AnAnalyticalApproachtotheRecoveryofDatafrom3rdPartyProprietaryCCTVFileSystemsRichardGomm,Nhien-AnLe-Khac,MarkScanlonandM-TaharKechadiSchoolofComputerScience,UniversityCollegeDublin,Dublin4,Irelandrichard.gomm@gmail.coman.lekhac@ucd.iemark.scanlon@ucd.ietahar.kechadi@ucd.ieAbstract: According to recent predictions, the global video surveillancemarket is expected to reach $42.06billion annually by 2020. The market is extremely fragmented with only around 40% of the market beingaccounted for by the 15 top video surveillance equipment suppliers as in an annual report issued by IMSResearch.TheremainingmarketsharewassplitamongstthenumerousothersmallercompanieswhoprovideCCTVsolutions,usuallyatlowerpricesthantheirbrandnamecounterparts.Thiscostcuttinggenerallyresultsin a lower specification of components. Recently, an investigation was undertaken in relation to a seriouscriminaloffence,ofwhichsignificantvideofootagehadbeencapturedonaCCTVDigitalVideoRecorder(DVR).The unit was setup to save the last 31 days of footage to an internal hard drive. However, despite thereferenced footage being within this timeframe, it could not be located. The DVR unit was submitted forforensicexaminationanddata retrievalof specifiedvideo footagewhich,according to theproprietaryvideobackup application,was not retrievable. In this paper, we present the process andmethod of the forensicretrieval of video footage from aDVR. The objective of thismethod is to retrieve the oldest video footagepossible fromaproprietarydesigned file storage system.Wealsoevaluateour approachwithaGanzCCTVDVRsystemmodelC-MPDVR-16toshowthatthefilesystemofaDVRhasbeenreversedengineeringwithnoinitialknowledge,applicationordocumentationavailable.Keywords:CCTVforensics,CCTV-DVRfilesystemsanalysis,videofilecarving,reverse-engineering1.IntroductionTheclosed-circuittelevision(CCTV)isavideosurveillancesystemthatcanbeusedforanytypeofmonitoring.Inthe2012annualreport issuedbyIMSResearch,an independentsupplierofmarketresearch, itestimatedthatthevideosurveillanceequipmentmarketwasworthover$9billionin2010.Yetonlyaround40%ofthemarketwas accounted for by the 15 top video surveillance equipment suppliers (IMS Research 2012). Theremaining market share was split amongst the numerous other smaller companies who provide CCTVsolutions,usuallyat lowerpricesresultingfroma lowerspecificationofcomponents.TheadvancedformsofCCTV normally use Digital Video Recorder (DVR) that allows CCTV video images are recorded and archivedcontinuouslyfromallcamerasfor90daysormore,withavarietyofquality.TheCCTV-DVRdevicesarewidelyusedforsurveillanceinareasthatmayneedmonitoringsuchasbanks,airports,militaryinstallations,stores,etc.Recently,aninvestigationwasundertakeninrelationtoaseriouscriminaloffence,ofwhichsignificantvideofootagehadbeencapturedonaGanzCCTVDigitalVideoRecorder(DVR)modelC-MPDVR-16. Theunitwassetuptosavethe last31daysof footagetoan internalharddrive,howeverdespite thereferenced footagebeingwithinthistimeframeitcouldnotbelocated.TheGanzDVRunitwassubmittedforforensicexaminationandretrievalofspecifiedvideofootagewhich,accordingtotheproprietaryvideobackupapplication,wasnotretrievable. Initial examination of the Ganz DVR unit, under forensic conditions, revealed a proprietary filesystemi.e.afilestoragesystemnotrecognisedasanindustrystandard.InthatfashionthestandardtoolslikeEnCase(https://www.guidancesoftware.com/),X-Ways(https://www.x-ways.net/)etc.wereunabletorecoverany video footage. In fact, DVR’s come from a multitude of manufacturers, each using their own uniquevariantsofbothequipmentandsoftware.Insomecasethispresentsasanindustrystandardoperatingsystem,suchasLinux,whichpresentsasaneasy forensicretrievalusingstandardtools. However inthemajorityofcases the forensic investigatorwillencounteraproprietaryordrasticallycobbled-togetheroperatingsystemwhichprovidesasignificantchallengetodecode.Thelatteristhefocusofthispaper.ThetopicofthispaperaretheCCTVsystemsdescribedinthepreviousparagraphandinparticulartheforensicexamination of a Ganz CCTV DVR model C-MPDVR-16. The research problem was established to reverseengineer (Pooleet al. 2008, Zeltser2010) theproprietary file systemandestablish thedetailsof theoldestrecorded video footage available for retrieval. A secondary objective was set in being able to carve videofootagefromtheGanzDVRunit’sinternalharddiskdriveintoaplayableformat.

Ourpaper issetoutasfollows:Section2showsrelatedworkofCCTV-DVRforensics.Wediscussonforensictechniquesapplied forCCTV-DVR investigationsaswellas forensicchallenges inSection3.Wedescribeanddiscussacasestudyof forensicacquisitionandanalysisofGanzCCTVDVRmodelC-MPDVR-16 inSection4.Finally,weconcludeanddiscussonfutureworkinSection5.2.RelatedworkAriffin et al (2013) describe a forensic technique to carve video files with timestamps. Within this paper,authorsalsoproposedanextensionto thedigital forensic frameworkestablishedby (McKemmish,R.1999),whichhadfoursteps:(i)Identification,(ii)preservation,(iii)analysisand(iv)presentation.ItiswithinStep3:Analysis that authors specifically reference the issues with proprietary file systems. Due to the amount ofvariables and unknown systems available it would not be feasible to produce a technical guide to reverseengineeringaproprietaryfilesystem.Insteadadetailedanalysisoftherequiredstepswasgiven;insummarythe followingwasestablished: (i)First thebytestoragemethodmustbedetermined (little/bigendian); (ii)Filesignaturescanthenbederivedandusedtocorrelateeachfilesignaturetothechannelvideothatcapturedthescenewithtimestampsand(iii)Video coded must be located and installed. In this paper, we providesdetailsoftheanalysisoftheGanzDVRunitconductedinaccordancewiththeframeworkoutlinedby(Ariffinetal 2013). Another research was performed by Dongen (2008) on a Samsung CCTV system. This researchfocuseshoweveronawell-knownfilesystem:ext3.InWang(2009),authorfocusedonDigitalVideoForensicsthatcouldapplyinthecontextofCCTVforensics.Han et al (2015) present the forensic analysis of a CCTV-DVRofwhich the hard disk using aHIKVISION filesystem.Authorsalsomentioneditisanunknownfilesystem.Inthisresearch,theyidentifythestructureandmechanismofaHIKVISIONfilesystem.Authorsshowmoreoverthattheprocedureinthecaseanalysiscanbeusefultocounteranti-forensicactivities.ThispaperonlyhoweverfocusesonHIKVISIONfilesystemthatisnotpopularinvideosurveillancedevicesinwesterncountries.Recently, Tobin et al. (2014) conducted a CCTV-DVR forensics. Authors produced a short report into hisexaminationofthefilesystemusedontheGanz internalharddiskdrive. Thisreportwasnon-technicalandaimedforthelegalinvestigativefunction.AuthorsfoundthattheGanzinternalharddiskdrivewassplit intothreeregions,eachofwhichhadaspecificaction:(i)Region1–date1block,(ii)Region2–date2block,(iii)Region3– videodata.Todatethere isanytechnicalpaperthathasbeenpublishedbyauthorsonhowthefindingswerereached;itisbelievedtheyusedasoftwaretooltowatchthediskaccesswhilstusingtheAvTechproprietaryapplication,DiskTools.exe,toaccessacopyoftheGanzinternalharddiskdrive.ThisprocesshasadistinctdisadvantageasyouarereliantontheDiskTools.exeprogramming,whichisprovenlaterinthispapertonotprovidefulldetailsoftheoldestvideofootageavailablefromtheGanzDVRinternalharddiskdrive.3.CCTV-DVRforensicsFollowing the literature survey in Section 2,we notice that there is very little information available on theproprietaryfilesystemusedbytheGanzDVRunit,orthespecifiedAvTechharddiskdrivesystem.WhilstCCTVfootage canand shouldbeobtained through theproprietaryapplication shippedwitheachunit, this leavesverylittleroomforforensicexaminationandleavestheinvestigatoratthemercyofproprietaryprogrammers.Additionallytheremayremainremnantsofvideofootagewhicharenotcompleteandthereforenotavailablethroughanysuchproprietarysystem.ByreverseengineeringtheAvTechfilesystemtheinvestigatorobtainsfullaccesstoallinformationontheDVRharddiskdrive.Additionallythiscanbedoneinaforensicmannerandwithouttheneedtorelyontheabilityofanunknown3rdpartyprogrammer.Followingtheforensicacquisitionasampleofvideofootagemustbeextracted from the DVR hard disk drive and converted for playback. This will require codec, headers andencodingidentification.BeforelookingatacasestudyonforensicacquisitionandanalysisofGanzCCTV-DVRinthenextsection,wediscussontheidentificationoffilesystemsof internalharddriveofGanzCCTV-DVR(Ganzinternalharddiskdrive).Infact,filesystemssuchasFAT16,FAT32,NTFS,HFS,Ext2aresomeexamplesofindustrystandardfilesystem. These file systems are used to keep track ofwhere data is located on a disk, providing a tree likestructure comprising of files and folders. Each of the industry standard file systems referenced above are

requiredtoidentifythemselveswithauniquehexadecimalcodeintheMasterBootRecordatthebeginningofeachharddiskdrive. Thisuniquehexadecimalcode iscommonly referred toasa ‘MagicMarker’or ‘MagicByte’(Haideretal.2012).However,forensicexaminationofSector0,theMasterBootRecord,oftheinternalharddiskdrivefromtheGanzCCTV-DVRcontainednoMagicMarkerandthereforedidnotcontainoneoftheindustry recognised file systems. In order to progress it would be a requirement to reverse engineer theunknownfilesystemusedontheinternalharddrive.Inordertodothisyoumustfirstreviewhowafilesystemstoresdata.Ingeneralbeforeafilesystemcanbecreatedapartitionisrequiredtospecifyhowmuchoftheharddriveistobeused.Thesepartitionsequateouttoastartpoint(cylinder)ontheharddriveandanendpoint(cylinder).Onceapartitionisidentifieditispossibletoestablishthecontentofeachareaandhowtheyrelatetoeachover,buildingupapictureofcommunicationastheyprogress.DespiteMasterBootRecordareaoftheGanzinternalharddiskdrivecontainsnomagicmarkertoassistintheidentificationofthefilesystem,thereisotherdatawhichgaveastartingpointforresearch.TheMasterBootRecordoftheGanzinternalharddiskdrivewasexaminedinX-WaysForensictool, itdisplayedthefollowing(Figure1):

Figure1:Ganzinternalharddiskdrive–MBR(Sector0)TheASCIItextAVTECHandFSS16Abecamerelevantwhenitwasestablishedthattheinternalcomponentsofthe Ganz DVR unitweremanufacturedwith the brand AvTech.We conduct a search on both the brandedcompany, Ganz and also themaker of the internal components AvTech.We realise that Ganz is a productbrandofCBCAmericaCorp.ItwouldappearthattheGanzDVRunitmodelC-MPDVR-16isanoldproductandassuch therewasvery little informationavailableon theunit.Theonlynotable information is that theunitrecordswithaMPEGformat(http://en.cbc-cctv.com/uploads/tx_n21products/05_tab_088_01.gif).OfparticularimportancetothispaperisathreadontheCCTVforums.comwebsite(CCTVforums.com),whichdiscussesretrievingdatafromAvTechbasedunits.ThisthreadidentifiedthatAvTechdevicesuseaproprietaryfilesystemwhichhasnotbeendecoded,howeverAvTechhadreleasedaprogramtoassistintheinterrogationofsuchDVRharddrives.TheprogramiscalledDiskTools.exeandadownloadlinkwasprovided.Wealsousethistooltocompareforensicresultswithourapproach.SignificantlytheAvTechwebsitealsoprovidesawarningthatdatamaybedestroyediftheDVRinternalharddiskdrivewasconnectedtoaPCandaccessed.ThiswouldlikelybeduetoMicrosoftWindowstryingtowriteanewrecognisedMasterBootRecordtotheharddiskdriveonitsinitialization.Infact,ourpaperrelatestoaforensicexaminationwith theuseofadisk imagecreatedthrougha readonlydevice.TheactualGanzDVRinternalharddiskdrivewasneverconnecteddirectlytoanycomputer.4.ForensicacquisitionandanalysisofGanzCCTV:ACasestudy4.1AcquisitionThe forensic processweused in this section is adopted from theAriffin’smodel (Ariffin et al 2013). In ourexperiment,weperform forensicacquisitionandanalysisofaGanzDVRUnit.The first step is identificationwhere a Ganz C-MPDVR-16 DVR was photographed. We also take the photos at various stages of theexamination.Figure2showstheinternalviewofthisGanzDVRUnit.The next step is preservation. Within the law enforcement environment it is imperative that any data isrecoveredinaforensically-soundmethod.Thegeneralacceptedcriterionisthatnochangesaremadetotheoriginaldatasource,andthatanycopiesmadeareidenticaltotheoriginaldatasource.Inourexperiment,theGanzDVRunitwasseizedfromtheworkingenvironmentbylawenforcementagentsonthe4thofApril2013

shortlyafter08:00hrs.AstrictchainofcustodyfromseizuretoexaminationwasinplaceandnoaccesstotheGanz DVR Unit was permitted. For this examination the DVRs internal hard disk drive was removed andconnectedtoaforensicdeviceknownasawriteblocker.Nextabitcopywasmadeoftheharddiskdrive.Thisisamethodtoensurethatanexactcopyoftheentireharddiskdriveisproduced;includingallusedandusedspace.

Figure2:InternalviewoftheGanzC-MPDVR-16DVRunit.

Figure3:OverviewoftheAvTechProprietaryFileSystem4.2AnalysisTheanalysistookplaceonthecloneharddiskdrive,examiningtheinformationatthestorageleveltoidentifyanyrecognisedfilesignature.Thekeychallengewithaproprietary file format is to locatethevideostreamswithouttheassistanceofpredefinedstoragemethods(FAT,NTFSetc.)4.2.1 InitialActionsTheclonedharddiskdrivewasopenedwithinX-WaysForensics,EnCaseandWinHexnoneofwhichwereabletorecognisethefilesystemoranyvideofile.So,weexaminethefirstsectorofaharddiskdrive(MasterBoot

Record).Theonlyidentifiabledatainthesector0wasthelabelUAvTechandFSS16A.Notechnicalinformationwasobtainable,otherthanFSS16AwhichisaproprietaryfilesystemofAvTech.4.2.2 IdentifyingthedataFurther examination was conducted to review the type of data visible. We found there are totally threedistinctareasontheharddrive;thefirstcontainsentrieswhichprovideageneraldateandtimeforrecordedfootageandapointertothesecondarea.Thesecondareaprovidesseparateentriescontainingrefineddateand time stamps for each of the individual 16 cameras video footage recorded, and a pointer to the videofootage.Thethirdareacontainstheactualvideofootage(Figure3).Duetothelimitationofthepapersize,wedonotpresentindetailstheforensicprocessweusedtolocatethesethreeareas.Besides,themainobjectiveofourpaperistoshowhowtorecoverandplaybacktherecoveredvideodata.4.2.3RetrievingdataIn our experiment, one second period timeframe retrieval was attempted, 04/04/2013 08:00:00 hrs to08:00:01 hrs. The data of this period is located in sector 28,978,208 / offset 0374584070 thru to sector28,978,211/offset0374584720.Byanalysisoftheheadersinthosesectorswenoticethatthevideofootagewascapturedat6framespersecond.Thiscarveddataalsorevealedduplicateentriesforcameras0C,0D,0E,0Fonthe2ndand5thframes,representedbybytes1ofeachentryshowingFF.Thispatterncontinuedthroughalldataandispossiblyrecordinganerror. Inordertorecoveronesecondofvideofootageforcamera00(6framespersecond)datarequiredcarvingfromthefollowingsectors:

Alldatawascarvedandcompiledintoonefile;ittotalled21.5kinsize.4.2.4CarvedDataIdentificationIn order to identify the data within the carved file, we tried a number of industry standard applicationsincludingMediaInfo0.7.69,GSpotv2.70a,VideoInspector2.6.0.129.However,noneoftheabovesoftwarewasabletodetectthevideoformatcontainedinthecarvedfile,indicatingthatitwaslikelyaproprietaryencoding.TheGanzDVRsystemwassuppliedwithproprietaryviewingsoftwarecalledVideoPlayerMFC,version1.1.6.1.The application stated it played the following proprietary file formats: .VS4, .VSE, .DVR, .AVC, .DV4. So,wemadefivecopiesofthecarveddatafileandeachprovidedwithoneofthefivefileextensionsabove.ThesewerethenloadedintoVideoPlayerMFC.Theonlysuccessfulaccesswithinthevideoplayerwasthecopyofthecarveddatagiventhe.DVRextension.Thusthevideoplayeridentifiedtheclipasbeingfromthe04thApril2013at0800hrsasexpected, it alsodisplayed that the footagewas recorded in the720x576pixel format(Figure4).Basedonourinvestigation,theGanzDVRis listedasrecordinginMPEG4format.Areviewofthecarvedfileusedpreviouslyshowedthateachsegmentofvideodatastartedwiththehex:0000E001.AccordingtotheaboveMPEGfileheaderformat(http://mpeg.chiariglione.org/)astandardMPEGfilewouldstartwith:000001 ??.With the ?? being replaced by the relevant bit above,which for a video streamwould be E0 to EFdependingonthestream.So,ifweplacethetwosectionsofhexcodestogetherthereisaclearsimilarity:Carveddatafile-000000E001MPEGFormat- 00000001E0 (firstvideostream)ItwaspossiblethattheGanzDVRsimplytransposedbytes3and4.Inordertotestthistheory,weusedahexeditor tomodifyacopyof thecarveddata fileswappingbytes3and4 ineachof thestreamheaders. Thismodified data was saved as carved.mpg file and attempted to be opened in a number of media players.However the carved.mpg file would not play. The carved.mpg was further analysed with the previouslyreferencedapplicationMediaInfo.On thisoccasionMediaInfo recognised thecarved.mpg fileasaMPEG-PSstream,but it refused toprovideanydetailsof codecused forencoding. Indeed, it appeared that theGanz

Sectors 959991976 +3 Sectors 959992277 +26 Sectors 959992461 +5 Sectors 959992544 +3 Sectors 959992616 +3 Sectors 959992704 +3

DVRusesaproprietarycodecforencodingandstoringthevideostreamsintheDVRfiletype.Furtherresearchwasrequiredintotheactualdatastreams,itwaselectedtoanalysethefirst32bytesofthestartofeachvideostreamfortwospecificchannels(channel1&2)ataspecifictime(08:00hrs)overa4dayperiodspanningamonthchangetoprovideareferenceguidetodecodingthefileheader.

