DVR Examiner help
I just got the free trial version of DVR Examiner and want to try it on a Samsung DVR. I have zero experience with DVRs, I'll only have one shot at accessing the DVR and want to make sure I get what I need. Does it matter which tool is used to image the DVR (I'm working with Paladin and FTK imager)? If I create an E01 instead of a dd image will I be able to determine when the video was last accessed, deleted etc.?
It depends on the objective of your examination of the DVR.
My standard practice is to extract the recording using the DVR itself. This has something to do with the law.
I would clone the HDD and make it a working copy, and extract the recordings from there.
Next is the rest of the process, video analysis or other processes.
Note: for DVRs, the files are normally in a proprietary format, and running them under FTK or another computer forensics system may not be practical.
I am not familiar with Samsung DVRs, but activity logs are usually available in the DVR itself.
You have various options:
1. You can access the hard drive of the DVR directly - and scan it, using DVR Examiner. This option saves time as it allows you to go directly to a certain date/event.
2. You can connect a HDD with the Forensic image and scan it, and then go directly to the date & time required.
3. You can use the DVR Examiner software to create a forensic image.
The software will recognise the CODEC being used and let you know it can decode the footage. If it does not recognise the CODEC then you have the option to upload a sample of the data and open a case to have the manufacturer create a new codec. There can be some delay here.
Keep in mind that the trial version only allows access to a very limited amount of the footage.
Perhaps, knowing the scenario better, we might give slightly different advice, but based on what you have said I am assuming you are attending a premises, rather than having the DVR in the lab.
You should have Priorities and Parameters for your acquisition: what you MUST get, and what is beneficial if possible. If you have a single, “We need it all”, then that’s a tricky one and I would always go back to the requester and ask them to define some P&Ps.
If you have an incident on the footage that is top Priority, and the duration of the incident is the Parameters, then I usually capture this first as a fail safe.
Before touching the DVR and navigating the menus – do all the usual time checks for DVR Time and Real Time. Also note cables in / out, and damage to DVR (and screwheads that may indicate the box has been opened before).
I usually capture the playback of footage and myself navigating the DVR directly into my laptop.
I use Amped FIVE, and it has a Video Input ability to capture the DVR’s output (taking the place of the monitor).
So, I use the FIVE Interface to view the menu navigation and the playback of the incident. I record all of that for fail safe and integrity purposes.
The number of DVRs that have failed as soon as someone touches the menu!
After this has been captured, I use the DVR to extract the native footage (original recordings), and any player etc.
Again, I record all the processes into FIVE, so I have a record of what I selected and the data on the system.
The method of native acquisition will depend on the DVR and research. It may be optical disk, USB drive, external HDD or network into a laptop.
After this has been completed, there are two usual options.
1. Stop recording in FIVE, and load acquired footage into FIVE project for initial review. This way you have your actions, all the DVR details and menu information, and the acquired footage in the same project! I often load any photographs in as well.
2. If you then must extract the HDD for a full recovery, I don’t stop recording until I have gone through the shutdown procedure. I’ll then wrap up the FIVE project in the same way as before.
Opening the box should be a careful and last resort. Many DVR HDDs get really hot and if allowed to cool they may never boot back up again.
Cloning the HDD is an option, if you have access to the DVR, but I think in your case, you may not have that.
Imaging the DVR on site is then possible. You can use either DVR Examiner or VIP from SalvationData to create the image directly. If using FTK Imager or another, I would stick with DD and keep your chunks pretty small, say 1.5 GB each.
The standard DVR HDD tools can deal with many DVRs now, but if not then all is not lost.
Drop one of the chunks into Amped FIVE and see if it will be decoded.
Just seeing the footage may just give you enough to make some further decisions.
I second what badgerau said
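The raw (dd) imaging into small chunks suggested earlier in the thread, as an added example that is not from any poster or tool vendor: it reads the source once, hashes the stream while splitting it, and records a hash per chunk so a later check can show which chunk changed. The function names, output file names, the script name `image.sh` and the use of GNU coreutils are assumptions, and the source disk is assumed to be attached read-only.

```shell
#!/bin/sh
# Added example: raw (dd) acquisition into fixed-size chunks with hashes.
# Assumes GNU coreutils. SRC is the source disk, attached read-only
# (for example /dev/sdX); any readable file works for a dry run.

# image_in_chunks SRC OUTDIR PREFIX CHUNK_BYTES
# Writes OUTDIR/PREFIX.0000, .0001, ... plus PREFIX.sha256 (whole stream)
# and PREFIX.chunks.sha256 (one line per chunk).
image_in_chunks() {
    src=$1; outdir=$2; prefix=$3; chunk=$4
    mkdir -p "$outdir" || return 1
    fifo="$outdir/$prefix.fifo"
    rm -f "$fifo"
    mkfifo "$fifo" || return 1
    # Hash the stream while it is being split, so the disk is read once.
    sha256sum < "$fifo" > "$outdir/$prefix.sha256" &
    hasher=$!
    dd if="$src" bs=1M status=none | tee "$fifo" |
        split -b "$chunk" -d -a 4 - "$outdir/$prefix."
    rc=$?   # exit status of split, the last stage of the pipeline
    wait "$hasher"
    rm -f "$fifo"
    [ "$rc" -eq 0 ] || return 1
    # Per-chunk hashes show later which chunk changed, if any did.
    ( cd "$outdir" &&
      sha256sum "$prefix".[0-9][0-9][0-9][0-9] > "$prefix.chunks.sha256" )
}

# verify_chunks OUTDIR PREFIX
# Succeeds only if the chunks, concatenated in order, hash to the value
# recorded at acquisition and every chunk matches its own recorded hash.
verify_chunks() {
    outdir=$1; prefix=$2
    want=$(cut -d' ' -f1 "$outdir/$prefix.sha256")
    got=$(cat "$outdir/$prefix".[0-9][0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] &&
        ( cd "$outdir" && sha256sum -c "$prefix.chunks.sha256" >/dev/null 2>&1 )
}

# Usage: sh image.sh /dev/sdX /mnt/evidence dvr 1500000000   (about 1.5 GB chunks)
if [ "$#" -eq 4 ]; then
    image_in_chunks "$@" && verify_chunks "$2" "$3" && echo "image verified"
fi
```

The pipeline status checked here is that of `split`, so read errors reported by `dd` on a failing disk still need to be watched for on the terminal.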