Most DVRs have proprietary software and custom video formats specific to the manufacturer. There are many different manufacturers and a wide array of DVR models, which can make DVR forensics a difficult and tedious

DVR Hard Drives are Different

As a digital forensic examiner, the goal is to not change or damage the original evidence; however, imaging a DVR’s hard drive could be the worst retrieval strategy of all. In many cases, the imaged drive will not mount on forensic computers, which run Windows or Apple operating systems.

Proprietary files will often be invisible outside their native environment. These files may not be accessible by any operating system other than the native operating system (“OS”) running on the DVR. In many cases, the video files will be encoded using non-standard formats. Some DVRs will even automatically format drives that are removed or plugged into a DVR!

In addition, DVRs can have passwords, or be missing parts like power supplies. They could also be damaged or be non-functional due to fire or vandalism, accidentally or intentionally.

Even if you have access to the DVR, the menus and associated software are almost always slow; reviewing and capturing the data from the exact timeline that you need can be a painstaking

All of these aspects present problems for proper forensic processing. So, how can DVR units be successfully

Specialized Tools to get Data from a DVR

As with any forensic evidence, it is important to note that these processes should only be performed by qualified forensic specialists. Proper evidence handling and preservation are required even before getting to the point of examining the data on the device.

Typical forensic tools can be used to image DVR drives and, in some cases, recover data, but there are specialized tools that are better suited to do so. These tools are dedicated to translating the proprietary operating systems, software and codecs as well as circumventing passwords and the cumbersome interfaces resident on most DVR devices. Use of these specialized tools can significantly reduce the risk of damage to the original system and dramatically decrease data recovery time.

DVR in Your Case: Key Steps

If you have a DVR in your case, the first step is to identify if the device is still in use. If it is in use, the DVR could overwrite the video that you need. Advise the client to discontinue use of the device until the data can be preserved.

Next, preserve the DVR/drives. Get the make and model of the DVR and immediately consult a forensic specialist. If the DVR is in active use, most systems allow for removal and replacement of the hard disk drive(s) inside of the device. Typically, reviewing the

Please note, accepting a DVD/thumb drive with evidence is not as good as the original. Typically, the simple act of copying the data out of the DVR will result in a loss of quality on the copy. It is far better to preserve the original unit if possible.

DVR devices appear to be similar to computers: they have hard drives; you use mice, keyboards and internet browsers to access them. But DVR devices present different challenges for forensic examiners. In many cases, it’s not just as simple as downloading a snippet of video from the DVR.

KARL EPPS, ENCE, CEH, CCFE, CHFI, CCPA
EPPS FORENSIC CONSULTING
Karl Epps is an EnCase Certified Examiner (EnCE); Certified Ethical Hacker (CEH); Certified Computer Forensic Examiner (CCFE); Certified Hacking Forensic Investigator (CHFI) and a Cellebrite Certified Physical Analyst (CCPA).

What You Need to Know About Forensics from a DVR