Good afternoon all,
I have a number of files labelled “$deleteme” stored on the memory and are marked as deleted, which have no known extension. When I look at the raw data, there are number of references to child pornography phrases in Unicode. Are these files common in computers as I have never come across these in a mobile phone?
My thinking is that there are embedded files within these files, however image carving software is so far successful.
Has anyone come across this?
Regards,
Good afternoon all,
I have a number of files labelled “$deleteme” stored on the memory and are marked as deleted, which have no known extension. When I look at the raw data, there are number of references to child pornography phrases in Unicode. Are these files common in computers as I have never come across these in a mobile phone?
My thinking is that there are embedded files within these files, however image carving software is so far successful.
Has anyone come across this?
Regards,
What do the the headers of these files look like?
Hi hmorgan,
There are a lot more zeros before the start of the data. Is it possible that this is a ghost file of what was available on the memory card at one time?
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004149006D006100670065000F007173000000FFFFFFFFFFFFFFFF0000FFFFFFFF494D414745532020202020100000B125643A643A0000B125643A0300000000004156006900640065006F000F001673000000FFFFFFFFFFFFFFFF0000FFFFFFFF564944454F532020202020100000B125643A8C3C0000B125643A0400000000004153005400680075006D000F00F56200440042002E0074006400000062000000535448554D4244425444422000008BA6943D263E00008E73263E370020AC0E004153006F0075006E0064000F004E73000000FFFFFFFFFFFFFFFF0000FFFFFFFF534F554E44532020202020100000B325643A643A0000B325643A060000000000415F0055006E00710069000F00DE75006500490064002E0064000000610074005F554E51497E33314441542000005973263E263E00005973263E740004000000E553005400680075006D000F00886200440042002E0074006D00000070000000E55448554D424442544D502000006873263E263E00006873263E00000000000041440041005600450020000F008620002000200020002000200000000000FFFF4441567E3330202020202008000047BDCD3ACD3A000047BDCD3A0000000000004153005400680075006D000F00886200440042002E0074006D00000070000000E5300030002E00740063000F00116F000000FFFFFFFFFFFFFFFF0000FFFFFFFFE5302020202020
This is how it appears in Unicode
AI m a g e qs ÿÿÿÿÿÿÿÿ ÿÿÿÿIMAGES ±%dd ±%d AV i d e o s ÿÿÿÿÿÿÿÿ ÿÿÿÿVIDEOS ±%d< ±%d AS T h u m õb D B . t d b STHUMBDBTDB ¦=&> s&>7 ¬ AS o u n d Ns ÿÿÿÿÿÿÿÿ ÿÿÿÿSOUNDS ³%dd ³%d A_ U n q i Þu e I d . d a t _UNQI~31DAT Ys&>&> Ys&>t åS T h u m b D B . t m p åTHUMBDBTMP hs&>&> hs&> AD A V E ÿÿDAV~30 G½ÍÍ G½Í AS T h u m b D B . t m p å0 0 . t c o ÿÿÿÿÿÿÿÿ ÿÿÿÿå0
This looks like a dump of a FAT directory.
If you look with a Hex editor you will see entries of 0x20 bytes in length, some with the name in 8.3 format, and the Unicode names above them.
This is not file data
ps can you edit your data so it is not 300000 charcters wide on tne screen!!