Orange Tokyo used for ATM skimming  

nsbuck
(@nsbuck)
Member

Hi, There is no data on the handset, however I came across a 116MB file stored on the memory card that XACT has recovered. This file cannot be viewed via the handset.

Is there any program(s) that I could try to open the file? (I've tried office, txt, rtf, but I think it's a specific file that ATM skimmers use!)

Thanks in advance

Neil

Posted : 19/06/2009 8:54 pm
Rich2005
(@rich2005)
Senior Member

What's the file name/extension/signature?
PS - Hi, as I presume u worked at the northern lab of where I used to work, before that dept shut down 😉

Posted : 19/06/2009 8:57 pm
nsbuck
(@nsbuck)
Member

Morning, the two large files are ~audio.tmp & ~visual.tmp.

Good guess! How's things? lol

Posted : 22/06/2009 2:57 pm
AlexC
(@alexc)
Active Member

I'd give it a go with VLC as the name suggests a media file and it's pretty robust.

Could you give us the hexadecimal file signature (generally the first few bytes) of the file? It'll give some clues as to what the file actually is.

Posted : 23/06/2009 2:44 pm
nsbuck
(@nsbuck)
Member

Here are the first few bytes -

ftyp3gp4 3gp4isom mdat

I've tried VLC & other programs to play video but no luck yet.

Neil

Posted : 23/06/2009 4:38 pm
pwakely
(@pwakely)
Junior Member

Here are the first few bytes -
ftyp3gp4 3gp4isom mdat
I've tried VLC & other programs to play video but no luck yet.

If FLV won't play it, would also suggest to try throwing it at QuickTime as well, as I'm sure I've seen .mov files with similar headers. Depending how important the file is to your case, even if the file won't play directly, you may be able to extract frames from the video/audio for display, but this would be an involved specialist process.

Would prefer to be answering your question from data supplied as hex, but… The 'ftyp' part looks like it's a multimedia container file, with the type of 3gp4 suggesting MPEG4 data contained within. Likely this means it should meet the ISO14496-12/14 standards, and could be a .mp4 .m4a or .m4v (or others) so I'd suggest checking the headers against that.

If you want a simpler check rather than diving into the hex, it might be worth opening the file with a tool like MediaInfo (http://mediainfo.sourceforge.net/en) to get information on the codec IDs etc, though this might not work for your file, of course, in which case you're back to the hex data.

Phil.

Posted : 23/06/2009 5:46 pm
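
An added example, not part of the original thread: a small Python walker for the top-level box layout defined in ISO 14496-12, which reports the `ftyp` brands and whether a `moov` box (the index a player needs to interpret `mdat`) is present. The sample bytes are constructed from the header strings quoted in the thread; the minor version value and the `mdat` payload are invented for illustration.

```python
import io
import struct

def top_level_boxes(stream):
    """Yield (type, offset, header_len, size) for each top-level ISO BMFF box."""
    end = stream.seek(0, io.SEEK_END)
    offset = 0
    while offset + 8 <= end:
        stream.seek(offset)
        size, box_type = struct.unpack(">I4s", stream.read(8))
        header_len = 8
        if size == 1:                      # 64-bit "largesize" follows the type
            if offset + 16 > end:
                return
            size = struct.unpack(">Q", stream.read(8))[0]
            header_len = 16
        elif size == 0:                    # box runs to end of file
            size = end - offset
        if size < header_len:              # corrupt header: stop rather than loop
            return
        yield box_type.decode("latin-1"), offset, header_len, size
        offset += size

def describe(stream):
    """Summarise brands and top-level layout of a suspected 3GP/MP4 file."""
    info = {"major_brand": None, "compatible_brands": [], "boxes": []}
    for box_type, offset, header_len, size in top_level_boxes(stream):
        info["boxes"].append(box_type)
        if box_type == "ftyp" and size >= header_len + 8:
            stream.seek(offset + header_len)
            body = stream.read(size - header_len)
            info["major_brand"] = body[0:4].decode("latin-1")
            # bytes 4..8 are minor_version; the rest are 4-byte compatible brands
            info["compatible_brands"] = [body[i:i + 4].decode("latin-1")
                                         for i in range(8, len(body) - 3, 4)]
    info["has_moov"] = "moov" in info["boxes"]   # index box that players need
    return info

# Constructed sample: ftyp (3gp4 / 3gp4, isom) followed by a tiny mdat, no moov.
SAMPLE = (struct.pack(">I4s4sI4s4s", 24, b"ftyp", b"3gp4", 0x200, b"3gp4", b"isom")
          + struct.pack(">I4s", 16, b"mdat") + b"\x00" * 8)

if __name__ == "__main__":
    print(describe(io.BytesIO(SAMPLE)))
```

To use it on a recovered file, pass `describe()` a handle opened with `open(path, "rb")` on a working copy of the evidence.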
Biedubbeljoe
(@biedubbeljoe)
New Member

Both are 3gp files, see
http://www.ftyps.com/3gpp.html

Cheers,

Posted : 24/06/2009 1:32 pm
Rich2005
(@rich2005)
Senior Member

The others have suggested most of what I'd have tried already. I'll just mention that in the past I've tried to play some of these 3gps/mp4s with QuickTime, and renaming the extension for no explicable reason made the odd one play. So I'd try it with your file renamed to both whatever.3gp and whatever.mp4 and whatever.mov just in case to see if they play in QuickTime. (I have no idea why that worked once or twice in the past)
Also, you might give this a shot:
http://www.erightsoft.com/SUPER.html
Claims to be able to play everything under the sun 😉
(PS also from the site biedubbeljoe posted, a page I've found useful in the past is http://www.ftyps.com/what.html )

And yeah not bad, still catching bad guys, and occasionally defending them :p

Posted : 24/06/2009 3:41 pm
forensic-bob
(@forensic-bob-2)
New Member

Hi Nsbuck,

Maybe you can give this tool a try:
http://sourceforge.net/projects/defraser/

The description:
"Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial audio/video files in datastreams (for instance, unallocated diskspace)"

maybe it is of help, since you are likely dealing with broken/partial multimedia files.

Posted : 25/06/2009 6:22 pm
nsbuck
(@nsbuck)
Member

This has helped. Thank you :)

Posted : 30/06/2009 5:19 pm
tuxy
(@tuxy)
New Member

Hi Neil, I've sent you a private message, but I don't know if you received it.

How did you manage to view the files? Did you use Defraser?

regards,

Martin

Posted : 01/02/2010 2:31 pm
nsbuck
(@nsbuck)
Member

Hi Martin,

Not received a message from you but just to let you know that Defraser worked.

I got video but I couldn't get sound.

Once you have the video, I found that I could not fast forward but at least it worked.

If you find a way to get sound, then please let me know.

Neil

Posted : 02/02/2010 9:40 pm