Figure4:VideoPlayerMFCshowingcarveddatafile4.2.5VideoFileHeaderInvestigationIn this experiment, we extract the first 32 bytes of the video stream for channel 1 & 2 at 0800hrs on the30/03/2013,31/03/2013,01/04/2013and02/04/2013(Figure5).Inordertoestablishwhetheroffsets30and31(thelasttwobytes:0080)provideatimestamp,weretrievedatafromthecamera1onthe30thofMarch2013foreachhourrecordedbetween0800hrsonthe30thuntil0000hrsonthe31st.WethenfindthatOffset30and31was linkedtothetime, itwasclearthattheGanzDVRrecordedthehourdirectlyuntil it reached1600hrs.Atthatpointitresetsoffset31to00butincreasedoffset29by1.Inthisfirsttest,weonlyfocusonhours:08:00,09:00,10:00hrsetc.Therewasnoprovisionforminutesorsecondstobeaccounted.Inordertolocate theminute changeadditionaldatawas retrieved splittingout the08:00hrs timeframe for the30thofMarch2013. Inreviewingtheresultswenoticesthatoffset31didnotremainat80asexpected if itwastoindicate08:00hrs.Neitherwasoffset30remainingconstantwiththetimestampforminutes.Ratheroffset30appeared to initially be recording secondswithin the firstminute 08:00 – 08:01hrs. This appeared to be indirecthexnotation,i.e.00–3B(Dec00to59).Howeveratthebeginningof08:01hrs,offset30becamehex40.Thenatthebeginningof08:02hrs,offset30becamehex80.Thenatthebeginningof08:03hrs,offset30returnedtohexC0.Finallyat08:04hrsoffset30resetto00.Itwasnotedthatoffset31increasedby1,from80to81.Invisualformoffset30represented:Hex00–3B=0to59Sec,Minute0Hex40–7B=0to59Sec,Minute1Hex80–BB=0to59Sec,Minute2HexC0–FB=0to59Sec,Minute3Theanalysingofheaders isshowninFigure6.Thedifferencebetweenthestartsofeachcyclewasnotedasdecimal 64. (64, 128, 192). The value in seconds could be established from the hex code in the followingmanner:Example:offset30=hexFB=Dec251Dec251/64(cycle)=192r59Dec192/64=3ThereforeHexFB=3rdMinutecycle,59secondsOffset31wasclearlyrecordingtwoseparateportionsofdata.Bit1wasthedirecthexvalueofthehour.Bit2wasarecordkeeperofhowmanycyclesoffset30hadcompletedwithinthathour.Example:offset31=hex8EBit1readshex8=dec8,therefore0800hrs.Bit2readshexE=dec14,there14x4minutecycles=56Timestampwouldread:08:56hrs+valuefromoffset31

30thMarch2013–0800hrs

31stMarch2013–0800hrs

1stApril2013–0800hrs

2ndApril2013–0800hrs

Figure5.Thefirst32bytesofthevideostreamforchannel1&2

Figure6.Videostream–HeaderAnalysisNext,lookingatanoverallexamplewhereweextractavideoheaderfromSector696,662,102(Figure7).Iftheabove is to be proven then the video footage in Sector 696,662,102 should relate to footage taken at08:32:42hrs.Sowereversethelookupmethodforsectorsfromdate.Wehavesector696,662,102=Hex29863856,transposedintolittleendianforsearch=56388629produced(Figure8).

Figure7.Videoheaderfromsector696,662,102

Appeared to show 0800 in reverse format, same as time of clip concerned.

Appeared to increase by 2 on subsequent days until FF then next offset increased by 1 (34 to 35).

