Hello gentlemen,
We have a hard drive image, looking for certain video files.
Gary Kessler Custom Carvers are imported and all selected for data carving.
Added the image to the case and started data carving. After the job finished we checked all the files and found nothing related to the crime.
Just to validate, we analyzed the same disc image with Internet Evidence Finder and we found over 20 files, most of them are MP4 and the rest are without an extension.
When I check the files in Hex view I see the signatures:
- 00 00 00 1C 66 74 79 70 46 41 43 45 "....ftypFACE"
- 00 00 00 20 66 74 79 70 69 73 6F 6D "... ftypisom"
These signatures are available/imported in the custom carver section, selected in the Data Carving options prior to indexing of the case.
I was thinking that we would find all these files; I mean, we trusted the software to show us all the carved files. But now I suspect that it can't find all the files although the signatures are available. Maybe we just missed some files in our previous examinations because of this?
What are your opinions? Are we doing something wrong?
Why not try the same in something like foremost or bulk extractor? That way, assuming your signatures are good, you can show FTK is the issue, since you have something else to compare it to.
As I stated in the previous message, I compared it with Internet Evidence Finder. It's obvious that the issue is related to FTK, since I was able to find the files with IEF. I sent a 10 MB raw image which contains each file with these two headers, and the FTK support team was able to carve one out, but they have been looking for the other one for over a month; no reply has been given since that time.
I would not waste your time on AccessData fixing the issue.
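
Added example, not part of any post in this thread and not code from FTK, IEF, foremost or bulk extractor: a small independent cross-check carver for the two headers quoted above. It goes beyond those two exact byte strings by matching `ftyp` at offset 4 with any box size, since the leading four bytes (`00 00 00 1C`, `00 00 00 20`) are the big-endian size of the `ftyp` box rather than a fixed magic value. The function names and the sample image are constructed for illustration, and it assumes the files are stored contiguously.

```python
import struct

# Top-level ISO BMFF box types accepted while measuring a file (a common subset, not exhaustive).
KNOWN = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"uuid", b"moof", b"mfra", b"meta"}

def walk_boxes(image, off):
    """Follow top-level box headers from off; return the offset past the last valid box."""
    while off + 8 <= len(image):
        size, kind = struct.unpack_from(">I4s", image, off)
        if kind not in KNOWN:
            break
        hdr = 8
        if size == 1:                      # 64-bit size stored after the type field
            if off + 16 > len(image):
                break
            size, hdr = struct.unpack_from(">Q", image, off + 8)[0], 16
        elif size == 0:                    # box runs to the end of the data
            return len(image)
        if size < hdr or off + size > len(image):
            break                          # corrupt or truncated: stop at the last good box
        off += size
    return off

def carve(image):
    """Return (offset, length, major_brand) for each contiguous ftyp-led file found."""
    hits, pos = [], image.find(b"ftyp")
    while pos != -1:
        start = pos - 4                    # the 4 bytes before 'ftyp' are the box size, not a constant
        end = walk_boxes(image, start) if start >= 0 else start
        if end > start:
            brand = image[start + 8:start + 12].decode("ascii", "replace")
            hits.append((start, end - start, brand))
            pos = image.find(b"ftyp", end)
        else:
            pos = image.find(b"ftyp", pos + 1)
    return hits

def build_sample_image():
    """Constructed test image: padding, then two tiny files using the two headers from the thread."""
    def box(kind, payload):
        return struct.pack(">I", 8 + len(payload)) + kind + payload
    f1 = (box(b"ftyp", b"FACE" + bytes(4) + b"isommp42FACE")        # ftyp size 0x1C
          + box(b"moov", bytes(16)) + box(b"mdat", b"\xAA" * 40))
    f2 = (box(b"ftyp", b"isom" + bytes(4) + b"isomiso2avc1mp41")    # ftyp size 0x20
          + box(b"mdat", b"\xBB" * 24) + box(b"moov", bytes(8)))
    return bytes(512) + f1 + b"\xFF" * 100 + f2 + bytes(64)

if __name__ == "__main__":
    for offset, length, brand in carve(build_sample_image()):
        print(f"offset={offset} length={length} major_brand={brand}")
```

Comparing the offsets it reports on a raw image with the carved-file list from the tool under test shows which headers that tool skipped.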