Archive for the ‘Computer Forensic Investigations’ Category

CCTV G-RAID Data Recovery and HP Spectre Laptop

Wednesday, January 8th, 2020

In this article we talk about data recovery from CCTV, a G-RAID thunderbolt, an HP Spectre laptop and a SATA hard drive that is not responding.

Retrieve footage from CCTV

I need to talk to you about a CCTV issue.
I tried to retrieve footage on my 16 channel NVR, which had a 1TB SATA drive, which at the time recorded 8 IP cams. I found that I could go back to footage from 16th Oct.
I actually need footage of the 15th Oct.
Would the footage be irretrievable? It is most likely overwritten but I’m hoping that maybe the NVR would start to overwrite different parts of the HD and thus there is a likelihood that it is retrievable?
The NVR is a cheap unbranded made in China 16 channel NVR.
It records in H.264.

No files on G-Raid Thunderbolt

G-Technology G-Raid Thunderbolt Drive is recognised, but you cannot see any files as it just keeps loading. The drive then starts to crash Finder, which it continues doing until you unplug it. You sometimes might have to restart the Mac to get it working normally. It sounds as if the disk inside the drive is trying to start spinning but cannot.

HP Spectre laptop – Boot device not found

This is the type of drive:
It’s in an HP Spectre Laptop.
After laptop said “Boot Device Not Found” I opened the laptop. The SSD is getting very very hot.

SATA hard drive whirring and buzzing

I work in IT and I have a customer’s SATA laptop hard drive that they require accessing (if possible). I have removed the hard drive from the laptop and have put it into an external hard drive caddy, and it is just whirring and buzzing every few seconds. It isn’t being recognized by Explorer or by any file recovery software. Could you quote on a possible repair and recovery please?

Lost text messages on HTC and Galaxy

Sunday, April 8th, 2018

What are the most valuable items of data on a mobile phone? For the owners of HTC M8 and Samsung Galaxy S7 phones, the answer seems to be lost text messages. Here are two examples:

About 3 weeks ago I lost some text messages from my mobile phone (HTC M8). I don’t recall deleting it, perhaps I did without knowing. I never backup my data. I’m only interested in lost data of one contact that’s all.
Please let me know if you are able to help?
I live close to Data Clinic’s Lombard St centre in London. I’m happy to take it there if someone wants to have a look at my device. I also have the data stored on a broken hard drive so I’ll bring that in too and hopefully you can get the data off of it.

I have got an old, broken Galaxy S7 Edge that has some photos and text messages on it that I would really like to retrieve. The problem is that the phone is bricked, the screen is broken, the battery is dead (as in not chargeable dead), the charging/data port is broken, the list goes on. I’m just hoping to get my old photos back, and would like a quote if that’s okay. Just a heads up, I probably won’t be able to answer a call back in business hours just due to my job (having seen the button that says request call back) so if you could pop me an email to the address provided instead, that would be brilliant.

When attempting to retrieve text messages from phones that still turn on, the best way forward is to try a software extraction process. This can be done by downloading some software from the internet that will do the job for you. However, if your phone no longer turns on then you’ll need to get the assistance of a phone data recovery company to help you. These companies are able to read the text message data from the memory chips on your phone, even if it no longer switches on.

Often in legal cases it’s necessary to extract messages and data from a phone where those messages have been lost or deleted. A data recovery company who are also experts in extracting text messages (whether deleted or not) are Data Clinic, who have both a phone data recovery services page and a phone data extraction (investigative forensics services) page.

The Achilles Heel of CCTV Equipment

Thursday, February 11th, 2016

There’s a huge growth in CCTV equipment in the UK, and a recent study by the BBC claimed that in 2015 there were somewhere between 4 and 5.9 million cameras in the UK. As this article is now over a year old there’s a very high chance that this number has increased.

Whilst there is much public debate that surrounds the ethical and moral use of CCTV cameras and their capture of actions by people unaware they are being filmed, it is of interest to note that there is practically zero debate about how vulnerable the data stored by CCTV actually is. To understand this issue we need to look at the basic hardware components of any CCTV system, or to be more accurate, just one of them: the hard disk drive.

Very much like the computer you have at home, the data captured by a CCTV recorder is stored onto a computer hard drive, and it’s here where the Achilles Heel can be found. The hard drive is a fragile device. One knock or blow can cost a user their data. Hard drives should be sold with a “Handle With Care” label. The reason why hard drives are so brittle is that they rely on an old technology built around moving parts. Central to a hard drive is a rotating magnetic disk or “platter”. This is coated in a magnetic film which is able to store billions of electronic signals that represent either a ‘0’ or a ‘1’. Images are written to the hard drive as a series of zeros and ones by another moving part: an arm that moves back and forth across the surface of the platter, writing and reading the data.

It’s these moving parts that are extremely fragile, but there are many other faults a hard disk can suffer from that will also result in the images recorded being lost. Once the hard disk is damaged it requires experts in recovering CCTV images to repair the hard drive and get the images back. Although these companies are highly skilled, it’s not guaranteed that they will be able to rescue the images from a damaged or broken CCTV system. It very much depends on the fault.

So if hard drives have this Achilles’ Heel, being so fragile and so prone to breakage, why use them in CCTV recorders? Hard drives do actually have a lot of positives in their favour. They are cheap, they store a lot of data, they don’t use much power and are therefore cheap to run. But most of all in these days of mass surveillance, they are the only option.

Starting A Business in Digital Forensics – Part 3

Sunday, February 7th, 2016

Here’s the final part of the article about setting up a digital forensics lab, following the first and second parts.

Product, Customers, Markets, Channels, Brand and Pricing for Digital Forensics:

A Description of What Digital Forensics Does

Computer Investigations
As digital devices become more ubiquitous and integrated into ever more aspects of daily business, academia, and individuals’ personal lives, so has their use as a tool and as a source of evidence in criminal investigations. Law-enforcement agencies must now consider the role a digital device may play in every type of crime, from murder and drug deals, to blackmail and paedophilia. The digital device may be used as a tool in the perpetration of the crime or just as a repository for information related to the crime. Law enforcement officials do not have the expertise in sufficient quantity to conduct the required investigations, using their own resources and implementing all of the digital devices and systems necessary. As a result, in many locations, a serious backlog of cases has developed. The services offered by the forensics lab would allow us to be seen by law enforcement agencies as a trusted organisation that they could outsource part of their investigations to.

The Need for a Digital Forensics Service
The sheer volume of digital forensics work that has arisen, partially due to the spread in the use of digital devices, and partially as a result of law enforcement and commercial operations to address computer crime issues, has resulted in law enforcement computer crime units being overwhelmed by the volume of work. The time required to train new staff, and the salaries available for public servants, ensure that the supply of trained staff for law enforcement agencies will always be less than the demand for their services.

Target customers will initially be taken from local law enforcement, government departments, and commercial organisations. As the service becomes established, we will expand this to other law enforcement regions and then to local and central government departments.

We will initially target the law enforcement community in the London and southeast portions of the United Kingdom. When the customer base is established, other law enforcement bodies will be targeted and then eventually the government market, banking, and financial services market, health care market, manufacturing and retail market, and telecommunication markets.

Research conducted with local law enforcement agencies and feedback from practitioners attending local seminars has demonstrated there is an unprecedented level of interest in the proposed service.

Starting A Business in Digital Forensics – Part 2

Thursday, January 21st, 2016

Here’s the continuation of the article about setting up a digital forensics lab, following the first part.

Outline of Proposal

  • This proposal concerns the establishment of a Digital Forensics Service, to be known as “The Digital Forensics Laboratory”. The service will operate on a Monday – Friday, 9 – 5 basis, with a call out facility for after-hours requirements, and will satisfy a need in the law enforcement and government department market area for a service that improves the timeliness and quality of evidence for use in prosecutions. In addition it will also provide the same level of quality information for use by corporate customers in industrial tribunals that involve the misuse of digital assets.
  • The business proposed in this “case” represents a minimal viable business, with minimum financial risk, and an expected turnover of £200,000 in the financial year rising to over £2 million, 5 years later.

The next section of the business plan describes in more detail the business being proposed and explains what it will deliver.

The Business

The Nature of the Digital Forensics Service Offering

  • The purpose of the Digital Forensics Service is to provide clients with a reliable and knowledgeable service that will service the demand being placed on law enforcement agencies and government departments as a result of ongoing operations and new legislation.
  • The law enforcement and government department market for digital device based investigations is one of the fastest growing markets in the US, the UK, and Europe. This has been brought about by an infusion of funds from the government and the creation of a number of high tech crime investigation units around the country. The creation of these units was a reaction to the increased reporting of digital device based crimes and the lack of skilled staff to address the issues raised.

The Scope of the Digital Forensics Business

  • The business will be a £200,000 establishment, growing to a greater than £2 million turnover business from a laboratory located at the corporate headquarters.
  • There will be a number of offerings to clients, all based on digital forensics. The laboratory will provide a digital device imaging and analysis service for evidence to be used in the courts and in industrial tribunals. The laboratory will provide individuals to act as expert witnesses for the courts and, where required, will provide training to organisations in digital forensic techniques.
  • The service offering, known as “Digital Forensics”, will be launched in January
  • The laboratory will initially utilise industry standard tools for digital forensics imaging and analysis, but as the requirement for the imaging, recovery, and analysis of particular elements and types of information becomes clearer, tools will be acquired or developed to meet the requirement.

Business Strategy for the Parent Organisation vis-a-vis Digital Forensics

  • The principal factors that have influenced the strategy for this business case are investment, staffing resources, and existing expertise and culture within the Organisation.
  • Factors that have not influenced that strategy include the organisation’s desire to be a recognised centre of excellence in the computer security and computer crime investigation areas in the future, or the size of the market for such services. The latter is not seen to be a limiting factor to the growth of the business.
  • The strategy for the activity is to establish the parent organisation as a premier centre for digital forensics services and digital forensics research in the US. This business case, being modest and risk averse, does not seek to establish the parent organisation as the market leader.
  • The non-financial benefits of this activity are that it will allow the staff involved to become highly proficient in the area which in turn will benefit the organisation as a whole and will enhance the reputation of the parent organisation.
  • By undertaking forensic investigations the staff will gain knowledge and skill in areas that will support the wider organisational infrastructure.

Starting A Business in Digital Forensics – Part 1

Thursday, January 7th, 2016

Developing a business plan is always a subjective affair, especially in digital forensics which is such a new field and full of unknown quantities. UK computer forensics experts are among the best known computer and data investigators in the country, and considerable advice and examples of using best practice were adopted by them in the construction of their original business plan. Of course, your own organisation will likely also have its best practices and accepted ways of doing things. The material provided here is not intended to be a rigid template, but is offered as an example of a type of business case used successfully by an organisation to create a digital forensics laboratory.

As with any good document you want senior management to absorb, there should be an executive summary at the front telling them – in the length of only a page or so – what the document is about and giving them the “elevator pitch” level of information you want them to approve. To provide context, the following business plan has been written as though the digital forensics laboratory would work within the security department.

Executive Summary

  • This document is the Business Plan for a proposed new activity to be managed by the Security department at the parent Organisation.
  • The activity is concerned with the provision of a Digital Forensics Service, aimed at law enforcement, government departments, major corporations, and small to medium enterprises in the high tech market. The market is ready to explode, and we are ready to exploit it.
  • The market need for these digital forensics services arises from the growth in the detection and pursuit of digital based crimes and the resultant need to forensically image digital devices for law enforcement agencies, government departments, and corporations, and to provide individuals who can act as “expert witnesses” in the courtroom.
  • The Digital Forensics Service will provide a low cost, easy to understand service, and be a highly effective solution for the current business climate.
  • The purpose of this business case is to present management with the information needed to determine whether or not to proceed with the business. Approval to proceed is sought.
  • Although not without risk, the digital forensics business has both a low technical risk and low financial risk, and is capable of being managed by the Security department.
  • The digital forensics business requires a relatively small investment and has a payback period of less than three years.
  • Income in year 1 will be £150,000, rising to £1,000,000 in three years, and £2,500,000 in five years.

The next section of the business plan is the outline of the proposal that gives a short explanation of the purpose of the plan and an indication of scope.

Handheld Forensic Investigation

Tuesday, December 8th, 2015

When dealing with a handheld device, a set of additional considerations must be addressed to ensure that any evidence it contains is captured in a manner that makes it usable in any criminal or civil action. The term “handheld device” is used to describe a range of devices that continues to expand. It includes electronic organisers, tablets, personal digital assistants (PDAs), mobile and smart phones and, as they reduce in size, devices that would previously have been called laptop computers. An increasing convergence in the capabilities of small devices is underway, and the distinction between the whole range of handheld devices is shrinking.

In addition to the types of devices previously detailed, a number of other electronic devices fall into the handheld group that might be encountered during searches, and which may contain evidence relevant to the investigation. These include pagers, digital cameras, MP3 and MP4 players.

Electronic organisers, PDAs, tablets and smartphones range from very small and very cheap devices that may contain anything from a few telephone entries to expensive devices that have as much processing power and storage as the desktop PC of only a few years ago. These devices work on a range of operating systems, such as Linux, Windows CE, the Palm OS and the Symbian OS. Mobile and smart phones range from devices capable of making phone calls and storing a small list of phone numbers to modern 3G and 4G capable devices that have the functionality of a computer.

Small laptops such as the Nokia N810, the Toshiba Libretto, and the HTC “Shift” are fully functional laptops that have been reduced in size to the point where they are treated very much like other handheld devices. The same is true for computer tablets.

Despite the range of hardware and operating systems, all handheld devices these days provide a similar level of functionality. They contain a small microcomputer with a miniature or virtual keyboard and a display screen and memory chips or micro disks on which information is stored.

In some of the devices, the memory is volatile and is kept active by the battery. If this fails or is allowed to fully discharge, all information contained in the device may be lost. However, even then, it may be possible to recover data from flash memory.

Other devices have two sets of batteries. The main battery is used to run the device when it is turned on, while a backup battery maintains information in the memory if and when the main battery fails or is fully discharged. When handheld devices are seized, specialist advice should be obtained at an early stage to determine the most appropriate way to handle and store the device. With handheld devices, special consideration must be given to the isolation of the device to prevent data stored on it from being altered or deleted as a result of connection to a network.

The information stored on a handheld device is likely to be held in volatile memory. Consequently a main concern is to make certain the procedures in place ensure that the evidence stored in the main memory is changed as little as possible. Any changes that occur must take place with the certain knowledge of what is happening internally on the device.

To access most handheld devices, it is typically necessary to switch them on. This means that every effort has to be made to avoid modifying the contents of the device. In addition it is often not possible to create an image of some handheld devices in a manner that can be repeated to achieve the same hash value, because variables such as the clock times are constantly changing.
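The repeatability problem described above, shown as an added example that is not part of the original article: two acquisitions of the same device give different whole-image hashes because a clock and an uptime counter moved, while per-block hashes let the examiner record exactly which byte ranges changed. The function names, the 4096-byte block size and the sample image layout are assumptions made for this illustration.

```python
import hashlib
import struct

BLOCK_SIZE = 4096  # assumed block size for piecewise hashing


def image_hash(image: bytes) -> str:
    """SHA-256 of the whole acquisition, as recorded in the case notes."""
    return hashlib.sha256(image).hexdigest()


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 of each fixed-size block (the last block may be short)."""
    return [hashlib.sha256(image[i:i + block_size]).hexdigest()
            for i in range(0, len(image), block_size)]


def changed_ranges(first: bytes, second: bytes,
                   block_size: int = BLOCK_SIZE) -> list:
    """Byte ranges (start, end) whose block hashes differ, adjacent blocks merged."""
    a = block_hashes(first, block_size)
    b = block_hashes(second, block_size)
    limit = max(len(first), len(second))
    ranges = []
    for idx in range(max(len(a), len(b))):
        ha = a[idx] if idx < len(a) else None  # None: block absent from this image
        hb = b[idx] if idx < len(b) else None
        if ha == hb:
            continue
        start = idx * block_size
        end = min(start + block_size, limit)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous range
        else:
            ranges.append((start, end))
    return ranges


def compare_acquisitions(first: bytes, second: bytes,
                         block_size: int = BLOCK_SIZE) -> dict:
    """Summary an examiner could attach to the notes for two acquisitions."""
    ranges = changed_ranges(first, second, block_size)
    changed = sum(end - start for start, end in ranges)
    return {
        "first_sha256": image_hash(first),
        "second_sha256": image_hash(second),
        "whole_image_match": image_hash(first) == image_hash(second),
        "changed_ranges": ranges,
        "unchanged_bytes": max(len(first), len(second)) - changed,
    }


def make_image(clock: int, uptime: int) -> bytes:
    """Constructed 64 KiB stand-in for a device memory image (not real data)."""
    buf = bytearray(b"\xa5" * (16 * BLOCK_SIZE))
    struct.pack_into("<Q", buf, 2 * BLOCK_SIZE + 16, clock)   # clock field, block 2
    struct.pack_into("<I", buf, 3 * BLOCK_SIZE + 4, uptime)   # uptime field, block 3
    buf[10 * BLOCK_SIZE:10 * BLOCK_SIZE + 12] = b"SMS: example"  # static user data
    return bytes(buf)


# Constructed sample: the same device imaged twice, 45 seconds apart.
FIRST = make_image(clock=1449571200, uptime=120)
SECOND = make_image(clock=1449571245, uptime=165)

if __name__ == "__main__":
    report = compare_acquisitions(FIRST, SECOND)
    print("whole-image hashes match:", report["whole_image_match"])
    for start, end in report["changed_ranges"]:
        print(f"changed bytes {start:#x}-{end:#x}")
    print("unchanged bytes:", report["unchanged_bytes"])
```
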

Getting CCTV Images Back

Monday, March 23rd, 2015

CCTV is being used increasingly extensively in the UK these days. It seems like it’s impossible to walk in some places without spotting a ubiquitous CCTV camera high above on a wall looking down. While there is a fair amount of criticism of CCTV recording in public places, CCTV images have helped in the solving of some nasty crimes of late (source:

Most CCTV recorders write their images to hard drive where they can be recalled when necessary but what happens if the CCTV images are lost? Who do you go to if you need them restoring?

UK company Data Clinic are CCTV restoration specialists who are able to retrieve the video and images recorded on most CCTV systems. Their skills are known far and wide and are used by the public, business owners and police forces to retrieve potential evidence that may be stored on a CCTV system. They have been asked to recover CCTV images that have been lost and deliberately deleted as well as from hard drives that have stopped working.

Many CCTV systems record the data to their hard drives without issue but some of the hard drives in the recorders are not of the best quality and can break very easily. This is when Data Clinic’s skills come into their own – recovering the images from the CCTV so that they can then be examined by a trained and highly skilled computer forensics examiner who will be able to extract evidence.


Using a CCTV DVR System to Monitor Your Business

Friday, January 3rd, 2014

Security is an important concern for any business. Having a strong security system is not only important in terms of deterring and preventing theft, but it can also be an important factor in determining your insurance premiums. Businesses need to worry about theft by local gang bangers as well as employees with access to inventory and the cash register. Even a full time security guard does not have eyes in the back of his head. To get the most comprehensive surveillance possible, you need video monitoring. CCTV DVR systems represent a great system towards these ends.

Closed circuit television (CCTV) cameras are at the heart of any monitoring system.  These provide the watchful eye that scans your shop, potentially 24 hours a day and 7 days a week.  These can be acquired in simple black and white, color, or even with infrared capability.  The latter is especially useful if they will be monitoring the place in the dark.

Each camera is outfitted with a lens that defines the viewing angle.  These lenses can be configured for a very wide fisheye style viewing angle to cover the most real estate possible.  They can also cover a narrow field if you need a close up view with detail, such as perhaps near a cash register where one might want to be able to catch the denominations of any bills pulled out.  Cameras can also have zoom lenses that can pan in and out when controlled remotely.

It is not uncommon for CCTV cameras in such a system to be hard wired directly to a digital video recorder (DVR) which will record all of the footage in real time.  However, many modern cameras are being produced to work without being physically wired in to any other device other than the electrical socket supplying power.  These usually have their own wireless data transmitter that is connected to a wireless router or hub.  This hub then usually connects to the worldwide web and the DVR. The DVR can be either at the location being monitored or somewhere off site where it is secured from being tampered with by employees or thieves.

There are many advantages to this setup. First, this makes setting up the system relatively easy. There is no need to worry about running cable lines from various parts of the establishment, which could require substantial refits to the premises. Each camera in such a system can also be polled remotely using its assigned IP address in real time. If the DVR fails for some reason, this could be useful for obtaining real time security. Certain cameras might even have the ability to pan back and forth and zoom in and out. These could then be controlled remotely using the IP address with this setup if suspicious activity is observed.

The DVR’s primary function is to collect and store the incoming data. In older systems this would have been handled by a video cassette recorder (VCR). The obvious disadvantages of the latter system are (1) the short duration of the tape which requires frequent replacements, (2) the ability to only record one camera per VCR, and (3) the inability to go back and view previous video frames on the tape while it is still recording. DVRs solve all of these problems.

DVRs utilize a hard disk to store the data instead of a tape.  All video is digitized at the level of the CCTV and then compressed into a digital file using standard computer video formats.  Due to the speed of the digital processing power of the DVR, it can handle signals from many cameras at once, writing all the data onto different hard drive files as the data comes in.  Since computer hard drives can hold up to four terabytes of data, a lot of video can be stored before the old video would have to be backed up to some other sort of backup.  Since hard drives operate on the principle of random access, one can always go back and view any frame or multiple clips from multiple views simultaneously even though the system is still recording. As you probably know, hard drives can break from time to time and the data on them lost. Should this happen it’s frequently necessary to contact a CCTV or DVR data recovery specialist.

DVRs can be configured as standalone units, like home entertainment center DVRs, or as personal computers outfitted to perform the same function. A computer DVR will give a business owner much more flexibility in terms of software that can be used in addition to software and hardware expansion possibilities. However, a standalone unit can be more stable since it is usually not working on a bloated PC operating system that can be prone to crash. Multiple PCs can be used, one off site and one on site, if crashes are a concern. The latter configuration also provides some redundancy in case of an outgoing network failure affecting the off site DVR or physical tampering of the data at the on site unit.

CCTV DVR systems have provided business owners with more options to monitor their operations more efficiently. Deterring crime with 24/7 surveillance has never been easier to install or more cost effective.

Computer Repair

Tuesday, October 29th, 2013

Hmm, I wonder, is computer repair a thing of the past?

These days it seems to me that we live in an ever increasing disposable world – items that break are no longer repaired, they are simply replaced. Our TV breaks, and we just get a new one. Your printer breaks – why would you even bother to get it repaired? – just buy a new one – have you seen how little they cost ? I can buy a new printer (ok I admit it might not be a very good one, but it’ll do the job) for less than £50. Do you see what I mean? – we live in a disposable society.

I suggest that the only part of a computer system you would think to have repaired instead of replaced would be the hard disk, and only if you’ve got data on there that you want to recover that you haven’t got saved anywhere else.

Strange to think isn’t it that the funny looking little rectangular box you have holds all your data… If you’re a home user it’ll have your films, music and holiday snaps on. Perhaps it has pictures of the kids too. I’ve noticed that it’s often women who are more protective over family pictures than men. Men will often say that the data isn’t worth £500, but ask a woman if she’s prepared to spend £500 to get the pictures of her children back and the answer will often be a yes!

If you use your computer for business purposes there may well be some sort of procedure in place to back up your data automatically – often to a central server of some kind or some cloud based system. Personally I have a mistrust of all cloud based systems. There are 2 main issues

The first point is obvious. The second takes a bit more explaining – US law (and with the co-operation of most of the G7 countries too it seems) is now legally entitled to look through your data. To paraphrase Obama – “If you’ve nothing to hide, you’ve nothing to fear” sort of misses the point doesn’t it?

So in today’s world it’s all disposable except the data you value, and then, you need to be careful where you store it and who might be looking at it.