Appeared to remain the same throughout all dates.

offset31shows:Bit1–hex8=Dec08Bit2–hex8=Dec08Thereforetimestampis:0800hrs+8x4minutecycles=08:32hrs+42seconds(valuefromoffset30)=08:32:42hrs

offset30shows:Hex2A=4242/64=0r42Thereforehex2A=0minutesand42seconds

Figure8.FootageAnalysisThis resultestablishedthat the footage insector696,662,102was for the30/03/2013at08:32:42hrsaspertheexampleworkingsaboveanddemonstratesthetimefunctionhasbeencorrectlydeciphered.Next,wearelookingatthedatestampartefacts.Basedonthetimestampanalysisitwasevidentthatthedatestampwassomehow linkedwith offsets 28 and 29, and that 16:00hrs played a crucial role in increasing the offset 28counter.Inordertoestablishthesystemusedforthedatestamp,wetakethevideofootagefromCamera1at0000hrsand1600hrsonthe30thMarch,31stMarch,1stofApriland2ndofApril.Thisselectionwouldprovidefourdaychangesandonemonthchange.(Figure9)

Figure9.HexdumpofVideofootageoffourdaysWe notice that the hexadecimal value present in offset 28 increases at 0000hrs and 1600hrs of each day.However thedataofoffsets28,29and30donotappear tomatchanyof the industrydate stamp formats(UNIX, MS-DOS etc.) and is likely a time counter from some point set by the manufacturer. Furtherexaminationwouldberequiredtoestablishthedatestampencodingmethod.4.3ProprietaryApplicationvsForensicExaminationInthissection,weuseDiskTools.exetoexaminetheGanzDVRunit internalharddiskdrivetocomparewithourforensicresults.TheDiskTools.exeapplicationstatedthattheearliestavailablevideofootagerecoverablewasfromthe18thofMarch2013at00:48:09hrs.(Figure10)

Figure10:DiskTools.exe

So our forensic analysis was conducted for the date / time stamp 0D 03 12 00 30 09. The first referenceappearedat Sector63,343whichpointed toSector23,943,068and finally toSector973,078,543where thevideodatawaslocated.Thehexcodeforthetimestampwasequatedas:0000hrs + (12x4)mins + 9secs = 00:48:09 hrs,whichwas identical to the timestamp expected. The footagesuggestedbyDiskTools.exewasverified. Inordertotest theDiskTools.exeaccuracytheprevioustimestampfromSector63,343wastakenandthepointersfollowed:

ThispointedtoSector23,933,333:

ThispointedtoSector971,303,982

Thishadvideo footagepresent,witha timestampreflecting00:00hrs. Inorder toviewwhether the footagewas the correct footage the data was extracted and converted using the methods within this paper. Thesectorsconcernedwere:Sector971303982-(10sectors),Sector971304138-(6sectors),Sector971304220-(6sectors),Sector971304320-(5sectors),Sector971304398-(5sectors)andSector971304475-(5sectors).Thecarveddatawassavedtothefile0000hrs.DVRandopenedintheVideoPlayer.

Figure11.CarveddataplaybackTheVideoPlayerdisplayed footage from the18thMarch2013at00:00hrs. This footagewasnot retrievablethroughtheDiskTools.exeapplication.Inordertoestablishtheoldestvideofootageavailableatrialanderrorsystemwasdeployed,startingwiththeattempttoretrievefootagefrom2300hrsonthe17thMarch2013.Sector23921205containedthepointerfor0D0311170000orinnormalterms17thMarch2013at2300hrs.Sector23921205pointedtoSector969083922.Sector969083922containedvideodatawiththeheaderof:

Thisheaderindicatesthatthefootageisfor23:00hrs(0070withthe+16hrsfromE3).Thenexttrialanderrorsearchwasconductedforthe16thofMarch2013at2300hrs.Sector23630109containedthepointerfor0D0310 17 00 00 and pointed towards Section 916459161. However Sector 916459161 contained video datawithoutaheader:

