Design Tradeoffs for Developing Fragmented Video Carving Tools

Similar documents
Digital Investigation

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

A SURVEY ON MULTIMEDIA FILE CARVING

FRAME BASED RECOVERY OF CORRUPTED VIDEO FILES

Forensic Analysis of Video File Formats

Developing a New Digital Forensics Curriculum

The Normalized Compression Distance as a File Fragment Classifier

File Fragment Encoding Classification: An Empirical Approach

Extracting Hidden Messages in Steganographic Images

Rapid Forensic Imaging of Large Disks with Sifting Collectors

Monitoring Access to Shared Memory-Mapped Files

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Ranking Algorithms For Digital Forensic String Search Hits

Hash Based Disk Imaging Using AFF4

A Functional Reference Model of Passive Network Origin Identification

Unification of Digital Evidence from Disparate Sources

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

File Classification Using Sub-Sequence Kernels

Multidimensional Investigation of Source Port 0 Probing

An Evaluation Platform for Forensic Memory Acquisition Software

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

Introduction. Collecting, Searching and Sorting evidence. File Storage

Breaking the Performance Wall: The Case for Distributed Digital Forensics

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

Honeynets and Digital Forensics

A Study of User Data Integrity During Acquisition of Android Devices

Computer Forensics: Investigating Data and Image Files, 2nd Edition. Chapter 3 Forensic Investigations Using EnCase

On Criteria for Evaluating Similarity Digest Schemes

Searching for Yahoo Chat fragments in Unallocated Space Detective Eric Oldenburg, Phoenix Police Department

Designing Robustness and Resilience in Digital Investigation Laboratories

File Carving Using Sequential Hypothesis Testing

Information Assurance In A Distributed Forensic Cluster

Introduction to carving File fragmentation Object validation Carving methods Conclusion

Fast Indexing Strategies for Robust Image Hashes

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

Beyond TS Workshop

Dissecting Files. Endianness. So Many Bytes. Big Endian vs. Little Endian. Example Number. The "proper" order of things. Week 6

RAPID RECOGNITION OF BLACKLISTED FILES AND FRAGMENTS MICHAEL MCCARRIN BRUCE ALLEN

FRACTAL COMPRESSION USAGE FOR I FRAMES IN MPEG4 I MPEG4

Audio Engineering Society. Conference Paper. Presented at the Conference on Audio Forensics 2017 June Arlington, VA, USA

Tool reviewdwinhex. Eoghan Casey a,b, ) PRODUCT REVIEW. Introduction

Can Digital Evidence Endure the Test of Time?

Analysis of the Db Windows Registry Data Structure

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Speech Upload & Annotation Tool User Guide for Instructors

BinComp: A Stratified Approach to Compiler Provenance Attribution

Privacy-Preserving Forensics

INSTITUTO SUPERIOR TÉCNICO

DATA RECOVERY FROM PROPRIETARY- FORMATTED CCTV HARD DISKS

10 Good Reasons Why You Should Shift Focus to Small Scale Digital Device Forensics

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 6 Working with Windows and DOS Systems

MP4-Karver: CARVING OF CORRUPTED MP4 VIDEOS USING ASMD REPAIRING TECHNIQUE


Automated Identification of Installed Malicious Android Applications

Mobile memory dumps, MSAB and MPE+ Data collection Information recovery Analysis and interpretation of results

Domain-Specific Languages for Digital Forensics

Testing the Date Maintenance of the File Allocation Table File System

Predicting the Types of File Fragments

ANALYSIS AND VALIDATION

Automating Video File Carving and Content Identification

A Framework for Attack Patterns Discovery in Honeynet Data

Java Oriented Object Programming II Files II - Binary I/O Lesson 3

Oracle Forensics Part 2: Locating dropped objects

Computer Forensics CCIC Training

Media Formats. Sound. Image. Video. WAV (uncompressed, PCM) MIDI. BMP XML dia MPEG

Optimizing A/V Content For Mobile Delivery

Media Analyzer User s Guide

Digital Forensics File Carving Advances

Source:

CIS-331 Final Exam Fall 2015 Total of 120 Points. Version 1

Standard Exponential Creative Specifications

Model-Driven Engineering in Digital Forensics. Jeroen van den Bos with Tijs van der Storm and Leon Aronson

Chapter Two File Systems. CIS 4000 Intro. to Forensic Computing David McDonald, Ph.D.

