The Basics of Forensic Video Recovery with DVR Examiner

Jimmy: Hello, and welcome to the basics of forensic video recovery and Magnet DVR Examiner. My name is Jimmy Schroering, and we’re today going to be looking at how traditional video recovery works and some of the challenges associated with that. And then towards the end of this presentation, we’ll be taking a look at Magnet DVR Examiner and how it helps solve some of those challenges.

So, my role at Magnet is I’m the director of video forensics technology. I got my start in digital forensics in 2003. Worked…started at the North Carolina State Bureau of Investigation. Had some time at Target Forensic Services and finished up government service at the FBI in the forensic audio, video and image analysis unit.

I created DVR Examiner to help address some of these challenges that I faced in these roles. And hopefully it’s helped many of you as well. Magnet acquired DME Forensics in 2021, which is when I joined Magnet.

So moving forward, I mentioned we’re going to start with some basic video terminology, just to kind of set the stage for some of the later topics. Some of the challenges of traditional surveillance video recovery, challenges of video playback. And then, as I mentioned, we’ll look at Magnet DVR Examiner and do a quick demo of that as well.

One note is we only have about a half hour in this session and some of these topics are pretty broad and pretty deep. So, we started doing webinar series around video and we’ll probably address many of these topics more in depth in specific webinars. This is just intended to be an overview to get you started. But don’t expect that after this 30 minutes you’ll know everything you need to know about this. But hopefully it’s a good head start.



So, let’s talk about some basic video terminology that we use. We’ll start with “pixel”, which is fitting because it is the smallest addressable unit of data in a frame. We’ll discuss “frame” next, but essentially it’s a dot in the image. And that is…the more of those dots you have, the more likely it is that your image is gonna be discernible.

So, if you’re looking for a license plate, you really want to have a lot of pixels in that image so that you can decide whether it’s an 8 or a 3, for example, on the license plate.

Next we’ll look at “frame”. We really kind of define that as a single image that is composed of pixels. So it’s many…one or more really in the frame could be one pixel, but we don’t see that, so up to really as big as we want to get.

“Resolution” is the width and height of a video or a frame. It’s expressed in pixels. So like your HDTV is 1920 by 1080: that means there’s 1920 pixels for width and 1080 pixels for the height. Sometimes you will hear resolution referred to as the ability to resolve something within the image, which goes a little bit more towards, like, quality control, which we’ll discuss here in a second.

“Compression” quite simply is just the technology used to reduce the storage requirement for data. That’s not specific to video. That could be a .zip file, that could be any number of storage mechanisms, but we’re using it in the context of the video today.

And then “quality”: this is a big wild card. It really depends on who’s using it where and how. It could be referred to…or referring to resolution, compression or potentially both. So when you hear the word “quality”, don’t automatically assume it’s one of those things, you kind of have to dig in a little bit deeper.

Because all of those: resolution, compression, they affect the quality overall. If you change one, it’s gonna affect the quality. But on a DVR system, for example, it may be referring to just the compression level that’s used.

(Got three more, and then we’ll get into the meat of this.) “Format”: how the video is encoded. So this is gonna determine what compression, if any, is utilized. So H.264 would be a common example. It does not have to be compressed, a format could still be just uncompressed video. So it…the format at that point would be uncompressed, there would not be any compression. But typically in surveillance video, you’re gonna see compression, but it’s not required.

“Codec” is really just an acronym for encoder and decoder. Effectively, this is really the same as format, so it’s used fairly interchangeably. But again, you could have an uncompressed video encoder and an uncompressed video decoder. So, it doesn’t imply compression necessarily.

The “container” is probably the one that gets misused the most. It’s how the video is stored or indexed, but the confusing part is this is typically the file type or file format (which is the “format” word we just defined before), such as AVI or MP4. So the difference here is the containers hold video, which is of the specific format or uses a specific codec.

And really where that comes into play is in order to play a file, your computer must have the software installed that understands both the container and the format or codec. So, if you tell me you can’t play an AVI file, that doesn’t tell me the whole story, because the AVI is just how that format is indexed and what the format is inside also has to be understood.

So if it’s H.264, you have to have something that understands H.264, which most computers do. But if it was some sort of proprietary format or proprietary codec, you would need special software to be able to understand what’s inside of it. You know, it’s not enough to just be able to understand or read AVIs or MP4 containers.

Let’s look at some of the challenges of traditional video recovery. Really all of the problems that you encounter are going to be able to be broken down into one of three different areas. There’s a wide variety of challenges out there, but if we try to put them in boxes, we can usually put them in one of three.

