Authors: Jinhee Yoon, Sungjae Hwang
DFRWS USA 2026
Abstract
Real-time video surveillance systems store recorded video using digital video recorders (DVRs) and network video recorders (NVRs).
To support continuous high-volume video storage, these devices employ specialized, nonstandard file systems that are often proprietary and undocumented.
This lack of documentation significantly increases the time and effort required for forensic analysis. In this study, we analyze an undocumented proprietary file system used by Honeywell video surveillance devices—one that, to the best of our knowledge, has not been examined in prior work—and investigate its deletion mechanisms and demonstrate the feasibility of video recovery after deletion. We perform a file system analysis using a binary diffing technique and evaluate three deletion methods supported by the target device: (1) formatting-based deletion, (2) data expiration, and (3) overwrite. For each method, we investigate changes in file system metadata and on-disk data structures and demonstrate the feasibility of video data recovery. Our findings aim to support more efficient and accurate forensic investigations of Honeywell surveillance products and provide foundational insights into the analysis of proprietary file systems used in video recording devices.