MP4, MOV, M4A and HEIC File Carver

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

This EnScript is designed to carve MP4, MOV, M4A and HEIC files as defined by the ISO base media file format, ISO/IEC 14496-12.

1,071 downloads

Product compatibility

EnCase App Central

Description

This EnScript is designed to carve MP4, MOV, M4A and HEIC files.

The structure of these files is defined by the ISO base media file format, ISO/IEC 14496-12.

These files consist of a sequence of 'boxes' and 'sub-boxes' each having a type and size. The type is a 4-character code, e.g., ftyp, moov, mdat, etc. Boxes are sometimes referred to as 'atoms'.

The script locates files by searching for the ftyp (file-type) box, which it expects to be at the start of each file. As the name suggests, this box will contain a 4-character code specifying the file's type.

ISO base media files do not have a footer. In addition, other than the ftyp box at the beginning, the top-level boxes are not guaranteed to be in the same order and may differ from file-to-file depending on type.

Accordingly, to find the end of a file, the script parses each box one after another until it reaches data that it can't identify, i.e., data that doesn't match a valid box code. It then checks to see that the minimum number of boxes deemed necessary for the file-type in question have been located.

For MOV (QuickTime video) and M4A (AAC audio) file-types, it will expect a file to have the fytp, moov and mdat boxes; for the HEIC (HEIF) file-type, it will expect a file to have the fytp, meta and mdat boxes. Any other ISO base media files will be treated as generic MP4 files, in which case the script will expect to locate fytp, moov and mdat boxes as per MOV and M4A files.

Whilst this methodology works reasonably well, the examiner should note that the script does not validate the content of each box; also, that it cannot locate fragmented files in their entirety. Accordingly, even though a file may have the required minimum number of boxes, those boxes may be corrupt, incomplete and/or other boxes may be missing.

The script writes recovered files to a designated output folder rather than a logical evidence file in order to make it easier to preview video content in Windows thumbnail view. Note that viewing HEIC files in Windows Explorer will require installation of the HEVC Video Extensions, which are available to purchase from the Microsoft Store at a nominal cost.

The script does not distinguish between M4A files and M4P files. Accordingly, any M4A file that does not play may be a copyright-protected M4P file.

For additional information, please see the following Twitter post:

https://twitter.com/SimonDCKey/status/1389600501960949766

This script was developed for use in EnCase training. For more details, please click the following link:

OpenText EnCase Training

Releases

Release

Size

Date

MP4, MOV, M4A and HEIC File Carver 1.2.0

Aug 1, 2024

More info Less info

Product compatibility

Release notes

Tested with:
EnCase Forensic 21.01.00.68.

Languages

English

Files

Marketplace

Marketplace

MP4, MOV, M4A and HEIC File Carver

Product compatibility

CATEGORY

Description

Releases

Sign in

Marketplace

MP4, MOV, M4A and HEIC File Carver

App Support Tiers

Product compatibility

CATEGORY

Description

Releases

Unsubscribe from notifications

Marketplace Terms of Service

Your download has begun