Inaccessible Data Recovery with DVR Examiner

We thought this article would be beneficial to the community. “The term “inaccessible to the DVR” is used to denote data which the DVR no longer has access to. It is often commonly referred to as “deleted”, however that is a less precise term because it isn’t often known why the DVR no longer has access to the data. The term “deleted” also tends to have a negative connotation associated with it.”

 


By DME Forensics

This post reviews information presented in the recent Inaccessible Data & DVR Examiner webinar hosted by Jimmy Schroering. The full webinar gives a more in-depth review of inaccessible data recovery.

What is Inaccessible Data?

The term “inaccessible to the DVR” is used to denote data which the DVR no longer has access to. It is commonly referred to as “deleted”; however, that is a less precise term because it often isn’t known why the DVR no longer has access to the data. The term “deleted” also tends to have a negative connotation associated with it.

Sometimes this inaccessible data can be recovered, but it depends on how the video came to be inaccessible, how much recording has occurred since that time, and where the video exists in the filesystem.

Data can become inaccessible for a variety of reasons, including but not limited to:

  • Intentional deletion
    • Format operation performed on the hard drive
    • Individual clip deletion
  • Normal recording operations
    • “Overwriting” older data
    • How this occurs depends greatly on the filesystem
  • System malfunction
    • Can almost never be eliminated as a possible cause

How Does Data Become Inaccessible?

The storage of most DVRs is divided into four areas: system information, index information, data area, and empty space. The data area is typically divided up evenly into “blocks.” These blocks can vary in size depending on the filesystem and the size of the drive. These blocks are marked as free, or ready for recording, when a drive is initially formatted within the DVR.

When the DVR starts recording, it will begin at the top of the data area. Often, only one camera is recorded per block, though that isn’t always the case. Once a block is full, the DVR continues recording on to the next block until it reaches the bottom of the data area. If overwrite is disabled, the DVR would stop recording.

[Figure: DVR storage area]

[Figure: DVR camera recordings]

At this point, the earliest footage is at the top of the data area, the latest footage is at the bottom, and the index is intact, so it is easy for the DVR to locate the exact positions of the data. However, if the DVR continues to record, it will begin to overwrite footage at the top of the data area. Now the earliest footage is located below the latest footage, which can produce unexpected results when carving. It is also possible that the DVR leaves traces of data from previous recordings (known as slack) during the overwrite process.

[Figure: DVR continued recording]

[Figure: DVR slack]

If the DVR is formatted at any point, the indexes identifying the earliest and latest footage point are removed, but the data remains until it is overwritten. This is data that DVR Examiner can access.

How Does DVR Examiner Recover Inaccessible Data?

DVR Examiner is able to recover this inaccessible data by looking deeper into areas not referenced by the DVR index. For many filesystems, DVR Examiner can do this rather quickly because it first looks for accessible (indexed) data, then looks closer in areas which were not referenced by the index. If this feature is available for the filesystem you are using, simply select “Scan for Inaccessible Data” from the “Scan Options” menu.


Once the inaccessible areas have been identified, what happens next depends on the type of inaccessible scan.

  • For basic inaccessible scans, DVR Examiner attempts to identify the metadata (date/time, cameras, etc.) for the contiguous block of data. This data then becomes a clip.
  • For frame level inaccessible scans, DVR Examiner attempts to identify all the recoverable frames within that area. These frames are then combined into one or more clips.
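The storage behaviour and the frame-level scan described above can be reproduced on a toy model. This is an added example, not DVR Examiner's algorithm or code from DME Forensics; the 16-byte frame record, the block sizes, the `ToyDVR` class and the `scan_inaccessible` function are constructed assumptions and do not correspond to any real DVR filesystem. It goes slightly beyond the two scan types by also showing slack left after an overwrite and the effect of ignoring the index.

```python
import struct

# Constructed toy layout, not a real DVR filesystem: a frame record is
# magic "FRM", 1-byte camera, 4-byte timestamp, 8 payload bytes (16 bytes).
MAGIC, FRAME = b"FRM", struct.Struct(">3sBI8s")
BLOCK_SIZE, N_BLOCKS = 64, 4          # 4 frame slots per block

class ToyDVR:
    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * N_BLOCKS)   # data area
        self.index = {}        # block -> (camera, first_ts, last_ts)
        self.next_block = 0

    def record(self, camera, timestamps):
        """Write one clip into the next block, wrapping to the top when full."""
        blk = self.next_block % N_BLOCKS
        for slot, ts in enumerate(timestamps):
            FRAME.pack_into(self.data, blk * BLOCK_SIZE + slot * FRAME.size,
                            MAGIC, camera, ts, b"x" * 8)
        self.index[blk] = (camera, timestamps[0], timestamps[-1])
        self.next_block += 1

    def format(self):
        """Format: the index is cleared, the data area is left untouched."""
        self.index.clear()
        self.next_block = 0

def scan_inaccessible(dvr, ignore_index=False):
    """Return (block, camera, ts) for every frame the index does not cover."""
    found = []
    for blk in range(N_BLOCKS):
        entry = None if ignore_index else dvr.index.get(blk)
        for slot in range(BLOCK_SIZE // FRAME.size):
            magic, cam, ts, _ = FRAME.unpack_from(
                dvr.data, blk * BLOCK_SIZE + slot * FRAME.size)
            if magic != MAGIC:
                continue                      # never-written space
            if entry and entry[0] == cam and entry[1] <= ts <= entry[2]:
                continue                      # accessible (indexed) frame
            found.append((blk, cam, ts))
    return found

def demo():
    dvr = ToyDVR()
    for n in range(N_BLOCKS):                 # fill top to bottom: ts 100..115
        dvr.record(1, [100 + 4 * n + i for i in range(4)])
    dvr.record(1, [116, 117])                 # wrap: short clip overwrites block 0
    slack = scan_inaccessible(dvr)            # old frames left behind in block 0
    physical = [ts for _, _, ts in scan_inaccessible(dvr, ignore_index=True)]
    dvr.format()
    dvr.record(2, [200, 201, 202, 203])       # first recording after the format
    return slack, physical, scan_inaccessible(dvr)
```

`demo()` returns the slack frames found after the wrap-around, the timestamps in physical order (latest footage sitting above earlier footage), and the frames still recoverable after a format followed by one new recording.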

In most cases, the time it takes to scan for inaccessible data depends on how much accessible data exists. If the drive is “full” of data that is accessible to the DVR, then there are typically fewer potential areas to look for inaccessible data.

If the drive was formatted in the DVR, then typically no (or very little) accessible data remains. In these cases, an inaccessible scan can take quite some time because DVR Examiner will need to read through the entire drive to find inaccessible data.

In some cases, the DVR’s indexes are available but incorrect. In these situations, it may be necessary to ignore indexes when running an inaccessible scan. This option is available from the “Scan Options” screen after selecting “Scan for Inaccessible Data”. If the option does not appear, it is not yet available for the filesystem you are working on.

What if Inaccessible Scanning is Not Supported?

If inaccessible recovery for a particular filesystem is not yet supported by DVR Examiner, you can request it by contacting DME Forensics at support@dmeforensics.com or by calling 800-413-0363.

Due to technical limitations, it may not be possible or feasible to implement inaccessible recovery within DVR Examiner for every DVR filesystem. Some systems or situations may require a manual recovery. For time-sensitive or complex recoveries, the Advanced Technical Services (ATS) team within DME Forensics offers various recovery options.
