Staying true to my compulsion to forensically examine anything I can connect to a computer, I decided to see what sort of information I could pull off of a Flip Video UltraHD device.
It turns out that these devices aren't terribly difficult to examine which isn't surprising since they're a narrowly purposed. They're a very user friendly device that allows easy creation and sharing of relatively high quality videos. They are designed to be plugged into a computer's USB port so that video can be pulled off and shared via the software included on the device itself.
Like the Kindle, write blocking can be accomplished by standard USB write blocking procedures. For this examination, I used the Windows USB write blocking software (essentially just an automated registry modification program) that came with the SANS 508 class disk. You should also be able to use traditional hardware write blocking methods such as the Tableau T8 USB write blocker.
The device has one FAT32 partition that comes in at around 7.6GB with most of it being unallocated space that is used for video storage. The actual system files don't take up much more than 120MB of data and include the software needed to run the actual device as well as the software that a user would place on a computer to manage their videos. There is software on the device for both Windows and Mac.
The videos themselves are in the DCIM\100VIDEO folder and are in MPEG-4 format. The video files are numbered in the order they are created starting with "VID00001.MP4". There aren't any surprises when it comes to deleted videos and you can recover those videos like you would any other file from a FAT32 volume. Thus, deleted videos will show up as "_ID0007.MP4" as you would expect based on normal FAT file system behavior. I did a keyword search for the header information for MP4 videos and I was able to get plenty of hits in unallocated space. A system files of interest sits in the root folder and that's the "INFO.BIN" file which contains useful information such as the firmware and serial number information for the device.
No comments:
Post a Comment