Forums
Main Category
General (Technical,...
3GP file header/foo...
 
Notifications
Clear all

3GP file header/footer

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by ForensicRob 16 years ago
4 Posts
4 Users
0 Reactions
2,394 Views
RSS
 workneverends
(@workneverends)
Eminent Member
Joined: 16 years ago
Posts: 33
Topic starter 17/11/2009 3:24 am  

I am trying to carve out any 3GP files from unallocated clusters. These files reside on a Mini SD Card from a Palm Treo T850. Does anyone know the best way to recover these within EnCase? Maybe a file header/ footer so I can run case processor/file finder. Thanks


   
Quote
binarybod
 binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
17/11/2009 4:38 pm  

Visit http//www.garykessler.net/library/file_sigs.html it is my favourite for file signatures.

I think the header you are looking for is

00 00 00 nn 66 74 79 70
33 67 70

I haven't done much with 3GP so I can't be absolutely certain myself.

The full spec is available from http//www.3gpp.org/ftp/Specs/archive/26_series/26.244/

Paul


   
ReplyQuote
 GammaX
(@gammax)
New Member
Joined: 16 years ago
Posts: 4
18/11/2009 2:46 am  

This might help, Make an enscript looking for the file header and matches a pattern.

ftyp3gp4 (6674797033677034)

FYI, there are two international standards for the 3gp file format
3GPP – this uses the file extension .3gp and is compliant with GSM based phones.
3GPP2 – compliant with CDMA mobiles and uses the file extension .3g2.


   
ReplyQuote
ForensicRob
 ForensicRob
(@forensicrob)
Eminent Member
Joined: 20 years ago
Posts: 26
18/11/2009 7:14 am  

Here are a few 3GP header patterns to look for

"ftyp3g2" for 3GPP2
"ftyp3gp" for 3GPP

These patterns have been seen at offset 0x00 or 0x04. If you are looking for these files on a Macintosh, look for "3GP2" and "3GPP" at offset 0x41 of the resource fork.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: