One ongoing debate within the traditional computer forensics community has been how to respond to a running computer in the field. When you arrive on scene at a running computer, do you pull the plug, or do you conduct an orderly shutdown?
The argument for pulling the plug comes primarily from the concern that the computer will perform clean-up operations during shutdown that change data on the drive. In addition, there may be rogue programs installed that delete data (or at least attempt to) on shutdown. On the other side, some people are concerned that cutting power interrupts whatever programs are mid-write and risks corrupting critical information on the drive.
Since surveillance DVRs are essentially mini-computers with hard drives in them, we took a look at how to best power off a DVR before using DVR Examiner or seizing the device, especially when the DVR doesn’t even have a shutdown option.
There are several factors to consider before making this decision:
Does the DVR have a feature for “expired” footage and is it active?
Many DVRs include the ability to keep footage only for a set period of time. When footage reaches that expiration date, it is "deleted", which on most DVRs means the index entry is dropped and the space marked for reuse rather than the footage itself being wiped. This check may run at start-up or shutdown, so an orderly shutdown can increase the odds of losing potentially critical footage. If you can locate this feature in the DVR settings, document its state and then disable it prior to conducting an orderly shutdown.
Does the DVR have a software shutdown option?
If not, you are going to be forced to "pull the plug" one way or another. But there is one critical step I would take prior to doing so: disable recording for all cameras in the DVR settings and wait 30 seconds or so before removing power. This gives the DVR a chance to finish what it was working on, flushing buffered video and writing the closing index entries for the clips in progress, so that everything makes its way onto the disk in an orderly fashion. If you can't access the DVR interface because of a password, or there is no menu option to disable recording, disconnect the cameras from the back of the DVR, as this will often stop the recording operation.
How long has it been since the incident of interest occurred?
The longer it has been since the incident, the more likely the footage has already been overwritten, or is very close to being overwritten. In these situations, you don't want to spend a lot of time on calculations or decisions, as the delay can make the difference between the video being recoverable and not. If you suspect you are in a time-sensitive situation, I would just "pull the plug" and remove power from the DVR. Given the time that has passed since the incident, it is highly unlikely that the DVR is still actively recording in the area of the drive that you are interested in; the indexes and data you care about should have been written and finalized long ago.
If you arrive on-scene immediately after the incident, there is a high probability that the currently active recordings contain your incident. You’ll definitely want to make sure that these recordings are finalized prior to shutting down or removing power from the DVR. If there is a software menu option to shut down the system, I recommend checking for any expiry settings described above and then shutting down the DVR using that option. If no software shutdown menu exists, I would opt for disabling the recordings, waiting at least 30 seconds, and then removing power from the DVR.
Whatever route you choose, document what you did and why you did it. This will help in the unlikely event you later find you can't access the footage you are interested in. Within DVR Examiner, we try whenever possible to account for conditions like missing finalizing index entries, but because of the many factors involved, we can't account for everything. If you process the drive with DVR Examiner and don't find the clips you are interested in (such as the very last clips on the drive), please reach out to us and we'll see if there is something we can do to help.
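To make the "missing finalizing index entries" problem concrete (and to show why disabling recording and waiting before pulling the plug matters), here is an added example that models a DVR which writes clip data first and updates its index only after the clip is finalized. This is illustration code written for this post, not DVR Examiner code, and the on-disk layout (a small index region followed by a data region of 'CLIP' records with an 'END!' trailer) is a hypothetical format constructed for the example, not the layout of any real DVR. It shows that an index-driven parser misses the clip that was flushed but never indexed, while a signature scan of the data region still finds it and can also flag a clip that was cut mid-write.

```python
"""Toy model of the failure mode behind "missing finalizing index entries":
a DVR that loses power may hold footage on disk that its own index never
lists, because the index entry is written only after the clip is flushed.

Everything here is constructed for illustration. The layout (index region
followed by a data region of 'CLIP' records) is a hypothetical format, not
any real DVR's, and this is not code from DVR Examiner.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

INDEX_SIZE = 256                 # bytes reserved for the index region (hypothetical)
IDX_FMT = "<4sBII"               # magic, camera id, clip offset, payload length
IDX_MAGIC = b"IDX1"
CLIP_FMT = "<4sBII"              # magic, camera id, start timestamp, payload length
CLIP_MAGIC = b"CLIP"
TRAILER = b"END!"                # written after the payload once the clip is complete
IDX_LEN = struct.calcsize(IDX_FMT)
CLIP_LEN = struct.calcsize(CLIP_FMT)


@dataclass
class Clip:
    camera: int
    start_ts: int
    offset: int
    payload: bytes
    indexed: bool        # the DVR's index points at this clip
    complete: bool       # payload and trailer fully on disk


class ToyDvr:
    """Appends clips to a zero-filled image; an index entry is added only
    when a clip is finalized, as a recorder would do after flushing data."""

    def __init__(self, size: int):
        self.image = bytearray(size)
        self.data_ptr = INDEX_SIZE
        self.idx_ptr = 0

    def write_clip(self, camera: int, start_ts: int, payload: bytes,
                   finalize: bool = True, cut_at: Optional[int] = None) -> int:
        record = struct.pack(CLIP_FMT, CLIP_MAGIC, camera, start_ts, len(payload)) + payload + TRAILER
        if cut_at is not None:           # power lost mid-write: only the first cut_at bytes land
            record = record[:cut_at]
        off = self.data_ptr
        self.image[off:off + len(record)] = record
        self.data_ptr += CLIP_LEN + len(payload) + len(TRAILER)
        if finalize and cut_at is None:  # index is updated last, so it lags the data on an abrupt power cut
            entry = struct.pack(IDX_FMT, IDX_MAGIC, camera, off, len(payload))
            self.image[self.idx_ptr:self.idx_ptr + IDX_LEN] = entry
            self.idx_ptr += IDX_LEN
        return off


def read_index(image: bytes) -> List[Clip]:
    """What an index-driven parser recovers: only clips the DVR finalized."""
    clips = []
    for pos in range(0, INDEX_SIZE, IDX_LEN):
        magic, cam, off, length = struct.unpack_from(IDX_FMT, image, pos)
        if magic != IDX_MAGIC:
            break                        # end of the populated index entries
        start = off + CLIP_LEN
        ts = struct.unpack_from(CLIP_FMT, image, off)[2]
        clips.append(Clip(cam, ts, off, bytes(image[start:start + length]), True, True))
    return clips


def carve_clips(image: bytes) -> List[Clip]:
    """Signature scan of the data region: finds clips the index omits and
    marks as incomplete any whose trailer never made it to disk."""
    indexed = {c.offset for c in read_index(image)}
    clips, pos = [], INDEX_SIZE
    while pos + CLIP_LEN <= len(image):
        if image[pos:pos + 4] != CLIP_MAGIC:
            pos += 1
            continue
        _, cam, ts, length = struct.unpack_from(CLIP_FMT, image, pos)
        start, end = pos + CLIP_LEN, pos + CLIP_LEN + length
        complete = image[end:end + len(TRAILER)] == TRAILER
        clips.append(Clip(cam, ts, pos, bytes(image[start:end]), pos in indexed, complete))
        # after a complete clip skip its trailer; after a cut one keep scanning byte-wise
        pos = end + len(TRAILER) if complete else start
    return clips


def build_seized_image() -> bytes:
    """Constructed scenario: two finalized clips, a third whose data was
    flushed but whose index entry was never written, and a fourth cut
    mid-payload when power was removed."""
    dvr = ToyDvr(4096)
    dvr.write_clip(1, 1000, b"\xa1" * 300)
    dvr.write_clip(2, 1030, b"\xb2" * 300)
    dvr.write_clip(1, 1060, b"\xc3" * 300, finalize=False)          # data on disk, index stale
    dvr.write_clip(2, 1090, b"\xd4" * 300, cut_at=CLIP_LEN + 120)    # power pulled mid-write
    return bytes(dvr.image)


if __name__ == "__main__":
    img = build_seized_image()
    print("index lists   :", [(c.camera, c.start_ts) for c in read_index(img)])
    print("carving finds :", [(c.camera, c.start_ts, c.indexed, c.complete) for c in carve_clips(img)])
```

The index-driven pass returns only the two finalized clips; the carving pass additionally returns the unindexed clip from camera 1 intact and the camera 2 clip marked incomplete. Had recording been disabled and the DVR given a moment before power was removed, the third clip would have received its index entry and the fourth would not have been cut, which is the whole point of the wait.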
As a last resort, our ATS team can likely recover the footage manually if it hasn’t yet been overwritten.