How Do I Know DVR Examiner Found All the Video?

DME

How Do I Know DVR Examiner Found All the Video?

By DME Forensics

During the collection of video evidence, it is vital that you are able to recover all of the available data on the DVR hard drive. There are a few ways that users of DVR Examiner can check to be sure that the program recovering all the data they need for their case.

Comparing Total Video Size

One of the easiest ways to verify the output from DVR Examiner is to compare the total size of video located by DVR Examiner to the expected amount of data. For instance, if a user has a 500GB hard drive that they know is full, they should expect DVR Examiner to identify close to the same amount of data. Typically, DVR Examiner will not recover the full amount of data, due to indexing and partitioning of the drive, but the number will be very close.

To calculate the total size of the video data in DVR Examiner go to the clip list window and select the clip(s) that have been recovered by DVR Examiner. Once all these clips are selected, information about these clips will appear in the upper right hand corner of the screen. This information includes the total number of clips selected, the total clip size, and the total drive size, among other stats.

compare data size

In this example, you can see that the total drive size is listed as 38MB, but the total clip size is 32MB. This is a large enough gap that it would warrant taking some additional steps to verify that all of the data is being recovered.

Other Types of Verification…

If you are getting errors from DVR Examiner and you believe data is not being shown, you should attempt to image the drive. When the image is being created, a log is then created. This log will provide any errors that occurred during the imaging process. If you encounter no errors, attempt to scan the newly created image.

Inaccessible Scanning Options

If the DVR filesystem offers inaccessible scanning, this would be the first step you should take to identify if there is other data available on the drive. Inaccessible scanning searches for data that is not accessible to the DVR (as in because it was deleted or overwritten). This function will show up as the first option on the landing screen of the DVR Examiner as can be seen below.

inaccessible option available https://i0.wp.com/dmeforensics.com/wp-content/uploads/2017/05/Inaccessible-Available.png?resize=803%2C389&ssl=1

For more information on how to use inaccessible scanning, read this blog

If the Data Still Doesn’t Match Up

Let’s say that during the verification process your data isn’t matching up. Your next step is to determine why using the steps below.

  1. Scan the drive with DVR Examiner.
    • Identify the time span of the data found
    • Inspect the time frame where the event occurred
    • Determine the total amount of video data
    • Verify what channels were recorded
  2. Connect a clone to the original DVR.
    • Examine the same information from the DVR itself
  3. Compare the two sets of data.
    • Does the time span of the video available on the DVR match DVR Examiner?
    • Do the # of recorded channels match DVR Examiner?
    • Is the total size of recorded video similar to or the same as DVR Examiner reports?

Keep in mind that the two sets of data may not always be a one-to-one match. Certain filesystems do not provide the data as clips, instead, they let you select a given time range to view or export. In these cases, DVR Examiner will use these time frames to define what the clips will be. If the filesystem saves the data as clips, we will have to occasionally truncate, or create a new clip, using the preexisting data.

Note: Don’t forget to disable any filters in the DVR Examiner Clip List. When a filter has been applied, it can cause video that does not fall under the filter’s requirements do not appear. Filters can be cleared from the clip list window by clicking ‘reset’ and then ‘apply filters’.

If you have followed the above steps and suspect that video is not being found, please contact DME Forensics Technical Support. We can be reached by phone at (800) 413-0363 or by email at support@dmeforensics.com.

Digital Forensic Community