Recovering Deleted CCTV From A Samsung SRD-1670D

A Case Study

As part of a computer forensics legal case, Data Clinic were recently asked by a solicitor to attempt to recover the footage from a CCTV system. The system had been with Cleveland police for several months, who during that time had been unable to recover any footage. We pick up the story from where we were first contacted by the solicitor.

Contact from the solicitor regarding the CCTV system, Cleveland Police were unable to recover anything and were unable to get through the password protection.
CCTV system arrived with us containing 2 x 2TB Western Digital hard drives, this system was a Samsung SRD-1670D
Each internal hard drive was tested with each displaying symptoms of media degradation, one quite badly degraded. (What is media degradation ? Go here: https://www.dataclinic.co.uk/recovery-hard-disk-drive-bad-sectors/)
Each drive was cloned on to another 2TB WD drive, one a perfect clone the other with approx. 9000 bad sectors from 1.9 billion, both clones were considered more than acceptable for the purposes of CCTV image recovery.
Examination of the drives showed each had an EXT3 partition of around 20GB and a larger XFS partition occupying the rest of the drive.
Both drives were returned to the CCTV system and powered on.
The system was security locked and neither the provided password nor the default would provide access.
The correct username and password was then hacked from a file located in the 20GB partition at the beginning of one of the drives.
We now had access to the system but no footage could be viewed, the system simply detailed each of the drives as empty.
We then accessed the drives once again to see if we could play any of the stored files using various video player and codecs. Each of the files had an extension of .SSF
The files could not be played using any of the software we found nor would our carving methods work.
We then discovered that the drive with the most content had partition damage due to the bad sectors and a lot of the files in the 20GB partition were in accessible. Attaching the drive to a Ubuntu system and running the command xfs_repair -L /dev/sda1 we were able to repair this enough to access and recover the missing files.
It was here we discovered that each of the video files had 3 associated files probably used by the system for metadata or playback purposes.
A new drive was introduced into the system and formatted using the CCTV device itself to provide use with a new undamaged volume.
All of the associated metadata files were then copied over to the 20GB volume and all of the video footage files were copied over to the larger XFS volume.
This newly created and populated drive was then introduced to the system.
Once again the system displayed the volume as empty, no video footage was displayed.
Further scans of the XFS partition revealed some older footage files, the interesting thing here was that these older deleted files were not prefixed with the letter D as with all the current present files.
It was here we discovered that the prefix of D must indicate to the system that these were deleted files and the CCTV recorder was disregarding them.
We then renamed quite a few of these files without the prefixed D and placed back into the system.
Once again the CCTV system showed no video data.
Looking at the volume again in Ubuntu each of the video files we modified had once again been given the D prefix.
It was here we discovered that the system was setup to delete video footage which was older than 40 days, and so much later, when the Police powered on the system, each of the video files were automatically given the D prefix and were disregarded by the system.
We then changed the CCTV systems date setting from sync and manually input the time back to the approx. date of the event in question.
Before re-introducing the disk again, we then renamed all of the video files by again deleted in the prefix.
Once introduced the system now allowed access to all the video footage which was before not viewable.
The footage from the event in question was located and the appropriate time period was extracted from the CCTV system using the back facility and output using the .AVI file type.
Data recovered.

Do You Need To Recover CCTV ?

This case study is just one example of the CCTV recovery work we do. For more information, please contact us.

Links
> Go to our CCTV and DVR Recovery Page
> Go to our Computer Forensics Page

cctv, computer, data, forensics, recovery

Reece Cairns

12:53 21 Jul 21

The hard drive I use for work recently died. I hadn't backed up for a few weeks and thought I'd lost out on a fair chunk of work. However, Data Clinic managed to retrieve the data in full (around 3TB) and returned it to me fairly quickly. A little pricey, but worth it. Excellent customer service too, I called up a couple of times and each time they were friendly, helpful and informative.

Hannah F F

14:22 02 Jul 21

I highly recommend Data Clinic Ltd. Although on the higher end of the price scale compared to a couple of other companies I contacted; this company is extremely professional and efficient with communication which is why I went with them.Others were a little bit pushy in their sales pitches and one of them failed to get back to me in time.Data Clinic give you the information without pressuring you to choose them which is what I liked. Due to how friendly and genuine they sound on the phone and professional emails I chose them.My damaged external hard drive was not allowing me to access any files. I sent in my damaged one and an empty new one and they were able to retrieve all the data from the damaged one and transfer it to the new one!Initially, when they arranged the old and new hard drives to be collected and sent to their lab, the courier Parcel Force missed two collections but eventually collected it. Due to the inconvenience caused because of this, Michelle who handled my case kindly gave me a £50 discount towards the total cost of the service. She provided her mobile number for easy contact to get updates as well.I had to pay a spare parts charge of £60 before the work was carried out.Once the work was carried out I was sent a final invoice for the balance. There was an extra charge on there for the supply of a hard drive but when I called to query it, Chris kindly ammended the invoice for me.Humans are not perfect and will make mistakes but it's the way the mistakes are handled which gives you a good or bad impression of a company.Data Clinic staff are very friendly and professional and if I ever need their services again I would not hesitate to contact them!Just to note, Parcel Force delivered my old and new hard drive with the recovered data back to me a day later than was promised, but this is not Data Clinics fault. Just be aware that if you use Data Clinic, Parcel Force may delay the collection and delivery. Other than that, I cannot fault Data Clinic for their hard work and professionalism.

Salutation
First Name *
Last Name *
Phone *
Email *
Device Type *
Description *
GDPR Opt-in *


User Type *