DVR/NVR and Surveillance System Forensics

A traditional DVR takes analog feeds from CCTV cameras. Each camera connects over a 75-ohm coax cable terminated in a BNC connector, and the DVR has a fixed number of BNC inputs on its rear panel (typically 4, 8, 16 or 32). Inside the DVR, an encoder chip digitises each feed, compresses it with H.264 or H.265, and writes the segment files to internal SATA HDDs. Indian retail and small-shop fleets through about 2018 are overwhelmingly DVR. Brands seen most often at state cyber wings are CP Plus, Hikvision (older models), Dahua, Honeywell and Zicom.

An NVR takes already-digital streams from IP cameras. The camera contains its own encoder, the stream travels over Ethernet using ONVIF or a vendor protocol, and the NVR multiplexes and records. Power over Ethernet (PoE) is typical: a single Cat 5e or Cat 6 cable carries both the video and the 48 V DC for the camera, so the NVR doubles as a PoE switch. Hybrid recorders accept both analog (BNC) and IP camera feeds, which is common during Indian retrofits where half the cameras have been upgraded and half have not.

A cloud-recording NVR splits the storage. A small local cache (often a single 1 TB or 2 TB HDD, sometimes an SD card) holds the last few hours or days. The primary copy is uploaded continuously to a vendor cloud: Hikvision Hik-Connect, Dahua DSS, Wyze, EZVIZ, CP Plus iCloud. The on-premise disk image, by itself, will not contain footage from a week ago. The vendor must be subpoenaed.

The HDDs inside a DVR or NVR are formatted with the vendor's own file system, which the device firmware understands and the host OS does not. Most consumer-grade DVRs use a single HDD with no redundancy. Commercial NVRs use multiple HDDs in JBOD (just a bunch of disks, no redundancy), RAID 0 (striping, no redundancy, more capacity), RAID 1 (mirroring, redundancy at the cost of half the capacity), RAID 5 (striping with single parity, one disk's worth of redundancy) or RAID 10 (mirrored pairs striped, used in larger setups). Standalone DVRs sometimes have a small embedded NAND chip for firmware and configuration with the HDDs holding only the video.

The on-disk layout, across vendors, follows a recurring pattern. A small header region holds the magic bytes and the format version. A timestamp directory or index maps each minute (or each motion event) to one or more segment files. Segment files are fixed in size, typically 256 MB, and are written as a circular ring buffer: once the disk is full, the oldest segment is overwritten by the newest. There is no recycle bin, no journal that holds the prior version. A 4 TB DVR recording 16 cameras at 1080p with H.264 will hold roughly 20 to 30 days of footage before the ring closes. After that, every new second of recording destroys an old second from the same offset in the ring.

Any case more than a few weeks old, on a small-shop DVR, may have its relevant footage physically overwritten. Recovery work focuses on what remains in the ring, plus any fragments in slack space, reserved areas, or vendor-reserved system-log sectors.

H.264, also called AVC (Advanced Video Coding), is the dominant codec in Indian DVR and NVR fleets in 2026. It splits the stream into Groups of Pictures (GOPs), each starting with an I-frame (a complete still image) followed by P-frames (predicted from the previous frame, smaller, only encoding differences) and B-frames (bidirectional, predicted from both previous and following frames, smallest). A typical I-frame interval is 25 to 50 frames, which at 25 fps means one complete picture every 1 to 2 seconds. Between I-frames, the stream only carries motion deltas.

H.265, also called HEVC (High Efficiency Video Coding), is the newer codec, roughly twice as efficient as H.264 for the same visual quality. Indian NVR shipments since about 2022 default to H.265, especially for 4K cameras where bandwidth dominates. MPEG-4 is the predecessor codec, still seen on Indian government installations procured in the 2010s. MJPEG is the oldest: every frame is a standalone JPEG, no inter-frame compression, very inefficient on storage but trivial to extract frame by frame.

The frame structure dictates what the examiner can extract reliably. I-frames are independently decodable, so any single I-frame can be carved and viewed even if the surrounding stream is corrupt. P and B frames cannot be decoded without their reference I-frame; pull a P-frame out of context and it is meaningless. For evidentiary still images presented in court, prefer I-frames: they are visually complete, timestamped, and survive lossy extraction better than predictive frames. The date-time overlay burned into the video by the camera or DVR is part of the I-frame's pixel content, not a separate metadata field, so it travels with any extracted still.

The on-scene workflow is short and the order matters. A booted DVR, left running, will continue to overwrite the ring buffer; every minute of delay potentially loses the oldest minute of evidence. A DVR booted from its own disk in the lab will also start writing, which destroys integrity. The standard sequence is below.

1. Photograph the recorder in situ
   Front panel (model, serial), rear (cabling, BNC vs Ethernet), LED state. The recording LED on the front, if blinking or steady, is on-scene proof that the device was recording at the moment of seizure. Document camera count and which inputs are active.
2. Photograph the live screen and on-screen clock
   Use a wristwatch or a second device with NTP-synced time in the same frame. This anchors the DVR clock to wall time and lets the lab compute drift. Without this anchor, the DVR's burned-in timestamps are forever uncalibrated.
3. Export via vendor menu if write-protected by design
   Some DVRs let an authorised user export segments to a USB stick through the front panel menu. If the recorder is in this mode and the proprietor cooperates, capture an export of the relevant window. This is a non-invasive first pass; the HDD image is still mandatory.
4. Power down cleanly, then pull HDDs
   Use the front panel shutdown if available; otherwise pull AC. Open the chassis, note HDD model, serial and SATA channel position. Bag each HDD separately. Multiple disks in a RAID must be labelled with their physical channel because RAID metadata depends on disk order.
5. Image each HDD behind a hardware write-blocker
   Tableau, WiebeTech or CRU SATA write-blocker. Image with FTK Imager, Guymager or dc3dd. Compute SHA-256 of both source disk (read via blocker) and image. Record the hashes in the seizure memo.
6. Parse offline with DVR Examiner or equivalent
   Mount the image read-only, load into Salvation Data DVR Examiner, Magnet AXIOM Video, MD-Video or AmpedDVRConv. The tool identifies the vendor, parses the proprietary FS, lists segments and exports playable .mp4 or extracts I-frames as PNGs.
7. For cloud-recording NVRs, issue BNSS 94 notice to the provider
   Local disk image still required, but the bulk of evidence is in the cloud. Issue under BNSS Section 94 (production notice) to the vendor's India entity; cross-link with /topics/digital-forensics/cloud-forensics-multi-tenant-api-jurisdictional-challenges for the multi-tenant evidence-acquisition framework.

