Recovering H.264 video files with Defraser 1.3.0 for free ?

13 Posts
3 Users
0 Reactions
3,986 Views
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter

Following mscotgrove's advice, I carved for "????ftyp" 36-byte long sequences (0x24).

Here are the contents of four randomly picked output files:

Ascii: .hreftyp............DUMMYUNIONNAMEWEB
Hex:   68 72 65 66 74 79 70 65 10 0E 00 00 B0 0D 00 00 0E 00 D5 CD 44 55 4D 4D 59 55 4E 49 4F 4E 4E 41 4D 45 57

Ascii: 144.ftyp............................
Hex:   31 34 34 2E 66 74 79 70 00 10 00 02 00 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 EF BE AD DE EF BE AD

Ascii: rec/ftyp/00000146.ftyp..............
Hex:   72 65 63 2F 66 74 79 70 2F 30 30 30 30 30 31 34 36 2E 66 74 79 70 00 10 00 02 00 00 00 00 10 00 00 00 00 01

Ascii: 159.ftyp............................
Hex:   31 35 3E 2E 66 74 79 70 00 10 00 02 00 00 00 00 10 00 00 00 00 02 00 00 00 00 00 00 00 EE BE AD DE EF BE AD

I assume the possibly interesting info is located in this hexadecimal sequence, which follows the ftyp:
00 10 00 02 00 00 00 00 10 00 00 00 00 01

and maybe also in this sequence, which is shared by the trailer of two of the given samples:
EE BE AD DE EF BE AD


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

An ftyp header is normally 0x14, 0x18, 0x1c or 0x20 bytes long. The length is stored as a 4-byte big-endian number before ftyp.

With random data, you can always get false positive hits.

I would search for 0x00 0x00 0x00 ? ftyp

e.g. a 0x20-byte header, followed by an 8-byte wide atom, followed by an mdat atom of length 0x85ad1:

00000000 00 00 00 20 66 74 79 70 - 71 74 20 20 20 05 03 00 ftypqt
00000010 71 74 20 20 00 00 00 00 - 00 00 00 00 00 00 00 00 qt
00000020 00 00 00 08 77 69 64 65 - 00 08 5A D1 6D 64 61 74 wide ZÑmdat


(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter

With random data, you can always get false positive hits

I agree. However, looking at the samples in my previous message, they are certainly false positives, but their content doesn't look random and hence could be useful.

The carved strings seem to belong to some table of contents, which probably lists the video recordings.
For instance:
rec/ftyp/00000146.ftyp
It could be useful to know the LBA address of each carved sample and then explore with a hex editor what is before and after. Maybe we could locate some "table of contents", which may help a little to carve the files afterwards.

With Scalpel itself, I don't know of any option to get the LBA addresses of carved content. Maybe this would be possible with another tool or by chaining commands, but I'll create a separate topic for this.

I would search for 0x00 0x00 0x00 ? ftyp

I'm going to filter the carved files into two folders:
those that start with "0x00 0x00 0x00 ?" and the other ones.


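A small checker, added here as an example and not code from either poster nor from Defraser or Scalpel, that applies mscotgrove's rule (a 4-byte big-endian length of 0x14, 0x18, 0x1c or 0x20 before "ftyp", i.e. his "00 00 00 ? ftyp" search) and then walks the atoms that follow, which is the split into two folders that zul22 plans. The two sample buffers are constructed from the hex dumps quoted in this thread; the plausible-length set is an assumption taken from mscotgrove's post.

```python
import struct

# ftyp atom lengths mscotgrove calls normal (assumption: anything else is treated as suspect)
PLAUSIBLE_FTYP_SIZES = {0x14, 0x18, 0x1C, 0x20}

def atom_type_ok(kind: bytes) -> bool:
    """Atom types are four printable ASCII characters (e.g. ftyp, wide, mdat)."""
    return len(kind) == 4 and all(0x20 <= c < 0x7F for c in kind)

def walk_atoms(data: bytes):
    """Yield (offset, size, type, truncated) for each top-level atom until parsing breaks."""
    off = 0
    while off + 8 <= len(data):
        size, = struct.unpack(">I", data[off:off + 4])
        kind, header = data[off + 4:off + 8], 8
        if size == 1:                       # 64-bit 'largesize' follows the type
            if off + 16 > len(data):
                break
            size, = struct.unpack(">Q", data[off + 8:off + 16])
            header = 16
        elif size == 0:                     # atom extends to end of file
            size = len(data) - off
        if size < header or not atom_type_ok(kind):
            break                           # malformed: stop, do not trust what follows
        yield off, size, kind.decode("ascii"), off + size > len(data)
        off += size

def check_carved_hit(data: bytes) -> dict:
    """Classify one carved '????ftyp' hit: pattern check, length check, atom walk."""
    result = {"pattern_ok": False, "ftyp_size": None, "atoms": [], "plausible": False}
    if len(data) < 8 or data[4:8] != b"ftyp":
        return result
    result["pattern_ok"] = data[:3] == b"\x00\x00\x00"        # "00 00 00 ? ftyp"
    result["ftyp_size"] = struct.unpack(">I", data[:4])[0]
    if not result["pattern_ok"] or result["ftyp_size"] not in PLAUSIBLE_FTYP_SIZES:
        return result
    result["atoms"] = [(k, s, trunc) for _, s, k, trunc in walk_atoms(data)]
    # plausible: ftyp parsed and at least one well-formed atom follows it (e.g. wide, mdat)
    result["plausible"] = len(result["atoms"]) >= 2
    return result

# Constructed from the 0x30-byte dump in mscotgrove's post (ftyp, wide, start of mdat)
GOOD_HIT = bytes.fromhex(
    "00000020 66747970 71742020 20050300 71742020 00000000 00000000 00000000"
    "00000008 77696465 00085AD1 6D646174")
# Constructed from zul22's carved sample "144.ftyp...": no length prefix before ftyp
FALSE_HIT = bytes.fromhex(
    "3134342E 66747970 00100002 00000000 10000000 00010000 00000000 00EFBEAD DEEFBEAD")
```

The mdat entry comes back flagged as truncated because its 0x85ad1 length runs past the 48 bytes shown, which is exactly what a carver sees at the head of a real file.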