Wednesday, April 8, 2009

Recovering video files in unallocated space

Recently, Sgt. Glenn Lang from the Maine State Police contacted me regarding an EnScript request designed to export some data from keyword hits where he was searching for movie files in unallocated. Sgt. Lang is the ICAC coordinator and does a lot of child exploitation investigations. He has had great success in building some excellent GREP keywords to find movie files in unallocated.

The GREP keywords are usually characters that are located at various offsets inside the video files, not at the beginning. He needed a way to quickly export the suspected video files and view them.

By modifying the previous "export x bytes from a search hit" EnScript, I created an EnScript that will export x bytes in front of the keyword hit and then specify the total number of bytes to export:



It then saves the data into a file named after the original filename where the hit was found (usually unallocated) the search term, the offsets and then you can specify a extension for the export:



You can then double-click and use your registred viewer to view (vlc in this example).

Sgt. Lang has put together some basic videos demonstrating this technique and they can be viewed here:

Adding keywords and starting a search.wmv
Recovering Movies Located Using Harvester Key Words.wmv

Download GREP keyword list here (Import into EnCase Keyword tab)
Download EnScript here

5 comments:

Robert Thursday, 09 April, 2009  

Problems with the keyword file. It display in the browser. Once saved the import fails.

johnmccash Thursday, 09 April, 2009  

Lance - I attempted to import the grep keyword list into EE 6.13, and it says it's an invalid import file.

Lance Mueller Thursday, 09 April, 2009  

I updated the GREP keyword list to a ZIP file. I have tested it and it should work fine now.

johnmccash Thursday, 09 April, 2009  

Question about the keyword list: as presented here, it's generic to movie files in general, but in an associated posting on the Guidance support forums, it refers to "harvesting 10 bytes of data from the data portion of videos we have found to contain child pornography". Are these search terms generic to movie files, or are they specific to certain known child exploitation videos.

Lance Mueller Thursday, 09 April, 2009  

John, I am only the author of the EnScript. For claification on the search terms, you should contact Sgt. Lang (his email and phone are listed in the training video).

Here is some info he provided me:
"Note: Please check your work, i.e. the source of many of the GREPs in the first list are from outside sources and you may find non-child porn videos in your searches. If that happens please let us know so that we can update the lists. The same is true if you find a GREP statement that has a large number of false hits. We tried to check every statement for false hits before adding to these lists, but some may have gotten by us."

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles