Abstract: Objective The multimedia (video/audio) data in the embedded systems with digital video recorder (DVR) often act as vital pieces of evidence in the field of digital forensics. However, in the practice of forensic appraisal, it is common that the data in the DVR are inaccessible due to accidental deletion, malicious deletion or damage, which undoubtedly makes the digital forensics process more difficult. Methods Combined with the practice of forensic appraisal, taking the inaccessible DVR video files stored in MicroSD card as an example, the research on DVR data recovery based on the file allocation table (FAT) 32 file system and H.264 related file formats was carried out. Results The video files recovered through these two methods explored in this paper can be accessed normally, and the automatic reconstruction of DOS boot record (DBR) can also be achieved by running script files. Conclusion In this paper, we effectively recovered DVR systems data of FAT32 file system and H.264 format. In addition, we also realized the automatic reconstruction of DBR by running script files, which improved the efficiency of forensic examination. The research of relevant examination techniques has significant theoretical and practical value for the research on forensic examination of embedded DVR systems.

Key words: DVR data recovery, FAT32 file system, H.264-related file format, DBR, master boot record (MBR)

摘要： 目的 嵌入式数字视频录像机（digital video recorder, DVR）系统中的多媒体（视频/音频）数据往往是电子数据司法鉴定领域的重要证据，然而在司法鉴定实践中，DVR被意外删除、恶意删除或遭受损坏导致DVR中数据无法访问的现象屡见不鲜，这无疑使得电子数据鉴定过程变得更加困难。方法 结合司法鉴定工作实务，主要以存储于Micro SD卡中无法访问的DVR视频文件为例，开展了基于文件分配表（file allocation table, FAT）32文件系统和H.264相关文件格式的DVR数据恢复研究。结果 通过探讨的两种方法恢复的视频文件可以正常访问，同时还可通过运行脚本文件实现 DBR 的自动重建。结论 探讨的两种方法可有效恢复FAT32文件系统的DVR数据和H.264格式的DVR数据。此外，通过运行脚本文件自动重构DBR，可有效提高司法鉴定效率。相关鉴定技术的研究对嵌入式DVR视频的鉴定技术研究具有重要的理论研究意义和实践应用价值。

关键词: DVR数据恢复, FAT32文件系统, H.264编码数据流, DBR, MBR