Most data files are written sequentially which means that data carving can have a good guess that the data will typically be sequential. However, recently some AVI files have been found that do not seem to follow this pattern.
The file in question was written using a video camera and it appears that the first section was the data - a series of tagged chunks ofthe starting "00dc" or "00wb". An AVI file contains an index and in this version, the index was added to the first block after the main header information. Thus to carve the files it is necessary to read the header, and then in effect go back to find the blocks used. To make the job possible, the index does conatin the offset and length of each tag. It is therefore possinle to search the raw disk for a cluster that contains a '00xx' tag at a certain location within a block, with a defined length.
Recent developments with CnW Recovery software have added the automatic feature so that a trailier can be created if missing. This means that even a partial fragment can be viewed.
No comments:
Post a Comment