
FTK Imager question

(@kpryor)
Posts: 68
Trusted Member
Topic starter
 

I just tried to recover a deleted file here at work using FTK Imager, which I had never used before. I was able to recover it, but when I tried to access the file (a video file) using the proprietary viewer, it asked for the password for the file.
However, this file should have never had a password to begin with and didn't the last time it was accessed prior to deletion. Any suggestions as to why or how a password might have been added to the file? I recovered several other of the same type of files and they did not require a password to view them.
Thanks!
KP

 
Posted : 24/09/2006 2:52 am
(@kpryor)
Posts: 68
Trusted Member
Topic starter
 

To clarify what I'm asking, as my post isn't as clear as I intended, could there have been some corruption of the file after deletion that would fool the software into thinking there is a password when there isn't one?
This file was automatically deleted by our archival software. The material in the archive is held for 90 days and then deleted automatically. The file in question was deleted about 24 hours or so ago. It would be very good if the file could be retrieved and made useful, but it's not critical.
KP

 
Posted : 24/09/2006 3:21 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

There are several things that could be at work here.

What was the file extension (there are several types of "video files")? What is the name of the "proprietary viewer"?

It may be possible that some missing sectors could possibly lead to the prompt you're seeing, but it's hard to tell or even guess *how* possible without knowing more about what you're working with.

 
Posted : 24/09/2006 4:19 pm
(@kpryor)
Posts: 68
Trusted Member
Topic starter
 

The viewer is the "basic" viewer of L-3 Mobile Vision and the video file extension is .avd. The videos are created by our digital in-car video systems we purchased from L3 which are then transmitted from the car via wireless network to our video server in the police department. The archiving software receives the file and saves it to disk, automatically deleting it after a preset number of days. In this case, a number of days before the State's Attorney finally got around to asking for a copy of it 😉
Thanks!
KP

 
Posted : 24/09/2006 7:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

KPryor,

Thanks for the more specific info.

Now, have you tried going to L-3 Mobile Vision with this question? I can't imagine that someone else hasn't already had this question. Maybe they have a response.

H

 
Posted : 25/09/2006 4:13 am
(@kpryor)
Posts: 68
Trusted Member
Topic starter
 

No, haven't talked to them yet. This just came up yesterday and their support staff isn't in on the weekend. I can try them this week, but thought I'd give the ol' college try over the weekend to see if I could get it back.
Thanks again! BTW, I intend to purchase your book soon in furtherance of my newfound interest in forensics.
KP

 
Posted : 25/09/2006 5:22 am
(@jimmyw)
Posts: 64
Trusted Member
 

First, it's entirely possible that at least a small amount of corruption occurred once the file was deleted, especially as the machine remained in use and the video was probably a relatively large file. One thing that I learned concerning proprietary video is that the format may be designed to "self-protect" against tampering. This is particularly true when it comes to surveillance systems. Hence, one missing byte or incorrect values in one or more bytes can render the video unviewable. As Harlan suggested, the publisher is the best source for recovery information.

 
Posted : 25/09/2006 7:40 am
(@kpryor)
Posts: 68
Trusted Member
Topic starter
 

Thanks for the input Jimmy. I'll check with them this week, but fortunately this isn't a critical issue (this time).
KP

 
Posted : 25/09/2006 8:15 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> …it's entirely possible that at least a small amount of corruption occurred once the file was deleted, especially as the machine remained in use…

Given how files are "deleted", wonder how likely this would be. I'd suggest that it would be more likely that the file was deleted (ie, not sent to the Recycle Bin) and at least a portion of the sectors used by the file were overwritten.

KP…would you be willing to post your findings?

 
Posted : 25/09/2006 7:01 pm
(@jimmyw)
Posts: 64
Trusted Member
 

> Given how files are "deleted", wonder how likely this would be. I'd suggest that it would be more likely that the file was deleted (ie, not sent to the Recycle Bin) and at least a portion of the sectors used by the file were overwritten.

That's exactly what I meant, but could have said that more clearly. If the file were sent to the Recycler, I imagine that we wouldn't be having this discussion. The size wasn't mentioned, but these files can be a few 100MB or more in length. When you free up, for example, 25,000 clusters, the OS can easily use a few of them pretty soon. There's also a size limit on files that the Recycler will accept, but I don't recall what it is or how it's based.

 
Posted : 25/09/2006 7:43 pm
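
A triage sketch for the overwritten-cluster hypothesis discussed in this thread, added here as an example and not part of any post: it flags cluster-sized blocks of a recovered file whose byte entropy falls well below the file's median, since compressed video is close to random while reused clusters often hold text or zeros. The 4096-byte cluster size, the thresholds and the sample data are assumptions; the .avd layout is not known here, so a flagged block is a lead to examine in a hex view, not proof.

```python
import math
import os
from collections import Counter

CLUSTER = 4096  # assumed cluster size; use the value reported for the volume


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or constant block)."""
    n = len(block)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(block).values())


def suspect_clusters(data: bytes, cluster: int = CLUSTER,
                     skip: int = 1, drop: float = 1.0):
    """Return [(index, offset, entropy)] for clusters whose entropy is more
    than `drop` bits below the median of the file body. The first `skip`
    clusters are ignored because a structured header is expected there."""
    scores = [entropy(data[o:o + cluster]) for o in range(0, len(data), cluster)]
    body = sorted(scores[skip:])
    if not body:
        return []
    median = body[len(body) // 2]
    return [(i, i * cluster, round(s, 2))
            for i, s in enumerate(scores)
            if i >= skip and s < median - drop]


def build_sample() -> bytes:
    """Constructed input: a made-up header cluster, then 15 clusters of random
    bytes standing in for compressed video, with cluster 5 replaced by log
    text and cluster 9 by zeros to imitate reuse after deletion."""
    clusters = [b"HDR0".ljust(CLUSTER, b"\x00")]
    clusters += [os.urandom(CLUSTER) for _ in range(15)]
    clusters[5] = (b"2006-09-24 02:10:11 service started\r\n" * 200)[:CLUSTER]
    clusters[9] = bytes(CLUSTER)
    return b"".join(clusters)


if __name__ == "__main__":
    for idx, off, h in suspect_clusters(build_sample()):
        print(f"cluster {idx} at offset {off:#x}: entropy {h} bits/byte")
```

Run it against a working copy of the recovered file, never the evidence image itself; a short final cluster can score low simply because it holds few bytes.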