The first one being, gaining access to the system. So, just finding the system, getting into it, even being able to work with it.

Once you’re into the system, locating the video of interest becomes the next challenge.

And then finally, once you’ve done that, actually getting that video out and getting it playing, that would be sometimes the most difficult, but it varies depending on the system, which of these is going to give you the most problems. But we’re gonna look at them a little bit more in depth here now.

So gaining access to the system. First step: can you find, and physically access the system? Owners are notorious for placing them in drop ceilings or in really high shelves in the office, or somewhere covered in grease in a fast food restaurant.

So, they’re not always the easiest to work with, even if you can find it. I have had cases where the owners forgot where they had them, or the lovely case where the business was purchased with the surveillance system installed. The new owner had no idea it was there and it was still running. It just kept going.

And so the law enforcement officer showed up and said, “I need to look at your surveillance system”. They told me they don’t have one. They’re like, “well, I was here last year and you did”. And sure enough, there was an actual system still running there that was purchased unknowingly from the business when the business was sold. So this is the first step, obviously, but it is not an uncommon challenge to encounter.

Is the system functioning? So, once you find the system, does it still work? Could you use it to recover video? In cases like arson and robberies, it’s not unusual for the system to be damaged. Sometimes it’s smashed with a baseball bat in a robbery. Other times the fire burns up the system.

The good news is in those cases, the hard drive is fairly well insulated by the system itself. So while the system doesn’t work anymore, we may have some options with the hard drive which we can talk about later.

And then, is the password known? This is probably the most common challenge that people bring and say, “I can’t get into the system. How am I going to recover the video?” It’s not always that the owner’s uncooperative, unfortunately, sometimes they have been fatally injured or they can’t be reached, not answering their phone, whatever it is. But without that password, it’s oftentimes really hard to get into that specific system to use that to get recovery.

Moving on to locating the video of interest. Once you have access to the system you still have to use that system to actually find what you’re looking for. It’s not uncommon for system menus to be in different languages. And then you have to figure out how to change the language to your language so that you can use the menus to navigate.

And even if it is in whatever your native language is, it doesn’t mean that it’s easy to navigate. Sometimes the menu can be confusing. It’s not always clear what the different options mean.

And you are working with a live system that’s probably still recording data. And if you hit the wrong button, it is possible that you accidentally format the hard drive or do something that’s destructive to the evidence, so you have to be really careful doing this.

The date and time of the system is often not set properly. Most commonly, it’s something like daylight savings time where the system isn’t configured to use it. So part of the year, it’s correct, and then the other part of the year, it’s not. Sometimes it’s not correct at all.

But you have to find what time your incident happened, according to the system, if that date and time is off. And sometimes that can be difficult. There are calculators out there that’ll help you with that. It’s just one more step you have to do.

And then if you’re looking for a large timeframe, like say, several times over the course of several weeks, you often aren’t gonna be able to just search for all of those times within those couple weeks and just get a list of everything that’s there.

Usually you’re gonna have to pick out some small increment of time, like an hour or a day, and it’ll tell you what’s there, and then you have to do that for each of your various different times. So it’s more tedious than it is impossible. It’s just another hurdle you have to jump through.

And finally recovering and playing the video of interest. So once you find the video of interest on the system, you have to pick how you’re gonna get it out of that system.

So, one of the ways you could do that is exporting the footage to a USB flash drive. It’s probably the most common today. Back in the day, we had systems that had CD and DVD burners in them, and we’d have to burn it to CD or DVD.

So flash drives are a lot easier to use, but they can still be challenging because certain systems may not accept flash drives that are formatted a certain way or a certain size. So, it’s not always as easy as plugging in your brand new 256 gigabyte flash drive. If it’s an older system, it may not support that.

One other option that comes up is recording the output of the screen while playing back the video of interest. I put this option in here largely to tell you not to do it. This is an old school way of…when all else fails, yes, hold your phone up and record the screen, but don’t expect that to be the best quality video.

There’s a lot of problems with doing that. Not the least of which is, it’s gonna be shaky probably. But really you’re not getting the original evidence at that point, you’re getting a picture of the evidence. And so you want to get as close to the original evidence as you can. So this is not a good method, but we list it in here mainly just to tell you not to do it! If it is the only resort, then that’s better than nothing, but don’t rely on this. You’ll just run into problems later.

Some of the specific drawbacks for example, when you’re exporting to USB flash drive, it’s still possible that the system may export a file format, which requires proprietary playback software. If you don’t have that software, you’re not gonna be able to playback that file. It may or may not be provided to you at the time you export.

