Posted: Sun Feb 19, 2012 9:13 am Author: mscotgrove Location: Sussex, UK This looks like the start of a 'Quick Time' file, .3GP
Your dump has the 'ftyp' header and start of the mdat segment - but no segment length. This would be typical of a file before finalisation.
In order to read the file you would need a moov segment to be added, and I think these are probably stored in memory until required. ie, in your case it will have been lost.
I would be happy to try and reconstruct the file. I would require the temp_video file and also a small but complete video from the same camera. The later is required to pinch certain configuration details from the moov segment.
Posted: Wed Feb 22, 2012 6:35 pm Author: mscotgrove Location: Sussex, UK It has been possible to reconstruct some of the video. This includes a sequence of the phone being snatched.
It was possible by reconstructing the missing moov fragment of the file based on data found in the mdat segment.
Next weeks work will be to make this more generic and userable.
The ftyp / Quick time file is very fussy about all elements being correct. My current solution will display with Quick Time and VLC, but not yet with Windows Media Viewer.All times are GMT - 6 Hours Page 2 of 2 Go to page Previous1, 2:| |: http://www.forensicfocus.com/