Tuesday, June 10, 2014

Manual data carving - DVRs vs. Phones

A reader sent a note asking how to explain the difference between computer forensics' ability to find deleted files on hard drives and the team's relative inability to recover files from a retrieved DVR hard drive. It seems that someone had retrieved a hard drive from one of those systems that will format the drive when you plug it back in, so they needed to retrieve the files without accessing the DVR's hardware (never mind the hardware decoding issues).

Popular mobile phone and computer forensic programs offer the ability to manually carve files of known types from the raw data. When folks delete text messages, images, and videos, forensic experts can often retrieve the files from the raw data dump of the device. This is largely due to the fact that common file types are encoded in a standard, documented way.

Because of the standards that are in place, we know that if we can find the JPEG's header (FF D8) and footer (FF D9) in the raw data, we can use our tools to extract / carve the image and save it out to a separate file. In this way, rarely is anything really deleted.
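The header / footer carve described above, as an added example that is not code from the original post or from any forensic product. Beyond the plain "find FF D8, then the next FF D9" approach, it walks the JPEG marker segments to the Start-Of-Scan marker before looking for the footer, because a JPEG with an EXIF thumbnail embeds a complete second FF D8 .. FF D9 stream that a first-footer carve would stop at. The sample dump is constructed and contains no real picture data.

```python
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def jpeg_length(data, start):
    """Walk the marker segments from SOI to Start-Of-Scan, then look for EOI
    in the entropy-coded data. Returns None on a false-positive FF D8 hit."""
    if data[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # not a marker: not a JPEG after all
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # TEM / RSTn markers carry no length
            continue
        if pos + 4 > len(data) or (seg_len := int.from_bytes(data[pos + 2:pos + 4], "big")) < 2:
            return None
        if marker == SOS:                    # any APP1 thumbnail was skipped by length above
            end = data.find(EOI, pos + 2 + seg_len)
            return None if end == -1 else end + 2 - start
        pos += 2 + seg_len                   # APPn / DQT / SOF / DHT: skip by declared length
    return None

def carve_jpegs(dump):
    """Return every structurally valid JPEG found in a raw dump, in order."""
    found, pos = [], 0
    while (hit := dump.find(SOI, pos)) != -1:
        length = jpeg_length(dump, hit)
        if length is None:
            pos = hit + 1                    # false positive, keep scanning
        else:
            found.append(dump[hit:hit + length])
            pos = hit + length
    return found

def _segment(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample dump (not real picture data): a JPEG carrying an EXIF
# thumbnail, a stray FF D8 false positive, and a second thumbnail-free JPEG.
THUMB = SOI + _segment(0xDB, b"\x00" * 4) + _segment(SOS, b"\x01") + b"\x12\x34" + EOI
IMAGE = SOI + _segment(0xE1, b"Exif\x00\x00" + THUMB) + _segment(SOS, b"\x01\x00") + b"\xaa\xff\x00\xbb" + EOI
DUMP = b"\x00" * 8 + b"\xff\xd8\x00" + IMAGE + b"\x17" * 5 + THUMB + b"\x00" * 3
```

Run `carve_jpegs(DUMP)` on the constructed dump and both images come back whole; a first-footer carve would have cut the first one off inside its thumbnail.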

Also because of the standards, there are tools made specifically for carving or recovering multimedia files from hard drives or removable storage media - some are free, some are cheap, some are quite expensive.

The problem with applying this paradigm to DVRs is that the coding (the header / footer for the proprietary file type) is not generally published and is certainly not standard. If you're able to manually find and carve data from a Q-SEE DVR, the information gathered will not be of much use if you're trying to carve a raw dump from a Pelco DVR. Because of this high variability, the industry standard computer / mobile forensic tools aren't much help in automatic mode. It also means that it will likely take a considerable amount of time to decipher the encoding before the retrieval can even begin. In private practice, folks might not want to pay for that many hours of work. In public service, command staff might not have the patience required when waiting for results that might take a week or two to materialize.

But, if you have the time and the money to get into this type of work, there are a few training options out there. Your first stop should be with Jimmy and Jason at DME Forensics. They're offering classes on byte level analysis of DVRs. You also have the option to purchase their core product, DVR Examiner. I'd recommend that you do both if you're looking to get into this line of work.
