Any tips for carving .h264  

fissa
(@fissa)
New Member

Hi all,

So I have a case where I was 15 hours late securing a hard drive from a camera system with very important videos. The saved video format is .H264. While imaging, the disk was 91% full (910GB of a 1TB hard drive).
I know my chances are small, but I was hoping to find some videos or fragments of them in unallocated.

So what did I do?
I made an E01 (write-blocked)
I used Axiom, searching for media in unallocated; no hits whatsoever
I used Photorec on unallocated; only txt files (I might re-run it again)
I used the Encase file-carving option, but I can't 'select' to search for .h264, can I? (It's finding lots of corrupted mp3 files)

Anyone else got a tool or tip in this case?

With kind regards,
Fissa.

Posted : 01/12/2019 3:18 pm
watcher
(@watcher)
Member

Here's an article that might help you

https://orochena.net/carving-files-with-scalpel

Fundamentally you define the HEADER sequence, Max Length, and Footer sequence.

Good Luck!

Posted : 01/12/2019 6:25 pm
Passmark
(@passmark)
Active Member

What was the file system? Was there even a file system?

Were all the video files deleted? How? Or just overwritten and replaced by new videos?

Was this a boot drive (with an active O/S running on it) or a data drive? Chances are much better with data drives.

If the disk is 91% full, what was the 910GB of files? Other videos in the same format?

Posted : 02/12/2019 12:23 am
soft512byte
(@soft512byte)
New Member

Write in private, I will help.

Posted : 02/12/2019 12:00 pm
fissa
(@fissa)
New Member

> Here's an article that might help you
>
> https://orochena.net/carving-files-with-scalpel
>
> Fundamentally you define the HEADER sequence, Max Length, and Footer sequence.
>
> Good Luck!

Hi, I will definitely look into and try this! Thanks.

> What was the file system? Was there even a file system?
>
> Were all the video files deleted? How? Or just overwritten and replaced by new videos?
>
> Was this a boot drive (with an active O/S running on it) or a data drive? Chances are much better with data drives.
>
> If the disk is 91% full, what was the 910GB of files? Other videos in the same format?

File system = EXT2 (if I'm correct, will check in two days, got a day off tomorrow)
The files were overwritten by new videos
It was a data drive, just for storing the videos
The disk had 910GB of the same H264 video files.

> write in private, I will help

I will PM you.

Posted : 02/12/2019 6:31 pm
Olly_wolly
(@olly_wolly)
New Member

The other thing to consider is that h.264 streams are usually within container files such as MP4 or MKVs, and it is these container files that most forensic software will be carving. It’s fairly typical for CCTV units to use a proprietary container format, so you’ll need to identify what that is.

Posted : 03/12/2019 1:58 pm
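
An added example, not written by any poster in this thread: if the recorder stores a raw H.264 Annex B byte stream rather than a container (an assumption; a proprietary container would need its own signature), there is no file header or footer to hand to a carver, but unallocated space can be scanned for NAL start codes and for an SPS directly followed by a PPS. The function names and the sample buffer are constructed for illustration.

```python
import re

# Annex B start code: 00 00 01, optionally preceded by one extra 00 byte.
START_CODE = re.compile(rb"\x00\x00\x01")
# nal_unit_type values (low 5 bits of the byte after the start code).
NAL_NAMES = {1: "non-IDR slice", 5: "IDR slice", 6: "SEI",
             7: "SPS", 8: "PPS", 9: "AUD"}

def find_nal_units(buf):
    """Return (offset, nal_unit_type) for each plausible NAL unit in buf."""
    hits = []
    for m in START_CODE.finditer(buf):
        hdr_pos = m.end()
        if hdr_pos >= len(buf):
            break
        hdr = buf[hdr_pos]
        if hdr & 0x80:                 # forbidden_zero_bit must be 0
            continue
        nal_type = hdr & 0x1F
        if nal_type not in NAL_NAMES:  # ignore types we do not expect
            continue
        start = m.start()
        if start > 0 and buf[start - 1] == 0:
            start -= 1                 # report the 4-byte start code form
        hits.append((start, nal_type))
    return hits

def candidate_stream_starts(buf, max_gap=256):
    """Offsets where an SPS is followed by a PPS within max_gap bytes."""
    nals = find_nal_units(buf)
    return [off for (off, t), (nxt, nt) in zip(nals, nals[1:])
            if t == 7 and nt == 8 and nxt - off <= max_gap]

# Constructed sample standing in for a chunk of unallocated space.
SAMPLE = (
    b"\xff" * 16
    + b"\x00\x00\x01\xba" + b"\xff" * 4            # MPEG-PS pack header, not H.264
    + b"\x00\x00\x00\x01\x67\x42\x00\x1e\xab\x40"  # SPS
    + b"\x00\x00\x00\x01\x68\xce\x3c\x80"          # PPS
    + b"\x00\x00\x00\x01\x65\x88\x84\x00\x10"      # IDR slice
)

if __name__ == "__main__":
    for off, t in find_nal_units(SAMPLE):
        print(f"offset {off:#x}: {NAL_NAMES[t]}")
    print("candidate stream starts:", candidate_stream_starts(SAMPLE))
```

On a real image, read the unallocated extents in overlapping chunks so a start code that straddles a chunk boundary is not missed.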