Thisdataisclearlynotastartofavideostreamasthe0000E001startingbytesaremissing.FurtherreadingshowedthatSector916459161containedvideodatafromastreamthatstartedinSector916459157,whichcontained a timestamp for 12:53:51 hrs. Continuing the trial and errormethod established that the oldestfootageavailablewasfrom20:00hrsonthe17thofMarch2013.Thereforeanadditional4hrsand48minutesof footagewasavailable throughmanualexaminationof theGanzDVRharddrive, compared to theofficialDiskTools.exe application. In criminal investigations any additional time recoverable may result in crucialevidence, which if reliant on the official application would not have been recovered.Why the official toolmissedthese4hrsand48minuteswasconcerningsofurtherinvestigationwasconducted.5.ConclusionandFutureworkInthispaperweproposedanewmethodofreverseengineeringtheproprietaryfilesystemofaCCTVDigitalVideo Recorder. By conducting the examination as shown in this paper the file system has been reversedengineered with no initial knowledge, applications or directions available. Further it has been reversedengineered to a sufficient degree to allow for the identification and retrieval of video footage from anyspecifiedcameraforanyspecifieddaterecordedwithouttheuseofanyproprietaryapplications.Whilstthispaperwasunabletoevidencehowtodecodethedatestampfromwithintheactualvideofootagedata,thisisaredundantstepasthedateandtimestampsareavailablefromthefirsttwolocatorsasreferencedinSection4.Furtherresearchintotheactualvideodatastreammayrevealhowthedatestampisrecorded,thiswouldassist when presentedwith a raw partial data streamwas provided for examination i.e. no locator data isavailableduetodamagedharddriveetc.OveralltheresultsaredirectlytransferabletoanyCCTVDigitalVideoRecordersystemthatusestheAvTechfilesystem. Withminoralterationstheprocesscontainedwithinthispapercanbeutilisedwithanyproprietaryfilesystem.WearealsolookingatcombiningsimilarapproachesinVehicle Forensics (Jacobs 2016) and Mobile Device Forensics (Faheem 2015, Sgaras 2015) to improve ourmethod.ReferencesAriffin, A., Slay, J., Choo, K-K. (2013), Data Recovery from Proprietary Formatted CCTV Hard Disks DigitalForensics,Chapter inAdvances inDigitalForensics IX,Volume410oftheseries IFIPAdvances in InformationandCommunicationTechnologypp.213-223Poole,N.R.,Zhou,Q.andAbatis,P. (2008),AnalysisofCCTVdigitalvideorecorderharddiskstoragesystem,DigitalInvestigation,vol.5,no.1,pp.85-92,May2008.McKemmishR.(1999)Whatisforensiccomputing?Trends&IssuesinCrimeandCriminalJustice1999;118:1-6.Dongen,W.S.V (2008)CaseStudy: ForensicAnalysisofaSamsungdigital video recorder, JournalofDigitalInvestigation,vol.5,pp.19-28,2008.Wang,W.(2009),DigitalVideoForensics,PhD.Thesis,DarthmouthCollege,NewHampshire,USA,June2009Han, J., Jeong,D. and Lee, S. (2015)Analysisof theHIKVISIONDVRFile System,Digital Forensics andCyberCrime:7thInternationalConference,ICDF2C2015Tobin, L., Shosha, A., Gladyshev, P., (2014) Reverse engineering a CCTV system, a case study, DigitalInvestigationvol.11(3)pp.179-186Haider,Dr.,Al-KhateebM.,(2012)AnalyzingtheMasterBootRecord,Webspace,2012CCTVforums.comhttp://www.cctvforum.com/viewtopic.php?f=56&t=24717IMSResearch(2012),Trendsfor2012Zeltser, L. (2001) “Reverse Engineering Malware” https://zeltser.com/reverse-engineering-malware-methodology/Jacobs(2016)Jacobs,D.,Le-Khac.N-A.,VehicleEntertainmentSystemForensics:ACaseStudyofVolkswagenAutomobile, Twelfth Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India,January2016Faheem (2015) Faheem,M., KechadiM., Le-Khac,N-A., The State of theArt Forensic Techniques inMobileCloud Environment: A Survey, Challenges and Current Trends, International Journal of Digital Crime andForensics(IJDCF),Vol7(2)p.1-19Sgaras(2015),SgarasC.,Kechadi,M-T.,Le-Khac,N-A.ForensicsAcquisitionandAnalysisofInstantMessagingandVoIPApplications,ComputationalForensics,SpringerInternationalPublishing,2015p.188-199