Wednesday, January 5, 2011

Defragmenting videos from mobile phones

Mobile/cell phones typically store videos as .3GP or .MP4 files.  These can be recognised easily in a hex viewer by looking at the start of the file.  The second group of 4 bytes will be the string 'ftyp', followed by the exact type of file, e.g. '3gp5'.

If the files are to be recovered by data carving, then at times the data may be fragmented.  CnW is working on a solution to this problem.  Fortunately these QuickTime files have a fairly helpful data structure, so it is possible to verify candidate fragments and hence reconstruct files whose data is stored in different fragments.  The basic file structure is 3 main data areas:

    ftyp  moov  mdat

However, the order of moov and mdat can vary.  The moov segment stores all pointers and decoding details for the data area, mdat.  The mdat area basically contains frames of video and sound.  As video frames normally start with the same header string, by decoding the moov it is possible to examine a possible fragment and determine if it does have the correct headers in the correct location.  If a match is found then it is possible to apply this fragment to the new image.

The moov segment is not normally very large, so the expectation is that the complete segment will be found in the first complete fragment, along with the ftyp header.  This will be true for the files that store moov straight after the ftyp tag.  For files which are in ftyp - mdat - moov sequence, it is necessary to examine the mdat for frame starts and hence calculate possible values that will be found in a moov segment.  The disk then has to be searched for a suitable moov fragment.
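The following is an added example, not CnW Recovery's code: it walks the top-level atoms of a carved candidate, reports the ftyp brand and whether the file is moov-first or mdat-first, and uses the declared atom size to work out how many bytes are still missing when the carve ends part-way through an atom. The function names and sample buffers are constructed for illustration, and the alphanumeric check on the atom type is a heuristic assumption.

```python
import struct

def walk_atoms(buf):
    """Return (type, offset, size, complete) for each top-level atom in buf."""
    atoms, pos = [], 0
    while pos + 8 <= len(buf):
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                        # 64-bit size follows the type field
            if pos + 16 > len(buf):
                break
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                      # atom extends to the end of the file
            size = len(buf) - pos
        if size < header or not kind.isalnum():
            break                            # heuristic: not a plausible atom header
        complete = pos + size <= len(buf)
        atoms.append((kind.decode("ascii"), pos, size, complete))
        if not complete:
            break                            # declared size runs past the carved data
        pos += size
    return atoms

def describe(buf):
    """Summarise a carved candidate, or None if it does not start with ftyp."""
    atoms = walk_atoms(buf)
    if not atoms or atoms[0][0] != "ftyp" or atoms[0][2] < 12:
        return None
    _, offset, size, _ = atoms[-1]
    return {
        "brand": buf[8:12].decode("ascii", "replace"),
        "layout": "-".join(a[0] for a in atoms),
        "missing": max(0, offset + size - len(buf)),  # bytes still to find
    }

def atom(kind, payload):
    """Build a constructed test atom: 4-byte big-endian size, type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample data, not taken from a real phone.
FTYP = atom(b"ftyp", b"3gp5" + b"\x00\x00\x01\x00" + b"3gp5isom")
MOOV = atom(b"moov", b"\x00" * 40)
MDAT = atom(b"mdat", b"\xaa" * 200)
MOOV_FIRST = FTYP + MOOV + MDAT
MDAT_FIRST = FTYP + MDAT + MOOV
FRAGMENT = MOOV_FIRST[:100]                  # carve cut off part-way through mdat

if __name__ == "__main__":
    for name in ("MOOV_FIRST", "MDAT_FIRST", "FRAGMENT"):
        print(name, describe(globals()[name]))
```

A non-zero `missing` value is the amount of data that still has to be located in other fragments before the last atom is complete.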

The current status of CnW Recovery is that it can recover a ftyp - moov - mdat file.  The second variation is under development.  See http://www.cnwrecovery.com/ for more details of the software.
