FTK Imager question

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

KPryor
Senior Member
 

FTK Imager question

Posted: Sep 24, 06 02:52

I just tried to recover a deleted file here at work using FTK Imager, which I had never used before. I was able to recover it, but when I tried to access the file (a video file) using the proprietary viewer, it asked for the password for the file.
However, this file should have never had a password to begin with and didn't the last time it was accessed prior to deletion. Any suggestions as to why or how a password might have been added to the file? I recovered several other of the same type of files and they did not require a password to view them.
Thanks!
KP  
 
  

KPryor
Senior Member
 

Re: FTK Imager question

Posted: Sep 24, 06 03:21

To clarify what I'm asking, as my post isn't as clear as I intended, could there have been some corruption of the file after deletion that would fool the software into thinking there is a password when there isn't one?
This file was automatically deleted by our archival software. The material in the archive is held for 90 days and then deleted automatically. The file in question was deleted about 24 hours or so ago. It would be very good if the file could be retrieved and made useful, but it's not critical.
KP  
 
  

keydet89
Senior Member
 

Re: FTK Imager question

Posted: Sep 24, 06 16:19

There are several things that could be at work here.

What was the file extension (there are several types of "video files")? What is the name of the "proprietary viewer"?

It may be possible that some missing sectors could possibly lead to the prompt you're seeing, but it's hard to tell or even guess *how* possible without knowing more about what you're working with.  
 
  

KPryor
Senior Member
 

Re: FTK Imager question

Posted: Sep 24, 06 19:52

The viewer is the "basic" viewer of L-3 Mobile Vision and the video file extension is .avd. The videos are created by our digital in-car video systems we purchased from L3 which are then transmitted from the car via wireless network to our video server in the police department. The archiving software receives the file and saves it to disk, automatically deleting it after a preset number of days. In this case, a number of days before the State's Attorney finally got around to asking for a copy of it ;)
Thanks!
KP  
 
  

keydet89
Senior Member
 

Re: FTK Imager question

Posted: Sep 25, 06 04:13

KPryor,

Thanks for the more specific info.

Now, have you tried going to L-3 Mobile Vision with this question? I can't imagine that someone else hasn't already had this question. Maybe they have a response.

H  
 
  

KPryor
Senior Member
 

Re: FTK Imager question

Posted: Sep 25, 06 05:22

No, haven't talked to them yet. This just came up yesterday and their support staff isn't in on the weekend. I can try them this week, but thought I'd give the ol' college try over the weekend to see if I could get it back.
Thanks again! BTW, I intend to purchase your book soon in furtherance of my newfound interest in forensics.
KP  
 
  

JimmyW
Senior Member
 

Re: FTK Imager question

Posted: Sep 25, 06 07:40

First, it's entirely possible that at least a small amount of corruption occurred once the file was deleted, especially as the machine remained in use and the video was probably a relatively large file. One thing that I learned concerning proprietary video is that the format may be designed to "self-protect" against tampering. This is particularly true when it comes to surveillance systems. Hence, one missing byte or incorrect values in one or more bytes can render the video unviewable. As Harlan suggested, the publisher is the best source for recovery information.
 
