At the heart of DVR Examiner is its ability to read a proprietary DVR filesystem and display and extract the data contained on the device. The ability to read these filesystems is not something that DVR Examiner does automatically – first someone from our Advanced Technical Services (ATS) team has to reverse engineer each filesystem implemented within the program. Only after completing this lengthy process can DVR Examiner recover the video evidence from surveillance DVRs. This post touches on some of the first steps our team takes to understand how each different filesystem works.
The first step to reverse engineering a filesystem is to test the DVR in question in our lab. To do this, we make multiple recordings with known data (dates, times, cameras, resolutions, etc.) that we can later use during the reverse engineering process. Once we record this data, our engineers review the resulting data to look for the known recordings and therefore begin to interpret the binary data that the filesystem is using. Some of the essential elements we look for include, but are not limited to:
- How is the hard drive organized? Is it merely raw data on the drive or are there partitions?
- How is the data organized? What is the indexing structure?
- What type of data is contained within the filesystem (H.264, MPEG, proprietary, etc.)?
- Is there metadata (timestamp, channel, etc.) contained at the frame level? How is it interpreted?
The most common piece of metadata that we need to interpret is the date/time information. In most cases, this information is stored the same way throughout the filesystem. The easiest way for us to find date/time information is to utilize the known recordings; this way we know what information to look for. Using the known values allows us to quickly pick out the date/time from seemingly random binary data. If we still can’t find the information we need, we typically look for values that increment slowly and consistently. Many people think date/time increments quickly, but most digital video is somewhere between 10-20 frames per second (per camera!), so you usually see the same value repeated multiple times before moving on to the next value.
Beyond the basic known recordings that we do here in the office, we also usually like to review at least one set of client data. Client data is information that would be considered “unknown,” however, after completing our known data tests we can usually manually verify anything we are seeing. The benefit of this unknown data is that the DVR in question has often been in service for a long period of time, resulting in multiple overwrites, as well as potential errors and issues that we need to handle or address. These issues may be difficult or impossible to reproduce on our own. We once had a set of client data that contained two frames (out of 2 terabytes of data!) with metadata indicating that they were recorded with a timestamp including the second number “60” (hint: that value should only ever be 0 through 59!). We would have never been able to recreate that situation with our recordings.
With this combination of known and unknown data, we can engineer DVR Examiner to recognize and recover video data from filesystems with ease. It’s this unique system that allows DVR Examiner to locate data that is inaccessible to the DVR itself, such as deleted footage.
One of the unique situations we have with DVR Examiner is that our solutions sometimes need to work on drives that we haven’t seen at all. This is opposed to reverse engineering a filesystem in a single case manually. In a single case, you might be able to look at that specific drive and determine that the video data starts in a specific location and “hard code” that location. On the other hand, we need to find a way to jump to any location we want simply by using the filesystem metadata and indexes. This allows DVR Examiner to work in many different situations – including ones we haven’t explicitly tested.
Reverse engineering a filesystem is something that takes a lot of skill and patience. The good news is that the more you do it, the better you get, and our team gets tons of practice! While we can’t always turn around a filesystem in a matter of days, our expertise gives the best chance for success, particularly in time-sensitive situations.