Abstract
The purpose of this study is to explore some different ways of extracting data from closed-circuit television (CCTV) Digital video recorder (DVR) systems which have proprietary operating systems and proprietary file systems. DVRs for CCTV commonly have an in-built capability to export stored video files to optical storage media. In the cases that a DVR is damaged or forensics examiners have only the hard disk of the DVR, its contents cannot be easily exported. This renders the forensically-sound recovery of proprietary-formatted video files from a DVR hard disk an expensive and challenging exercise
Introduction
Recently, a large amount of video contents have been produced in line with a wide spread of surveillance cameras, digital video recorders and automobile black boxes. Video surveillance and closed-circuit television (CCTV) systems serve as deterrents to crime, and can be used to gather evidence, monitor the behavior of known offenders and reduce the fear of crime. CCTV systems can be broadly categorized into analog, digital and Internet Protocol (IP) based systems. Analog systems have limited abilities to store, replicate and process large amounts of video data, and the quality of images and video files is generally quite low. Digital CCTV systems use digital cameras and hard disk storage media. IP based CCTV systems stream digital camera video using network protocols. In digital CCTV forensics, it is extremely challenging to recover evidence in a forensically-sound manner without data recovery expertise in a wide range of storage media with different filesystems and video formats. The challenge is compounded if the storage media of a digital video recorder (DVR) is damaged or forensics examiners have only the hard disk of the DVR. The variety of digital CCTV systems further complicates the digital forensic process, as many of the systems use proprietary technologies. Therefore, digital forensic practitioners need to have an intimate understanding of digital CCTV systems.
Identify Video File formats
Usually in CCTV DVRs, there is a mechanism for video compression. Most of the time the OS and the file systems of CCTV DVRs are proprietary, but they use standard video compression techniques. Video compression is the process of using a codec to go through the video files to reduce or eliminate unnecessary frames (A video file is a combination of a set of still images called frames). This makes the video files smaller and saves the storage of a CCTV DVR’s hard disks. There are two main types of compression, H.264 and MJPEG, while MPEG4 is an older version. Each compression type has their unique file structure with attributes. Thomas Gloe in 2014 [1] extended the idea of file format forensics to popular digital video data container formats. In his study he identifies manufacturer and model-specific video file format characteristics and point to traces left by processing software. Such traces can be used to authenticate digital video streams and to attribute recordings of unknown or questionable provenance to (groups of) video camera models. Thomas Gloe in 2014 [1] identified all the header attributes, footer attributes and all other segments in AVI and MP4 video container formats and constructed attribute structure diagrams of each video file format. The standard order of each attribute and the case of each attribute name were identified. The purpose of each attribute in each video file format is also illustrated. This knowledge can be used to identify and extract the video files in the CCTV DVRs which use AVI or MP4 video container formats. However his study did not cover identifying and extracting of video files other than AVI or MP4 video container formats in CCTV DVR Systems. If a video file saved in a CCTV DVR hard disk is corrupted or partially overwritten this proposed method cannot be used to extract the remaining video data from the CCTV DVR System. Thomas Gloe in 2014 [1] relied on file structure internals and there are tools that would allow users to forge such information with advanced programming skills.
Video file restoration using the meta-information
Conventional techniques for video file restoration use the meta-information of the file system to recover a video file stored in a CCTV Hard disk. The file system meta-information contains the information such as the address and the link of a video file that can be used for file restoration. Carrier in 2005 [4] proposes a file restoration tool based on the file system, which was implemented in a software toolkit, The Sleuth Kit [5].This program is based on the information from the file and directory structure of a storage file system. Video file restoration may not be possible with his solution, when the file system meta-information is not available or video files are corrupted or partially overwritten.
Analyze the Hex dumps of the videos
Although most CCTV DVR hard disks have Proprietary OS and Proprietary file systems we can perform byte-level analysis (Fig. 1) using tools as WinHex [8]. This kind of byte-level analysis helps forensics examiner to identify the video files saved in a CCTV hard disk in hexadecimal form. Aswami Ariffin, Jill Slay and Kim-Kwang Choo in 9th IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA, January 28-30, 2013 [2], explained a hex based Solution to retrieve videos from proprietary formatted CCTV hard disks. They extended the McKemmish’s [3] digital forensic framework and analyzed the cloned hard disk, examined the video stream, byte storage method, format, codec, channel and timestamp to identify the file signatures for searching and carving the video files with timestamps. They determined the byte storage method is little endian or big endian and derived the file signatures This information can be used to correlate each file signature to the channel video that captured the scenes with timestamps.
