In a previous blog post, we discussed why it is advantageous to utilize DD forensic images as opposed to E01 when analyzing hard drives from DVRs. In this post, we’ll look at another option – clones.
Clones of the original DVR hard drive are often connected to the DVR in an attempt to recover the evidence. This is a popular method for recovery, and is often successful, but it does come with its own set of issues.
First, you must find a suitable hard drive. The most important attribute to match is sector count (not just capacity). Ideally you would find the same make/model of hard drive with the exact same sector count, but if your choice is between the same model of drive with a different sector count and a different model of drive with the identical sector count, go for the identical sector count.
Second, keep in mind that using a clone is not completely forensically sound. Yes, the original hard drive is not modified, but the evidence in this scenario is being recovered from the clone which almost always will be modified in some way by the DVR when connected. Most of these modifications will be benign, but in the worst cases, the drive may be formatted (see below). You can attempt to use an in-line write blocker, but in many cases that may prevent you from actually exporting the data due to the way the DVR may buffer data.
Third, be aware that introducing (connecting) a hard drive other than the original hard drive increases the risk that the system will associate itself to the new (clone) hard drive. This may or may not cause the drive to be formatted. If the clone is formatted, it isn’t that big of a deal because you have the original hard drive, right? Yes, except if the DVR associated itself to the clone hard drive, what do you think would happen if you reintroduced the original hard drive back into the DVR? In this type of situation, I would highly suggest making a forensic image or another clone before you attempt using the original hard drive.
Finally, if you need to connect the cloned hard drive to your forensic computer, use a write blocker. Windows won’t recognize most of the filesystems utilized by DVRs, but there are a few systems out there that utilize FAT32, which Windows can and will modify. Unless you previously viewed the partition structure, you wouldn’t know whether you were dealing with a Windows-compatible partition type or not. Windows also has a habit of asking to format unrecognized partitions, so a write blocker would prevent any accidental clicks on those types of dialogs.
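As an added example (not from the original post and not part of DVR Examiner), a small Python check that reads sector 0 of a DD image or a write-blocked clone and reports whether any MBR partition entry carries a type that Windows would mount, and therefore could modify; the two sample MBRs are constructed inline for illustration.

```python
import struct

# MBR partition type IDs Windows recognizes and can mount read/write (FAT/NTFS/exFAT).
WINDOWS_MOUNTABLE = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x07: "NTFS/exFAT",
                     0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)"}


def parse_mbr(sector0: bytes) -> list:
    """Decode the four primary MBR entries; [] when there is no 0x55AA signature."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        return []  # proprietary DVR layout or wiped sector: nothing Windows can parse
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype == 0:
            continue  # unused slot
        entries.append({"slot": i, "type": ptype, "lba_start": lba_start,
                        "sectors": sectors, "bootable": status == 0x80,
                        "label": WINDOWS_MOUNTABLE.get(ptype, "not Windows-mountable"),
                        "windows_mountable": ptype in WINDOWS_MOUNTABLE})
    return entries


def windows_will_touch(sector0: bytes) -> bool:
    """True if any primary partition is a type Windows would mount and could write to."""
    return any(e["windows_mountable"] for e in parse_mbr(sector0))


def inspect_first_sector(path: str) -> list:
    """Read sector 0 of a DD image file or a write-blocked raw device and decode it."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(512))


def make_mbr(parts) -> bytes:
    """Constructed test data only: build a 512-byte MBR from (type, lba_start, sectors)."""
    sector = bytearray(512)
    for i, (ptype, start, count) in enumerate(parts):
        sector[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", sector, 446 + 16 * i + 8, start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples: a FAT32-based DVR drive and one using a non-Windows type (0x83).
SAMPLE_FAT32_DVR = make_mbr([(0x0B, 2048, 1_000_000)])
SAMPLE_NON_WINDOWS = make_mbr([(0x83, 2048, 1_000_000)])
```

Run it against the DD image you already have of the original drive before the clone ever touches a Windows workstation; a result of `True` means Windows will see a volume it can write to, so the write blocker is not optional.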
Not using a write blocker on a clone can also have negative effects on the software you are using to examine the drive. Speaking for our own DVR recovery software, DVR Examiner, we build internal indexes based on the drive contents when it is first scanned. If Windows modifies the cloned hard drive after we have scanned it, those indexes may not work properly. Most of your standard forensic tools operate in the same manner, so we always recommend using a write blocker – even with a clone.
Using clones to recover DVR evidence has been around for a long time. Like any other method, there are advantages and disadvantages. Awareness of some of the common issues we’ve addressed here will increase the likelihood that your evidence will be recovered in the most efficient and accurate way possible.