Investigating DVR HDD - Orion L SC184 - with WFS filesystem?

12 Posts
8 Users
0 Likes
3,382 Views
(@brasskazoo)
Posts: 7
Active Member
Topic starter
 

I'm investigating the contents of a DVR security camera system, with a focus on recovering deleted footage if at all possible.

In analysing a dd image of the drive, there is no partition table or recognisable partitions (using parted & testdisk). The hexdump of the first few bytes shows a string "WFS 0.4" which I assume is the type of filesystem.

I have been unable to find any information on the WFS filesystem as it relates to DVRs - there are some other filesystems that use those initials but I can't find a connection to security or video.

I have found that DVR Examiner is able to interrogate the image and identify video clips, but I am currently unable to fork out several grand to purchase a licence.

Does anyone have information on analysing WFS hard drives, or suggest some other method of retrieving existing and deleted video from this device?

Thanks.

 
Posted : 11/02/2016 6:58 am
(@yunus)
Posts: 178
Estimable Member
 

Hxrecovery might also work for WFS 0.4 file system.

 
Posted : 11/02/2016 12:02 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

I've found a lot of DVRs still use quite a linear storage protocol. Even without reconstructing the FS, do you have headers for the footage?

You may not need a file system if the videos have embedded capture date/time metadata.

 
Posted : 11/02/2016 2:57 pm
(@anirudhrata)
Posts: 17
Active Member
 

Can you provide the metadata shown in DVR Examiner regarding the format? That might be useful in locating a free tool that extracts videos.

 
Posted : 11/02/2016 4:29 pm
(@brasskazoo)
Posts: 7
Active Member
Topic starter
 

Thanks for your replies!

> Hxrecovery might also work for WFS 0.4 file system.

Indeed it does - the trial version of HxRecovery at least let me see what deleted files exist, and gives me 2 MB worth of video to export for each. That's enough to see the timestamps on the videos and determine if they are relevant. That may be the extent of my investigation as they are not the desired dates.

> I've found a lot of DVRs still use quite a linear storage protocol. Even without reconstructing the FS, do you have headers for the footage?

Good to know, I wondered if it would be encrypted or obscured somehow.
I tried to use Defraser to carve out the files - but the H264 detector is a paid plugin, too much for a one-off.

I also am not familiar with working out the headers manually.

> Can you provide the metadata shown in DVR Examiner regarding the format? That might be useful in locating a free tool that extracts videos.

I know that the video is H264 format from the device's spec, which is a good starting point! I may be able to search for the headers as suggested above.

 
Posted : 11/02/2016 5:00 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Carve a 1GB chunk from a H264 header and force VLC to render with a H264 demuxer in the settings

That should work

 
Posted : 11/02/2016 5:23 pm
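
The carving approach suggested in the post above, as an added example (not code from the thread or from any tool named in it). It assumes the DVR stores raw H.264 as an Annex B byte stream, so an SPS NAL unit behind a start code marks a decodable entry point; the function names and the sample bytes are hypothetical.

```python
import mmap
import re

# Annex B start code 00 00 01 followed by a NAL header byte whose
# nal_unit_type is 7 (SPS); nal_ref_idc is non-zero for an SPS.
SPS_PATTERN = re.compile(rb"\x00\x00\x01[\x27\x47\x67]")

# Constructed sample standing in for a raw image: filler, an SPS behind a
# 4-byte start code, an IDR slice (type 5, ignored), then a second SPS.
SAMPLE = (b"WFS 0.4" + b"\xff" * 9 + b"\x00\x00\x00\x01\x67\x42" + b"\xaa" * 20
          + b"\x00\x00\x01\x65" + b"\xbb" * 5 + b"\x00\x00\x01\x67\x64")


def find_sps_offsets(buf, min_gap=0):
    """Offsets of SPS start codes; hits nearer than min_gap to the last kept one are skipped."""
    offsets = []
    for m in SPS_PATTERN.finditer(buf):
        if not offsets or m.start() - offsets[-1] >= min_gap:
            offsets.append(m.start())
    return offsets


def carve_image(image_path, out_prefix, chunk_size=1 << 30, min_gap=1 << 30,
                block=16 << 20):
    """Write one .h264 file of at most chunk_size bytes per SPS hit; the image is only read."""
    written = []
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for off in find_sps_offsets(mm, min_gap):
            name = f"{out_prefix}_{off:012x}.h264"
            end = min(off + chunk_size, len(mm))
            with open(name, "wb") as out:
                # Copy in blocks so a 1 GB chunk is never held in memory.
                for pos in range(off, end, block):
                    out.write(mm[pos:min(pos + block, end)])
            written.append(name)
    return written


if __name__ == "__main__":
    print(find_sps_offsets(SAMPLE))
```

Each output file is named after the image offset it was carved from, which keeps the carved clip traceable to its position on the disk; a chunk can then be opened with `vlc --demux h264 <file>`.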
(@einstein9)
Posts: 50
Trusted Member
 

> I'm investigating the contents of a DVR security camera system, with a focus on recovering deleted footage if at all possible.
>
> In analysing a dd image of the drive, there is no partition table or recognisable partitions (using parted & testdisk). The hexdump of the first few bytes shows a string "WFS 0.4" which I assume is the type of filesystem.
>
> I have been unable to find any information on the WFS filesystem as it relates to DVRs - there are some other filesystems that use those initials but I can't find a connection to security or video.
>
> I have found that DVR Examiner is able to interrogate the image and identify video clips, but I am currently unable to fork out several grand to purchase a licence.
>
> Does anyone have information on analysing WFS hard drives, or suggest some other method of retrieving existing and deleted video from this device?
>
> Thanks.

http://support.dmeforensics.com/ is your friend here

 
Posted : 13/02/2016 4:58 pm
(@tito)
Posts: 24
Eminent Member
 

Each DVR manufacturer develops and uses its own codec for recording and storing data, which is contained in a chip on the motherboard of the device. Therefore, a single specialized program to extract video does not exist to date.
DVRs use cyclic recording. That is, a section of the video sequence is recorded on the disc (without fragmentation).
When I studied the DVR, I was able to delete the data as follows.
I used:
1. Distribution "Kali Linux";
2. Program "foremost";
3. Hex browser.
First I set the DVR up with my hard drive and recorded several test videos.
Then, using the hex browser, I determined the signature and tracker of the video (beginning and end of the file).
Then, having learned the signature and the tracker, I entered that information into the foremost configuration file (Kali Linux - nano /etc/foremost.conf) and searched. As a result I got the files with the given signature that are contained on the target recorder's hard disk. I processed the files with the help of a video converter. So I got videos that could be viewed in a standard video player.
The only problem I could not solve was the timestamps. I found no creation dates.

Another way is to find a DVR of a similar brand, install the hard drive under study in it, and extract the video by the standard means of the DVR software =)

By the way, do not connect the recorder's hard disk to a computer running Windows without special equipment that blocks writing to the media. When connected, Windows rewrites sector 0. Consequently, all the metadata about the placement of data on the DVR's hard drive is destroyed.

 
Posted : 19/02/2016 5:31 pm
(@jaclaz)
Posts: 5133
Illustrious Member
 

> When connected, Windows rewrites sector 0. Consequently, all the metadata about the placement of data on the DVR's hard drive is destroyed.

No, it doesn't. 😯

IF the Magic Bytes 55AA exist on the MBR (offset 510) AND IF the disk signature (bytes at offset 440) is 00000000 THEN it will write a "random" disk signature to those four bytes (and to those 4 bytes only).

jaclaz

 
Posted : 19/02/2016 7:15 pm
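
The condition stated in the post above (55AA at offset 510 and an all-zero disk signature at offset 440), as an added example that is not part of the thread. It checks sector 0 of an acquired image and reports which bytes differ between two copies of that sector; the function names and sample sectors are constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512

# Constructed samples: a sector 0 that starts with the string the original
# poster saw, and an MBR-style sector with 55AA and an all-zero disk signature.
WFS_SECTOR = b"WFS 0.4".ljust(SECTOR_SIZE, b"\x00")
MBR_SECTOR = bytes(510) + b"\x55\xaa"


def triage_sector0(sector):
    """Summarise the sector-0 fields the post refers to, plus a hash for the case notes."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    sector = bytes(sector[:SECTOR_SIZE])
    magic = sector[510:512] == b"\x55\xaa"
    disk_sig = sector[440:444]
    lead = bytearray()
    for b in sector[:16]:            # leading printable ASCII, e.g. "WFS 0.4"
        if not 0x20 <= b < 0x7F:
            break
        lead.append(b)
    return {
        "sha256": hashlib.sha256(sector).hexdigest(),
        "magic_55aa": magic,
        "disk_signature": disk_sig.hex(),
        # Condition as stated in the post: 55AA present AND signature all zero.
        "signature_write_expected": magic and disk_sig == bytes(4),
        "leading_ascii": lead.decode("ascii"),
    }


def changed_ranges(before, after):
    """Half-open (start, end) byte ranges that differ between two sector copies."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(before), len(after))))
    return ranges
```

Comparing the sector 0 hash recorded at acquisition with one taken later, and listing the changed ranges, shows whether a write touched only bytes 440-443 or more of the sector.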
(@tito)
Posts: 24
Eminent Member
 

In the hard drives used in video recorders, MBR has. When you plug the drive Windows initializes it, that writes and deletes MBR disk overhead data recorded video.

 
Posted : 19/02/2016 7:43 pm