Samsung WB650 Video file Scalpel rule


I recently ran into the issue that my new photo camera (Samsung WB650) somehow decided to erase all the data on my SD card. Since the SD card was filled with a lot of photos and video files, I decided to image the SD card and try to recover my files. The photo files were all JPEGs, so it was pretty easy to recover them using Scalpel. However, the video format this camera uses was not included in Scalpel, so the videos weren't recovered. To be able to recover the video files as well, I created a Scalpel rule for them myself.

To figure out the header and the footer of the video format I analyzed a previously saved video file. The header and footer of this file are shown below.

 

[Image: Video file header 1]

[Image: Video file header 2]

It seemed I was pretty lucky with this file format since it has quite a clear header and footer. Each video file would start with \x00\x00\x00\x00\x1C followed by ftypMSNV, and the footer would always end with vndrZORAN.

Using this information I was able to create the following Scalpel rules (which both do the same):

Scalpel rule in Hex only:

     mp4    y    1000000000    \x00\x00\x00\x1C\x66\x74\x79\x70\x4D\x53\x4E\x56    \x76\x6E\x64\x72\x5A\x4F\x52\x41\x4E

 

Scalpel rule in Hex plus text:

     mp4    y    1000000000    \x00\x00\x00\x1CftypMSNV    vndrZORAN

The file size in this rule is currently set to a maximum of 1.000.000.000 bytes, which was more than enough for me. If you expect to carve bigger video files, you might want to adjust this.
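What a header/footer rule like this asks a carver to do can be shown with a small Python carver, added here as an example (it is not code from the original post or from Scalpel). It uses the header, footer and size fields of the rule above; the function names and the sample image are constructed for illustration, and a header with no footer inside the size limit is skipped.

```python
# Added example: header/footer carving with the WB650 signature from the rule above.
HEADER = b"\x00\x00\x00\x1cftypMSNV"   # header field of the Scalpel rule
FOOTER = b"vndrZORAN"                   # footer field of the Scalpel rule
MAX_SIZE = 1_000_000_000                # size field of the Scalpel rule


def carve(image, header=HEADER, footer=FOOTER, max_size=MAX_SIZE):
    """Return (offset, data) for every header that has a footer within max_size bytes."""
    results = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        # Only look for the first footer inside the size window of this header.
        window_end = min(len(image), start + max_size)
        foot = image.find(footer, start + len(header), window_end)
        if foot == -1:
            # No footer in range: skip this header (assumption of this example).
            pos = start + len(header)
            continue
        end = foot + len(footer)        # the footer bytes belong to the carved file
        results.append((start, image[start:end]))
        pos = end
    return results


def build_sample_image():
    """Constructed test data: two fake videos and one truncated video between filler."""
    video1 = HEADER + b"A" * 100 + FOOTER
    video2 = HEADER + b"B" * 300 + FOOTER
    truncated = HEADER + b"C" * 50      # header only, footer overwritten
    filler = b"\xff" * 64
    image = filler + video1 + filler + video2 + filler + truncated + filler
    return image, video1, video2


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, data in carve(image):
        print(f"offset={offset} size={len(data)}")
```

Calling `carve` with a `max_size` smaller than a file shows the effect of the size field: the file whose footer lies beyond the limit is not recovered.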

With this new Scalpel rule I was able to recover all my video files from the SD card. This rule probably works on more camera types as well; however, since I only have a Samsung WB650 at this moment, I was unable to check this.

 

UPDATE 30-11-2012:

Mariano added the following rule in the comments which should work for the video files on the Samsung Galaxy SII Android device:

     mp4    y    1000000000    \x00\x00\x00\x18ftyp3gp4    SDLNSEQ_PLAY

Thanks Mariano!

1 Comment

  • Mariano
    26/11/2012

    Hey thanks for the post!

    This rule worked for me on a Samsung Galaxy SII Android device:
    mp4 y 1000000000 \x00\x00\x00\x18ftyp3gp4 SDLNSEQ_PLAY
