? Am I dealing with terabytes of data, or just a few gigabytes? This will ultimately help you understand the total volume of data and what your storage and transfer options are for exported footage. Is this something that can easily be sent via email, or does it need to be transported via an external drive?
NOTE: It’s always recommended (and standard practice) to first create a forensic image of each hard drive within each DVR system. If you’re dealing with a time sensitive case and say 30+ TB of data, do you have time to create all the forensic images needed? If not, what options do you have to work off original drives and still forensically preserve the data? If you have the time and knowledge to make a forensic image, which programs are compatible with this DVR file system?
NOTE: If you create a forensic image, be sure to compare it to the original hard drive to ensure you were able to acquire all the data from the original – if not, you could be missing valuable footage in your video export.
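One way to carry out the comparison described in the note above, as an added example that is not from the original article: it hashes the original drive and the image in a single pass and, if they differ, reports the byte offset where they first diverge, which shows how much footage a short image is missing. The file names and the 3 MiB sample "drive" are constructed for illustration; on a real case the source would be the write-blocked device.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-terabyte drives never sit in memory


def compare_image(source_path, image_path, chunk=CHUNK):
    """Hash source and image in one pass and report where they first diverge."""
    src_hash, img_hash = hashlib.sha256(), hashlib.sha256()
    src_size = img_size = 0
    first_diff = None
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        while True:
            a, b = src.read(chunk), img.read(chunk)
            if not a and not b:
                break
            src_hash.update(a)
            img_hash.update(b)
            if first_diff is None and a != b:
                # Narrow to the exact byte; a short read counts as a difference.
                n = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                         min(len(a), len(b)))
                first_diff = max(src_size, img_size) + n
            src_size += len(a)
            img_size += len(b)
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "source_bytes": src_size,
        "image_bytes": img_size,
        "match": src_hash.digest() == img_hash.digest(),
        "first_difference_offset": first_diff,
    }


def demo():
    """Constructed sample: a 3 MiB 'drive', a complete image and a truncated image."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "dvr1_disk0.raw")       # hypothetical names
        full = os.path.join(d, "dvr1_disk0_full.dd")
        short = os.path.join(d, "dvr1_disk0_short.dd")
        data = bytes(range(256)) * (3 * 4096)           # exactly 3 MiB
        for path, payload in ((drive, data), (full, data), (short, data[:2_500_000])):
            with open(path, "wb") as f:
                f.write(payload)
        return compare_image(drive, full), compare_image(drive, short)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Record both hash values in your case notes alongside the imaging tool and its version.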
Does this DVR have a user manual available for download online? If so, download it and read it through thoroughly. Typically, all manufacturers have a downloadable version somewhere online. This will arm you with the most current and accurate information available for the specific model you will be working with. It will also help you understand that system’s capabilities and limitations.
Is the DVR compatible with just video, or audio as well? If the DVR is audio compatible, what type of camera(s) were used with the DVR system? Did the camera have audio compatibility? Was it activated during the footage you are looking for? This will help you determine the value of your footage depending on your needs. Are you looking to prove something an individual said or something an individual did?
Is this DVR system capable of storing “inaccessible” or deleted / overwritten footage?
How is this data stored? If it is capable of storing deleted data, does it offer recovery options for deleted / overwritten content via the native playback system? If not, what other options do you have to recover any inaccessible data? Are there any external hard drives that footage was regularly backed up to that are also recoverable? Several of these DVR systems allow for backing up your video when the internal drive is full. This way you can prevent the oldest data from being overwritten. Those additional hard drives, thumb drives, etc. may contain valuable data for your case.
What are your format options for exporting relevant video? Some of these DVR systems will simply provide an Audio Video Interleave (.AVI) file export option, which is compatible with most media players such as VLC or Windows Media Player. Other DVR systems will only allow for MPEG-4 (MP4), DAV or some alternate format.
Once you have identified the available export format options, what are your options for playing / reviewing the exported footage? Are you able to find and play exported video files on a downloadable native DVR player, or are you limited to a universal video player for footage review? It’s important to understand what you are after with the footage you have exported, so that you know whether you can accomplish your goals with the media player you are going to be using. Some media players are more limited than others in their video playback options, such as no fast-forward setting, no zooming, no slow play, etc.
NOTE: When you are attempting to review multiple days of footage from several camera angles, what are your options for viewing more than one camera angle at once in chronological order to streamline the review process?
Upon initial review of all available footage, we recommend making yourself a “KEY” or “SUMMARY” to help you conceptualize the big picture. Document your naming convention for each DVR system and its associated cameras. By organizing, you can quickly associate, say, Camera 8 with DVR 2 to make things less convoluted when you are hours deep in footage review. Once you have each DVR and camera properly named, attach a screenshot of the view for each camera angle. This will help you to quickly recall the coverage of each camera and whether it would have caught a specific activity. For instance, if camera 3 covers the back door of a single-family dwelling, I could safely assume it would not have captured vandalism that occurred on the front door, hence eliminating hours of footage review from camera 3. This summary or key is a valuable tool for quick reference throughout your review process.
Export structure is invaluable when it comes to your time management. Some DVR systems only offer a single export format and playback option. How are you going to organize all the exported data? In some cases, it’s best to organize the exported footage by date. In other cases, it might be best to export by camera channel and then date. Understand what option is going to be most efficient for playback and reviewing the data before beginning your video export.
Often, we find ourselves being called to testify to our final work product. For this reason, we find it is always best practice to document every step you take throughout this process. By documenting your steps, you can easily reference your notes during litigation and accurately speak to the actions you took to forensically preserve, acquire, image, review and export all the data you present. The amount of detail you document is up to you, but at a minimum, we recommend documenting the programs (and their versions) used to acquire, image, export and review the DVR footage.
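The key and the export structure described above can be combined into one manifest, shown here as an added example that is not from the original article. It assumes exports are stored as DVR/camera/date folders; the folder layout, camera names, views and clip contents are all constructed for illustration. Each clip is hashed so the manifest also documents what was exported, and cameras missing from the key are flagged rather than silently skipped.

```python
import hashlib
import tempfile
from pathlib import Path

# The "KEY": what each camera sees (constructed sample; names are hypothetical).
KEY = {("DVR1", "CAM01"): "front door", ("DVR1", "CAM03"): "back door",
       ("DVR2", "CAM08"): "parking lot"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, camera_key=KEY):
    """One row per exported clip, assuming <root>/<DVR>/<CAMERA>/<YYYY-MM-DD>/<clip>."""
    rows = []
    for clip in Path(root).glob("*/*/*/*"):
        if not clip.is_file():
            continue
        dvr, cam, date = clip.relative_to(root).parts[:3]
        rows.append({"date": date, "dvr": dvr, "camera": cam,
                     "view": camera_key.get((dvr, cam), "UNDOCUMENTED"),
                     "file": clip.name, "sha256": sha256_file(clip)})
    # Chronological first, so every camera for a given day is reviewed together.
    return sorted(rows, key=lambda r: (r["date"], r["dvr"], r["camera"], r["file"]))


def review_queue(rows, views):
    """Keep only clips from cameras whose documented view could show the event."""
    return [r for r in rows if r["view"] in views]


def demo():
    """Build a constructed export tree and return (manifest, front-door queue)."""
    with tempfile.TemporaryDirectory() as root:
        for dvr, cam, date in [("DVR1", "CAM03", "2021-03-14"), ("DVR1", "CAM01", "2021-03-14"),
                               ("DVR2", "CAM08", "2021-03-13"), ("DVR2", "CAM09", "2021-03-14")]:
            folder = Path(root, dvr, cam, date)
            folder.mkdir(parents=True)
            (folder / "clip_0001.avi").write_bytes(f"{dvr}{cam}{date}".encode())
        rows = build_manifest(root)
        return rows, review_queue(rows, {"front door"})
```

In the constructed data, DVR2/CAM09 has no entry in the key, so it appears as UNDOCUMENTED in the manifest.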
YOU’RE NOT ALONE
We understand that DVR Forensics can be a massive time constraint on your case. As your client’s expert counsel, you must be dynamic and strategic with your time management. Roloff Digital Forensics has an experienced team of Digital Forensic Examiners with extensive backgrounds ready to help you with all your DVR forensic needs. Whether it’s just an initial review and summary of the data available to you, consultation on your options moving forward, exporting footage in a format that’s compatible with your systems, or a full-on acquisition to testimony need, Roloff Digital Forensics has you covered. If you have questions about DVR Forensics, you can reach us at 509-443-9293 and one of our Digital Forensic Examiners would be happy to help!
Travis M Kensok
Digital Forensic Examiner
Roloff Digital Forensics
Roloffdf.com – (509) 443 9293