Edits to Bannerman and Dumbo posts.
Spent some more time looking at Hikvision iVM4200 password stuff, and emailed Bob on same.
Looks like iVMS4200 stores password, and other info, in a sqllite database
It is possible to engineer a hack where an attacker can insert a USB drive that auto-runs a script (granted, this CAN be disabled on Windows, if users are aware of how to do it) that would read the DB, extract the password string, and possibly decrypt it. I don't think we will get into this depth in the report, but the whole way Hik manages this (and possibly other stored credentials for attached NVRs) is really weak.
Going through recent survey posts, tallied up data for favorite recorder, sent graphics request to Lightning, arranging quotes, etc.