Hi there!
I have to recover 1 video from an iPhone 3GS.
So I made an image from media partition directly with linux command "dd".
There are many files I recovered, e.g. images, mp3s and quicktime movies (.mov)
[EDIT] I used foremost, scalpel and photoRec. [/EDIT]
And now my problem
All images and all mp3s are running without any problem, but I can't open the movies.
Any idea how to fix this?
Thanks!
Houdini
The foremost and scalpel is simply linear carving tool. so, can't carve fragmented files. Your images and mp3s is relatively small, will recover that..
But, movie files have large scale capacity(fragmented). So will can't recovered.
As a result, fragmented files need to carve smart. Currently, very little is known of smart carving of large-scale file. You try to dump logical area..
What are you trying to play the movies with? Some players are more robust than others with damaged files (VLC is usually a good bet).
In terms of recovery, you could also try NFI Defraser (http//
Pass the image into a piece of data recovery / forensic software and look for the file system D
If you can identify the file system and mount you might be able to run HFS type data recovery software over it with greater success
With defragmenting it is important to know the cluster size used by the file system. It is then a reasonable assumption that all fragments will be in cluster sized elements (or multiples of), and typically (but not always) that the fragments will be on increasing locations of the media.
To join the fragments intelligently it will be necessary to walk through the file and read the length of each tag (4 byte number before the tag). The next stage is to investigate possible unused clusters for one that has a recognisable tag at the correct location within the cluster. It is possible to get false positives, so more tests may be required.
I have recently been working on a similar problem with AVI files and with these I searched for a matching index section that is stored at the end of the file and used it for cluster verification. When the file has been corrupted, and not complete, I recreated an index file which would allow the fragment to be viewed. The .MOV structure looks more complex than the AVI standard, but recovery may be posible.
Hey!
Many thanks for so many answers in this short time )
@AlexC
I've tried VLC Player, Mplayer and Quicktime itself. But I'll try to recover with "NFI Defraser" now. Thank you!
@stezer2000
The iPhone uses a HFSX filesystem, I'll try your advice. Thank you!
@mscotgrove
I only know that iPhone uses 8k block size on media partition, is it the same as cluster size? )
I have found a spec pdf about .MOV structure - but it's not small…
Thank you all!
Houdini
Hey!
Many thanks for so many answers in this short time )
@AlexC
I've tried VLC Player, Mplayer and Quicktime itself. But I'll try to recover with "NFI Defraser" now. Thank you!@stezer2000
The iPhone uses a HFSX filesystem, I'll try your advice. Thank you!@mscotgrove
I only know that iPhone uses 8k block size on media partition, is it the same as cluster size? )
I have found a spec pdf about .MOV structure - but it's not small…Thank you all!
Houdini
the iPhone filesystem is really similar to HFS+, we can say that the only changing part is the partition identifier.
you can easly trick forensic tools by changing the value to match HFS+ and then you'll be able to open the image using encase and any other tool that can handle HFS+ filesystems.
I think the iPhone just uses HFSX, which is a documented filesystem that is nearly the same as HFS+. (In fact, I think the only current HFSX feature is that it can be set to be case-sensitive, wheras HFS+ is always case-insensitive.)
Some forensic tools require you to modify the "HX" identifier in an HFSX filesystem to "H+" so it will be interpreted as an HFS+ volume. Some tools – e.g., SleuthKit – support HFSX and don't require this hack.
afaik hfs+ supports case-sensitiveness, since you can specify it in disc utilities when you format the drive for installing the OS
Hi again.
I tried everything now, to get those movies playing. But I failed (
I have looked them up in a hex editor and I can see the right headers, but I am not firm enough with it, to correct the rest of file.
Is anybody in here how could analyse my file and give me an feedback if there is any chance to repair them?
Perhaps I can pay for your work - it's very important for me to get the movie back. I'll need it for a trial.
Best regards