Eoghan Casey, Ph.D. (University of Lausanne)
Rikkert Zoun

Abstract

When conducting a digital forensic examination, there is sometimes a need to salvage as much playable video as possible from available data sources. Although an ideal outcome might be to have all deleted and partially overwritten file fragments identified, reassembled, and repaired to provide playable videos, there are situations where this is not possible. In addition, there are complexities in real world datasets that can lead to false positives and false negatives. This paper captures practical lessons learned from extensive experiences in this problem space, and describes tradeoffs that developers must consider when creating file carving tools for salvaging and reassembling fragmented AVI, MPEG, and 3GP video files. Recommendations are provided for each tradeoff, concentrating on increasing the amount of playable video fragments that can be salvaged, with the potential for duplicate copies of some fragments being salvaged. Developers need to carefully consider how to handle the tradeoffs described in this paper when developing fragmented video carving tools. In addition, digital investigators need to consider the strengths and limitations of different fragmented video carving methods, and need to select those that are best suited to their given dataset. Another important outcome of this work is that the products of some carving methods may be playable in one video viewer but not others, making it necessary to view carved results using various methods, including storyboarding. This paper also includes discussion of current challenges and potential future work in fragmented file carving, with the aim of advancing research and development of automated methods for reassembling salvaged video fragments.