Some systems are known to just export the file and you have to go find a player for it. It’s not included in that download. And then there is the possibility that it modifies the data, which lowers the overall quality of the data. And, again, quality meaning could be compression, it could be resolution, but it may change. And again, just like I was saying with the recording the output, you want to get as close to the original as you can, so you don’t wanna lower that quality.

After recovering a file, we always recommend that you attempt to playback on your computer prior to relinquishing access to the system. So you wanna make sure that it plays and that you have everything you need because once you turn that system back over, there’s no telling if that video will be there again for you to attempt another export or another method.

So, couple of notes on video playback: whether you performed the recovery or someone brought a video file to you to do something with, playback is often a challenge. One of the first things you should look at is what’s the extension of the file. Is it AVI, is it DVR, MP4? There’s hundreds of them out there.

So, it just might give you some hints as to what your next step should be. So remember, you must have software available that understands both the container and the format codec, so just because you have an AVI doesn’t mean it’s gonna be smooth sailing.

And just as in traditional digital forensics, the file extension can’t always be trusted. We’ll hit on an example of that here in a second. General rule: if you don’t recognize the extension, you’re likely dealing with a proprietary video file, but some proprietary video files use standard video file extensions just to make our lives harder.

A really common example of that is a really popular DVR that exports out what it says are MP4s (that’s the extension), but it’s actually proprietary video inside, and many people just try to play it back. The worst part is, is it kind of plays back a little bit, but not correctly. So, you really wanna make sure you know what you’re dealing with and not just relying on the extension.

So, if you do think you’re dealing with a proprietary video file, did you get a player with the output from the system? Hopefully you did. If you did, make sure you scan that to make sure there’s not viruses, other malware, that’s not uncommon.

And if not, then hopefully it’s a manufacturer on the system that you can talk to their support or go to their website. That would be the easiest way to get a player. But there’s plenty of what we call “black box systems” out there that have none of that. At that point you’re in for a lot more Googling to try to find a player that would work for that file.

The correct proprietary video player should be able to play the video. That seems obvious and you know, could say, will be able to play the video, but it says “should” because you could run into additional challenges about how the player represents the video.

So things like aspect ratio, cropping. I know those are things we haven’t defined in this session, but just let it be known that just because you get the video playing in the proprietary player doesn’t mean that it’s showing you the whole image. There’s some things that can happen with that typically with older systems, but it’s just a word of warning at this point. We may do a future session on some of these topics.

If you’re dealing with standard video files, you obviously are gonna try common players like VLC, GOM, even Windows Media Player. If it doesn’t work you may not have the correct codec installed. That’s a lot like finding a proprietary player at that point.

And as you’re trying to find that codec, try to only install that one that’s required, as opposed to large codec packs, those have been known to have some viruses or malware. So, make sure if you do use those, virus scan them just like anything else. But they can also cause you playback issues in the future with conflicts between codecs. So try to get only the one you need.

And just a big note here, because you have a standard video file, doesn’t mean that it wasn’t modified during the export or recovery process.

So, one of the ways to deal with this is to compare specific details, like if the subject was wearing a hat and you could see the logo clearly on the system playback, but when you look at the exported file, that logo is now washed out or blurry or something like that, you should get basically the same level of detail from what was on the system to what you exported. And if not, you may wanna try another recovery method.

Okay. We’re gonna move pretty quickly through these, but I just want to define “transcoding”. So, when you are talking about converting a file, one of the ways that that happens is through transcoding, which changes the codec or format or resolution of the video file. It may or may not change the container.

So, you can transcode something from an AVI to an AVI, and maybe it was an AVI with H.264, and now it’s an AVI with H.265. If compression is applied, you will get a lower quality output file because anytime you’re applying additional compression to your output, you already started with something of higher quality, now it’s gonna be less.

“Recompression” is applying additional compression to video, which is not…or which has been compressed previously. “Rewrapping” is where you change the container of the video file, but you don’t change the codec or format. So in the example I used before you have an AVI with H.264 in it, maybe you want an MP4 with the same exact H.264 in it.

So, it doesn’t change the quality, the resolution, the compression at all. It’s just how it’s indexed into a file. And then just be careful with the term “converting”, because it could mean any of those things (rewrapping or transcoding), and you really want to know what the tool is gonna do before you actually make the choice to do that.

So, a few quick words on converting files to kind of hit this point home: transcoding can result in recompression and therefore a lower quality output file. So, as most of you are forensic people, we want to use caution when performing this operation. Whereas rewrapping only changes the container, so it leaves the original video unchanged, which makes this a much better option in forensic settings.