DVR Examiner (Salvation Data), the de facto industry standard, ships a recogniser library covering several hundred DVR and NVR firmware fingerprints. Load the disk image, it identifies the vendor and parses the ring buffer, lists camera channels and timestamps, and exports playable .mp4 segments with the date-time overlay preserved. Magnet AXIOM Video covers a similar set with tighter integration to AXIOM's case management. MD-Video (a Chinese tool seen in some Indian state-FSL labs) covers obscure South Asian rebrands. AmpedDVRConv specialises in container conversion when the underlying codec is recoverable but the container is not (typical for damaged .dav). For everything else, FFmpeg builds usable pipelines.

For frame-level work, FFmpeg is the bedrock. Common patterns the field examiner uses:

• Extract every I-frame as a numbered PNG. ffmpeg -i evidence.264 -vf "select='eq(pict_type,I)'" -vsync vfr i-%05d.png writes one PNG per I-frame. The numbering gives a stable reference for the court exhibit list.
• Extract a single frame at a precise timestamp. ffmpeg -ss 00:14:32 -i evidence.mp4 -frames:v 1 -q:v 2 still.jpg seeks to the moment, decodes one frame, writes a JPEG.
• Probe metadata without re-encoding. ffprobe -v error -show_streams -show_format evidence.dav reveals codec, resolution, frame rate, GOP structure, container metadata. This goes into the exhibit description verbatim.
• Re-mux without re-encoding. ffmpeg -i evidence.264 -c copy evidence.mp4 repackages an H.264 raw stream into MP4 for viewing in court IT, with no quality loss and a verifiable byte-for-byte preservation of the codec layer.

Temporal correlation is where DVR evidence succeeds or fails. The DVR clock drifts: 1 to 5 minutes per month is normal for Indian field installations without NTP. Drift correction is done by taking the wall-time photograph captured on scene (DVR overlay versus wristwatch), computing the offset, and then propagating it linearly back across the recording window. If a relevant event happened 14 days before the seizure and the DVR was 3 minutes fast at seizure, with a typical drift of 0.1 minute per day, the event window opens roughly 3 minus 1.4 equals 1.6 minutes early on the DVR's burned-in clock. Document the calculation in the report; counsel will ask.

The legal frame in 2026 is BSA 2023 Section 63, which replaced Indian Evidence Act Section 65B. The requirement is that a person responsible for the device or the management of the relevant activities certify, at the time the electronic record is produced, that the record was produced from the device in the ordinary course of business, that the device was working properly (or, if not, that the malfunction did not affect the record), and that the record is a true reproduction. For a CCTV image, the certifying person is usually the shop proprietor, the security manager, or the IT manager who owns the recorder; for a cloud NVR it is the vendor's nodal officer in India.

Two case-law anchors are tested every cycle. The first, Anvar P V v P K Basheer (Supreme Court, 2014), made Section 65B compliance mandatory for electronic records and is carried forward by Section 63. The certificate is the gatekeeper. The second, Tomaso Bruno v State of UP (Supreme Court, 2015), addressed a murder case where the prosecution failed to produce CCTV that should have existed; the Court treated the absence as a fact adverse to the prosecution under what is now BSA Section 119 (presumption against the party withholding evidence). The lesson for the modern Indian examiner is symmetric: present CCTV cleanly with the Section 63 certificate, and the defence has nothing to work with; present CCTV with timeline gaps or hash mismatches, and the same presumption can be turned against the prosecution.

Integrity, as a technical matter, comes from hashing. SHA-256 of the disk image, SHA-256 of each extracted .mp4 segment, SHA-256 of each extracted still frame. The hash chain is documented in the case file. Cross-link the in-court mechanics at Bharatiya Sakshya Adhiniyam: Forensic Evidence in Court, and the parallel question of how scene videography itself is preserved at Digital Imaging, 3D Scanning and Videography.

Common forensic challenges, ranked by how often they break a CCTV case in Indian courts:

• Clock drift uncalibrated. The wall-time photograph was never taken on scene, so the DVR overlay cannot be tied to NTP. The downstream timeline cannot be defended against CDR or mobile-tower evidence.
• Proprietary codec or container the lab cannot parse. The vendor went out of business, the firmware version is undocumented, no DVR Examiner signature matches. Reverse engineering is sometimes the only path.
• Motion-only recording gaps. Many small-shop DVRs record only on motion detection to save disk. The gap between motion events looks identical to deleted footage and must be distinguished by examining the system log.
• Encrypted streams. Some newer enterprise NVRs encrypt the stream between camera and recorder, and the disk holds ciphertext until the recorder boots and decrypts at playback. A pulled HDD is useless; the recorder firmware is required.
• Vendor non-cooperation on cloud NVR. The data centre is offshore, the India entity is a sales office, the BNSS 94 notice gets a slow or partial response. MLAT (Mutual Legal Assistance Treaty) work is sometimes the only path.