
Recovering H.264 video files with Defraser 1.3.0 for free ?

13 Posts
3 Users
0 Reactions
3,984 Views
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter  

Hi folks,

I'm having a hard time trying to recover H.264 videos from a surveillance system.
The fact is that the partition on which the videos are stored is of unknown type and refuses to mount with any file system (ext2, ext3, ntfs, fat, …).

As I was looking for some "video file carver", I found on the forum some thread about Defraser, an open source project coming from the Nederlands Forensisch Instituut (NFI).
For the 1.3.5 version, a plugin is available for H.264 videos, which costs about 900 USD if I remember.

I found that this plugin, or at least its draft, is available (although under development) in the sources of the 1.3.0 version. However, it was removed in the binaries of the 1.3.0 and 1.3.5 versions.
In the archive containing the sources of the 1.3.0 version is an installation manual which is quite straightforward.

Basically, all components are free. To run the source code, you have to

1) Install Microsoft .NET framework 3.5
2) Install Microsoft Visual C# Express 2008 (Attention: C# and not C++!)
(available in Microsoft Visual Studio Express 2008).
3) Install the trial of Virtual Tree by Infralution.
Version 3.14 is no longer available, but you can download version 3.15.2
at the bottom of Infralution's download page. It worked for me.
4) Unpack the source code of Defraser 1.3.0.
5) Double-click the "Defaser.sln" file and ignore warnings to open it inside Visual C#

In Visual C#
6) If you're using the Express Edition of Visual C#, remove the two projects
that correspond to installers for the 32 bits and 64 bits editions.
To do this, you have to right-click on their names and choose to delete them.
7) Right-click on "GuiCe" in the project tree and choose "Set as StartUp Project" in the contextual menu.
8) Menu "Build > Build Solution"
9) Menu "Debug > Start without debugging"

A fully functional "Defraser" appears.
Here's a screenshot of Defraser 1.3.0 built from source code showing H.264 videos detected on the image file of a partition.

As you see, Defraser was unable to decode the videos and to display thumbnails.

For each H.264 video there are chunks labeled "CodedSliceOfAnIdrPicture" and I don't know how to go forward.

I don't know if the issue comes from the codec used or from the fact that the plugin for H.264 videos is mentioned as being under development.

Also, I had a power failure when scanning my 1 TB file with Defraser.
Maybe Defraser stayed with found chunks and simply "forgot" the part of the file that had not been scanned; I don't know.

Other experiences of H.264 videos recovery using Defraser 1.3.0 source package would be much welcome.


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

H264 is a codec, i.e. the type of compression used, and not the file structure.

What type of files are the good ones, e.g. do they have FTYP, MOOV and MDAT segments?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Sorry for the OT, but this is interesting

… an open source project coming from the Nederlands Forensisch Instituut (NFI).
….
I found that this plugin, or at least its draft, is available (although under development) in the sources of the 1.3.0 version. However, it was removed in the binaries of the 1.3.0 and 1.3.5 versions.
….

An Open Source project (seemingly released under BSD license) without source. 😯

Unless I am mistaken the sources of the 1.3.5 have not been released at all.

jaclaz


   
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter  

@Jaclaz
Sorry, I should have written "a formerly open source project".
The authors of NFI Defraser do not describe their project as being open source; it's just that I could find the sources for the 1.3.0 version. The BSD licence does not force any author to (re-)distribute the sources of a software, nor to (re-)distribute it at all. It just fixes how a software should be redistributed if it is.

@Forensic Focus readers
As Jaclaz mentioned, it's right that the sources of the 1.3.5 version are not available from Sourceforge.net. But 1.3.5 suggests a minor version, and the 1.3.0 should be quite similar.

In the features of the NFI Defraser 1.3.5 project on Sourceforge is written
"The new plugin for H264 is available for free for law enforcement in
the Netherlands. Outside the Netherlands the license is sold for
895 euro for maintenance and further updates."

The H264 detector was already in the 1.3.0 version (with source code), but was a work in progress. I assume the NFI team realized that recovering H.264 videos was harder than for common video files because, as Michael mentioned, H264 is a codec and not the file structure.
This might explain why they decided to sell the plugin once finished. Currently, I don't know how far from completion was the source of the H.264 plugin in the 1.3.0 version.

@Michael (mscotgrove)
I believe that I may find the FTYP segments, as I had previously run scalpel, which detected a lot of MPEG signatures. I'm going to scan the full drive again with Defraser as I believe the scan was interrupted due to power failure. Then, I'll be able to look closer at hexadecimal signatures. I have currently no idea about the type of the files.

The manual doesn't tell about the container; just that files are either ".264" or ".nvr"
It's on page 23 http://shop.monacor.at/attachments/FLE/DMR286_1840_1880_2860-GB.pdf

The drive has a second partition, formatted ext2, which references the videos using one log file per day. Those files are binary and I don't know about their inner structure.

I believe your software would be very useful if it was able to work on an image of a partition independently from the file allocation table. In my case the partition of unknown type was cloned to an NTFS image file.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@Jaclaz
Sorry, I should have written "a formerly open source project".
The authors of NFI Defraser do not describe their project as being open source; it's just that I could find the sources for the 1.3.0 version. The BSD licence does not force any author to (re-)distribute the sources of a software, nor to (re-)distribute it at all. It just fixes how a software should be redistributed if it is.

Sure, not at all an issue with your description, but in my perverted mind, if you host a project on sourceforge.net you should also provide the source to it, or - if you prefer - ONLY open source projects should be hosted on sourceforge.

BTW it is also in the terms of the site
http://slashdotmedia.com/terms-of-use/

7. SourceForge.net Submissions/Content

When you submit, post, upload or otherwise provide Code to SourceForge.net, you must designate promptly the software license pursuant to which licensees, including Slashdot Media, obtain rights with respect to such Code. Except as otherwise expressly permitted by these Terms, any Code submitted to SourceForge.net must be licensed to Slashdot Media and other licensees under a license that is compliant with the Open Source Initiative (“OSI”)’s Open Source Definition (http://www.opensource.org/docs/osd) or certified as an “OSI-Approved License” (http://opensource.org/licenses).

And of course an essential part of the Open Source Definition is that the Source should be made available, most probably the Authors consider the "plug-in" a separate project that they "sell" separately.
And it is very possible that also the "plug-in" is actually Open Source, and BSD licensed, but only available in exchange for several hundred bucks, nothing "wrong" in "Commercial, BSD licensed" software.
But still the source for the 1.3.5 version (without the plug-in) is seemingly missing, and this is not anymore "Open Source".

Sorry for the OT.

jaclaz


   
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter  

More than three days now that I'm running Defraser 1.3.0 trying to extract videos that are H.264 encoded. I selected a few potential container formats.

Defraser displays "Running detectors on my-image-of-the-drive.img" and the progress bar seems frozen at one third of the total.

The drive was imaged as a 1 Tb NTFS file.
I assume that using a huge file rather than a raw drive doesn't help, but I had no other choice as Defraser runs on Windows and requires a file. It's maybe not the best tool for my needs.

The processor is running at 1,86 GHz and the total RAM is 4 Gb.
I assume the software is interpreted and hence slower.

Because I wonder if Defraser will ever be able to recover anything, I'm looking for alternatives, maybe semi-automatic techniques.

I assume the first thing to do is to list the locations of potential H264 videos.
But which file signature to take as I don't know the container?

From this thread, as well as from Gary Kessler's file signatures, I guess that "00 00 00 01 67" as well as "00 00 00 ? 66" could be good candidates to carve H264 videos, but any other technique to list the locations of either the containers or the bitstreams would be much welcome.

@mscotgrove Do you think that your software could be adapted to recover videos from "RAW" partitions (which were not previously in NTFS nor FAT)?


   
ReplyQuote
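The signature idea from the post above, as an added example that is not part of the thread: a scanner for H.264 Annex B start codes that checks the NAL header byte after each hit and reports where an SPS, a PPS and an IDR slice ("CodedSliceOfAnIdrPicture") follow each other. The function names and the sample bytes are constructed for illustration, and the approach only applies to raw, non-encapsulated bitstreams, since MP4 containers store NAL units length-prefixed without start codes.

```python
import re

# nal_unit_type values from ITU-T H.264 Table 7-1 (subset useful for carving).
NAL_NAMES = {1: "non-IDR slice", 5: "IDR slice", 6: "SEI", 7: "SPS", 8: "PPS", 9: "AUD"}
START_CODE = re.compile(rb"\x00\x00\x01")

def scan_nal_units(buf):
    """Return [(offset, nal_unit_type)] for each plausible Annex B NAL header."""
    hits = []
    for m in START_CODE.finditer(buf):
        pos = m.end()
        if pos >= len(buf):
            break
        header = buf[pos]
        nal_type, ref_idc = header & 0x1F, (header >> 5) & 0x03
        if header & 0x80 or nal_type not in NAL_NAMES:
            continue  # forbidden_zero_bit set, or a type this scan ignores
        if nal_type == 5 and ref_idc == 0:
            continue  # an IDR slice is always a reference picture
        if nal_type in (6, 9) and ref_idc != 0:
            continue  # SEI and AUD always carry nal_ref_idc == 0
        # Report the 4-byte form (00 00 00 01) when a zero byte precedes the match.
        start = m.start()
        if start > 0 and buf[start - 1] == 0:
            start -= 1
        hits.append((start, nal_type))
    return hits

def stream_starts(hits):
    """Offsets where SPS, PPS and IDR slice are consecutive: a decodable entry point."""
    types = [t for _, t in hits]
    return [hits[i][0] for i in range(len(hits) - 2) if types[i:i + 3] == [7, 8, 5]]

# Constructed sample (not from the thread's image): filler, one valid run, two decoys.
SAMPLE = (
    b"\xaa" * 16
    + b"\x00\x00\x00\x01\x67\x42\x00\x1e"  # SPS (0x67: nal_ref_idc 3, type 7)
    + b"\x00\x00\x00\x01\x68\xce\x38\x80"  # PPS
    + b"\x00\x00\x00\x01\x65\x88\x84\x21"  # IDR slice
    + b"\x00\x00\x01\x41\x9a\x24\x6c"      # non-IDR slice, 3-byte start code
    + b"\xaa\x00\x00\x01\xe7\xaa"          # decoy: forbidden_zero_bit set
    + b"\xaa\x00\x00\x01\x05\xaa"          # decoy: IDR type with nal_ref_idc 0
)

if __name__ == "__main__":
    found = scan_nal_units(SAMPLE)
    for offset, nal_type in found:
        print(f"0x{offset:08x}  {NAL_NAMES[nal_type]}")
    print("stream starts:", [hex(o) for o in stream_starts(found)])
```

On a large image the same functions can be run over fixed-size chunks that overlap by a few bytes, adding the chunk's base offset to each hit.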
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Zul22 - I sent you a PM

My software will work with raw images

As far as I know, a file signature is not enough - you need to know the codec, and reconstruct ftyp and moov segments as well. Not a trivial task. It can be helped if you do have a valid working sample.


   
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter  

@mscotgrove

Thanks.
Reconstructing H264 videos doesn't seem easy…
Thank you for the PM and your proposal. I'll try your software.

Unfortunately, I don't have any valid file example as the partition type is not detected by gParted. So, I have to scan for possible video signatures.


   
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter  

What type of files are the good ones, e.g. do they have FTYP, MOOV and MDAT segments?

I carved the drive image using "ftyp", "moov" and "mdat", generating 10 Kb files.

The first bytes after "ftyp", "moov" and "mdat" are random.

Is it possible that the H.264 bitstreams are not encapsulated and is there a way to reconstruct the full bitstream (unfragmented), in order to include it afterwards in a container?


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

If you have roughly the same number of ftyp, moov and mdat tags on a disk, it is likely that they are encapsulated.

ftyp are normally only 0x14 to 0x24 bytes long

moov atoms have a structure that will be consistent for the video recorder, and will have groups of data preceded by 4 byte tags

mdat often looks like random data, the headers for audio and video can be 'subtle', but may just be a length which is different for every frame.


   
ReplyQuote
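One way to test "ftyp" hits along the lines described above, as an added example that is not part of the thread: a hit is accepted only if the 4-byte big-endian size before the tag falls in the 0x14 to 0x24 range and the brands are printable, then each box's size field is followed to the next header and only chains containing both moov and mdat are kept. The function names, the TOP_LEVEL set and the sample bytes are assumptions made for illustration, and the walk only recovers unfragmented files.

```python
import struct

# Assumed set of top-level box types accepted while walking a chain.
TOP_LEVEL = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"uuid"}

def read_box(buf, off):
    """Parse a box header at off; return (type, size) or None if implausible."""
    if off < 0 or off + 8 > len(buf):
        return None
    size, kind = struct.unpack_from(">I4s", buf, off)
    header = 8
    if size == 1 and off + 16 <= len(buf):       # 64-bit largesize follows the type
        (size,) = struct.unpack_from(">Q", buf, off + 8)
        header = 16
    if kind not in TOP_LEVEL or size < header or off + size > len(buf):
        return None
    return kind, size

def plausible_ftyp(buf, off, size):
    """ftyp = header, major brand, minor version, then 4-byte compatible brands."""
    if not 0x14 <= size <= 0x24 or size % 4:     # size range quoted in the thread
        return False
    brands = [buf[off + 8:off + 12]] + [buf[i:i + 4] for i in range(off + 16, off + size, 4)]
    return all(0x20 <= c <= 0x7E for b in brands for c in b)

def carve_mp4(buf):
    """Return one box chain [(type, offset, size), ...] per validated ftyp hit."""
    files, pos = [], buf.find(b"ftyp")
    while pos != -1:
        off, chain = pos - 4, []
        box = read_box(buf, off)
        if box and plausible_ftyp(buf, off, box[1]):
            # Each size field must land on another box; a second ftyp starts a new file.
            while box and not (chain and box[0] == b"ftyp"):
                chain.append((box[0].decode(), off, box[1]))
                off += box[1]
                box = read_box(buf, off)
            if {"moov", "mdat"} <= {kind for kind, _, _ in chain}:
                files.append(chain)
        pos = buf.find(b"ftyp", pos + 4)
    return files

def _box(kind, payload=b""):                     # builds the constructed sample only
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

FTYP = _box(b"ftyp", b"isom" + struct.pack(">I", 0x200) + b"isommp42")
MOOV = _box(b"moov", _box(b"mvhd", b"\x00" * 4))
MDAT = _box(b"mdat", b"\x55" * 12)
# Constructed image: a tag hit preceded by a random "size", then two adjacent files.
SAMPLE = b"\x9c\x1f\x03\x77ftyp\x8b\x02\xf1\x00" + FTYP + MDAT + MOOV + FTYP + MOOV + MDAT
```

For each returned chain, the bytes from the first box's offset to the end of the last box are the candidate file to export.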