Topic Data carving, as defined by Digital Forensic Research Workshop is the process of

Encoder Core. API Specification. Revision: SOC Technologies Inc.

After Conversation - A Forensic ICQ Logfile Extraction Tool

Funcom Multiplayer Online Games - FTP Site Statistics. Top 20 Directories Sorted by Disk Space

A Strategy for Testing Hardware Write Block Devices

OneClick Video Converter Free Version

CHAPTER 5 A Closer Look at Instruction Set Architectures

Running Head: IPHONE FORENSICS 1. iphone Forensics Jaclyn Sottilaro Monica Figueroa-Santos Antonina Spinella Saint Leo University

Case Study. Log Analysis. Automated Windows event log forensics. Engagement Preliminary Results Final Report. Extract Repair. Correlate.

File Systems and Volumes

DERRIC. Model-Driven Engineering in Digital Forensics. Jeroen van den Bos

CIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1

J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering

Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion. Bin-Carver. Automatic Recovery of Binary Executable Files

Identification, Recovery and Verification of MP3 frames from Obfuscated Files. Paul Flack

Video Assignment 7/9/2014

GNSS High Rate Binary Format (v2.1) 1 Overview

My Media Hub Quick Start Guide for USB Devices. Sharing media content with the Fetch Box from a USB device

Source coding and compression

CEIC 2007 May 8, 2007

Computer Forensic Capabilities. Cybercrime Lab Computer Crime and Intellectual Property Section United States Department of Justice

Module 10 MULTIMEDIA SYNCHRONIZATION

Quicktime Player Error Codec For Mac Avi

ExtremeTech Technology News - FTP Site Statistics. Top 20 Directories Sorted by Disk Space

DbsEditor v1.8 (Database Editor) QUICK REFERENCE

Archival Science, Digital Forensics and New Media Art

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Design Tradeoffs for Developing Fragmented Video Carving Tools By Eoghan Casey and Rikkert Zoun Presented At The Digital Forensic Research Conference DFRWS 2014 USA Denver, CO (Aug 3 rd - 6 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Design Tradeoffs for Developing Fragmented Video Carving Tools Eoghan Casey (MITRE/DC3) & Rikkert Zoun (NFI) DFRWS2014

Example Scenario Crime Recorded with smartphone camera Smartphone is seized for forensic examination

Example Scenario Investigation with conventional tools reveals? File was deleted and overwritten No valid video file could be recovered END OF INVESTIGATION?

Example Scenario Closer inspection of smartphone reveals:? Deleted file was only partly overwritten. Fragment of video file was recoverable and images made viewable

Motivation Maximize playable video fragments Minimize missed fragments Minimize unplayable fragments HARDER THAN YOU MIGHT THINK!

Personal Motivation

Fragmented Lessons DFRWS2007 Forensic Challenge Make use of cluster boundaries Container Video data Audio data Video data Audio data (etc ) Fragment classification (Simson et al, 2010) Reassembly of compressed video data (Lewis, 2012) Reassembling individual frames (Na et al, 2014)

Fragmented Digital Videos Carving challenges There are no safe assumptions Flexible file specifications Codecs

Strategy Rely on human review and reassembly Requires person with knowledge of file formats Employ multiple automated methods Results in more output to review, including dups OPTIMAL COMBINATION OF HUMAN-AUTOMATED?

NFI Defraser Digital Evidence Fragment Search & Rescue MPEG-1 & -2 Systems AVI 3GP / QT / MP4 ASF / WMV Decoding of encoded video formats MPEG-1, -2 & -4 video and H.264 (developing) http://defraser.sourceforge.net/

Carved 3GP Fragments (iphone)

DC3 Carver Also known as DCCI_StegCarver 2 methods for carving MPEG videos (contig & frag) 4 method for carving AVI videos (contig & frag) 3 method for carving 3GP videos (contig & frag) Repair of MPEG and AVI

Reassembled MPEG Fragments DFRWS2007 Forensic Challenge Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_296_44895744_44912127.mpg Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_408_327213056_327270399.mpg Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_295_44841984_44891135.mpg Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_410_327419392_327812607.mpg Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_362_245580288_245826047.mpg Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_364_246311424_246657535.mpg Combined Carved_MPEG_Fragment_dfrws-2007-challenge.img_301_61577728_61790719.MPG And Carved_MPEG_Fragment_dfrws-2007- challenge.img_363_245949440_246310911.mpg Inserted 12 byte pack header copied from byte location 6144 into E:\dfrws2007\log_4_21_2011_10_23_41_AM\Logical MPEGs\Carved_8_61577728_Logical.mpg

File System Considerations Most forensic tools Unallocated = 408,068,096 bytes (389 MB) EnCase Unallocated = 376,360,960 bytes (359 MB) Subtracts size of recovered deleted files +?

