MP4, MOV, M4A and HEIC File Carver
This EnScript is designed to carve MP4, MOV, M4A and HEIC files.
The structure of these files is defined by the ISO base media file format, ISO/IEC 14496-12.
These files consist of a sequence of 'boxes' and 'sub-boxes' each having a type and size. The type is a 4-character code, e.g., ftyp, moov, mdat, etc. Boxes are sometimes referred to as 'atoms'.
The script locates files by searching for the ftyp (file-type) box, which it expects to be at the start of each file. As the name suggests, this box will contain a 4-character code specifying the file's type.
ISO base media files do not have a footer. In addition, other than the ftyp box at the beginning, the top-level boxes are not guaranteed to be in the same order and may differ from file-to-file depending on type.
Accordingly, to find the end of a file, the script parses each box one after another until it reaches data that it can't identify, i.e., data that doesn't match a valid box code. It then checks to see that the minimum number of boxes deemed necessary for the file-type in question have been located.
For MOV (QuickTime video) and M4A (AAC audio) file-types, it will expect a file to have the ftyp, moov and mdat boxes; for the HEIC (HEIF) file-type, it will expect a file to have the ftyp, meta and mdat boxes. Any other ISO base media files will be treated as generic MP4 files, in which case the script will expect to locate ftyp, moov and mdat boxes as per MOV and M4A files.
Whilst this methodology works reasonably well, the examiner should note that the script does not validate the content of each box; also, that it cannot locate fragmented files in their entirety. Accordingly, even though a file may have the required minimum number of boxes, those boxes may be corrupt, incomplete and/or other boxes may be missing.
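The carving method described above, sketched in Python as an added example (it is not the EnScript's own code). The set of recognised box types and the brand-to-type mapping are assumptions, since the page does not list the script's own; the sample buffer is constructed.

```python
import struct

# Assumed subset of top-level box types; the script's actual list is not on the page.
KNOWN = {b"ftyp", b"moov", b"mdat", b"meta", b"free", b"skip", b"wide", b"uuid", b"moof"}
# Assumed major-brand mapping; any other brand is treated as generic MP4.
BRANDS = {b"qt  ": "MOV", b"M4A ": "M4A", b"heic": "HEIC"}
REQUIRED = {"HEIC": {b"ftyp", b"meta", b"mdat"}}
DEFAULT_REQUIRED = {b"ftyp", b"moov", b"mdat"}  # MOV, M4A and generic MP4

def walk_boxes(buf, start):
    """Parse boxes from start until an unknown type; return (end_offset, [types])."""
    pos, seen = start, []
    while pos + 8 <= len(buf):
        size, btype = struct.unpack_from(">I4s", buf, pos)
        if btype not in KNOWN:
            break  # unidentifiable data marks the end of the file
        header = 8
        if size == 1:  # 64-bit 'largesize' follows the type code
            if pos + 16 > len(buf):
                break
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:  # box extends to the end of the data
            size = len(buf) - pos
        if size < header or pos + size > len(buf):
            break  # corrupt or truncated box: stop rather than over-read
        seen.append(btype)
        pos += size
    return pos, seen

def carve(buf):
    """Yield (offset, length, file_type) for each candidate file found in buf."""
    hit = buf.find(b"ftyp", 4)
    while hit != -1:
        start = hit - 4  # the 4-byte size field precedes the type code
        end, seen = walk_boxes(buf, start)
        kind = BRANDS.get(buf[hit + 4:hit + 8], "MP4")  # major brand follows 'ftyp'
        if REQUIRED.get(kind, DEFAULT_REQUIRED) <= set(seen):
            yield start, end - start, kind
            hit = buf.find(b"ftyp", end + 4)
        else:
            hit = buf.find(b"ftyp", hit + 1)

def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

# Constructed sample: slack, a HEIC-like file, slack, then an MP4 with no moov box.
SAMPLE = (b"\x00" * 10 + box(b"ftyp", b"heic\0\0\0\0mif1") + box(b"meta", b"\0" * 4) + box(b"mdat", b"x" * 5)
          + b"\xff" * 7 + box(b"ftyp", b"isom\0\0\0\0") + box(b"mdat", b"y" * 3))
```

The box payloads are never inspected, so a hit reported by `carve` only means the expected box headers were present in sequence, which matches the limitation noted above.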
The script writes recovered files to a designated output folder rather than a logical evidence file in order to make it easier to preview video content in Windows thumbnail view. Note that viewing HEIC files in Windows Explorer will require installation of the HEVC Video Extensions, which are available to purchase from the Microsoft Store at a nominal cost.
The script does not distinguish between M4A files and M4P files. Accordingly, any M4A file that does not play may be a copyright-protected M4P file.
For additional information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link: