Hi everyone,
I am examining a hdd from a surveillance camera device. They ask for the deleted video files. The hdd has an ext3 file system. When I filter "deleted files" in Encase, it lists thousands of "lost files" and "lost folders". I copy one of those "lost files" and it opens and you see the video. However, when I copy/unerase one of the "lost folders" it opens too and you see the video content again.
That sounds interesting, doesn't it? Normally, folders are containers and they should not act like files and should not contain video content. At least, this is what we see in NTFS/FAT systems. But how can a "lost folder" act like a "file" and open as a video file?
So, is a "file" and a "folder" the same thing in surveillance systems? Or is this something that the manufacturer of the camera system encodes in the device? Or does it have to do with the ext3 file system?
Any ideas?
What "properties" have those items on a "plain" Linux system?
I.e. what does ls -l give as output?
Historically in Linux/*nix "everything is a file" and a directory (on EXT2/ext3) is nothing but a "specially formatted file", see
http//
http//
(the above is EXT2 related, but EXT3 is actually the "same" filesystem with some features added and is "backward compatible").
It is possible that Encase (somehow) gets confused, or that the hardware/firmware (still somehow) sets the "d" flag on the files, or that what you are seeing are links (or whatever).
IMHO you need to analyze the actual EXT3 filesystem to understand what is the case; you could have a look at Brian Carrier's book "File System Forensic Analysis" and analyze the inode structure.
This might also be of interest
http//
jaclaz
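As an added illustration of the point above (example code written for this edit, not something posted in the thread), here is a small Python script that decodes the two ext2/ext3 on-disk structures involved: the 128-byte inode, whose i_mode field is what actually says "directory" or "regular file", and the directory block, which is the "specially formatted file" (a run of inode-number/rec_len/name_len/file_type/name records). It cross-checks the file_type byte each directory entry carries against the inode it points at, which is exactly the check to run when a tool calls something a folder that plays as video, and it also probes the slack behind each entry, because ext2/3 unlinks a name by stretching the previous entry's rec_len over it rather than wiping it. The inode table and directory block are constructed inline (offsets and constants are the real ext2/3 layout; the inode numbers, names and the mismatching "lostfolder" entry are made up for the demonstration); on a real image you would read the inode table and directory blocks from the group descriptors instead.

```python
"""Added example: decode ext2/ext3 inodes and directory entries and cross-check them.
Sample bytes are constructed below; only the on-disk layout is real."""
import struct
from dataclasses import dataclass

INODE_SIZE = 128
# mode uid size atime ctime mtime dtime gid links blocks flags osd1 i_block[15]
# generation file_acl dir_acl faddr osd2 (little-endian, 128 bytes)
INODE_FMT = "<HHIIIIIHHIII15IIIII12s"
assert struct.calcsize(INODE_FMT) == INODE_SIZE

S_IFMT, S_IFREG, S_IFDIR, S_IFLNK = 0xF000, 0x8000, 0x4000, 0xA000
MODE_NAMES = {S_IFREG: "file", S_IFDIR: "dir", S_IFLNK: "symlink"}
FT_NAMES = {0: "unknown", 1: "file", 2: "dir", 7: "symlink"}  # EXT2_FT_* byte in rev-1 dirents


@dataclass
class Inode:
    number: int
    mode: int
    size: int
    dtime: int
    links: int
    blocks: list

    @property
    def kind(self):          # authoritative type: comes from i_mode, not from any directory
        return MODE_NAMES.get(self.mode & S_IFMT, "other")

    @property
    def deleted(self):       # ext3 sets i_dtime and zeroes i_links_count on unlink
        return self.dtime != 0 or self.links == 0


def parse_inode(table: bytes, number: int) -> Inode:
    """Inode numbers are 1-based; inode N lives at offset (N-1)*128 of the inode table."""
    f = struct.unpack_from(INODE_FMT, table, (number - 1) * INODE_SIZE)
    mode, size_lo, dtime, links = f[0], f[2], f[6], f[8]
    size_hi = f[29]          # i_dir_acl holds the high 32 bits of size for regular files
    size = size_lo | (size_hi << 32) if (mode & S_IFMT) == S_IFREG else size_lo
    return Inode(number, mode, size, dtime, links, [b for b in f[12:27] if b])


@dataclass
class DirEntry:
    inode: int
    name: str
    file_type: int
    offset: int
    hidden: bool             # True when recovered from another entry's slack (unlinked name)


def _entry_at(block, off):
    ino, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
    return ino, rec_len, name_len, ftype, block[off + 8:off + 8 + name_len].decode("latin-1")


def walk_directory(block: bytes):
    """Follow rec_len for live entries, then probe each entry's slack for unlinked ones."""
    entries, off = [], 0
    while off + 8 <= len(block):
        ino, rec_len, name_len, ftype, name = _entry_at(block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break
        if ino or name_len:  # ino == 0 with a name: first entry of a block that was unlinked
            entries.append(DirEntry(ino, name, ftype, off, ino == 0))
        probe = off + ((8 + name_len + 3) & ~3)       # real footprint, 4-byte aligned
        while probe + 8 <= off + rec_len:
            h_ino, h_rec, h_nl, h_ft, h_name = _entry_at(block, probe)
            if h_ino == 0 or h_nl == 0 or h_rec < 8 or probe + 8 + h_nl > off + rec_len:
                break
            entries.append(DirEntry(h_ino, h_name, h_ft, probe, True))
            probe += (8 + h_nl + 3) & ~3
        off += rec_len
    return entries


def classify(table: bytes, block: bytes):
    """For each name, compare what the dirent claims with what the inode says."""
    report = []
    for e in walk_directory(block):
        if e.inode == 0:
            report.append((e.name, "unlinked, inode number zeroed", None))
            continue
        ino = parse_inode(table, e.inode)
        claimed = FT_NAMES.get(e.file_type, "other")
        verdict = "ok" if claimed == ino.kind else f"mismatch: dirent says {claimed}, inode says {ino.kind}"
        if e.hidden or ino.deleted:
            verdict += " (deleted)"
        report.append((e.name, verdict, ino))
    return report


def make_inode(mode, size_lo=0, dtime=0, links=1, blocks=(), size_hi=0):
    i_block = list(blocks) + [0] * (15 - len(blocks))
    return struct.pack(INODE_FMT, mode, 0, size_lo, 0, 0, 0, dtime, 0, links,
                       0, 0, 0, *i_block, 0, 0, size_hi, 0, b"\0" * 12)


def make_dirent(ino, name, ftype, rec_len=None):
    nb = name.encode()
    rec_len = rec_len or ((8 + len(nb) + 3) & ~3)
    return struct.pack("<IHBB", ino, rec_len, len(nb), ftype) + nb + b"\0" * (rec_len - 8 - len(nb))


def build_sample():
    """Constructed data: 6 inodes and one 128-byte directory block (not from any real DVR)."""
    table = b"".join([
        make_inode(0),                                                  # inode 1: bad blocks
        make_inode(0x41ED, 128, links=2, blocks=(100,)),                # inode 2: directory
        make_inode(0x81A4, 1, blocks=(200,), size_hi=1),                # inode 3: 4 GiB + 1 byte file
        make_inode(0x81A4, 4096, dtime=1300000000, links=0, blocks=(300,)),  # inode 4: deleted file
        make_inode(0x81A4, 8192, blocks=(400,)),                        # inode 5: regular file
        make_inode(0xA1FF, 11),                                         # inode 6: symlink
    ])
    # "old.stream" was unlinked: cam1.stream's rec_len (40) now spans its bytes at +20
    cam1 = make_dirent(3, "cam1.stream", 1, rec_len=40)
    cam1 = cam1[:20] + make_dirent(4, "old.stream", 1)
    block = (make_dirent(2, ".", 2, 12) + make_dirent(2, "..", 2, 12) + cam1
             + make_dirent(5, "lostfolder", 2)      # dirent claims dir, inode 5 is a file
             + make_dirent(6, "link", 7, 44))       # last entry's rec_len runs to block end
    return table, block


if __name__ == "__main__":
    t, b = build_sample()
    for name, verdict, ino in classify(t, b):
        print(f"{name:12s} {verdict}" + (f"  size={ino.size} blocks={ino.blocks}" if ino else ""))
```

Run as-is it reports "lostfolder" as a mismatch (directory entry type 2, inode mode regular file), "old.stream" as a recovered unlinked name whose inode is also marked deleted, and "cam1.stream" with its 4 GiB size assembled from i_size and i_dir_acl. If a DVR's "lost folders" come out as mismatches of this kind, the firmware is writing bogus file_type bytes (or mode bits) and a carver keyed on the inode's block list, not on the tool's folder label, is the right next step.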
Thank you jaclaz. I have read the resources you have suggested. After trying Encase and a few data recovery programs I have come to the conclusion:
The hard drives from surveillance systems are really hard to deal with in terms of recovering deleted videos. Some of the reasons are as follows:
1. File systems are almost always ext2/3 or something else. No FAT or NTFS drives. So, most data recovery software, including Encase, does not seem to work.
2. The encoding of video seems to differ a lot in each system. No standard. Many different video formats are used, such as .lvf, .stream, .dvr, .swf. So, data carving does not yield good results.
3. Even if you seem to have recovered a file, it is of an abnormal size, such as 4GB (just one file), but the video is not really consistent and it includes pictures from more than one camera. I mean the video, when playing, skips to another camera every two minutes, so you cannot be sure what you are watching. In other words, one video file does not show the same place; it is always changing.
4. Dates and times of recovered files are either missing or wrong. As the dates and times are related to the file system, you can't be sure the dates and times of recovered videos are correct. Recovered videos do not keep their file dates in the pictures. The File Created column in Encase is empty. You have other dates (last accessed, modified, etc.) but you can't be sure they are correct as they seem abnormal.
5. On some videos you should see dates and times on the video itself when watching. But the ones I have do not have dates and times on the pictures. So, although I have recovered some video files, I can't be sure those videos are from the dates that the investigation needs.
6. Although Encase (somehow) seems to say it can examine an ext3 partition, it apparently gets confused by hard drives from surveillance cameras and can't show dates and times properly, and it shows you 95,000 lost files, each of which has the same name and an abnormal file size. All files seem to have the same name, so you can't filter anything. And it is not practically possible to play each file.
In short, recovering deleted videos from surveillance camera drives which use ext2/3/4 or other file systems is hardly possible due to lack of standardization, and mainstream forensic software cannot solve the problem either.
Thank you jaclaz. I have read the resources you have suggested. After trying Encase and a few data recovery programs I have come to the conclusion:
Yes/No.
Namely
The hard drives from surveillance systems are really hard to deal with in terms of recovering deleted videos. Some of the reasons are as follows:
Yes.
BUT
1. File systems are almost always ext2/3 or something else. No FAT or NTFS drives. So, most data recovery software, including Encase, does not seem to work.
There are many suitable ext2/3 tools.
The first one that comes to mind is PHOTOREC
http//
But, specifically, defraser
http://defraser.sourceforge.net/
http//
2. The encoding of video seems to differ a lot in each system. No standard. Many different video formats are used, such as .lvf, .stream, .dvr, .swf. So, data carving does not yield good results.
Yes, it's a PITA.
3. Even if you seem to have recovered a file, it is of an abnormal size, such as 4GB (just one file), but the video is not really consistent and it includes pictures from more than one camera. I mean the video, when playing, skips to another camera every two minutes, so you cannot be sure what you are watching. In other words, one video file does not show the same place; it is always changing.
No.
This depends on settings in the actual DVR; of course, if you tell it to "rotate cameras" (as opposed to recording a "quad" view), or - even worse - in order to save HD space you set it so that only "triggered by motion detect" events are recorded AND you have several cameras, then yes, you have "a mess" as a result.
4. Dates and times of recovered files are either missing or wrong. As the dates and times are related to the file system, you can't be sure the dates and times of recovered videos are correct. Recovered videos do not keep their file dates in the pictures. The File Created column in Encase is empty. You have other dates (last accessed, modified, etc.) but you can't be sure they are correct as they seem abnormal.
Yes, this is common.
Many DVRs have, in some aspects, the "same technology" as 1980s VHS recorders when it comes to clock/time.
Recent "good" DVRs may have an internet connection and make use of an NTP server, though.
5. On some videos you should see dates and times on the video itself when watching. But the ones I have do not have dates and times on the pictures. So, although I have recovered some video files, I can't be sure those videos are from the dates that the investigation needs.
Yes, this is another thing that usually belongs to "settings", i.e. whether superimposing the date/time on the actual images is set or not.
6. Although Encase (somehow) seems to say it can examine an ext3 partition, it apparently gets confused by hard drives from surveillance cameras and can't show dates and times properly, and it shows you 95,000 lost files, each of which has the same name and an abnormal file size. All files seem to have the same name, so you can't filter anything. And it is not practically possible to play each file.
Well, Encase (as I see it) is not the only answer to all questions.
In short, recovering deleted videos from surveillance camera drives which use ext2/3/4 or other file systems is hardly possible due to lack of standardization, and mainstream forensic software cannot solve the problem either.
Or possibly also because, being outside your established knowledge AND being objectively "tricky", you need a whole set of "new" tools and approaches.
But you are right, of course there is no (sensible) standard; every manufacturer has its own approach. A few "random" examples (both for CCTV and "satellite/whatever" consumer-level DVRs):
http//
http//
https://
https://
AFAICT, you were actually "lucky" that you found a "known" filesystem; I saw quite a few reports about these thingies using "proprietary" filesystems (obviously UNdocumented).
The approach is a lot more similar to "device hacking" or "low level data recovery" than using the "common" digital forensic tools.
jaclaz
We use
Thanks r3verse.
I have tried UFS Explorer; however, it was not able to recover any file with full date and time fields. By the way, this surveillance system is not using the dvr format. This one uses the ext3 file system and encodes video files in "*.stream" format, which is rare.
I have tried UFS Explorer; however, it was not able to recover any file with full date and time fields.
How does it work – does it look at file system journalling data? (Can't see anything obvious from the web site …)
If it doesn't, you may want to try tools such as ext3grep or extundelete. I've only played with them in test scenarios, though – never used them for any real case.
Maybe useful
http//
Still, to attempt to undelete files on an ext3 filesystem I would use "native" Linux tools or a data recovery tool targeted at ext2/3 rather than "forensic tools", as athulin suggested:
http://extundelete.sourceforge.net/
http//
http//
or the previously mentioned PhotoRec or defraser (which actually is designed to do exactly that)
http//
though I cannot say if it (and/or ffmpeg) is "compatible" with the .stream format.
jaclaz