I recently ran into the issue that my new photo-camera (Samsung WB650) somehow decided to erase all the data of my SD card. Since the SD card was filled with a lot of photos and video files I decided to image the SD card and to try to recover my files. The photo files all were JPEGs, so it was pretty easy to recover them by using Scalpel. However the Video format this camera uses was not included in Scalpel so they weren’t recovered. To be able to recover the video files as well I created a Scalpel rule for them myself.
To figure out the header and the footer of the video format I analyzed a previously saved video file. The header and footer of this file are shown below.
It seemed I was pretty lucky with this file format since it has quite a clear header and footer. Each video file would start with \x00\x00\x00\x00\x1CÂ followed by ftypMSNV, and the footer would always end with vndrZORAN.
Using this information I was able to create the following Scalpel rules (which both do the same):
Scalpel rule in Hex only:
Â Â Â Â mp4Â Â Â yÂ Â Â 1000000000Â Â Â \x00\x00\x00\x1C\x66\x74\x79\x70\x4D\x53\x4E\x56Â Â Â \x76\x6E\x64\x72\x5A\x4F\x52\x41\x4E
Scalpel rule in Hex plus text:
Â Â Â Â mp4Â Â Â yÂ Â Â 1000000000Â Â Â \x00\x00\x00\x1CftypMSNVÂ Â Â vndrZORAN
The file-size in this rule is set to maximum 1.000.000.000 bytes at this moment, which was more than enough for me, in case you expect to carve bigger video files you might want to adjust this.
With this new Scalpel rule I was able to recover all my video files from the SD card. This rule probably works on more camera types as well, however since I only have a SamsungÂ WB650 at this moment I was unable to check this.
Mariano added the following rule in the comments which should work for the video files on theÂ Samsung Galaxy SII Android device:
Â Â Â Â mp4Â Â Â Â yÂ Â Â Â 1000000000 \x00\x00\x00\x18ftyp3gp4 SDLNSEQ_PLAY