Forensic analysis of video data deletion and recovery in Honeywell surveillance file system

TL;DR

This paper analyzes Honeywell's proprietary video file system to understand deletion mechanisms and demonstrates methods for recovering deleted video data, aiding forensic investigations.

Contribution

It provides the first analysis of Honeywell's undocumented file system, revealing deletion methods and demonstrating video recovery techniques.

Findings

Deletion methods include formatting, data expiration, and overwriting.

Video data can be recovered after deletion using binary diffing techniques.

The study enhances forensic analysis capabilities for Honeywell surveillance devices.

Abstract

Real-time video surveillance systems store recorded video using digital video recorders (DVRs) and network video recorders (NVRs). To support continuous high-volume video storage, these devices employ specialized, nonstandard file systems that are often proprietary and undocumented. This lack of documentation significantly increases the time and effort required for forensic analysis. In this study, we analyze an undocumented proprietary file system used by Honeywell video surveillance devices-one that, to the best of our knowledge, has not been examined in prior work-and investigate its deletion mechanisms and demonstrate the feasibility of video recovery after deletion. We perform a file system analysis using a binary diffing technique and evaluate three deletion methods supported by the target device: 1) formatting-based deletion, 2) data expiration, and 3) overwrite. For each method, we investigate changes in file system metadata and on-disk data structures and demonstrate the feasibility of video data recovery. Our findings aim to support more efficient and accurate forensic investigations of Honeywell surveillance products and provide foundational insights into the analysis of proprietary file systems used in video recording devices.