This week, another tale from our catalog of cases over the years. This one didn't start out as a typical "digital investigation" but instead originated with our traditional business investigation group. We were called in by a client to assist in an investigation revolving around an employee's claim of a personal injury occurring on company property during work hours. The subject of the investigation had claimed they were properly using a piece of equipment in the course of their job when it suddenly broke; thus they blamed "faulty equipment" as the cause and thought the company bore responsibility. This claim had no corroborating evidence or statements by observers, which struck our client as odd since there were a number of folks the subject worked with on a daily basis. One of the typical sources of evidence in an investigation, closed circuit television (or CCTV) footage, was inquired about. We were told that it had been reviewed and the evidence to support the claim was not there, yet something about the digital video recorder (DVR) system seemed "off" to the client. There was good reason to believe the subject had been injured, but the client was trying to figure out where it had actually taken place: on the subject's own time, in a car accident, etc. In light of the lack of corroborating (or perhaps missing) footage from the CCTV system, and the client wanting to exhaust all possible avenues of evidence, we were granted access to the DVR. Many DVRs are essentially specialized computers with a high-capacity hard drive inside to capture digitized footage from video systems. This one was no different.
Upon receiving the device, we made a forensic image of it through a write-blocking device to preserve its data integrity. The data was then indexed, file tables were rebuilt, and data was carved in an attempt to locate any video not already noted by the recording system. In our analysis, it was quickly apparent that the incident date fell just outside the retention window kept on the DVR. This meant there was no additional usable video data or carved files, since the drive's capacity was fully used (it essentially wrote over itself after just about 40 days). However, in the course of examining the DVR we were able to locate logging information on computers that had connected to it, and this data went back beyond 40 days. Looking at the logging information, we discovered that about half a dozen computers (7) had remotely connected to the digital video recorder. From the information available at this point, we didn't know what had taken place when these connections were made. We surmised that video was viewed, but nothing beyond that could be determined. Now would be a good point to note that all DVR access was made via one account with administrative or super-user access. If you guessed that the account name was Admin, then pat yourself on the back. Not only did we not know what had taken place because it was a shared Admin account, but we didn't know who had actually connected with it.
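Added example (not part of the original case write-up): the triage of recovered DVR connection logs described above, scripted in Python. The log format, the account name, the IP addresses, the dates and the incident date are all constructed stand-ins; a real recorder's log layout has to be worked out from the files recovered from its disk. The 40-day figure is the page's; the date window and the business-hours thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime, time
from typing import Dict, List, NamedTuple

# Constructed log lines in a made-up DVR format (timestamp, event, account,
# source address). A real recorder's format must be worked out from the
# files recovered from its disk.
SAMPLE_LOG = """\
2015-03-01 09:12:44 LOGIN user=Admin src=10.0.5.21 result=OK
2015-03-01 09:40:02 LOGOUT user=Admin src=10.0.5.21
2015-03-14 22:51:10 LOGIN user=Admin src=10.0.5.48 result=OK
2015-03-14 23:26:33 LOGOUT user=Admin src=10.0.5.48
2015-03-15 07:58:19 LOGIN user=Admin src=10.0.5.21 result=OK
2015-03-15 08:30:05 LOGOUT user=Admin src=10.0.5.21
2015-03-16 02:03:51 LOGIN user=Admin src=10.0.5.48 result=OK
2015-03-16 02:45:12 LOGOUT user=Admin src=10.0.5.48
2015-03-20 13:15:00 LOGIN user=Admin src=10.0.5.77 result=FAIL
#### partially overwritten record ####
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z]+) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?: (?P<detail>.*))?$"
)


class Event(NamedTuple):
    ts: datetime
    event: str
    user: str
    src: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse what can be parsed; recovered logs are often partly overwritten."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["event"], m["user"], m["src"], m["detail"] or ""))
    return events


def retention_covers(incident: str, imaged: str, retention_days: int = 40) -> bool:
    """Would footage from the incident date still be on a recorder that
    overwrites itself every `retention_days` days, given when it was imaged?"""
    elapsed = (date.fromisoformat(imaged) - date.fromisoformat(incident)).days
    return elapsed < retention_days


def logins_by_source(events: List[Event], start: str, end: str) -> Dict[str, List[datetime]]:
    """Successful logins in [start, end), grouped by source IP. With every
    session on the shared Admin account, the address is the only pivot."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.event == "LOGIN" and "result=OK" in e.detail and lo <= e.ts < hi:
            by_src[e.src].append(e.ts)
    return dict(by_src)


def after_hours_logins(events: List[Event], day_start: time = time(7, 0),
                       day_end: time = time(19, 0)) -> List[Event]:
    """Successful logins outside business hours, worth a closer look."""
    return [e for e in events
            if e.event == "LOGIN" and "result=OK" in e.detail
            and not (day_start <= e.ts.time() < day_end)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("incident still on recorder:", retention_covers("2015-03-14", "2015-04-25"))
    for src, times in logins_by_source(events, "2015-03-11", "2015-03-18").items():
        print(src, [t.isoformat(" ") for t in times])
    for e in after_hours_logins(events):
        print("after hours:", e.ts, e.src)
```

Because every session used the same Admin account, the source address is the only attribution pivot the log offers, which is why the next step in the case was to find out which workstation held each address. Per-user accounts on the recorder, with the shared Admin login disabled, would have let the log answer the "who" directly, and a DHCP lease history, where one exists, ties an address to a machine more reliably than an after-the-fact audit.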
Using the only information we had from the logging, which was IP addresses, we audited computers at the business to learn who typically used them. Not wanting to do this in a way that would tip off a current employee to any further malfeasance, we worked in concentric circles and took a few passes at different computers over a period of time so as not to disturb normal business operations or alert anyone. Once we knew the IP addresses of the machines and their users, we got gut-feeling feedback from management on the individuals and narrowed the list down to two computers that we thought were relevant and warranted a closer look. Both machines were forensically imaged and some cursory processing was conducted. Their content was analyzed for logging information consistent with connecting to the DVR, as well as for evidence of video content perhaps being stored on the computers. The first one analyzed had, without a doubt, connected to the video system and had a fair bit of video from the DVR system located on it, but none of the stored video was for the date in question, nor was the content particularly beneficial to the investigation. The other computer had no video downloaded from the DVR and no history of connecting to the device. In fact, we thought it looked too clean. The Internet history was non-existent, which is consistent with a computer having been "cleaned." With this discovery, and upon further analysis, we determined this had been done with a program called CCleaner. This program does a number of things to rid a computer of "junk" that might slow it down: deleting files, clearing cache files and temporary files. Although the program had recently been run, we didn't find evidence that another feature of the software had been used, namely the actual overwriting (wiping) of deleted data.
In light of this, we decided to have a go at carving the contents of the hard drive for video files, especially the pagefile and all unallocated areas of the drive. We literally found hundreds of video files or pieces of video files. We were about two-thirds of the way through reviewing these video files when we came across what turned out to be the proverbial "smoking gun": video of the subject who had made the injury claim. The video depicted the subject jumping up and down on the piece of equipment. It's safe to say this was clearly the opposite of its intended use and function. Additionally, this occurred after hours with no one else visible in the video. After searching through most of the remainder of the carved video, we located one more video that took place right before the incident just referenced. With this video evidence, management was ecstatic and our digital forensics piece of the investigation ended there.
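Added example (not code from the original case): a minimal header-based carver of the kind used to pull video out of the pagefile and unallocated space, written for this page. It knows two container formats, AVI (a RIFF file whose header carries the total size) and MP4/MOV (a chain of size-prefixed boxes that can be walked to the end of the file), and it reports fragments whose declared size runs past the available data, which is how "pieces of video files" like those mentioned above show up. The sample image it scans is constructed inline; it is not data from the case.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Top-level ISO base media (MP4/MOV) box types accepted while walking a file.
MP4_TOP_LEVEL = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide",
                 b"moof", b"mfra", b"meta", b"uuid", b"pdin", b"sidx"}


@dataclass
class CarvedFile:
    offset: int     # byte offset of the header in the scanned image
    kind: str       # "avi" or "mp4"
    length: int     # bytes recoverable from offset
    complete: bool  # False if the declared size runs past the end of the data


def _carve_avi(data: bytes, start: int) -> Optional[CarvedFile]:
    """RIFF header: 'RIFF' <u32 LE size> 'AVI '. The size excludes the 8-byte header."""
    if data[start + 8:start + 12] != b"AVI ":
        return None
    declared = struct.unpack("<I", data[start + 4:start + 8])[0] + 8
    available = len(data) - start
    if declared <= available:
        return CarvedFile(start, "avi", declared, True)
    return CarvedFile(start, "avi", available, False)


def _carve_mp4(data: bytes, start: int) -> Optional[CarvedFile]:
    """Walk the box chain from an 'ftyp' box, summing box sizes until the
    chain ends, a box is malformed, or the declared size overruns the data."""
    if data[start + 4:start + 8] != b"ftyp":
        return None
    pos = start
    while pos + 8 <= len(data):
        size = struct.unpack(">I", data[pos:pos + 4])[0]
        btype = data[pos + 4:pos + 8]
        if btype not in MP4_TOP_LEVEL:
            break                                  # chain has ended
        if size == 1:                              # 64-bit 'largesize' follows
            if pos + 16 > len(data):
                return CarvedFile(start, "mp4", len(data) - start, False)
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
        elif size == 0:                            # 'to end of file': unverifiable
            return CarvedFile(start, "mp4", len(data) - start, False)
        if size < 8:
            break                                  # impossible box size
        if pos + size > len(data):                 # truncated fragment
            return CarvedFile(start, "mp4", len(data) - start, False)
        pos += size
    if pos == start:
        return None
    return CarvedFile(start, "mp4", pos - start, True)


def carve_video(data: bytes) -> List[CarvedFile]:
    """Scan a raw buffer (pagefile, unallocated clusters) for AVI and MP4 headers."""
    found: List[CarvedFile] = []
    pos = 0
    while pos < len(data):
        candidates = []
        i = data.find(b"RIFF", pos)
        if i != -1:
            candidates.append((i, "avi"))
        j = data.find(b"ftyp", pos + 4)            # the 4-byte box size precedes it
        if j != -1:
            candidates.append((j - 4, "mp4"))
        if not candidates:
            break
        start, kind = min(candidates)
        hit = _carve_avi(data, start) if kind == "avi" else _carve_mp4(data, start)
        if hit is None:
            pos = start + 1                        # false positive; keep scanning
        else:
            found.append(hit)
            pos = start + hit.length               # do not rescan inside the file
    return found


def _box(btype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", 8 + len(payload)) + btype + payload


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: filler bytes with a small AVI,
    a small complete MP4, and an MP4 fragment whose mdat box is cut off."""
    filler = bytes(range(256)) * 4
    avi_body = b"AVI " + b"LIST" + b"\x00" * 28
    avi = b"RIFF" + struct.pack("<I", len(avi_body)) + avi_body
    mp4 = (_box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41")
           + _box(b"mdat", b"\xaa" * 64)
           + _box(b"moov", b"\x00" * 40))
    fragment = (_box(b"ftyp", b"isom" + b"\x00" * 4)
                + struct.pack(">I", 500) + b"mdat" + b"\xbb" * 20)
    return filler + avi + filler + mp4 + filler + fragment


if __name__ == "__main__":
    image = build_sample_image()
    for hit in carve_video(image):
        blob = image[hit.offset:hit.offset + hit.length]
        print(f"{hit.kind} at {hit.offset}: {len(blob)} bytes, "
              f"{'complete' if hit.complete else 'partial'}")
```

A hit flagged complete can be sliced out of the image and played as-is. Partial hits are still worth keeping and reviewing: whether they decode depends on which boxes survived, and even a few frames can be the evidence. Real carvers add many more signatures and handle the case where a file's pieces are not contiguous, but the header-then-size walk above is the core of the technique.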
In order to close out the story properly, I'll tell you the conclusion. With evidence in hand, the subject of the investigation was interviewed and, as Paul Harvey used to say, we got the "rest of the story." In short, the subject had planned to merely damage the equipment in an attempt to not have to work and still get paid. In the course of trying to damage the equipment, the employee had accidentally slipped and injured himself. He initially thought (despite a bit of pain) this could turn out to be even more profitable and that he'd finagle a more substantial payday. He then realized that there was a video camera covering the area where he had been when he damaged the equipment. Fortunately for him, one of his friends had access to the DVR, so he was able to work with him to delete the footage from the DVR. But of course they had to view the video first, which is how we were able to carve and discover it on the machine they had used to log in to the DVR. At the end of the day, the subject's claim was denied due to his actions, and he and his partner in crime were dismissed from their employment with the company. This incident just goes to show not only the ways technology affects nearly every aspect of our lives, but that oftentimes people's failing (and the catching of them) lies in their limited understanding of how everything works and is interconnected. We're thankful for that, as there is almost always evidence, especially digital evidence, unknown to the malfeasant party, which can help shed more light on their misdeeds. Good Day!