But again, I know I’ve driven this point home a lot, but transcoding and rewrapping require the original codec and container to be understood by the utility that’s doing the operation. I.e., if it can’t read the file to begin with properly, you can’t then put it into something else. So, you can’t just do a conversion if you can’t really play the file as it is right now.

Final notes on proprietary video files, and then we’ll get to the Magnet DVR Examiner overview and demo here. Proprietary video files, they often have date/time, channel number, all this individual metadata, and if you do a conversion, you will likely lose that data unless what tool is doing it actually understands that metadata, and specifically retains it somewhere.

Because whatever container you’re putting it in (or format you’re putting it in) likely isn’t gonna have a method to store that data, so it has to be retained some other way. So FFmpeg is a really popular tool. If you use FFmpeg you will lose this metadata because it doesn’t understand the proprietary…every one of them’s a little bit different. So, just be aware that that’s the drawback.

And then finally, along those same lines, proprietary video files have that metadata that sometimes looks like the beginning of a traditional frame in say, H.264, H.265, and so standard video tools like FFmpeg will see that and think it’s a new frame and it can cause some problems where you’ll either get errors in the video, or you could even potentially lose data by dropping frames, so just be aware of that.

All right, now let’s briefly look at DVR Examiner. I’ve already started up DVR Examiner in the interest of time. So, it will work with either a hard drive (obviously we recommend write-blocking) or an image file. Our preference is DV because it’s much faster and you don’t really get the benefits of E01, which are typically additional compression like you would have in computer forensics.

Since all of the data on the hard drive is already compressed, you won’t really get the compression benefits from E01, and it’ll just be slower. So we prefer DV, but we will work with an E01. We’re gonna do a future webinar on that at some point here soon.

So, I’m just gonna go to this recent file that I accessed before. You don’t have to tell us what type of DVR it is, we just detect it based on information that’s on the disc or image. So, right now we’re just looking at that and trying to determine which specific type of system we’re dealing with, and in just a second, that will pop up.

Okay. So the scan’s completed, and we now have a clip list. So this clip list shows you all of the video clips that are available on the DVR. We have some options to filter and find the video of interest that we’re looking for. I just wanna demonstrate a couple of quick features here.

So, one of the features that you can have is to be able to preview. So, for example, I could take this clip right here and just double click and we’ll load that clip up directly from the hard drive. You notice the scan went really fast. We don’t actually read, in most cases, any of the video data until we’re actually looking at the preview or export.

So, in this case we can pull video up, we can play it back, see if we can find…we can scrub across it, look for your video of interest. We have some people exiting the driveway here. You’ll notice that we have two dates and time stamps. The one over here is actually the date and time that’s burned into the actual video itself. So, there’s nothing you can do to remove that; it was encoded at the same time the video was written.

But you’ll also notice over here, we have another date and time, and I can actually remove or move that data. So, I moved it to the lower left, or the lower right. I can get rid of it completely. That is actually us being able to read that proprietary metadata from the individual frames.

It seems a little redundant because we have a burned in date and time over here, but not all systems burn in a date and time, and so that gives you the ability to know the timestamp of a specific frame without having anything burned into the actual image itself.

And finally, I’m just gonna do a quick export here in the interest of time. So, after we did that preview, I can select a couple clips here. I’ll do right around a gigabyte worth of data to give you a speed comparison between if any of you have exported a gigabyte of data from a DVR, what that looks like. I can pick different video formats.

So, I’m gonna do open video again, no transcoding, no recompression. I’m gonna skip the proprietary video, but in this case I could do that if I wanted to. And then pick an export destination here (sure, we’ll send it to my desktop), and begin the export. And this will just take a second or two to get a gigabyte of data out, which is much faster than thumb drives.

And you can imagine if you had to export out all the video from the entire hard drive, how tedious that could be on the DVR. You could just select all the clips here and pick export and come back when it’s done.

So, we’re actually done exporting and I’m gonna open the export folder, turn that over so you can see it. And you can see, we have all the video files out as AVIs. And if I double click on one of those, it plays back right in Windows Media Player, so you don’t really need any additional software to play that.

And finally, very quickly, show you the report. So, this is an export report. We have options in there I didn’t use like hashing. It shows you what videos you got out and it’s all bundled up into a nice report for you. So it’s designed to save you a lot of time and make sure you get the right video out without any additional recompression or having to have special proprietary players and go find those.

That’s all the time we have for today, but thank you for attending. And if you have questions, feel free to reach out to us and we’ll be happy to answer them for you. Have a good day.
