Editor’s note: In many cases, it needs to adopt the surveillance videos to find the case clues or evidence. If the DVR hard drive discovered at the crime scene is initialized artificially, qualitative aging of case investigation will have very great influence.
If the video exists, the evidentiary data can be extracted directly for DVR, but how to quickly get video clips if the DVR hard drive is initialized artificially? Professional engineers of SalvationDATA shared a typical case that the video data is recovered after the DVR hard drive is initialized.
Case attribute: housebreaking case in residential area
Case demand: on January 22nd, 2017, housebreaking case clue video (the DVR has been calibrated as per Beijing time, no obvious time error)
Case description: after the housebreaking case occurs, the investigators take the surveillance video of the residential area to discover that all the surveillance videos before January 23rd have no display, but the video data in the current day of January 23rd can be only found from the DVR.
Through field investigation and comprehensive analysis of clues in other aspects, law enforcement suspect that the DVR hard drive may be artificially initialized (similar to hard drive partition formatting). Then, the investigators immediately contact SalvationDATA to hope that can assist the data retrieval of the DVR, so as to find the lost videos as soon as possible.
After receiving the demand, our professional engineers are all in for assistance of the case at the first time and retrieve the video data successfully at last.
Identification and analysis of inspection materials
Through analysis on the log of the DVR involved in the case, our engineers can judge that the DVR hard drive is initialized at 14:04:26, January 23rd, to cause the data loss of DVR; furthermore, after being initialized, it continues to record video so overwritten of lost video may exist.
In summary, video loss is caused by artificial initialization of the DVR hard drive, for getting this part of lost data, it needs to disassemble the DVR hard drive, recovery and extraction of the lost video shall be carried out through the professional tool such as VIP.
1. Disassemble the DVR hard drive, then use VIP to make image and calculate hash to ensure the integrity of the video data
2. Load image to directly perform recovery and extraction for the video data
3. Scanning results shall be screened
4. Fast condition filtering shall be carried out according to the required time of video clips.
5. It has helped the law enforcement find out the video evidence to the burglary case through the professional software VIP for DVR forensics.
When dealing with DVR hard drive data loss, first, we need to identify the cause of DVR data loss, especially if some video files in the period of time that we need cannot be looked over normally in the DVR, we shall observe and study its existential state from multiple aspects, and this is the real way of realizing “justice has long arms”. Common causes of DVR data loss are as follows:
1. Delete artificially
2. DVR fails to record video if not started up, video channels are lost, etc.
3. Software recording is not started up
4. The storage space is full, and the videos overflow (cyclic overwritten)
5. DVR hard drive is initialized
6. The videos are in the lost state because of an abnormal shutdown
The above situation may be simply identified by looking up the log information of the DVR. The log information will record the daily operation as well as the running state of the system in detail, e.g. in this case, you can directly see that the DVR hard drive is initialized; meanwhile, if it needs to find out lost video, immediately stop recording to ensure that the DVR will not be used again to cause that the video is cyclic overwritten.