Fig 1 - Proprietary file formatAswami Ariffin, Jill Slay and Kim-Kwang Choo [2] performed a search for repetitive hexadecimal patterns in the channel video (from one to the number of channels) interleaved with timestamp tracks. They were able to identify the header file signatures for each channel, footer file signature and hexadecimal timestamps. They used WinHex to search and carve out the digital video evidence according to the channel (video header and footer) and timestamp signatures. Although their proposed solution enables video files with timestamps to be carved without referring to the filesystem, they depend on a player which is capable of playing the curved video files to verify their findings. Most of the time in proprietary formatted CCTV hard disks we can’t easily obtain the repetitive hexadecimal pattern. Corrupted videos or partially overwritten files cannot be recovered by Aswami Ariffin, Jill Slay and Kim-Kwang Choo’s [2] method.
File carving in video file recovery
Eoghan Casey in 2014 [6] presented a various designing trade off in video recovery technique. He identified the practical problems in video recovery and describes tradeoffs that developers must consider when creating file carving tools for identifying and reassembling fragmented AVI, MPEG, and 3GP video files. He also explains if the location of individual video frames can be detected directly within a video container using the relevant specifications, one would not be so dependent on availability of indexes from container formats and the video frame locations could then be determined more locally. Such location information could be used to generate an appropriate container video file index for a partial file.
According to Eoghan Casey’s [6] study because of the complexities encountered in real world hex dumps of CCTV data, there is no single approach to identify fragmented video files, rendering them as playable video files.
Gi-Hyun Na, Kyu-Sun Shim, Ki Woong Moon,Seong G. Kong and Joong Lee in 2014 [7] proposed a method to recover corrupted video files using video codec specification which uses a frame. A video data consists of a sequence of video frames as the minimum meaningful unit of video file. They propose a technique to restore the video data on a frame-by frame basis from its corrupted versions where the video data has been significantly fragmented or partly overwritten in the CCTV hard disk.
The proposed method identifies, collects, and connects isolated video frames using the video codec specifications from non-overwritten portions of the video data to restore a corrupted video file. The technique consists of the extraction phase and connection phase of relevant video frames. (Fig. 2)
Fig. 2 - Processing steps of the proposed frame-based video file restoration techniqueThe extraction phase uses the video codec specifications to extract a set of video frames from the CCTV Hard disk. In the connection phase, the restored video frames are used to group and connect relevant video frames using the specifications of the video file used.
The proposed method was tested for three kinds of video files encoded with MPEG-4 Visual, H.264_start and H.264_Length codec’s. The recovery rates of video files decrease when the number of fragmentation increases, the degree of overwriting of files has also significantly affected the restoration rate of video files. According to their work a human expert should go through the video header to identify the video codec specifications, which is not a relatively simple task.
Conclusion
Table 1 lists the reviewed studies, their main area of concern and their limitations in successful video recovery in CCTV DVRs which have proprietary OS and proprietary file systems.
| Research | Main area of concern | Identified potential limitations |
|---|---|---|
| Forensic analysis of video file formats-2014 |
|
|
| File System Forensics Analysis-2005 |
|
|
| International Conference on Digital Forensics-January 28-30, 2013 |
|
|
| Frame-Based Recovery of Corrupted Video Files Using Video Codec Specifications-2014 |
|
|
Large-size video files are often fragmented and overwritten. Many existing file-based techniques could not restore partially overwritten video files. The frame-based file recovery technique increases restoration ratio. The time of recovery is also important in day to day life. The time taken to identify frames and reassemble the video increases when the size of the CCTV hard disk increases.
REFERENCES
[1] Thomas Gloe, André Fischer and Matthias Kirchner, “Forensic analysis of video file formats”, Digital Investigation 11 (2014) S68–S76.[2] Aswami Ariffin, Jill Slay and Kim-Kwang Choo, 9th IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA, January 28-30, 2013.
[3] R. McKemmish, What is forensic computing? Trends and Issues in Crime and Criminal Justice, no. 118, 1999.
[4] B.Carrier, File System Forensics Analysis, Vol. 3. Boston, MA, USA: Addison-Wesley, 2005.
[5] B.Carrier. (2005). The Sleuth Kit [Online]. Available: http://www.sleuthkit.org/ sleuthkit/
[6] Eoghan Casey Rikkert Zoun, Design Tradeoffs for Developing Fragmented Video CarvingTools.2014 Digital Forensics Research Workshop Published by Elsevier Ltd.
[7] Gi-Hyun Na, Kyu-Sun Shim, Ki Woong Moon,Seong G. Kong, Senior Member, IEEE, Eun-SooKim, and Joong Lee, Frame-Based Recovery of Corrupted Video Files Using Video Codec Specifications IEEE TRANSACTIONS ON IMAGE PROCESSING,VOL. 23, NO. 2, FEBRUARY 2014.
[8] (2004). Winhex [Online]. Available: http://www.x-ways.net/winhex/Index-m.html
