Recovering erased digital image files

**setarip** · 25 May 2005, 08:14 AM

"The files are recordings from a security camera. To your knowledge, if a digital movie file is erased and its header overwritten is there a way to determine if a file is an AVI or MPEG or MOV file...?

I hate to ask the obvious but, can't you?:

1) First determine what format(s) the specific camera is capable of generating

2) Ask the owner/user what format the camera was set to capture in

**dpenrod** · 25 May 2005, 08:26 AM

Yes, we already know what the various formats are. But that's not the issue. My problem is that I am searching unallocated space on a computer for deleted movie files that have been partially overwritten - the headers have been deleted. All movie files have unique headers to identifiy the file that follows. Unfortunately, all that I have is unidentifiable code strings. I need to know if these formats have code within their bodies that is common to all files created in that particular format. In other words, do all AVI files contain a universal code string, a string that is located within each and every file created as an AVI.

**setarip** · 25 May 2005, 08:43 AM

.AVI index is at end of file

Looks like this in a hex editor:

....j.m.8...01wb......m.....00dc....:.m.....01wb.. ..P.m.,...00dc......m.s...00dc......m.P...00dc.... X.m.....00dc......n.....00dc.....)n.c...00dc.....? n.....00dc.....Zn.....00dc.....pn.'...JUNK

"AVIFix" can (sometimes) repair corrupt .AVI file headers.

**dpenrod** · 25 May 2005, 08:50 AM

Fantastic! Do other digital video files contain the same kind of code strings within them? Specifically, WMV and MPEG?

**setarip** · 25 May 2005, 10:36 AM

(By the way, for the .AVIs, it's simplest to look for the word "JUNK")

MPEGs have tail endings as follows:

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00 00 01 B9

**dpenrod** · 26 May 2005, 01:06 AM

Beautiful. The AVI "junk" works great. You've been a great help. Thank you. Two more questions for you:

1) Do you know if something similar is located within WMV and MOV files? If not, can you suggest a resource I can query?

2) Thinking ahead now: after we've gathered together all the bits and pieces of a fragmented video file from unallocated space, is there anything special I need to do in order to put the file back together other than reorder the fragments in the correct sequence? The FAT and MFT have pointers (deleted, but can be recovered) to each fragment. Is there something unique about video files or a particular video file format that requires special attention when we reconstruct them.

**setarip** · 26 May 2005, 03:08 AM

"Beautiful. The AVI "junk" works great. You've been a great help. Thank you."

My pleasure ;>}

"If not, can you suggest a resource I can query?"

Examine several each WMV and MOV files from within a hex editor - and see if you can observe any standard coding at the tail-end for each type...

"Is there something unique about video files or a particular video file format that requires special attention when we reconstruct them."

Nope (Other than, as you already know, the headers and tail-ends)...

Recovering erased digital image files

Recovering erased digital image files

Comment

Comment

Comment

Comment

Comment

Comment

Comment