File System Considerations NTFS VDL Slack

Finding AVI Video Fragments Description Hex values Byte range File header RIFF - Total size of AVI - AVI Header list LIST - Size of header list - hdrl AVI header avih - Size of avi header - Various flags - # of video frames LIST structures - Size of list - List type (movi, odml or stream) Chunk four character code ( db, dc, wb or tx ) - Size of chunk - Data Index idx1 - Size of index - Index entries Index entry four character code( db, dc, wb or tx ) - Flags - Offset of chunk - Size of chunk \x52\x49\x46\x46-4 bytes (little endian) - \x41\x56\x49\x20 \x4c\x49\x53\x54-4 bytes (little endian) - \x68\x64\x72\x6c \x61\x76\x69\x68-4 bytes (little endian) \x4c\x49\x53\x54-4 bytes (little endian) - [movi, odml or stream] [Hex of db, dc, wb or tx] - 4 bytes (little endian) - [binary data] \x69\x64\x71\x31-4 bytes (little endian) [Hex of db, dc, wb or tx] - [flags] - 4 bytes (little endian) - 4 bytes (little endian) [0:3] - [4:7] - [8:b] [0:3] - [4:7] - [8:b] [0:3] - [4:7] - - [18:1b] [0:3] - [4:7] - [8:b] [0:3] - [4:7] - [8:size] [0:3] - [4:7] - [8:size] [0:3] - [4:7] - [8:b] - [c:f]

MPEG-2 fragments (DFRWS2007) Offset Size (bytes) Type Attribute 274370048 14 PackHeader SystemClockReference=0 274370062 18 SystemHeader 274370080 2016 PesPacket PresentationTimeStamp=0, DecodingTimeStamp="8589930992" 274370103 12 SequenceHeader 274370125 8 GroupOfPicturesHeader TimeCode="00:00:00-00 274372096 14 PackHeader SystemClockReference=900 274372110 2034 PesPacket PresentationTimeStamp=0 274374144 14 PackHeader SystemClockReference=1800 274416688 12 SequenceHeader 274416710 8 GroupOfPicturesHeader TimeCode="00:00:00-10

Finding MPEG-4 Video Fragments Offset Size (bytes) Type Attribute Comment 228514304 20 ftyp MajorBrand="isom" CompatibleBrands="mp41" 228514324 2445504 mdat 228514332 18457 Vop TimeIncrement=0 CodingType="I_VOP" 228533351 3976 Vop TimeIncrement=1 CodingType="P_VOP" 228537740 2248 Vop TimeIncrement=2 CodingType="P_VOP" 228540402 5001 Vop TimeIncrement=3 CodingType="P_VOP" 228545829 6195 Vop TimeIncrement=4 CodingType="P_VOP" 228552470 4580 Vop TimeIncrement=5 CodingType="P_VOP" 228557499 6300 Vop TimeIncrement=6 CodingType="P_VOP" 228564245 5507 Vop TimeIncrement=7 CodingType="P_VOP" 228570071 5339 Vop TimeIncrement=8 CodingType="P_VOP" 228575902 5180 Vop TimeIncrement=9 CodingType="P_VOP" 228581586 4525 Vop TimeIncrement=10 CodingType="P_VOP" 228586643 5638 Vop TimeIncrement=11 CodingType="P_VOP" 228592843 18946 Vop TimeIncrement=12 CodingType="I_VOP" 228612368 4544 Vop TimeIncrement=13 CodingType="P_VOP" 228617492 2789 Vop TimeIncrement=14 CodingType="P_VOP" 230959828 16635 moov 230959944 4597 trak TrackID=1 Video

Measure Once, Cut Twice ftyp moov mdat Streams (part 1) Streams (part 2): Overwritten Streams (part 3) ftyp mdat Streams (part 1) Streams (part 2): Overwritten Streams (part 3) moov

Repair Unassigned Fragments

Repair Unassigned Fragments

Determine Whether Playable

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback