Tuesday, July 24, 2012

Best Practices for the Analysis of Digital Video Recorders - my public comment

First off, let me say that I'm not representing any "agency," as defined by the SWGs, in my comments. The following comments and observations come from me - a practitioner. As the document was published in public, I'll give my comments in public. Consider this me talking out loud as I read it - asking questions and noting observations as I go along ... If I sound confused about this document, it's because I am. Sorry.

My first observation is this - the rapid shift from "retrieval" in the beginning of the document to "analysis" later on. This is an important distinction. Evidence my be retrieved by one employee and analyzed by another. The person doing the analysis may have no access to the crime scene and therefore must rely on the accuracy and completeness of the retrieved information/data. Again, this is part of my confusion - retrieval vs. analysis.

Secondly, this document seemingly proposes a "bag it and tag it" approach, seizing the DVR and processing it as evidence. The workflow mainly reads as a quasi-computer forensic (CF) procedure. I'm not arguing that the workflow is necessarily bad - but confusing. Once you've performed the CF functions of opening the case, cloning the drive, putting the clone in, and turning the DVR back on - you're right back to where you were with the TSWG book, checking settings and etc. Should this new procedure replace the one in the TSWG book - or supplement it only when getting the data on scene is problematic?

Many agencies will have issue with this move to equip retrieval agents with CF drive cloning gear and etc. Others may have an issue with cracking the DVR case and performing this procedure in the field, and will opt simply to bag/tag when they didn't previously. Either way, there will be a big shift in the way many agencies process DVRs at crime scenes (or not, and they'll have to explain why under cross?)

Thirdly, the technical considerations were learned by practitioners over time, often the hard way (loss of data). Often, DVRs are so poorly designed/documented that you won't know that these are issues until it's to late - you've already pulled the HDD and it want's to format it for first use when you put it back in. Moving from a retrieve in place method, to a bag and tag CF method, may prove problematic when an agency lacks proper funds/staff/training to perform the CF part effectively.

Finally, given that you move back to the TSWG book's retrieval procedure as soon as you put the clone in place, are you actually "analyzing" the DVR? What does it mean to you when you hear the term "analysis of Digital Video Recorders?" I think, researching chips, compression schemes, indexes, etc - not doing a CF drive clone to facilitate a retrieval. Again, confusion on my part?

I guess that my comments can be summed up as confusion as to why? Why merge CF functions with DME retrieval in the same document? Why call it DVR analysis when you're not really analyzing what makes the DVR do what it does? (How many agencies have engineers that could do an analysis of chips, boards, OS, etc?) Why did SWGIT feel it necessary to write this draft? What issue were they trying to address that isn't adequately covered by the TSWG book? Why is this a SWGIT document and not a SWGDE document? This document seemingly fits better with SWGDE's mission.

Again, the discussion draft is public, so I chose to make my initial thoughts public. I know that many privateers aren't included in the various list-serves and discussion groups - so I'm trying to get the public to be as inclusive as possible.



Dave Thorne said...

Jim thank you for "talking out loud" there is general confusion among law enforcement here in the UK with who should retrieve digital evidence from a DVR. Does it fall into the realm of CF just because it holds the data on a hard drive? Is that different from producing it on a CD or DVD? Most CF departments have more than enough work to be getting on with, if the Video analysts are trained/experienced in data recovery then I feel it should remain in their remit to carry out that function.

Anonymous said...

I would argue that the workflow for a First Responder would be completely different than an "analyst."

At first blush, you'd want to view the evidence and try to capture it in place -- it may not be viable or necessary to impound the DVR yet.

And can you IMAGINE how hard it would be to keep track of all of the DVRs, not to mention removal and replacement of them for all of the cases that DV may come from? The hue and cry from those affected?

This is a two stage process:

1) First Responder rules and procedures
2) The Full Monty

This requires a description of how to get the DV off the box and actually analyze it beyond "hashing" the media files.

Jim Hoerricks said...

Again the confusion - the document is titled such that the topic should be the analysis of the DVR itself, not necessarily the analysis of the derivative DME, which is contained in a separate best practices document.

I'd expect a workflow similar to JTAG or chip-off techniques from mobile phone forensics, testing compression schemes, etc.