Hikvision DVR data ...
 
Notifications
Clear all

Hikvision DVR data recovery

Lukamo
(@lukamo)
New Member

Hello everyone.
I've tried searching through these forums for information about a solution to my problem, but I haven't found anything conclusive.

Here's my situation. (excuse my english as it is not my main language)

During a preparation for the analysis of one of our cases, we had many HDD's in multiple DVRs to copy, so that we could replace the original drives with the copies so that the investigators assigned to the case could watch the footage on the DVR's we were sent.

To do the copy, we used Solo4 devices to copy 2 hard drives at a time (1 disk of 1TB, 1 of 2TB)

During the preparation, a tech mistakenly plugged the empty drives (Destination) into the source slot, and the actual evidence into the destination drives.
Once the copy started, a minute or two passed before the tech realized the mistake and immediately stopped the process.

The result of this is that a portion of the hard drives (about 35gb on the 2TB) has zeroed out, and the rest is still intact.

DVR Examiner fails to recognize anything (i assume it uses the start of the disk to parse out the files).

After messing with the hex, we were able to recognize a sort of pattern that started with A.HK (hex 41 12 48 4B) that seemed to include one frame of a video (when carving a full cycle from a.hk to a.hk, it would give me a video with one frame).

I am guessing the video is an assembly of frames. i have not yet found out how to isolate a full video and separate camera channels.

We have tried taking the full set of data (from the first A.HK to the last on the drive) and carve it as a mp4. It ended up being a very long video with a mix of all the channels and a series of recordings that did not seem to follow a particular order (seemed chronological for the most part though, but it jumped back and forth on the timestamps once in a while).

We tried carving with Belkasoft Evidence center, Encase, X-Ways, DVR Examiner, but everything failed.

—–

So here's what we're looking for Is there a way to carve out the videos in a way to isolate each video sequence (channel/date/time) with the meta data parsed out? We do not have the time to do the R&D to that extent so if anyone has any idea how to do this… It would be very appreciated.

Let us know

Quote
Topic starter Posted : 07/03/2018 7:20 pm
jaclaz
(@jaclaz)
Community Legend

There is a 2015 paper, specific to that make.
https://link.springer.com/chapter/10.1007%2F978-3-319-25512-5_13

Maybe it contains something useful?

Check also this one, it seems liek explaining the format in detail
https://www.shs-conferences.org/articles/shsconf/pdf/2015/01/shsconf_icitce2014_02010.pdf

(though the actual frame headers are different)

Have you tried
http//www.hxdvr.com/

AND check this related thread, where - besides some more info - some members offered their services

https://www.forensicfocus.com/Forums/viewtopic/t=14950/

jaclaz

ReplyQuote
Posted : 07/03/2018 7:49 pm
Lukamo
(@lukamo)
New Member

There is a 2015 paper, specific to that make.
https://link.springer.com/chapter/10.1007%2F978-3-319-25512-5_13

Maybe it contains something useful?

Check also this one, it seems liek explaining the format in detail
https://www.shs-conferences.org/articles/shsconf/pdf/2015/01/shsconf_icitce2014_02010.pdf

(though the actual frame headers are different)

Have you tried
http//www.hxdvr.com/

AND check this related thread, where - besides some more info - some members offered their services

https://www.forensicfocus.com/Forums/viewtopic/t=14950/

jaclaz

Thanks for the quick reply

Concerning the paper, i do not think expenses would be allowed for this case. I will have to consult our administration officers to see if such an expense would be permitted.

The PDF you linked… i tried reading it but it falls completely outside my understanding/competences. As i said, english is not our main language and it begins to be too technical for me to understand. I will try to go through it a couple of times or send it to someone who might be more knowledgeable, so i can get step-by-step guidance on how to recover it.

I will look into hxdvr right away. Unfortunately, since it's a purchase, once again I am not sure the expense will be allowed but i will definitely try the trial to see if it is even possible

I looked at the other thread before, and i did notice people offering their services. Once again, as expenses will probably not be allowed for this file, i restrained myself from messaging those people, and since it was more than a year ago, i was thinking maybe someone had more information today than on that thread.

ReplyQuote
Topic starter Posted : 07/03/2018 8:35 pm
passcodeunlock
(@passcodeunlock)
Senior Member

We can recover Hikvision recordings without any indexes and headers, I sent you a PM.

ReplyQuote
Posted : 07/03/2018 8:41 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

Many others can also! Please be sure to get further quotes. There are rules about pedaling for business on the forum. This was not a services requested post

ReplyQuote
Posted : 07/03/2018 10:21 pm
passcodeunlock
(@passcodeunlock)
Senior Member

@mobileforensicswales what is exactly your problem with my previous post ?! Did I publish any company name, quote, price, etc. ?! No, I didn't, I just simply let the OP know about a possibility, which he doesn't have to choose, if he got other better or cheaper ways to fix his issue.

