Recovering video files in unallocated space
Recently, Sgt. Glenn Lang from the Maine State Police contacted me with a request for an EnScript to export data from keyword hits where he was searching for movie files in unallocated space. Sgt. Lang is the ICAC coordinator and does a lot of child exploitation investigations. He has had great success in building some excellent GREP keywords to find movie files in unallocated space.
The GREP keywords are usually characters that are located at various offsets inside the video files, not at the beginning. He needed a way to quickly export the suspected video files and view them.
By modifying the previous "export x bytes from a search hit" EnScript, I created an EnScript that starts the export x bytes in front of the keyword hit and lets you specify the total number of bytes to export.
It then saves the data into a file named after the original filename where the hit was found (usually unallocated), the search term, and the offsets; you can also specify an extension for the exported file.
You can then double-click the exported file and use your registered viewer to view it (VLC in this example).
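The export logic described above, sketched in Python as an added example; it is not the EnScript offered for download. The `ftyp` marker, the output file-name layout, and the name `carve_hits` are assumptions made for illustration, and the sample data is constructed.

```python
import re
import tempfile
from pathlib import Path

def carve_hits(data, pattern, pre_bytes, total_bytes, source_name, term, ext, out_dir):
    """Export total_bytes starting pre_bytes before each keyword hit.

    data may be bytes or an mmap of the image. Returns (start, end, path) per hit.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    safe_term = re.sub(r"[^A-Za-z0-9]+", "_", term)  # keep the term filename-safe
    results = []
    for hit in re.finditer(pattern, data):
        start = max(0, hit.start() - pre_bytes)       # hit near start of source: clamp
        end = min(len(data), start + total_bytes)     # hit near end of source: clamp
        # Assumed layout: <source>_<term>_<start>-<end>.<ext>
        path = out / f"{source_name}_{safe_term}_{start}-{end}.{ext}"
        path.write_bytes(data[start:end])
        results.append((start, end, path))
    return results

if __name__ == "__main__":
    # Constructed sample: filler, then an MP4-style header whose "ftyp" marker
    # sits 4 bytes into the file, then more filler standing in for video data.
    sample = b"\xAA" * 100 + b"\x00\x00\x00\x18ftypmp42" + b"\xBB" * 200
    with tempfile.TemporaryDirectory() as tmp:
        for start, end, path in carve_hits(sample, rb"ftyp", 4, 64, "Unallocated", "ftyp", "mp4", tmp):
            print(f"{path.name}: bytes {start}-{end}")
```

Keeping the start and end offsets in the file name lets each exported file be traced back to its exact location in the source when the hit is documented.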
Sgt. Lang has put together some basic videos demonstrating this technique and they can be viewed here:
Adding keywords and starting a search.wmv
Recovering Movies Located Using Harvester Key Words.wmv
Download GREP keyword list here (Import into EnCase Keyword tab)
Download EnScript here