Car Camera Video Forensics

by Gordon. Posted in Video Forensics

I was recently asked to recover some video footage from a car camera (model Kaiser baas KBA12001) . one of those little self-contained cameras that stick to the front windscreen and record to an SD card within the device.  It can record with a video resolution of 640×480(30fps) or 1280×720(30fps) using a video format of AVI(MJPEG). This unit can also capture JPEG still images at up to 2560×1920(5M) and can take up to a 64GB SD card and retails for around $100.

Once provided with the SD card (16GB) I flicked the slider switch over to read-only, to ensure nothing further could inadvertently write to the card.  Observed on the card were 83 AVI files (containing MJPEG formatted video with a resolution of 1280×720 at a frame rate of 30fps and ADPCM mono audio with a sampling rate of 16kHz and 16bits/sample) and 4 JPEG snapshots. Each AVI file was typically 150 – 200MB in size giving a total data size of 12.1GBytes. This left 2.76GB of unused space out of an available 14.8GB of formatted storage. These files dated over a period of three days, each file was roughly 2 minutes of MJPEG video.

From a Video Forensics viewpoint, the request was for some footage of an event that had occurred 23 days earlier than the earliest file still viewable on the SD card.  Not very promising, but still possible if that data had not yet been overwritten and therefore retrievable.

Recovering Deleted Files

Calculations determined that the FAT32 formatted 16GB SD card can store approximately 2hrs 40mins of recorded data at the resolution observed (it’s highest setting) before deleting all files and starting again. The card was showing around three days of recordings, and it could be estimated that typical use would be close to an hour a day on weekdays, e.g. school runs and shopping runs. If that estimate is correct, 24 days use would equate to 5 or 6 full deletes and overwrites.  Things are looking bleaker for a successful recovery.

Using some reliable software to read the FAT tables and retrieve the deleted data, nearly 700 deleted files were noted (none were listed as complete); well filenames at least, as the card is only capable of storing up to around 100 2minute files max, and there were 87 active files already stored.  Due to the multiple full deletes and overwrites that have occurred, anything could be present within the listed space allocation associated with the deleted files, and it was. There were partial files starting and ending all over the place, data without headers and ends, multiple space allocation overlaps, the works.

Rebuilding MJPEG files

After retrieving 209 files that were dated around the time of interest, attempts at playback were found to be futile due to the multiple overwrites and resulting partial data blocks. Using a wonderful application called “Defraser” I was able to rebuild headers for the pieces of data that were retrieved and this resulted in some 15 retrieved files being playable, with a number of them duplicated due to the different filenames addressing the same storage space. Unfortunately, none of the recovered files dated back earlier than 6 days prior to the earliest active file. So no joy with recovering the events of interest from 24 days earlier.

Recommendations

  1. Know your recording system’s settings and capabilities.  In this case, the system uses the MJPEG algorithm, which although it is some 10 times less efficient as H.264, it does provide the best possible chance of recovering and enhancing data due to every frame being a full image. The H.264 algorithm will have one full image keyframe followed by a number of predictive frames that only contain predicted changes to the keyframe for anything from the next 10 to 70 frames depending upon settings.  If this system had been using H.264, I doubt that any of the retrieved file would have been rebuildable and playable, as once keyframes are lost, all successive predictive frames are useless as they have no reference.
  2. Ensure you are happy with the resolution it records at and how long it takes to fill up. I would always recommend recording at the highest resolution and frame rate possible and accept that it will fill up fast, counter this by using the largest possible recording media that the system will take.
  3. Always have some spare SD cards handy, so that when something happens that you feel could be required later, take the card out, switch the tab to read-only and put it aside for safekeeping.