Restoring erased DVR surveillance video played key role in investigation

Video footage found within surveillance systems can be very helpful when investigating a crime, but criminals know this too, and so they sometimes try to erase, turn off, and evade these systems.

Knowing how to recover these erased surveillance files was vital to the success of a recent forensic investigation at NCAVF. Each brand of DVR and their resulting videos come with specific challenges as each model behaves differently, uses different video formats, and contains a labyrinth of menus, directories, and folders.

This digital forensic mystery started when Angela (actual name undisclosed) returned from vacation to find her home had been burglarized. Her first thought in catching the intruder was to review footage on her security system’s DVR. Unfortunately, the DVR showed no recordings for the time she was away. Really, no video?

She suspected the intruder was her estranged husband with whom she was having a dispute in family law court.

The surveillance DVR was the best hope for solving the mystery of the thefts, but viewing video through the DVR’s playback software revealed no recordings for the timeframe in question.

Angela contacted NCAVF for help.

Our forensic investigation uncovered a detailed log file documenting changes made to the system including that the DVR was formatted several times early one Sunday while Angela was on vacation. This proved that someone had logged in and purposely tried to erase the surveillance evidence which showed their activity inside Angela’s home.

The above log proved DVR hard drives were formatted early on a Sunday morning while client was away on vacation. The videos recorded during this period could be recovered through a forensic process, revealing the actions and identity of whoever had entered the home of our client.

Formatting a hard drive this way is comparable to ripping out the table of contents in a book; the book is still intact and the contents can be reconstructed by reading through the book page by page. 

In this case, very little footage had been recorded after the hard drives were formatted because Angela unplugged the DVR very soon after discovering the intrusion. This meant that the ‘deleted’ videos remained on the hard drives even though they seemed inaccessible. Since the data had not been written over by the security system, the videos could be recovered in the forensic process that would reconstruct the table of contents.

Through her attorney, Angela confronted her estranged husband with these damaging facts and walked away with a favorable settlement; her husband quickly agreed to settle rather than face embarrassing video evidence.

Criminals try to find ways to sidestep technology but sometimes slip up. It’s the challenge of forensic organizations to uncover the truth.