pith. machine review for the scientific record.

arxiv: 2605.07430 · v1 · submitted 2026-05-08 · 💻 cs.CR · cs.MM


Forensic analysis of video data deletion and recovery in Honeywell surveillance file system


Pith reviewed 2026-05-11 01:45 UTC · model grok-4.3

classification 💻 cs.CR cs.MM
keywords: forensic analysis, video data recovery, proprietary file system, data deletion, Honeywell surveillance, digital video recorder, binary diffing, digital forensics

The pith

Honeywell surveillance video data stays recoverable after deletion via formatting, expiration or overwrite.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines an undocumented proprietary file system used in Honeywell video surveillance devices. It applies binary diffing to disk images to map how the system performs three deletion operations: formatting-based deletion, data expiration, and overwrite. The analysis shows that each method alters metadata and data structures in ways that leave video content recoverable. A reader would care because surveillance footage is often critical evidence, and these devices are common yet poorly documented. The work supplies concrete recovery steps for investigators facing such systems.

Core claim

The central claim is that video data deleted from the Honeywell proprietary file system can be recovered because the three supported deletion methods leave detectable changes in metadata and on-disk structures; binary diffing of before-and-after images reveals these remnants without source code, allowing reconstruction of deleted recordings.

What carries the argument

Binary diffing of disk images to expose deletion-induced changes in proprietary file-system metadata and data structures.
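
An added example (not code from the paper or its authors) of the sector-level before/after diffing described above: it diffs several image pairs taken around the same deletion operation and separates sectors that change the same way in every trial from incidental writes. The 512-byte sector size, the function names and the in-memory images are assumptions constructed for illustration and do not reflect the Honeywell on-disk layout.

```python
from itertools import groupby

SECTOR = 512  # assumed sector size; confirm against the acquired image

def changed_sectors(before: bytes, after: bytes, sector: int = SECTOR) -> dict:
    """Return {sector_index: 'zeroed' | 'modified'} for sectors that differ."""
    if len(before) != len(after):
        raise ValueError("images must be the same size to diff sector by sector")
    changes = {}
    for off in range(0, len(before), sector):
        a = after[off:off + sector]
        if a != before[off:off + sector]:
            changes[off // sector] = "zeroed" if not any(a) else "modified"
    return changes

def coalesce(indices) -> list:
    """Merge sector indices into inclusive (first, last) runs."""
    runs = []
    for _, grp in groupby(enumerate(sorted(indices)), key=lambda p: p[1] - p[0]):
        run = [s for _, s in grp]
        runs.append((run[0], run[-1]))
    return runs

def split_consistent(trials):
    """trials: (before, after) pairs for one deletion operation.
    Returns (consistent, incidental): sectors changed with the same kind
    in every trial, and sectors changed in only some trials."""
    diffs = [changed_sectors(b, a) for b, a in trials]
    every = set.union(*(set(d) for d in diffs))
    consistent = {s for s in every
                  if all(s in d for d in diffs) and len({d[s] for d in diffs}) == 1}
    return consistent, every - consistent

def make_image(n_sectors: int, seed: int) -> bytes:
    # Constructed image: every sector filled with one nonzero byte value.
    return b"".join(bytes([(i + seed) % 255 + 1]) * SECTOR for i in range(n_sectors))

def apply_ops(img: bytes, zero=(), touch=()) -> bytes:
    # Constructed "deletion": zero some sectors, flip one byte in others.
    buf = bytearray(img)
    for s in zero:
        buf[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    for s in touch:
        buf[s * SECTOR] ^= 0xFF
    return bytes(buf)

def demo():
    base = make_image(48, seed=7)
    trials = [(base, apply_ops(base, zero=range(16, 20), touch=(5, 30))),
              (base, apply_ops(base, zero=range(16, 20), touch=(5, 41)))]
    consistent, incidental = split_consistent(trials)
    return coalesce(consistent), coalesce(incidental)
```

Sectors reported as incidental are candidates for background writes or housekeeping and should not be attributed to the deletion operation without further trials.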

If this is right

  • Forensic examiners can recover deleted video from Honeywell DVRs and NVRs using the identified metadata patterns.
  • The three deletion methods do not fully erase data, so partial or complete recordings survive in all cases examined.
  • The same diffing approach yields foundational insights for analyzing other undocumented video-recording file systems.
  • Investigation time for Honeywell devices decreases once the deletion signatures are known.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The recovery techniques could be adapted to other brands of proprietary surveillance file systems that use similar high-volume video storage.
  • If recovery is routinely possible, it may affect how long such devices must retain logs or how evidence chains are documented in court.
  • Automated tools could be built around the observed metadata change patterns to speed up field recovery.
  • The findings suggest that formatting alone is insufficient for secure deletion in these embedded systems.

Load-bearing premise

Binary diffing of disk images accurately reveals the internal deletion logic of the proprietary file system without source code access.

What would settle it

Apply the three deletion methods to a test device, extract the resulting disk image, and check whether the described metadata patterns allow actual video recovery; recovery failure would falsify the claim.

Figures

Figures reproduced from arXiv: 2605.07430 by Jinhee Yoon, Sungjae Hwang.

Figure 1: Research workflow: environment setup, dataset acquisition during recording and deletion operations, and binary di
Figure 2: Overall file system layout of the Honeywell NVR.
Figure 3: Machine Data region at Sector 34 within the start sectors, containing
Figure 4: Structure of the Header area in Partition 1.
Figure 6: Structure of the Record State area in Partition 1.
Figure 7: Data observed in the Fixed Value region.
Figure 8: Structure of the Video Data area in Partition 1.
Figure 9: Changes in Start Sectors and Partition 1 caused by formatting-based deletion.
Figure 10: Changes in Start Sectors and Partition 1 caused by expiration & overwrite deletion.
Figure 11: Header and Video Data region layouts under di
Original abstract

Real-time video surveillance systems store recorded video using digital video recorders (DVRs) and network video recorders (NVRs). To support continuous high-volume video storage, these devices employ specialized, nonstandard file systems that are often proprietary and undocumented. This lack of documentation significantly increases the time and effort required for forensic analysis. In this study, we analyze an undocumented proprietary file system used by Honeywell video surveillance devices - one that, to the best of our knowledge, has not been examined in prior work - and investigate its deletion mechanisms and demonstrate the feasibility of video recovery after deletion. We perform a file system analysis using a binary diffing technique and evaluate three deletion methods supported by the target device: 1) formatting-based deletion, 2) data expiration, and 3) overwrite. For each method, we investigate changes in file system metadata and on-disk data structures and demonstrate the feasibility of video data recovery. Our findings aim to support more efficient and accurate forensic investigations of Honeywell surveillance products and provide foundational insights into the analysis of proprietary file systems used in video recording devices.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript analyzes an undocumented proprietary file system in Honeywell video surveillance DVR/NVR devices. Using binary diffing of before-and-after disk images, it examines three deletion mechanisms (formatting-based deletion, data expiration, and overwrite), documents resulting changes to metadata and on-disk structures, and claims to demonstrate feasible recovery of video data after each type of deletion.

Significance. If the recovery demonstrations are reproducible and the inferred structures are correctly mapped, the work would supply practical forensic techniques for a previously unexamined proprietary file system, aiding investigators who encounter Honeywell surveillance hardware. It also offers a template for analyzing other undocumented video-recording file systems.

major comments (1)
  1. [Methods / binary diffing description] The core claim that binary diffing isolates the deletion logic for formatting, expiration, and overwrite rests on observable disk-image changes, yet the manuscript provides no independent validation (e.g., comparison against vendor documentation, multiple device models, or controlled re-implementation) that the diffs reflect intentional deletion semantics rather than caching, background writes, or incidental housekeeping. This mapping is load-bearing for all three recovery demonstrations.
minor comments (1)
  1. [Abstract] The abstract states the approach and goals but contains no quantitative results, success rates, or example recovered footage; the results section should include concrete metrics (e.g., percentage of frames recovered per deletion method) to support the feasibility claim.

Simulated Author's Rebuttal

1 response · 1 unresolved

We thank the referee for the constructive feedback on our analysis of the Honeywell proprietary file system. We address the concern about validation of the binary diffing method below and have revised the manuscript to include additional methodological details.

Point-by-point responses
  1. Referee: The core claim that binary diffing isolates the deletion logic for formatting, expiration, and overwrite rests on observable disk-image changes, yet the manuscript provides no independent validation (e.g., comparison against vendor documentation, multiple device models, or controlled re-implementation) that the diffs reflect intentional deletion semantics rather than caching, background writes, or incidental housekeeping. This mapping is load-bearing for all three recovery demonstrations.

    Authors: We agree that direct comparison to vendor documentation is not feasible, as the file system is proprietary and undocumented. Our experiments were conducted under controlled conditions on a single Honeywell device model: each deletion type was triggered individually via the device's native interfaces, with forensic disk images acquired immediately before and after using a write-blocker to prevent background activity. Experiments were repeated multiple times with consistent results in metadata and data structure changes. While we did not re-implement the file system or test additional models, the isolated before/after diffs provide direct evidence of the modifications attributable to each deletion mechanism. We have added an expanded Methods subsection detailing the experimental protocol, timing controls, and repetition to strengthen this description.

    Revision: partial

standing simulated objections not resolved
  • Comparison against vendor documentation, which is not publicly available for this proprietary file system.

Circularity Check

0 steps flagged

No circularity: purely empirical forensic analysis with no derivations or self-referential claims

full rationale

The paper conducts an empirical investigation of a proprietary file system via binary diffing of before/after disk images to observe metadata and on-disk changes under three deletion methods (formatting, expiration, overwrite), then demonstrates recovery feasibility. No equations, mathematical derivations, fitted parameters, predictions, or load-bearing self-citations appear in the provided text or abstract. Claims rest on direct experimental observation rather than any chain that reduces to its own inputs by construction. The analysis is self-contained against external benchmarks of disk-image comparison.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper relies on standard reverse engineering practices for file systems rather than introducing new parameters or entities.

axioms (1)
  • domain assumption: File systems use metadata structures that can be inferred from binary comparisons
    Core to the binary diffing technique used.

