.MOV in RAW research
Page 1 of 1

Author:  Alkemist [ August 24th, 2020, 19:06 ]
Post subject:  .MOV in RAW research

I need to recover some video (.MOV) from a formatted Hard Drive.

Pretty all common software can do it by RAW research, but problem is result:
instead of original videos in full lenght I just can obtain a tons of little parts.
Thousands of short videos and fragments.

Someone can advice me a software with specific carving algoritm for .MOV video files?

Author:  Amarbir[CDR-Labs] [ August 24th, 2020, 22:44 ]
Post subject:  Re: .MOV in RAW research

I do not see that amount of fragmentation in .mov files on hdds using rstudio ,although the recovery in raw by this tool is also conventional methods

Author:  Arch Stanton [ August 25th, 2020, 9:06 ]
Post subject:  Re: .MOV in RAW research

What file system originally?

Author:  Alkemist [ August 25th, 2020, 9:10 ]
Post subject:  Re: .MOV in RAW research

Arch Stanton wrote:
What file system originally?

NTFS formatted NTFS again.
Is not possible to rebuild because is probably a bit overwritten

Author:  Arch Stanton [ August 25th, 2020, 9:32 ]
Post subject:  Re: .MOV in RAW research

Alkemist wrote:
Arch Stanton wrote:
What file system originally?

NTFS formatted NTFS again.
Is not possible to rebuild because is probably a bit overwritten

Volume was written to since it was reformatted? So they're not detected by filename? Using whatever, R-Studio, UFS, ReclaiMe etc.? If filenames do appear in your file recovery software, do run lists look okay? And if so and yet recovered files are corrupt then it's very likely portions of the file have been overwritten. No specialized carver can solve that.

ISTM then you can not even be certain portions of the videos haven't been overwritten themselves if file recovery software does not even find MFT entries for them. Which makes it hard to judge if the little chunks you did recover are best possible result or not.

Anyway. Tools do exist that carve for and try to reconstruct fragmented video, however these were primarily designed to scan memory cards. Some even for one specific device that was used to record video. MOV is quite flexible and so atoms, the parts that make up the file, may appear in very different orders which makes it kind of hard to figure out which part belongs to what file. So a tool 'knowing' how a specific GoPro formats the video helps recovery while another tool designed for a different device may fail recovering GoPro video.

Typical fragmentation of video files are result of a combination of factors: The file system they're written to (so some flavor or FAT probably) and the nature of recording video, where in advance it is unknown how large file will be. However once you copied such a file to a hard drive, this fragmentation will be largely resolved as OS driver now has the chance to look for a chunk of clusters large enough to accommodate the file.

The carver can still fuck up because it may apply very simple rules for end of file detection, and assume a certain layout of atoms. If you'd take one intact file shot with same device and examine order of atoms, you may be able to carve using a disk editor.

These make specialized MP4/MOV carvers:


Again, all written with memory cards in mind. On hard drives they make make days to complete, if they even do.

Author:  awesome14 [ August 29th, 2020, 23:48 ]
Post subject:  Re: .MOV in RAW research

I've used 'foremost' for this purpose. It's not a GUI program, nor does it run under Windows. It was written by two special agents in US Air Force intellgence to recover data as files, regardless of format, partitioning, or fragmentation. Even if the partition table is destroyed, it works fine. But you don't get filenames back, even if they're there. And it's fast, 1-2 hours for a 100GB partition.

It's primarily for use by military and law enforcement in forensic recovery work, usually on partition image files. But it can be used directly on the original source.

It reads a configuration file that lists header and footer bytes for each type of file. You simply uncomment the file types to recover, set the maximum size of files to recover within each type you wish to recover, and foremost carves them out.

I've recovered >300MB video files from drives that were used for days, weeks or months before the user asked for help. There's also 'photorec' which recovers files from repartitioned, reformated media.

If chunks are missing from a video file, 'ffmpeg' can smooth out the transitions. I think it's available for Windows. Windows does not permit some useful DR functions, because of concerns over using them for copyright violation.

Foremost works as long as the drive is working properly. For failing drives, 'ddrescue' is phenomenal. I had a dvd that looked like someone put it under their tire for traction to get out of a snow drift. Ddrescue recovered the whole disk in about 12 hours.

Author:  Arch Stanton [ August 30th, 2020, 7:06 ]
Post subject:  Re: .MOV in RAW research

Wooooohhh! Special Agents! https://www.youtube.com/watch?v=hAAlDoAtV7Y

As far as I know the tools you mention don't do anything more advanced than carving as implemented in generic file recovery tools. So trying these will probably not add a lot other than wasted time.

You being able to carve 300+ MB has nothing to do with special agent tricks but with luck.

Author:  Grant [ September 2nd, 2020, 10:31 ]
Post subject:  Re: .MOV in RAW research

What exact camera / resolution are we talking?

You can send me an original sample here if you like: lctech.myairbridge.com

And I'll let you know if any of our raw scans can get them? We have built in a fragmented scan to our SanDisk RescuePRO and Videorecovery..

Page 1 of 1 All times are UTC - 5 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group