I am examining a Hard Drive that has a few problems so I am extracting the data from it from a partial acquired image.
I am using X-Ways to extract the data. I notice there is a Max Byte allowance to extract.
Now some of the files are taken from a video camera and are over 4GB in size therefore X-Ways is not extracting it all.
Is there any way of exporting the whole file or other Forensic Software that will allow this?
The data is quite important so the more data extracted will be very beneficial.
Thanks in advance.
Edit - I have noticed the the hard drive is FAT-32
One thought is what If i located the file within X-Ways and just copy out 2GB worth at a time and then put it all back together or label it as parts.
Not sure if this is possible and need anyone who is an X-Ways Pro.
Bit of a newbie with X-Ways really so need advice
Thanks again in advance
I haven't tried working with files that large, so, although your theory sounds like it might work, I can't really offer you any more hope.
You might want to post your question on the Computer Forensics forum at
There's a pretty good chance Stefan Fleischmann will reply personally.
/scott
Now some of the files are taken from a video camera and are over 4GB in size therefore X-Ways is not extracting it all.
Edit - I have noticed the the hard drive is FAT-32
The maximum file size in FAT-32 is 4 GiB (full 32-bit address space). Either export it as split files or another file system e.g. NTFS.
Hmmm. joachimm is, of course, correct – the file size limit on a FAT-32 drive is indeed 2^32−1 bytes. However, having re-read the OP, I'm now confused about which drive it is that's FAT-32.
forensicgeek, you indicated that the original drive had video files larger than that. Therefore, I'm guessing the original might have been NTFS (if it's Windows). And you said that you're working from an image of that drive. I suppose that image could be split in ~2GB chunks that reside on a FAT-32 drive. Is that the drive you're referring to? If so, the fact that it's FAT-32 is irrelevant; don't worry about it.
Or are you referring to the drive to which you're trying to extract the files? if so, you probably want to use NTFS as your destination file system.
/scott
Most cameras use FAT32, so the input would have a 4GB limit. Some though do use HFS+, which has no 4GB limit.
You need to determine the format o the camera drive.
I wont be able to check what format the camera was and I doubt the user of the camera will know.
The format of the video is .mpg. Looking at one extracted video (incomplete due to the file size (4GB)). You can see where the video starts and another one begins.
Does this sound like X-Ways is combining the video's together for some odd reason.
I ask this as if you were to stop a video recording and start another surely it would create a new file rather than just extending the original video?
Thanks for all your help it helping a lot with my understanding.
Edit - Extracted another 3 and they seem to be the same video and cutting out at the same places. Ill extract more and see what happens.
With my software I split big raw MPEG files on chapter starts, or when ever the time stamp in effect goes backwards. This produces nice size MPEGs for later processing.
I am not sure if MPEG files exist larger than 4GB. On DVDs they are split into VOB files, approx 1GB in length.
Can you not take a disk image from the camera, rather than logical files? If you get the image, you will also determine the disk format.
If the camera did support files > 4GB and they have since been copied to a FAT32, then the FAT32 will not have all the data.
I am unable to create a disk image of the camera as it is not accessible. All I was given was a Portable Hard Drive that asks to be formatted when plugged in but I have managed to Image about 180GB of 500 due to what seems an error with the drive. (Not sure if this could be the reason for it)
It looks like I can split the files into smaller parts as I examined just 1 of the mpg files and cut out chunks of it and saved it.
But when I search for the HEX term 000001BA440004 (Which is the correct header from examining the other mpg file) it will not find any hits. Even though they clearly exist. I am doing the Hex search when the Image is simply loaded in and as it is Interoperated as a Disk but still no luck.
Like i said before I will extract more and see what the outcome is - X-Ways extracted another 6 files that were limited to 4GB in size and are all the same video.
Starting to confuse me quite a bit now. The more I seem to work on it the more I'm getting confused but I'm sure ill get somewhere more with it soon as the advice given so far has been of a bit help.
I am unable to create a disk image of the camera as it is not accessible. All I was given was a Portable Hard Drive that asks to be formatted when plugged in but I have managed to Image about 180GB of 500 due to what seems an error with the drive. (Not sure if this could be the reason for it)
What tools did you try? Some tools deal better with defective drives than others.
You could try ewfacquire with read error retries set to 0, preferable from a Linux system.
BTW Windows wanting to format the 500GB drive does not sound to me like it contains a FAT32 file system.
But when I search for the HEX term 000001BA440004 (Which is the correct header from examining the other mpg file) it will not find any hits. Even though they clearly exist. I am doing the Hex search when the Image is simply loaded in and as it is Interoperated as a Disk but still no luck.
Actually only 000001BA is a signature within MPEG PES (440004 is value data), but there are more like 000001BB. For a full reference check MPEG format documentation.
Starting to confuse me quite a bit now. The more I seem to work on it the more I'm getting confused but I'm sure ill get somewhere more with it soon as the advice given so far has been of a bit help.
My advise, try multiple tools, to rule out any bugs in one of them.