Besides forensic users there are many forensic developers and vendors on this forum as well - which is great! I don't think that I shared publicly more information about our solutions then any other forensic developers or vendors do, but if any of my posts triggers a moderator's attention in a bad way and the post gets deleted, I don't got anything to argue against it.

Next time please keep your useless opinions on other's posts for yourself, FF contains already too many useless remarks like your is in this thread!

ReplyQuote
Posted : 08/03/2018 3:49 pm
Lukamo
(@lukamo)
New Member

After PMing a couple of people, i just want to clarify this

I don't necessarily need to carve out data as precisely as a manual analysis of every chunk of data.

I would just need to know how to recognize the start of a sequence for a video, and tell any carving software to recover from the X sequence of hex to the next X sequence of hex

OR if the videos are fixed length, i could just say from X sequence of hex, carve out Y bytes of data

because from my tests, i can carve out the full 2TB and it would just create a lengthy video with all the sequences mashed together

So as long as i can just locate the start of a sequence, if other parts of video are seen at the end of the carved file, it'S not the end of the world, because i know i'd retreive it in another carved video if i can identify the start of a sequence of a file.

As stated earlier, i was able to identify a hex sequence that would identify one frame.
I am merely looking to identify a hex sequence that would identify the start of a recording.

ReplyQuote
Topic starter Posted : 08/03/2018 3:51 pm
passcodeunlock
(@passcodeunlock)
Senior Member

As stated earlier, i was able to identify a hex sequence that would identify one frame.
I am merely looking to identify a hex sequence that would identify the start of a recording.

Unfortunately you won't have that when the H.264 codec is involved in the video compression. The informations for your chunks of data regarding time stamps and camera informations were stored in the index, which is gone by now.

From what I know, NeGrusti also worked on a solution for this kind of tasks, but his solution isn't public either, maybe you should try reaching him as well for some details.

ReplyQuote
Posted : 08/03/2018 4:12 pm
Jamie
(@jamie)
Community Legend

Just a very quick summary regarding posts which may be viewed as promotional or commercial

1. New topics created for the purpose of advertising a product, service etc. are strictly prohibited.

2. Replies to posts which make reference to a product/service which is clearly relevant to the topic under discussion are acceptable, within reason.

By "within reason" I mean that we want to balance the free flow information in the forums so that everyone can benefit from knowing about potential solutions with the need to make sure that the forums don't become a commercial free-for-all. In practice, if you sell something which you're confident can solve someone's problem then feel free to mention it but be very sure that the majority of your posts are non-commercial. If your forum usage is predominantly self-serving then that would likely be seen as going against the spirit of this site's terms of use.

This is undoubtedly something of a grey area in terms of moderation - there are personal judgments to be made which others may not agree with - but I hope the above helps to clarify things.

Jamie

ReplyQuote
Posted : 08/03/2018 4:57 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Hi Jamie and thanks for your remark!

ReplyQuote
Posted : 09/03/2018 8:56 pm
Lukamo
(@lukamo)
New Member

Just wanted to update everyone

HX-DVR Solved the issue for us. It recovered every file along with the meta data of every recording.

Thanks to everyone who chimed in!

ReplyQuote
Topic starter Posted : 14/03/2018 7:04 pm
MrMacca
(@mrmacca)
New Member

When i try to visit their site, I get a Malware Warning from my BitDefender AV.

ReplyQuote
Posted : 15/03/2018 9:54 am
jaclaz
(@jaclaz)
Community Legend

When i try to visit their site, I get a Malware Warning from my BitDefender AV.

Only as a single data point, other 66 AV engines seemingly don't

https://www.virustotal.com/it/url/c5e4ecb457d7a21beb2b5ea7efd6983a87d1db787a6ac6ef8bcbe9e1878c6f0f/analysis/1521113431/

Should Bitdefender (and Bitdefender only) be trusted?
Or it may be a "false positive" and thus the "majority" is to be trusted?

decisions, always decisions ….

jaclaz

ReplyQuote
Posted : 15/03/2018 11:31 am
passcodeunlock
(@passcodeunlock)
Senior Member

It is just a false positive, a visit from sandbox was harmless.

ReplyQuote
Posted : 15/03/2018 3:01 pm
soft512byte
(@soft512byte)
New Member

I am a software developer for the DVR. I can answer questions within reason.

ReplyQuote
Posted : 07/04/2018 6:04 pm
Share:
Share to...