File carving ftk im...
 
Notifications
Clear all

File carving ftk imager

2 Posts
2 Users
0 Reactions
2,586 Views
(@forensiclearner)
New Member
Joined: 1 year ago
Posts: 1
Topic starter  

Hi! I found a file with jpg extension, but metadata says mjpeg. However, i can not open the file. I have the hex code for the file and I cant find jpeg header in the hex. I searched for other common file types headers without success. 

please help me, i really need to find out whats in that file. 

 


   
Quote
markg43
(@markg43)
Trusted Member
Joined: 17 years ago
Posts: 77
 

Not really sure what we are doing here -- Title says data carving with FTKi -- here is a response to that: FTK Imager does not have a capability to carve by itself, but you could find the relevant bytes of data and copy them out into a new file.  This link shows the steps to carve manually carve a jpg file and also have test files you can download to try it yourself.

https://www.thehexninja.com/2017/12/practical-exercise-image-carving.html

 

On the other hand, you found a file with a jpg extension that you cant open and metadata says mjpeg.  If the file is not too large, then open it with notepad ( or better yet a hex editor like HxD) and look at the first 3 bytes(characters) - it should say in notepad - ÿØÿ    ; or the in the hex editor it should say  FF D8 FF.    In the hex editor, the last bytes of the file should say FF D9.

If it doesn't, post a screen capture of the beginning of the file here.

Good Luck,

/M

This post was modified 1 year ago by markg43

   
ReplyQuote
Share: