Product Features
Decorative header for Magnet DVR EXAMINER

Analysis of Hikvision Date/Time

Hikvision-based systems store date/time metadata a little differently than other DVR filesystems, and when it comes to adding support for new DVRs into DVR Examiner, or recovering video manually for a laboratory case, understanding date/time information is critical.

Most DVR filesystems store key metadata in 2 different places: the index(es) and at the beginning of each frame. In the case of the Hikvision-based systems, the index information is stored at the end of each data block, and provides a date time range per channel for the clips within that block. In this metadata, the date time is stored as a traditional Unix epoch timestamp (seconds since 1970). However, the date/time metadata at the frame level is stored in a very different manner.

An Experiment with a Hikvision-Based System

As a part of the process that we use to implement support for new DVRs into DVR Examiner, we conduct a series of test recordings with known variables. This way, when we are trying to decipher date/time metadata, we know exactly what we are looking for, and since we use the same dates and times in every recording, we begin to recognize the common date time formats. In this case, Hikvision DVRs also ‘burn in’ the date time into the video, so we know exactly what we are looking for in metadata for a given frame.

DVR Frame example

In this situation, we are looking for 2013-12-31 at 23:44:40. While the block or clip level metadata is an easy Unix epoch timestamp, the frame level metadata is stored in what we refer to as binary date time. The exact structure of this format can vary from format to format, but this is a pretty common one.

Example of DVR Video metadata

By converting the 5 bytes to binary, we are able to identify a pattern for the date time. I have highlighted the ‘bit to time maps’ above. As always, when deciphering proprietary metadata, you want to double check and make sure that what you discovered is consistent and repeatable.

Repeating the Test

I conducted the same analysis below, but later in our test recording with a date/time that includes a new year, month, and day to help verify the findings.

An identical frame from a DVR video with a new year, month and day.
DVR video metadata with different date/time information.

CONCLUSION

When it comes to conducting byte level analysis of DVRs, understanding as much metadata as possible is essential. While some systems are easier than others, this is an example of a one that is ‘bit’ more complicated!

Related Resources

Blog

Blog

Griffeye products now a part of the Magnet Forensics product suite

Following the announcement that Griffeye would become part of Magnet Forensics, we are thrilled to announce that Griffeye is now fully integrated into the Magnet Forensics family. 

April 12, 2024 • About a 2 minute view
Blog

Blog

Magnet Axiom Cyber 7.10: AWS Sign-in improvements & animated maps

The latest release of Magnet AXIOM Cyber is here, and we’re excited to share new features for analysis and cloud acquisitions.

February 29, 2024 • About a 2 minute view
Blog

Blog

Reviewing email evidence with Email Explorer in Magnet Axiom and Axiom Cyber

With the continued prominence of email in corporate settings, we’re thrilled to unveil a highly anticipated feature to AXIOM Cyber: Email Explorer.

February 29, 2024 • About a 4 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top