Thice Security


Samsung WB650 Video file Scalpel rule

08/10/2011, by Thice, category Code, Forensics

I recently ran into the issue that my new photo camera (Samsung WB650) somehow decided to erase all the data on my SD card. Since the SD card was filled with a lot of photos and video files, I decided to image the SD card and try to recover my files. The photo files were all JPEGs, so it was pretty easy to recover them using Scalpel. However, the video format this camera uses was not included in Scalpel, so the videos weren't recovered. To be able to recover the video files as well, I created a Scalpel rule for them myself.

To figure out the header and the footer of the video format I analyzed a previously saved video file. The header and footer of this file are shown below.


Video file header 1


Video file header 2

It seemed I was pretty lucky with this file format, since it has quite a clear header and footer. Each video file would start with \x00\x00\x00\x00\x1C followed by ftypMSNV, and the footer would always end with vndrZORAN.

Using this information I was able to create the following Scalpel rules (both do the same thing):

Scalpel rule in Hex only:


Scalpel rule in Hex plus text:

The file size in this rule is set to maximum bytes at this moment, which was more than enough for me. In case you expect to carve bigger video files, you might want to adjust this.

With this new Scalpel rule I was able to recover all my video files from the SD card. This rule probably works on more camera types as well; however, since I only have a Samsung WB650 at this moment, I was unable to check this.
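As an added illustration (not code from the original post and not Scalpel's own code), this Python sketch carves by the header and footer described above and shows why the maximum size in the rule matters: too small and larger videos are missed, too large and a header whose footer was overwritten gets merged with the next file. The function names, the sample data and the size limits are constructed for the example.

```python
# Added example: a minimal header/footer carver, not Scalpel's own code.
# HEADER and FOOTER are the byte patterns given in the post; everything
# else (function names, sample data, sizes) is constructed for illustration.
HEADER = b"\x00\x00\x00\x00\x1c" + b"ftypMSNV"
FOOTER = b"vndrZORAN"


def carve(image: bytes, max_size: int) -> list[tuple[int, bytes]]:
    """Return (offset, data) for every header..footer span <= max_size bytes."""
    hits = []
    pos = 0
    while (start := image.find(HEADER, pos)) != -1:
        # The footer must end inside the size window that starts at the header.
        window_end = min(len(image), start + max_size)
        foot = image.find(FOOTER, start + len(HEADER), window_end)
        if foot == -1:
            pos = start + 1          # no footer in range: skip this header
            continue
        end = foot + len(FOOTER)     # the carved file includes the footer
        hits.append((start, image[start:end]))
        pos = end
    return hits


def build_sample_image() -> bytes:
    """Constructed 'SD card': two intact videos and one with its tail overwritten."""
    video_a = HEADER + b"A" * 100 + FOOTER      # 122 bytes, starts at offset 64
    truncated = HEADER + b"C" * 50              # footer lost, starts at offset 218
    video_b = HEADER + b"B" * 300 + FOOTER      # 322 bytes, starts at offset 381
    return (b"\xff" * 64 + video_a + b"\x00" * 32 + truncated
            + b"\x00" * 100 + video_b + b"\xff" * 16)


def summarize(max_size: int) -> list[tuple[int, int]]:
    """(offset, length) of each carved file for a given size limit."""
    return [(off, len(data)) for off, data in carve(build_sample_image(), max_size)]


if __name__ == "__main__":
    # 200: only the small video; 400: both intact videos;
    # 1000: the truncated header swallows the second video.
    for limit in (200, 400, 1000):
        print(limit, summarize(limit))
```

When a carved video will not play, checking whether a second header pattern appears inside it is a quick way to spot this kind of merge.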


UPDATE 30-11-2012:

Mariano added the following rule in the comments, which should work for the video files on the Samsung Galaxy SII Android device:

Thanks Mariano!

One Comment

  1. Mariano |

    Hey thanks for the post!

    This rule worked for me on a Samsung Galaxy SII Android device:
    mp4 y 1000000000 \x00\x00\x00\x18ftyp3gp4 SDLNSEQ_PLAY
