MP4 File Carving (in cooperation with Fraunhofer SIT)
Reconstruction of files from a storage medium without utilization of file system
information is a conventional technique deployed to extract hidden or lost sets of data. Common so-called file carving algorithms, which aim to extract data via identification of specific byte sequences, can be obstructed depending on a file’s storage details. For example, whenever a file is fragmented into several pieces most file carving tools yield no feasible result, even though the file data is still stored on the storage medium and theoretically accessible for the user. For forensic evaluation of a storage medium, complete analysis and extraction of all usable data is vital to collect evidence.
To solve this and other prevalent issues for MP4 files, this thesis proposes a twofold approach capitalizing on MP4 structures for the calculation of reference points using stored codec information. These reference points are subsequently employed to ascertain whether a block of data belongs to a specific MP4 file via binary decision making of continuous data blocks.
Evaluation results originating from a prototypical implementation indicate that the proposed file carving scheme provides satisfactory results for a multitude of file carving challenges.